Danger Stranger

George Rosamond
August 11, 2021

Let me start with something from the heart: I strongly believe that a thriving, diverse media of all sorts is vital in any sane society. I abhor the decline of the smokey, charged-up newsroom. I am constantly on the lookout for muckraking journalists ready to defy the powers-that-be with occasionally embarrassing scoops. A living, breathing media in print, on the radio, on television, is a prerequisite for genuine democracy. And I really despise how media organizations, in particular print, became a pawn on the chessboards of hedge funds.

To give more evidence, much of my non-corporate privacy-enhancing technology training experience was with journalists. For instance, one of the most enjoyable events I was involved in organizing was at the Columbia Journalism School's Tow Center in 2014, with most participants being young aspiring student journalists. I was incredibly proud to play a role in getting them to appreciate the centrality of individual security practices and behaviors in a world hostile to transparency.

On that note, when I presented "Why Privacy and Security (usually) need Anonymity" for the ISSA Privacy SIG in June, I gave a few images of ClearOPS Service Provider Reports (referred to as “SPR”) about USAToday.com, although I was hesitant to do so based on that prior experience and what I found.

SPR is our tool for assessing a web domain's privacy and security practices. The report itself displays two-dozen data points that we call "observations," and includes queries about whether the domain displays a privacy policy, the types of encryption for HTTPS available and a variety of other important topics. It's a tool we started building years ago, and is nothing less than a full-fledged search engine created by someone who has built them before.

I included the USAToday.com report to illustrate the importance of minimizing pointless data collection as critical to providing expected anonymity for customers.

Why USA Today? I honestly didn't want to pick on them, and thought one of the usual bad characters in the US would be preferred, maybe an oil company or some other entity that provokes the ire of your average American. But USA Today's report is almost an anomaly, since the number of third parties web site visitors are exposed to is shocking.

Now going back to my starting point, I appreciate the difficult position of media organizations today. Shrink the newsroom, pull the leash on the few remaining on-the-ground journalists, keep the advertisers happy since print sales continue to decline.

But USA Today's SPR from June 6th was shocking.

The first observation I displayed was the response to "Does usatoday.com expose web site visitors to scripts from other domains?".

Instead of a few domains, USAToday.com's report listed 20 other domains. Most of them are related to analytics and advertisements, often in the service of revenue. But exposure to 20 domains means a lot of surface area for data breaches.

More nuanced was the second graphic which illustrated the web site load time of usatoday.com. Some 116 requests were made in 21.79 seconds across 44 different domains.

Like the first observation, most of the domains are concerned with analytics and advertisements.

That's a shocking exposure to ordinary users innocently visiting USAToday.com, and not realizing that dozens of third parties are collecting information about them, usually without any form of consent. USAToday.com's security surface area is likely larger than most other web sites, and with it an increased possibility of their users' data being exposed.

But now for the good news.

Since ClearOPS conducts collections weekly, we now have three collections since the June 15 presentation.

So while I displayed the 20 domains web site visitors were being exposed to in the June 15 presentation, and that number did jump to 24 domains on June 20, in the last two collections, from June 27 and July 4, it declined to nine domains.

Similarly for web site load times: the June 20 data showed an increase to 317 requests in 38.79 secs (0.12 avg.) across 66 unique domains, but that number declined to 69 requests in 12.71 secs (0.18 avg.) across 26 domains on June 27, and 49 requests in 26.59 secs (0.54 avg.) across 21 domains on July 4.
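To make the two observations concrete, here is an added example (not ClearOPS's SPR code) that derives the same kinds of numbers from a HAR capture of a page load. The sample capture, the `.example` hostnames, the function names and the suffix-based first-party test are assumptions; the average is taken as load seconds divided by requests, which matches the figures quoted above.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR-style capture; hosts are placeholders, not real usatoday.com data.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
 {"request": {"url": "https://news.example/"},
  "response": {"content": {"mimeType": "text/html"}}},
 {"request": {"url": "https://static.news.example/app.js"},
  "response": {"content": {"mimeType": "application/javascript"}}},
 {"request": {"url": "https://ads.adnet.example/tag.js"},
  "response": {"content": {"mimeType": "text/javascript"}}},
 {"request": {"url": "https://cdn.metrics.example/m.js"},
  "response": {"content": {"mimeType": "application/javascript"}}},
 {"request": {"url": "https://ads.adnet.example/pixel.gif"},
  "response": {"content": {"mimeType": "image/gif"}}},
 {"request": {"url": "https://ADS.adnet.example/tag2.js"},
  "response": {"content": {"mimeType": "application/javascript"}}}
]}}
""")

def is_third_party(host, site):
    # Simplification (assumption): a host is first-party if it is the site
    # or a subdomain of it. A production check would compare registrable
    # domains using the Public Suffix List.
    host, site = host.lower().rstrip("."), site.lower().rstrip(".")
    return not (host == site or host.endswith("." + site))

def avg_secs(load_secs, requests):
    # Seconds per request, rounded to two places as in the report figures.
    return round(load_secs / requests, 2) if requests else 0.0

def summarize(har, site, load_secs):
    # load_secs is the measured wall-clock load time, supplied by the caller.
    entries = har["log"]["entries"]
    hosts, script_hosts = set(), set()
    for entry in entries:
        host = urlsplit(entry["request"]["url"]).hostname or ""  # lowercased
        hosts.add(host)
        mime = entry["response"]["content"].get("mimeType", "")
        if "javascript" in mime and is_third_party(host, site):
            script_hosts.add(host)
    return {
        "requests": len(entries),
        "unique_domains": len(hosts),
        "third_party_script_domains": sorted(script_hosts),
        "avg_secs": avg_secs(load_secs, len(entries)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_HAR, "news.example", 1.5))
```

Running the same summary over weekly captures gives a trend line like the one described here, and the list of script hosts is the part to review for each third party's purpose.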

When privacy and security are quantified, it becomes easier to grasp their significance, and also to plot relative improvements. And while I did feel some level of guilt shaming USAToday.com as a struggling media entity, I was thrilled to see the relative improvements in their SPR results.

Exposing users to third parties is a logical result of the decline of print media, and the growth of data monetization. These trends aren't just going to reverse out of altruism. But recognizing the potential costs through third-party data breaches should certainly mitigate data monetization.

And for that, hats off to USAToday.com.

George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives in creating unorthodox solutions to ordinary problems.