Posted by Maxim Weinstein
Mon, 28 Jul 2008 13:13:00 GMT
Our Berkman colleague, Hal Roberts, notes that Phorm (an ISP-based advertising system that has raised some eyebrows with regard to consumer privacy) may violate its own privacy policy:
In fact, in a couple of hours of looking at the available technical information I found a significant breach of Phorm’s privacy policy missed by the audit: Phorm’s privacy policy claims that it will not disclose its Phorm IDs to any third parties, but a technical description of the system by Richard Clayton finds that Phorm does indeed share its IDs with web sites in a common usage scenario.
StopBadware.org has been keeping an eye on services such as Phorm and competitors such as NebuAd and Front Porch. At issue is that ISPs may deploy these services, which inspect a user’s web traffic to profile the user and serve up relevant ads, without providing the clear notice and opportunity for consent that would give users control over their privacy. We’re not alone in being concerned. The U.S. Congress and the European Commission have both gotten involved after reports of ISPs in the U.S. and the U.K. testing these advertising programs with no notice to their customers.
Posted in all | Tags advertising, frontporch, nebuad, phorm, privacy, stopbadware
Posted by Laureli Mallek
Thu, 24 Jul 2008 21:18:00 GMT
Dancho Danchev has blogged repeatedly about the commercialization of badware producers, and this week he mentioned another example: outsourced email hacking. The hackers-for-hire promise that their seven-step process, from submitting the information of the would-be victim to proof of execution and exchange of money, will be cleaner and yield better results than other methods (phishing, viruses, etc.).
Danchev ponders:
Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers.
But how would you do business with people who make it their business to gain access without detection? Some email providers have stepped forward with more privacy features; for example, Gmail has added a details feature allowing users to view their account history, which logs the time and IP address of recent accesses.
Another feature that I like: remote log-out, which should come in handy after logging into an account from a different machine, though it could become a hassle if your email is being controlled by a third party who decides to deny you access to your own email account.
Posted in all | Tags email, privacy, security
Posted by Laureli Mallek
Mon, 07 Jul 2008 21:02:00 GMT
The German state of Bavaria has approved laws that allow the police to plant spyware on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers via email, Bavarian laws allow police to enter a suspect’s home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann “gave short shrift to [privacy] objections, stating that Bavaria is leading the field in ‘internal security’ in becoming the first German state to approve the plan.”
This step taken by the Bavarian government counters a ruling earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.
In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to monitor and record Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade their citizens’ computers.
Posted in all | Tags enforcement, law, privacy, security, spyware, trojan
Posted by Erica George
Mon, 07 Apr 2008 18:39:00 GMT
The New York Times this weekend featured an editorial by Adam Cohen on erosions of user privacy caused by commercial behavioral tracking. While behavioral tracking (primarily through the use of cookies attached to web pages or to display ads) is not inherently bad, it’s important that companies employing tracking properly disclose what they’re doing in their privacy policies and user agreements.
Cohen notes that the scope of information a company can now learn about its users is larger than many users realize:
Web sites can charge a premium if they are able to tell the maker of an expensive sports car that its ads will appear on Web pages clicked on by upper-income, middle-aged men.
The information, however, gets a lot more specific than age and gender — and more sensitive. Tech companies can keep track of when a particular Internet user looks up Alcoholics Anonymous meetings, visits adult Web sites, buys cancer drugs online or participates in anti-government discussion groups.
Cohen also points out that in many cases, users don’t have enough information about how their personal tracking records will be used:
The bigger issue is the digital dossiers that tech companies can compile. Some companies have promised to keep data confidential, or to obscure it so it cannot be traced back to individuals. But it’s hard to know what a particular company’s policy is, and there are too many to keep track of. And privacy policies can be changed at any time.
Companies can help by making sure their privacy policies are easy to find and understand, and that these policies fully disclose what data is being tracked and how it is being handled after it is collected. StopBadware’s guidelines are a great place to start for pointers on best practices for disclosure.
For more information about cookies and their role in behavioral tracking and privacy, check out the videos from our Cookie Crumbles Contest last fall.
Tags ads, cookies, privacy, tracking
Posted by Maxim Weinstein
Tue, 11 Mar 2008 17:15:00 GMT
While we tend to focus on badware around here, weak online passwords are also a security and privacy risk.
Productivity blog Lifehacker.com points to this tool from Microsoft that allows you to check the strength of your passwords without sending any data to Microsoft. There is also a link to some useful tips for how to create a strong password.
Posted in all | Tags passwords, privacy, security, stopbadware, tips
Posted by Maxim Weinstein
Wed, 05 Dec 2007 22:00:00 GMT
Social networking site Facebook has been on the defensive lately for a variety of poor privacy- and disclosure-related decisions about its Beacon application. Beacon, which is turned on by default for Facebook users, allows users to update their Facebook news feed with information about recent purchases and other activities on third party web sites, such as Blockbuster.com, Overstock.com, and Epicurious.com.
To its credit, Facebook has worked fairly quickly to respond to many of the complaints:
- Initially, the default behavior for Beacon was to publish your purchases in your profile unless you explicitly said no. In response to public pressure, including a petition from MoveOn.org, Facebook changed its system so that you must affirmatively click “yes” before a story is published.
- There was originally no feature that allowed you to categorically prevent stories from a particular site from being posted to your profile. Facebook added this feature within the user profile privacy settings.
- Until today, there was still no global opt-out feature that simply says, “I don’t want my behaviors on other sites published in my profile.” Facebook announced availability of this feature today.
- Stefan Berteau at Computer Associates noted recently that even when you opt out, information about your habits on these third party sites is still sent along with your e-mail address to Facebook. Following publicity from Stefan’s report and dialogue between Facebook and StopBadware in which we encouraged far better disclosure, Facebook is updating its Beacon FAQ and has already updated its Actions From External Websites pages to disclose the transmission of this data. Facebook also released a statement clarifying that this data is deleted unless the user opts into publishing the story.
- Mark Zuckerberg, CEO of Facebook, apologized today and admitted making mistakes in the product and how the company handled the launch.
The engineers we spoke with at Facebook also point out that they built the system originally to ensure that data stored by Facebook, including e-mail addresses and other contact information, is never provided to the third party web sites.
We applaud Facebook’s commitment to privacy and its responsiveness to the community throughout this process. We don’t fully agree, however, with the conclusion of CEO Mark Zuckerberg’s statement where he says, “[I] hope that this new privacy control addresses any remaining issues we’ve heard about from you.” In our discussions with Facebook during the past 24 hours, we have raised a couple other privacy issues that we hope the Facebook team will still address:
- Facebook offers its partner (third party) sites the option of whether or not to use an encrypted connection to send data (e-mail address, item purchased, etc.) from a user’s PC to Facebook’s servers. We encourage Facebook to make this mandatory, not optional, as this is an important step in keeping this data out of the view of malicious hackers or curious network administrators.
- When a user chooses to opt out of Beacon or clicks “No Thanks” when asked to publish a story in his/her profile, it is not made clear to the user that the data will still be sent to Facebook. This should be an easy clarification to make in the text of these opt-out screens/boxes and would go a long way towards ensuring full disclosure.
We wish to thank Facebook for engaging in dialogue with us on these issues, and we encourage its leadership to continue listening to and learning from the community so the company can reach the goal they expressed to us of becoming a leader in user privacy.
Posted in all | Tags facebook, privacy, stopbadware