All posts tagged ‘privacy’

File Under: Browsers, privacy

Google Tricks Internet Explorer into Accepting Tracking Cookies, Microsoft Claims

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled “Google bypassing user privacy settings” Microsoft’s IE Corporate Vice President Dean Hachamovitch states that “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Hachamovitch explains that IE’s default configuration blocks third-party cookies unless presented with a “P3P (Platform for Privacy Preferences Project) Compact Policy Statement” indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won’t be used for tracking. “By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked,” Microsoft said.

The text allegedly sent by Google actually reads “This is not a P3P policy” and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol “was not designed with situations like these in mind.”
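A syntactic audit of the kind of header described above, as an added example that is not code from the article, Microsoft or Google: it checks a P3P header's compact policy against the token vocabulary of the W3C P3P 1.0 specification. The sample headers are constructed, the link is a placeholder, and the rule that a usable policy names a purpose, recipient and retention token is this example's assumption.

```python
import re

# Compact-policy (CP) tokens from the W3C P3P 1.0 specification, by element.
GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "other": {"DSP", "COR", "MON", "LAW", "NID", "TST"},
}
# Assumption of this example: a usable CP names at least these elements.
REQUIRED = ("purpose", "recipient", "retention")


def classify(token):
    """Return the element a token belongs to, or None if it is not a CP token."""
    base, suffix = token[:3], token[3:]
    for group, names in GROUPS.items():
        if base in names:
            # Only purpose/recipient tokens (except CUR and OUR) may carry
            # an a/i/o consent suffix.
            consent = (group in ("purpose", "recipient")
                       and base not in ("CUR", "OUR") and suffix in ("a", "i", "o"))
            if not suffix or consent:
                return group
    return None


def audit_p3p(header_value):
    """Audit the value of a P3P response header and return the findings."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if match is None:
        return {"verdict": "no-cp", "unrecognized": [], "missing": list(REQUIRED)}
    tokens = match.group(1).split()
    groups = [classify(t) for t in tokens]
    unrecognized = [t for t, g in zip(tokens, groups) if g is None]
    missing = [r for r in REQUIRED if r not in groups]
    verdict = ("invalid" if unrecognized or not tokens
               else "incomplete" if missing else "well-formed")
    return {"verdict": verdict, "unrecognized": unrecognized, "missing": missing}


# Constructed sample headers; the URL is a placeholder, not the real link.
PLACEHOLDER = 'CP="This is not a P3P policy! See https://example.invalid/p3p for more info."'
WELL_FORMED = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa DEVa OUR NOR UNI"'
```

A "well-formed" verdict is purely syntactic: it says nothing about whether the practices the tokens declare are true.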

Microsoft said it has contacted Google to ask the company to “commit to honoring P3P privacy settings for users of all browsers.” Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we’ll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer’s privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. “Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it,” Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft’s reliance on P3P forces outdated practices onto modern websites and pointing to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that examined 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

“Microsoft uses a ‘self-declaration’ protocol (known as ‘P3P’) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form,” Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. “It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality.”

Facebook’s “Like” button, the ability to sign into websites using your Google account “and hundreds more modern web services” would be broken by Microsoft’s P3P policy, Google says. “It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality,” Whetstone said. “Today the Microsoft policy is widely non-operational.”

That 2010 research even calls out Microsoft’s own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that “Microsoft’s support website recommends the use of invalid CPs as a work-around for a problem in IE.”

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: privacy

Flickr’s New ‘Geofence’ Settings Protect Your Geoprivacy

Fencing in the range with Flickr's new Geofence features

The popular photo sharing website Flickr has introduced a new way to geotag your photos without revealing your location to the entire web. Flickr’s new “Geofence” settings give users more granular control over their geotagged photos.

Perhaps the best part of the new Geofence features is how dead simple they are to use: draw a circle on a map, choose a geoprivacy setting for that area, and you’re done. Your new fence will apply to any future photo uploads and Flickr will offer to update the privacy settings on any existing images that fall within your new fence.

To get started head over to the Flickr Geo privacy page.

These days geotagging isn’t just something for nerds. In fact, chances are your camera (especially the camera in your phone) is recording location data in your images whether you know it or not. Like other location-aware services, geotagged photos are fast becoming a big part of the current cultural debate about who should be able to see which parts of your life on the web.

“A few years ago, privacy controls like this would have been overkill. Geo data was new and underused, and the answer to privacy concerns was often, ‘you upload it, you deal with it,’” writes Flickr developer Trevor Hartsell on the code.flickr blog. “But today, physical places are important to how we use the web. Sometimes you want everyone to know exactly where you took a photo. And sometimes you don’t.”

Previously, Flickr limited its geotagging options to a simple yes or no — either you shared location data with everyone or no one. Now you can share location data with only those people you trust. For example, you might leave the geodata for your vacation photos visible to everyone, but limit the location data of photos around your house to only your friends and family.

In those cases where there might be overlap between two geofences Flickr will default to the more restrictive of the two. For example, if you draw a circle around your house and limit it to the most restrictive group, “Family,” and then draw a circle around your whole neighborhood and limit that to “Friends,” any areas where the two overlap will still be limited to only the Family group.
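The overlap rule above, sketched as an added example that is not Flickr's code: each fence is a circle with an audience, a photo gets the most restrictive audience among the fences that contain it, and existing photos that would tighten are listed. The fence and photo records are constructed; the numeric ranking, the "everyone" default and reporting only changes that tighten a setting are assumptions of this example.

```python
from math import asin, cos, radians, sin, sqrt

# Audience names come from the article; their ranking (higher = more
# restrictive) and the "everyone" default are assumptions of this example.
RANK = {"everyone": 0, "friends": 1, "family": 2}
EARTH_RADIUS_M = 6_371_000


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in metres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def geo_audience(lat, lon, fences, default="everyone"):
    """Most restrictive audience among the fences containing the point."""
    hits = [f["audience"] for f in fences
            if distance_m(lat, lon, f["lat"], f["lon"]) <= f["radius_m"]]
    return max(hits, key=RANK.__getitem__, default=default)


def photos_to_tighten(photos, fences):
    """Existing photos whose current setting is looser than the fences allow."""
    changes = []
    for p in photos:
        wanted = geo_audience(p["lat"], p["lon"], fences, default=p["audience"])
        if RANK[wanted] > RANK[p["audience"]]:
            changes.append((p["id"], p["audience"], wanted))
    return changes


# Constructed sample data: a 200 m "home" fence inside a 2 km neighbourhood fence.
FENCES = [
    {"lat": 37.7600, "lon": -122.4400, "radius_m": 200, "audience": "family"},
    {"lat": 37.7600, "lon": -122.4400, "radius_m": 2000, "audience": "friends"},
]
PHOTOS = [
    {"id": "porch", "lat": 37.7605, "lon": -122.4400, "audience": "everyone"},
    {"id": "park", "lat": 37.7700, "lon": -122.4400, "audience": "friends"},
    {"id": "trip", "lat": 37.8000, "lon": -122.4400, "audience": "everyone"},
]
```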

Flickr’s new Geofence settings are among the best implemented privacy controls we’ve seen, striking a nearly perfect balance between genuine control and simplicity. And while we’re glad to see Flickr taking the lead, here’s hoping Facebook and others will copy these features into their own privacy controls.


File Under: Identity, privacy

Mozilla’s ‘Do Not Track’ Header Is Starting to Catch on With Advertisers

Among the many new features in Firefox 4 is support for the Do Not Track (DNT) HTTP header. If you turn on the DNT header in Firefox 4’s preferences pane, the browser will broadcast a custom header in HTTP requests which tells servers you want to opt out of any tracking cookies.

Mozilla developed the DNT header to give users an easier way to opt out of increasingly intrusive online tracking by websites and advertisers. The header is, in the long run, a far better solution than constantly updating cookie-based block lists, which is currently the main solution for most users.

The problem with the DNT header is that, until now, no websites actually looked for it.

That, however, is changing. Mozilla announced today that the AP News Registry has implemented support for the DNT header across 800 news sites, which see more than 175 million unique visitors every month. That’s a huge shot in the arm for Do Not Track, which was previously a great idea, but one with little real world application.

Starting today, provided you turn on the DNT preference in Firefox 4, the AP News Registry will no longer set any cookies.

Mozilla also reports that it is in talks with the Digital Advertising Alliance to get the self-regulating group to support the DNT header as well. Strange though it may sound, the online ad industry actually has a decent track record of working with privacy advocates and even offers its own cookie-based opt out list. In other words, there is a good chance that DNT will be broadly adopted within the online ad industry.

While the DNT header seems well on its way to becoming a de facto standard (and a real standard, provided the W3C accepts it), it’s important to bear in mind that it will never stop rogue advertisers who choose to ignore your DNT settings. For the bad apples in the bunch, cookie-based blocking will remain the only viable option.
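What honoring the header can look like on the server side, as an added example that is not code from Mozilla or the AP News Registry: a WSGI middleware that drops Set-Cookie headers from responses to requests carrying `DNT: 1`. The `essential` allowlist, the demo application and its cookie names are hypothetical.

```python
from http.cookies import SimpleCookie


class HonorDNT:
    """WSGI middleware: drop Set-Cookie headers when the request carries DNT: 1."""

    def __init__(self, app, essential=()):
        self.app = app
        # Hypothetical allowlist: cookie names (e.g. a session id) still sent.
        self.essential = set(essential)

    def _keep(self, name, value):
        if name.lower() != "set-cookie":
            return True
        cookie = SimpleCookie()
        cookie.load(value)
        # Unparseable cookies are dropped rather than passed through.
        return bool(cookie) and all(k in self.essential for k in cookie)

    def __call__(self, environ, start_response):
        # WSGI exposes the "DNT" request header as HTTP_DNT.
        if environ.get("HTTP_DNT", "").strip() != "1":
            return self.app(environ, start_response)

        def filtered_start(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers if self._keep(n, v)]
            # Responses now differ by DNT, so shared caches must key on it.
            kept.append(("Vary", "DNT"))
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Constructed sample application that sets a session and a tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly"),
        ("Set-Cookie", "visitor_id=42; Max-Age=31536000"),
    ])
    return [b"ok"]


def response_headers(app, dnt=None):
    """Send one constructed request through `app`; return its response headers."""
    captured = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    app(environ, lambda status, headers, exc_info=None: captured.extend(headers))
    return captured
```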

Footprints photo by Vinoth Chandar/Flickr/CC


File Under: Browsers, Identity

Firefox 4 Beta 11 Offers ‘Do Not Track’ Privacy Setting

Firefox 4 goes to eleven. Mozilla has released an eleventh beta of Firefox 4, the next major version of the browser. Beta 11 includes the usual bug fixes and speed improvements, but it also has a new feature — the “Do Not Track” setting Mozilla is hoping will become a standard.

If you’re already using Firefox 4 you should be automatically updated. If you’d like to help Mozilla test Firefox 4, head over to the beta downloads page and grab a copy of beta 11.

The Do Not Track feature is a new HTTP header that will stop behavioral advertising tools from tracking where you go on the web. To turn on the new feature just check the box under the Advanced tab in Firefox 4’s preferences.

For now all you’ll be doing is broadcasting the new header information; it won’t actually have any effect. Because no online advertisers yet support the header, the new feature won’t protect your privacy. However, some of the biggest names on internet advertising already voluntarily offer a cookie-based opt-out system and it seems likely that, with Mozilla behind the new header, the same companies will support the new option eventually.

Mozilla is planning to release at least one more beta and then a round of release candidates before Firefox 4 is finalized later this year.


File Under: Browsers, Identity

‘Do Not Track’ Tools Land in Firefox Nightly Builds

Mozilla is wasting no time putting its proposed “Do Not Track” HTTP header onto the web. The latest Firefox nightly builds now include support for the new header and it may even make the final release of Firefox 4, due later this month. The new HTTP header, which Mozilla announced last week, is designed to tell online advertisers to stop tracking your web browsing habits.

If you’d like to see how Mozilla has implemented the header, grab the latest Firefox nightly build. There have been a few changes since Mozilla first announced its plan, including renaming the header to simply “DNT.”

To turn the header on, open Firefox’s preferences panel and select the Advanced tab (eventually Mozilla will add the option to the more appropriate Privacy tab). There you’ll see a new option to “Tell websites I do not want to be tracked.” Of course even if you turn the header on today and broadcast “DNT: 1” to the web, it won’t do anything.

For the header to actually protect your privacy, websites and online advertisers will have to support it. While there’s plenty of debate as to whether they ever will, it definitely won’t happen until the feature is widely available. Mozilla is hoping that including the new header in Firefox 4 will spur advertisers to support it.

For now, broadcasting “DNT: 1” will be, as Alexander Fowler, the Global Privacy and Public Policy Leader at Mozilla, puts it, “akin to displaying EFF’s Blue Ribbon campaign.”

The current plan is to test the privacy header in the next beta release of Firefox 4 and then, assuming there are no bugs, roll it out with the final release of Firefox 4 later this month.
