Today’s the day Google’s broad new privacy policy goes into effect. European regulators are claiming it violates data protection laws, but it’s here and it may be here to stay.

There are some not-completely-foolproof ways to hide from Google, but first let’s talk about what’s changed. Prior to today, Google had more than 70 privacy policies for its various products. But with the company trying to create a seamless experience across search, Gmail, Google+, Google Docs, Picasa, and much more, Google is consolidating the majority of its policies down into just one document covering most of its products. This will make it easier for Google to track users for the purpose of serving up personalized ads.

“The main change is for users with Google Accounts,” Google said at the time of its January announcement. “Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience.”

An example? Google search results can already bring up Google+ posts or photos that have been shared with the user. “But there’s so much more that Google can do to help you by sharing more of your information with … well, you,” Google said. “We can make search better—figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too. For example, it’s January, but maybe you’re not a gym person, so fitness ads aren’t that useful to you. We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends’ names, are accurate because you’ve typed them before.”

Today, Google’s official blog reminded users of the change, saying it had been the subject of “a fair amount of chatter and confusion.” 

The updated policy can be read online, and describes how Google collects device information, search queries, cellphone-related data, location information, and collects and stores information on users’ devices with the use of HTML5 technology, browser storage, application data caches, and cookies and other “anonymous identifiers.”

Before the changes, Google was “restricted in our ability to combine your YouTube and Search histories with other information in your account,” Google Privacy Director Alma Whitten wrote in the company blog. Now Google can provide a simpler, easier-to-understand privacy policy to users, and improve its products “in ways that help our users get the most from the web,” Whitten wrote.

Google recently promised to follow Do Not Track guidelines in an agreement with the White House, but those changes won’t take effect until sometime later in the year. With Google’s expanded ability to serve up personalized ads, the company makes certain privacy promises. For example, “when showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.”

The policy does not affect most business customers, those who have a signed contract with Google to use Google Apps for Government, Business, or Education. Those of us with free accounts will be affected, and while there are ways to anonymize your Google usage they’re not universally effective. Google’s privacy policy notes that “You may also set your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us.” However, Google was recently found to be serving up advertising cookies to users of Safari and Internet Explorer using methods of circumventing the browsers’ default privacy settings.

So what else can you do? Most browsers today have private surfing modes that you can select. You can visit Google’s “Data Liberation Front” website for instructions in exporting data out of Google products. The Electronic Frontier Foundation also has instructions on removing your Google search history from your account. However, even this is not as simple as it sounds. Disabling Web History in your Google account “will not prevent Google from gathering and storing this information and using it for internal purposes,” the EFF notes.

Google does hand over user data in response to government requests on a regular basis, as noted in the company’s Transparency Report. The EFF notes that disabling Web History “does not change the fact that any information gathered and stored by Google could be sought by law enforcement.”

If your account has Web History enabled, Google will keep the records indefinitely. “With it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented,” the EFF states.

For those who are really willing to put some work into staying anonymous, downloading a Tor client may be the right step. Tor encrypts your web traffic and sends it through a randomly selected series of computers, preventing shadowy third parties from learning what sites you visit or where you’re located. The Tor Project even played a role in helping Iranians get back online after a recent government crackdown on Internet usage.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Google’s Chrome development team is working on a system to automatically generate passwords, which would help users secure their online identities with passwords that would be diversified across different sites, and are randomized and thus harder to guess. Detailed in developer documentation on the Chromium Project site, the system would detect account sign-up pages and “add a small UI element to the password field” giving the user the option of letting Chrome manage the password for them.

Initial versions of the system would create passwords on an individual basis, at the user’s request. But Google’s development team states that “At some point in the future it might also be possible for us to automatically change all of a user’s passwords when we realize that their account is hijacked.” The developer documentation notes that the feature would make Google “a higher value hijacking target,” than it already is, although “Google is already a high value target so this shouldn’t change much.”

Chrome can already store passwords, a common feature in modern browsers, and it syncs them across computers, with the passwords encrypted in transit and at rest in Google data centers. The idea of auto-generating passwords is not new, either. Password management software such as 1Password and LastPass can already generate passwords and automatically input them into web forms. But these tools cost money and require additional software downloads. Although it’s not clear when it will become available, Google’s scheme would make storing and generating passwords a pre-installed feature of the browser.

Mockup of a potential future version of Chrome which would auto-generate passwords. Image from the Chromium Project.

The first challenge noted by the Chrome development team is detecting sign-up pages, which is accomplished by looking for elements such as “an account name field and two password fields.” Next, the Chrome password generator must come up with a secure password that meets the site’s requirements—many sites require digits, special characters or certain lengths. Because the password generator may choose a password that doesn’t meet the site’s requirements, the user is given a chance to review the suggested password before selecting it.

“If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password,” the Chromium development document says. “The reason we don’t just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites. So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn’t work.”

The Chromium team is still looking for a “way to authenticate to the browser to enable this feature,” and will have to find a workaround for sites that have autocomplete turned off.

“Any website that has autocomplete turned off will not be able to be protected,” the document states. “Going by current phishing attacks, this means that 40-70% of phishing pages can’t be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites.”

How much do you trust Google?

Google is often criticized for invading users’ privacy, as the company makes much of its revenue by serving up personalized ads to users based on their web browsing habits and even the contents of their e-mail. However, the development of technology to generate more secure passwords seems like a good-faith effort to protect users from online attacks, and isn’t so far removed from the already-existing practice of browsers storing passwords.

Google’s password-generator will likely be appealing to many because of the sheer convenience of it. But users will have to decide for themselves just how much of their online activities they want to trust with Google.

In the long run, Chrome developers say the solution should be browser sign-in coupled with the OpenID authentication standard. However, “getting most sites on the Internet to use OpenID will take a while,” the Chrome team states. “In the meantime it would be nice to have a way to achieve the same affect of having the browser control authentication.” Since many people re-use passwords across sites, randomization will go a long way toward better security, making it harder for attackers to steal a user’s entire online identity.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Mozilla developers are planning to build a dramatically different version of Firefox for Windows 8, a change necessitated by Microsoft’s use of the touch-friendly “Metro” user interface for PCs and tablets.

Mozilla describes its Windows 8 plans as part of a 2012 Strategy & Roadmap document updated yesterday. A technology proof-of-concept demonstrating the feasibility of Firefox in Windows 8 is planned for the second quarter of this year, with timing dependent on the release of Microsoft’s Windows 8 consumer preview and developer documentation. A Metro version may be necessary for Firefox to avoid being shut out of Windows 8 tablets running on ARM, which will have only a limited “traditional” Windows desktop. But Mozilla is apparently planning Firefox builds both for the traditional Windows desktop environment and Metro.

“Windows 8 contains two application environments, ‘Classic’ and ‘Metro,’” Mozilla notes. “Classic is very similar to the Windows 7 environment at this time, it requires a simple evolution of the current Firefox Windows product. Metro is an entirely new environment and requires a new Firefox front end and system integration points.”

Metro Firefox will be a new Gecko-based browser focused on touch interactions, with both full-screen and partial-screen modes, with the possibility of a live tile so that users can see updates on the Start screen. There are several unanswered questions, such as which programming language to use for building the Metro front end. Firefox product manager Asa Dotzler further notes that “This proposal depends on Microsoft providing the same capabilities for Firefox as it does for IE—running at the Medium level integrity process that allows us the full use of the Win32 API and what we need from Metro, or a set of APIs that allow Mozilla to port Gecko to the WinRT. For the purposes of this feature proposal, I’m assuming we’ll get the first and we won’t have to port the bulk of Gecko and instead will use the win32 dlls from within Metro.”

Firefox accounts for about 20 percent of worldwide desktop browser market share, but has lost ground to Google Chrome over the past year. Chrome will presumably have a Metro version for Windows 8 as well, but Google has made no official announcement.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

This week, “call your Congressperson” is not just a cliché. It’s one of the most important things you can do to make your voice heard.

As Ars readers know, Wikipedia, reddit, Craigslist, and others are blacking out their sites today in protest of the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA), antipiracy bills that protestors believe would give far too much power to rightsholders at the expense of the Internet as a whole.

Members of Congress are already backpedaling on some of the provisions in SOPA and PIPA, and Rep. Darrell Issa (R-CA) said Tuesday that he expects to have more co-sponsors for his alternative (and much saner) OPEN Act than “than SOPA has in the House.”

SOPA opponents say it is critical to block the bill now, because if it is turned into law website owners will be at risk of having payments blocked, or forced into lengthy and expensive litigation even if they’re not trying to enable piracy or profit from it.

“Scribd could not have come into existence in a world governed by SOPA,” said Scribd co-founder Jared Friedman during a conference call yesterday. Alexis Ohanian, co-founder of reddit (which shares a parent company with Ars Technica), said much the same thing about Internet entrepreneurs. “I’d hate to be the Congressperson who has to go back to his or her district and say, ‘You know what, maybe this is not the industry for you. Maybe you can try your luck in Canada.’”

Video hosting site Veoh found out the hard way what litigation can do to an Internet business, even when the law is on your side. Veoh was “litigated to death” before being finally cleared in a lawsuit filed against the site by Universal Music Group. “The lawsuit dramatically impacted our company,” said founder Dmitry Shapiro. “It cost us millions of dollars to litigate. It took up a tremendous amount of executives’ time. More importantly, it dramatically demotivated our 120 employees who were constantly concerned about what this meant and what would happen to them and their families.”

Veoh’s defense, that it was eligible for safe harbor protection under the Digital Millennium Copyright Act, was upheld on appeal. But it was too late—Shapiro laid everyone off and sold the company in a fire sale.

Friedman said he’s grateful to Shapiro, because Veoh’s “success” in defending itself helped Scribd fend off its own legal threats. But SOPA would weaken safe harbor protections and give copyright owners a “private right of action” to go after money and ad networks, making it even more difficult for future Veohs to gain traction.

You don’t have to be a digital pirate to oppose SOPA, Issa added. “We don’t want people taking brand-new movies and putting them online and prospering while the actual creator of the art is denied,” Issa said. But OPEN, by focusing on the money supply through the International Trade Commission, would target the vast majority of abuses that SOPA intends to prevent without resorting to censorship, he argued. “We think we can do 80 percent of the good with almost no trauma.”

“It is a great time to contact your members of Congress, make sure they know there is an alternative, and that there is a reason to slow down and get it right,” Issa added.

Contact your senator or representative

Sending a message to our elected leaders’ underlings has never been easier. Old-fashioned phone calls count for a lot; they take effort to make, and so they indicate opposition in a way that a mass form e-mail never will. The official Senate site lists the phone numbers and links to contact forms for all senators, while the House has a handy tool that lets you search for your representative by ZIP code and state.

If you’re having trouble thinking of something to say, various anti-SOPA and anti-PIPA organizations can help. Public Knowledge has a form for sending letters to senators describing why PIPA is “overbroad … ripe for abuse … [and] speeds fragmentation of the Internet.” The Electronic Frontier Foundation is providing a similar service for contacting both senators and representatives, as is AmericanCensorship.org.

You can also sign several petitions. This one urges President Barack Obama to veto SOPA should it ever come to his desk and has more than 51,000 signatures; it led to the Obama administration criticizing portions of SOPA, saying that the administration “will not support legislation that reduces freedom of expression, increases cybersecurity risk, or undermines the dynamic, innovative global Internet.”

Another petition backed by Craigslist and reddit is aimed at Congress and has 117,000 supporters. Want to go further and convince your fellow humans that SOPA is bad? If you’re already an expert on SOPA or PIPA, another site lets you volunteer to to explain it to newbies on the phone or in person.

Black out your website

Many of you have your own personal websites. Just because you’re not as big as Wikipedia and reddit doesn’t mean you can’t join the blackout brigade or “SOPA strike,” as some are calling it. On GitHub, one SOPA opponent is providing HTML that can be used to change a website’s homepage to a black screen which lights up when you move your cursor over the middle, revealing a message of protest:

Your own website could look like this today—if you download a bit of code from GitHub

If you have a WordPress site, you can choose from several plugins to make your point, including one that lets you customize which dates the blackout message appears and whether users see it on only their first visit or on all visits. Widgets can also direct visitors to anti-SOPA or anti-PIPA petitions. For those who can’t or don’t want to go completely dark, there are “Stop PIPA” bars to put at the top of your site, while one “SEO-friendly” protest tool created by CloudFlare blacks out any word longer than five characters, making your site look like a redacted government document. Mucking with a site carries some danger of Google’s web-crawling bots not seeing it properly, but luckily a Google employee has posted a handy guide on what not to do.

Boycott SOPA supporters

If you’ve contacted your Congressperson, blacked out your website, and are still itching for more protest action, you can identify SOPA supporters and take the fight to them directly—or boycott their goods and services. One extension for Google Chrome, called No SOPA, warns you when you visit the website of a company that supports the legislation. “Boycott? Nasty letter time? You decide,” writes the maker of the extension.

There’s also quite an extensive list of SOPA supporters on the website of chief SOPA backer Rep. Lamar Smith (R-TX). (GoDaddy was removed from this list after it was the victim of a successful boycott of the company.)

The Internet speaks

“This is the first time we’ve seen an Internet-based action,” Ohanian said yesterday. “There were no leaders of this movement.” But people from numerous political persuasions lined up in agreement that “this was terrible legislation that looked a lot more like lobbyist dollars at work. If you don’t believe this is an election issue already, it is already happening.” In fact, several “real life” protests and rallies are happening today in the streets of San Francisco, New York City, Seattle and perhaps other cities. 

Just because SOPA and PIPA have plenty of opponents doesn’t mean they can’t pass. The bills still have sizable support from music and movie industry groups. Former US Senator Chris Dodd, now CEO of the Motion Picture Association of America, fired off a press release yesterday calling the SOPA blackout “yet another gimmick, albeit a dangerous one, designed to punish elected and administration officials who are working diligently to protect American jobs from foreign criminals.”

If you’re among those who disagree with Dodd, what are your plans now that SOPA blackout day is upon us? If you have any interesting protest ideas, feel free to share them in the comments.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims’ friends and gaining remote access to corporate networks.

The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as “multi-component malware that infects Windows executable files, Microsoft Office files and HTML files” in order to steal “sensitive information such as saved FTP credentials and browser cookies.” Ramnit has previously been used to “bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks,” Seculert says.

Recently, Seculert set up a sinkhole and discovered that 800,000 machines were infected between September and December. Moreover, Seculert found that more than 45,000 Facebook login credentials, mostly in the UK and France, were stolen by a new variant of the worm.

“We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further,” Seculert said. “In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.”

Facebook fraud, of course, is nothing new. Facebook itself has acknowledged seeing 600,000 compromised logins each day, although that accounts for just 0.06 percent of the one billion Facebook logins each day.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.