Internet

A coalition of consumer groups wants the Federal Communications Commission (FCC) to keep broadband providers from serving targeted ads to subscribers.

It's part of a growing wave of resistance to marketers tracking consumers and serving ads that match the profiles that are built from such tracking. On another front, Internet pioneer Brendan Eich is launching a new browser, Brave, that blocks targeted ads and inserts more general advertising.

While websites themselves are beyond the reach of the FCC, broadband providers including telephone and wireless companies and satellite TV providers are not. and the groups say the FCC should crack down on them.

"Providers of broadband Internet access service ... have a unique role in the online ecosystem," the organizations say in a letter to FCC Chairman Tom Wheeler. "Their position as Internet gatekeepers gives them a comprehensive view of consumer behavior and until now privacy protections for consumers using those services have been unclear."

The 59 organizations signing the letter include the Consumer Federation of America, Electronic Frontier Foundation, and Free Press. The Electronic Privacy Information Center submitted a more detailed letter.

"Chilling effect

They are asking the FCC to adopt rules that would prohibit broadband providers from collecting and sharing data about consumers without their explicit consent. The watchdogs also say the FCC should require providers to notify consumers about data breaches, and should require providers to "clearly disclose" data collection practices.

The groups also say the prospect of online surveillance "can create a chilling effect on speech and increase the potential for discriminatory practices derived from data use."

Wheeler has said he intends to propose new privacy rules, something the FCC is able to do because of its recent decision to reclassify Internet service providers as common carriers. That move subjected broadband providers to some of the same confidentiality requirements rules as telephone companies.

The commission currently advises broadband providers to follow the “core tenets of basic privacy protections” but has not yet enacted specific privacy regulations.

"The capital asset of the 21st century is information, and it ends up being information about you and me," Wheeler told talk show host Charlie Rose last November. "You and I ought to have a voice in the collection of information about us. Nothing about me without me, is what the expression is."

A long era of uncertainty over the future of Internet taxes may be coming to a close. With a 75-20 vote in the Senate today, Congress passed the Permanent Internet Tax Freedom Act (PITFA), which bans taxing Internet access.

Summed up by Congress, the act “amends the Internet Tax Freedom Act to make permanent the ban on state and local taxation of Internet access and on multiple or discriminatory taxes on electronic commerce.”

While billed as a pro-consumer measure, the measure was supported most fervently by the cable and telecommunications industries.

"We applaud the Senate on today’s passage of the Permanent Internet Tax Freedom Act (ITFA)," said Michael Powell, president of the National Cable & Telecommunications Association, the cable industry's trade association. "Internet access is more than a convenience, it’s critical to the daily lives of Americans."

"By keeping Internet access free from state and local taxes, ITFA will permanently keep down the cost of connectivity, enable more American consumers and businesses to get online and allow the Internet to further power economic growth. We urge President Obama to sign this important legislation to make ITFA permanent once and for all,” said Powell. 

Permanent tax ban

PIFTA makes permanent the Internet Tax Freedom Act (ITFA), which was first passed in 1998. It placed a temporary ban, or moratorium, on taxing Internet access. 

The key word here is “temporary.” ITFA was never made permanent, even though it received bipartisan support. Some senators consistently prevented the tax ban from being made permanent. Sen. Dick Durbin (D-Ill.), for one, wanted to make passage of PITFA contingent on passage of another piece of legislation called the Marketplace Fairness Act (MFA), which stipulates that consumers must pay sales tax on online purchases.

After being promised a vote on a new MFA in 2017, Durbin finally relented and agreed to the bill’s passing, ending 17 years of annual ITFA extensions. 

The bill now awaits the signature of President Barack Obama. Whether he intends to sign it is unknown. If he does, states who have taxes in place for Internet access will need to cease collections by 2020.

No longer do we just have the internet, a way to connect computers, tablets, and smartphones.

Now, all manner of devices – cars, home appliances, even heart monitors – are connected, in an environment that has come to be called the Internet of Things (IoT).

Security firms have a hard enough time keeping your PC secure, so the question may arise, just how secure is your thermostat, and all the other products that work in the IoT universe?

Not very, says Experian. The company notes too many of these connected products are vulnerable because of weak security and controls. That, it says, can create points of weakness in users' critical private networks, systems, and data that are ripe for exploitation.

Strong as the weakest link

"The Internet of Things is only as strong as its weakest link, and it is important to fully understand what an interconnected environment means," said Adam Fingersh, senior vice president and general manager of Experian's fraud and identity business.

Weak security controls on connected products dramatically increase the chances for cybercriminals to hack inside your connected products and gain entry into your broader systems.

"As more and more products are connected, a casual mindset about the security risks inherent in IoT can create significant risk,” Fingersh said.

What to do

Experian has developed some proactive steps for both consumers and businesses. The company first suggests that consumers only buy products that operate in the IoT environment from reputable sources. An unvetted source could sell you a product with malware preloaded.

As you research a product that connects to the internet, make sure you understand the company's privacy policy and how they intend to use any data they collect from you. Data from any IoT device could end up with a third party and might be used for a variety of purposes.

Ask how access to these systems are controlled and guarded. If devices are enabled for downloading apps, exercise the same caution you would on your smartphone – download only from reputable providers.

Fingersh says the bar may be set higher for businesses. He says businesses tend to be bigger targets, and therefore should look at any IoT product it deploys within its system as a potential threat.

For hackers and cybercriminals, ransomware is literally money in the bank.

If a target clicks on a link in an email, designed to appear as though it is from a familiar source, the malware is unleashed on the victim's computer, encrypting every file.

The only way for the victim to regain access to these files – photos, documents, or multimedia files – is to pay the hacker a ransom in Bitcoin. The threat has grown exponentially, ensnaring individual consumers as well as businesses and organizations.

Researchers at the University of Florida (UF) now say they have developed a solution, a software tool that will stop ransomware in its tracks. They call it CryptoDrop. The researchers say it works in a very different way than antivirus software.

Limiting the damage

Instead of identifying the ransomware before it can download to a target computer, CryptoDrop springs into action a nanosecond after the process begins. As a result, only a tiny fraction of files get encrypted.

“Our system is more of an early-warning system,” said Nolen Scaife, a UF doctoral student and founding member of UF’s Florida Institute for Cybersecurity Research.

Scaife says CryptoDrop steps in to prevent the ransomware from completing its task. A victim might lose a few photographs, but that is the limit of the damage. There is no reason to pay a ransom.

The UF researchers say antivirus software has a hard time stopping ransomware because it needs to have seen the malware before in order to be effective. But hackers are constantly tweaking their ransomware bugs, making them unrecognizable.

CrytoDrop is like a security guard, always looking for signs of a ransomeware attack. When it sees the malware encrypt a file, it springs into action to stop the process from going further.

Instead of looking for a particular software profile, it is instead looking at what the software does. If hackers come up with a new malware every week, it won't matter.

Growing threat

In the last few years ransomware attacks have targeted hospitals and even police departments. In 2015 police in Tewksbury, Massachusetts, admitted that they'd had to pay an untraceable $500 Bitcoin ransom to the hackers who'd encrypted the department's computer files.

Also last year, a new form of ransomware emerged, in which hackers planted child pornography images on victims' phones until a ransom was paid.

It's gotten so bad that some companies now build ransoms into their operating budgets, expecting that sooner or later they'll have to pay up. The UF researchers, however, say that might not be necessary.

“We ran our detector against several hundred ransomware samples that were live and in those case it detected 100% of those malware samples and it did so after only a median of 10 files were encrypted,” Scaife said.

The research team says its prototype works with Windows-based systems and the researchers are now seeking a partner to put it on the market.

My internist is the ultimate geek. He has been lugging a MacBook from one exam room to another for years and is a pioneer at integrating software into every aspect of his medical practice.

So when I started a small community news site and offered him free ads for a year, he excitedly accepted. I designed and posted the ads but was puzzled when he didn't mention them on my next visit, even though he talked about other aspects of the site.

One day, he brought the site up on his laptop as we were discussing it and I realized why he hadn't seen his free ads: he was running an ad blocker. I said nothing but wondered how he would like it if I started running a payment blocker, something that would magically stop him from being paid for our visits. After all, how much does it take to give somebody a flu shot and lecture them about cigars?

This, on a much larger scale, is the dilemma now facing websites and their readers and advertisers. Websites, especially those that provide news and other content that is expensive to produce, need revenue. But readers are becoming fed up with the sheer number of ads and the obtrusive and noisy nature of many of them and are fighting back with ad blockers.

Survival threat -- or payback?

For sites already struggling to keep the lights on, this represents a real threat to their survival. But critics say sites have brought this on themselves by flooding their pages with huge pop-ups, auto-play videos and those follow-you-everywhere ads based on what Big Data thinks you're interested in.

Some sites are fighting back, installing software that blocks ad-block users. Others are putting together public relations and, yes, ad campaigns urging consumers to be a little more ad-receptive.

Ad-blocking is all anybody in the ad business is talking about these days. Last week, just in case you missed it, was Advertising Week, when the ad biz celebrates itself. But last week's conferences weren't quite as buoyant as usual, as advertisers and their agencies contemplated the prospect of consumers shutting them out.

Ideas bounced around just the way they do in the brain-storming sessions that produce the ads that fill our lives. Cries of, "better creative," "tighter targeting," and "ads people love" filled the air.

But AOL CEO Tim Armstrong shot down some of the more exuberant cries, berating his fellow media and ad execs for discussing the issue without any consumers in the room.

"Everyone is spending all their time talking about ad blocking right now," he said, AdAge reported. "Everyone should be spending all of their time talking about why consumers feel the need to block ads. ... Few things are more annoying than pop-ups on mobile."

Fox Networks Group President of Ad Sales Toby Byrne agreed and said publishers, marketers, and agencies should work to provide a "better ad experience."

Newspapers grouse

Newspapers, which used to complain constantly about such things as the cost of newsprint, now grouse bitterly about ad blockers, denouncing them as just another form of theft. This ignores the sad fact that many newspaper sites are so packed with ads and subscription come-ons that news-hungry readers are being driven away -- to Business Insider, the Huffington Post, Buzzfeed, and so forth.

Being a lifelong content producer, as we're now called, I have always eschewed ad blockers, regarding them basically as akin to stealing candy from babies. But duty calls, so a little while ago, I loaded a Google Chrome extension called AdBlock.

I hate to say this, but I should have done it years ago. Part of my daily drill involves looking at major newspaper sites, something that over the last few years has come to rival a dental visit. But today I whipped through five or six of the usual suspects in record time, even managing to look at a couple of Tribune and Gannett newspapers which have up until now been completely barricaded behind full-screen ad blitzes.

Not only are there fewer ads to sit through, the pages actually load like lightning, making it possible to see if there's anything worth reading before it makes the transition from news to history.

There's a lot more to this argument, and the giants of the Information Age are trying to figure out which side they're on. Consumers should do the same. Anyone who regularly reads, uses, or otherwise benefits from a site should be willing to look at a few ads or pay a few dollars.

But the reality is that, thanks to ad blockers, no one needs to voluntarily submit to a daily blizzard of ads that obscure the content and render the whole experience an exercise in frustration. It's up to publishers, advertisers, and marketers to figure out how to put out an appealing and profitable product.

Build it, as they old saying has it, and they will come.

The Internet of Things -- interconnected devices like appliances and security alarms -- are fine but it's important to protect them against errant humans, a report from the Federal Trade Commission (FTC) cautions.

Consumers are rushing to install Internet-enabled thermostats, smoke alarms, security systems, health and fitness monitors and cars, a trend that promises improved security, economy and efficiency but that also raises privacy and security concerns.

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

There are already more than 25 billion connected devices in use worldwide, with that number set to rise significantly as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue to invest in connected devices, according to data cited in the report.

The report is partly based on input from leading technologists and academics, industry representatives, consumer advocates and others who participated in the FTC’s Internet of Things workshop held in Washington D.C. on Nov. 19, 2013, as well as those who submitted public comments.

Security was one of the main topics addressed at the workshop and in the comments, particularly due to the highly networked nature of the devices. The report includes the following recommendations for companies developing Internet of Things devices:

• build security into devices at the outset, rather than as an afterthought in the design process;
• train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
• ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
• when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
• consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
• monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

Commission staff also recommend that companies consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely.

The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.

The operator of an alleged “revenge porn” website has been banned from sharing nude videos or photographs of people without their consent and will have to destroy the intimate images and personal contact information he collected while operating the site.

The Federal Trade Commission’s complaint against Craig Brittain alleges that he used deception to acquire and post intimate images of women, then referred them to another website he controlled, where the women were told they could have the pictures removed only if they paid hundreds of dollars.

“This behavior is not only illegal but reprehensible,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “I am pleased that as a result of this settlement, the illegally collected images and information will be deleted, and this individual can never return to the so-called ‘revenge porn’ business.”

According to the FTC’s complaint, Brittain acquired the images in a number of ways, such as by posing as a woman on the advertising site Craigslist, and offering nude photos purportedly of himself in exchange for photos provided by women. When women provided him with the photos, Brittain posted them on his site without their knowledge or permission.

In addition to collecting and posting the images himself, Brittain solicited viewers of his site to anonymously submit nude photos of people to his site, according to the complaint. He required submissions to include sensitive personal information about the people in the photos, including their full name, town and state, phone number and Facebook profile.

Bounty system

Brittain also allegedly offered a “bounty system” on his site, wherein users could offer a reward of at least $100 in exchange for other users finding pictures and information about a specific person. Overall, Brittain’s site included photos of more than 1,000 individuals, according to the complaint.

Brittain’s site also advertised content removal services under the name “Takedown Hammer” and “Takedown Lawyer” that could delete consumers’ images and content from the site in exchange for a payment of $200 to $500. Despite presenting these as third-party services, the complaint alleges that the sites for these services were owned and operated by Brittain.

Researchers at the National University of Singapore have discovered a serious new threat to personal privacy in the Internet era: “geo-location inference,” which allows almost anyone with a website to determine the precise location of that site's visitors (from country and city right down to street address), and “geo-inference attacks,” which makes this information available to hackers who can make hyper-precise measurements of the timing of browsers' cache queries.

The full research study, downloadable as a .pdf here, is titled I Know Where You've Been: Geo-Inference Attacks via the Browser Cache. The problem is particularly widespread in the U.S., U.K., Australia, Japan and Singapore, and among users of Chrome, Firefox, Internet Explorer, Opera and Safari browsers.

Head researcher Yaoqi Jia told the Daily Dot that geo-inference attacking is a “new attack” with a “big impact,” and that “It’s the first to utilize timing channels in browsers to infer a user’s geo-location. No existing defenses are efficient to defeat such attacks.” Even the anonymizing network Tor cannot provide perfect protection against it.

What is it?

But what exactly is this problem? Many popular websites are “location-oriented,” which means that different visitors from different locations see different things.

Craigslist lets users narrow their searches by geographical area. Google uses different pages in different countries: Google.com in the United States becomes Google.ca in Canada. And of course, anyone using Google Maps types in all sorts of specific addresses and locations, and Google Maps remembers them all. So does your browser, unless and until you clear your browser history.

You've surely noticed on your own computer or mobile device that, all else being equal, the websites you visit on a regular basis tend to load much faster than some new-to-you website you're visiting for the first time. That's because when you visit your regular sites, your browser saves time by relying partly on its memory cache: the files you see every time you visit a particular website get saved onto your computer or device, so you don't have to re-download them on every subsequent visit.

But this process is not secure, and it does take time. Exactly how much time varies based on many different factors, including your actual physical distance from the website's server.

Suppose that you, and your friend who lives 10 miles away, are both frequent visitors of a website based on the opposite side of the country. (For the sake of this hypothetical, let's also pretend that your computer or mobile device, and your friend's, are alike in every possible way: same connection speeds, same browsing history and memory space, same everything except your geographic locations, which are 10 miles apart.)

Time lag

As far as your merely human senses can tell, it takes the same amount of time to visit that website from your home computer as it does your friend's. But with a computer's super-human senses, you can see there's actually a time lag – a very noticeable one, if you're measuring in something like fractions of nanoseconds.

That, in a nutshell, is geo-location inference. And when hackers break in and steal this information, that's a “geo-inference attack.” And who exactly is vulnerable to such attacks? According to the researchers, all mainstream-browser users and most popular-website visitors:

all five mainstream browsers (Chrome, Firefox, Safari, Opera and IE) on both desktop and mobile platforms as well as TorBrowser are vulnerable to geo-inference attacks. Meanwhile, 62% of Alexa Top 100 websites are susceptible to geo-inference attacks

So what can you do to protect yourself? Delete your browser cache on a regular basis — and Yaoqi also recommends you “Never give additional permissions to unfamiliar sites or open it for a long time” and “clear [your] cache after visiting a site with your credentials, e.g. online banking sites.” This still leaves users vulnerable while they're actually visiting a website, though: even if you clear your cache immediately after finishing an online session, the cache remains full during the session.

For nearly as long as there have been telephones, there have been attempts to achieve the goal of "universal service" -- making telephone service available to everyone. There's growing agreement that it's time to expand that effort to broadband Internet service. 

In the latest move, a coalition of 17 public interest groups and six broadband providers have announced their support of the Federal Communications Commission’s goal of bringing the Lifeline phone subsidy program into the modern era by extending the subsidy to broadband service.

Lifeline is a Reagan-era government benefit program that provides a discount on monthly telephone service for eligible low-income subscribers to help ensure they can connect to the nation's communications networks. It is supported by the federal Universal Service Fund (USF).

"There is near unanimous agreement among broadband providers, public interest advocates, and public officials from all levels of government that the FCC should modernize the Lifeline program to make broadband Internet access more affordable for low-income Americans struggling to get online," said Phillip Berenbroick, Counsel for Government Affairs at the non-profit group Public Knowledge.

"Government reports demonstrate that cost is a significant factor preventing Americans from going online to access education, employment, job training, and health care resources," Berenbroick said.

In a letter to the FCC, the groups say “it is time that Lifeline eligible consumers have the opportunity to use their benefit to reduce the cost of subscribing to broadband Internet access service.”

"No good reason"

FCC Chairman Tom Wheeler said last month that the commission was close to finalizing an overhaul of the Reagan-era subsidy program, saying there was “no good reason” that updates to the Lifeline program shouldn’t go forward.

Proposed updates to Lifeline are a key part of the FCC’s plans to address the “digital divide” and should receive a final vote soon, Wheeler said in a speech at think tank New America.

Value investor Warren Buffett is said to be among a group of investors making a bid to acquire the core assets of Yahoo, the moribund internet portal that has been slowly sinking into obscurity.

Press reports, citing unnamed sources, say that Buffett's Berkshire Hathaway has teamed with Quicken Loans founder Dan Gilbert and other investors to make the bid. AOL parent Verizon had been seen as the leading contender to acquire Yahoo's assets.

Buffett is not a fan of high-tech investments and generally sticks to bread-and-butter companies like railroads and food processors, although his group has become a leading investor in community newspapers. 

Yahoo and other websites are generally regarded as technology companies, as illustrated by the way their managers mangle their media components but underneath all the tech hype, a website like Yahoo is not fundamentally different from a TV network or newspaper.

All provide content that is primarily ad-supported but most tech ventures for some reason put editorial functions in the hands of engineers, often producing results that are similar to what would happen if newspapers turned over publishing duties to their pressmen.  

Content still king

Through his investments in community newspapers, Buffett has been seen as voting for the concept that content is king, especially in smaller communities where a local newspaper has a virtual monopoly on local content. 

Gilbert built Quicken Loans and went on to become a professional investor, taking chunks of numerous high-tech and traditional ventures. He also owns the Cleveland Cavaliers.

Verizon's interest in Yahoo is thought to center on the added heft it would bring to AOL, which has emerged as the cornerstone of Verizon's attempt to become a major content player. 

Others thought to be circling Yahoo include Bain Capital, Mitt Romney's former company, and other private equity firms. 

Yahoo once ruled the internet roost with an elaborate catalog of online resources but was displaced by Google's keyword-driven cataloging strategy. It has suffered through an endless series of CEOs, including the incumbent, Marissa Mayer, who left Google to attempt a Yahoo turnaround that most analysts agree has fallen flat.