Hi, Eric - thanks for this message. I appreciate the the cautions you note re. public wifi and internet cafe use, and all of us in this field certainly appreciate your use of https by default. Gmail does stand out in that regard in comparison to the other, often-used email providers in the countries that I work in (such as Yahoo and Hotmail.)
However, you are not addressing my question re. browser history. I am copying the Liberation Tech list where this was discussed to keep my colleagues there in the loop. I am also copying David from the GNI who was looking into this. It would be great if you could reply to all. While I understand your reasoning (such as on putting the onus on the user to be educated and aware), our use case is a person who is not necessarily a self-described activist, has only recently learned how to use a computer, and definitely has not had any formal (or even informal) training. Privacy-protected browsing is not in their repertoire, for the most part. That person may say something in a subject line that can be construed as political involvement when, in fact, it is not. Or it may be someone who is just getting involved, say in the context of an upcoming election, for instance, revealing accidentally political affinities when that may not be advisable. This feature lowers the barrier for 'accidental' invasion of privacy significantly after a user has logged out of gmail. It does not require a any knowledge of tech and no premeditation. (Installing and reading keylogger software does require some tech knowledge AND premeditation.) It is also a real threat in many countries where there are a large number of informers who do not necessarily have deep technical knowledge. This feature, given in the countries that I and many on the list here work in, does beg the question why, from the standpoint of usability, you all believe it is a desirable/necessary feature? Incidentally, as noted, Yahoo and Hotmail do not store the subject line of email in their browser history when a user has logged out. Love to hear more linking to each email as a separate page with a title tag is critical for usability, and whether that modifying what's displayed in the title tag of an HTML page after logout is possible. If you like to see some of the sensitive and personal information we were able to glean from the logs in an internet cafe in a repressive country, we'd be happy to share that. I think it'll make the case quite convincingly that maybe user privacy should override usability in this case for many users who rely on shared computers. Thanks so much for addressing this topic more specifically. All the best, Katrin On Jul 14, 2012, at 1:56 AM, Eric Davis wrote: > Hi Katrin, > > Thanks for flagging this. As someone who works on security issues, I > appreciate your concerns. Google product security is designed with the > typical user in mind, so most of it works in the background. However, there > are some choices users should make themselves, especially since different > users have different objectives and priorities. We believe education is an > essential part of security, and to that end provide materials such as in our > "Good to Know" campaign, and we are an active member of the NCSA, a > now-global organization focused on security education. > > When someone uses a publicly accessible computer or an open wifi system, they > are increasing their security/privacy risks. This goes beyond email subject > headers; for example, if someone checks their email via an open wifi system > and their email provider doesn't use session wide https, the full content of > their emails and chat sessions are exposed to anyone using a packet sniffer. > There are packet sniffing browser apps such as Firesheep, which can be > installed within minutes by non-technical users. Gmail is the only major > email provider that provides session wide https by default. > > Some publicly accessible computers (as well as some personal computers) are > infected with malware, including keyloggers. There are of course additional > considerations about spyware when using computers in repressive regimes. In > the event someone uses a publicly accessible computer, he or she should > especially be sure to enable 2-Step Verification, our multi-factor > authentication feature. With 2-Step Verification running, a third party > wouldn't be able to log into my Gmail account just by using my password. > Facebook offers a similar feature. > > In addition to running browser incognito mode when using a public computer, > we also strongly recommend people sign out of their account when they're > done. Again, first and foremost, users should take steps to protect the > content of their private emails. > > I hope this is helpful. I'd be happy to speak with you in more detail over > the phone. > > Best Regards, > > - Eric > Eric Davis | Google Public Policy | [email protected] | 650.492.4612 > > ---------- Forwarded message ---------- > From: Katrin Verclas <[email protected]> > Date: Wed, Jul 4, 2012 at 4:59 AM > Subject: Fwd: question about browser/Gmail subject line / browser history > exposure > To: Christine Chen <[email protected]> > > > Hi Christine - Not sure you are the right person to contact but wanted to > make you aware of this below, and figured you know who would be a good > contact. > > Can you or relevant colleague provide any insight into this (or try to change > it?) We like recommending gmail over Yahoo etc mail services because of your > security practices but this seems problematic. > > Thanks for looking into it. > > Regards, > > Katrin > > > > Begin forwarded message: > > > From: Katrin Verclas <[email protected]> > > Date: July 4, 2012 7:52:55 AM EDT > > To: Stanford tech list List <[email protected]> > > Cc: "Jillian C. York" <[email protected]>, Wojtek Bogusz > > <[email protected]> > > Bcc: [email protected] > > Subject: question about browser/Gmail subject line / browser history > > exposure > > > > Hi all -- > > > > Question for you: A colleague noticed in an Internet cafe (in a repressive > > country) that in FireFox and Chrome the browser history reveals the subject > > line of gmail. The history also reveals the name of the person a user > > Facebook-messaged and profile pages visited. The same was not true for > > Yahoo or hotmail. > > > > See below for a sample screenshot that illustrates what I am talking about > > (using the latest version of FF on Mac OS) It seems to be a function of > > gmail/FB not the browser (same happens in Chrome and Safari, did not try > > for IE). As I said, Yahoo mail and Hotmail do not reveal the subject line > > in the history as far as we could see. > > > > So - is this and oversight or deliberate on the part of Gmail/F? > > > > It seems potentially rather problematic since most users do not delete > > their history nor use any private browsing features or software when in an > > internet cafe. We looked at detailed name/subject line/FB social grapsh in > > the browser history of machines in the cafe for at least eight months > > back). With this information it is very easy to see an individual's > > activity without any other digital logs installed. > > > > Curious about this from a technical POV and whether it can be fixed by > > Gmail/Facebook. We can involve the right people there; after understanding > > this better. > > > > In the meantime, this definitely should be covered in any trainings (that > > is - do not use a a sensitive or revealing subject line, delete your > > history, browse in private mode, etc) > > > > Thanks for any insights. > > > > Best, > > > > Katrin > > > > > > > > > > Katrin Verclas > MobileActive.org > [email protected] > > skype/twitter: katrinskaya > (347) 281-7191 > > Check out SaferMobile.org > Using Mobile Technology More Securely. For Activists, Rights Defenders, and > Journalists. > https://safermobile.org > > MobileActive.org: A global network of people using mobile technology for > social impact > http://mobileactive.org > > > > > <Screen shot 2012-07-04 at 7.37.19 AM.png> Katrin Verclas MobileActive.org [email protected] skype/twitter: katrinskaya (347) 281-7191 Check out SaferMobile.org Using Mobile Technology More Securely. For Activists, Rights Defenders, and Journalists. https://safermobile.org MobileActive.org: A global network of people using mobile technology for social impact http://mobileactive.org _______________________________________________ liberationtech mailing list [email protected] Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech
