Follow us:
  1. Home
  2. News
  3. Tech News
  4. Privacy

Privacy

Privacy groups offer “Do Not Track” compromise; will online advertisers and publishers accept it?

Tracking and data-mining might prove too profitable for publishers to willingly abandon

To be tracked, or not to be tracked? That is the question which privacy and advertising groups have debated since the Internet went public.

This week, the Electronic Frontier Foundation (EFF), along with the privacy company Disconnect and a “coalition of Internet companies” proposed a new Do Not Track, or DNT, standard for web browsing.

The EFF's press release said that this new standard, “coupled with privacy software, will better protect users from sites that try to secretly follow and record their Internet activity, and incentivize advertisers and data collection companies to respect a user’s choice not to be tracked online.”

Companies against DNT options

As its name suggests, the Do Not Track project seeks to give users the option to go online without having every website they visit monitored and recorded, or “tracked.” Though popular with everyday Internet users – the potential trackees – Do Not Track efforts tend to generate less enthusiasm among potential trackers.

Indeed, most companies go out of their way to avoid offering Do Not Track options at all. In April 2014, for example, Yahoo updated its privacy policy to say that henceforth, “web browser Do Not Track settings will no longer be enabled on Yahoo.” Google Chrome's “Do Not Track” help page, last updated in October 2012, says that “At this time, most web services, including Google's, do not alter their behavior or change their services upon receiving Do Not Track requests.”

In June 2014 the Digital Advertising Alliance, an advertisers' trade organization, went so far as to urge Internet standards organizations to abandon do-not-track efforts altogether, and especially criticized companies such as Microsoft, which automatically turned on do-not-track signals for certain Internet Explorer users, on the grounds that default DNT settings might not accurately reflect users' desires to be tracked.

Full stop

As industry consultant Alan Chapell said: “There’s no mechanism for anyone in the digital media ecosystem to trust any DNT signal they receive. As a result, the entire framework is open to question. In any other group, this issue would result in a full stop until the questions are addressed.”

So, Reader: if you're worried that Microsoft or some other nefarious entity is secretly not-tracking you when you'd prefer it monitor and record your every online activity, you can take courage from knowing organizations such as the Digital Advertising Alliance have your back.

If, on the other hand, you'd rather not be tracked, you're arguably better represented by pro-Do Not Track groups such as the EFF. And yet, even privacy advocates admit that the current Do Not Track status quo does cause some legitimate problems for advertisers (which is exactly why the EFF is proposing a new tracking standard).

Advertising legitimacy 

Advertising is not inherently bad. Indeed, where free-to-the-consumer media is concerned, advertising is downright necessary: if a website, television channel, or other media provider lets viewers see its content for free, it needs advertising to pay for producing and distributing that content and for paying the taxes that not-for-profit advocacy groups don't pay. 

That's how TV networks operated, in the days before cable and other forms of pay television: viewers paid nothing to watch a program, but advertisers paid to air commercials during the program breaks.

Of course, the advertisers who made old-school TV commercials didn't know exactly who would see their ads, though they could make some educated guesses based on programming content: if someone's watching a televised NASCAR race, it's better-than-average odds that person has an interest in fast cars and car-related accessories, especially compared to the typical viewer of, say, “My Little Pony.”

But such broad interest generalizations pale in comparison to the hyper-specific data collection possible over the Internet. Instead of content-specific ads as seen on TV commercials, the Internet can allow for viewer-specific ads – especially if said viewer's online activities can be fully tracked.

Except that many Internet users object to such tracking for obvious privacy reasons. So to protect themselves, users will install ad blocking software (such as that offered by Disconnect) which can save users' privacy – at the cost of making it harder if not impossible for ad-dependent websites to make any money.

Personal data is golden

Couldn't Internet advertisers simply use content-specific ads, as TV and radio advertisers do? Sure, but they wouldn't be nearly as effective. As the Wall Street Journal noted in its report on the EFF's latest Do Not Track proposal:

Personal data is the currency of the Internet. Advertisers, especially, use it to target specific people for a particular ad based on search terms they have entered, sites they have visited, and so on—an industry worth roughly $50 billion last year.

Publishers can charge between three and seven times more for targeted ads than those placed on Web pages blindly, according to a study funded by the Digital Advertising Alliance. The Do Not Track effort has foundered because many online businesses were unwilling or unable to find another way to make money.

The Digital Advertising Alliance, you might recall, is the same group which last year urged wholesale abandonment of any Do Not Track efforts — and that study, suggesting that targeted ads generate three to seven times more money than non-targeted ads, explains why.

New proposal

Sadly for the Digital Advertising Alliance and similar groups, many Internet users who couldn't opt out of tracking responded with ad-blocking software. Thus, instead of making three to seven times as much ad money off of various viewers, publishers end up making no money at all.

So the EFF, Disconnect, and other privacy-supporting groups are offering what the Wall Street Journal calls a “Do Not Track compromise” [and the EFF dubbed it a “privacy-friendly Do Not Track policy”] allowing Internet users to avoid tracking while still making it possible for web publishers to collect ad revenue.

Here's how it would work: publishers and web companies would agree not to track users who signed on for Do Not Track. Or, “compliant entities should not collect unique identifiers such as cookies, fingerprints, or supercookies from DNT users, unless … the user has given her informed consent,” as EFF said.

Also, publishers would not retain individual visitors' browser and IP address information longer than 10 days, unless they are legally required to do otherwise.

In exchange, the publishers and websites would get to display what the Journal called “the EFF's 'seal of approval'” on their sites, privacy-policy language assuring users the site would not track them. Users with ad-blocking software would then get the option to disable the ad-blockers on that particular EFF-approved website, so that the viewer will potentially see ads (read: generate ad revenue for the website) without having to be tracked in the process. So far the proposal has no real enforcement mechanism, but would largely operate on the honor system.

Disconnect's CEO, Casey Oppenheim, said in support of the proposal that “The failure of the ad industry and privacy groups to reach a compromise on DNT has led to a viral surge in ad blocking, massive losses for Internet companies dependent on ad revenue, and increasingly malicious methods of tracking users and surfacing advertisements online. Our hope is that this new DNT approach will protect a consumer’s right to privacy and incentivize advertisers to respect user choice, paving a path that allows privacy and advertising to coexist.”

To be tracked, or not to be tracked? That is the question which privacy and advertising groups have debated since the Internet went public.

This week, the Electronic Frontier Foundation (EFF), along with the privacy company Disconnect and a “coalition of Internet companies” proposed a new Do Not Track, or DNT, standard for web browsing.

The EFF's press release said that this new standard, “coupled with privacy software, will better protect users from sites that try to sec...

Not sure how to choose?

Get expert buying tips about Privacy delivered to your inbox.

    Thank you, you have successfully subscribed to our newsletter! Enjoy reading our tips and recommendations.

    We value your privacy. Unsubscribe easily.

    Recent Articles

    Sort by:

    2016 likely to hold more dangerous data breaches

    Consumers could be collateral damage in cyber war

    This year has been marked by a series of serious data breaches, exposing the personal information of millions of U.S. consumers.

    One of the most serious was reported in October, when hackers broke into an Experian system and gained access to confidential information about 15 million consumers who had applied for credit at T-Mobile.

    Experian Data Breach Resolution has surveyed the landscape and offered predictions for what 2016 holds in terms of keeping consumer data secure. While some current issues remain relevant, there are a few emerging areas that organizations should watch out for to be better prepared.

    Making major mistakes

    "We saw different types of breaches this year, and one of the major mistakes companies often make is taking a one-size-fits-all approach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately, the reality is that no data breach is the same, and a wide variety of unique circumstances need to be considered in a data breach response plan."

    One of the trends Experian foresees is the escalation of cyber-attacks among nations. When that happens, consumers and businesses tend to become collateral damage.

    As nation-states continue to move their conflicts and espionage efforts to the digital world, the company predicts there will be more incidents aimed at stealing corporate and government secrets or disrupting military operations.

    When that happens, one of the risks is exposure of information about millions of individuals. On the other hand, business data might be compromised more in 2016, or we could see an increase in large public-sector data breaches that expose millions of personal records.

    New-age warfare

    "This is new-age warfare and, as individuals, we need to pick up the pieces if we have been affected and our personal information has been exposed," said Bruemmer. "The public should not be complacent about identity protection. It's important to practice good security habits on an ongoing basis and monitor accounts frequently to catch fraud early."

    Experian Data Breach Resolution also predicts hackers with a political or ideological agenda will become more active, trying to damage the repuation of a company or cause. There have already been a few over the last couple of years.

    These hackers aren't in it for the money, meaning companies must revise their response plans and consider all possible scenarios.

    "This was the new twist to the data breach landscape in 2015, with thieves leveraging stolen data to embarrass or harm companies," said Bruemmer. "Unfortunately, consumers are the pawns in the game, and they are victimized in the process.”

    Personal harm or embarrassment

    Being associated with the organization under attack, consumers may also suffer personal harm or embarrassment if their information is exposed. If an organization has a polarizing or controversial mission, it should consider this scenario and how it will take care of its constituency should a breach occur, Bruemmer said.

    And that leads us to the 2016 presidential race. Bruemmer says political campaigns are likely to be tempting hacking targets.

    "For a fame-hungry criminal or motivated detractor, this is an attractive platform,” Bruemmer said.

    Bruemmer says all candidates, parties, and organizations had better be prepared by securing their systems and having incident response plans in place.

    This year has been marked by a series of serious data breaches, exposing the personal information of millions of U.S. consumers.One of the most serious...

    AT&T helped NSA spy on United Nations, foreign emails and 1.1 billion US phone calls per day

    Company's cooperation with spy agency stands out even by dismal post-9/11 privacy standards

    This has been an especially rough summer for the poor devils working in AT&T;'s public relations department (to say nothing of the poor devils who are actual AT&T; customers). Two months ago, the feds levied a record-breaking $100 million fine against the company for its practice of throttling the connections of unlimited data customers – to the extent that customers with “unlimited” plans actually got as little as one-sixth as much data per billing period as was available to customers of AT&T;'s then-lowest metered-data plan.

    (The company is fighting the fine in court, arguing that its data-throttling activities didn't actually harm any consumers, and the fine should be reduced from $100 million to no more than $16,000.)

    Though perhaps the throttled-data folks did turn out to be the lucky ones. After all: the less data you send and receive over AT&T;'s network, the less data AT&T; can share with the Feds about you. Just yesterday, ProPublica and the New York Times reported that an in-depth analysis of documents released by whistleblower Edward Snowden shows that AT&T; has shown an “extreme willingness to help” the National Security Agency spy on people's electronic communications, to the point where, by 2011, the company gave the NSA more than a billion domestic cellphone records every single day, as the Times said:

    In 2011, AT&T; began handing over 1.1 billion domestic cellphone calling records a day to the N.S.A. after “a push to get this flow operational prior to the 10th anniversary of 9/11,” according to an internal [NSA] newsletter. This revelation is striking because after Mr. Snowden disclosed the program of collecting the records of Americans’ phone calls, intelligence officials told reporters that, for technical reasons, it consisted mostly of landline phone records.

    Mass surveillance 

    This domestic (in-country) spying is in addition to what the company is doing in the rest of the world: “by 2013 the program was processing 60 million foreign-to-foreign emails a day.”

    But American citizens and residents, plus email address holders throughout the world, aren't the only ones AT&T; is monitoring on behalf of the NSA; the company also helped the agency spy on all Internet traffic at United Nations headquarters in New York City. (Previous Snowden documents said that such activities were going on, but didn't identify the telecom responsible.) The United Nations paid AT&T; $1 million per year to operate its fiber optic network.

    Of course, AT&T; is hardly the only company turning over massive amounts of data to the NSA. Remember that in summer 2013, when news first broke of secret documents confirming that the NSA and FBI were indeed engaged in mass surveillance of pretty much everything that went through the central servers of leading U.S. Internet companies (and before former NSA contractor Edward Snowden publicly revealed himself to be the source), initial reports mentioned nine Internet companies cooperating with the program: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.

    Meanwhile, the first telecom named as part of the surveillance program was not AT&T; but Verizon, as Glenn Greenwald reported for the Guardian on June 6, 2013: “The National Security Agency is currently collecting the telephone records of millions of U.S. customers of Verizon, one of America's largest telecoms providers, under a top secret court order issued in April.”

    Decades-long partnership with government

    So why is AT&T; singled out for special attention? Partly because the public has only now learned certain AT&T-specific; details, but mainly because even by post-9/11 standards, wherein American companies and organizations can be legally obligated to both support government spying efforts and say nothing about it (thus giving rise to the practice of “warrant canaries”), AT&T; has been unusually willing to cooperate with the National Security Agency. Other companies might be forced to hand data over to the government, whereas AT&T; is more likely to volunteer.

    For that matter, AT&T;'s partnership with the NSA apparently started in 1985, well before the 9/11 terrorist attacks offered any justification for mass government surveillance.

    In 1984, the old “Ma Bell” telephone monopoly was broken up, with pieces of it transformed into other companies. Ma Bell's former long-distance division became AT&T; Communications. The following year, that new company became a secret partner in the NSA's then-new “Fairview” program.

    Not that AT&T; or the NSA has admitted to this; such information only became disclosed yesterday, after the New York Times and ProPublica deciphered the NSA documents and published their findings. As ProPublica said:

    An analysis of the Fairview documents by The Times and ProPublica reveals a constellation of evidence that points to AT&T; as that program’s partner. Several former intelligence officials confirmed that finding. A Fairview fiber-optic cable, damaged in the 2011 earthquake in Japan, was repaired on the same date as a Japanese-American cable operated by AT&T.; Fairview documents use technical jargon specific to AT&T.; And in 2012, the Fairview program carried out the court order for surveillance on the Internet line, which AT&T; provides, serving the United Nations headquarters.

    Indeed, the NSA's very ability to capture mass Internet traffic on American soil is based on the agency's “extraordinary, decadeslong partnership” with AT&T.;

    "Extreme willingness to help"

    One internal NSA document described the collaboration with AT&T; as “highly collaborative” and another praised the company for its “extreme willingness to help.”

    Despite all of this, AT&T; has publicly maintained that it shares people's private data with the government “only to the extent required by the law,” as it said in a December 2013 letter to the Securities and Exchange Commission (.pdf here).

    More recently, AT&T; spokesman Brad Burns said in a joint statement to ProPublica and the New York Times that “We do not voluntarily provide information to any investigating authorities other than if a person’s life is in danger and time is of the essence.”

    In light of the 1.1 billion American cellphone calling records which AT&T; shares with the NSA every single day, compared to the 318.9 million people who live in the United States, Burns' statement and that previous SEC filing suggest one of two possibilities must be true:

    1. On average, a typical American citizen or resident gets kidnapped, held hostage or otherwise in need of time-sensitive life-saving surveillance-requiring police assistance more than three times per day, every day; or

    2. The extent of spying and surveillance “required by the law” is far greater than anybody previously imagined.

    This has been an especially rough summer for the poor devils working in AT&T's public relations department (to say nothing of the poor devils who are actua...

    DealerApp spied on prospective car buyers

    The app gathered data and provided it to third parties without telling consumers

    If you've spent any time browsing car dealers' sites lately, chances are you've been invited to download an app that would supposedly make your car-shopping faster, easier, and so forth.

    Some apps might really do that but you may pay an unexpected price for it in lost privacy.

    That's what brought DealerApp Vantage LLC to the attention of the New Jersey Division of Consumer Affairs.  The Piscataway, N.J., company develops apps for hundreds of car dealers, each of them customized to reflect the dealer's brand.

    But the state agency says that besides providing information to consumers and the dealers who host the app on their websites, DealerApp Vantage also collects and disseminates app users' personal information without their knowledge or permission.

    “Online consumers, like all other consumers, have the right to control who can view or transmit their sensitive and private personal information,” said Acting Attorney General John J. Hoffman. “This settlement will assure that the alleged violations of consumer privacy committed by DealerApp will no longer occur and will send a message to companies that violate their customers’ privacy that such conduct is unacceptable.”

    Never informed

    The state charged that consumers were never informed that the apps transmitted personal information, not only to the dealership, but also to DealerApp. In addition, the dealerships that bought and utilized apps from DealerApp were also unaware that the company was transmitting the personal information of their customers to DealerApp.

    The personal information collected by the apps and allegedly transmitted to DealerApp included the consumer’s name, email address, telephone number, and the Vehicle Identification Number (VIN) of the vehicle purchased, among other data. The state alleged that DealerApp failed to disclose to consumers that this data was being transmitted by DealerApp, in violation of the New Jersey Consumer Fraud Act. Some of the data was provided to third-party data analytics companies, again without disclosure, the state charged.

    About 500 dealers world-wide, including 38 in New Jersey, are DealerApp clients.

    “The number of threats to online privacy appear to be growing by the day,” said Steve Lee, Acting Director of the New Jersey Division of Consumer Affairs. “No one should be able to profit from the personal information of others that has been obtained through cyber fraud or violations of privacy.”

    Settlement details

    Among other things, under terms of the settlement, DealerApp must:

    • clearly and conspicuously disclose to its dealership customers the types of personal information it collects through its apps;

    • provide disclosures within its privacy policies that clearly and conspicuously disclose the types of personal information it collects from consumers through its apps;

    • provide disclosures within its privacy policies that clearly and conspicuously disclose its use of any third-party data analytics companies and what information such companies may collect from consumers’ use of its apps;

    • not sell, rent, or otherwise transfer personal information to persons or entities other than the dealership customer for which the mobile app in question was customized, without those consumers’ express consent or providing proper disclosure and offering a mechanism for opting-out such practice; and

    • not engage in any unfair or deceptive acts or practices in the conduct of any business, and complying with all applicable laws and regulations in its future business dealings.
    Photo: DealerApp.comIf you've spent any time browsing car dealers' sites lately, chances are you've been invited to download an app that would suppos...

    VA Loses Data on 26 Million Veterans

    Employee Claims Laptop With Sensitive Data Was Stolen

    In the latest laptop data theft, the Veterans Administration says that 26.5 million veterans' personal information is at risk because of a burglary at an e...

    Data Thieves Hit Stop & Shop

    Card Readers Tampered With, PIN Numbers Stolen

    Quincy, Massachusetts-based Stop & Shop Supermarkets reports that several of its stores have been hit by thieves who tampered with checkout-lane card reade...

    Hackers swipe confidential files on 4 million federal workers

    Second major breach in a year of federal personnel records

    Hackers have gained access to confidential personnel records of more than 4 million current and retired federal employees, the U.S. Office of Personnel Management (OPM) said late Thursday. It's the second major breach of federal personnel records in a year.

    "The FBI is working with our interagency partners to investigate this matter," the FBI said in a statement Thursday night. "We take all potential threats to public and private sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace."

    OPM, the federal government's equivalent of a private company's Human Resources department, said it couldn't say exactly what data the hackers took but said it could be used in "spear-phishing" attacks -- emails designed to make targets think they are dealing with a legitimate request. 

    For example, a hacker might have enough information to trick a federal employee into thinking an email came from a colleague or an OPM official.

    News of the breach was not well received on Capitol Hill.

    “Today's reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees – the second major breach in a year," said Sen. Mark Warner (D-Va.), a member of the Senate Select Committee on Intelligence. "Cyberattacks present a critical threat to our national security and our economy.  We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”

    Chinese involvement?

    It's one of the largest hacks of government information ever and unofficial reports said the attack bore the markings of the Chinese government.

    OPM said it detected the breach in April -- while it was trying to clean up after a March 2014 hack attack -- and the Department of Homeland Security (DHS) said it had concluded "at the beginning of May" that sensitive data had been stolen. Why it took more than a month to inform taxpayers and federal employees of the breach wasn't explained.

    In a typically oblique statement, OPM said -- in effect -- that it had stumbled onto the attack while attempting to shore up its defenses:

    Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.

    "OPM immediately implemented additional security measures to protect the sensitive information it manages," the statement concluded.

    Sen. Warner said he is currently preparing to introduce data breach legislation that would create a "comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information," presumably one that would require businesses and government agencies to notify employees as soon as intrusions are detected.

    Warner chaired the first hearing in Congress in the aftermath of a breach of the retailer Target.  On the heels of that hearing, Sens. Warner and Mark Kirk (R-Ill.) called for the private sector to cooperate in creating Information Sharing and Analysis Centers (ISACs) to share information on data breaches, something the retail and financial services industries now have pursued on a voluntary basis.

    Additionally, Sens. Warner and Kirk introduced legislation in the last Congress to strengthen consumer protections for debit cardholders by capping liability for fraud at $50, the same amount as for credit cards.  Sen. Warner currently is working on legislation to require enhanced private sector data security measures and consumer breach notification.

    What to do

    Here's the advice OPM offered to federal employees whose records may have been lost due to its inability to safeguard them:

    • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
    • Request a free credit report at www.AnnualCreditReport.com
    • Review resources provided on the FTC identity theft website, www.identitytheft.gov.
    • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Call TransUnion at 1-800-680-7289 to place this alert.  TransUnion will then notify the other two credit bureaus on your behalf.

     

    Hackers have gained access to confidential personnel records of more than 4 million current and retired federal employees, the U.S. Office of Personnel Man...

    EPIC fail for Uber's new privacy policy: FTC asked to block “deceptive data collection”

    Electronic Privacy Information Center files anti-Uber complaint on Monday

    The Electronic Privacy Information Center (EPIC), a non-profit privacy rights group, has filed a complaint with the Federal Trade Commission asking that the FTC halt the “unfair and deceptive data collection practices” which car-sharing company Uber plans to impose on customers starting in mid-July.

    Among other things, Uber's new “User Privacy Statement” claims the right to track its users even when they're not currently using the app.

    Uber's posted announcement of this update included the sentence “We value your privacy and encourage you to review the new statement” prominently backlighted in blue at the top of the page. When you scroll down to the fourth full paragraph, you find this:

    Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

    In other words: when the app is on, we can use it to track your location, and when it's not, we can use your IP address instead. The policy goes on to say that it can use your address-book contact information “to facilitate social interactions through our Services and for other purposes,” a polite way of saying they can spam anybody in your email contact list.

    Lax Views on Privacy

    Uber already has a storied history of coming under fire for its lax views on privacy. Last November was a particularly bad month for Uber's public relations department. First, BuzzFeed reported that Uber executive Emil Michael floated the idea of handling any criticism of the company by digging up dirt on any journalists who dared criticize it.

    When an editor from the website PandoDaily accused Uber of “sexism and misogyny” for apparently working with a French “escort service,” Michael suggested, among other things, that Uber's dirt-diggers could expose the editor by proving a very particular, specific (and presumably unflattering) claim about her personal life.

    Such an attitude arguably sounds bad expressed by any company executive, but are especially damaging coming from a tech company like Uber which, by its very nature, has access to lots of information which customers might prefer to keep private — in Uber's case, its business model ensures that it knows where its customers live, what places they visit, and when. (Indeed, with such information, you could prove lots of particular and specific claims about various people's personal lives, no?)

    Also last November, it came out that an Uber executive had used a program called “God View” to track a journalist's location and movements. Not that “God View” itself was breaking news by then; the previous month, Forbes magazine reported that Uber used “God View” as a form of entertainment at company launch parties, letting staffers enjoy watching real-time “God's eye” views of Uber passengers at that moment, including their identities, current locations and trip itineraries.

    Then, a couple of days before Thanksgiving, Newsweek reported Uber's tendency to advertise its services by sending “ghost texts” – spammy messages allegedly sent from Uber drivers that urged their friends to sign up as well, except the drivers never sent their friends such messages, and didn't even know about them.

    A host of complaints

    EPIC's complaint (available as a .pdf here) lists all of these anti-Uber complaints and several more, and also quotes the proposed new privacy policy before spelling out some of its implications:

    Uber’s Revised Business Practices Will Allow the Company to Routinely Track the Location of Internet Users Even When They are not Customers of Uber

    Uber’s revised privacy policy creates several risks for American consumers. Uber will now collect the precise location of the user when the app is running in the foreground through traditional GPS location services. Uber will also collect precise location information if the app is operating in the background. On phones running iOS, this means that Uber may be able collect location data even after an app has been terminated by the user. … Further, given Uber’s statement that it will collect location data from a user’s device only “[i]f you permit it to,” a user would reasonably assume that the company does not track his or her location by other means. In fact, Uber may continue to “derive your approximate location from your IP address.”

    EPIC's complaint does go on to note that Uber claims “it will allow users to opt-out of these features,” but says Uber's “change in business practices places an unreasonable burden on consumers and is not easy to exercise: while iOS users can later disable the contact syncing option by changing the contacts setting on their mobile devices, the Android platform does not provide any such setting. These statements could lead users to believe that that [sic] they can choose to not share location data with the company after downloading the app, which is not true.”

    The 23-page complaint also points out that “prior to the emergence of Uber and similar services, American consumers could routinely hire taxis without any disclosure of personal information or tracking of their location.” EPIC asks the Federal Trade Commission to investigate Uber's business and data-collection practices; investigate Uber's “possible violation of the Telephone Consumer Protection Act”: “Halt” Uber's collection of contact list information and user location data unless it is required for actual provision of the service; and also investigate other companies engaged in similar practices.

    But representatives for Uber say neither EPIC nor the FTC have any reason for complaint. Spokeswoman Jessica Santillo said that “We care deeply about the privacy of our riders and driver-partners. These updated statements don't reflect a shift in our practices, they more clearly lay out the data we collect today and how it is used to provide or improve our services.”

    The Electronic Privacy Information Center (EPIC), a non-profit privacy rights group, has filed a complaint with the Federal Trade Commission asking that th...

    Stagefright security flaw leaves 95% of Android devices vulnerable to hackers

    Android versions 2.2 and later are at risk

    Early today, security researchers announced their discovery of six massive software vulnerabilities which leave up to 95% of all Google Android devices at major risk of being hijacked by hackers. (The 95% number is based on the estimate that there are currently 1 billion Android phones and tablets in the world, with 950 million of them at risk — any device running version 2.2 or later is vulnerable.)

    Joshua Drake from Zimperium zLabs discovered the critical flaws inside the source code for AOSP, the Android Open Source Project.

    Zimperium's Z Team announced the discovery in a Monday blog post:

    Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. … [Drake] discovered what we believe to be the worst Android vulnerabilities discovered to date …. multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.

    No protection from hack

    In other words: Stagefright leaves your Android device so vulnerable that hackers could (at least in theory) hijack your device without your knowledge and without any activity from you.

    Most “beware of the hacker” news articles you read advise you to protect yourself by avoiding certain actions: do not download any unsolicited file attachments, do not click on strange links in emails or texts, do not return hang-up phone calls from numbers you don't recognize.

    What makes Stagefright so scary is that there's no similar “Avoid this and you'll be safe” action: in order to seize control of your device, a hacker need only send you a file containing malicious code – and can then take control whether you respond to that sent file or not.

    “These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Drake said. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”

    Complete control

    If this happens, the hacker has pretty much complete control over the device, including camera and audio recording functions – which means the hackers can spy on anything in range of the device. Furthermore, Drake says, “Sophisticated attackers could also create what we call ‘elevated privileges,’ which would provide complete access to the phone’s data.”

    The one bit of good news is that so far, there doesn't seem to be any evidence indicating that hackers have taken advantage of Stagefright. Drake said Zimperium has sent the necessary patch to Google.

    However, given the structure of the current cell phone industry, Google itself can't really get the patch to customers who need it – the individual phone and tablet manufacturers whose devices run on Android (versions 2.2 or later) do, and as Vice's Motherboard blog noted, “it’s anyone guess when that’ll happen. Historically, some manufacturers have taken months to issue even critical patches. At times, for devices older than a year or 18 months, patches never come.”

    Joshua Drake ended his Zimperium post with the suggestion that consumers “contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated [with] the requisite patches,” and an additional plea to the makers and sellers of such devices: “If you’re part of any of the various parties that ship derivative versions of Android that might be affected, we encourage you to reach out to obtain the patches from us directly.”

    Early today, security researchers announced their discovery of six massive software vulnerabilities which leave up to 95% of all Google Android devices at ...

    Windows 10 automatically grants home wi-fi network access to your Outlook and Skype contacts

    You have to change your network name if you want to opt out of this

    Microsoft officially launched its new Windows 10 operating system last night, offering free upgrades to current Windows 7 and 8 users who make the switch within the next year.

    Before the rollout, Microsoft trumpteted the various new security features that Windows 10 would offer, so it's arguably ironic that the operating system comes pre-installed with a security flaw touted as a connectivity advantage: a feature called Wi-Fi Sense which, unless you deliberately opt out of the default setting, automatically shares your Wi-Fi network password with all of your contacts in Outlook, Hotmail, and Skype. (You can also share your network password with Facebook “friends,” but that's not automatic; it requires you to opt in.)

    More specifically, it doesn't actually hand out your password to your contacts; it “merely” shares an encrypted version of your password and stores it on Microsoft's servers, thus allowing anyone in your contact list to use your Wi-Fi network when they visit you at home, or merely happen to be in range of it. Or maybe when they're breaking into your house.

    Opting out

    Wi-Fi Sense's FAQ page claims to offer “answers to some questions you might have about Wi-Fi Sense.” Unfortunately, it does not answer the question “Where the hell did Microsoft get the idea that if I exchange an email with someone, this means I want that someone to have access to my home Wi-Fi network?”

    According to Microsoft, the only way to opt out of Wi-Fi Sense is by changing the name of the network to include the phrase _optout (note the underscore symbol before the word). Microsoft offered as an example the name mynetwork_optout. However, Microsoft also says that “It can take several days for your network to be added to the opted-out list for Wi-Fi Sense. If you want to stop your network from being shared sooner than that, you can change your Wi-Fi network password. For more information about how to do that, check the documentation for your router or access point.”

    Don't forget that if you change your Wi-Fi network name, you and everyone in your household will then have to re-connect your devices to the newly named network.

    "Disaster waiting to happen"

    Security expert Brian Krebs, who called the automatic password-sharing “a disaster waiting to happen,” noted that, although Wi-Fi Sense has been a feature on Windows Phone for quite awhile, that was “less of a concern” because Windows Phone has only a tiny share of the mobile device market, which is largely dominated by Android and Apple iOS. However, “embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.”

    If you intend an upgrade to Windows 10 but have not yet done so, make sure you change the name of your Wi-Fi network to include _optout before you make the upgrade. Krebs also recommends that “While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt-out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name.”

    Microsoft officially launched its new Windows 10 operating system last night, offering free upgrades to current Windows 7 and 8 users who make the switch w...

    AT&T showed "extreme willingness" to help NSA spy on Americans, report alleges

    More than its competitors, AT&T said to be an eager participant in government spying

    AT&T; outshone its competitor Verizon in at least one area in recent years -- it bent over backwards to help the National Security Agency (NSA) spy on Americans' Internet usage, according to The New York Times, which based its report on classified documents released by Edward Snowden.

    One document cited AT&T; for its "extreme willingness to help" the NSA get access to billions of emails. The company also provided technical assistance in carrying out a secret court order allowing the wiretapping of all Internet communications at the United Nations, the report in Sunday's editions said.

    The Snowden documents have given added credence to earlier allegations that AT&T; was an active partner in NSA's spying efforts. In 2006, a class action lawsuit charged that AT&T; had granted the NSA access to its vast database of customer information.

    The NSA's secret budget for its AT&T; program was more than twice as large as similar programs with its nearest competitor and included the installation of surveillance equipment at 17 of its Internet hubs, far more than Verizon.

    Still operating?

    Whether the surveillance programs are still operating isn't known. After Snowden's revelations two years ago, a public outcry supposedly led to the suspension of at least some of the NSA's domestic spying activities.

    But while saying it has cut back on some of its spying activities, the federal government continues to fight efforts to make details of the programs public. Federal law makes it a crime to reveal the existence of classified programs but no law makes it a crime to lie to the public about the existence or non-existence of such programs.

    The Obama Administration recently argued in a court case that public discussion of telecom surveillance would make any such programs ineffective and pose a threat to national security.

    Federal officials, long accustomed to what some might call the lap-dog behavior of the old-line telecom companies, have been perplexed by the attempts of Internet newcomers to thwart government efforts to spy on their customers.

    In May, a coalition of privacy groups and tech companies urged President Obama to veto any legislation expanding federal surveillance after FBI Director James Comey suggested that Congress make it illegal for tech companies to encrypt customer communications. Comey said he found it "depressing" that companies would try to protect their customers against rampant surveillance.

    "Collect everything"

    Last September, Apple CEO Tim Cook obliquely criticized the government's efforts to enlist private companies in its surveillance activities.

    “I don’t think that the country or the government’s found the right balance. I think they erred too much on the collect everything side. And I think the [U.S.] president and the [Obama] administration is committed to kind of moving that pendulum back,” Cook said in a televised interview.

    Cook also said that Apple,had "never worked with any government agency from any country to create a backdoor in any of our products or services." Observers noted at the time the Cook did not deny that Apple may have provided information to the government, merely that it had not allowed the feds to reach in and grab it.

    AT&T outshone its competitor Verizon in at least one area in recent years -- it bent over backwards to help the National Security Agency (NSA) spy on Ameri...

    Nine major models of Internet-connected baby monitors are extremely vulnerable to hacking

    Security researchers could hack into home-monitoring systems with ease

    Ever since wireless or Internet-connected home baby monitors and security systems became commonplace, there have been equally commonplace warnings about how easily hackers can break into these systems.

    There even exist voyeurism websites dedicated to streaming or archiving camera footage from unprotected Internet protocol (IP) cameras – almost always without the camera owners' knowledge. Last April, for example, a Minnesota family learned this the hard way after they discovered that hackers had hijacked the “nanny cam” in their baby's room – and posted surreptitious baby photos on a foreign website.

    Yet recent research by the Rapid7 cybersecurity firm suggests that the majority of home baby monitors on the market today remain extremely vulnerable to hack attacks. Rapid7's white-hat hackers were successfully able to exploit vulnerabilities in nine different models of baby monitor. Worse yet, many of those vulnerabilities are inherent to their systems – meaning that even security-conscious and tech-savvy users cannot fix them. Mark Stanislav and Tod Beardsley co-wrote Rapid7's report, which is available as a .pdf here.

    Increased hacking threat

    Most baby-monitor-hacking stories emphasize the obvious privacy threats to the baby and others in the house. But Stanislav and Beardsley, in their executive summary, pointed out that the threat stretches much farther than that:

    While Rapid7 is not aware of specific campaigns of mass exploitation of consumer-grade IoT [Internet of things] devices, this paper should serve as an advisory on the growing risk that businesses face as their employees accumulate more of these interconnected devices on their home networks. This is especially relevant today, as employees increasingly blur the lines between home networks and business networks through routine telecommuting and data storage on cloud resources shared between both contexts.

    In other words: any Internet connection, or device with one, has the potential to be hacked. And if a hacker successfully breaches security for one of your Internet-connected devices, there's a good chance he can piggyback from there to breach the security of anything else connected to it.

    So let's say a hacker secretly breaches your baby-cam or other home-security network. You then use your smartphone to watch camera footage while you're out running errands; now the hacker can get into your smartphone. And when you use the phone to check your messages at work, that gives the hackers access to your corporate network, so your personal, private hacking problem might now place the entire company you work for at risk.

    Though the risk to your family is bad enough. Just last week, an unknown hacker used a breached baby monitor to harass a family in Indianapolis. Jared Denman said that his wife was playing with their two-year-old daughter when the baby monitor suddenly started playing music: the 1980s creepy-stalker anthem “Every Breath You Take,” by The Police. Once the hacker realized he had the mother's attention, he started making “sexual noises” over the speaker. Turns out the Denmans, like many baby-monitor buyers, had made the mistake of not changing the system's factory-set username and passwords, which meant anyone who knew them could break in.

    Monitoring devices fail security test

    Yet even consumers savvy enough to avoid such obvious mistakes still can't be certain their privacy is protected when there's a baby monitor in the house. When Rapid7 tested nine different models of baby monitors, said Mark Stanislav, “Eight of the 9 cameras got an F and one got a D minus. Every camera had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”

    The tested baby monitors included various models produced by Gyonii, Philips, Lens Peek-a-view, Summer Baby Zoom, TRENDnet, WiFiBaby, Withing, and iBaby. A chart on page 7 of Rapid7's report (page 9 of the online .pdf) lists the vulnerabilities found in each specific model.

    Some security flaws were more glaring than others. The Philips In.Sight model, according to Stanislav, streams live video onto the Internet without so much as requiring a password or account to protect it. With Summer Baby Zoom, the researchers learned, there's no authentication process to allow new viewers to see specific camera feeds; anyone who wishes to can simply add themselves.

    According to the timelines in Rapid7's report, the researchers informed various vendors of these security flaws in early July. Yet Stanislav said that of all the companies he contacted, Philips was the only responsive vendor.

    Protect your privacy

    While the vulnerabilities exposed byRapid7 can't be entirely eradicated, there are ways users can reduce the possibility of electronic eavesdropping. For example, unencrypted video files or other data is most vulnerable to hacking when viewed over a public WiFi network, so if you must remotely view unencrypted video, Stanislav recommends using a cell phone Internet connection instead.

    Parents should also keep baby monitors unplugged when they're not in use, use secure passwords, change them frequently, and make sure the device's software is always up-to-date. You might also consider setting up a search-engine email alert so that you are notified anytime a news story mentioning your model of baby monitor gets published; if new security flaws or fixes are announced, that would probably be the quickest, easiest way to ensure you hear about it.

    Ever since wireless or Internet-connected home baby monitors and security systems became commonplace, there have been equally commonplace warnings about ho...