
Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

  • Reading Cookies: Safari allows third-party domains to read cookies.
  • Modifying Cookies: If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
  • Form Submission: If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.
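The three rules Mayer lists can be modelled as a small decision function to show why one form submission is enough to unlock later cookie writes, and what removing the form rule changes. This is an added example, not code from Mayer's write-up or from WebKit; the class, the `replay` helper and the `ads.example` domain are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class ThirdPartyCookiePolicy:
    """Toy model of the third-party cookie rules quoted above (not WebKit code)."""
    allow_form_submission_writes: bool = True   # False models the WebKit change
    jar: dict = field(default_factory=dict)     # domain -> {cookie name: value}

    def request(self, domain, set_cookie=None, via_form_submit=False):
        """Simulate one third-party request.

        Returns True if the response's cookie was stored, False if it was
        blocked or the response carried no cookie.
        """
        sent = dict(self.jar.get(domain, {}))    # Reading: existing cookies are sent
        may_write = bool(sent)                   # Modifying: request carried a cookie
        if via_form_submit and self.allow_form_submission_writes:
            may_write = True                     # Form Submission exception
        if set_cookie is None or not may_write:
            return False
        name, value = set_cookie
        self.jar.setdefault(domain, {})[name] = value
        return True


def replay(policy):
    """Replay a constructed request sequence; record which cookie writes succeed."""
    ads = "ads.example"  # hypothetical third-party domain
    return [
        policy.request(ads, set_cookie=("id", "1")),                        # plain embed
        policy.request(ads, set_cookie=("id", "2"), via_form_submit=True),  # form POST
        policy.request(ads, set_cookie=("pref", "x")),                      # plain embed again
    ]


if __name__ == "__main__":
    print("policy as described:", replay(ThirdPartyCookiePolicy()))
    print("form rule removed:  ",
          replay(ThirdPartyCookiePolicy(allow_form_submission_writes=False)))
```

With the form rule in place, the first write is blocked, the form POST succeeds, and every later response from that domain may write because the request now carries a cookie; with the rule removed, all three writes are blocked.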

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s, but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

In a post here last month on “Two Paradoxes of Privacy Regulation,” I discussed some of the interesting — and to me, troubling — similarities between rising calls for online privacy regulation and ongoing attempts to enact various types of controls on online speech or expression. In that essay, I argued that while most privacy advocates are First Amendment supporters as it pertains to content regulation, they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation. When the topic of debate shifts from concerns about potentially objectionable content to the free movement of personal information, personal responsibility and self-regulation become the last option, not the first. Privacy advocates typically ignore, downplay, or denigrate user-empowerment tools, even though many of those same advocates endorse “self-help” efforts as the superior method of dealing with objectionable speech or media content. In essence, therefore, they are claiming self-help is the right answer in one context, but not the other. Ironically, therefore, privacy advocates and moral conservatives actually share much in common in that they are using the same playbook to advance their goals: They are rejecting personal responsibility and user-empowerment tools and techniques in favor of government control for their respective issues.

Keeping that insight in mind, I want to take this comparison a step further and suggest that what really unites these two movements is a general conservatism about how our online lives and online business should be governed. For the moral conservatives, that instinct is well-understood. They want to hold the line against what they believe is a decaying moral order by restricting access to potentially objectionable speech or content — dirty words, violent video games, online porn, or whatever else. The conservatism of the modern privacy movement is less obvious at first blush. I suspect that many privacy conservatives would not consider themselves “conservative” at all, and they might even be highly offended at being grouped in with moral conservatives who seek to wield government power to control online speech and expression. Nonetheless, the two groups share a common trait — an innate hostility to the impact of technological / social change within the realm of “rights” or values they care about. In their respective arenas, they both reject the evolutionary dynamism of the free marketplace and they long for a return to a simpler and supposedly better time.

When the government tells someone to shut up, we call it censorship and the First Amendment requires the government to defend its regulation. But what if the government just says, “Shhhh… could you please turn that down?” Rep. Anna Eshoo’s Commercial Advertisement Loudness Mitigation Act (“CALM Act” – HR 1084) would do just that: require the FCC to issue rules that broadcast and cable TV ads:

(1) … shall not be excessively noisy or strident; (2) … shall not be presented at modulation levels substantially higher than the program material that such advertisements accompany; and (3) [their] average maximum loudness…  shall not be substantially higher than the average maximum loudness of the program material that such advertisements accompany.

Now, I understand where Ms. Eshoo is coming from: I have a very low tolerance for noise in general and for television in particular—and it’s not just about commercials. (I find TV news at least as “noisy” and “strident” as commercials. That’s why I opted-out from the whole TV thing in about 2000. Yup, that’s right: I found better things to do with my time and the supposedly all-powerful “gatekeepers” of Hollywood couldn’t do a damn thing about it. You should try it if you don’t like what’s on TV! To paraphrase Voltaire, “I disapprove of what you watch, but I will defend to the death your right to watch it!” You can get most of what’s worth watching on DVD or online anyway.) But do we really need bureaucrats in Washington micromanaging volume levels? Maybe Congressmen would have a little more time to read the bills they vote for if they weren’t so busy fiddling with everyone else’s remote!

Eshoo’s bill has passed the House Energy & Commerce Committee’s Communications Subcommittee just as the TV industry is completing work on voluntary standards of their own. That’s one “less restrictive” alternative to regulation. What about technological empowerment? If Americans really hate loud commercials so much, why don’t they demand TVs with built-in volume normalization features? But this bill isn’t merely unnecessary, it would also set a disturbing precedent in at least six ways.


WordPress has experienced a major security vulnerability, with a worm making its way around the ‘Net, attacking earlier versions of WordPress. Fortunately, because of the hard work of the WordPress open source community, the current (2.8.4) and most recent (2.8.3) versions are immune. Yet as with any piece of software, some users haven’t upgraded. In the case of WordPress (which we use at the TLF), upgrading can be difficult for sites that rely on plug-ins that aren’t always updated quickly when a new version of WordPress is released.

While my heart goes out to my fellow WordPress bloggers who may have experienced an attack, I’m just glad that, for once, the message isn’t that somehow we need the government to protect us all from cyber-catastrophes, but, instead, a little good-old-fashioned digital self-help! From the WordPress Blog:

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

As with parental controls and privacy, protecting your security online begins at home. Government can help to educate and promote empowerment solutions, and industry certainly has a role to play in both, and communities like WordPress can offer invaluable support, but at the end of the day, only you can protect yourself online!

What Unites Advocates of Speech Controls & Privacy Regulation? [pdf]

by Adam Thierer & Berin Szoka The Progress & Freedom Foundation, Progress on Point No. 16.19

Anyone who has spent time following debates about speech and privacy regulation comes to recognize the striking parallels between these two policy arenas. In this paper we will highlight the common rhetoric, proposals, and tactics that unite these regulatory movements. Moreover, we will argue that, at root, what often animates calls for regulation of both speech and privacy are two remarkably elitist beliefs:

  1. People are too ignorant (or simply too busy) to be trusted to make wise decisions for themselves (or their children); and/or,
  2. All or most people share essentially the same values or concerns and, therefore, “community standards” should trump household (or individual) standards.

While our use of the term “elitism” may unduly offend some understandably sensitive to populist demagoguery, our aim here is not to launch a broadside against elitism as Time magazine culture critic William H. Henry once defined it: “The willingness to assert unyieldingly that one idea, contribution or attainment is better than another.”[1] Rather, our aim here is to critique that elitism which rises to the level of political condescension and legal sanction. We attack not so much the beliefs of some leaders, activists, or intellectuals that they have a better idea of what is in the public’s best interest than the public itself does, but rather the imposition of those beliefs through coercive, top-down mandates.

That sort of elitism—elitism enforced by law—is often the objective of speech and privacy regulatory advocates. Our goal is to identify the common themes that unite these regulatory movements, explain why such political elitism is unwarranted, and make it clear how it threatens individual liberty as well as the future of a free and open Internet. As an alternative to this elitist vision, we advocate an empowerment agenda: fostering an environment in which users have the tools and information they need to make decisions for themselves and their families.

The proliferation of Web 2.0 social media services has magnified the old problem of cyber-squatting: Every new service represents the possibility that someone else might claim your name, or your organization’s trademark, as a user name before you do! This problem is especially significant where user names correspond to vanity URLs, as with Twitter and, more recently, Facebook.

So I was intrigued to discover that the market is responding to this need: ClaimMyName (CMN) will take care of user registrations on 30 Web 2.0 services for $329 or on an astounding 300 services for $799. CMN is a “freemium” service offered by DandyID.com, a nifty free service that allows users to organize all their social media profiles for something like 390 services so that buttons for each service can easily be added to an author bio page on a blog, as we’ve done at the TLF. So if I really wanted to make sure that no one else registered http://<WEB2.0service>.com/berinszoka, or /techliberation or /ProgressFreedom, this service would allow me to do so with just a few clicks—at a price of either $10.97/service for thirty or $2.66/service for 300 services.

CMN is essentially a mini-Mark Monitor, the international company famous for protecting trademarks online—except that CMN facilitates self-help by users outside of trademark law: No registration is required; everything is done on a first-come-first-serve basis. Pretty cool.

by Eric Beach & Adam Thierer

In our ongoing “Privacy Solutions Series” we have been outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online. These tools and methods form an important part of a layered approach that we believe offers a more effective alternative to government-mandated regulation of online privacy. [See entries 1, 2, 3, 4] In this installment, we will be exploring CCleaner, a free Windows-based tool created by UK-based software developer Piriform that scrubs your computer’s hard drive and cleans its registry. We’ll describe how CCleaner helps you destroy data and protect your private information.

Whenever you move files to the recycling bin and subsequently purge the recycling bin, the affected files remain on your computer. In other words, deleting files from the recycling bin does not remove them from the computer. The reason for this is important and, in many ways, beneficial. In some respects, many computer file systems work like an old library catalog system. A file is like a catalog card and contains the reference to the actual place on the hard drive where the information contained in the file is stored. When a user deletes a file, the computer does not actually clean all the affected hard drive space. Instead, to extend the analogy, the computer simply removes the card catalog entry that points to the hard drive space where the file is contained and frees up this space for new files. The reason this is usually beneficial is that cleaning the hard drive space occupied by a file can take a while. If you want evidence of this, look no further than the length of time required to reformat a hard drive (reformatting a hard drive actually clears the disk’s contents). The practical implication of the way hard drives work is that when you delete an important memo from your computer, it is not actually gone. Similarly, when you clear your browsing history, it is not gone. The bottom line is that an individual who can access your hard drive (a thief, the government, etc.) could view many or all of the files you deleted.

The solution to this problem is to ensure that when a file is deleted, the space on the hard drive occupied by that file is not simply flagged as available space but is entirely rewritten with unintelligible data. One of the best programs for accomplishing this is CCleaner (which formerly stood for “Crap Cleaner”!)
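The difference between removing the catalog entry and rewriting the space can be shown in Python. This is an added example, not CCleaner's code: `overwrite_and_delete` and `demo` are hypothetical names, the memo text is constructed, and a second hard link stands in for someone reading the underlying disk blocks after the file name is gone.

```python
import os
import tempfile


def overwrite_and_delete(path, chunk_size=64 * 1024):
    """Overwrite a file in place with random bytes, then remove its name.

    Returns the number of bytes overwritten. Assumption: the file system
    writes in place. Copy-on-write file systems and SSD wear levelling can
    leave the old blocks intact elsewhere on the device.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:            # r+b: modify without truncating
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            fh.write(os.urandom(n))          # unintelligible replacement data
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())                # push the new bytes to the device
    os.remove(path)                          # only now drop the catalog entry
    return size


def demo(workdir):
    """Delete the same constructed memo two ways.

    For each method, returns True if the original bytes are still readable
    through a second hard link to the same data blocks.
    """
    secret = b"constructed sample memo: do not distribute\n" * 100
    survived = {}
    for label, delete in (("plain", os.remove),
                          ("overwrite", overwrite_and_delete)):
        path = os.path.join(workdir, label + ".txt")
        witness = path + ".witness"
        with open(path, "wb") as fh:
            fh.write(secret)
        os.link(path, witness)               # second name, same blocks
        delete(path)
        with open(witness, "rb") as fh:
            survived[label] = fh.read() == secret
        os.remove(witness)
    return survived


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```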


The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

  • Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
  • Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
  • Protecting online speech and expression both in the U.S. and abroad;
  • Defending Section 230 immunity for Internet intermediaries;
  • Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
  • Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

By Berin Szoka & Adam Thierer Progress Snapshot 4.19 (PDF)

Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users. Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space. While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011, an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.

In an upcoming PFF Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue, especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.

We will also issue a three-part challenge to those who call for regulation of online advertising practices:

  1. Identify the harm or market failure that requires government intervention.
  2. Prove that there is no less restrictive alternative to regulation.
  3. Explain how the benefits of regulation outweigh its costs.


By Adam Thierer & Berin Szoka

Whatever ordinary Americans actually think about online privacy, it remains a hot topic inside the Beltway. While much of that amorphous concern focuses on government surveillance and government access to information about web users, many in Washington have focused on targeted online advertising by private companies as a dire threat to Americans’ privacy — and called for prophylactic government regulation of an industry that is expected to more than double in size to $50.3 billion in 2011 from $21.7 billion last year.

In 1998, when targeted advertising was in its infancy, the FTC proposed four principles as the basis for self-regulation of online data collection: notice, choice, access & security. In 2000, the Commission declared that too few online advertisers adhered to these principles and therefore recommended that Congress mandate their application in legislation that would allow the FTC to issue binding regulations. Subsequent legislative proposals (indexed by CDT by Congress here along with other privacy bills) have languished in Congress ever since. During this time self-regulation of data collection (e.g., the National Advertising Initiative) has matured, the industry has flourished without any clear harm to users and the FTC has returned to its original support for self-regulation over legislation or regulatory mandates.

But over the last year, the advocates of regulation have succeeded in painting a nightmarish picture of all-invasive snooping by online advertisers using more sophisticated techniques of collecting data for targeted advertising. The Federal Trade Commission (FTC) has responded cautiously by proposing voluntary self-regulatory guidelines intended to address these concerns, because the agency recognizes that this growing revenue stream is funding the explosion of “free” (to the user) online content and services that so many Americans now take for granted, and that more sophisticated targeting produces ads that are more relevant to consumers (and therefore also more profitable to advertisers).
