Turn off Google search history before the new privacy policy takes effect.
CNET has a good description of exactly how to do it.
While I am encouraged to see the recently announced Consumer Privacy Bill of Rights, it is no reason to become complacent about your privacy.
First, the Consumer Privacy Bill of Rights is a set of fairly general statements. It is unclear if or when we would see real enforcement.
Second, it will be very difficult to enforce this against non-US services, and it is almost impossible for a user to know if some or all of a website she is visiting is being provided by a non-US company.
Third, it is very difficult to tell if the policies are being violated. Unless the website uses the information directly and immediately it is very hard to tie the use of information back to the source of the information. If it is being silently collected, you really can't tell.
While such policies and statements of principle are a good thing, and one hopes that most major websites will get on board with them, if you actually want to ensure your privacy, you need to take matters into your own hands.
Block cookies, clear out old cookies, and hide your IP address with tools like Anonymizer Universal.
Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll are using a flaw in Safari on iOS to track you despite your privacy settings.
iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.
The hack is that these advertisers use a script within the website to submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site and so allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.
Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies, iOS Safari is unusual in making this the default).
My suggestion:
The WSJ had the first article I saw on this, but it is paywalled.
9 to 5 Mac has a nice article on it.
John Battelle's searchblog tries to look at this issue from both sides.
The FBI in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center have produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.
A big red flag for me were the fliers for cyber cafes and electronics stores. These suggest that the use of privacy protecting services, like Anonymizer, should be deemed suspicious. They also call out Encryption, VoIP, and communicating through video games.
In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.
Thanks to Public Intelligence for pulling together PDFs of the documents.
The NYTimes.com reports that Kapil Sibal, the acting telecommunications minister for India is pushing Google, Microsoft, Yahoo and Facebook to more actively and effectively screen their content for disparaging, inflammatory and defamatory content.
Specifically, Mr. Sibal is telling these companies that automated screening is insufficient and that they should have humans read and approve all messages before they are posted.
This demand is both absurd and offensive.
Anonymizer just released the results of a new survey of people's use of privacy protecting technologies. The short answer is that the old standards, anti-virus and firewalls, are widely used. Unfortunately they don't actually do much to protect your privacy. They are more about security.
For full details, read the article.
Thanks to a PrivacyBlog reader for pointing me to this article: Blackhat SEO – Esrun » Youtube privacy failure
It looks like it is easy to find thumbnail images from YouTube videos that have been marked private.
If you have any such videos, go back and check that you are comfortable with the information in the thumbnails being public, or delete the video completely.
HideMyAss.com keeps logs and exposes their users. Why that is a bad policy, and how to judge a good privacy provider.
Schneier on Security: Domain-in-the-Middle Attacks
Bruce Schneier on the real world effectiveness of a very simple domain name based man in the middle attack.
Here is a Wired article on the same issue showing how it was used to steal 20 GB of email from a Fortune 500 company.
It looks like Microsoft got caught using "evercookie" or "supercookie" technologies to recreate tracking cookies even after users have tried to delete them from their browsers.
Sneaky tracking code (finally) purged from Microsoft sites • The Register
Amazon Customer's Privacy Exposed
In theory, your Amazon wish list should allow people to buy you gifts, but should not reveal anything but the list of items you want.
Evidently, if you buy something for someone off their list, you can then see the delivery address in the order reports in your account.
Solution is to remove the delivery address from your list. Your friends and family would have to enter the delivery address manually, but one hopes that they already know it. A good description of the process is in the above linked article.
Vendor of Stolen Bank Cards Hacked — Krebs on Security
Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.
This is in the "don't know whether to laugh or cry" department.
Back in February, British Prime Minister David Cameron gave a speech where he strongly opposed the censorship and crack down on protesters in Egypt.
For decades, some have argued that stability required highly controlling regimes, and that reform and openness would put that stability at risk. So, the argument went, countries like Britain faced a choice between our interests and our values. And to be honest, we should acknowledge that sometimes we have made such calculations in the past. But I say that is a false choice.
As recent events have confirmed, denying people their basic rights does not preserve stability, rather the reverse. Our interests lie in upholding our values - in insisting on the right to peaceful protest, in freedom of speech and the internet, in freedom of assembly and the rule of law. But these are not just our values, but the entitlement of people everywhere; of people in Tahrir Square as much as Trafalgar Square.
Now, with the riots in England he feels that restricting access to social media, and censoring free speech is necessary to maintain order.
Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality. I have also asked the police if they need any other new powers. Police were facing a new circumstance where rioters were using the BlackBerry Messenger service, a closed network, to organise riots. We've got to examine that and work out how to get ahead of them.
It is easy to condemn censorship in others, but it seems expedient when one is trying to control one's own population. When in power, the difference between justifiable actions and tyranny is largely a matter of "us" vs "them". "We" are good and would not abuse this power while "they" use censorship to keep the boot of oppression on their people.
The trouble is, it is very hard to know when one has moved past the tipping point, and powerful self-justification comes easily to intelligent leaders and their advisors. As has been said many times, "no man is the villain of his own story".
This is a Rubicon I hope the UK can hold back from crossing.
Researchers analyzing results from the ICSI Netalyzr project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:
Netalyzr's measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users' entire web search traffic via Paxfire's web proxies.
This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than yahoo, allowing them to collect data on your activity and possibly modify the results.
There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP cannot intercept or modify your connection.
If you are running Firefox you can install the "HTTPS Everywhere" extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.
Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.
I encourage all of you to visit the ICSI Netalyzr website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.
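The DNS substitution described above can be checked by comparing what the ISP's resolver returns with what a resolver reached over a VPN returns. The following is an added example, not code from this blog or from the Netalyzr project; the addresses are constructed from RFC 5737 documentation ranges, and the expected-network table and function names are assumptions.

```python
import ipaddress

# Constructed sample data. All addresses come from the RFC 5737 documentation
# ranges; they are not real Yahoo, Bing or proxy addresses.
EXPECTED_NETS = {            # networks the site operator is assumed to use
    "www.yahoo.com": ["192.0.2.0/24"],
    "www.bing.com": ["198.51.100.0/24"],
}
ISP_ANSWERS = {              # A records returned by the ISP's resolver
    "www.yahoo.com": ["203.0.113.10"],
    "www.bing.com": ["198.51.100.7"],
    "search.example": ["203.0.113.44"],
}
REFERENCE_ANSWERS = {        # same lookups made through a VPN or trusted resolver
    "www.yahoo.com": ["192.0.2.15", "192.0.2.16"],
    "www.bing.com": ["198.51.100.20"],
    "search.example": ["192.0.2.99"],
}


def classify(isp_ips, ref_ips, expected_nets):
    """Return 'ok', 'suspect' or 'unknown' for one hostname's answers."""
    isp = {ipaddress.ip_address(a) for a in isp_ips}
    ref = {ipaddress.ip_address(a) for a in ref_ips}
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    if not isp or not ref:
        return "unknown"                 # nothing to compare
    if isp & ref:
        return "ok"                      # both resolvers agree on an address
    if not nets:
        return "unknown"                 # differing answers may just be a CDN
    if all(any(ip in net for net in nets) for ip in isp):
        return "ok"                      # different server, same operator
    return "suspect"                     # answer points outside the operator


def audit(isp_answers, reference_answers, expected_nets):
    """Classify every hostname seen in the ISP resolver's answers."""
    return {
        host: classify(ips, reference_answers.get(host, []),
                       expected_nets.get(host, []))
        for host, ips in isp_answers.items()
    }


if __name__ == "__main__":
    for host, verdict in audit(ISP_ANSWERS, REFERENCE_ANSWERS, EXPECTED_NETS).items():
        print(f"{host}: {verdict}")
```

A "suspect" verdict means the ISP's answer differs from the reference and falls outside the operator's known networks; it is a reason to look closer, not proof of interception.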
Randi Zuckerberg, marketing director and co-founder of Facebook said:
I think anonymity on the Internet has to go away… People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.
<irony> This of course explains why no one is a jerk or a bully on Facebook. </irony>
I have been doing this Anonymity thing for much longer than Facebook has existed. I have seen the debates and watched the reality. I am convinced that the problem is that most Internet spaces are impersonal, rather than that they are anonymous. People will be outrageously rude and offensive online while being unfailingly courteous in person, even if both situations are in real name.
In reality, most "real world" interactions are functionally anonymous, yet most of us behave most of the time.
I won't even get in to how terrible her idea would be for people under repressive regimes.
Facebook: “Anonymity on the Internet has to go away” | ZDNet
Publicly accessible Wi-Fi geolocation databases enable tracking of individual laptops and cell phones.
House panel approves broadened ISP snooping bill | Privacy Inc. - CNET News
Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain "customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses".
They are calling it the "Protecting Children From Internet Pornographers Act of 2011" in a flagrant attempt to make it politically difficult to vote against it even though the bill has nothing directly to do with Internet pornography or protecting children.
Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very positive trend of late.
Of course, criminals will continue to be trivially able to circumvent such tracking efforts, making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probable cause.
It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.
Contact your Representative and Senators if this is something you feel strongly about.
This makes a good case for why it concerns me that we seem to be willing to automate all kinds of things that can really impact us without including real security.
Matt Blaze analyzes why the widespread use of cryptography has had almost no impact on our practical ability to do wiretaps and gather information under legitimate court orders. Not too technical and absolutely worth a read.
Odd that they describe a 15 year old company as a "startup"....