By Martin H. Bosworth
ConsumerAffairs.com
October 26, 2006
Fans of open-source foundation Mozilla's popular Firefox Web browser had reason to rejoice on Oct. 24, as the company released version 2.0 of the free software to highly positive reviews.
But a new feature designed to protect Web surfers from "phishing" attacks raised a few eyebrows, as it could potentially deliver a user's records of all visited sites to any participating anti-phish site tracker.
More interestingly, the only participating partner at the moment is Google, itself often discussed as having a spotty attitude toward keeping users' data private.
"Phishing" is a form of fraud wherein Web surfers visit a site that looks like a reputable business site -- Amazon.com or Bank of America, for example -- but is in fact designed to collect your financial information.
Phishers not only create dummy Web pages to siphon victims' data, but can also clog up your e-mail inbox with junk requests to provide your personal information.
Firefox 2.0's new "Phishing Protection" feature automatically checks any site the user visits against a "blacklist" of known phishing sites when the feature is enabled.
However, the service also offers the option of sending details about each site you visit to remote anti-phishing services.
Although the system is enabled to work with many anti-phishing services, Google is currently the only active partner. Moreover, Google developed the technology for Firefox's new anti-phishing feature from its own "Safe Browsing" addition for the Firefox suite.
The additional features require explicit "opt-in" consent and user activation, but the news still rankled critics of the search engine giant and its hunger for information.
One user said the service was deliberately targeted to less Web-savvy surfers who "won't care about giving up that little bit of privacy to keep their identity safe from the 'bad people.'"
The Mountain View, Calif.-based company has a mixed record when it comes to keeping user data secret.
Its popular Google Desktop search tool enables a user's computer hard drive to be stored on Google's central servers for search across multiple computers, which also gives Google theoretically unfettered access to a user's hard drive.
Google was careful to emphasize that its Desktop search functions are purely voluntary and "opt-in," rather than the default mode for anyone who uses the tool.
Also, to its considerable credit, Google stood up to the Department of Justice over user data when it refused to turn over search queries to the agency.
The DOJ wanted two months' worth of Google search information to enforce online child-protection laws, but Google opposed the move as being overbroad and endangering its customers' personal privacy.
A Sell-Out?
But not everyone is convinced that Google can be trusted over the long haul.
Fans of Firefox were dismayed over what they saw as a "sellout" move by Mozilla, which recently became a for-profit company after many years as a nonprofit champion of "open source" software development.
Others noted that Google and Mozilla have been frequent business partners, and that Google isn't doing anything other Internet service providers haven't already done.
Some remained unconvinced, however. A commenter at the UK-based Platinax entrepreneurs' forum said that, "It's the provision of data to Google that raises the concerns."
What You Can Do
If you don't want to be duped by phisher e-mails and Web sites, but also don't want to hand over your Web surfing data to Google, don't enable the option of sending information to remote services in Firefox 2.0.
Stick with the default setting of the "blacklist," which should be updated regularly.
The Anti-Phishing Working Group, an organization made up of the heavy hitters in the online business and technology world, maintains a comprehensive list of procedures users can follow to avoid getting phished.
The tips include:
Always make sure you're using a secure Web site before providing your financial information. Secured sites' Web addresses begin with "https://," rather than "http://."
Don't respond to any e-mail asking for your financial information or to click on a Web site link until you have verified the mail is legitimate. Phisher sites will typically ask for personally identifying information such as names, addresses, and Social Security numbers.
Regularly check your online bank and financial accounts to ensure all the information is up to date. Never provide credit or bank card data over the Web unless you have verified the site is secure.