Digital Literacy Training (Part 1) with Olivia McKayla Ross (@cyberdoula) and Ingrid Burrington (@lifewinning)

Part 1: OK But What Is The Internet, Really? In this three-day lunch series with Olivia McKayla Ross (@cyberdoula) and Ingrid Burrington (@lifewinning), we will work to demystify the tools and platforms that we use every day. It is our hope that through better understanding the technologies we use, we are better equipped to keep each other safe!

Digital Literacy Training (Part 1) Transcript

OLIVIA: Hi, everyone.

Just before we begin, some of the things that ‑‑ the values that we’re trying to cement this workshop in terms of cyber defense is firstly acknowledging cyber defense as a way of maintaining community‑based power, and cryptography as an abolitionist technology rather than military or something that doesn’t come from us, right?

So, there have been ways of using techniques like cryptography, and using ‑‑ and that community defense is something that doesn’t have to be immediately associated with a white supremacist, industrial technology.

So following that, we want to affirm that there can be a cyber defense pedagogy that can be ant-iracist, anti‑binary, and pro‑femme. But also one that’s trauma informed, right? And doesn’t reinforce paranoia. Because we know there are white supremacist institutions. And teaching from a place of gentleness. And considering, because of our myriad identities, the previous harm people might have experienced, and trying not to replicate it or force people to relive it.

So if you need to take space at any point during this workshop, we want to honor that, and this will be reported and available for view at a later time, as well.

INGRID: Thank you, Olivia. That was great.

My name is Ingrid. I go by she/her pronouns. And we are ‑‑ welcome, welcome to the internet! (Laughs) This is the first of a series of three digital literacy you sessions where we’re gonna be walking through a few different concepts.

And this first one we wanted to start with was really getting into just some of the baseline, you know, technical things around what the internet actually is and how people experience it, or how it, you know, works.

And… We’ve sort of organized this into a couple of sections. We’re gonna, you know, talk ‑‑ start kind of with a couple things about our personal kind of opinions about how to talk about some of these things, some grounding perspectives we’re bringing to it. The internet and kind of how it works as an infrastructure.

Browsers? Which, as like a particular technology for interfacing with the internet. And the World Wide Web, which is… you know, basically the thing that the browser takes you to. (Laughs)

So, starting with our opinions… (Laughs) We got ‑‑ we got more, but these seem important to start with.

The first one that we wanted to convey is that, you know, some of this stuff around what ‑‑ around how the internet works gets treated like this sort of special knowledge, or like something only for smart people. But, you know, companies have a lot more resources to do things. The people who run, work in, found tech companies often have had, you know, privileges like generational wealth! Or like early exposure to technology, that mean that some of this stuff was just more available to them.

And has been for a long time. And if there are things that are confusing, or unfamiliar, it’s ‑‑ you know, it is not because you don’t understand. And it’s because the people who kind of have a lot of control and power, like, are able to like overcome things that are confusing… Yeah.

We’ll come back to this point in other ways, I think, in this presentation today.

OLIVIA: The other point that we really want to hammer in is that nothing is completely secure online. And that’s due to the nature of how we connect to the internet, right? The only way you can really have a completely secure computer is to have a really, really boring computer! Right?

Computers are interesting because… computers and the internet are able to be interesting and fun things to use because we are able to connect to other computers. Right? Because it’s a form of a telecommunication device. And so it’s kind of okay! That our computers can’t be completely secure, because if they were, they’d just be kind of like brick boxes that don’t really do anything.

So instead of trying to chase like a mythological, like, security purity, what we do is we learn to manage risk instead. Right? We create systems so that we put ourselves in at least danger as possible.

What is the internet?

INGRID: So, for our kind of initial kind of grounding point, we want to just ‑‑ or, what the internet is. And this is, this is a hard question, sometimes, I find? Because… The word “internet” comes to kind of mean lots of different things. I ‑‑ for me, one of the most, like, the simplest summary I can ever provide is that the internet is just computers talking to computers. (Laughs)

It’s information going between computers. This image, which is, you know, one of many you can find when you Google image search “internet diagram” is a bunch of computers in, you know, a household, including a game machine and a few PCs. Who is this person? With all these devices? And they’re connecting to a router in their house, which has connected to a modem, which connects to the internet! Which is more computers. Not the ones that you’re seeing on the screen.

It’s kind of dorky, but this is a really goofy example of a computer talking to another computer. It’s from the movie Terminator 3. This also, I realize, is an Italian dub?

INGRID: So, I show this ‑‑ so what’s actually happening in this scene, which is, yes, very garbled, is the lady terminator, who is a robot, a very large sentient computer, is using a cell phone, like a dumb phone, to call another computer? And then she is making noises into the phone that are a translation of data into audio signal. And that is allowing her to hack into the LA School District’s database. It’s ‑‑ and it’s, you know, it’s very 2003? (Laughs) In that that was an era where, when people were getting online in their homes, they would have to connect to a modem that made sounds like that, too.

So I think, you know, it’s kind of a corny old example, but I like it because it also shows something that is hard to see in our day‑to‑day use of the internet, which is that for information to move from one computer to another computer, it has to be rendered into something material. In this case, it’s tones? It’s sound? On a home computer connected to a wi‑fi network, it would be radio waves. And kind of when you get to different layers of the internet, it’s going to be pulses of light traveling through fiberoptic cable.

So everything you type, every image you post, at some point it gets ‑‑ you know, that digital data gets transformed into a collection of, you know, arrangements of points of light, or, you know, a sound, or like a different material.

And it’s, you know, it’s much bigger! (Laughs) Than, like, than what we see on a screen! This is a map of the submarine cables that cross oceans that make it possible for the internet to be a global experience. It’s very terrestrial?

This is just for fun. This is just a video of a shark trying to eat one of the cables in the ocean… A cutie.

Rawrumph!! I just love his little… The point being, yeah. The internet is vulnerable to sharks! It is… it is very big, and it is complicated, and it is ‑‑ it is not just, you know, a thing on a screen. It needs a lot of physical stuff.

And when computers talk to computers, that doesn’t usually mean, like, a one‑to‑one connection? Right? So… I’m talking in this webinar to all of you right now, but, like, my computer is not directly connecting to your computer. What’s actually happening is that both of our computers are talking to the same computer… somewhere else.

There’s like a, you know, intermediary machine, that’s probably in a big building like this. This is an Amazon data center in Ashburn, Virginia. And that’s kind of the model that most of the internet takes; it’s usually, there’s kind of intermediary platforms, right?

And in a lot of technical language, this is called the client‑server model. The idea being that a server, which is a computer, holds things that are, you know, content on the internet, or applications like Zoom, and the client, which is just a computer, requests things from the server. You know, the server serves that. This goes ‑‑ this gets to the client computer through a routing process, that usually means that the information has to travel through multiple computers.

But! Again, this, like ‑‑ these words just mean computer and computer? Technically, you could turn a home computer into a server and get a stable internet connection and make it something ‑‑ make it something that just serves information to the internet. Or, you know, you could even think about the fact that because, you know, lots of information is taken from personal computers and sent to companies, you know, in some ways we are serving all of the time!

And I ‑‑ mostly, this is just a dynamic, again, thinking about… who controls and how the internet is governed, that I think is important to acknowledge? I mean, in some ways, the internet is not computers talking to computers so much as… computers owned by companies talking to computers owned by people?

The internet, you know, it began as a project funded by the U.S. military, but became the domain of private companies in the late 1990s. So all of that stuff that I was talking about earlier? You know, the submarine cables, the data centers, they’re all private property owned by corporations. And it’s kind of ‑‑ all of the, you know, technical infrastructure that makes the internet possible is a public good… but it’s all managed by private companies. So it’s kinda, it’s more, you know, a neoliberal private partnership. And it has been more a long time.

And I mention this mainly because it’s good to remember that companies are beholden to laws and markets, and it’s in a company’s interest to be compliant with laws and be risk‑averse, and that’s partly why a lot of decisions made by platforms or other companies are often, like, kind of harmful ‑‑ like, can be harmful to communities like sex workers.

And again, like, this doesn’t have to be the way the internet is? It’s just sort of how it has been for a very long time.

So, computers talking to other computers is what, you know, is our very simple summary of what the internet is. But computers don’t necessarily ‑‑ don’t ‑‑ can talk to each other in different kind of languages or dialects, let’s say? Which, in, you know, internet speak, are called protocols. Which, you know, a protocol is what it sounds like: It’s a set of rules about how something’s done. And so that’s, I find, maybe the dialect or language thing kind of useful.

Common Internet Protocols

So a few protocols that exist for the internet that you probably encounter in your daily life that you maybe don’t think that much about are Internet Protocol, wi‑fi, Address Resolution Protocol, Simple Mail Transfer Protocol, and HyperText Transfer Protocol. Maybe you haven’t heard as much, or it’s not as commonly talked about? But I’ll explain about these.

And I apologize; these screenshots are from my Mac. There are ways to access these same sorts of things from a Windows machine? I don’t have screenshots. (Laughs)
So Internet Protocol is basically the foundation of getting on the internet. It assigns a number called an IP address, Internet Protocol address, to a computer when it’s connected to a network. And that sort of ‑‑ that is the ID that is used for understanding, like, who a computer is and how do you access it.

So when I want to go get content from a specific website, what I’m actually requesting under the hood is… is a set of numbers that is an IP address, which is like the name or ID of the computer that I want to go to.

I’m hoping this isn’t too abstract, and I hope, like ‑‑ yeah, please, if there are places where you have questions… please, add things to the Q&A.

So, Address Resolution Protocol and Media Access Control are a little different, but I wanted to talk about because it’s sort of related to understanding how your computer becomes a particular identity.

So, all ‑‑ there’s a question: Do all computers have their own IP address? They do, but they change, because different ‑‑ basically, when you go ‑‑ when you join the network, the address is assigned. It’s not a fixed ID. But there is a fixed ID that is connected to your computer, and it’s called a Media Access Control, or MAC, address.

And this is another screenshot from my machine. You can see this thing I circled here. That is my MAC address. And that is at the level of like my hardware, of my computer, an ID that has been… basically, like, baked into the machine. Everything that can connect to a network has one of these IDs.

And when ‑‑ and so Address Resolution Protocol is a mechanism for associating your temporary IP address with the MAC address, and it mainly exists so that if there’s, like ‑‑ like, if the network screws up and assigns the same IP address to two things, to like two different devices, the MAC address can help resolve like, oh, we actually mean this device, not that device.

Oh, I realize I didn’t make a slide for wi‑fi. I think most of you probably know wi‑fi as, like, it is the wireless ‑‑ the way that basically information is transferred to something wireless.
Yes! Your IP ‑‑ well. Your IP address… will change when you connect, although it generally won’t change that much… It’s, it’s not like ‑‑ how am I answering this?

Like, if you’re ‑‑ if you’re connecting to the internet, in like your home? It’s probably ‑‑ you’re probably gonna get the same ID number, just ’cause it’s the same device you’re connecting to? But when you connect to a network at ‑‑ I guess no one goes to coffee shops anymore…

But in the time when you would go to a place with a different wireless network and connect to the internet! (Laughing) You would probably have a different IP address, because you’re connecting from a different device in a different network.

Oh, the other thing ‑‑ the only other thing about wi‑fi thing I will mention right now is that “wi‑fi” doesn’t actually mean anything. It’s not an acronym; it’s not an abbreviation. It’s a completely made‑up name… No one ‑‑ no one has a good answer for why it’s named that! (Laughs) I think like a branding consultant named it? It’s ‑‑ anyway.

So other protocols. So the Simple Mail Transfer Protocol, that underlies how e‑mail works.

So you encounter it a lot, but probably don’t think much about what ‑‑ like, that’s its own special kind of language for moving information, that’s different from the HyperText Transfer Protocol, which is one that may be familiar to all of you because it is the central protocol used for moving information in the browser!

Which is a nice segue, but I realized I also should mention that there is a variant of HTTP called HyperText Transfer Protocol Secure, or HTTPS. It’s an implementation of HTTP that encrypts the information transferred. So, that wasn’t adopted or implemented when browsers and HTTP were first being developed?

Because, again, these technologies were being developed with, you know, public funding and thought of as tools for scientific research, not for making purchases with credit cards or having, you know, private communications. So the implementation of security features and encryption into the internet is sometimes clumsy or frustrating because it was not designed into the original concept.

What’s an internet browser?

All right. So, we are next moving into the browser. I’m kind of a nerd about internet history things, so part of what I wanted to talk about with the browser is just its origin story?

The first example of a browser that was easy to use was created by researchers at a University of Illinois, including a guy named Marc Andreessen. He made something called Netscape Navigator. It was kind of a… It was a very important opening of the internet to the general public, and it changed a lot of the people’s the perception and ability to be part of the internet.

Marc Andreessen became very rich because he did this, and he founded a venture capital company, or firm, called Andreessen Horowitz. Returning to the idea that a lot of these companies are not smart, they’re just rich? He worked on a thing that is very important… That is not a good reason that he gets to throw money at Airbnb and decide how, you know, urban planning and housing is going to be changed forever!

There are fundamental kind of reasons ‑‑ like, there’s something about that which I feel is kind of important to remember. Both to acknowledge ‑‑ it’s not that Marc Andreessen is a dumb guy; that’s that he’s been given a lot of authority through getting a lot of money through being part of one ‑‑ through doing a clever thing.

A lot of the things that define the browser in the 1990s when it was first becoming an adopted thing were actually proprietary technologies made by different companies. So different companies had their own browsers that they had made. And they wanted to be The Browser everyone used. Right? And so they invented new things to make their browser cool? But they wouldn’t work on other ones.

So Olivia will talk a little bit more about these, I think, in the section on the web. But Cascading Style Sheets, which is a way of adding, you know, designing aspects of a web page, were invented by Microsoft. Javascript, which is a programming language that works in browsers, was created by a guy at Netscape in 14 days? (Laughs) And, yeah, if you wanted to ‑‑ if you made a website and it had, you know, CSS in its layout, it would be like ‑‑ it would be visible in a Microsoft browser, but not in a Netscape browser.

This was a terrible way of doing things? And possibly because companies got nervous about possibly getting regulated, and partly because it was just bad for business, they started ‑‑ they sort of, they figured out how to kind of put aside some of their differences and develop standards, basically.

So the standardization of browsers, so that basically when I open something in Chrome and I open something in Firefox it looks the same and it works the same… kind of starts to be worked on in 1998. It really only starts to be implemented/widespread in 2007, and it continues to be worked on. There are entire kind of committees of people who mostly work at the tech companies that make these browsers who kind of come and talk to each other about, like, what are the things we’re all gonna agree are gonna ‑‑ about, like, in terms of how this technology works?

And we’re looking at, and wanting to talk a little bit, about browsers also because they are really useful teaching tools. It’s really easy ‑‑ well, it’s not “really” easy. It is pretty easy to kind of look at what’s going on behind the scenes, using a browser. And that’s mainly because they’re very old.

You know, by 2007 when the iPhone emerges, and when I think the App Store is in 2010 or 2011, you can’t really look and see ‑‑ it’s much harder to go on your phone and see, like, I wonder what kind of data Instagram is sending back to, you know, Facebook right now! Like, to actually try and look for that on your phone is almost impossible. But you can kind of start to look for that in a web browser.

And that’s sort of a privileging of desktop technology, and a legacy of this being kind of an old technology, where transparency was treated as just inherently a good idea. And I think that if they were being built today, we probably wouldn’t have it.

So, we’re going to introduce you to some browser tools in this next section ‑‑ oh, wait, sorry, one more thing I wanted to acknowledge. This isn’t super detailed as far as comparing the privacy features of different browsers? But ‑‑ and we are working on a list of sort of, like, a bibliography that we can share with everyone later.

The point being ‑‑ the main thing I just wanted to convey here is like different browsers defined by different companies, they’re gonna all work more or less the same, but they do have kind of underlying qualities that might not be great for user privacy. And, also, there’s, you know, questions of like… when, you know, one company kind of controls the browser market, how does that change kind of the way that people see the internet?

So, you know, doing some research, doing some comparison of, of what different browsers… you know, do and don’t do. Most of the screenshots for this were done in Firefox. If you use other browsers, that’s fine. But… Yeah.

All right. Now ‑‑ (Laughs) Now we will move to World Wide Web!

What are web pages and how do they work?

OLIVIA: Hi, everyone! So, this part is talking a lot about the actual content that you are able to look at using your browser. So we’ll be making use of a lot of the tools that Ingrid mentioned about looking deeper into the actual… web pages themselves.

Awesome. So, this is a web page. It’s the same page that the video that we showed earlier in the beginning of sharks biting undersea cables! (Laughs) And it’s accessible to anyone who can connect their computer to the World Wide Web. And so, a lot of times we use “the internet” and “the web” interchangeably?

But the internet itself is more of the infrastructure, and the actual place, if we can call it a place, that we’re going to logically… is called the World Wide Web. Right? That’s the whole WWW‑dot thing that we’ve all been doing.

So, web pages are hosted on computers! You can host a web page on your own computer; you can pay another company to host it for you; other companies host themselves, if they have a lot of money. And… If you are paying someone else to host your website for you, you might end up ‑‑ you have a lot less autonomy. Right?

So there’s a lot of movements for people to like start hosting things themselves to avoid things like censorship and surveillance. Because like we said in the beginning, companies are beholden to a lot stricter laws than individuals are. And individuals are able to kind of themselves say ‑‑

What’s the difference between VPN and TOR? If we have time at the end, we will cover that a little bit, briefly. But essentially, a VPN ‑‑ TOR is a browser, and a VPN is something that you can install into your computer.

TOR does something, does things, that are very similar to what VPNs do, in terms of like onion routing? But they’re not… they’re not the same. Like, you can use TOR to navigate the internet, or you can use a VPN and use your normal browser. Right.

To look at a web page’s source, right, oftentimes you can right click or can N‑click? And you click the, like, You click View Page Source, and you’ll be able to get a closer look at the actual web page itself.

And so when you, when you view the source, you ‑‑ oh, you can go back. When you view the source, you end up seeing HTML. Right? So we told you earlier that the web uses HTTP, which is the HyperText Transfer Protocol, to send and receive data. The data that’s being sent and received is HyperText. Right? That’s written in the HyperText Markup Language.

So… HTML isn’t a programming language, per se; it’s a markup language. So it defines the structure of your content. It displays things, like text and images and links to other web pages.

And there are two ways that HTML pages can exist: Static and dynamic. So static would be a lot of the pages that we might code ourselves, right? Dynamic is more of the… the web pages that are generated dynamically are like Facebook and Instagram. The user requests a page, which triggers code that generates an HTML page.

So sometimes you would want… ‑‑ if you try to look at the source code of a website, you won’t really see much of anything? Because that code, like, doesn’t exist yet. Unless you open an inspector, and you look at the code that’s visible on your side.

So, to make this content look better, it’s often styled. Right? ‘Cause otherwise, it would just be plain Arial size 12. So we add color, add shape, animation, layouts, italics. And we do that using Cascading Style Sheets, or CSS.

CSS is also not a programming language. It’s a way of representing information.
So this is what a static HTML file might look like. I grabbed this from a teaching resource, so that’s why you can see things like explanations of what HTML is, because I thought it would look a bit cleaner than the WIRED article.

And this is a CSS file! You see things like font size, font family, color, background color, position. Right? So those are the types of things that you can control using CSS. You can even make animations.

So, knowing that ‑‑ the point that we’re trying to make in saying this is that HTML can’t do anything with your data. Neither can CSS. They just display things that are coming from the other computer that you’re connecting to. So how are web pages collecting our data? Well, the code that actually does stuff in your browser is usually written in Javascript.

So… To see it in action, we can go into Tools, and Web Developer, and Inspector! And we can see some of the stuff that’s going on behind the scenes, right? This is how you do this in Firefox, and it’s similar but not identical in other browsers like Chrome and Safari. You ‑‑ I don’t think you can do this in Safari at all, but I might be wrong about that.

So if you check out the Inspector tab, we have an easier way of reading the HTML source than just pulling it all up in a really large, confusing doc. Right? We get syntax highlighting. We get little disclosure triangles. And we’re able to highlight things and see ‑‑ we’re able to hover over different parts of the HTML, and it’ll highlight that section in the actual web page. So it’s a really useful teaching tool.

The Console tab, we’re able to see more of the Javascript activity that’s happening in the background of the page. So we’re able to see all of these, like, jQuery calls and database calls and analytics. Right? So this is how a web page might try to get information about you so that they ‑‑ the company, in this case WIRED, can use that information to structure their own marketing practices. Like, how many people went to this article about sharks biting undersea cables? They would use Javascript in order to record the fact that you, one person, went to this website.

In the Network tab, it shows data being sent and data being received by your browser. Right? So all of the, all of the ones marked “POST,” or ‑‑ you can only see the P‑O, in this part, are being sent, and all the ones marked “GET” are being received.

And so some of this stuff is fairly, like, normal. It’s actual HTML stuff that’s being included on the page. You can see the different types. And then some of it, in other places, you would be able to see like actual trackers. Right?

And when you click on one of the items, you’re able to see more information about what’s being transferred.

INGRID: And this is not necessarily ‑‑ I mean, although this is not very helpful? Like, when you click the headers? It’s like, here is a bunch of words! I don’t know what’s going on! But the other tabs can give us a little more, and depending on the type of network request, you’ll get slightly easier‑to‑read data.

What are cookies and how do they work?

So, in this section, we’re going to talk a little bit about some of the tracking methods. Cookies… are called cookies, because in ‑‑ they’re called cookies with the web, because in a different technology, whose name I do not recall, this same thing was called a magic cookie.

And I don’t know why it was called that in the other one… It’s just a, it’s a… it’s a holdover from the fact that a small number of people working on the internet had inside jokes, as far as I can tell.

But a cookie is a text file that contains information. Usually it’s something like an ID. And it’s used for doing things like storing preferences, or kind of managing things like paywalls on news websites.

So in this case, the cookie that was handed off to me from this particular page gave me this ID number that’s just like a pile of letters and numbers. And my browser will store that cookie, and then when I ‑‑ if I go back to the WIRED website, it’ll see ‑‑ it’ll check to see, like, oh, do I already have a cookie assigned to this one?

And if it does, it will take note of how many other WIRED articles I’ve already read. And that’s how WIRED gets ‑‑ is able to say, hey, we noticed you’ve gone, you’ve read all your free articles… Stop, stop doing that. You don’t get anymore.

And they’re not ‑‑ they can also be used for things like, you know, like say you have, you know, a certain kind of like ‑‑ like, you have a log‑in with a particular website, and you don’t want to have to log in every time, and the cookie can store some information for you.
But they’re also used for things, like, kind of tracking ‑‑ like, just trying to see where people go online to, you know, be able to figure out how to sell them things.

Just a distinction note, like, if you look at things in the Network tab: A response cookie is a file that comes from, like, a website to your computer; a request cookie is a file that your computer generates that goes to that computer. And it’s, you know. And a lot of this is stuff that is encrypted or encoded or kind of arbitrary ‑‑ like, which is good, in so far as it’s not creating ‑‑ oh, sorry.

It’s not ‑‑ it’s not just giving, you know, information, passing information about you and storing it in the clear? You still probably don’t want it? (Laughs)

So cookies can also be used for, like, tracking. This website has like, you know, a lot of different scripts running on it, because media companies work with other, you know, companies that do this kind of audience tracking stuff.

So like, when I was looking at this one, it was like the URL that the domain was coming from is elsa.memoinsights.com. That’s a weird name, and I don’t know what any of this is. If I type that into the browser, it doesn’t produce a web page?

But when I Google “memo insights,” I find: A company that works with companies to give them, you know, competitive analysis and campaign summaries. I don’t know what these things are, but this is some boutique company that works with Conde Nast, which owns WIRED. Maybe they do something with what I read, and maybe we can learn that people who read WIRED also read the New Yorker, or something.

What are pixel trackers and how do they work?

There are other trackers on the web that are not based in cookies and are a little bit weirder. So, pixel trackers are basically just tiny image files. They’re called this because, you know, sometimes they’re literally just one pixel by one pixel. And to load the image, you know, so the image is hosted on a server somewhere else, not on the WIRED website.

It’s hosted by whatever company, who knows, is doing this work. And because the image has to load from this other server, my computer makes a request to that server. And once that request is logged, it’s ‑‑ that’s, you know, the… that server can, you know, get information from my request about, you know, my computer, where I’m coming from, what ‑‑ like, how long I spent on it, what time I accessed it.

If you ever used, like, e‑mail marketing software, or like newsletter software, like MailChimp or TinyLetter, this is usually how those services are able to tell you how many people have opened your e‑mail. They’ll have like an invisible pixel tracker loaded into the, into the actual e‑mail, and will send the information about when that image loaded to the newsletter web service.

So, and so pixel trackers, they’re sort of sneaky in that they’re like… Again, like, you literally can’t see them on the web page. And they’re not as transparently kind of present? (Laughs) As other things?

What is browser fingerprinting and how does it work?

A more ‑‑ another method of tracking users on the internet across different websites is something called browser fingerprinting, which is a bit more sophisticated than cookies. So in the last few years, browsers have become a lot more dependent on and intertwined with a computer’s, like, operating system and hardware. For example, when you join a Google Hangout or a Zoom call! (Laughs)

You ‑‑ the browser is gonna need to access your webcam and your microphone. Right? And those are, those are, you know, parts of the hardware. So there needs to be like ways for the browser to talk to those parts of your computer? And that in and of itself isn’t a bad thing. But! It means that if a, you know, if some code is triggered that asks questions about, you know, those other parts of hardware, it might just get ‑‑ like, that’s data that could get sent to another server.

So in this example, we’re looking at the loaded information includes things like browser name, browser version. And that’s stuff ‑‑ like, that will usually be in a typical request. Like, knowing what the browser is or what kind of browser isn’t that unusual? But then we get things like what operating system am I on? What version of the operating system am I on?

I don’t ‑‑ like, I don’t know why this site needs that information! And I didn’t see any fingerprinting happening on the WIRED website, so I had to go to the YouTube page that the video was on. (Laughs)

There are a lot of more detailed sorts of things that can be, like, pulled into fingerprinting. So like your camera. Like, is your camera on? What kind of camera is it? That can get ‑‑ that can be something that a, you know, browser fingerprint will want to collect. Your, like, your battery percentage, weirdly? It’s ‑‑ and all of this is in the service of creating, like, an ID to associate with you that is definitively your computer, basically.

As opposed to, like, you know, you can actually like erase cookies from your browser, if you want to. Or you can say, like, don’t store cookies. But it’s a lot harder to not have a battery.

In terms of knowing if fingerprinting’s happening, one way to do that in the Network tab is you’re looking for the POST requests, which means that your computer is sending something to another computer. And one way that it can get sent is in a format called JSON, which is an abbreviation for JavaScript Object Notation. Which is basically a format for data that can be processed by the programming language that works in the browser.

This is ‑‑ another way if, like, if the, you know, the Network tab is like a little overwhelming, there are browser extensions that can show you more kind of detailed things about what’s going on with fingerprinting.

Additionally, just as a sidenote, browser ‑‑ like, browser extensions are another example of like throwbacks of the browser. The idea that anyone can build, like, extra software for that piece of software? It’s like, no one would ever let you do that to the Instagram app on your phone. And it’s sort of a, it’s kind of a leftover thing from something ‑‑ like, Firefox started doing it in 2004, and then everyone copied them. (Laughs)

But, back to fingerprinting.

Just as far as ‑‑ this is a Chrome extension called DFPM, Don’t FingerPrint Me, which just logs this in a slightly tidier way. So I thought I would show it. And it highlights a couple of examples of ways that this page is currently doing fingerprinting that I might want to know about.

So canvas fingerprinting is a method ‑‑ it sort of describes it here. It draws like a little hidden image on the page that then is kind of encoded to be, like, your fingerprint. I think Firefox actually blocks this by default, so I had to do this in Chrome! (Laughs)

WebRTC, that’s related to your camera and microphone. WebRTC stands for Web RealTime Communication, or Chat, I’m not sure which. But that’s basically the tool used for making ‑‑ for doing web calls. They’ll also look at what fonts you have on your computer, your screen resolution. You can see here the battery level stuff.

So I guess the point I wanted to bring across with the fingerprinting stuff is just that, like, there are lots of different things in play here.

Should we ‑‑ do you think we have time for our bonus round…? Oo, it’s almost 1:00. But I feel like there was ‑‑ I’m hoping, I think there was some interest in this. I don’t know, Olivia, what do you think?

OLIVIA: I just pasted in the chat an answer to the TOR versus VPN question? So we can skip those slides. But it might be useful to kind of rapid‑fire go through safer browsing techniques? Yeah, I just got a “yes please” in the Q&A.

What is a VPN and how does it work?

INGRID: Okay. Quick version of the VPN thing. This is how a normal connection, you know, logs data about you. I go to a website, and it logs this computer came to me! This computer over here.

A VPN basically means that you’re connecting to that computer through another computer. And so your request looks as though it’s coming from kind of somewhere else. That being said, like, it’s ‑‑ you know, there’s still other data. Like, given the point I just made about fingerprinting, there’s other data that could be collected there that’s worth thinking about.

When data travels through TOR, TOR is an acronym for The Onion Router, and the idea is that it wraps your request in multiple ‑‑ by going through multiple different computers, which are called relays.

So when you use TOR, which is a browser, to connect, it sends your request through this computer and this computer and this computer, and whatever is the last one you were on before you get to the page you want to visit, that’s where this ‑‑ that’s the, like, IP address that this device is going to log. These are called ‑‑ this last sort of like hop in the routing is called the exit relay. Those can be ‑‑ yeah. I think that that, that was my attempt at being quick. I apologize. (Laughs)

OLIVIA: Fun fact about VPNs. If you ‑‑ because the United States has different privacy laws than other countries, if you were to connect to a VPN server that was in, for example, the European Union, you might get a lot more notifications from the sites that you normally go to about different cookies and different things that they do with your data. Because in Europe, they’re required to tell you, and in America, they’re not always required to tell you what they’re doing with your data.

What is private web browsing and how does it work?

Oh, I can take it. So this is how, in Firefox, you would open a private window. And private windows, I think we’re all kind of a little bit familiar with them. They clear your search and browsing history once you quit. And it doesn’t make you anonymous to websites, or to your internet service provider. It just keeps it private from anyone else.

But that might be really useful to you if you are using a public computer, or if you’re using a computer that might be compromised for any other reason. Like say if you suspect that you’re going to protest and a cop might take your device from you.

What are script blockers and how do they work?

INGRID: So script blockers, so like the tracking and the little analytic tools and stuff usually are written in Javascript, because that is the only programming language that works in a browser. So there are tools that will prevent Javascript from running in your browser. And that can be helpful for preventing some of those tracking tools from sending data back to, back to some, you know, computer somewhere else. It can be a little bit frustrating, because Javascript is used from all ‑‑ for all sorts of things on websites. Sometimes it’s used for loading all of the content of the web page! (Laughs)

Sometimes it’s used to, you know, make things kind of have like fun UI! But it’s ‑‑ so it sort of… You know. It’s worth ‑‑ it’s interesting to try, if only to see how much of your internet experience needs Javascript? But yeah. There are some tools that will, you know ‑‑ the Electronic Frontier Foundation has a cool extension called Privacy Badger that sort of learns which scripts are trackers and which ones aren’t as you browse. But yeah. These are, yeah, these are extensions that browsers will ‑‑ you can install onto a browser.

And then firewalls!

What is a firewall and how does it work?

OLIVIA: So firewalls are kind of the first line of defense for your computer’s security. It would prevent, basically, other computers from connecting directly to your computer, unless you like say yes or no. And so… They’re really easy to turn on? On your computers? But they’re not that way by default.

So in a Mac computer, like I’ve shown here, you would literally just go to security and privacy, and go to the firewall tab, and it’s like one button. Turn off, or turn on. And you don’t really have to do much more than that.

And in Windows, there’s a similar process, if you go to the next slide, where you really just go into settings, go into security, and switch the “on” setting. It’s pretty… It’s pretty easy, and it’s kind of annoying that it’s not done for you automatically.

But I recommend everyone to just check out and see, like, hey, is my firewall turned on? Because it’s a really easy step to immediately make your computer much safer.

INGRID: All right! We went through all the slides! (Laughter)

BLUNT: That was perfectly timed! You got it exactly at 1:00

What’s the difference between a VPN and TOR?

OLIVIA: Okay. So for the TOR versus VPN answer.

As we said just a while ago, TOR uses onion routing and sends your data through multiple computers called TOR nodes to obscure traffic and anonymize you, while a VPN just connects you to a VPN server, that are often owned by VPN providers, which is sometimes you have to pay to use them and other ones are free.

So I described it as kind of like a condom? (Laughs) Between you and your internet service provider? So Verizon knows that you’re using a VPN, but it doesn’t know what you’re doing on it, because a VPN would encrypt all your traffic.

It’s really important that you use a VPN that you trust, because all of your internet traffic is being routed through their computer, which is another reason people like to pay. Because you can have a little bit more faith that it’s like a trusted service if you’re paying for it? Even though that’s of course not always true.

But there is Proton Beacon, which is one I use that’s free, which is run by the same people who run Proton Mail, which I use. I haven’t had any problems with it.

You can use a VPN and TOR at the same time, which is what the question directly asked. And I believe that your ISP would know that you’re using a VPN, but because you’re using a VPN it wouldn’t know that you’re using TOR. Ingrid, if that’s not true, you can like clap me on that.

Because TOR is super slow and it routes your computer through a bunch of different things, it can break a lot of websites, including video streaming like YouTube and Netflix. A lot of people use VPNs, however, so they can access videos or things that are banned in different countries by making it look like they’re in a different place.

But if you’re doing something highly sensitive or illegal, you’d probably want to use TOR, and probably some other precautions, too.

BLUNT: Thank you so much. That was super helpful. Do folks have any questions? Is there anything that people would benefit from sort of like going back and going into in a little bit more detail?

Someone just said: Is there a way around TOR breaking websites? I’ve had used it and it throws a lot of captcha tests on regular websites.

OLIVIA: So Cloudflare kind of hates TOR? (Laughs) It takes a really aggressive stance towards TOR users, actually? There was like an Ars Technica article I read that said Cloudflare said 90% of TOR traffic we see is, per se, malicious.

So I don’t know if there’s going to be a time that you can use captcha and not have it act up, because Cloudflare sees that kind of activity as malicious activity.

Can Apple see what you’re doing on your computer or phone?

INGRID: “This may be hardware‑related, but does Apple see what you’re doing on your computer because you connect to the internet, e.g. any photos, videos you store?”

Okay, to make sure I understand the question: Is the question whether, like, if you’re using an Apple device, whether Apple is able to see or collect anything if you’re connected to the internet from that device?

Okay. So I think ‑‑ I mean, the answer to that is you would need to kind of tell them to do that? (Laughs)

They’re ‑‑ so like, if you are using something like iCloud to store photos and videos, then yes, they would be able to see and have all of those. But in terms of, like, just being on the internet doing things on an Apple device? Apple can’t personally, like, kind of peek in and see that. I mean, they, like ‑‑ there are, you know, other computers will know that you’re on an Apple device.

But yeah, you have to be directly interfacing with Apple’s network for Apple to be able to have anything on or from your computer.

OLIVIA: And when it comes to things like iMessage and iCloud, they… say? That that information is encrypted. Of course, it’s like not open sourced, so we don’t actually know how they’re encrypting it or what they do. But Apple has said for a while that communications between, like say two iMessage users?

So not someone using it to speak to someone who has an Android; that’s SMS.

But two iMessage users speaking to each other, that’s technically an end‑to‑end encrypted conversation. Apple does collect some information from you when you are initially typing in someone’s number to text them, because it pings the server to find out if that number is associated with an iCloud amount.

So for iPhone users, that little moment between when a number that you’re typing in turns either blue or green, in that moment it’s sort of pinging Apple’s servers. So they do have a list of the times that that ping has occurred.

But of course, that doesn’t tell you if you actually contacted the person whose number you typed in; it just knows that you made that query. And that’s the extent, so Apple says, of the information that they collect about your iMessage conversations.

So, yes, they do ‑‑ they can technically see that information? But they tell us that they don’t look at it. So.

Open-source vs. Closed-source Technology

BLUNT: Can you explain a little bit more about open source or closed source technologies?

OLIVIA: Yeah! So, open source technologies are… basically, they’re apps, websites, tools that they’re ‑‑ the code that’s used to write them and run them is publicly available.

When it comes to security technologies, it’s really… best practice to try to use tools that are open source, because that means that they’re able to be publicly audited.

So like, regular security experts can like go in and like actually perform an audit on open source security tools, and know that they work. Versus, you have a lot of paid security tools that you basically assume that they work because people tell you that they work?

And you can’t really, like ‑‑ the public can’t really hold them to any, like, public accountability for whether or not they work or not.

Versus you can actually, like, test the encryption algorithm, say, of Signal, which is a messaging app and all of their code is public information.

INGRID: Open source, it’s also like a way of… kind of letting people developing software kind of support each other, in a way? Because the fact that Signal is open source, it’s not just like oh, we can be accountable if Signal says it’s doing something but it’s not; it’s also a way to be like, hey, I noticed something. Is it working? And you can actually directly contribute to improving that technology.

It’s complicated ‑‑ I mean, the world of open source, it’s complicated in that it’s like, it still has elements of the like… you know, snobby, like, like culture of tech, sometimes? But it, it’s kind of ‑‑ in principle, it’s very like useful for being able to have technologies that are accountable and that kind of have some element of like public engagement and understanding.

How to Choose a VPN

BLUNT: Awesome. Thank you. And so I have another question in the chat: What are some good ways to assess the trustworthiness of a VPN, as you were discussing before?

OLIVIA: The way most people do it, I think, Ingrid, you could check me on this, is kind of by reputation. If you look up how to find a good VPN, you’ll find a lot of articles where people talk about the pros and cons of different ones. And you’ll be kind of directed to the ones considered by the public to be the most trustworthy ones?

INGRID: Yeah. And I think one way I guess I evaluate companies sometimes on this is like looking at their level of engagement with the actual, like, issues that they… of like user privacy?

So like, one of the, you know, things I ended up using as a reference for this workshop as a guide to making ‑‑ as a guide for, like, different browsers, was like a blog post by Express VPN. And they’re a company that, they don’t have to tell me anything about like which browser ‑‑ there’s no reason for them to generate that content.

I mean, it’s good PR‑ish? But they’re not going to get new customers because I’m using a different browser now.

So some of it’s thinking, you know, is it open source or not? What is the like business model? And are they kind of actively, you know, engaging with issues related to user privacy?

We’ll talk a little bit more tomorrow about legislative issues around privacy, and that’s also another way. Like, have they taken positions on particular, you know, proposed laws that could harm user privacy?

To me, those are sort of like, how are they kind of like acting on principles?

OLIVIA: It also might be a good way of checking to see if ‑‑ yeah! If they produce logs in court proceedings, so you know that they don’t track traffic.

Also, to see like, say, certain companies might be funded by other companies that, like, are less concerned about… public safety or privacy or human rights.

So that might also be a good way of like checking to see, like, the integrity of a VPN company. ‘Cause at the end of the day, they’re all companies.

Is WordPress a reputable option for sex workers?

INGRID: All right. The next question: Would y’all consider WordPress reputable for housing a sex worker website?

This ‑‑ thank you for asking, because it lets us kind of talk about something I wanted to figure out how to include in that whole presentation but didn’t.

So… Just as like a point of clarification, and maybe this is understood by people, but maybe for the video it will be helpful… WordPress? (Sighs) Is both a, like, hosting company and a piece of software. WordPress, I think ‑‑ WordPress.org is the hosting one? Or WordPress.com? I can never remember. (Laughs)

I think it’s WordPress.com. But you can host a website on WordPress’s, like, platform, and when you do that you will be running a website that is built using WordPress’s software. Which is also called WordPress! This is confusing and annoying.

But… you can also use WordPress’s software on another web, like, hosting service. Like, you can install WordPress onto a like hosting service website. I think a fair amount today, like of hosting services, actually do sort of a one‑step click, like they’ll set up a server with WordPress for you option.

In terms of WordPress, like, as the host of a website? And as a host for sex worker websites… I don’t actually know. I would say ‑‑ I would, like, check ‑‑ I would need to go check their terms of service? (Laughs)

I think in general… Yeah. I don’t totally ‑‑ I think with all hosting companies, it’s hard ‑‑ like, they’re, like, figuring ‑‑ figuring out which ones are kind of the most reputable is partly about looking at any past incidents they’ve had in terms of takedowns, or like what their ‑‑ also like where they’re located?

So like, WordPress is a company based in the United States, so they’re beholden to United States laws and regulations. And I’m guessing part of the reason this question was asked is that this person ‑‑ that you probably know a little bit about FOSTA‑SESTA, which makes it harder for companies to allow any content related to sex work on their servers.

And as far as I know, WordPress wants to be compliant with it and hasn’t taken a radical stance against it.

Blunt, do you have any…?

BLUNT: Yeah, I can say I think hosting anywhere on a U.S.‑based company right now has a certain amount of risk, which you can decide if that works for you or not. If you are hosting on WordPress right now, I would just recommend making lots of backups of everything, as like a harm reduction tool. So if they decide to stop hosting your content, you don’t lose everything.

And I also just recommend that for most platforms that you’re working on. (Silence)

Cool. So we have around 15 minutes left. So if there are any other questions, now’s the time to ask them. And… I don’t ‑‑ and if not, I wonder if just chatting Ingrid and Olivia a little bit about what y’all will be covering in the next two days!

Okay, we have two more questions.

Can you reverse browser fingerprinting?

“This may be a digital surveillance question, but once you get browser fingerprinted, is it reversible?”

INGRID: Hmm. That’s actually a question where I’m not sure I know the answer. Olivia, do you know…?

OLIVIA: No…

INGRID: I do know that… you can sort of ‑‑ I know on some, on mobile devices, you can like spoof aspects of your identity?

So, like, you can ‑‑ like, so I mentioned Mac addresses are sort of this hard coded thing. That’s just the idea of your like device? A phone can actually ‑‑ like, you can actually generate sort of like fake MAC addresses? (Laughs)

That are the one that’s presenting to the world? So if that sort of was a piece of your fingerprinted identity, that’s one way to kind of, like ‑‑ you know. It’s like you wouldn’t be a perfect match anymore? But… Yeah, I don’t know if there’s sort of a way to completely undo a fingerprinting.

Yeah. I will also look into that and see if I can give you an answer tomorrow, if you’re going to be here tomorrow. If you’re not, it will be in the video for tomorrow.

Additional Digital Literacy Resources

BLUNT: Great, thank you. And someone asked: Are there any readings that y’all would recommend? I’ve read Algorithms of Oppression and am looking for more. I love this question!

OLIVIA: That… the minute I heard that question, like, a really long list of readings just like ran through my brain and then deleted itself? (Laughs) We’ll definitely share like a short reading list in the bibliography that we’ll send out later.

BLUNT: Awesome. That’s great.

Okay, cool! This has been really amazing. Thank you so much. I’m just going to say, one more chance for questions before we begin to wrap up.

Or also, I suppose, things that you’re interested in for the next two days, to see if we’re on track for that.

How do fintech companies use digital surveillance?

Someone asks: This is a fintech‑related question for digital surveillance, but can you talk about how that kind of works internet‑wise?

INGRID: Fintech…

BLUNT: For financial technologies. And how they track you. Oh! So like, if you’re using the same e‑mail address for different things? Is that sort of on the…?

OLIVIA: Like bank tracking? Like money type of…?

INGRID: So… Depending on the, you know, like financial servicer you’re working with, like PayPal or Stripe or whatever, they’re going to have ‑‑ like, they ‑‑ like, in order to work with banks and credit card companies, they are sort of expected to kind of know things about you.

These are like related to rules called KYC, Know Your Customer. And so part of the tracking or like ‑‑ or, not tracking, but part of information that is collected by those providers is a matter of them being legally compliant?

That doesn’t mean it produces great results; it’s simply true.

And I think the ‑‑ in terms of the layer ‑‑ I’m trying to think of what’s ‑‑ I don’t know as much about whether or not companies like Venmo or… Stripe or PayPal are sharing transaction data? I’m pretty sure that’s illegal! (Laughs) But… Who can say. You know, lots of things happen. That would be capitalism.

BLUNT: I also just dropped the account shutdown harm reduction guide that Ingrid and Hacking//Hustling worked on last year, which focuses a lot on financial technologies and the way that, like, data is sort of traced between them and potentially your escorting website. So that was just dropped into the chat below, and I can tweet that out as well in a little bit.

Zoom vs. Jitsi: which is more secure?

OLIVIA: Privacy/security issues of Zoom versus Jitsi… I also prefer to use Jitsi when feasible? But I also found that call quality kind of drops really harshly the more people log on. Like, I don’t think we can actually sustainably have a call of this many people on Jitsi without using like a different ‑‑ without hosting Jitsi on a different server.

Concerning how I handle the privacy/security issues of Zoom, they’re saying they’re going to start betaing end‑to‑end encryption later this month. I don’t know what that actually even means for them, considering that they’re not open source, right?

But I do say that one of the things that I tend to try and practice when it comes to, like, using Zoom, is kind of maintaining security culture amongst me and people who we’re talking to. Right? So I’m never going to talk about, like, any direct actions, right, that are going to happen in real life on Zoom. Refrain from just, like, discussing activity that could get other people in trouble anyway.

Like, while it would be nice to have, like, say this kind of conversation that we’re all having now over an encrypted channel, I think it’s generally much safer and ‑‑ I don’t like using the word “innocent,” but that’s like the word that is popping into my head, to talk about ‑‑ to use Zoom for education, even if it is security education, than it would be to actually discuss real plans.

So… It might be really beneficial to you if you are, like, say, having ‑‑ using Zoom to talk to a large group of people about something that is kind of confidential? To talk over, like, Signal in a group chat, or some other encrypted group chat platform, and decide like, okay, what are you allowed to say over Zoom, and what you’re not allowed to say. And to think of Zoom as basically you having a conversation in public.

Assume for all of your, like, Zoom meetings that someone’s recording and posting it to ‑‑ (Laughs)

YouTube later! And that would probably be… that would probably be the most… secure way to use it, in general? Is just to assume that all of your conversation’s in public.

BLUNT: Yeah. I totally agree, Olivia. And that’s why this is going to be a public‑facing document. So, Zoom felt okay for us for that.

INGRID: Yeah. I mean, I think another way I’ve thought about this with Zoom is like, just remembering what Zoom’s actually designed for, which is workplace surveillance? Right? It’s like, you know, its primary market, like when it was first created, and still, is corporations. Right?

So there’s lots of ‑‑ so like also, when you’re going into like ‑‑ even if you’re going to a, you know, public Zoom thing that is, you know, about learning something. Like, whoever is managing that Zoom call gets a copy of all of the chats. Right?

And even if you’re chatting like privately with one other person, that message is stored by ‑‑ like, someone gets access to that! And… Mostly just that’s something to… like, thinking ‑‑ like, just keep in mind with, yeah, what you do and don’t say. Like, especially if you are not the person who is running the call.

Think about what you would or wouldn’t want someone you don’t know to kind of like have about you.

What’s to come in the digital literacy lunch series?

BLUNT: Awesome. Thank you so much. Do you want to start to wrap up and maybe chat briefly about what we’ll be seeing in the next two sessions?

OLIVIA: Sure, yeah. So the next two sessions are going to be one talking more about how platforms work and sort of the whole, like, algorithmic ‑‑ bleh! (Laughs)

Algorithmic curation, and how misinformation spreads on platforms, and security in the Twitter sphere, rather than just thinking about using the internet in general. And then the third will be talking more explicitly about internet surveillance.

So we’re going to be talking a little bit about surveillance capitalism, as well as like state surveillance, and the places where those intersect, and the places where you might be in danger and how to mitigate risk in that way.

Leave a Reply