I’m Being Followed: How Google—and 104 Other Companies—Are Tracking Me on the Web is a voyage into the invisible business that funds the web. Who are these companies and what do they want from me? Even if you’re generally familiar with the idea of data collection for targeted advertising, the number and variety of these data collectors will probably astonish you. Right now, a huge chunk of what you’ve ever looked at on the Internet is sitting in databases all across the world.
Many different companies want to know as much about me and what’s on my screen as they possibly can, although they have different reasons for their interest. To be clear, these companies gather data without attaching it to your name (most of the companies do not know names of the people they are following); they use that data to show you ads you’re statistically more likely to click. That’s the game, and there is substantial money in it. Some of the best minds of my generation are thinking about how to make people click ads (think for example how many highly talented people Google has). The online advertising industry argues that technology is changing so rapidly that regulation is not the answer to queasiness about all that data going off to who-knows-where.
The bad news is that people haven’t taken control of the data that’s being collected and traded about them. At the moment there is a fascinating scrum over what “Do Not Track” tools should do and what orders websites will have to respect from users. Do Not Track signals a user’s opt-out preference with an HTTP header. Several large third parties have already committed to honor Do Not Track, but many more have been recalcitrant.
It’s now time for us to watch the watchers. Track Who’s Tracking You With Mozilla Collusion. Collusion is a Firefox browser add-on that lets you track who’s tracking you across the web for behavioral targeting purposes. There is a demonstration put up at collusion.toolness.org, which takes you through five popular websites and visualizes the data collection companies that track you across them. From there, you can download the add-on if you want to see the tracking visualization of your own browsing behavior evolve in real-time.
Collusion looks to offer more transparency to users by creating a visualization of how your data is being spread to different companies as you navigate the web. Each time it detects data being sent to a behavioral tracker, it creates a red (advertisers), grey (websites) or blue dot on the visualization and shows the links between the sites you visit and the trackers they work with. Mozilla has created an online demo to show just how quickly your data ends up in the hands of dozens of different companies as you move on popular web popular sites.
If you need the source code, it’s all at github.com/toolness/collusion. For some more details take a look at Toolness Blog posting on Collusion. This is an interesting experiment to track on who is tracking you. Collusion is about alerting users to tracking that’s happening without their consent. Very interesting! The more access to metrics the better.
240 Comments
Tomi Engdahl says:
Internet Explorer Data Leakage
http://spider.io/blog/2012/12/internet-explorer-data-leakage/
On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.
Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.
The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.
A demonstration of the security vulnerability may be seen
Tomi Engdahl says:
Possible IE bug would let hackers track mouse moves
http://news.cnet.com/8301-1009_3-57559135-83/possible-ie-bug-would-let-hackers-track-mouse-moves/
Microsoft is investigating a researcher’s assertion that all versions of the Web browser are vulnerable to a flaw that allows attackers to track cursor movements on the screen, even if the browser window isn’t in use.
The alleged flaw, which security firm Spider.io says it discovered a few months ago, compromises the security of virtual keyboards and virtual keypads in all supported versions of the browser since IE6, the security firm reports.
“As long as the page with the exploitative advertiser’s ad stays open — even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer — your mouse cursor can be tracked across your entire display,” the security firm said in a statement.
Even the security-conscious are at risk of having their cursor movements recorded, Spider.io warned. “An attacker can get access to your mouse movements simply by buying a display ad slot on any Web page you visit,” the security firm warned, adding that any site from YouTube to The New York Times would be a possible attack vector due to ad exchange activity.
At least two display ad analytics companies are exploiting the suspected vulnerability to see what people are looking at online, Spider.io said.
Tomi Engdahl says:
How much money are you really worth to that lead gen site? More than you think.
http://www.itworld.com/print/328125
In Part II of this series, TY4NS dives into the murky waters of Web lead generators and reveals who’s behind all those spammy infographics.
What is each lead worth to these guys? More than you might think. Just by filling out a form and agreeing to receive calls, I put $50 into the pocket of whatever site was referring me, says a source within the industry who asked to remain anonymous. Had I stayed on the line and been transferred to the closer, I might have been worth from $75 to $250, depending on the type of degree I was pursuing and other factors, says Tom Ferrara, publisher of ForProfitEdu.com and CEO/co-founder of Edufficient, a consulting firm that hopes to increase transparency and ethical behavior in educational lead gen.
The routine at OnlineSchools.com is nearly identical to what I experienced at OnlineSchools.org. You fill out a series of forms for different schools, and then your phone starts ringing and doesn’t stop. OnlineSchools.com also cranks out its share of SEO-enhancing infographics, and like its .org competitor, it masks its DNS listing.
Aftermath: Security trends 2012 « Tomi Engdahl’s ePanorama blog says:
[...] details have surfaced. Application surveillance based on advertisements has got attention. Check my How I’m Being Followed on Web [...]
Tomi Engdahl says:
Ad Blocking Raises Alarm Among Firms Like Google
http://www.nytimes.com/2013/01/07/technology/ad-blocking-raises-alarm-among-firms-like-google.html?pagewanted=all&_r=0
Xavier Niel, the French technology entrepreneur, has made a career of disrupting the status quo.
Now, he has dared to take on Google and other online advertisers in a battle that puts the Web companies under pressure to use the wealth generated by the ads to help pay for the network pipelines that deliver the content.
Mr. Niel’s telecommunications company, Free, which has an estimated 5.2 million Internet-access users in France, began last week to enable its customers to block Web advertising. The company is updating users’ software with an ad-blocking feature as the default setting.
That move has raised alarm among companies that, like Google, have based their entire business models on providing free content to consumers by festooning Web pages with paid advertisements.
No Internet access provider “has the right to decide in place of its citizens what they access or not on the Internet,” Spiil, an association of French online news publishers, said in a statement Friday.
Free is the second-largest Internet access provider in France, behind Orange, which is operated by France Telecom and has 9.8 million Internet customers.
Free’s ad-blocking campaign began last week when it rolled out a new generation of hardware and software that enables users to block Web advertising. Free has set the ad-blocking software as the default option.
On Atlantico, an online news site, Mr. Fontana wrote: “Numerous Web sites, and particularly the online press, have worked out a moral contract with their readers: You get valuable information, we don’t make you pay, because the advertisers pay for you.”
Tomi Engdahl says:
U.S. Spy Law Authorizes Mass Surveillance of European Citizens: Report
http://www.slate.com/blogs/future_tense/2013/01/08/fisa_renewal_report_suggests_spy_law_allows_mass_surveillance_of_european.html
Europeans, take note: The U.S. government has granted itself authority to secretly snoop on you.
That’s according to a new report produced for the European Parliament, which has warned that a U.S. spy law renewed late last year authorizes “purely political surveillance on foreigners’ data” if it is stored using U.S. cloud services like those provided by Google, Microsoft and Facebook.
Europeans were previously alarmed by the fact that the PATRIOT Act could be used to obtain data on citizens outside the United States. But this time the focus is a different law—the Foreign Intelligence and Surveillance Amendments Act—which poses a “much graver risk to EU data sovereignty than other laws hitherto considered by EU policy-makers,”
The FISA Amendments Act was introduced in 2008, retroactively legalizing a controversial “warrantless wiretapping” program initiated following 9/11 by the Bush administration.
Most countries’ spy agencies routinely monitor real-time communications like emails and phone calls of groups under suspicion on national security grounds. However, what makes FISA different is that it explicitly authorizes the targeting of real-time communications and dormant cloud data linked to “foreign-based political organizations”—not just suspected terrorists or foreign government agents. Bowden says FISA is effectively “a carte blanche for anything that furthers U.S. foreign policy interests” and legalizes the monitoring of European journalists, activists, and politicians who are engaged in any issue in which the United States has a stake.
U.S. officials, perhaps unsurprisingly, have continually rejected claims of mass snooping on Europeans.
Tomi Engdahl says:
Nokia Admits Decrypting User Data But Denies Man-in-the-Middle Attacks
http://www.techweekeurope.co.uk/news/nokia-decrypting-traffic-man-in-the-middle-attacks-103799
Nokia says it does decrypt some customer information over HTTPS traffic, but isn’t spying on people
Nokia has rejected claims it might be spying on users’ encrypted Internet traffic, but admitted it is intercepting and temporarily decrypting HTTPS connections for the benefit of customers.
A security professional alleged Nokia was carrying out so-called man-in-the-middle attacks on its own users. Gaurang Pandya, currently infrastructure security architect at Unisys Global Services India, said in December he saw traffic being diverted from his Nokia Asha phone through to Nokia-owned proxy servers.
Pandya wanted to know if SSL-protected traffic was being diverted through Nokia servers too. Yesterday, in a blog post, Pandya said Nokia was intercepting HTTPS traffic and could have been snooping on users’ content, as he had determined by looking at DNS requests and SSL certificates using Nokia’s mobile browser.
Nokia said it was diverting user connections through its own proxy servers as part of the traffic compression feature of its browser, designed to make services speedier. It was not looking at any encrypted content, even though it did temporarily decrypt some information. This could still be defined as a man-in-the-middle attack, although Nokia says no data is being viewed by its staff.
“The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans,” a spokesperson said, in an email sent to TechWeekEurope.
Tomi Engdahl says:
EU privacy laws to spell an end to Facebook for free?
http://www.zdnet.com/end-to-free-facebook-if-proposed-eu-privacy-laws-are-passed-7000009651/
Summary: A lawyer has warned that proposed EU privacy laws would make Facebook and other ad-supported online services unsustainable if they make it into law.
Facebook, Gmail and other ad-supported online services would need to start charging users if proposed changes to EU data protection laws go ahead, a legal expert has warned.
Tomi says:
Dept. of Homeland Security Forced to Release List of Keywords Used to Monitor Social Networking Sites
http://www.forbes.com/sites/reuvencohen/2012/05/26/department-of-homeland-security-forced-to-release-list-of-keywords-used-to-monitor-social-networking-sites/
If you are thinking about tweeting about clouds, pork, exercise or even Mexico, think again. Doing so may result in a closer look by the U.S. Department of Homeland Security.
The list was posted by the Electronic Privacy Information Center who filed a request under the Freedom of Information Act, before suing to obtain the release of the documents.
The information sheds new light on how government analysts are instructed to patrol the internet searching for domestic and external threats.
What wasn’t disclosed is how the agency actually gains access to the various search engines and social networks to monitor the specified keywords. My guess is the DHS has a “special arrangement” with companies like Google, Facebook, Microsoft, Yahoo and Twitter to gain secure direct API access.
Tomi Engdahl says:
I conceal my identity the same way Aaron was indicted for
http://erratasec.blogspot.fi/2013/01/i-conceal-my-identity-same-way-aaron.html
Tomi Engdahl says:
Have a Wi-Fi-Enabled Phone? Stores Are Tracking You
http://yro.slashdot.org/story/13/01/22/2216224/have-a-wi-fi-enabled-phone-stores-are-tracking-you
“Call it Google Analytics for physical storefronts: if you’ve got a phone with wi-fi, stores can detect your MAC address and track your comings and goings, determining which aisles you go to and whether you’re a repeat customer. “
Tomi Engdahl says:
Google Transparency Report: What it takes for governments to access personal information
http://googleblog.blogspot.fi/2013/01/transparency-report-what-it-takes-for.html
Tomi Engdahl says:
Google Tells Cops to Get Warrants for User E-Mail, Cloud Data
http://www.wired.com/threatlevel/2013/01/google-says-get-a-warrant/
Google demands probable-cause, court-issued warrants to divulge the contents of Gmail and other cloud-stored documents to authorities in the United States — a startling revelation Wednesday that runs counter to federal law that does not always demand warrants.
It was not immediately known whether other ISPs are traveling Google’s path when it comes to demanding probable-cause warrants for all stored content. But Google can seemingly grant more privacy than the four corners of the law allows because there’s been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days. The Supreme Court has never weighed in on the topic — and the authorities are seemingly abiding by Google’s rules to avoid a high court showdown.
Tomi Engdahl says:
Google faces legal action over alleged secret iPhone tracking
http://www.guardian.co.uk/uk/2013/jan/27/google-legal-action-secret-iphone-tracking
10 million UK iPhone users could have grounds to sue Google after it sidestepped Apple security settings to monitor web habits
Google is facing a fresh privacy battle in the UK over its alleged secret tracking of the internet habits of millions of iPhone users.
An estimated 10 million Britons could have grounds to launch a privacy claim over the way Google circumvented Apple’s security settings on the iPhone, iPad and desktop versions of its Safari web browser to monitor their behaviour.
“It is particularly concerning how Google circumvented security settings to snoop on its users. One of the things about Google is that it is so ubiquitous in our lives and if that’s its approach then it’s quite concerning.”
Google is no stranger to damaging privacy battles, having being censured for snooping on Wi-Fi users with its StreetView cars and the failed launch of its email social network, Google Buzz.
Tomi Engdahl says:
Google, Microsoft, Yahoo, and Facebook say they require warrants to give over private content
http://www.theverge.com/2013/1/26/3917684/google-microsoft-yahoo-facebook-require-warrants-private-content
While the policies are somewhat reassuring, they don’t have the full force of the law yet
“If they come for registration information, that’s one thing, but if they ask for content of e-mail, that’s another thing.”
Tomi Engdahl says:
Google stands up for Gmail users, requires cops to get a warrant
As e-mail privacy laws stall in Congress, Google pushes for stronger standard.
http://arstechnica.com/tech-policy/2013/01/google-stands-up-for-gmail-users-requires-cops-to-get-a-warrant/
The United States remains far ahead of all governments who request user information from Google, according to the company’s latest Transparency Report (July through December 2012) which was released on Wednesday.
American government agencies (including federal, state, and local authorities) made over 8,400 requests for nearly 15,000 accounts—far exceeding India, the next largest country in terms of information requests. In 88 percent of those queries, Google complied with at least some, if not all, of the requests.
“In order to compel us to produce content in Gmail we require an ECPA search warrant,” said Chris Gaither, Google spokesperson. “If they come for registration information, that’s one thing, but if they ask for content of e-mail, that’s another thing.”
Currently, law enforcement agencies have a fairly wide latitude when it comes to accessing users’ e-mail.
As Ars’ own Tim Lee wrote in November, “ECPA requires a warrant to obtain freshly sent e-mail before it’s been opened by the recipient. But once an e-mail has been opened, or once it has been sitting in the recipient’s e-mail box for 180 days, a lower standard applies. These rules simply don’t line up with the way modern e-mail systems work.”
Tomi Engdahl says:
Facebook to label ads that follow you around the Web
http://news.cnet.com/8301-1023_3-57567556-93/facebook-to-label-ads-that-follow-you-around-the-web/?part=rss&subj=news&tag=title
If you start to notice a little blue icon near ads on your Facebook page — it means that an advertiser is tracking your every click.
Facebook advertisers will soon label and identify which ads use information from outside Facebook to target you — at least, if they choose to.
The blue “AdChoices” — developed by a coalition of advertisers and marketers specifically to show consumers when they are looking at targeted ads using third-party information — will make its appearance after months of complaints from ad agencies and advertisers, AdAge reported today.
Tomi Engdahl says:
Facebook Is Said to Create Mobile Location-Tracking App
http://www.bloomberg.com/news/2013-02-04/facebook-is-said-to-create-mobile-location-tracking-app.html
Facebook Inc. (FB) is developing a smartphone application that will track the location of users, two people with knowledge of the matter said, bolstering efforts to benefit from growing use of social media on mobile computers.
The app, scheduled for release by mid-March, is designed to help users find nearby friends and would run even when the program isn’t open on a handset, said one of the people, who asked not to be identified because the plans aren’t public.
Facebook is adding features to help it profit from the surging portion of its more than 1 billion users who access the service via handheld devices.
Regulators in the U.S. and Europe have already scrutinized Menlo Park, California-based Facebook amid concerns that it doesn’t do enough to keep data private. Apple Inc. and Google Inc. have similar tools for continuously keeping tabs on user whereabouts.
Tomi Engdahl says:
Software that tracks people on social media created by defence firm
http://www.guardian.co.uk/world/2013/feb/10/software-tracks-social-media-defence
Exclusive: Raytheon’s Riot program mines social network data like a ‘Google for spies’, drawing ire from civil rights groups
A multinational security firm has secretly developed software capable of tracking people’s movements and predicting future behaviour by mining data from social networking websites.
A video obtained by the Guardian reveals how an “extreme-scale analytics” system created by Raytheon, the world’s fifth largest defence contractor, can gather vast amounts of information about people from websites including Facebook, Twitter and Foursquare.
Raytheon says it has not sold the software – named Riot, or Rapid Information Overlay Technology – to any clients.
But the Massachusetts-based company has acknowledged the technology was shared with US government and industry as part of a joint research and development effort, in 2010, to help build a national security system capable of analysing “trillions of entities” from cyberspace.
Riot pulls out this information, showing not only the photographs posted onto social networks by individuals, but also the location at which the photographs were taken.
“We’re going to track one of our own employees,”
“We know where Nick’s going, we know what Nick looks like,” Urch explains, “now we want to try to predict where he may be in the future.”
The video shows that Nick, who posts his location regularly on Foursquare, visits a gym frequently at 6am early each week. Urch quips: “So if you ever did want to try to get hold of Nick, or maybe get hold of his laptop, you might want to visit the gym at 6am on a Monday.”
Mining from public websites for law enforcement is considered legal in most countries.
However, Ginger McCall, an attorney at the Washington-based Electronic Privacy Information Centre, said the Raytheon technology raised concerns about how troves of user data could be covertly collected without oversight or regulation.
“Social networking sites are often not transparent about what information is shared and how it is shared,” McCall said. “Users may be posting information that they believe will be viewed only by their friends, but instead, it is being viewed by government officials or pulled in by data collection services like the Riot search.”
Tomi Engdahl says:
Do Not Track Ineffective and Dangerous, Says Researcher
http://yro.slashdot.org/story/13/02/13/2335219/do-not-track-ineffective-and-dangerous-says-researcher
“Nadim Kobeissi, security researcher, describes the Do Not Track standard of the W3C as dangerous. ‘In fact, Google’s search engine, as well as Microsoft’s (Bing), both ignore the Do Not Track header even though both companies helped implement this feature into their web browsers.”
Tomi Engdahl says:
“Do Not Track” Dangerous and Ineffective
http://log.nadim.cc/?p=112
Do Not Track is supposed to prevent websites from tracking your activity online, probably for advertising purposes. It works by making your browser politely ask every website you visit to not set tracking cookies and so on.
There are real, dangerous problems with this approach and I really cannot believe it was ever taken seriously. Now that it’s implemented and standardized so widely, it’s become a serious threat to how Internet privacy is perceived.
The main problem with Do Not Track is that it lulls users into a completely false sense of privacy. Do Not Track works by simply asking the websites you’re visiting not to track you — the websites are completely free to ignore this request, and in most cases it’s impossible for the user to find out that their Do Not Track request was in fact discarded. When the user therefore enables Do Not Track on their browser, they are lulled into a false belief that they are no longer being tracked, even though from a security perspective, the tracking prevention that Do Not Track presents is useless.
In fact, Google’s search engine, as well as Microsoft’s (Bing), both ignore the Do Not Track header even though both companies helped implement this feature into their web browsers.
Do Not Track needs serious revision, replacement or simply removal. As it is right now, its only discernible function is to promise users with little to moderate computer knowledge (most of the world) that they’re browsing in privacy, while in reality discouraging them from adopting real privacy solutions that work. Web privacy and security engineers need to have a discussion about this.
Tomi Engdahl says:
Woman nails ‘cheating boyf’ on Russian ‘Street View’
http://www.theregister.co.uk/2013/02/22/perm_panorama
A Russian woman has ditched her boyfriend of five years after spotting him with another squeeze on the local equivalent of Street View.
Yandex doesn’t, unlike Google, have a policy of blurring faces. The company’s Catherine Karnaukhova explained: “Showing people in panoramas isn’t against Russian law, since they’re not the main subject of the image.
“However, if someone objects to a particular image, they can request its removal.”
Tomi Engdahl says:
“Six Strikes” Anti-Piracy Scheme Starts Monday
http://torrentfreak.com/six-strikes-anti-piracy-scheme-starts-monday-130223/
The much-discussed U.S. six strikes anti-piracy scheme is expected to go live on Monday. The start date hasn’t been announced officially by the CCI but a source close to the scheme confirmed the plans. During the coming months millions of BitTorrent users will be actively monitored by copyright holders. After repeated warnings, Internet subscribers risk a heavy reduction in download speeds and temporary browsing restrictions.
Tomi Engdahl says:
Firefox to follow Safari, start blocking cookies from third-party advertisers
http://www.theverge.com/2013/2/23/4023078/firefox-to-start-blocking-cookies-from-third-party-advertisers
Firefox is set to start blocking cookies from third-party ad networks by default, thanks to a patch submitted by Stanford law student and online privacy activist Jonathan Mayer. The patch is slated for distribution in release 22 of the popular browser, and mimics the behavior of Apple’s Safari, allowing sites that you’ve actually visited (first parties) to set cookies on your system, but blocking cookies from third parties like advertising networks unless they already have one on your machine.
Firefox already supports the Do Not Track header, which has the effect of asking advertisers not to track your browsing around the web, but Mayer’s patch goes a step further, adding a default setting that refuses unwelcome third-party cookies altogether.
Tomi Engdahl says:
Facebook searches are saved insidiously
Facebook’s privacy settings has been discussed a lot lately. Debate has taken place as a timeline, pictures of publicity as the new search facility issues involved.
F-Secure revealed on his blog on Thursday, again a strange detail of community service: a personal search history is stored in an insidious rather well hidden log file.
Personal search history can be deleted, as long as it is the patience to dig out.
Source: http://www.iltalehti.fi/digi/2013013116622072_du.shtml
Tomi Engdahl says:
Facebook’s Graph Search: Clear Your Searches
http://www.f-secure.com/weblog/archives/00002493.html
Tomi Engdahl says:
The New Firefox Cookie Policy
http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
The default Firefox cookie policy will, beginning with release 22, more closely reflect user privacy preferences. This mini-FAQ addresses some of the questions that I’ve received from Mozillans, web developers, and users.
How does the new Firefox cookie policy work?
Roughly: Only websites that you actually visit can use cookies to track you across the web.
More precisely: If content has a first-party origin,1 nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.
Tomi Engdahl says:
Apple Rejecting Apps Using Cookie-Tracking Methods, Signaling Push To Its Own Ad Identifier Technology Is Now Underway
http://techcrunch.com/2013/02/25/apple-rejecting-apps-using-cookie-tracking-methods-signaling-push-to-its-own-ad-identifier-technology-is-now-underway/
Mobile app developers using a technology called “cookie tracking” (sometimes called “Safari flip-flop” or “HTML5 first party cookies”) are starting to have their apps rejected by Apple’s App Review team, we’ve heard from a few different industry sources.
With this method in place, Safari is opened upon first launch in order to read a cookie that may exist from a user’s past interactions with ads.
In terms of the user experience, it’s not ideal, but it is one that some app makers are utilizing as an alternative to the deprecated UDID – the unique device identifier that Apple first announced plans to phase out back in mid-2011.
Though Apple’s changes to UDID usage were announced in 2011, it wasn’t until early last year that the developer community really started to rally behind various alternatives following a wake of app rejections for apps still accessing the UDID technology.
Cookie tracking was one of those alternatives. It’s essentially a technology that’s a holdover from the desktop web era, where cookies have been used for some 15 years. On mobile, the process generally involves HTML5 local storage, because “mobile cookies” aren’t technically the same as those on the desktop. “Within local storage, an app developer can drop a token – an ID, if you will – and then retrieve it later. In this regard, it works like a cookie, so the industry frequently uses it and talks about it like it’s a cookie,” explains Craig Palli, VP of Business Development at mobile app marketing firm Fiksu, which works with developers on user acquisition efforts.
The Advertising Identifier, as explained in Apple’s iOS 6 Settings (General –> About –> Advertising –> Limit Ad Tracking), states that “in the future, all advertising networks will be required to use the Advertising Identifier.”
Tomi Engdahl says:
Ask Slashdot: Should We Have the Option of Treating Google Like a Utility?
http://ask.slashdot.org/story/13/02/27/0144218/ask-slashdot-should-we-have-the-option-of-treating-google-like-a-utility
“I’ve been thinking a lot about how much information I give to technology companies like Google and Facebook and how I’m not super comfortable with what I even dimly know about how they’re handling and selling it. Is it time for major companies like this, who offer arguably utility-like services for free in exchange for info, to start giving customers a choice about how to ‘pay’ for their service?”
Tomi Engdahl says:
They Know What You’re Shopping For
http://online.wsj.com/article/SB10001424127887324784404578143144132736214.html#articleTabs%3Dinteractive
‘You’re looking at the premium package, right?’ Companies today are increasingly tying people’s real-life identities to their online browsing habits.
To identify what personal information gets passed to other companies when you log in to popular websites, The Wall Street Journal tested 50 of the top sites (by U.S. traffic) that offer registration, excluding sites that required a real-world account, such as banking sites. The Journal also tested 20 selected other sites that focus on sensitive subjects such as dating, politics, health, or children’s issues, and our own site,
Tomi Engdahl says:
Do Not Track bill reintroduced: ‘They have dragged their feet long enough,’ says senator
http://www.theverge.com/2013/2/28/4041928/do-not-track-online-privacy-bill-reintroduced
Do Not Track is back in the spotlight today as senators Jay Rockefeller (D-W.Va.) and Richard Blumenthal (D-Conn.) reintroduced a bill that would let people opt out of having their online activity tracked by advertisers. Originally introduced in 2011, the Do Not Track Online Act was envisioned as an online equivalent to the nationwide Do Not Call list, but talks have broken down between privacy activists and the ad industry, and nearly two years since its initial proposal, there is still no consensus about how to move forward.
The W3C’s Tracking Protection Working Group was formed in 2011 to design the specification needed to actually implement Senator Rockefeller’s legislation, but with no signs of a consensus forming, it’s doubtful that re-introducing the bill is going to be enough to break through the impasse.
Tomi Engdahl says:
Silent Listeners:
The Evolution of Privacy and Disclosure on Facebook
http://repository.cmu.edu/cgi/viewcontent.cgi?article=1098&context=jpc
Over the past decade, social network sites have experienced dramatic
growth in popularity, reaching most demographics and providing new opportunities for interaction and socialization. Through this growth, users have been challenged to manage novel privacy concerns and balance nuanced trade-os between disclosing and withholding personal information. To date, however, no study has documented how privacy and disclosure evolved on social network sites over an extended period of time.
Our analysis highlights three contrasting trends.
First, over time Facebook users in our dataset exhibited increasingly privacy-seeking behavior, progressively decreasing the amount of personal data shared publicly with unconnected proles in the same network.
However, and second, changes implemented by Facebook near the end of the period of time under our observation arrested or in some cases inverted that trend.
Third, the amount and scope of personal information that Facebook users revealed privately to other connected proles actually increased over time and because of that, so did disclosures to “silent listeners” on the network: Facebook itself, third-party apps, and (indirectly) advertisers.
Tomi Engdahl says:
EU caves in to pressure on new data, privacy law changes; U.S. tech firms breathe sigh of relief
http://www.zdnet.com/eu-caves-in-to-pressure-on-new-data-privacy-law-changes-u-s-tech-firms-breathe-sigh-of-relief-7000012235/
Summary: After major U.S.-based technology companies lobbied European member states and politicians, many will wake up today able to breathe a sigh of relief, as the European Commission is forced to climb down on certain elements of the new proposed data protection and privacy law.
Tomi Engdahl says:
Facebook likes to tell a lot about the user
A study published on Monday shows that likes touch of a Like button, the user can reveal the political position or a possible drug use.
Users will press Like buttons 2.7 billion times a day.
Like-touch of a button on Facebook can tell you about more than this would like to see. U.S. scientific journal PNAS-published study says that the likes of-touch of a button can be inferred from such person’s position on religious or sexual orientation.
For the study, researchers looked at more than 58 000 U.S. Facebook user Likes. The researchers fed their likes algorithm, which produced portraits of the users. These pictures of people compared to the descriptions given by the users themselves. The study showed that the algorithm portraits were based in some respects surprisingly accurate.
Like-button press will say, 95 percent accuracy whether the user is white or black. Male user sexual orientation revealed 88 percent accuracy. Like-button pushed the political position revealed 85 per cent accuracy. The researchers also were able to determine Did 65 percent of personal drugs.
Source: http://yle.fi/uutiset/facebookissa_tykkaaminen_kertoo_paljon_kayttajasta/6533403
Tomi says:
The Enemies of Internet
Special Edition : Surveillance
Era of the digital mercenaries
http://surveillance.rsf.org/en/
Online surveillance is a growing danger for journalists, bloggers, citizen-journalists and human rights defenders. The Spyfiles that WikiLeaks released in 2012 showed the extent of the surveillance market, its worth (more than 5 billion dollars) and the sophistication of its products.
Tomi says:
Imagining a World Without Cookies
http://www.digiday.com/publishers/imagining-a-world-without-cookies/
After hearing of Mozilla’s move to block third-party cookies unless users opted in to them, Mike Zanies, the Interactive Advertising Bureau’s general counsel, reacted fiercely on Twitter: “This default setting would be a nuclear first strike against ad industry.”
This has been the typical stance of many in the industry. Any move to restrict cookies in any way, whether it’s through browser defaults or regulations, is painted as a mortal threat to the ad industry, even to society. And yet it’s hard to believe that a $100 billion global industry would simply fold up its tent and move onto something else if such restrictions come into place. The more likely result would be a period of turmoil, followed by adaption. There would be winners and losers.
This is not an academic argument. In addition to the move by Mozilla, there are regulatory threats. Do Not Track legislation aimed at third parties was re-introduced into the Senate last week, leaving those in opposition to regulation feeling under attack. Some kind of restrictions on the use of cookies appears inevitable.
The industry is vulnerable on this front because it has relied for over 15 years on cookies for a whole host of purposes. Some of them have clear consumer benefit — not having to sign in each time you arrive on a site, for example — while others are clearly designed to benefit marketers rather than consumers.
Tomi says:
Why the IAB Fights for Cookies
http://www.digiday.com/publishers/why-ad-sellers-fear-cookie-restrictions/
The Internet ad industry has premised its approach to privacy around two facts: (1) it doesn’t use personally identifiable information; and (2) the direct-mail guys are sketchier.
This line of defense has proven quite effective. Moves to enact Do Not Track legislation have failed. For the most part, the industry’s had a free hand to self-regulate. Now, it’s facing a different sort of challenge: browser makers are moving to restrict third-party cookies. Mozilla has done this with its new version of the Firefox Web browser. Many expect Microsoft to follow suit. (Google, being the largest seller of online advertising, is unlikely to do the same with Chrome, but you never know.)
That leaves the industry in a difficult position. It has often argued that opponents of targeting don’t fully understand the Web. They’re either privacy zealots or backwards dinosaurs.
The Interactive Advertising Bureau has put forward the position that moves like Mozilla’s are threats to “small businesses.”
Digiday has written about whether restrictions of third-party cookies would be so terrible. The industry is unlikely to fold its tents, return all that money to shareholders and venture backers, and go home. It would likely adjust. There would be winners and losers. As Bill Demas, CEO of Turn, said, “There will still be advertising on the Internet.”
Tomi Engdahl says:
Right to be forgotten on the web unworkable, argue data watchdogs
http://www.v3.co.uk/v3-uk/news/2257523/right-to-be-forgotten-unworkable-argue-data-watchdogs
Privacy groups’ calls for European citizens to have the right to be forgotten online are unrealistic and could damage the economy, according to representatives from the Information Commissioner’s Office (ICO) and European Commission (EC).
“The right to be forgotten worries us as it makes people expect too much,” said Smith.
Instead, Smith said the focus should be on the “right to object” to how personal data is used, as this places the onus on businesses to justify the collection and processing of citizens’ data.
“It is a reversal of the burden of proof system used in the existing process. It will strengthen the person’s position but it won’t stop people processing their data.”
Tomi Engdahl says:
New California “Right to Know” Act Would Let Consumers Find Out Who Has Their Personal Data — And Get a Copy of It
https://www.eff.org/deeplinks/2013/04/new-california-right-know-act-would-let-consumers-find-out-who-has-their-personal
Let’s face it: most of us have no idea how companies are gathering and sharing our personal data. Colossal data brokers are sucking up personal facts about Americans from sources they refuse to disclose. Digital giants like Facebook are teaming up with data brokers in unsettling new ways. Privacy policies for companies are difficult to read at best and can change in a heartbeat. And even savvy users are unlikely to fend off the snooping eyes of online trackers working to build profiles of our interests and web histories.
So what can we do about it? A new proposal in California, supported by a diverse coalition including EFF and the ACLU of Northern California, is fighting to bring transparency and access to the seedy underbelly of digital data exchanges. The Right to Know Act (AB 1291) would require a company to give users access to the personal data the company has stored on them—as well as a list of all the other companies with whom that original company has shared the users’ personal data—when a user requests it. It would cover California residents and would apply to both offline and online companies.
Tomi Engdahl says:
Activists on Front Lines Bringing Computer Security to Oppressed People
https://threatpost.com/en_us/blogs/activists-front-lines-bringing-computer-security-oppressed-people-040313
Security-related policy or legislation is enacted and then enforced to protect corporate, government or military interests. Civil organizations are often left flailing in the wind, fending for themselves with fewer IT resources and experience than a Middle America mom-and-pop operation.
“It’s a widespread assumption that the Internet, mobile devices, social media are empowering, but [attackers] are finding leverage there to put NGOs at risk,”
“They lack awareness. They’re poorly resourced. They’re left out to dry when it comes to policy; government focuses on the private sector and civil society is left defenseless.”
Citizen Lab is one organization that has done intense research into understanding the threat environment facing those groups NGOs and human rights organizations seek to help. Often, these groups are desperate to communicate with others, and believe that social networks or tools such as Skype and other platforms are safe. But attackers, most of whom are believed to be state-sponsored, have infiltrated these networks and platforms with malware that reports back on the activities of these groups.
In the last two weeks, researchers at Citizen Lab and Kaspersky Lab have discovered the first targeted attacks using malware for the Android mobile platform. Spear-phishing emails spoofed from prominent Tibetan activist leaders spread infected Android application package (.APK) files that not only opened backdoor channels to the attackers and collected contact and messaging data from the phone, but also relayed location information that could be used for surveillance.
Tibetan Android users, for example, are barred by the Great Firewall of China from accessing the Google Play store, forcing them to download apps from third-party resources that may be untrustworthy.
“For every Fortune 500 company or network that is breached, somewhere there is a NGO whose social network was compromised,” Deibert said. “The risk is greater, because we are talking about loss of life or imprisonment.”
Tomi Engdahl says:
Why Facebook Home bothers me: It destroys any notion of privacy
http://gigaom.com/2013/04/04/why-facebook-home-bothers-me-it-destroys-any-notion-of-privacy/
Facebook’s history as a repeat offender on privacy, and playing loose and easy with our data means that need to be even more vigilant about privacy issues, thanks to this Home app/faux-OS.
The new Home app/UX/quasi-OS is deeply integrated into the Android environment. It takes an effort to shut it down, because Home’s whole premise is to be always on and be the dashboard to your social world.
But there is a bigger worry. The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time.
So if your phone doesn’t move from a single location between the hours of 10 p.m. and 6 a.m. for say a week or so, Facebook can quickly deduce the location of your home. Facebook will be able to pinpoint on a map where your home is, whether you share your personal address with the site or not.
This future is going to happen – and it is too late to debate. However, the problem is that Facebook is going to use all this data — not to improve our lives — but to target better marketing and advertising messages at us. Zuckerberg made no bones about the fact that Facebook will be pushing ads on Home.
Tomi Engdahl says:
Unique in the Crowd: The privacy bounds of human mobility
http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html
We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.
the uniqueness of mobility traces decays approximately as the 1/10 power of their resolution. Hence, even coarse datasets provide little anonymity.
Modern information technologies such as the Internet and mobile phones, however, magnify the uniqueness of individuals, further enhancing the traditional challenges to privacy. Mobility data is among the most sensitive data currently being collected.
Tomi Engdahl says:
Firefox users threatened avalanche of advertising: “Blocking cookies dangerous and disturbing”
Mozilla’s Firefox browser to the latest version 22 is coming to an automatic third-party cookie blocking function. It’s got advertisers and unions war feet, and in the future Firefox users are threatened with increasing the number of online ads.
New feature because of ad networks is even more difficult to track user behavior. Because of their own pickings are threatened, they have even called a new feature “dangerous and very disturbing.”
Advertisers have promised to Firefox users to see in the future more and more unallocated ads that may seem even spam.
Source: http://www.tietoviikko.fi/kaikki_uutiset/firefoxkayttajia+uhkaa+mainosvyory++quotevasteiden+estaminen+vaarallista+ja+hairitsevaaquot/a892567?s=r&wtm=tietoviikko/-08042013&
Tomi Engdahl says:
Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight
http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/
A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.
Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.
The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location.
The secretive technology, generically known as a stingray or IMSI catcher, allows law enforcement agents to spoof a legitimate cell tower in order to trick nearby mobile phones and other wireless communication devices like air cards into connecting to the stingray instead of a phone carrier’s legitimate tower.
When devices connect, stingrays can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location.
By moving the stingray around and gathering the wireless device’s signal strength from various locations in a neighborhood, authorities can pinpoint where the device is being used with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location.
Tomi Engdahl says:
EBay Opens Up Its Data for Ad Targeting
Follows lead of Amazon, Google and Facebook By Tim Peterson
http://www.adweek.com/news/technology/ebay-opens-its-data-ad-targeting-148469
Retailers possess a crazy amount of really valuable data for advertisers—e.g., what products someone has bought or have browsed through and may one day buy, potentially sooner if they’re shown an ad for that item.
That has positioned Amazon to ascend to Google’s and Facebook’s level as the apex companies of digital advertising.
“We’re now commercializing that capability for the benefit of other marketers who want to reach shoppers. That’s something new this year,
As with Amazon and any retargeting program, eBay walks a fine line of getting advertisers in front of the appropriate people without creeping them out.
Tomi Engdahl says:
How Wireless Carriers Are Monetizing Your Movements
http://www.technologyreview.com/news/513016/how-wireless-carriers-are-monetizing-your-movements/
Data that shows where people live, work, and play is being sold to businesses and city planners, as mobile operators seek new sources of revenue.
Wireless operators have access to an unprecedented volume of information about users’ real-world activities, but for years these massive data troves were put to little use other than for internal planning and marketing.
More comprehensive than the data collected by any app, this is the kind of information that, experts believe, could help cities plan smarter road networks, businesses reach more potential customers, and health officials track diseases. But even if shared with the utmost of care to protect anonymity, it could also present new privacy risks for customers.
The concerns about making such data available, Blondel says, are not that individual data points will leak out or contain compromising information but that they might be cross-referenced with other data sources to reveal unintended details about individuals or specific groups (see “How Access to Location Data Could Trample Your Privacy”).
Tomi Engdahl says:
Facebook’s Android app can now retrieve data about what apps you use [Update]
http://thenextweb.com/facebook/2013/04/13/facebooks-android-app-can-now-retrieve-data-about-what-apps-you-use/
Facebook on Friday released its Android launcher called Home. The company also updated its Facebook app, adding in new permissions to allow it to collect data about the apps you are running,
Tomi Engdahl says:
Facebook and State Attorneys General Team Up to Educate Teens and Parents about Privacy
http://abcnews.go.com/Technology/facebook-state-attorneys-general-team-educate-teens-parents/story?id=18951226#.UW0AEcpsUik
While some reports indicate that teen Facebook use is on the decline, Facebook along with the National Association of Attorneys General are about to become laser focused on educating that younger demographic and their parents about privacy on the social networking community.
“There are more and more parents now who understand Facebook and how it works and how their children are using it, but don’t necessarily understand the privacy settings and how they work,” Gansler told ABC News in an interview.
“Five years ago it was MySpace. The attorneys general got involved with MySpace and we addressed the sexual predator issues on the site,” Gansler said. “While there is some movement [away from Facebook] into other places, and we are aware of that, we are going to make sure we are involved in those as well. We will move along with the trends towards the next thing in a regulatory capacity.”
Tomi Engdahl says:
FTC warns data brokers on privacy rules
http://www.washingtonpost.com/business/technology/ftc-warns-data-brokers-on-privacy-rules/2013/05/07/2e152c16-b748-11e2-92f3-f291801936b8_story.html
Federal officials have intensified their scrutiny of the data brokerage industry by issuing a series of formal letters in recent days alerting companies that they may be violating federal restrictions on the collection and sale of personal information.
The letters to 10 companies — ranging from firms that compile consumer lists for credit offersto a Web site that helps parents screen potential nannies — amounted to warning shots at a large and fast-growing industry that gathers personal information and markets it to a variety of customers.
The Federal Trade Commission is probing whether some of these practices violate the Fair Credit Reporting Act, which regulates how private companies can use personal information.
“It’s the initial sparks in what’s likely to become the next battle in privacy,” said Jeff Chester, executive director of the Center for Digital Democracy. “They may be using people’s data in new ways, but they could cross old laws.”
Tomi Engdahl says:
Bloomberg Admits Terminal Snooping
http://www.nytimes.com/2013/05/13/business/media/bloomberg-admits-terminal-snooping.html?pagewanted=all&_r=0
Reporters at Bloomberg News were trained to use a function on the company’s financial data terminals that allowed them to view subscribers’ contact information and, in some cases, monitor login activity in order to advance news coverage, more than half a dozen former employees said.
The company acknowledged that at least one reporter had gained access to information on Goldman Sachs after the bank complained to the company last month.