

{"id":9584,"date":"2018-04-13T14:50:55","date_gmt":"2018-04-13T19:50:55","guid":{"rendered":"https:\/\/rud.is\/b\/?p=9584"},"modified":"2018-04-16T12:15:00","modified_gmt":"2018-04-16T17:15:00","slug":"does-congress-really-care-about-your-privacy","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/","title":{"rendered":"Does Congress Really Care About Your Privacy?"},"content":{"rendered":"<p>I apologize up-front for using bad words in this post.<\/p>\n<p>Said bad words include &#8220;Facebook&#8221;, &#8220;Mark Zuckerberg&#8221; and many referrals to entities within the U.S. Government. Given the topic, it cannot be helped.<\/p>\n<p>I&#8217;ve also left the <code>R<\/code> tag on this despite only showing some ggplot2 plots and Markdown tables. See the end of the post for how to get access to the code &amp; data. <code>R<\/code> was used solely and extensively for the work behind the words.<\/p>\n<hr \/>\n<p>This week Congress put on a show as they summoned the current Facebook CEO &#8212; Mark Zuckerberg &#8212; down to Washington, D.C. to demonstrate how little most of them know about how the modern internet and social networks actually work plus chest-thump to prove to their constituents they really and truly care about <em>you<\/em>.<\/p>\n<p>These Congress-critters offered such proof in the guise of railing against Facebook for how they&#8217;ve handled your data. Note that I should really say <em>our<\/em> data since they do have an extensive profile database on me and most everyone else even if they&#8217;re not Facebook platform users (full disclosure: I do not have a Facebook account).<\/p>\n<p>Ostensibly, this data-mishandling impacted your privacy. 
Most of the committee members wanted any constituent viewers to come away believing they and their fellow Congress-critters truly care about <em>your<\/em> privacy.<\/p>\n<p>Fortunately, we have a few ways to measure this &#8220;caring&#8221; and the remainder of this post will explore how much members of the U.S. House and Senate care about your privacy when you visit their official <code>.gov<\/code> web sites. Future posts may explore campaign web sites and other metrics, but what better place to show they care about you than right there in their digital houses.<\/p>\n<h3>Privacy Primer<\/h3>\n<p>When you visit a web site with any browser, the main URL pulls in resources to aid in the composition and functionality of the page. These could be:<\/p>\n<ul>\n<li>HTML (the main page is very likely HTML unless it&#8217;s just a media URL)<\/li>\n<li>images (<code>png<\/code>, <code>jpg<\/code>, <code>gif<\/code>, <code>svg<\/code>, etc.)<\/li>\n<li>fonts<\/li>\n<li>CSS (the &#8220;style sheet&#8221; that tells the browser how to decorate and position elements on the page)<\/li>\n<li>binary objects (such as embedded PDF files or &#8220;protocol buffer&#8221; content)<\/li>\n<li>XML or JSON<\/li>\n<li>JavaScript<\/li>\n<\/ul>\n<p>(plus some others)<\/p>\n<p>When you go to, say, <code>www.example.com<\/code> the site does not have to load all the resources from <code>example.com<\/code> domains. In fact, it&#8217;s rare to find a modern site which does not use resources from one or more third party sites.<\/p>\n<p>When each resource is loaded (generally) some information about you goes along for the ride. At a minimum, the request time and source (your) IP address are exposed and &#8212; unless you&#8217;re <em>really<\/em> careful\/paranoid &#8212; the referring site, browser configuration and even cookies are available to the third party sites. It does not take many of these data points to (pretty much) uniquely identify you. 
And, this is just for &#8220;benign&#8221; content like images. We&#8217;ll get to JavaScript in a bit.<\/p>\n<p>As you move along the web, these third-party touch-points add up. To demonstrate this, I did my best to de-privatize my browser and OS configuration and visited 12 web sites while keeping a fresh install of <a href=\"https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/lightbeam\/\">Firefox Lightbeam<\/a> running. Here&#8217;s the result:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9588\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/privacy-final\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/privacy-final.png?fit=1810%2C1576&amp;ssl=1\" data-orig-size=\"1810,1576\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"privacy-final\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/privacy-final.png?fit=510%2C444&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/privacy-final.png?resize=402%2C350&#038;ssl=1\" alt=\"\" width=\"402\" height=\"350\" class=\"alignright size-full wp-image-9588\" \/><\/p>\n<p>Each main circle is a distinct\/main site and the triangles are resources the site tried to load. The red triangles indicate a common third-party resource that was loaded by two or more sites. 
Each of those red triangles knows where you&#8217;ve been (again, unless you&#8217;ve been very careful\/paranoid) and can use that information to enhance their knowledge about you.<\/p>\n<p>It gets a bit worse with JavaScript content since a much stronger fingerprint can be created for you (you can learn more about fingerprints at this <a href=\"https:\/\/panopticlick.eff.org\/\">spiffy EFF site<\/a>). Plus, JavaScript code can try to pilfer cookies, &#8220;hack&#8221; the browser, serve up malicious adverts, measure time-on-site, and even enlist you in a <a href=\"https:\/\/www.extremetech.com\/computing\/257786-browser-cryptocurrency-mining-exploding-across-web\">cryptomining army<\/a>.<\/p>\n<p>There are other issues with trusting loaded browser content, but we&#8217;ll cover that a bit further into the investigation.<\/p>\n<h3>Measuring &#8220;Caring&#8221;<\/h3>\n<p>The word &#8220;privacy&#8221; was used over 100 times each day by both Zuckerberg and our Congress-critters. Senators and House members made it pretty clear Facebook should care more about your privacy. Implicit in said posit is that they, themselves, <em>must<\/em> care about your privacy. I&#8217;m sure they&#8217;ll be glad to point out all along the midterm campaign trails just how much they&#8217;re doing to protect <em>your<\/em> privacy.<\/p>\n<p>We don&#8217;t just have to take their word for it. 
After berating Facebook&#8217;s chief college dropout and chastising the largest social network on the planet we can see just how much of &#8220;you&#8221; these representatives give to Facebook (and other sites) and also how much they protect you when you decide to pay them[<a href=\"https:\/\/www.senate.gov\/general\/contact_information\/senators_cfm.cfm\">\u2020<\/a>] [<a href=\"https:\/\/www.house.gov\/representatives\">\u2021<\/a>] a digital visit.<\/p>\n<p>For this metrics experiment, I built a crawler using <a href=\"https:\/\/r-project.org\">R<\/a> and my <a href=\"https:\/\/github.com\/hrbrmstr\/splashr\/\"><code>splashr<\/code><\/a> package which, in turn, uses <a href=\"https:\/\/github.com\/scrapinghub\/splash\">ScrapingHub&#8217;s open source <code>Splash<\/code><\/a>. Splash is an automation framework that lets you programmatically visit a site just like a human would with a real browser.<\/p>\n<p>Normally when one scrapes content from the internet they&#8217;re just grabbing the plain, single HTML file that is at the target of a URL. 
<code>Splash<\/code> lets us behave like a browser and capture all the resources &#8212; images, CSS, fonts, JavaScript &#8212; the site loads and will also <em>execute<\/em> any JavaScript, so it will also capture resources each script may itself load.<\/p>\n<p>By capturing the <em>entire<\/em> browser experience for the main page of each member of Congress we can get a pretty good idea of just how much each one cares about your digital privacy, and just how much they <em>secretly love Facebook<\/em>.<\/p>\n<p>Let&#8217;s take a look, first, at where you go when you digitally visit a Congress-critter.<\/p>\n<h3>Network\/Hosting\/DNS<\/h3>\n<p>Each House and Senate member has an <em>official<\/em> (not campaign) site that is hosted on a <code>.gov<\/code> domain and served up from a handful of IP addresses across the following (<code>n<\/code> is the number of Congress-critter web sites):<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"left\">asn<\/th>\n<th align=\"left\">aso<\/th>\n<th align=\"right\">n<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"left\">AS5511<\/td>\n<td align=\"left\">Orange<\/td>\n<td align=\"right\">425<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">AS7016<\/td>\n<td align=\"left\">Comcast Cable Communications, LLC<\/td>\n<td align=\"right\">95<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">AS20940<\/td>\n<td align=\"left\">Akamai International B.V.<\/td>\n<td align=\"right\">13<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">AS1999<\/td>\n<td align=\"left\">U.S. 
House of Representatives<\/td>\n<td align=\"right\">6<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">AS7843<\/td>\n<td align=\"left\">Time Warner Cable Internet LLC<\/td>\n<td align=\"right\">1<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">AS16625<\/td>\n<td align=\"left\">Akamai Technologies, Inc.<\/td>\n<td align=\"right\">1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&#8220;Orange&#8221; is really Akamai and Akamai is a <em>giant<\/em> content delivery network which helps web sites efficiently provide content to your browser and can offer Denial of Service (DoS) protection. Most sites are behind Akamai, which means you &#8220;touch&#8221; Akamai every time you visit the site. They know you were there, but I know a sufficient body of folks who work at Akamai and I&#8217;m <em>fairly<\/em> certain they&#8217;re not <em>too<\/em> evil. Virtually no representative solely uses House\/Senate infrastructure, but this is almost a necessity given how easy it is to take down a site with a DoS attack and how polarized politics is in America.<\/p>\n<p>To get to those IP addresses, DNS names like <code>www.king.senate.gov<\/code> (one of the Senators from my state) need to be translated to IP addresses. DNS queries are also data gold mines and everyone from your ISP to the DNS server that knows the name-to-IP mapping likely sees your IP address. 
Here are the DNS servers that serve up the directory lookups for all of the House and Senate domains:<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"left\">nameserver<\/th>\n<th align=\"left\">gov_hosted<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"left\">e4776.g.akamaiedge.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">wc.house.gov.edgekey.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">e509.b.akamaiedge.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">evsan2.senate.gov.edgekey.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">e485.b.akamaiedge.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">evsan1.senate.gov.edgekey.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">e483.g.akamaiedge.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">evsan3.senate.gov.edgekey.net.<\/td>\n<td align=\"left\">FALSE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">wwwhdv1.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">firesideweb02cc.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">firesideweb01cc.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">firesideweb03cc.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">dchouse01cc.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">c3pocc.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">ceweb.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">wwwd2-cdn.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">45press.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">gopweb1a.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td 
align=\"left\">eleven11web.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">frontierweb.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">primitivesocialweb.house.gov.<\/td>\n<td align=\"left\">TRUE<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Akamai <em>kinda<\/em> does need to serve up DNS for the sites they host, so this list also makes sense. But, you&#8217;ve now had two touch-points logged and we haven&#8217;t even loaded a single web page yet.<\/p>\n<h3>Safe? &amp; Secure? Connections<\/h3>\n<p>When we <em>finally<\/em> make a connection to a Congress-critter&#8217;s site, it is going to be over SSL\/TLS. They all support it (which is good, but SSL\/TLS confidentiality is not as bullet-proof as many &#8220;HTTPS Everywhere&#8221; proponents would like to con you into believing). However, I took a look at the SSL certificates for House and Senate sites. Here&#8217;s a sampling from, again, my state (one House representative):<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9598\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/house-ssl\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/house-ssl.png?fit=1184%2C1228&amp;ssl=1\" data-orig-size=\"1184,1228\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"house-ssl\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/house-ssl.png?fit=510%2C529&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/house-ssl.png?resize=510%2C529&#038;ssl=1\" alt=\"\" width=\"510\" height=\"529\" class=\"aligncenter size-full wp-image-9598\" \/><\/p>\n<p>The <code>*.house.gov<\/code> &#8220;Common Name (CN)&#8221; makes this a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Wildcard_certificate\">wildcard certificate<\/a>. Many SSL certificates have just one valid CN, but it&#8217;s also possible to list alternate, valid &#8220;alt&#8221; names that can all use the same, single certificate. Wildcard certificates ease the burden of administration but they also mean that if, say, I managed to get my hands on the certificate chain and private key file, I could set up <code>vladimirputin.house.gov<\/code> somewhere and your browser would think it&#8217;s A-OK. Granted, there are far more Representatives than there are Senators and their tenure length is pretty erratic these days, so I can <em>sort of<\/em> forgive them for taking the easy route, but I also in no way, shape or form believe they protect those chains and private keys well.<\/p>\n<p>In contrast, the Senate can and does embed the alt-names:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/senate-ssl.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9597\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/senate-ssl\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/senate-ssl.png?fit=1184%2C1228&amp;ssl=1\" data-orig-size=\"1184,1228\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"senate-ssl\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/senate-ssl.png?fit=510%2C529&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/senate-ssl.png?resize=510%2C529&#038;ssl=1\" alt=\"\" width=\"510\" height=\"529\" class=\"aligncenter size-full wp-image-9597\" \/><\/a><\/p>\n<h3>Are We There Yet?<\/h3>\n<p>We&#8217;ve got the IP address of the site and established a &#8220;secure&#8221; connection. Now it&#8217;s time to grab the index page and all the rest of the resources that come along for the ride. As noted in the <em>Privacy Primer<\/em> (above), the loading of third-party resources is problematic from a privacy (and security) perspective. 
Just how many third party resources do House and Senate member sites rely on?<\/p>\n<p>To figure that out, I tallied up all of the <em>non-<code>.gov<\/code><\/em> resources loaded by each web site and plotted the distribution of House and Senate (separately) in a &#8220;beeswarm&#8221; plot with a boxplot shadowing underneath so you can make out the pertinent quantiles:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-distrubiton.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9600\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/third-party-distrubiton\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-distrubiton.png?fit=1664%2C1064&amp;ssl=1\" data-orig-size=\"1664,1064\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"third-party-distrubiton\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-distrubiton.png?fit=510%2C326&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-distrubiton.png?resize=510%2C326&#038;ssl=1\" alt=\"\" width=\"510\" height=\"326\" class=\"aligncenter size-full wp-image-9600\" \/><\/a><\/p>\n<p>As noted, the median is around 30 for both House and Senate member sites. 
In other words, they value your browsing privacy <em>so little<\/em> that most Congress-critters gladly share your browser session with many other sites.<\/p>\n<p>We also talked about confidentiality above. If an <code>https<\/code> site loads <code>http<\/code> resources, the contents of what you see on the page cannot be guaranteed. So, how responsible are they when it comes to at least ensuring these third-party resources are loaded over <code>https<\/code>?<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/https-distribution-1.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9607\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/https-distribution-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/https-distribution-1.png?fit=1862%2C970&amp;ssl=1\" data-orig-size=\"1862,970\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"https-distribution-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/https-distribution-1.png?fit=510%2C266&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/https-distribution-1.png?resize=510%2C266&#038;ssl=1\" alt=\"\" width=\"510\" height=\"266\" class=\"aligncenter size-full wp-image-9607\" \/><\/a><\/p>\n<p>You&#8217;re <em>mostly<\/em> covered from a pseudo-confidentiality perspective, but what are they serving up to you? 
Here&#8217;s a summary of the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Basics_of_HTTP\/MIME_types\">MIME types<\/a> being delivered to you:<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"left\">MIME Type<\/th>\n<th align=\"right\">Number of Resources Loaded<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"left\">image\/jpeg<\/td>\n<td align=\"right\">6,445<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">image\/png<\/td>\n<td align=\"right\">3,512<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">text\/html<\/td>\n<td align=\"right\">2,850<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">text\/css<\/td>\n<td align=\"right\">1,830<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">image\/gif<\/td>\n<td align=\"right\">1,518<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">text\/javascript<\/td>\n<td align=\"right\">1,512<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">font\/ttf<\/td>\n<td align=\"right\">1,266<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">video\/mp4<\/td>\n<td align=\"right\">974<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/json<\/td>\n<td align=\"right\">673<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/javascript<\/td>\n<td align=\"right\">670<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/x-javascript<\/td>\n<td align=\"right\">353<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/octet-stream<\/td>\n<td align=\"right\">187<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/font-woff2<\/td>\n<td align=\"right\">99<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">image\/bmp<\/td>\n<td align=\"right\">44<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">image\/svg+xml<\/td>\n<td align=\"right\">39<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">text\/plain<\/td>\n<td align=\"right\">33<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/xml<\/td>\n<td align=\"right\">15<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">image\/jpeg, video\/mp2t<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/x-protobuf<\/td>\n<td align=\"right\">9<\/td>\n<\/tr>\n<tr>\n<td 
align=\"left\">binary\/octet-stream<\/td>\n<td align=\"right\">5<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">font\/woff<\/td>\n<td align=\"right\">4<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">image\/jpg<\/td>\n<td align=\"right\">4<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/font-woff<\/td>\n<td align=\"right\">2<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">application\/vnd.google.gdata.error+xml<\/td>\n<td align=\"right\">1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>We&#8217;ll cover some of these in more detail a bit further into the post.<\/p>\n<h3>Facebook &amp; &#8220;Friends&#8221;<\/h3>\n<p>Facebook started all this, so just how cozy are these Congress-critters with Facebook?<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/fb-track-1.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9612\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/fb-track-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/fb-track-1.png?fit=1664%2C1064&amp;ssl=1\" data-orig-size=\"1664,1064\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"fb-track-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/fb-track-1.png?fit=510%2C326&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/fb-track-1.png?resize=510%2C326&#038;ssl=1\" alt=\"\" width=\"510\" height=\"326\" class=\"aligncenter size-full wp-image-9612\" 
\/><\/a><\/p>\n<p>Turns out that both Senators and House members are <em>very<\/em> comfortable letting you give Facebook a love-tap when you come visit their sites since over 60% of House and 40% of Senate sites use 2 or more Facebook resources. Not all Facebook resources are created equal[ly evil] and we&#8217;ll look at some of the more invasive ones soon.<\/p>\n<p>Facebook is not the only devil out there. I added in the public filter list from <a href=\"https:\/\/disconnect.me\/\">Disconnect<\/a> and the numbers go up from 60% to 70% for the House and from 40% to 60% for the Senate when it comes to a larger corpus of known tracking sites\/resources.<\/p>\n<p>Here&#8217;s a list of some (first 20) of the top domains (with one of Twitter&#8217;s media-serving domains taking the individual top-spot):<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"left\">Main third-party domain<\/th>\n<th align=\"right\"># of &#8216;pings&#8217;<\/th>\n<th align=\"right\">%<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"left\">twimg.com<\/td>\n<td align=\"right\">764<\/td>\n<td align=\"right\">13.7%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">fbcdn.net<\/td>\n<td align=\"right\">655<\/td>\n<td align=\"right\">11.8%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">twitter.com<\/td>\n<td align=\"right\">573<\/td>\n<td align=\"right\">10.3%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">google-analytics.com<\/td>\n<td align=\"right\">489<\/td>\n<td align=\"right\">8.8%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">doubleclick.net<\/td>\n<td align=\"right\">462<\/td>\n<td align=\"right\">8.3%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">facebook.com<\/td>\n<td align=\"right\">451<\/td>\n<td align=\"right\">8.1%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">gstatic.com<\/td>\n<td align=\"right\">385<\/td>\n<td align=\"right\">6.9%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">fonts.googleapis.com<\/td>\n<td align=\"right\">270<\/td>\n<td align=\"right\">4.9%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">youtube.com<\/td>\n<td 
align=\"right\">246<\/td>\n<td align=\"right\">4.4%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">google.com<\/td>\n<td align=\"right\">183<\/td>\n<td align=\"right\">3.3%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">maps.googleapis.com<\/td>\n<td align=\"right\">144<\/td>\n<td align=\"right\">2.6%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">webtrendslive.com<\/td>\n<td align=\"right\">95<\/td>\n<td align=\"right\">1.7%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">instagram.com<\/td>\n<td align=\"right\">75<\/td>\n<td align=\"right\">1.3%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">bootstrapcdn.com<\/td>\n<td align=\"right\">68<\/td>\n<td align=\"right\">1.2%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">cdninstagram.com<\/td>\n<td align=\"right\">63<\/td>\n<td align=\"right\">1.1%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">fonts.net<\/td>\n<td align=\"right\">51<\/td>\n<td align=\"right\">0.9%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">ajax.googleapis.com<\/td>\n<td align=\"right\">50<\/td>\n<td align=\"right\">0.9%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">staticflickr.com<\/td>\n<td align=\"right\">34<\/td>\n<td align=\"right\">0.6%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">translate.googleapis.com<\/td>\n<td align=\"right\">34<\/td>\n<td align=\"right\">0.6%<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">sharethis.com<\/td>\n<td align=\"right\">32<\/td>\n<td align=\"right\">0.6%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>So, when you go to check out what your representative is &#8216;officially&#8217; up to, you&#8217;re being served\u2026up on a silver platter to a plethora of sites where you are the product.<\/p>\n<p>It&#8217;s starting to look like Congress-folk aren&#8217;t as sincere about your privacy as they may have led us all to believe this week.<\/p>\n<h3>A [Java]Script for Success[ful Privacy Destruction]<\/h3>\n<p>As stated earlier, not all third-party content is created equally malicious. 
JavaScript resources run code in your browser on your device and while there <em>are<\/em> limits to what it can do, those limits diminish weekly as crafty coders figure out more ways to use JavaScript to collect information and perform shady or malicious deeds.<\/p>\n<p>So, how many House\/Senate sites load one or more third-party JavaScript resources?<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-js.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9614\" data-permalink=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/third-party-js\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-js.png?fit=1706%2C1022&amp;ssl=1\" data-orig-size=\"1706,1022\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"third-party-js\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-js.png?fit=510%2C306&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/third-party-js.png?resize=510%2C306&#038;ssl=1\" alt=\"\" width=\"510\" height=\"306\" class=\"aligncenter size-full wp-image-9614\" \/><\/a><\/p>\n<p>Virtually all of them.<\/p>\n<p>To make matters worse, <em>no <code>.gov<\/code> or third-party resource of any kind was loaded using <a href=\"https:\/\/www.w3.org\/TR\/SRI\/\">subresource integrity<\/a> validation<\/em>. 
Subresource integrity validation means that the site owner &#8212; at some point &#8212; ensured that the resource being loaded was not malicious and then created a fingerprint for it and told your browser what that fingerprint is so it can compare it to what got loaded. If the fingerprints don&#8217;t match, the content is not loaded\/executed. Using subresource integrity is not trivial since it requires a top-notch content management team and failure to synchronize\/checkpoint third-party content fingerprints will result in resources failing to load.<\/p>\n<p>Congress was quick to demand that Facebook implement stronger policies and controls, but they, themselves, cannot be bothered.<\/p>\n<h3>Future Work<\/h3>\n<p>There are plenty more avenues to explore in this data set (such as &#8220;security headers&#8221; &#8212; they all 100% use <code>strict-transport-security<\/code> pretty well, but are deeply deficient in others) and more targets for future works, such as the campaign sites of House and Senate members. I may follow up with a look at a specific slice from this data set (the members of the committees who were berating Zuckerberg this week).<\/p>\n<p>The bottom line is that while the beating Facebook took this week was just, those inflicting the pain have a long way to go themselves before they can truly judge what other social media and general internet sites do when it comes to ensuring the safety and privacy of their visitors.<\/p>\n<p>In other words, &#8220;Legislator, regulate thyself&#8221; before thy regulatists others.<\/p>\n<h3>FIN<\/h3>\n<p>Apart from some egregiously bad (or benign) examples, I tried not to &#8220;name and shame&#8221;. 
I also won&#8217;t answer any questions about facets by party since that really doesn&#8217;t matter too much as they&#8217;re all pretty bad when it comes to understanding and implementing privacy and safety on their sites.<\/p>\n<p>The data set can be found over at <a href=\"https:\/\/zenodo.org\/record\/1219056\">Zenodo<\/a> (alternately, click\/tap\/select the badge below). I converted the R data frame to ndjson\/streaming JSON\/jsonlines (however you refer to the format) and tested it out in Apache Drill.<\/p>\n<p>I&#8217;ll toss up some R code using data extracts later this week (meaning by April 20th).<\/p>\n<p><a href=\"https:\/\/doi.org\/10.5281\/zenodo.1219056\"><img decoding=\"async\" src=\"https:\/\/zenodo.org\/badge\/DOI\/10.5281\/zenodo.1219056.svg\" alt=\"DOI\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I apologize up-front for using bad words in this post. Said bad words include &#8220;Facebook&#8221;, &#8220;Mark Zuckerberg&#8221; and many referrals to entities within the U.S. Government. Given the topic, it cannot be helped. I&#8217;ve also left the R tag on this despite only showing some ggplot2 plots and Markdown tables. 
See the end of the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":9588,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[775,681,91],"tags":[566,464],"class_list":["post-9584","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-commentary","category-cybersecurity","category-r","tag-internet-privacy","tag-privacy"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Does Congress Really Care About Your Privacy? - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Does Congress Really Care About Your Privacy? - rud.is\" \/>\n<meta property=\"og:description\" content=\"I apologize up-front for using bad words in this post. Said bad words include &#8220;Facebook&#8221;, &#8220;Mark Zuckerberg&#8221; and many referrals to entities within the U.S. Government. Given the topic, it cannot be helped. I&#8217;ve also left the R tag on this despite only showing some ggplot2 plots and Markdown tables. 
See the end of the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2018\/04\/13\/does-congress-really-care-about-your-privacy\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2018-04-13T19:50:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-04-16T17:15:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/04\/privacy-final.png?fit=1810%2C1576&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"1810\" \/>\n\t<meta property=\"og:image:height\" content=\"1576\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Does Congress Really Care About Your 
Privacy?\",\"datePublished\":\"2018-04-13T19:50:55+00:00\",\"dateModified\":\"2018-04-16T17:15:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/\"},\"wordCount\":2559,\"commentCount\":9,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/privacy-final.png?fit=1810%2C1576&ssl=1\",\"keywords\":[\"Internet privacy\",\"Privacy\"],\"articleSection\":[\"Commentary\",\"Cybersecurity\",\"R\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/\",\"name\":\"Does Congress Really Care About Your Privacy? 
- rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/privacy-final.png?fit=1810%2C1576&ssl=1\",\"datePublished\":\"2018-04-13T19:50:55+00:00\",\"dateModified\":\"2018-04-16T17:15:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/privacy-final.png?fit=1810%2C1576&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/privacy-final.png?fit=1810%2C1576&ssl=1\",\"width\":\"1810\",\"height\":\"1576\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2018\\\/04\\\/13\\\/does-congress-really-care-about-your-privacy\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Does Congress Really Care About Your Privacy?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. 
All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}