Google's Privacy Invasion: It's Your Fault

Πηγή: Information Week Security
By Thomas Claburn

Feb 20 2012

If we really wanted privacy, we would turn off JavaScript, block ads, and browse in privacy mode through an anonymous proxy. But we would rather have free services.

Google stepped in it, again. The company was caught bypassing the privacy settings of those using Apple's Safari Web browser, which unlike other major browsers blocks third-party cookies by default. Google, like just about every other online company, relies on cookie files to improve ad relevancy, to identify users, and to deliver online services.

The Wall Street Journal, which Friday broke the story as part of its ongoing investigation into online privacy, reports that Google, along with at least three other advertising companies--Vibrant Media, WPP PLC's Media Innovation Group, and Gannett's PointRoll--"exploited a loophole in the browser's privacy settings" to place a cookie file on OS X and iOS devices such as iPhones using Safari.
The incident has prompted Consumer Watchdog, a consumer advocacy group critical of Google's privacy practices, to call for intervention from the Federal Trade Commission. Another consumer advocacy group, the American Consumer Institute, said, "Google’s willful disregard for the privacy choices of consumers and the privacy policies of Apple is a new low even for Google."

Google insists the Wall Street Journal report "mischaracterizes what happened and why." The company says it "used known Safari functionality to provide features that signed-in Google users had enabled" and that it did not collect personal information.

[ Google has been under fire for its planned privacy policy change. Read Google Rejects EU Request On Privacy Policy Consolidation. ]

Google hasn't helped its case by ceasing to use the HTML code that overrode Safari's default behavior. That looks like an admission of guilt. But let's step back for a moment and examine the situation.

The American Consumer Institute's contention Google willfully disregarded "the privacy choices of consumers and the privacy policies of Apple" isn't accurate.

Google disregarded the privacy choices of Apple, which chooses to block third-party cookies by default in its browser. And Google has nothing to do with Apple's privacy policies, which describe how Apple handles customer data.

Google argues that it manipulated Safari to resolve contradictory browser settings. Safari blocks third-party cookies by default. At the same time, Apple has implemented exceptions to Safari's third-party cookie blocking to allow social features like the +1 button to function.

Rachel Whetstone, SVP of communications and public policy, said in a statement that Google deployed its workaround code "to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them."

The fact that other Google cookies got set, Google insists, was accidental. "The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Whetstone explained. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Were it not for the fact that Google's advertising cookie opt-out help page stated explicitly that Safari's default setting was the functional equivalent of opting out, Google's explanation might suffice.

But rewind now to the July 2011 release of OS X Lion. With Lion came Safari 5.1, which included for the first time third-party cookie blocking by default.

Could Apple's decision to block third-party cookies by default have been influenced by its competition with Google, a company that depends on advertising and cookies?

John Battelle, who runs advertising company Federated Media and has written about Google for years, suggests as much in a thoughtful blog post. "Might it be possible that Apple is using data as its weapon, dressed up in the PR friendly clothing of 'privacy protection' for users?" he asks.

Indeed, it's possible.

But Apple is too clever to be caught taking direct action to hinder its competition without plausible deniability. The company has recognized that justifying its actions by claiming security, privacy, or user experience benefits will make almost any change acceptable.

Apple's refusal to support Flash on iOS devices represents an example of this. Its claims about security and performance issues affecting Flash on mobile devices were fair enough. But by shunning Flash, Apple achieved a business benefit: It crippled a competing development platform.

Apple's Gatekeeper in its forthcoming OS X Mountain Lion offers another example. Apple's next Mac operating system will block the installation of apps from third-party developers without an Apple Developer ID by default. This is perfectly justifiable on the grounds of security (even if it undermines Apple's previous assertions that malware isn't a problem on the Mac). But it will also serve to reinforce Apple's control of the OS X software sales channel.

Apple's decision to block third-party cookies by default has extra cover: The RFCs that define how browsers should handle cookies indicate that third-party cookies should be blocked by default. The major browser makers have not followed this recommendation, choosing instead to rely on P3P, an automated mechanism for communicating privacy preferences that's generally seen as a compromise between privacy ideals and business needs.

If we accept Google's explanation that this was an accident at face value, and assume that Apple too is blameless and only wants the best for its users, what are we left with? Is the Wall Street Journal too hard on Google because its owner, Rupert Murdoch, thinks Google steals content, and perhaps goes easy on Apple to secure better access to exclusives? Are consumer advocacy groups focused on Google because Google bashing makes headlines, which help with fundraising?

No, let's put the blame where it belongs, on us, the users of the Internet. We rely on free services like Gmail while insisting on "privacy," a term that we probably can't even define to our collective satisfaction. We accept terms of service contracts and privacy policies that explain in excessive detail how we will not get privacy, how our information will be used, and then we object.

So instead of privacy, let's talk about control. You do have some of that, still. Make some choices about how your information will be used--because it will be used--instead of accepting default settings.

If you object to the way Google does business, use ad-blocking software. This is what the Electronic Frontier Foundation recommends, at least until Google implements Do Not Track in Chrome. Perhaps everyone will follow this advice, Google will collapse, and then we can all just go back to fee-for-service computing. How does a $0.25 per search and $99 for an Android 5.0 upgrade sound?

Here's to hoping that Google offers a paid membership option that disables all information collection and advertising across all its services. Then we will finally be able to see what the absence of privacy is worth.

Lawmakers target Google over privacy laws

Πηγή: Foxnews
Feb 18 2012

WASHINGTON – Three congressmen on Friday called on the Federal Trade Commission to investigate Google Inc., after The Wall Street Journal reported that the Internet giant was bypassing privacy settings of people who used Apple Inc.'s Web browser on phones and computers.

The lawmakers—Edward J. Markey (D., Mass.), Joe Barton (R., Texas) and Cliff Stearns (R., Fla.)—want to know if Google's behavior "constitutes a violation" of a privacy settlement Google and the Federal Trade Commission signed last year. Breaches of the settlement could bring fines of as much as $16,000 per violation per day.

"The FTC is aware of the situation," an agency spokeswoman said. At least two consumer groups also asked the FTC to investigate Google's behavior, which allowed the company to track Web-browsing habits of people using Safari browser software even if they intended for that kind of monitoring to be blocked.

At the heart of the complaints is the fact that, until recently, a page on Google's site told Safari users they could rely on the browser's settings to prevent tracking by Google. Among other things, the FTC settlement barred the company from misrepresenting its privacy practices to users.

"Google falsely told Safari users that they could control the collection of data…when in fact Google was circumventing the preference," wrote John Simpson, the privacy-project director with the advocacy group Consumer Watchdog. Another advocacy group, the Electronic Privacy Information Center, also made similar charges.

Google said it has stopped its practices and deleted the associated tracking files, after being contacted by the Journal. "We are taking immediate steps to address their concerns," a Google spokesman said of the congressmen's letter.

"We are happy to answer any questions regulators and others may have," the Google spokesman said.

Sen. Jay Rockefeller (D., W.Va.), chairman of the Senate Commerce Committee, said he planned to look into Google's behavior and whether it worked "to circumvent consumer choice."

Google's privacy practices have come under increasing scrutiny in recent months, as it and other technology companies have expanded social-networking and information-sharing services. The companies offer many of those products to people for free and receive income from online advertisements that are customized and targeted based on users' information.

The FTC's settlement with Google came after an investigation into the company's now-defunct Buzz social network. The FTC alleged that Google used "deceptive tactics and violated its own privacy promises to consumers" when it launched Buzz. Google had initially made some Buzz users' contacts automatically visible to others.

Google's latest practices also involve social networking. The company says the technology that resulted in the tracking was intended to help it place social-networking buttons on ads. People could use these buttons to indicate they liked the ad and share that with friends on the Google+ network.

To enable that feature, Google used computer code that bypassed Safari's privacy settings. Safari is the only browser that has a default setting blocking advertisers and other tracking companies from placing small files called "cookies" on users' computers. After Google bypassed the settings, the company's massive advertising network was able to track many users as they browse the Web.

"Google's practices could have a wide, sweeping impact because Safari is a major Web browser used by millions of Americans," the lawmakers said in their letter to the FTC. Safari is the standard browser on Apple's iPhone and iPad devices, as well as on Mac computers.

UK: Phone and email records to be stored in new spy plan

The databases would not record the contents of calls, texts or emails but the numbers or email addresses of who they are sent and received by.

Πηγή: The Telegraph
By David Barrett
Feb 18 2012

Details of every phone call and text message, email traffic and websites visited online are to be stored in a series of vast databases under new Government anti-terror plans.

Landline and mobile phone companies and broadband providers will be ordered to store the data for a year and make it available to the security services under the scheme.

The databases would not record the contents of calls, texts or emails but the numbers or email addresses of who they are sent and received by.

For the first time, the security services will have widespread access to information about who has been communicating with each other on social networking sites such as Facebook.

Direct messages between subscribers to websites such as Twitter would also be stored, as well as communications between players in online video games.

The Home Office is understood to have begun negotiations with internet companies in the last two months over the plan, which could be officially announced as early as May.

It is certain to cause controversy over civil liberties - but also raise concerns over the security of the records.

Access to such information would be highly prized by hackers and could be exploited to send spam email and texts. Details of which websites people visit could also be exploited for commercial gain.

The plan has been drawn up on the advice of MI5, the home security service, MI6, which operates abroad, and GCHQ, the Government’s “listening post” responsible for monitoring communications.

Rather than the Government holding the information centrally, companies including BT, Sky, Virgin Media, Vodafone and O2 would have to keep the records themselves.

Under the scheme the security services would be granted “real time” access to phone and internet records of people they want to put under surveillance, as well as the ability to reconstruct their movements through the information stored in the databases.

The system would track “who, when and where” of each message, allowing extremely close surveillance.

Mobile phone records of calls and texts show within yards where a call was made or a message was sent, while emails and internet browsing histories can be matched to a computer’s “IP address”, which can be used to locate where it was sent.

The scheme is a revised version of a plan drawn up by the Labour government which would have created a central database of all the information.

The idea of a central database was later dropped in favour of a scheme requiring communications providers to store the details at the taxpayers’ expense.

But the whole idea was cancelled amid severe criticisms of the number of public bodies which could access the data, which as well as the security services, included local councils and quangos, totalling 653 public sector organisations.

Labour shelved the project - known as the Intercept Modernisation Programme - in November 2009 after a consultation showed it had little public support.

Only one third of respondents backed the plan and half said they feared the scheme lacked safeguards and technical rigour to protect highly sensitive information.

At the same time the Conservatives criticised Labour’s “reckless” record on privacy.

A called Reversing the Rise of the Surveillance State by Dominic Grieve, then shadow home secretary and now Attorney General, published in 2009, said a Tory government would collect fewer personal details which would be held by “specific authorities on a need-to-know basis only”.

But the security services have now won a battle to have the scheme revived because of their concern over the ability of terrorists to avoid conventional surveillance through modern technology.

They can make use of phone tapping but their ability to monitor email traffic and text messages is limited.

They are known to have lobbied Theresa May, the Home Secretary, strongly for the scheme. Their move comes ahead of the London Olympics, which they fear will be a major target for terror attacks, and amid a climate of concern about terrorists’ use of the internet.

It has been highlighted by a number of attacks carried out after radicalisation took place through websites, including the stabbing by a young Muslim woman of an MP at his constituency surgery.

Sources said ministers are planning to allocate legislative time to the new spy programme, called the Communications Capabilities Development Programme (CCDP), in the Queen’s Speech in May.

But last night privacy campaigners warned the scheme was too open to abuse and could be used for “fishing trips” by spies.

Jim Killock, executive director of the Open Rights Group, a civil liberties campaign organisation, said: “This would be a systematic effort to spy on all of our digital communications.

“The Conservatives and Liberal Democrats started their government with a big pledge to roll back the surveillance state.

“No state in history has been able to gather the level of information proposed - it’s a way of collecting everything about who we talk to just in case something turns up.”

There were also concerns about the ability of phone and internet companies to keep the information secure.

And the huge databases could also be used by internet service providers, particularly to work out which advertising to target at users.

Broadband firms including BT came up with a scheme almost three years ago to target advertising, but it did not get off the ground.

However, if companies were able to exploit the information they will be compelled to keep for the CCDP, they would be much more capable of delivering advertising to computers and even mobile phones based on users’ past behaviour.

Gus Hosein, of Privacy International, said: “This will be ripe for hacking. Every hacker, every malicious threat, every foreign government is going to want access to this.

“And if communications providers have a government mandate to start collecting this information they will be incredibly tempted to start monitoring this data themselves so they can compete with Google and Facebook.”

He added: “The internet companies will be told to store who you are friends with and interact with. While this may appear innocuous it requires the active interception of every single communication you make, and this has never been done in a democratic society.”

A Home Office spokesman said: “It is vital that police and security services are able to obtain communications data in certain circumstances to investigate serious crime and terrorism and to protect the public.

“We meet regularly with the communications industry to ensure that capability is maintained without interfering with the public’s right to privacy.

“As set out in the Strategic Defence and Security Review we will legislate as soon as Parliamentary time allows to ensure that the use of communications data is compatible with the Government’s approach to civil liberties.”

Andrew Kernahan of the Internet Service Providers’ Association said: “It is important that proposals to update Government’s capabilities to intercept and retain communications data in the new communications environment are proportionate, respect freedom of expression and the privacy of users, and are widely consulted upon in an open and transparent manner.”

Google sued by Safari user over privacy flap

Πηγή: Washington Post
By Phil Milford and Jef Feeley
Feb 18 2102

Google Inc. officials were sued for violating users’ privacy rights on Apple Inc.’s Safari Web browser by bypassing computer settings designed to block monitoring of consumers’ online activity.

Google, the world’s biggest Internet-search company, has been dodging privacy settings in Safari, which serves as the primary Web browser on Apple’s iPhone and iPad products, lawyers for an Illinois man who uses the Safari browser said in a lawsuit filed today in federal court in Delaware.

“Google’s willful and knowing actions violated” federal wiretapping laws and other computer-related statutes, attorneys for Matthew Soble said in the complaint.

Google has drawn regulatory scrutiny and pressure from consumer advocates for the way it handles personal information. Last year, it agreed to settle claims with the Federal Trade Commission that Google used deceptive tactics and violated its own privacy policies when it introduced its Buzz social- networking service in 2010.

Chris Gaither, a spokesman for Mountain View, California- based Google, said in an e-mail that the company declined to comment on the suit’s allegations.

Researchers at Stanford University said today Google programmers developed codes that allowed them to avoid privacy settings created by their rivals at Cupertino, California-based Apple.

Privacy Circumvented?

The settings were designed to block cookies, or small pieces of code, that can be used to follow users’ activities on the Web. The Wall Street Journal reported Google’s actions in bypassing the privacy settings earlier this week.

Soble is seeking class-action status for his suit, which was filed on behalf of individuals “whose default privacy settings on the web browser software produced by Apple, known as Safari, were knowingly circumvented by Google,” according to the suit.

Google’s actions also prompted Consumer Watchdog to send a letter to the FTC today demanding action against the Internet- search provider.

“Safari users with the browser set to block third-party cookies thought they were not being tracked,” John Simpson, privacy project director of Consumer Watchdog, said in the letter. “Nonetheless, because of an element invisible to the user, but designed to mimic a form, DoubleClick was able to set tracking cookies in an obvious violation of the set preference.”

Lawmaker Attention

The allegations that Google bypassed Apple’s privacy settings to gather information on user’s Web browsing habits also have drawn attention from lawmakers.

“I fully intend to look into this matter and determine the extent to which the practice was used by Google and other third parties to circumvent consumer choice,” West Virginia Senator John D. (Jay) Rockefeller IV, a Democrat and chairman of the Senate Commerce Committee, said in a statement.

“We are taking immediate steps to address concerns, and we are happy to answer any questions regulators and others may have,” Google’s Gaither said in an e-mailed response.

The case is Matthew Soble v. Google Inc., U.S. District Court for the District of Delaware (Wilmington).

Google announces privacy settings change across products; users can’t opt out

Google announced a new privacy policy and terms of service on Jan. 24. Here’s a look at some of the Google products that will be affected by the policy change.

Πηγή: Washington Post
By Cecilia Kang
Jan 24 2012

Google said Tuesday it will require users to allow the company to follow their activities across e-mail, search, YouTube and other services, a radical shift in strategy that is expected to invite greater scrutiny of its privacy and competitive practices.

The information will enable Google to develop a fuller picture of how people use its growing empire of Web sites. Consumers will have no choice but to accept the changes.
The policy will take effect March 1 and will also impact Android mobile phone users, who are required to log in to Google accounts when they activate their phones.

The changes comes as Google is facing stiff competition and recently disappointed investors for the first time in several quarters, failing last week to meet earnings expectations. Apple, perhaps its primary rival, is expected to announce strong earnings Tuesday.

Google’s changes are appeared squarely aimed at Apple and Facebook, which have been successful in keeping people in their ecosystem of products. Google, which makes money by selling ads tailored to its users, is hoping to do the same by offering a Web experience tailored to personal tastes.

“If you’re signed in, we may combine information you’ve provided from one service with information from other services,” Alma Whitten, Google’s director of privacy, product and engineering wrote in a blog post.

“In short, we’ll treat you as a single user across all our products which will mean a simpler, more intuitive Google experience,” she said.

After March 1, a user who has recently watched YouTube videos of the Washington Wizards might suddenly see basketball ticket ads appear in his or her Gmail accounts.

That person may also be reminded of a business trip to Washington on Google Calendar and asked whether he or she wants to notify friends who live in the area, information Google would cull from online contacts or its social network Google+.

Privacy advocates say Google’s changes betray users who are not accustomed to having their information shared across different Web sites.

A user of Gmail, for instance, may send messages about a private meeting with a colleague and may not want the location of that meeting to be thrown into Google’s massive cauldron of data or used for Google’s maps application.

Google recently settled a privacy complaint by the Federal Trade Commission after it allowed users of its now defunct social network Google Buzz to see contacts lists from its e-mail program.

Privacy advocates in recent weeks filed a separate complaint that Google deceived consumers by using information from its new social network Google+ in general search results.

Some worry about security. Gmail users, including some White House staff, last year were targeted by hackers who were able to breach the company’s e-mail accounts.

Google on Tuesday described its new business plan as changes in its privacy policy and terms of service for all its services except for Google Wallet, its Chrome browser and Google Books.

Google has also faced greater scrutiny that it is using its dominance in online search to favor its other applications. Google’s decision to blend Google+ data into search results has been included into a broad FTC antitrust investigation, according to a person familiar with the matter who spoke on the condition of anonymity because the investigation is private.

Engineers from Twitter, Facebook and MySpace responded by launching a Web tool that they say shows Google is moving away from its stated mission to be a neutral Web directory.

On the Web site for the plug-in, the engineers wrote that searches for generic terms such as “movies” or “music” prioritize Google+ results over more relevant content.

FAQ: What kind of data can Google collect and integrate? How will this affect me?
By Hayley Tsukayama

What is Google doing?: In a nutshell, Google is taking information from almost all of your Google services — including Gmail, Picasa, YouTube and search — and integrating the data so that they can learn more about you. (Information from Google Books, Google Wallet and Google Chrome will not be integrated, partly for legal reasons.)

What kind of information are they collecting and integrating?:

Almost anything that’s already in the Google ecosystem: calendar appointments, location data, search preferences, contacts, personal habits based on Gmail chatter, device information and search queries, to name a few.

Can they do that?: Not under the company’s current privacy policies, but Google is introducing a new, unified policy that you can’t opt-out of.

Why is Google doing this?: Google says it will be able to do a lot more “cool things” when it combines information across products. There’s “so much more that Google can do to help you” if you share your information with them.

Give me an example.: From Whitten’s blog post: Google will be able to “provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what traffic is like that day.”

Interesting. Tell me more: Also from Whitten: Google will be able to “ensure that our spelling suggestions, even for your friends’ names, are accurate because you’ve typed them before.”

When do the changes take effect?: March 1.

Can I opt-out?: No.

So what do I do if I don’t like the policy?: You can close your account. Google has provided information on how to take all of your personal information off of Google by closing your Google Account, which would erase your Gmail, Google+ and other accounts.

But I have a lot of data saved on Gmail/Picasa/etc...: Google says it is committed to “data liberation” and that it will allow you to take your information elsewhere if you want to. The company said it would provide directions on how to do this in the help sections for its various services.

I don’t have a Google Account, but use Google search. Am I affected?: No. The new policy only applies to people who have a Google Account linked to services such as Gmail, Picasa or YouTube and are signed in.

What if I have account but am not signed in?: Google can only integrate your information if you are signed in. For example, if you’re signed in to your Gmail account on one tab, and then decide to look up a clip on YouTube on another tab without signing out of your e-mail, the data will be integrated. If you sign out or look up a YouTube clip on a different browser, the data won’t be integrated.

I have an Android phone. How does this affect me?: Because you have to sign in to your Google account to do anything except for browse the Web and make phone calls, Google will be able to track practically anything you do on your phone.

What about if I have an iPhone/Blackberry/Windows 8 phone?: Google’s new privacy policy doesn’t get into the specifics of what it can collect on different platforms and whether this changes if you download a Google app or if you access Gmail, for instance, on your phone’s browser or competitor’s app. But it does say that if you sign into Google services, Google will be able to collect information about your device and usage.

Can you be more specific about the type of information Google will be able to collect on mobile devices?

The privacy policy allows the company to collect a great deal of data: Your device hardware model, operating system version, unique device identifiers and mobile network information. Google says it may associate your device identifiers or phone number with your Google Account. Details of how you use the service, such as search queries. Telephony log information like time and date of calls, duration of calls. IP addresses. Cookies that may “uniquely identify your browser or your Google Account.”

What do privacy advocates have to say about the new policy?: Check back in with us a little later and we’ll let you know. 

Killing Democracy One File at a Time: Justice Department Loosens FBI Domestic Spy Guidelines

Πηγή: Global Research By Tom Burghardt While the Justice Department is criminally inept, or worse, when it comes to prosecuting corporate thieves who looted, and continue to loot, trillions of dollars as capitalism's economic crisis accelerates, they are extremely adept at waging war on dissent. Last week, The New York Times disclosed that the FBI "is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention." Under "constitutional scholar" Barack Obama's regime, the Bureau will revise its "Domestic Investigations and Operations Guide." The "new rules," Charlie Savage writes, will give agents "more latitude" to investigate citizens even when there is no evidence they have exhibited "signs of criminal or terrorist activity."