Transcript of Episode #953

Active Listening

Description: Is the U.S. ever going to be able to introduce new child protection legislation, or are we going to continue punting to the U.S. Constitution? 2024 means the beginning of the end of traditional third-party cookies in Chrome. What's the plan for that? How much did the Internet grow during 2023, and why? What's the most used browser-based query language? What's the updated ranking of sites by popularity? What percentage of total Internet traffic is generated by automation? Those and many other interesting stats have been shared by Cloudflare. Then, after catching up with a bit of SpinRite news and some feedback from our listeners, we're going to examine the content of some very disturbing web pages that Cox Media Group originally posted, then quickly removed.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-953.mp3

Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-953-lq.mp3

SHOW TEASE: It's time for Security Now!. Steve Gibson is here. Can you believe that the FTC wants to fine Facebook $200 billion? Why Facebook's fighting it, and why some people think maybe they ought to. We'll also talk about the percentage of Internet traffic generated by automation, and how much the Internet traffic has increased in this year alone. And then an amazing offer from Cox Media Group to sell advertisers based on the things you say around the house. Is that possible? Steve will talk about it and more, next on Security Now!.

Leo Laporte: This is Security Now! with Steve Gibson, Episode 953 for Tuesday, December 19th, 2023: Active Listening.

It's time for Security Now!, the show where we cover your security, privacy online, and we talk about how the Internet works, and we also share some fun stuff about sci-fi and other things with this guy right here, Steve Gibson of GRC.com. Hi, Steve.

Steve Gibson: Leo, this is the last podcast we will be recording in 2023.

Leo: End of the year.

Steve: And the good news is the podcast itself will not be ending in 2024.

Leo: Woohoo.

Steve: As it was previously planned to be. But no, by popular demand, literally, we're going to continue. We're going to answer some questions and look at something I think interesting and kind of horrifying and come away with an action plan for next year.

So is the U.S. ever going to be able to introduce new child protection legislation, or are we going to continue punting to the U.S. Constitution? 2024 means the beginning of the end of traditional third-party cookies in Chrome, finally. What's the plan for that, exactly? How much did the Internet grow during 2023, and why? What's the most used browser-based query language currently? What's the updated ranking of sites, top 10, by popularity? What percentage of total Internet traffic is generated by automation? Those and many other interesting stats have been shared by Cloudflare, and we'll dig into those.

Then, after catching up with a bit of SpinRite news which I had promised last week, I have it this week, and some feedback from our listeners, we're going to examine the content of some very disturbing web pages that Cox Media Group originally posted, then quickly removed from the Internet. But not before the Web Archive snatched them up, so we still get to see them. And as always, we have a fun Picture of the Week to share with our listeners.

Leo: And I will not look, as always. All right. I have a picture. Well, you have a picture. I'm ready to look at it. Shall I look at it now?

Steve: Look at it now.

Leo: Okay. Schrodinger's Bowls. I've seen this picture before. This is a nightmare scenario. Describe it for us, Mr. Gibson.

Steve: Yeah. So what we have is a cabinet with four panes of glass, so we're able to see what's inside. And what's happened is, through some catastrophe, maybe an earthquake, we don't know what, a large number of bowls that were once stacked have fallen over inside the cabinet and fallen toward the glass so that, by some miracle, a whole bunch of them have not actually dropped to the bottom because each one in sort of an almost accordion-like fashion is holding onto the lip, the bottom edge of the one below it. And so here's the point. This says "Schrodinger's Bowls currently exist in a state of being both broken and unbroken, until the cupboard is opened to determine their fate." Because it's very clear you're not opening this cupboard, as long as there's gravity...

Leo: You might try.

Steve: ...without breaking some bowls.

Leo: You could try. You might slide a little paper in there. Yeah, you're right, they're just going to - something's got to...

Steve: Yeah, I mean, maybe like if you had some fancy expandable foam, chemical foam.

Leo: There you go, that you put on the floor.

Steve: That you just squirt in there and then, like, you know. But basically these bowls, the point is these bowls are already broken. I mean, they are as good as broken. But it just hasn't happened yet. So, yeah. Anyway, that was a great one. And Lorrie's son Robert was over yesterday, and he, too, had seen it before. So it was new to me, but obviously it's been a meme that's been around a while. So anyway, a little bit of fun.

Okay. So here's something that's not fun. Meta is suing the U.S. Federal Trade Commission on the grounds that it, the FTC, does not have the constitutional authority to hold Meta accountable, and the FTC is attempting to fine Meta - get this - $200 billion.

Leo: What? What?

Steve: $200 billion over Meta's deliberate and flagrant violation, they say, the FTC says, of the Children's Online Privacy Protection Act - we've talked about COPPA, C-O-P-P-A, before - which requires parents to sign off before websites gather and use personal information from children younger than 13. The FTC claims that - and yes, Leo, I like did a double-take and went back and verified it was billion with a "B" because $200 billion. Anyway, the FTC claims that the recent lawsuit filed by 41 states' attorneys general documents that Meta had knowledge that millions of users younger than 13 use its services without having obtained parental permission.

Okay, now, the thing that caught my eye about this is that unbiased observers believe that Meta's argument likely has merit. Even ex-FTC guys are saying, oh, the FTC's probably going to lose this one; and also that the U.S. Supreme Court may side, is likely to side with Meta if the dispute reaches our highest court. So this is another of those issues - and yes, they're piling up - where what's really needed is for U.S. lawmakers in Congress to make some laws, in lieu of continuing to over-leverage and over-interpret the U.S. Constitution. Not surprisingly, the U.S. Constitution, largely written in 1787, which was before two paper cups connected by a string was invented, offers little guidance on the issue of age-based IP-driven website content filtering. What we need are some laws here.

But that turns out to be a problem, too. We've spent some time looking at the UK's attempt to force some means of monitoring all encrypted messaging. And the future of the EU's legislation to force browsers to accept their countries' individual certificate authorities without question remains unclear. The clear pattern here is that technology rarely seems to line up with what lawmakers want. Unfortunately, that never appears to deter them or to make them want it less. They just become more insistent that they ought to be able to have anything they want.

So along those lines, we have a mess brewing here now in the U.S. that Meta's pushback against the FTC brings into sharp focus. It promises to create another challenge that technology may not be able to deliver, and this happens every time we ask the Internet's amazing array of technologies to do something it was never designed to do. Legislators are talking about wanting Internet content providers to protect young people in the U.S. by blocking content based on age. And even if that was all they wanted, it's unclear how technology could provide that. But there are other legislators who believe that some young people must continue to have unfettered access to content that's inherently controversial. So we can't even agree on what we want, even if the Internet technology could provide it.

Suzanne Smalley is a reporter for The Record. She's been following this developing story. Her most recent installment last Monday covered this Meta pushback against the FTC, which may actually, as I say, the FTC may actually lack the legal grounds for their attempted regulation of Meta. But back in July, Suzanne posted a piece in The Record which captured the heart of the issue. Under the headline "Sweeping and controversial children's digital privacy bills" - plural, bills - "head to the full Senate." After my light editing for the podcast, this is what Suzanne wrote.

She said: "Two bills designed to bolster children's privacy and safety online advanced in the Senate on Thursday" - again, that's a Thursday back toward the end of July - "after months of infighting between children's advocacy organizations and technology civil rights groups over what the latter see as problematic freedom of speech and privacy concerns in the legislation. Despite the mixed views, Commerce, Science and Transportation Committee voted to advance the bills, known as the Kids Online Safety Act" - okay, so this is a new one we haven't spoken of before, KOSA - "and the Children and Teens Online Privacy Protection Act." That's COPPA 2.0, so we're going to update that, hasn't been touched since 1998. She wrote: "The latter updates an original COPPA bill passed in 1998, which is considered the first and only major federal privacy legislation.

"Committee Chair Senator Maria Cantwell cheered both bills' success" - that is, you know, in getting to the Senate, at least - "saying of COPPA 2.0 that children and teens can be 'overwhelmed with the complexities of online content that is manipulated and targeted at them.' She said the bill strengthens protections and closes loopholes while ensuring data of children under age 17 is protected more rigorously. President Joe Biden, who discussed the need for stricter children's privacy laws in his State of the Union address, urged the committee to approve the bills earlier this week, but there are questions about their potential to become law, particularly since there are no House versions.

"COPPA 2.0 changes the existing law to require online services to stop collecting data from kids under age 17," which raises it from the underage 13 of COPPA 1.0. "KOSA [that K-O-S-A law] is far more sweeping and requires platforms to filter content directed to users under age 17 in the name of preventing, for example, suicide and anorexia. While celebrating the progress of KOSA, Cantwell acknowledged the profound concerns in the free speech and technology civil rights communities about how the bill would block vital LGBTQ content from older teens. Acknowledging the advocates' concerns, Cantwell said, 'we will continue to work with them.' KOSA, the more politically charged of the two bills, is supported by a range of children's privacy groups and larger organizations devoted to children's mental health, including Common Sense Media, the American Psychological Association, Fairplay and the American Academy of Pediatrics.

"A letter to senators signed by more than 200 groups pointed to troubling statistics that advocates say are directly tied to the broad freedom of access children have to online content and the uncontrolled and often profit-driven behavior of companies pumping it out to them. The letter highlighted that depression rates in teens doubled from 2009 to 2019 and cited a similar doubling of eating disorder emergency room admissions for teen girls from 2019 to now." So just in four years that doubled.

"More than 90,000" - nine zero zero zero zero - "90,000 pro-eating disorder accounts with 20 million followers appear on Instagram, the letter said, with Meta earning an estimated $230 million annually from such accounts. The letter signed by more than 200 groups said: 'After numerous hearings and abundant research findings, the evidence is clear of the potential harms social media platforms can have on the brain development and mental health of our nation's youth, including hazardous substance use, eating disorders, and self-harm.'

"The founder and CEO of Common Sense Media, which focuses on children's privacy and safety online, echoed the letter's assertions Thursday and highlighted the outdatedness of current laws governing children's use of technology, saying the bipartisan group of sponsors were 'doing their part to bring tech policy into the 21st Century.' A large number of freedom of expression and data privacy groups, including the Electronic Frontier Foundation, the Center for Democracy and Technology, and the ACLU, have lobbied hard against KOSA in particular, saying the costs it imposes to address children's online safety are too high. KOSA would mandate parental consent when children under age 13 create online accounts and require providers to give the parents of these children the ability to change privacy settings. As a result, advocates say, children will be forced to tell their parents which sites they visit.

"They point to the bill's inclusion of a so-called 'duty of care' provision, which they say creates an obligation for online service providers to prevent harm to minors under age 17. But in doing so, the bill's broad language will effectively block a wide range of important information, including about mental and reproductive health, LGBTQ issues, and substance use dependency support, they say. The requirement to 'prevent' harm is extreme, advocates say, and will lead to extensive and often ineffective content filtering.

"The bill will also likely trigger an overreaction from online content providers who Emma Llanso, director of the Free Expression Project at CDT, said will block far more content than necessary over liability concerns. Llanso also criticized how the bill would give civil enforcement power to uphold the law to states' attorneys general, many of whom she said have extreme views on reproductive care and LGBTQ rights. At a time when many states are already seeking to block information about gender affirming and reproductive health care, she said, the bill 'puts the most vulnerable young people at a serious disadvantage, facing harassment and consistent targeting of their speech or the speech of people who might be resources or lifelines for them.'

"KOSA inserts itself into the parent-child relationship while ignoring minors' privacy, constitutional and human rights access to information, according to Cody Venzke, who is senior policy counsel for Surveillance, Privacy, and Technology at the ACLU. Venzke said: 'KOSA has created a blunt technological veto over minors' right to learn, explore, and speak.' Advocates also have argued that age verification requirements in both bills would undermine adult and children's privacy.

"In a recent blog post, a CDT policy analyst wrote that because KOSA proposes having online services 'limit by default' minors' ability to communicate with other users, a provision that can't realistically be applied to adults, it will be impossible to separate adults and children without asking for identification, which could include birth certificates or even facial scans.

"The large number of children's health organizations pushing KOSA say years of failure by social media companies to protect children and adolescents from harmful effects is what prompted the bill's 'duty of care.' The bill's provision for substantial parental controls will create a far safer digital environment, they say. Citing the 90,000 Instagram accounts promoting eating disorders, the Common Sense Media's Technology Policy Counsel said currently many platforms are sitting idly by, continuing to profit off a bubble like that.

"The Counsel acknowledged that content filtering isn't perfect, but said KOSA can be refined over time. In the meantime, she said, under the new law, policymakers will learn more about how online providers' algorithms work, which they can leverage to better protect kids.

"Meanwhile, over on the COPPA 2.0 side, many advocates worry the COPPA 2.0 bill would undermine privacy for substantially more people because it will be less clear who is a child when data collection bans apply to users as old as 16." Previously it was 13. "As a result, age verification will be required from a larger number of people, they say. With users under age 13, content filtering is easier to do. But 16-year-olds use most of the Internet, making age verification much more sweeping and problematic."

And finally, "Eric Null, who is co-director of the privacy and data project at CDT, said, as with KOSA, COPPA 2.0's imposition of an implicit society-wide need for identification could quite possibly lead to the platforms requiring photos of all users' faces. The CDT blog said the bill is poorly designed, pointing to how the bill's 'verifiable parental consent mechanisms' in some cases allow any adult to provide consent, which would make the law easy to circumvent and meaningless. Null said, 'A big issue from our perspective is that when you raise that age limit, the number of websites that have to verify age of all their users skyrockets.'"

Okay. That was long, but I think it was important to, like, lay out the fact that this is not going anywhere. The UK and the EU are certainly not alone in facing challenges created by the Internet. Here in the U.S., as I said, what I just shared clarifies why we don't have legislation around this. It's not for any lack of recognition that problems exist. The problem is that there's zero consensus about what the problem is. Half of our legislators and action groups want to protect children from content they consider to be harmful, while the other half feels just as strongly that those same children need protected private access to exactly that same controversial information for their benefit.

The way things are currently balanced in Congress, I don't think we need to worry about anything happening in the way of new legislation anytime soon. It should be clear to everyone why Congress is deadlocked over this legislation. And as I noted earlier, Suzanne's updated reporting suggests that the FTC may have broadly overreached and overstepped and that Meta, whose size certainly enables it to defend itself, may prevail in the FTC's attempts to rein in, you know, various parties, including Meta's behavior, with lawsuits and stunning monetary fines. $200 billion is money worth fighting over.

Leo: Yeah, I mean, they're only worth 900 billion. So that's a quarter of their CapEx. That's crazy.

Steve: It's crazy, yes.

Leo: So I think the real issue is that it's a new medium, and legislators or people in the EU are trying to regulate it like broadcasting. But it doesn't work that way. And you're trying to attack at the wrong end of the funnel, at the big fat end. Ultimately it's got to be parents. They're the only people who can - once it gets out of the house, there's nothing you can do. And trying to regulate the Internet like television is nuts. It's just not going to - it doesn't work.

Steve: Well, and so the good news is, I completely agree, the good news is it's very clear this country today is not going to pass this legislation.

Leo: Yeah, but it's sad when we have to rely on the dysfunction of our elected leaders to protect us. That's, you know, that's not ideal, shall we say. And what happens if we get an effective Congress; you know?

Steve: Well, and so if we had that happen, then we have the problem of implementing the technology.

Leo: Yeah, you just can't do it. That's the problem.

Steve: No. It's just not like, again, just as in the UK and in the EU, if some law was passed that said, you know, you must verify the age of anyone 16 or younger, okay, how would you like us to do that?

Leo: Yeah. States have passed laws like that for pornography. And Pornhub just pulled out, said look, anything that we could do to verify ages would be such an invasion of privacy that we're not willing to do it, and you probably wouldn't want us to do it. It's just, but legislators are - I don't think they're dumb. I think they're just angling for votes. And this is a thing that can get votes. Protect the children always gets votes.

Steve: And I would argue, too, that they often aren't concerning themselves with the how of doing things; right?

Leo: Yeah, that's true, yeah.

Steve: You know, it's just like, well, you know, you geniuses in Silicon Valley...

Leo: You figure it out, yeah.

Steve: You seem to be able to do anything. So just, you know, solve that problem.

Leo: We can regulate TV. We can keep stuff that minors shouldn't see off television because it's a small group of people, and you can do that. But you just can't do it with the Internet.

Steve: Or the time that it's broadcast during the day, once upon a time.

Leo: Right. You make laws, and you can regulate that. But the Internet isn't like that. And it's not - they think Meta is like NBC. And that's not how it works. And they've just got to get some sense in their heads. I mean, but it's true. That means you can't protect children from stuff they're going to see online. So that's why ultimately the only people who can are parents.

Steve: Yeah. Yeah. The recent developer blog discussing the release of Chrome 120 included a little blurb that reminded me that it's about to be 2024. The blog wrote: "And a reminder that Chrome is working toward deprecating third-party cookies. In January" - meaning two weeks from now - "an experiment begins that could affect your website, so it's important that you check." And they provided a link to an article titled "Preparing for the end of third-party cookies for auditing and mitigating steps." On that page they wrote: "If your site uses third-party cookies, it's time to take action."

Actually it would have been time a while ago because, you know, two weeks. "It's time to take action as we approach their deprecation. Chrome plans to disable third-party cookies for 1% of users starting in Q1 of 2024 to facilitate testing, and then ramp up to 100% of users by the third quarter of 2024. The ramp up to 100% of users is subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority (CMA)."

Okay. So what Google is referring to here is that it appears that the UK's government Competition and Markets Authority has expressed some concern on behalf of UK advertisers that they might be materially damaged by Google's removal of third-party tracking cookies from Chrome. Oh, gee. So this appears to be the sort of nonsense that any global technology behemoth such as Google just needs to put up with as part of doing business. Anyway, nothing will deter Google from doing this, and that's good news.

Their posting continues: "Our goal with the Privacy Sandbox is to reduce cross-site tracking while still enabling the functionality that keeps online content and services freely accessible by everyone. Deprecating and removing third-party cookies encapsulates the challenge, as they enable critical functionality across sign-in, fraud protection, advertising, and generally the ability to embed rich, third-party content in your sites. But at the same time they're also the key enablers of cross-site tracking. In our previous major milestone, we launched a range of APIs providing a privacy-focused alternative to today's status quo for use cases like identity, advertising, and fraud detection. With alternatives in place, we can now move on to begin phasing out third-party cookies."

Okay. So as we know, Google's replacement which will allow advertisers to obtain some weak "interest" categories about visitors is called TOPICS, T-O-P-I-C-S. We've talked about it here several times, and it's a terrific solution. So 2024 will finally be the year when third-party cookie behavior is changed for the better. It won't be that a third-party site cannot still place a cookie into a user's browser. They can. But that same third-party site will not be able to retrieve that same cookie when that visitor is at any other site. And that's a huge change in behavior. Firefox led the way with this more than two years ago when with Firefox 86 in February of 2021 they introduced Total Cookie Protection. Back then it was present, but not enabled by default.

Two years later, in April of this year, it went live and was enabled by default. And, you know, the world as we know it did not end. Everything kept working. All that happened was the addition of cookie storage partitioning. Historically, all web browsers maintained one single global cookie jar, which held all the cookies being stored by the browser. This was the single fact which made tracking possible, since any advertiser offering content to multiple websites would receive their same tracking cookie, no matter where the user traveled.

But with the adoption of Firefox's Total Cookie Protection, each website effectively gets its own private cookie jar which stores any cookies that anyone wants to set while the user is at that site. But once the user changes to any other site, that site's cookie jar then becomes current. So while advertisers are still welcome to set any cookies they want at every site, all cookie linkage between sites is then broken.

Google certainly already knows that catching up with Firefox in this regard won't end the Internet. They understand that turning this on for 1% of users next month is going to be just fine. But at the same time there's no arguing that this really does represent a significant change to the way browsers have ever worked by default. Firefox did it a couple years ago. Since April it's been on by default. Everything kept working. So it's reasonable, I think, for Chrome, you know, the elephant in the room browser-wise, to be sticking a toe in the water at 1% before jumping in headlong, which they're going to do by the time we get halfway through 2024.

So anyway, we know that change often needs to be forced. If anyone is still, like holding onto some need for third-party cookies to be global across browsers, you know, that's got to end. Chrome is saying, hey, we're not kidding about this. This change is coming. You need to make sure that this isn't going to be breaking anything weird that you might be doing. So yay for that. And it's going to end up, you know, once Google has TOPICS and third-party cookies are sequestered within their own individual cookie jars, Chrome is going to then be able to continue blocking, tracking, and stopping it wherever they can.

And as we've also just seen with GPC and Do Not Track, you know, Global Privacy Control and Do Not Track, we're beginning to have legislation that's going to be enforcing this, too. So I think in the not-too-distant future we are truly going to be seeing a different world where browser-based tracking is no longer happening the way it has historically.

The last piece of news, because there actually wasn't a lot that happened this week, that I want to share before we get to my update on SpinRite and some feedback is Cloudflare's summary of interesting statistics which they gathered over the course of 2023. This is their fourth annual review of Internet trends and patterns which they've observed throughout the year at both the global and also at the country and regional level. So probably the metric which most surprised me was that global Internet traffic grew 25% in 2023.

Leo: Wow.

Steve: I know.

Leo: That's a shock.

Steve: It is astonishing. They noted that major holidays, severe weather, and intentional shutdowns clearly impacted Internet traffic. We'll talk of intentional shutdowns in a second. But, you know, remember all that dark fiber we once had during that Internet, that initial Internet overbuild? I would bet that there's far less excess today than there once was. But Leo, I agree with you. Think about that for a minute. 25% growth in Internet traffic in one year.

Leo: What?

Steve: That is a massive increase in something that's already as mature as the Internet. The only thing I can imagine that might account for that is the continuing increase in the use of streaming media for content delivery.

Leo: Oh, yes, of course, yeah.

Steve: You know? I had been a happy TiVo user for years, switching from analog TiVo to digital TiVo, but remaining with traditional cable TV. But then for me, six years ago when I was setting up my new home with Lorrie, I tried an experiment. We never asked Cox for cable TV, only Internet service. And I've never looked back. And so, Leo, that seems plausible to you, too?

Leo: Yeah, that's - the widespread access to broadband, I mean, really fast broadband, also probably encourages people to do things like stream more content.

Steve: Right, that they just weren't doing before.

Leo: Yeah. I saw a stat, oh, wonder if I can remember it, that Netflix, how many petabytes of data Netflix sends over a month. And it's many hundreds of petabytes. And that's just Netflix.

Steve: I have a buddy whose father does nothing but sit on the couch with his phone in landscape orientation watching Turner Movie Classics.

Leo: Yeah.

Steve: You know, that's how he spends his day. So like, people are watching movies on their phones now.

Leo: Yeah.

Steve: That didn't used to happen.

Leo: Yeah. Yeah, exactly. And, I mean, people have always watched TV all day, but now they're streaming, and streaming a lot, all day.

Steve: Right.

Leo: So, yeah, I guess that must be it; right? Netflix in 2019 took up 11% of the global downstream traffic on the Internet. You know. So I'm sure that's at least that much. And then add on top of that, you know, HBO MAX, or MAX I guess it's called, Disney Plus, all of this stuff.

Steve: Yeah.

Leo: Yeah, I'm not surprised. I think it's got to be. I think you nailed it.

Steve: Okay. Not surprisingly, Google was again the most popular Internet service. But TikTok, which was the leader two years ago in 2021...

Leo: Oh, yeah, we're watching [indiscernible] videos, yeah.

Steve: Yup. TikTok fell to fourth place. The ranking among the top 10, from number one to number 10, is Google, Facebook, Apple, TikTok, Microsoft, YouTube, AWS, Instagram, Amazon, and iCloud. And I have to say I'm a bit surprised that Apple's domain is in number three position, above TikTok in number four and YouTube in number six and Instagram in number eight. You know, like what's Apple doing? Is it just Apple TV? I'm really surprised by the...

Leo: No, because think about it, I mean, all the downloads of apps, you know, the App Store all comes from Apple. The music, Apple's the number one streaming music service.

Steve: Ah, okay.

Leo: All that music. I mean, Apple's doing a lot of streaming, actually, if you think about it. And I guess when you buy a movie on iTunes the stream comes from Apple, too. So there, you know, yeah. I'm not surprised.

Steve: Yeah, yeah. Wow. Wow. As we know, OpenAI was the most popular service in the emerging Generative AI category, and Binance remained the most popular cryptocurrency service. On the mobile front, also no surprise, over two-thirds of all mobile device traffic was consumed by Android devices, with Android commanding a greater than 90% share of mobile device traffic in over 25 countries or regions. So there were places where Android was two-thirds and iOS was one-third. And there were countries where it was almost all Android. So, I mean, like, you know, Bangladesh, for example, was like, you know, all - there was hardly any iOS activity there.

And in the skies above us, the global traffic from Starlink nearly tripled in 2023. After initiating service in Brazil in mid-2022, Starlink traffic from that country jumped by more than a factor of 17 in 2023. So I guess anywhere where you're connectivity challenged, and Starlink is offering service, they're going to see a big jump in Starlink traffic in that region. So, but again, Starlink up by a factor of 3.

On websites, Google Analytics, React, and HubSpot were among the most popular technologies. And worldwide, nearly half of web requests are now using HTTP/2, with 20% using HTTP/3, and the balance, around 30%, still back at /1 or 1.1.

NodeJS was the most popular programming language used for making automated API requests by browsers to backend servers. Cloudflare noted that as developers increasingly use automated API calls to power dynamic websites and applications, they're able to use their visibility, that is, Cloudflare is able to use its visibility into web traffic, so they're able to see what's going on. You know, they're often serving as a proxy in front of web services. So they're able to identify the languages and the APIs that the clients are written in. So beyond NodeJS, which holds the number one spot at 14.6%, the ranking in descending order behind NodeJS is Go at 8.4%, Java at 7%, Python at 6.8% and .NET at 4.3%.

And during 2023, Googlebot was responsible for the highest volume of request traffic to Cloudflare's hosted and their proxied sites. Not surprisingly, Google's busy sucking down web content in order to keep its indexes current.

As for Internet connectivity & speed, Cloudflare saw over 180 Internet outages globally during 2023, with many they said deliberately created by government-directed regional and national shutdowns of their own Internet connectivity. And we've talked about this happening before where for various reasons, like on voting day, various countries will say, okay, pull the plug, we don't want anybody on the Internet while we're doing whatever it is we're doing. So 180 times. So basically, what, one every other day on average.

Only one third of IPv6-capable requests worldwide were made over IPv6. So even though IPv6-capable servers are still relatively rare, among those services that do support IPv6, two thirds of the queries they received were to their IPv4 addresses, not taking advantage of IPv6. And that's not really that surprising at this point. It's going to be a while.

The top 10 countries all had measured average download speeds above 200 Mbps on average, that is, the average user among the top 10 countries had speeds over 200 Mb, with, interestingly, Iceland showing the best results across all four measured Internet quality metrics. You ask why? Well, the reason for Iceland's outstanding performance is that over 85% of all Internet connections there are over fiber. So they've got just a base of really good Internet connectivity in Iceland.

Over 40% of all global traffic is exchanged with mobile devices. 40% is now mobile. And in more than 80 countries and regions, the majority of all traffic is exchanged with mobile devices. And I guess that's no surprise, again, in countries that are basically just mobile users instead of desktop connectivity.

And finally, on the security front, just under 6% of global traffic was mitigated by Cloudflare's systems as being potentially malicious or for customer-defined reasons. So 6% of all global traffic was blocked. In the United States, 3.65% of traffic was mitigated; while in South Korea, it was 8.36%.

A third of global bot traffic comes from the United States, and over 11% of global bot traffic comes from Amazon Web Services. And just to remind everybody, they don't mean "bots" as in malicious bots. Cloudflare means anything that's automated. So any and all legitimate Internet-indexing bots would doubtless be a hefty part of that total of 11%.

But on the malicious front globally, finance was the most attacked industry, but the timing of spikes in mitigated traffic and the target industries did vary widely throughout the year and around the world. So it's not only finance that is being attacked.

Even though the two-year-old Log4j vulnerability remained a top target for attacks during 2023, the HTTP/2 Rapid Reset attacks, which we covered a few months back, emerged as a significant new vulnerability, beginning with a flurry of record-breaking attacks. And as we know, they did cause a little bit of stumble on Cloudflare's systems until they were able to update them in order to mitigate the attack.

And get this: 1.7% of TLS 1.3 traffic is already today using post-quantum encryption. So we're beginning to get there. 1.7% won't get us there; but still, TLS 1.3 does offer some of those protocols, and they're beginning to get used.

In malicious email messages, deceptive links - in other words, phishing - and extortion attempts were the two most common types of threats people received.

And finally, the good news is that PGP-style, I mean, why can't I say this, BGP, whew, BGP, yes, Border Gateway Protocol everybody, BGP-style Internet routing security, measured as the share of valid routes, improved globally during 2023. Significant improvement in routing security was observed in countries including Saudi Arabia, the UAE, and Vietnam.

So stepping back, overall, no big surprises. And overall, when viewed from 20,000 feet, the Internet remains largely stable. It's cool to see the emergence of some post-quantum crypto protocol usage. And I'm still surprised that there could be year-over-year growth of 25% in overall traffic. That just - that's a big bump.

Okay. The announcement I expected two weeks ago to be able to make last week, which Leo, you noted I missed, it was Don Adams on "Get Smart" who used to say "Missed it by that much."

Leo: "Missed it by that much."

Steve: The announcement was that I finally accomplished the surprisingly challenging task of on-the-fly remote server-side EV code signing using a hardware security module. It's a capability I've wanted to have for years. And although it took far more time than I expected, since every aspect of the project fought back, that technology now exists, is now in place, and it appears to be working reliably. I brought it online last Saturday morning for cautious testing by the gang in GRC's development newsgroup. And I checked an hour ago. More than 165 instances of SpinRite's current release candidate number five were successfully built, on-the-fly signed, downloaded, and tested.

I decided to obtain a fresh three-year, which is the maximum you can get, an EV code-signing certificate from DigiCert for the HSM, since the one I had was a year old, and I wanted to get as long a run from the appearance of this new certificate as possible. As we know, reputation is now the way the world works. Not surprisingly, a few people reported that Windows Defender was upset, quarantined, and deleted their download. But most people said that Defender didn't make a peep, and that everything worked for them without a hitch.

My hope is that by the time SpinRite 6.1 is being heavily downloaded, Microsoft will have had time to decide that all is well with it. I just grabbed a fresh copy and dropped it on VirusTotal. It triggered zero out of 68 tests. Not one AV engine had any problem with it. But during my testing I tried that with unsigned code, and at least one-third of them freaked out. So I conclude that this was time well spent to get this thing signed on the fly.

Where I am today is that SpinRite is all but finished. I'm actually a bit happy that the code-signing project took four weeks because during that time many more people have had the chance to use the current release candidate. This has surfaced some remaining edge cases, not really in SpinRite. Well, I'll give you an example. And I would like to resolve those before I formally declare SpinRite 6.1 finished. I could ship it now. But on really troubled drives we've seen that it can still stumble a bit. And since really troubled drives is definitely one of SpinRite's targets, I want to at least know that there's nothing more that can be done.

For example, there have been some reports of very troubled drives dropping offline when SpinRite touches a particularly sensitive spot on the drive. This is something we encountered many times during our early testing. SpinRite pops up a scary red dialog to explain that after being reset, the drive never reported that it was ready for more. SpinRite waits for up to 10 seconds while checking the drive's status every 10 milliseconds before it makes that determination. And if you watch the seconds tick by on a clock, 10 seconds is a long time. But over this past weekend I verified that for really troubled drives, 10 seconds might not be long enough. In this instance, SpinRite needs to be even more patient.

So starting with the next release, SpinRite will give drives a full 60 seconds to get themselves back up and ready to proceed. And since SpinRite's user may wonder what's going on while nothing appears to be happening, after waiting a few seconds, SpinRite will display a "waiting for drive" and then a countdown, so that its users know why nothing appears to be happening. Anyway, so it's those sorts of things. Really, I mean, really just the last little bits.

But, you know, since we're so close to the end of '23, and I'd like any recent improvements to have a bit of time protesting, I figure I'll fuss with SpinRite for the rest of the year, and make it available at the start of 2024. I recognize that even after its official release, I may still be tempted to deal with even edgier edge cases. And, frankly, any improvements I'm making at this point all feed forward into SpinRite 7's design anyway. So it'll be time well invested. I have the feeling that I may be continuing to nudge it along for a while, but also in this day and age it's very easy for any SpinRite owner to update themselves and get the latest and greatest. And of course I'll let everybody know here when that happens. So at the moment there's no reason for me not to improve what I can, and it'll be an early '24 release.

Leo: Perfect. And that's not very far from now. That's just a week or so.

Steve: No, it's two weeks.

Leo: Two weeks.

Steve: And that'll give me some time to add those little finishing bits of polish.

Leo: Me, too. That'll give me time to answer Day Five of Advent of Code.

Steve: That's right.

Leo: Well, it all comes down to Allen's interval algebra, actually, Steve. You would have understood it immediately, but it was a little beyond my tiny brain. We have some very good programmers in - there's an Advent of Code section in our Club. And I don't know, there may be a dozen people solving it in the Club, which is kind of cool because then you can say, hey, what the heck's going on here, and people are really great. It's really - it's a lot of fun.

Steve: That is neat.

Leo: Yeah.

Steve: So we have some good feedback, as always, from our listeners. Someone who asked for anonymity said: "I'm not going to pretend to understand the details of this, but @SGgrc and other authorities have deemed this a major step forward in quantum computing." And apparently he aimed this at @bitcoincoreorg. This was a public tweet. So he asked @bitcoincoreorg, "What is the plan for post-quantum implementation? Current asym crypto is threatened."

So this listener was clearly referring to last week's "Quantum Computing Breakthrough" topic. And he's correct that asymmetric crypto using the algorithms in use today will not be in use in the future. The good news is that things like iterative PBKDF hashing of passwords to obtain a fixed-size token are not asymmetric, so they will remain safe. I'm mentioning this, first because it's something just by itself that's important to appreciate. The world's password-accepting websites will not all need to revamp their password hashing systems.

But also, and blessedly, neither will the operation - he's referring to @bitcoincoreorg - neither will the operation of the Bitcoin Blockchain need to be changed. Recall that the way bitcoins are earned is by guessing what needs to be appended to the most recent blockchain update in order to yield a hash result that ends in some number of trailing zeroes. While GPUs have proven to be quite facile at performing the hash function needed to guess that at very high rates, choosing a random value and hashing the result is not something that is suited to tomorrow's quantum computers.

And thank goodness for the fact that symmetric crypto will not be affected by quantum computing because otherwise we would be in much more serious trouble than we are now. You know, as it is, we've got to abandon all of our asymmetric crypto. We have time to do that, but we really do have to get it done. Still, underlying all of that is symmetric crypto. And as I said, it does not need to be changed. It gets to stand unmodified.

Philip Griffiths tweeted: "Hey, Steve. In 952 you mentioned ZeroTier and Tailscale as open source. Well, 'sort of' is my opinion. ZeroTier is BSL, so open source to many, but not everyone. Tailscale is largely open source; but core parts, for example, the coordination server, are not. NetBird or Headscale would be better examples of overlays which are open source software and allow circumvention of NAT. You could also include OpenZiti, though you could also argue, while it can be better used as a VPN, its true design goal is to make it easier to build secure-by-default distributed apps."

Okay. So although he's right, much of Tailscale is open source, Tailscale have retained some pieces. The GUI clients for Windows, macOS, and iOS are not open, and that rendezvous server, the so-called coordination or control server. So Headscale, which he mentioned, implements a self-hosted, fully open source alternative to Tailscale's control server. Headscale's goal is to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. It implements a narrow scope, essentially a small Tailscale overlay network suitable for personal use, or small open-source organizations.

NetBird looks like another interesting, fully open source overlay network, which does also use Wireguard for its transport security and encryption. OpenZiti is not a general purpose overlay network. It's a system of technology, language APIs, and SDKs that allow developers to incorporate secure overlay network technology into their apps. So it's a completely different bear than Tailscale, ZeroTier, or NetBird.

Now, as for how those three compare, I'm unable to offer any comparison or recommendation from experience. I haven't yet had the need to deploy any of them, so I haven't given them a close look. But when I do I will definitely share a full review of what I find.

Comm Tech Engineer sent a question. He said: "A quick question on SpinRite. Do the hardware specs (better CPU or more RAM) of the PC running SpinRite affect the speed of SpinRite's operations?"

And I've seen this question several times before, so I thought I'd answer it for everyone. The answer is almost always no, the hardware does not matter. SpinRite will detect and alert its user when a SATA III, which is capable of - it has an interface rate of 6 Gbps - when a SATA III drive is connected to a SATA II interface, which is only capable of running at 3 Gbps. However, even though 3 Gbps is sufficient for any spinning drive, there are some solid-state drives which can benefit from SATA III speeds. So the idea there, and actually it happened to a number of our testers who were caught off guard, they did not realize they had a SATA III drive plugged into a SATA II interface. So SpinRite pointed that out for them, and they were able to move them over to SATA III interfaces and increase their performance.

As for CPU and RAM, SpinRite 6.1 does use about 50MB of RAM, but it's rare to find a machine today that has fewer than 4GB, and even 1GB would be fine. Not one, as far as I know, of our more than 800 testers has encountered anywhere in their testing a machine with insufficient RAM for SpinRite 6.1. So I just don't think that's going to be a problem. And the same is true for the CPU under 6.1. What that means essentially is that almost any older hand-me-down PC can be used as a dedicated SpinRite test machine, and many of SpinRite's owners do just that.

Even though 6.1 is way faster than 6.0, and 6.1 is able to run a directly connected drive as fast as that drive is capable of going, drives have become ridiculously huge, and it does still take time to move all that data back and forth. If you've ever tried to do an actual physical format on a drive today, as opposed to a quick format, you quickly learn that that's not something you want to do, at least not often. Anyway, so almost certainly the speed of the system and the amount of RAM it has doesn't matter.

I should mention there was one instance where somebody was considering purchasing a machine and was wondering about SpinRite. 7.0 will be more aggressive. Among other things, it'll be fully multitasking, meaning you'll be able to run it on all the drives you have in the system at once, and the technology it's going to be using for spotting slow spots is going to be much more CPU intensive. So there the answer will probably differ, but not for 6.1 that we have today.

Another listener said: "I'm listening now to SN-950 and wanted to share my experience with trying Passkeys on GitHub. Before Passkeys, I had username, password, and multifactor authentication." And by that he means an external authenticator app. He said: "After enabling Passkeys and using them as the authentication method, GitHub no longer prompts for another factor, so it seems the security of multifactor authentication has disappeared." He said: "I store my MFA seeds outside my password manager. If, however, I were to store my Passkeys within my password manager, I would then reduce my security for any site that skips MFA when using Passkeys.

"I understand," he said, "that Passkeys are better than passwords as the site no longer has a secret to protect. But all the necessary 'eggs' would still be in my password manager's basket. I think Passkey plus MFA would provide the highest level of security, but I don't know which sites will allow or offer that option, and which will drop multifactor authentication while using Passkey authentication under the assumption that multiple factors are no longer necessary, as GitHub appears to assume. For those with the strictest threat model, I think I would not recommend storing Passkeys in the same password manager as everything else. Am I missing something here?

"Also, I never use Twitter myself, so I'd be one of those looking forward to your new email list. I had to dust off my login from years ago just to write this to you."

Okay. So like this listener, I'm a bit distressed to learn that the use of Passkeys automatically disables the use of additional authentication factors, especially for a site such as GitHub where improving authentication integrity has been a recent need and issue. As we know, Passkeys are stronger than usernames and passwords for a number of reasons. But this listener is correct about the vulnerability inherent in allowing any single device to have authority to authenticate us, no matter how strong its authentication mechanism might be.

The right solution would be to offer users who are adopting Passkeys the option to disable their additional authentication factors in favor of Passkeys since Passkeys are certainly stronger than passwords alone; or to keep additional authentication factors in place and enabled under the more proper understanding that any single factor of authentication, regardless of how strong it may be by itself, can still be made more strong by the requirement for an additional factor, especially one that relies upon another device and uses an entirely different technology such as time-varying six-digit tokens.

SKYNET said: "Hi, Steve. Regarding SN-952 and upstream library dependencies, what is this notion that developers have that fixing a bug will automatically introduce something new that will break? How is it not possible to fix a flaw without introducing a new feature that will break something else? It seems that everyone, including Microsoft, cannot fix a flaw or vulnerability without breaking something else. Why are they so connected, and how? How is it that a bug or flaw that needs to be fixed will just automatically break something totally different, totally unrelated to the bug?

"I know it is most certainly possible for companies to fix flaws without breaking something new in their products, so I find it a poor excuse for developers to claim that 'It's all working right, so I don't want to rock the boat and possibly break something else.' To me," he writes, "that just screams that either everything in their code is connected" - that's bad - "or they're bad coders."

Okay. So last week's discussion more specifically related to a fear of updating upstream library dependencies, which are inherently black boxes, in a situation where the successful functioning of a coder's own code is entirely dependent upon the exact behavior of those black boxes. The point being, everything is working now. Let's not rock the boat.

In highly complex projects, mistakes do happen. Say that a group of people decide to entirely recode some library because its codebase has grown old and creaky over years of tweaking. That does happen, and recoding can be a really good thing to do. But try as they might, it could be that this new code, which is intended to behave just the same as the original code did, nevertheless exhibits some slightly different behavior around the edges; and that this change, even if it's subtle, might cause some other code that uses the newly recoded library to break.

Yes, it's a mess; but it's a mess we've created. And the motivation behind the "don't fix it if it's not broken" is, I think, understandable. As a programmer, I understand it, and I guess I'm somewhat surprised and thankful that Microsoft has somehow managed to keep really old programs that were running on very different operating systems still running reliably today. It really is an achievement on their part.

Blaine Trimmell wrote: "I just listened to the Security Now! podcast and want to pass on that Chromium browser does not use OS root store anymore by default." And he provided a link. Okay. So Blaine's Twitter DM included a link to Google's announcement about three months ago, which was made on September 19th, under the headline "Announcing the Launch of the Chrome Root Program." And there Google wrote: "In 2020, we announced that we were in the early phases of establishing the Chrome Root Program and launching the Chrome Root Store. The Chrome Root Program ultimately determines which website certificates are trusted by default in Chrome, and enables more consistent and reliable website certificate validation across platforms. This post shares an update on our progress and how these changes help us to better protect Chrome's users." Since we all know most of this, I'm not going to share it all. But they make a couple points that are salient.

They said: "Chrome uses digital certificates (often referred to as 'certificates,' 'HTTPS certificates,' or 'server authentication certificates') to ensure the connections it makes on behalf of its users are secure and private. Certificates are responsible for binding a domain name to a public key, which Chrome uses to encrypt data sent to and from the corresponding website. As part of establishing a secure connection to a website, Chrome verifies that a recognized entity known as a Certificate Authority issued its certificate. Certificates issued by a CA not recognized by Chrome or a user's local settings can cause users to see warnings and error pages.

"Root stores, sometimes called 'trust stores,' tell operating systems and applications what certificate authorities to trust. The Chrome Root Store contains the set of root CA certificates Chrome trusts by default. A root program is a governance structure that establishes the requirements and security review functions needed to manage the corresponding root store. Members of the Chrome Security Team are responsible for the Chrome Root Program. Our program policy, which establishes the minimum requirements for CAs to be included in the Chrome Root Store, is publicly available.

"Historically, Chrome integrated with the root store and certificate verification process provided by the platform on which it was running. Standardizing the set of CAs trusted by Chrome across platforms through the transition to the Chrome root store, coupled with a consistent certificate verification experience through the use of the Chrome Certificate Verifier, will result in more consistent user and developer experiences."

Okay. So what they're saying here is they used to just use the store that the OS provided. But because those could vary from OS to OS, that meant that Chrome's behavior varied from OS to OS. They decided to change that. So they decided two years ago, actually three, in 2020, to work on incorporating the root store into Chrome and no longer use the underlying OS.

So they finished: "Launching the Chrome Root Program also represents our ongoing commitment to participating in and improving the Web PKI ecosystem. Innovations like ACME have made it easier than ever for website owners to obtain HTTPS certificates. Technologies like Certificate Transparency promote increased accountability and transparency, further improving security for Chrome's users. These enhancements are only made possible through community collaboration to make the web a safer place. However, there's still more work to be done.

"We want to work alongside Certificate Authority owners to define and operationalize the next generation of the Web PKI. Our vision for the future includes modern, reliable, highly agile, purpose-driven PKIs that promote automation, simplicity, and security. And we formed the Root Program and corresponding policy to achieve these goals."

So again, that was in 2020. Ninety days ago they announced this went live. So thank you, Blaine, for this. I had announced Google's announcement that this initiative was ready and was now being rolled out. This of course means now that both Google and, well, Google with Chrome, all the various Chromium browsers, and Firefox will be running with their own local root stores. And given that, as we've seen, just six or seven Certificate Authority root certificates are all that most users will ever need, that doesn't seem like such a big deal. But all of this is relevant, of course, because of the EU's Article 45, which brings into question, what is going to happen in 2024? I have a feeling whatever it is, it'll be next year that we see something happening. So it's going to be extremely interesting.

Okay. And finally, Active Listening. A story blew up in the news last week that currently lacks solid evidence. Well, okay. Solid evidence only inasmuch as it's so bad that it's hard to believe it's true.

Leo: And it could very well be that Cox Media Group is overselling their capabilities.

Steve: Right.

Leo: At least I hope they are.

Steve: On the other hand, we have documentary evidence, thanks to the Web Archive. Anyway, whether or not it's true, it has certainly worried and upset everyone who has heard it. And Leo, I know you talked about it on TWiT on Sunday. You know, definitely an important topic. I suspect that this is the sort of thing that investigative reporters will be digging into further. The short version of the news is that the massive media giant CMG, which is the Cox Media Group, claims in its marketing materials to advertisers and in actual discussions with prospective clients, that it currently has and is using the capability, which their marketing materials term "Active Listening," to listen into the ambient conversations of consumers through microphones embedded in their smartphones, smart TVs, and other similar devices; and that through this means they're able to gather data which they then use to target advertising.

Last Thursday's headline in 404 Media - I need to stop every so often to take a drink, Leo, and I...

Leo: Take a drink. I didn't do an ad for you. Take a drink. Pause for a little bit.

Steve: Last Thursday's headline in 404 Media, which broke the story, was titled "Marketing Company Claims That It Actually Is Listening to Your Phone and Smart Speakers to Target Ads." 404 Media wrote: "The news signals what a huge swath of the public has believed for years, that smartphones are listening to people in order to deliver ads, may finally be a reality in certain situations. Until now, there was no evidence that such a capability actually existed; but its myth permeated due to how sophisticated other ad tracking methods have become."

Okay. So exactly three weeks ago, on November 28th, the CMG website posted a blog page titled "Active Listening: An Overview." They also had a permanent page linked off their domain's root with the URL, you know, blah blah blah domain, /cmg-active-listening. So at that time, three weeks ago, it was all right out there for the world to see. And this is not some fly-by-night sketchy operation. This is the Cox Media Group. To no one's surprise, all of those pages have since disappeared, though it's really worth noting that they were initially completely public, and no one at Cox thought that they nor their Active Listening was a problem.

Fortunately, those pages were up long enough to have been crawled by the Internet's historian, the Web Archive. And this week's shortcut of the week, grc.sc/953, will take you and your browser directly to a faithful copy of the archived blog posting which was made three weeks ago.

So what do we learn directly from this once publicly posted page? It does not disappoint. The page shows a photo of four young hip consumers in their late '20s or early '30s gathered around a table, smiling and chatting with a Mac and a tablet. And the page says: "Imagine a world where you can read minds. One where you know the second someone in your area is concerned about mold in their closet, where you have access to a list of leads who are unhappy with their current contractor, or know who is struggling to pick the perfect fine dining restaurant to propose to their discerning future fiance. This is a world where no pre-purchase murmurs go unanalyzed, and the whispers of consumers become a tool for you to target, retarget, and conquer your local market.

"It's not a far-off fantasy. It's Active Listening technology, and it enables you to unlock unmatched advertising efficiency today so you can boast a bigger bottom line tomorrow. Do we need a bigger vehicle? I feel that my lawyer is screwing me. It's time for us to get serious about buying a house. No matter what they're saying, now you can know and act. A marketing technique fit for the future, available today.

"Machine learning algorithms are improving and introducing a new era for advertising. Our Active Listening tech gives you a weekly roster of qualified customers who have voiced their need for your service or product. We will then upload the list to your preferred advertising platforms so you can target ads to the right people at the right time. Reactive advertising is no longer enough to get ahead. Embracing predictive and proactive strategies is the key to growth.

"Active Listening gives organizations clarity into the most effective channels and timing for their advertising efforts. By incorporating and analyzing customer data gleaned from conversations happening around smart devices, we can pinpoint where and when customers are most likely to engage with ads. When you have this information in reach, you have the power to deploy targeted campaigns at opportune moments on the platforms where your audience spends their time. The results? Maximized visibility and impact. Whether you're a scrappy startup or a Fortune 500, Active Listening makes the unreachable in reach.

"How does it all work? Advertise to the exact people who need your services. CMG can customize your campaign to listen for any keywords or targets relevant to your business. Here's how we do it. Create personas: We flesh out comprehensive buyer personas by uploading past client data into the platform. Identify keywords: We identify top-performing keywords relative to the type of customers you are looking for. Transparent tracking: We set up tracking via pixels placed on your site so we can track your ROI in real-time.

"Leverage AI: AI lets us know when and what to tune into. Our technology detects relevant conversations via smartphones, smart TVs, and other devices. Analyze consumer behavior: As qualified consumers are detected, a 360 analysis via AI on past behaviors of each potential customer occurs. Create a list: With the audience information gathered, an encrypted evergreen audience list is created. Target, retarget, and transcend: We use the list to target your advertising via many different platforms and tactics, including streaming TV, OTT, streaming audio, display ads, paid social media, YouTube, and Google and Bing search. Don't leave money on the table. Claim your territory.

"Our technology provides a process that makes it possible to know exactly when someone is in the market for your services in real-time, giving you significant advantage over your competitors. Territories will be available in 10- or 20-mile radiuses, but customizations can be made for regional, state, and national coverage." And then there's a link with the phrase "Claim your territory now."

Then they provide a handy FAQ where the first question they ask themselves is "Is Active Listening Legal?" To which they reply: "We know what you're thinking. Is this even legal? The short answer is yes, it is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multipage terms of use agreement somewhere in the fine print, Active Listening is often included." Uh-huh. So why, exactly, then, has CMG's website been totally scrubbed of all mention of Active Listening? Perhaps strict legality is not the problem here.

The next question they ask themselves: How Does Active Listening Technology work? And they answer: "Our technology is on the cutting edge of voice data processing. We can identify buyers based on casual conversations in real time. It may seem like black magic, but it's not. It's AI. The growing ability to access microphone data on devices like smartphones and tablets enables our technology partner to aggregate and analyze voice data during pre-purchase conversations. The result? Advertising efficiency and timing taken to a new level. We set specific keywords relevant to your product and service so we know who needs you, why they do, and where we can target them. With this unprecedented understanding of consumer behavior, we can deliver personalized ads that make your target audience think, wow, they must be a mind reader." Right. And that's not creepy at all.

Anyway, 404 Media, the organization that spotted this and broke the story, also found a representative of the company, CMG, on LinkedIn who was explicitly asking interested parties to contact them about the product. One marketing professional pitched by CMG on the tech said a CMG representative explained the prices of the service to them. So it certainly appears to have been available. CMG's website says: "What would it mean for your business if you could target potential clients who are actively discussing their need for your services in their day-to-day conversations? No, it's not a 'Black Mirror' episode. It's Voice Data, and CMG has the capabilities to use it to your business advantage.

"The part of CMG advertising the capability is CMG Local Solutions. CMG itself is owned by Apollo Global Management, a hedge fund, and Cox Enterprises, which includes everyone's favorite residential cable provider, the ISP Cox Communications. CMG operates a wide array of local news television and radio stations."

So, wow. I mean, everybody gets this; right? They talk about overseeing, you know, on this page they say imagine this, what could it do for your business if you were able to target potential clients or customers who are using terms like this in their day-to-day conversations. And they give three, or they give six examples. The car lease ends in a month; we need a plan. Or overheard, a minivan would be perfect for us. Or do I see mold on the ceiling? Or we need to get serious about planning for retirement. Or this AC is on its last leg. Or we need a better mortgage rate.

So according to CMG's now-removed web pages, the way this works is that clients can "claim" a territory where they want to use CMG's services, which are available in a 10- or 20-mile radius. After being set up: "Active Listening begins and is analyzed via AI to detect pertinent conversations via smartphones, smart TVs, and other devices." CMG also claims it installs a tracking pixel on its client's website to monitor the return on investment. With an audience created, CMG then delivers advertisements to these people through streaming TV, audio, display ads, YouTube, and search.

The marketing professional who was pitched by CMG told 404 Media that after a call with the company, they disabled microphone access on much of their own technology. The guy was quoted saying: "I immediately removed all my Amazon Echo devices and locked down microphone permissions on things like my phone. Receiving confirmation that they are doing things like this have confirmed my worst fears; and I, for one, will take no part in it."

For its part, while CMG was busily removing all traces of this from their website, they told 404 Media the following. They said: "CMG Local Solutions markets a wide range of advertising tools. Like other advertising companies, some of those tools include third-party vendor products powered by data sets sourced from users by various social media and other applications, then packaged and resold to data servicers.

"Advertising data based on voice and other data is collected by these platforms and devices under the terms and conditions provided by those apps and accepted by their users, and can then be sold to third-party companies and converted into anonymized information for advertisers. This anonymized data is then resold by numerous advertising companies. CMG businesses do not listen to any conversations or have access to anything beyond a third-party aggregated, anonymized, and fully encrypted data set that can then be used for ad placement. We regret any confusion, and we are committed to ensuring our marketing is clear and transparent."

Okay, now, here's something to think about. Why is Cox doing this? They would not seem to be an obvious entity to create such a service. If, as they claim, all of the data is being aggregated by third parties, and they're just the middlemen who are not doing any direct data gathering themselves, then there's nothing Cox is bringing to the table. Any random organization could do the same thing. But they certainly do appear to have been all gung ho into it when they were public about it. If I were a betting man, I'd put my money on this being an adjunct to all of the massive amount of data that Cox Communications - the Internet ISP - is almost certainly already obtaining from monitoring all of their Internet consumers' available Internet traffic, meaning all DNS query and TLS handshake metadata.

Cox, like any ISP, is sitting on a treasure trove of extremely valuable personal data. Everywhere everyone in everyone's family goes on the Internet is available to an ISP, unless consumers take extreme measures to prevent it from happening. And as we know, almost no one does. And Cox consumers are not anonymous to Cox. Cox knows exactly who and where every household is. They pay their bill every month. And now we know something we didn't directly know before. Now we know who Cox is and what they're really thinking. They're quite willing to hide in the fine print of, in their words, "multipage terms of use agreements."

I'd be much less worried about microphones, which at least for our very secure smartphones seems like a red herring, than about the fact that an organization such as the one Cox has just shown itself to be is the conduit through which all of its subscribers' residential Internet traffic flows. I think the time has come to think seriously about bringing up encrypted DNS for residential Internet users.

We do not know for sure whether Active Listening applies to audio, or where it applies. But given what we've seen, it seems very unlikely that Cox and its ISP ilk are leaving any money on the table by not "actively listening" to everything they are able to obtain by monitoring all of their subscribers' use of the Internet through our PCs, our smartphones, and any other user-directed Internet devices. Given the evidence it seems clear that, if they can get it, they will sell it and use it. As a result of what was found on Cox's website, the threat of that sort of monitoring being done by a major residential ISP just became far less theoretical and far more likely.

Now, at this point I'm sure many of our listeners are thinking, that seems like a good idea. How do we go about making that happen? Which I think will be a great topic for us to look at closely in 2024, which after all is only a few weeks away. And speaking of which, I want to personally wish, and I know Leo and all of the TWiT network joins me, in wishing all of our listeners a happy and safe holiday season. 2024 promises to be at least as interesting as recent years, and we'll be right here to watch and examine all of it as those events unfold. See you then.

Leo: You bet, yeah. You know, I think there's a mixture of CMG overselling their capabilities because, you know, honestly, we would, if Amazon's Echo, for example, were sending that data back, we would know. The processor on it is not sufficient to do that kind of AI extraction. They would have to send the content back. And you'd see a huge amount of traffic coming out of that thing. And we just don't see that traffic. Same thing with your iPhone. And on most hardware microphones there is a light that comes on.

Steve: It's a little orange dot on iPhones.

Leo: And you know when that mic is listening; right?

Steve: Yeah.

Leo: I mean, I guess Apple could be lying to us.

Steve: Well, or users are not - they don't know what the little dot is.

Leo: Yeah, but you and I know, and we don't see that dot coming on at random. In fact, if it comes on, that's a cause for concern. We go, okay, something's listening.

Steve: Right.

Leo: But I would also point out you're already giving them all that information. How good is the signal if I talk to my wife, "I think my lease is running out, what should I do," versus me going online and searching for new cars?

Steve: Exactly.

Leo: They're getting much better signals all the time from your TikTok usage, from your Facebook usage.

Steve: Exactly.

Leo: From your web surfing. And you're absolutely right, Cox sees all of that. So I think that this is, you know, oh, marketers would never lie; right? I think this is marketers overhyping their capabilities, perhaps out of ignorance. What's sad is I think a lot of people are going to throw out their Amazon Echoes, even if they find them useful, because they're worried about that. And I don't think there's any evidence that Echoes or Google device, you know, hubs listen. We would know if they did; right?

Steve: Yup.

Leo: We would know if your phone is listening. Now, your car probably is listening. Your smart TV probably is listening. There are some of the things they mention in here that are, certainly.

Steve: Yeah, I do, I absolutely agree with you. We know much less about some generic smart TV and what it might be doing.

Leo: Yeah, I mean, there's no reason Samsung put a camera and a microphone on my TV. I mean, they may say, oh, it's so you can Zoom. No, that's not. I know exactly why you guys put a camera and microphone on my TV. So certainly that's a reasonable thing to be concerned about. But I think there's also - I hope people don't set their hair on fire on this. You can punish Cox all you want. But, you know, you use Cox. My mom uses Cox.

Steve: Yeah.

Leo: It's not like you have a choice in most markets.

Steve: No choice at all. There's only one broadband provider in our market.

Leo: See? So cutting off your nose to spite your face, it just doesn't make sense. I think they oversold the capabilities. But you're already giving them all that information all the time. I mean, you really are. So, you know, there's no secrets. When you start searching for mold abatement on the Internet, they know what's going on.

Steve: There's a reason; right. Exactly.

Leo: Really good stuff, though. And I'm really glad you brought it up and found the details and everything because it's a topic that we will undoubtedly be covering more in the future. And the use of AI in it is nontrivial. AI makes it - see, the reason it wasn't such a thing to worry about before is because there was such a volume of stuff. Wait a minute. You're listening to everything I say every day all the time? No one can listen to all that. AI could.

Steve: No, in fact we know that the processor in the Echo, it's listening for its trigger word.

Leo: It can barely do that.

Steve: Which then, yeah, exactly, which then wakes it up, and it streams the audio for analysis during, you know, while it's awake.

Leo: People are right to be concerned about privacy. The other thing to watch with interest is who's going to write the letter? Is it going to be Ron Wyden to Cox saying, hey.

Steve: I know.

Leo: What is this? But remember, if such capabilities exist, you know who the number one customer would be? Government. Law enforcement. And that's something really to be concerned about. I don't care if some car dealer contacts me because my lease is running out. I'm sure Ford's already sold that information to every car dealer in town.

I am very concerned if the government thinks I'm an agitator and decides to, you know, listen to everything I'm doing. That's something really much more serious. So I'm interested to see what government's response to this is. I expect a lot of saber rattling and absolutely no action because they use these tools. They don't want data brokers to go away. They're buying the information.

Thank you, Steve. Have a wonderful holiday. We'll see you next time on Security Now!.

Steve: See you next year, my friend.


Copyright (c) 2014 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED

This work is licensed for the good of the Internet Community under the
Creative Commons License v2.5. See the following Web page for details:
http://creativecommons.org/licenses/by-nc-sa/2.5/




Last Edit: Dec 21, 2023 at 14:49