free good or bad

Free – good or bad?

It’s always nice to get something for free. Or is it? There are really some free lunches on the net. But what appears to be free can have a hidden price, which often is paid by other means than money.

Internet did for a long time lack payment models and everything on the net was truly free. This was fine on a net that was an academic tool and playground for enthusiasts. Our Internet of today is totally different, and to a large extent business driven. But the culture of getting stuff for free on the net is deeply rooted. People are used to free stuff, or are hesitant to use payment on the net in fear of fraud. This has created a lot of new business models based on free products and services. Either genuinely free or with a hidden compensation. One of the important skills for today’s cybercitizens is to recognize these business models and understand the hidden risks and compensations. Read on to learn how.

Before you take the bait you should always ask yourself: Why is this thing offered for free? That’s the key questions as the vendor’s motives dictate if the product or service is safe to use. First look for info about who made the product and why. Then try to place it in one of the categories below. Now it will be a lot easier to make an educated guess about how safe it is.


A very common way to provide free products or services. Ads are showed to you and the vendor gets money from the advertisers. Be careful with ad-ware your children are using. You have no control over the ads and some content may be unsuitable. Otherwise these are mostly legit if you don’t find the ads too annoying.

User profiling

“If you don’t pay for the product, then you ARE the product.” This is taking ad-ware to the next level. Big data companies like Facebook and Google offer their services for free, but create extensive profiles over their users and utilize them for marketing purposes. This is a privacy problem as you have no control over what data they collect and how it is (mis)used. Intelligence agencies are on top of that also eager to tap into your data. If Facebook knows something about you, then NSA knows too. The problem here is that it is very hard to know what price you really pay for the “free” service. You should consider if the privacy risk is worth taking for the value you get in return.

Hobby and ideological

Many create programs and web services for fun. Giving it away and seeing that people really use it is part of the joy. Some may also have ideological motives, like fighting corporate dominance, guarding peoples’ privacy or defeating net espionage. Products in this category are genuinely free and there’s no hidden compensation. The Firefox browser is an excellent example. The Linux operating system is another.

This “business model” is safe for the customer, but the products and services may not always be the safest choice technically. Providing safe software is a tough task and requires constant maintenance. Hobbyists are not always professional enough for this. In this category you will find a wide range of products with technical security ranging from excellent to very poor. It’s also futile to expect good support services in this category, unless the product has a well-working user forum that provides peer-support.

Donation financed, “begware”

This is a variant of the previous class. Some providers of free software ask for donations openly. This is like a product with a voluntary payment. A lot of people will use the product for free, but some will contribute a couple of bucks to cover the vendor’s expenses. Wikipedia is a good example. BTW, have you ever donated to them? I have and I think it’s very well spent money. The value I get in return is far greater.

Taxpayers’ money

Some free services are provided with tax-payers’ money. These are typically OK to use. Quality might vary tough, as the public sector often lacks the culture of customer service and competitiveness.

Upselling or service fees

Many vendors provide a basic product or service for free, and more functionality or capacity for a price. This is a nice way to let customers try it out and decide later if they need the paid version. Sometimes the product is entirely free and the business model is based on selling support services for it. There’s nothing wrong with this business model and the products are usually OK if the vendor is trustworthy.


Getting something for “free” when buying something else is a common marketing trick. It’s not really a free product, the pricing scheme is just set up to hide its true cost. A common example is receiving a “free” mobile phone or 4G-dongle when signing up for a 2-year subscription. Hardware prices are declining and many people have a misconception that these bundled items are worth more than they really are.

Pirated content

Some content is offered to you free of charge and with no strings attached, but the distributor lacks the right to distribute it. Distributing stuff without permission is illegal practically everywhere, but your status as receiver is not as clear. Whether it is a crime to download the stuff depends on your country’s legislation. Also remember that the common peer-to-peer sharing networks, like BitTorrent, both download and share at once. It’s also common to distribute malware masqueraded as pirated software. The safest way is to look for the content’s original vendor or distribution point, and download it from there. Then you will learn if it really is free, and lose the malware as an extra bonus.

Scams and malware

Malware and scams are often masqueraded as free offerings. Be extremely careful if you are tempted to sign up for anything that sends you “free” information as text messages. Your mobile phone number is a payment method and scammers can charge you for bogus messages sent to your mobile. It can be next to impossible to get them cleaned off the bill. What you think is a handy utility program may also turn out to be malicious software. If you can’t figure out why the tool is free, the real reason may be to plant malware in your computer or mobile device.

Let’s finish with a checklist for people considering using a free service or product:

  1. Find out who made it. Check if the vendor declares openly why the product is free.
  2. Check if the vendor offers paid alternatives to the free version and how they differ.
  3. Try to figure out what category the free offering belongs to.
  4. Is the vendor trustworthy? You shouldn’t use software from untrusted sources even if it’s free.
  5. Finally consider if the free offering really is what you want. Sometimes it’s a great alternative to expensive products, sometimes you pay a high hidden price just to save a couple of bucks. And sometimes the free alternatives just aren’t up to the task and you would be better off with a professionally made product. Consider if it really is smart to save a couple of dollars and insert potentially unreliable code in the system with all your irreplaceable content?
  6. If you still are uncertain, search for user opinions on the net. The true free gems, like Firefox and Linux, have huge user bases and you can find a lot of info about them. Be careful if you have problems finding independent opinions about a free product you consider.

Safe surfing,

More posts from this topic

safe harbor, U.S privacy, European privacy

The ‘Safe Harbor’ ruling divides the ‘old world’ and ‘new world’

This week's ruling by the European Court of Justice striking down the 2000 "Safe harbor" agreement between the European Union and and the United States was celebrated as vindication by privacy activists, who saw the decision as a first major international consequence of the Snowden revelations detailing the extraordinary extent of mass surveillance being conducted by the U.S. and its allies. "The safe harbor agreement allowed U.S. companies to self-certify they abided by EU-strength data protection standards," Politico's David Meyer reported. "This gave them a relatively simple mechanism to start legally handling Europeans’ personal data." That simple mechanism did not abide by the Commissions own privacy standards, the Court decided. "The court, by declaring invalid the safe harbor which currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law," the EFF's Danny O'Brien wrote. A new Safe Harbor agreement is currently being negotiated and the Court's ruling seems designed to speed that up. But for now many companies -- especially smaller companies -- and users are now in a sort of a legal limbo. And that legal limbo may not be great news for your privacy, according to F-Secure Security Advisor Sean Sullivan, as it creates legal uncertainty that could easily be exploited by government spy agencies and law enforcement. "Uncertainty is their bread or butter," he told me. To Sean, this ruling and the urge to break it represent an "old world" view of the Internet where geography was key. The U.S. government has suggested that it doesn't need to respect borders when it comes to companies like Microsoft, Facebook and Google, which are headquartered in the U.S. but do business around the world. Last month, the Department of Justice said it could demand Microsoft turn over Hotmail data of any user, regardless where s/he lives. "The cloud doesn’t have any borders," Sean said. "Where stuff is located geographically is kind of quaint." You can test this out by using an app like Citizen Ex that tests your "Algorithmic Citizenship." Sean, an American who lives in Finland, is identified as an American online -- as much of the world would be. What Europe gave up in privacy with Safe Harbor was, to some, made up for in creating a cohesive marketplace that made it easier for businesses to prosper. Facebook and Google warned that the U.S.'s aggressive surveillance risked "breaking the Internet." This ruling could be the first crack in that break. Avoiding that requires a "new world" view of the Internet that respects privacy regardless of geography, according to Sean. He's hopeful that reform comes quickly and democratically in a way that doesn't require courts to force politicians' hands. The U.S. showed some willingness to reform is surveillance state when it passed the USA FREEDOM Act -- the first new limitations on intelligence gathering since 9/11. But more needs to be done, says the EFF. The digital rights organization is calling for "reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333." Without these reforms, it's possible that any new agreement that's reached between the U.S. and Europe might not reach the standards now reaffirmed by the European Court of Justice.

October 9, 2015

Is protection against self-incrimination dead in the digital era? (Poll)

How to balance between privacy and crime fighting? That’s one of the big questions now when we are entering the digitally connected era. Our western democracies have a set of well-established and widely accepted rules that control what authorities can and can’t do. One aspect of this has been in the headlines lately. That’s your right to “plead the Fifth”, as the Americans say. Laws are different in every country, but most have something similar to USA’s Fifth Amendment. The beef is that “No person … shall be compelled in any criminal case to be a witness against himself,…”. Or as often expressed in popular culture: “You have the right to remain silent.” With more fancy words, protection against self-incrimination. What this means in practice is that no one can force you to reveal information if authorities are suspecting you of a crime. You have the right to defend yourself, and refusal to disclose information is a legal defense tactic. But the police can search your home and vehicles for items, if they have the proper warrant, and there’s nothing you can do to stop that. In short, the Fifth Amendment protects what you know but not what you have. Sounds fair. But the problem is that there was no information technology when these fundamental principles were formed back in 1789. The makers of the Fifth Amendment, and similar laws in other countries, could not foresee that “what you know” will expand far beyond our own brains. Our mobile gadgets, social media and cloud services can in the worst case store a very comprehensive picture of how we think, whom we have communicated with, where we have been and what we have done. All this is stored in devices, and thus available to the police even if we exercise our right to remain silent. Where were you last Thursday at 10 PM? Do you know Mr John Doe? What's the nature of your relationship with Ms Jane Doe? Have you purchased any chemicals lately? Do you own a gun? Have you traveled to Boston during the last month? Have you ever communicated with These are all questions that an investigator could ask you. And all may still be answered by data in your devices and clouds even if you exercise your right to remain silent. So has the Fifth Amendment lost its meaning? Would the original makers of the amendment accept this situation, or would they make an amendment to the amendment? The situation is pretty clear for social media and cloud storage. This data is stored in some service provider’s data center. The police can obtain a warrant and then get your data without any help from you.(* Same thing with computers they take from your home. The common interpretation is that this isn’t covered by the Fifth Amendment. But what if you stored encrypted files on the servers? Or you use a device that encrypts its local storage (modern Androids and iPhones belong to this category). The police will in these cases need the password. This is something you know, which makes it protected. This is a problem for the police and countries have varying legislation to address the problem. UK takes an aggressive approach and makes it a crime to refuse revealing passwords. Memorized passwords are however protected in US, which was demonstrated in a recent case. Biometric authentication is yet another twist. Imagine that you use your fingerprint to unlock your mobile device. Yes, it’s convenient. But it may at the same time reduce your Fifth Amendment protection significantly. Your fingerprint is what you are, not what you know. There are cases in the US where judges have ruled that forcing a suspect to unlock a device with a fingerprint isn’t in conflict with the constitution. But we haven’t heard the Supreme Court’s ruling on this issue yet. So the Fifth Amendment, and equal laws in other countries, is usually interpreted so that it only protects information stored in your brain. But this definition is quickly becoming outdated and very limited. This is a significant ethical question. Should we let the Fifth Amendment deteriorate and give crime fighting higher priority? Or should we accept that our personal memory expands beyond what we have in our heads? Our personal gadgets do no doubt contain a lot of such information that the makers of Fifth Amendment wanted to protect. If I have the right to withhold a piece of information stored in my head, why should I not have the right to withhold the same information stored elsewhere? Is there really a fundamental difference that justifies treating these two storage types differently? These are big questions where different interests conflict, and there are no perfect solutions. So I pass the question to you. What do you think? [polldaddy poll=9102679]   Safe surfing, Micke   Image by OhLizz   (* It is this simple if the police, the suspect and the service provider all are in the same country. But it can get very complicated in other cases. Let's not go there now as that would be beside the point of this post.  

September 30, 2015
Hillary Clinton, email scandal, phishing scam

A phishing scam may hurt Hillary Clinton’s career — could it cost you yours?

This email was one of five phishing scams found in the 6,400 pages of Hillary Clinton's emails released on Wednesday. While there's no confirmation that former First Lady fell for the scam, her political opponents are using it to attack her for the security risks of the unconventional private server she used while in office -- even though a recent report found that 1 of 7 emails received on official U.S. Defense Department servers were either spam, phishing or other malware attacks. Receiving such attacks is inevitable. Cyber criminals have long known that one the best ways to hack into something is to simply ask you for the password. This technique has long relied on the fact that most of are used to entering our credentials so if a site looks trustworthy enough, we'll just type our credentials. From there, the bad guys can use these keys to unlock our digital life. As we've become more savvy in recognizing untrustworthy emails like the one above, criminals have taken advantage of our growing desire to share information about ourselves online to pioneer a more advanced technique called "spear phishing," which usually arrives in the form of a personalized email from an person or business you have a relationship with. This sort of attack was pioneered to hack high-value targets like Clinton. The Russian-backed Dukes group used this method in its 7-year campaign against western interests and others. In our Business Insider blog, Eija offers an inside look at how the CEO of a Finnish startup was the victim of an attempted spear phishing. "However, anyone can be a target..." Eija explains. And if you work in the U.S. government your chances of being hit with a very personalized attack have greatly increased as a result of the recent hack of the Office of Personnel Management. “Every bit of my personal information is in an attacker’s hands right now,"Paul Beckman, the Department of Homeland security’s chief information security officer, said at the Billington Cybersecurity Summit in September. "They could probably craft my email that even I would be susceptible to, because they know everything about me virtually.” Beckman said he regularly sends fake phishing emails to his staff to see if they fall for them, and “you’d be surprised at how often I catch these guys.”' Getting caught results in mandatory security training. But even after two or three rounds of instruction, the same people still fall for similar scams. “Someone who fails every single phishing campaign in the world should not be holding a [top secret clearance] with the federal government,” he said. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.” Beckman said he has proposed that those who prove they cannot detect a scam be stripped of their clearance, which could limit their career possibilities or even cost them a job. If you're the CEO of a startup, you recognize that security of your business is essential to your success. But if you're just an employee, your incentives for protecting intellectual property are nowhere as strong. Criminals only need one victim to make one mistake to succeed. So what are employers to do when education just isn't good enough? How about positive reinforcement for those who successfully avoid a scam? The truth is we're all only as secure as our training and focus. Organizations need to work on the best methods for developing both. Whether it's at work or at home or in the U.S. State Department, you're likely to be faced with a phishing attempt before long. Here's basic guidance from Eija on how to avoid being hooked: Be vigilant when entering your password anywhere Enable two-factor authentication Use Google’s built-in Security Checkup and Privacy Checkup tools Periodically review forwarding and mail filter settings, Connected apps & sites, Devices and Activities, shared files Disable POP and IMAP access if you don’t need them for a desktop or mobile client Cheers, Sandra

September 29, 2015