Archive for the ‘privacy’ Category

File Under: privacy

Google’s New Privacy Policy: What Has Changed and What You Can Do About It

Today’s the day Google’s broad new privacy policy goes into effect. European regulators are claiming it violates data protection laws, but it’s here and it may be here to stay.

There are some not-completely-foolproof ways to hide from Google, but first let’s talk about what’s changed. Prior to today, Google had more than 70 privacy policies for its various products. But with the company trying to create a seamless experience across search, Gmail, Google+, Google Docs, Picasa, and much more, Google is consolidating the majority of its policies down into just one document covering most of its products. This will make it easier for Google to track users for the purpose of serving up personalized ads.

“The main change is for users with Google Accounts,” Google said at the time of its January announcement. “Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience.”

An example? Google search results can already bring up Google+ posts or photos that have been shared with the user. “But there’s so much more that Google can do to help you by sharing more of your information with … well, you,” Google said. “We can make search better—figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too. For example, it’s January, but maybe you’re not a gym person, so fitness ads aren’t that useful to you. We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends’ names, are accurate because you’ve typed them before.”

Today, Google’s official blog reminded users of the change, saying it had been the subject of “a fair amount of chatter and confusion.” 

The updated policy can be read online. It describes how Google collects device information, search queries, cellphone-related data and location information, and how it collects and stores information on users’ devices with the use of HTML5 technology, browser storage, application data caches, and cookies and other “anonymous identifiers.”

Before the changes, Google was “restricted in our ability to combine your YouTube and Search histories with other information in your account,” Google Privacy Director Alma Whitten wrote in the company blog. Now Google can provide a simpler, easier-to-understand privacy policy to users, and improve its products “in ways that help our users get the most from the web,” Whitten wrote.

Google recently promised to follow Do Not Track guidelines in an agreement with the White House, but those changes won’t take effect until sometime later in the year. With Google’s expanded ability to serve up personalized ads, the company makes certain privacy promises. For example, “when showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.”

The policy does not affect most business customers, meaning those who have a signed contract with Google to use Google Apps for Government, Business, or Education. Those of us with free accounts will be affected, and while there are ways to anonymize your Google usage, they’re not universally effective. Google’s privacy policy notes that “You may also set your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us.” However, Google was recently found to be serving up advertising cookies to users of Safari and Internet Explorer using methods that circumvent the browsers’ default privacy settings.

So what else can you do? Most browsers today have private surfing modes that you can select. You can visit Google’s “Data Liberation Front” website for instructions on exporting data out of Google products. The Electronic Frontier Foundation also has instructions on removing your Google search history from your account. However, even this is not as simple as it sounds. Disabling Web History in your Google account “will not prevent Google from gathering and storing this information and using it for internal purposes,” the EFF notes.

Google does hand over user data in response to government requests on a regular basis, as noted in the company’s Transparency Report. The EFF notes that disabling Web History “does not change the fact that any information gathered and stored by Google could be sought by law enforcement.”

If your account has Web History enabled, Google will keep the records indefinitely. “With it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented,” the EFF states.

For those who are really willing to put some work into staying anonymous, downloading a Tor client may be the right step. Tor encrypts your web traffic and sends it through a randomly selected series of computers, preventing shadowy third parties from learning what sites you visit or where you’re located. The Tor Project even played a role in helping Iranians get back online after a recent government crackdown on Internet usage.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: privacy

Secure Your Browser: Add-Ons to Stop Web Tracking

Ever wonder who’s tracking your online movements — watching the sites you visit, the links you click and the items you buy? Unless you’ve already taken active steps to stop the tracking, the answer is just about everyone.

Privacy advocates have been working to help raise awareness of the extent to which we are all tracked online. Browser makers like Mozilla have also been working to make consumers aware of what’s happening behind the scenes on the web. Mozilla created and popularized the Do Not Track header, which has now been adopted by all the major browsers. Firefox’s parent company also recently showed off its Collusion add-on as part of the TED 2012 conference.

Collusion is a Firefox add-on that helps you see exactly who is tracking your movements online. It doesn’t stop sites from tracking you, but after Collusion shows you what happens when you browse the web without any tracking protection, you’ll probably want to find something that can stop sites from tracking you.

Not all web tracking is bad. Some services rely on user data to function. For example, if you use Facebook and want to use the company’s ubiquitous Like buttons, Facebook needs to set cookies and keep track of who you are. The problem Mozilla wants to address with Collusion is the fact that most tracking happens without users’ knowledge or consent.

The screenshot below shows the number of websites Collusion found tracking me after I visited the top five most tracker-filled websites according to Privacy Score, namely The Drudge Report, El Paso Times, ReadWriteWeb, TwitPic and Merriam Webster. As a result of visiting just those five sites, according to Collusion, a total of 21 sites were made aware of my visit.

Collusion visualizes who's tracking your web browsing.

That sounds bad, and it is, but it may not even be the full picture. For comparison’s sake I loaded the same five sites and used the Do Not Track Plus add-on, which counted 47 sites with tracking bugs. Want another number? I repeated the test using the Ghostery add-on, which blocked 37 unique sites looking to track me. The variation in the number of tracking elements detected is due to several factors, including what each system considers tracking. (Collusion, for example, does not seem to count analytics or social buttons, while the others do.)

Even at the low end the numbers remain startling. Visiting five websites means somewhere between 21 and 47 other websites learn about your visit to those five.

If the extent of tracking bothers you there are some steps you can take to stop the tracking. The first would be to head to your browser preferences and turn off third-party cookies. Unfortunately, while that’s a step in the right direction (and you won’t lose any functionality the way you might with the rest of these solutions), some less scrupulous advertisers, including Google, have been caught circumventing this measure.

For a more complete solution you’ll need to use an add-on like Ghostery or Do Not Track Plus, both of which are available for most web browsers. The chief drawback to both of these solutions is that you may lose some functionality. To stick with the Facebook example used earlier, if Ghostery is blocking Facebook scripts then you won’t be able to use Like buttons. Fortunately both Ghostery and Do Not Track Plus allow you to customize which sites are blocked. I recommend blocking everything and then when you encounter something that isn’t working, click the Do Not Track Plus icon and edit the blocking options to allow, for example, Facebook so that Like buttons work (or Disqus so that comments work, etc.). That way you remain protected from the vast majority of invisible tracking, but can still enjoy the web services you choose to trust.

One final note about Webmonkey.com: There are 11 external scripts on this page. Four of them are for the social network buttons at the bottom of most posts. A fifth is for the Disqus comments system. There are also two analytics scripts, one from Google and one from Omniture. In addition to those seven functional scripts there are four ad network scripts from Brightcove, DoubleClick, Omniture and Lotame. (I can’t actually tell for sure what Lotame does, but it definitely collects data.) If you install the add-ons above, Webmonkey will not be able to track you. If you don’t, it, like the rest of the web, will.

File Under: Browsers, privacy

Google Tricks Internet Explorer into Accepting Tracking Cookies, Microsoft Claims

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled “Google bypassing user privacy settings” Microsoft’s IE Corporate Vice President Dean Hachamovitch states that “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Hachamovitch explains that IE’s default configuration blocks third-party cookies unless presented with a “P3P (Platform for Privacy Preferences Project) Compact Policy Statement” indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won’t be used for tracking. “By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked,” Microsoft said.

The text allegedly sent by Google actually reads “This is not a P3P policy” and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol “was not designed with situations like these in mind.”
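A header audit for the behavior described above, as an added example that is not code from Microsoft, Google or the original article: it extracts the CP value from a P3P response header and checks each token against the compact-policy vocabulary of the W3C P3P 1.0 specification. The sample headers, the `audit_p3p` name and the example.invalid URL are constructed for illustration.

```python
import re

# Compact-policy (CP) token vocabulary from the W3C P3P 1.0 specification.
# These tokens never carry a suffix.
PLAIN = set(
    "NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR NOR STP LEG BUS IND "
    "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST".split()
)
# Purpose and recipient tokens that may carry an a/i/o suffix
# (always required / opt-in / opt-out).
SUFFIXED = set(
    "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split()
)

# The P3P header looks like: policyref="...", CP="TOKEN TOKEN ..."
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_valid_token(tok):
    """True if tok is a defined compact-policy token (case-sensitive)."""
    if tok in PLAIN:
        return True
    return tok[:3] in SUFFIXED and tok[3:] in ("", "a", "i", "o")


def audit_p3p(header_value):
    """Classify the value of a P3P response header.

    Verdicts:
      missing     - no CP="..." field at all
      invalid     - a CP field with no defined tokens (free text, empty)
      mixed       - some defined tokens, some unknown ones
      well-formed - every token is defined
    """
    m = CP_RE.search(header_value)
    if m is None:
        return {"verdict": "missing", "valid": [], "invalid": []}
    tokens = m.group(1).split()
    valid = [t for t in tokens if is_valid_token(t)]
    invalid = [t for t in tokens if not is_valid_token(t)]
    if not valid:
        verdict = "invalid"
    elif invalid:
        verdict = "mixed"
    else:
        verdict = "well-formed"
    return {"verdict": verdict, "valid": valid, "invalid": invalid}


# Constructed sample headers (not captured traffic).
SAMPLES = {
    "free_text": 'CP="This is not a P3P policy. See https://example.invalid/p3p for more info."',
    "declared": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAa OUR IND COM NAV"',
    "typo": 'CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM HONK"',
    "no_cp": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, audit_p3p(header))
```

A "well-formed" verdict only means the tokens parse; it says nothing about whether the practices the site declares are true.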

Microsoft said it has contacted Google to ask the company to “commit to honoring P3P privacy settings for users of all browsers.” Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we’ll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer’s privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. “Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it,” Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft’s reliance on P3P forces outdated practices onto modern websites, and pointing to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that studied 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

“Microsoft uses a ‘self-declaration’ protocol (known as ‘P3P’) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form,” Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. “It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality.”

Facebook’s “Like” button, the ability to sign into websites using your Google account “and hundreds more modern web services” would be broken by Microsoft’s P3P policy, Google says. “It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality,” Whetstone said. “Today the Microsoft policy is widely non-operational.”

That 2010 research even calls out Microsoft’s own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that “Microsoft’s support website recommends the use of invalid CPs as a work-around for a problem in IE.”

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: privacy, Security, Social

Worm Steals 45,000 Facebook Login Credentials, Infects Victims’ Friends

A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims’ friends and gaining remote access to corporate networks.

The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as “multi-component malware that infects Windows executable files, Microsoft Office files and HTML files” in order to steal “sensitive information such as saved FTP credentials and browser cookies.” Ramnit has previously been used to “bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks,” Seculert says.

Recently, Seculert set up a sinkhole and discovered that 800,000 machines were infected between September and December. Moreover, Seculert found that more than 45,000 Facebook login credentials, mostly in the UK and France, were stolen by a new variant of the worm.

“We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further,” Seculert said. “In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.”

Facebook fraud, of course, is nothing new. Facebook itself has acknowledged seeing 600,000 compromised logins each day, although that accounts for just 0.06 percent of the one billion Facebook logins each day.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: privacy, Web Standards

W3C Releases New Web Privacy Standard

The World Wide Web Consortium (W3C) has released the first draft of a new web standard aimed at improving online privacy. The W3C’s new Standard for Online Privacy is a set of tools that will ultimately enable your browser to stop sites from tracking your every move on the web.

The first draft of the new privacy standard revolves around the “Do Not Track” (DNT) HTTP header originally introduced by Mozilla as a part of Firefox 4. The DNT header — a bit of code sent every time your browser talks to a web server — can be used to tell websites you don’t want to be tracked. The goal is to give you an easy way to opt out of often invasive tracking practices like behavioral advertising.

Behavioral advertising refers to the increasingly common practice of tracking your online behavior and using it to tailor ads to your habits. Advertisers use cookies to follow you around the web, tracking which sites you visit, what you buy and even, in the case of mobile browsers, where you go.

Some web browsers, including Internet Explorer and Chrome, offer an opt-out mechanism in the form of a cookie — add the cookie to your browser and participating sites won’t track your browsing. While the cookie-based approach is widely supported by advertisers, if you ever clear your browser’s cookies for any reason, your privacy settings are lost.

Mozilla’s original “Do Not Track” tool offered the same end result — broadcasting your privacy settings to advertisers’ servers — but instead of using a cookie, Mozilla’s DNT effort created a new HTTP header. The header offers a more robust and permanent solution than cookies and it’s easier for users to control via a simple browser preference.

Mozilla's basic overview of how the DNT header might work

Earlier this year Mozilla turned its DNT efforts over to the W3C where the Tracking Protection Working Group was formed. The working group thus far includes everyone from the major browser vendors to large websites like Google and Facebook. Consumer advocacy groups like Consumer Watchdog, the Electronic Frontier Foundation and even the U.S. Federal Trade Commission are also participating. This first draft of the new privacy standard is the group’s first public release.

The new spec goes quite a bit further than Mozilla’s original definition of DNT, including sections to define how the header is transmitted, what URI servers should use to respond and how websites are to comply with the preference. Obviously, because this is just the first draft there are still many gaps in the spec.

The new privacy spec is only a first draft, but that’s not the main problem currently stopping DNT from becoming a real-world way to protect your privacy. The real problem is the advertisers. While many are already on board with the new DNT standard, so far few actually obey it. Skeptics often argue that the DNT header won’t truly protect your privacy because there’s no way to force advertising sites to obey it. That is true, and there will no doubt always be some bad apples on the web, but the advertising industry has a surprisingly good track record of self-regulation. Much of that record no doubt stems from fear that, without some degree of self-regulation, governments will step in to impose their own regulation on behalf of consumers.

The W3C’s new privacy standard effort is a long way from finished, and, because it relies on the voluntary participation of advertisers, it will likely never completely protect your privacy. Still, it’s a stronger means of opting out than cookies. Moreover, the existence of an official DNT standard blessed by the W3C just might convince more advertisers to support the initiative.

[Footprints photo by Vinoth Chandar/Flickr/CC]
