The tentative deal does not “prevent Google from continuing to profit from the misconduct that it previously engaged in,” Consumer Watchdog says. “Indeed, it permits Google to continue to profit from its wrongdoing indefinitely,” the group argues. The organization says the settlement should be rejected because it’s not in the public interest.
If approved by U.S. District Court Judge Susan Illston in San Francisco, the deal would resolve charges against Google stemming from allegations that the company developed a workaround to Safari’s no-tracking settings. Google — which also faces a potential class-action lawsuit over the alleged hack — did not admit wrongdoing in the case.
Google allegedly bypassed Safari’s settings to enable Safari users to like ads with the +1 button. But once the workaround was in place, Google’s DoubleClick was able to track people in order to target ads to them. Google promised that it will allow all tracking cookies that it set on Safari users to expire by next year as part of the settlement.
But Consumer Watchdog says Google should do more than let the cookies expire. The group wants Google to delete all data — including IP addresses — collected from Safari users.
Consumer Watchdog also says that Google shouldn’t be able to draw on aggregated data gathered from Safari users for analytics. The group argues that the information collected from those people “can still be used to target others (sometimes called ‘lookalikes’) who exhibit similar behaviors.”
“The proposed order could prevent this result simply by requiring Google to expunge the wrongfully collected data from its database,” the group argues.
Earlier, Consumer Watchdog filed papers opposing the settlement for three reasons. First, the group said the “miniscule” $22.5 million penalty was too low. Second, Consumer Watchdog argued that the settlement should include an injunction prohibiting Google from deceiving users about privacy. And third, the group said Google should be required to admit liability in the case.
The government said in its response, filed last month, that a fine of $22.5 million was appropriate based on its estimate that Google’s profits from the Safari hack amounted to just $4 million. “Assuming … that Google is a profit-maximizing company, it makes no sense for it to engage in a behavior that costs more than the revenue it would earn,” the FTC argued in its court papers.
Consumer Watchdog challenges that $4 million figure. “The government has not given this court any insight into how it made its calculations,” the organization argues, adding that it needs more evidence from Google in order to determine the extent of profits from the workaround.
But current and former representatives for Romney told BNA that he understands that consumer information should be protected and would likely be open to reviewing the White House plan.
Romney’s mostly job-focused campaign team has not yet indicated whether the nominee, if elected, would pursue the existing White House plan or change course, despite a growing debate over the adequacy of federal privacy protections for consumers’ personal data. In the meantime, his overall platform and priorities as a candidate provide some important clues, according to observers.
“I think Romney would let the effort die,” said John Simpson, privacy project director for Consumer Watchdog, a Washington-based public interest group. “He’s an advocate of less regulation on business, so I don’t see much hope that he would be concerned about privacy.”
Peter Swire, a law professor at Ohio State University and a former chief privacy counselor for the Clinton administration, went further, characterizing Romney as an out-of-touch candidate who does not appear to grasp the importance of protecting consumers from privacy intrusions in the age of smartphones and social networking websites.
“He lacks a vision for technology policy generally–broadband, spectrum, what it will take to have the best possible infrastructure for the information economy,” he told BNA.
A Romney campaign spokeswoman, asked about consumer privacy initiatives the Republican candidate might pursue as president and whether he supports the White House plan, said: “Modern commerce requires trust between consumers and businesses. Mitt Romney knows that this trust depends on clear rules of the road for how consumers’ information must be protected and can be used. As president, he will review the regulatory regime to ensure that strong and transparent protections are in place.”
As governor of Massachusetts, Romney proposed related state legislation aimed at curbing identity theft by requiring businesses to notify consumers affected by a data security breach. President Obama’s privacy bill of rights proposal would establish much broader protections at the federal level (11 PVLR 355, 2/27/12).
Under the White House plan, the Federal Trade Commission would for the first time be given authority to enforce general privacy standards governing consumer data-handling practices across the business community, both online and offline.
“I think Governor Romney would certainly be open to reviewing something like that,” Beth Lindstrom, a former Massachusetts consumer affairs director under Romney, told BNA. “Ultimately, I think he would try to strike the right balance between consumer rights and regulatory concerns.”
Currently, the United States has narrow federal privacy standards that include rules governing medical records under the Health Insurance Portability and Accountability Act and financial data under the Gramm-Leach-Bliley Act. In addition, the FTC has claimed broad authority to address consumer privacy concerns under Section 5 of the FTC Act, which prohibits “unfair and deceptive” practices. Companies that fail to honor their online privacy policies, for example, may be charged with committing “deception” under the act.
By contrast, the European Union has had a comprehensive data protection regime in place since the 1990s. EU policymakers are now in the process of drafting updated rules. A proposal announced in January includes a “right to be forgotten” principle that would permit individuals to demand the removal of their personal information from the internet (11 PVLR 178, 1/30/12).
Privacy advocates have long been pushing for adoption of a broad, EU-like framework in the United States. But leading U.S. industry groups maintain that a shift toward the European model could create unnecessary regulatory burdens and harm the economy.
Driving the debate is the growing use of the internet and wireless devices and an explosion of consumer data collection.
During the 2008 presidential race, Obama released a general technology policy document in which he promised to, among other objectives, “strengthen privacy protections for the digital age” and hold government and businesses accountable for violations of personal privacy (7 PVLR 1538, 10/27/08).
A report unveiled by the White House earlier this year urged Congress to pass a “privacy bill of rights” that would apply in the private sector. Businesses would be required to respect general privacy principles, such as transparency, as they collect, use, or share consumer data.
The administration has offered to work with lawmakers to enact such legislation. However, key Republicans have said there are a number of issues that must be carefully examined first, including the potential impact on businesses.
Meanwhile, with no immediate hopes for legislative action, the administration is moving forward with facilitating the development of voluntary privacy codes of conduct based on its proposed bill of rights (11 PVLR 1409, 9/17/12). The process is being handled by the National Telecommunications and Information Administration, a component of the Department of Commerce.
Under the plan, a company’s failure to implement a privacy code after committing to doing so could be treated by the FTC as having violated Section 5 of the FTC Act.
NTIA is currently working with a variety of stakeholders, including consumer advocates and business representatives, to come up with a code for mobile application developers.
“By contrast, the Romney campaign website has no mention of privacy, identity theft, or even technology policy that I could find,” Swire said.
Christopher Wolf, partner and director of Privacy and Information Management Practice at Hogan Lovells LLP, in Washington, noted that the 2012 Democratic Party platform endorsed the administration’s privacy bill of rights, while Republicans were silent on the issue (11 PVLR 1378, 9/10/12).
“Given Governor Romney’s aversion to regulation of business generally, one can expect that the current executive branch initiatives to improve consumer privacy will not continue in a Romney administration,” said Wolf, who also serves as a founder and co-chair of the Future of Privacy Forum, a Washington-based think tank. “In addition, one can expect any Romney appointments to the FTC to be conservative and averse to aggressive enforcement under Section 5 [of the FTC Act].”
Under Obama, the federal agencies responsible for consumer privacy protection have been more active than at any other time in U.S. history, according to Lisa Sotto, head of the Privacy and Information Management Practice at Hunton & Williams LLP. She noted, for example, that David Vladeck, director of the FTC’s Bureau of Consumer Protection, has “unquestionably” kept a promise that he made early in his tenure to broaden the agency’s privacy enforcement agenda.
“Under a Romney administration, I suspect we would see much greater reticence to act in such an undaunted manner,” Sotto told BNA. “There would likely be a more forgiving attitude toward privacy incursions that do not result in physical harm or financial loss. The idea that ‘harm to human dignity’ could be actionable under Section 5 of the FTC Act likely would garner less sympathy under a Romney administration.”
Mark Schreiber, a partner in the Boston office of Edwards Wildman Palmer LLP, told BNA that Romney’s approach to protecting consumer privacy would probably be “considerably different” in tone and direction from that of the Obama administration.
“The Republicans assert that Obama’s policies are too focused on regulation, so something like a consumer privacy bill of rights has little or no chance of being pursued in a Romney administration,” Schreiber said.
Ryan Radia, an associate director at the Competitive Enterprise Institute, a Washington-based think tank that advocates limited government, offered similar observations, noting that Romney has emphasized regulatory restraint and pledged to cut federal red tape.
However, he predicted that consumer privacy will be a priority for the next president no matter who wins the election, given the growing importance of the issue.
“A Romney administration might be more skeptical of prescriptive privacy regulation than the current administration, instead preferring to address privacy challenges through voluntary market solutions induced by competitive discipline,” Radia told BNA.
By Alexei Alexis
The White House report on consumer privacy is available at http://www.whitehouse.gov/sites/default/files/email-files/privacy_white_paper.pdf.
The settlement, the largest ever secured by the FTC for violating one of its orders, was announced in August but quickly drew criticism from privacy advocates. They complained the terms are too soft on Google and that the fine—a fraction of the $38 billion Google recorded in 2011 revenue—amounts to a slap on the wrist.
While the FTC and Google came up with the settlement, it needs to be approved by a judge, which is what next month’s hearing is about. Consumer Watchdog, an advocacy group that has been critical of Google’s privacy measures, will argue that the court should not sign off on the deal.
Among the group’s complaints: that the deal allows Google to deny any wrongdoing, that it won’t prevent it from doing the same thing again, and that it requires Google to destroy only the cookies and not the information gained from the tracking, said John Simpson, Consumer Watchdog’s Privacy Project director.
The group will be represented by Silicon Valley antitrust lawyer Gary Reback, whose work influenced the U.S. Department of Justice when it decided to sue Microsoft in the late 1990s in a landmark antitrust case.
The hearing will take place November 16 at the U.S. District Court for the Northern District of California in San Francisco.
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service.
Almost no one noticed, however, even though Microsoft’s policy changes are much the same as those that Google made to its privacy rules this year.
Google’s expanded powers drew scathing criticism from privacy advocates, probing inquiries from regulators and broadside attacks from rivals. Those included Microsoft, which bought full-page newspaper ads telling Google users that Google did not care about their privacy, an accusation it quickly denied.
The difference in the two events illustrates the confusion surrounding Internet consumer privacy. No single authority oversees the collection of personal information from Web users by Internet companies. Though most companies have written privacy policies, they are often stated in such broad, ambiguous language that they seem to allow virtually any use of customers’ personal information.
Web companies like Microsoft and Google have been moving aggressively to expand their abilities to gather and sort information about individuals’ habits and interests — even as Congress, federal regulators and the Obama administration have been seeking ways to protect Internet users against unwanted privacy incursions.
Microsoft’s policy, which it calls its Services Agreement, allows it to analyze customer content from one of its free products and use it to improve another service — for example, taking information from messages a consumer sends on Windows Live Messenger and using it to improve messaging services on Xbox.
Previously, that kind of sharing of information between products would not have been allowed under Microsoft policies, which limited the use of data collected under one of its products to that product alone.
But the new Microsoft policy does allow for such targeted advertising. Microsoft promised not to do so in blog posts and e-mails informing its customers about the change, but not in the formal policy. That has some privacy advocates nervous.
“Over the years, we have consistently informed users that we may use their content to improve the services they receive,” Mr. Evans said in a written statement. “For instance, we analyze content to improve our spam and malware filters in order to keep customers safe. We also do it to develop new product features such as e-mail categorization to organize similar items like shipping receipts in a common folder, or to automatically add calendar invitations.
“However,” he added, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising. If that ever changes, we’ll be the first to let our customers know.”
Microsoft’s new services agreement affects only its free, Web-based products, not the software programs that individuals and companies buy off the shelf for home or business use. It covers Hotmail, and its related e-mail service, Outlook.com, but not the Outlook e-mail and calendar program that is individually loaded onto computer hard drives and widely used by corporations. Bing, its search engine, is covered, but Internet Explorer, its browser, is not.
Microsoft’s pledge not to use the data from its Web services to target advertising has some credibility, given the company’s broader privacy initiatives. The company has said it will include a “do not track” feature in its new Internet Explorer 10 Web browser that prevents online advertising companies from monitoring the browsing habits of users so they can target promotions. Microsoft has made “do not track” the default setting on the new version of Explorer, a move that has caused a firestorm among online advertising companies.
Microsoft’s push to provide better privacy protections for consumers comes at a time when its efforts in Internet advertising have sputtered. Online advertising remains a small fraction of Microsoft’s overall business, accounting for $2.6 billion, or about 3.5 percent, of the company’s revenue during its last fiscal year, which ended June 30, according to Microsoft’s filings with securities regulators.
But it is easy to see how Microsoft customers might be confused, because the different divisions of Microsoft that draft and oversee its user agreements and privacy policies did not anticipate that the changes in the services agreement would raise privacy questions.
The drafters of the service agreement, a more technical bunch, thought the changes were so small that they were mentioned in August in a specialty “Volume Licensing” blog dedicated to commercial customers, but seemingly nowhere else on Microsoft’s vast array of corporate Web sites.
Microsoft also sent an e-mail about the change in late August to all of its 325 million Hotmail users. But those notices became the subject of nervous online chatter when some users learned that a similar message, using the same template, was being used by hackers to distribute harmful malware. Online message boards warned against even opening the messages.
Inside Microsoft, officials were focused not on whether the policy changes affected privacy but rather on a different change, one that limits the ability of Microsoft customers to sue the company, including in a class action, over its products. The new agreement requires the use of binding arbitration.
Mr. Evans said the change put in place on Friday in the Services Agreement “did not alter our existing privacy policies.” Those policies include a 4,000-word main policy and at least 16 related product-specific privacy policies.
That itself is an example of how users cannot possibly know what Internet companies are doing with their personal information, said Jeff Chester, executive director of the Center for Digital Democracy, a consumer protection group based in Washington.
“No one understands how all this data is being put together and being used,” he said. “All of these companies are in a digital arms race to tie together all the information they have about individuals. For companies like Google and Microsoft, the real goal is to expand market share.”
Google on Wednesday threw open the doors of its Lenoir, N.C. data center to the public, posting a virtual tour of the facility on Street View.
Meanwhile, a detailed story about the facility by author Stephen Levy, who toured the data center by invitation, is running in Wired.
Add to that a new section on the Google website that contains photos from Google’s various data centers, and you’ve got a regular media campaign.
“This is clearly about getting … publicity that isn’t negative,” Randy Abrams, a research director at NSS Labs, told TechNewsWorld. “Google can’t possibly find enough avenues to attempt to show they’re not evil.”
Recently, Google has had to fend off regulatory heat from the European Commission and the U.S. Federal Trade Commission over the consolidation of its privacy policies.
Or perhaps Google “is trying to get people to open up the insides of their buildings for view and are using this as a way to drive that behavior,” Rob Enderle, principal analyst at the Enderle Group, speculated. The White House is among the buildings with their insides detailed in Google Maps Street View.
The Lenoir data center photos put up by Google could show the inside of any data center, except perhaps for the scale.
You kick off with shots of the front door and the parking lot.
Once inside, apart from close-ups of cabinets and a step ladder, you might as well be walking through a new box store that’s just been set up and is waiting to be stocked. One shot has ceiling-to-floor blue curtains and a cage.
Google has always been highly aware, almost paranoid, about security. Back in March, Google reportedly built servers in the dark at a colocation host.
What has changed?
Some say Google’s trying to keep pace with Facebook and other companies, which have released information about their data centers to the public.
Or perhaps Google’s not really giving away any critical information.
“There are very few people who would even try to exploit the knowledge of where the data centers are, and those who would can probably obtain the information by other means,” NSS Labs’ Abrams pointed out.
“Google doesn’t have to change any practices, change any code, or demonstrate greater respect for their users by showing pictures of their data centers,” Abrams continued. “It’s all sizzle and no steak.”
The people at Google “have no problem with people seeing what’s inside some of these areas,” Enderle told TechNewsWorld. “Security is about physical access.” Further, Google “can make the inside look like anything they want, they don’t have to show what’s actually there.”
The virtual tour “would help create the image that Google is just as open as they want us to be, regardless of the fact that they really aren’t,” Enderle stated. “One of their historic problems is that they are very private but don’t appear to believe that others need to be.”
That image of openness may well be needed — Google’s consolidation of its more than 70 privacy policies across all its products in March sparked outrage among privacy advocates, and led some users to state they’d cancel their Google accounts.
Google responded that its privacy notices respect European law, a statement that John Simpson, Consumer Watchdog’s privacy project director, dismissed as Orwellian.
“Putting a data center on Street View is a gimmick,” Simpson told TechNewsWorld. “It doesn’t reveal anything meaningful about how Google does business. Google says it wants to organize the world’s information and make it more accessible but, when it comes to its own information and procedures, the company remains a black box.”
But the European group, along with EU Data Protection Authorities, says the changes have made it easier for Google to “combine almost any data from any services for any purposes.” In short, the EU board is arguing that sharing data across different services gives Google too much leeway to possibly use collected data in ways that users hadn’t intended them to be used.
“Combination of data, like any other processing of personal data, requires an appropriate legal ground,” Tuesday’s letter reads, “and should not be incompatible with the purpose for which these data were collected.”
Peter Fleischer, Google’s global privacy counsel, told IBD via an emailed statement that he’s now reviewing the report.
The regulators make the case that Google, as “a leader in the online world,” should be proactive in engaging with governments.
The letter says there are three main “legal issues” with the new policy. Google provides “insufficient information to users,” the “investigation confirmed our concerns about the combination of data across services” and Google “failed to provide retention periods for the personal data it processes.”
John Simpson, of Consumer Watchdog, a group critical of Google, says in a statement that Google acted with “complete disregard” for users’ privacy.
“I am glad the European Union is calling out their abuses, but am disappointed that American consumers must look across the Atlantic to see privacy rights defended,” Simpson said.
Google shares were up a fraction in afternoon trading Tuesday.
Hours after Gov. Jerry Brown signs a bill authorizing state regulations for autonomous vehicles by 2015, the Alliance of Automobile Manufacturers, whose members account for 77% of all car and light-truck sales in the U.S., warns of the need to go slow.
“If the state’s intention is to promote autonomous vehicles, all the concerns – like liability – need to be properly addressed in advance or we can expect a bumpy road ahead,” the group says in a statement.
The new law marks the culmination of what at least some observers describe as a fast-tracked deliberation process fueled by a turbocharged lobbying effort by Google, which is testing a fleet of a dozen or so computer-controlled vehicles. The Internet data company says its self-driven fleet has logged more than 300,000 miles (483,000 km) without an accident.
Even though the manufacturing alliance says it “strongly” endorses advanced technology, including autonomous technology, “policy issues must be resolved before autonomous vehicles may legally operate in California.”
The new legislation offers no protection to the maker of a vehicle that has been converted to an autonomous unit without the consent or even knowledge of the manufacturer, the trade organization argues.
Vehicles currently are designed to be operated by people who are expected to maintain control and operate them safely, but SB 1298, the newly signed bill, “envisions autonomous vehicles where responsibility for safe operation rests on the autonomous system,” the group says.
The alliance’s concerns are shared by interests throughout the automotive and high-tech fields.
A year ago, computer-security company McAfee released a report, “Caution: Malware Ahead,” outlining emerging risks in automotive-system security. The analysis examined vehicle electrical systems and embedded devices such as airbags, radios, power seats, antilock brakes, electronic stability controls, autonomous cruise controls and communication technology.
“Each interface serves as a motivator and means for an attacker to access the vehicle,” says one of the McAfee report’s researchers, Stefan Goss, a professor of automotive technology at Germany’s Ostfalia University of Applied Sciences. “We can expect new challenges to protecting the changing interface of embedded systems in cars.
“I expect a new chapter of car security in the next two car generations.”
Stuart McClure, senior vice president and general manager at McAfee, says, “It’s one thing to have your email or laptop compromised, but having your car hacked could translate to dire risks to your personal safety.”
The McAfee report and similar recent studies expand on the foundational research done by the since-disbanded Center for Automotive Embedded Systems Security, a collaborative project between the University of California-San Diego and University of Washington, which determined onboard vehicle computer systems will be increasingly vulnerable to malicious attacks as user-connective technology expands.
In their 2011 study, “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” project researchers conclude remote exploitation of a vehicle “is feasible via a broad range of attack vectors (including mechanics’ tools, CD players, Bluetooth and cellular radio) and, further, that wireless communications channels allow long-distance vehicle control, location tracking, in-cabin audio exfiltration and theft.”
Consumer privacy also is at risk through the new legislation, says John Simpson, privacy project supervisor for the nonprofit advocacy group Consumer Watchdog.
California’s new driverless-auto law “gives the user no control over what data will be gathered and how the information will be used,” Simpson tells WardsAuto. “That’s where we have a problem.”
Several recent consumer surveys, including the “2012 Online and Mobile Privacy Perceptions Report” issued by San Francisco-based TRUSTe privacy management solutions company, suggest consumer concerns over privacy issues are rising across all age ranges.
After interviewing 1,033 U.S. adults and 554 U.S. smartphone users at least 18 years old, TRUSTe discovered 94% of consumers consider privacy an important issue, with 58% expressly indicating they “do not like” online behavioral advertising.
The report found 42% of smartphone users identify privacy and security as top concerns, with an overwhelming majority, 85%, saying they won’t download mobile apps they don’t trust.
The TRUSTe research suggests 60% of those adults surveyed are more concerned about their online privacy today than a year ago, while 49% now check for independent privacy certification or seals, up from 41% in 2011.
All those numbers indicate “a clear sign that consumers are becoming more aware and diligent in looking after their privacy online,” the report says.
Perhaps equally significant, the TRUSTe report and other studies show decidedly more privacy-conscious attitudes among members of the so-called Y- or Millennial-Generation consumers, those generally born from the late 1970s to early 2000s, a group the auto industry is targeting with many of its latest innovations.
Further data collected by the Alliance of Automobile Manufacturers finds seven out of every 10 car buyers are interested in driver-assisting technologies such as adaptive cruise control, blindspot monitoring, lane-departure warning, drowsy-driver alerts and 360-degree cameras.
However, a similar majority favors “technologies that provide alerts over the autonomous car,” because there’s still great distrust of “totally self-driving” vehicles in the general marketplace, the association says.
Citing Google’s widely criticized track record of protecting user privacy, Simpson contends “consumers must have the right to give opt-in consent before any data gathered through driverless car technology is used for any purpose other than driving the vehicle.”
But, he laments, the new driverless law demonstrates safeguarding personal privacy is not “high on people’s priorities right now.”
If the collection of personal data in autonomous vehicles remains unchecked, “then a car trip will no longer just be about going from Point A to Point B. Now it’ll be all about how you go and where you stop along the way,” Simpson says.
“I’m not a Luddite. I see this technology coming, and I see it playing a very useful role,” Simpson says. “All I’m saying is we should be setting these privacy issues from the get-go. Ensure privacy by design.”
That is the message of a popular viral video produced by the Belgian Federation of the Financial Sector (Febelfin), which has so far been seen by more than one-and-a-half million people.
In it, members of the public are invited to a very special mind-reading conducted by a charismatic grey-haired mystic called “Dave”. As the ham actor gets into his stride, more and more compelling information about the lives of his clients is spilled onto the table:
“I see a school in Antwerp”… “A house for sale”… “Your best friend’s name is Julie”… “Interesting love life – I see, three? Four people?”
But Dave leaves the best until last:
“I see a negative [bank] balance”… “Last month, you spent €200 on alcohol”… “€300 on clothes”.
And then he reads out their bank account numbers, before the secret of his mind-reading power is revealed: a room full of computers operated by balaclava-clad hackers who (supposedly) had been feeding the information to the phony mind-reader in real time.
The video was intended to warn people against making available excessive amounts of what ought to be private information about themselves online, and the ease with which such data can be used to break into email addresses, commerce sites and, ultimately, bank accounts.
But Febelfin might just be wasting its time. Many people remain blasé about publishing the intimate details of their life online and, across the world, online privacy is under attack – from commercial organisations that want to know all there is to know about their customers, to governments that want to know everything that their citizens might be getting up to, online or offline.
Do be evil
Ironically, perhaps, it is YouTube owner Google – motto: “Don’t be evil” – that has drawn most criticism for repeated infringements of privacy. This summer, Google was fined a record $22.5m (£14m) by the US Federal Trade Commission for hacking its way around poorly implemented privacy settings in Apple’s Safari web browser.
Jonathan Mayer, a graduate student in Computer Science and Law at Stanford University, was one of the researchers who uncovered Google’s violation of US privacy laws. Mayer has specialised in researching “third-party web tracking”.
“When I say third-party, I mean websites that a user is not interacting with, such as an ad network or a social network,” says Mayer.
This might be done via a combination of cookies, which can be used to make a user’s browser uniquely identifiable, and the intelligence embedded within an advert or even just some of the buttons that enable a user to “like” an article or to publicise it over a social network such as Twitter.
With adverts served by an advertising network and such social networking buttons present at almost every website, intelligence-gathering companies – whether advertising networks or social networking companies – can start to put together complete profiles of users. Indeed, both Google and Facebook are also among the web’s biggest advertising companies.
“One of our projects involved trying to understand which companies were placing cookies in Apple Safari. So, we bought advertising of our own and included code in the ads that we bought that measured what cookies seemed to be in place in end-users’ browsers,” says Mayer.
The advertising appeared only for users of Safari running on Apple’s iOS mobile operating system and looked at which advertising companies had tracking cookies in place.
By default, Safari has its privacy option switched on, which restricts the setting of third-party cookies based on domain names. If, for example, someone were to visit the Computing.co.uk website, a cookie from Computing would be permitted, but one from an advertiser would be blocked.
However, when Apple updated Safari, it made a number of architectural amendments on the legitimate grounds of usability that enabled third-party web trackers, including Google, to get round its settings.
For example, if a user filled out some information on a form in a website and hit submit, and that data is submitted (legitimately or otherwise) to a third-party website, it makes sense to keep some track of it to make sure it is submitted only once.
“But it turns out that a form on a website can be submitted not only when a user clicks ‘submit’, but also when a bit of code on a website submits the form. It was a known issue that a website could create an invisible form and use a little bit of code and submit and set cookies in response to that form so that the user never sees anything, but third-party cookies can be set,” says Mayer.
Despite this known bug, the majority of companies nevertheless complied with the spirit of Safari’s privacy settings: very few cookies were in place on devices that had Safari’s privacy feature turned on (as it is by default), which ought to wipe out all cookies.
“But we found a couple of companies had placed an inordinate number of cookies – one of which was Google,” says Mayer. “Roughly 85 per cent of the browsers with this privacy mechanism in place had a Doubleclick cookie.”
Doubleclick is the advertising network that Google acquired for $3.1bn (£1.9bn) in March 2008 – after overcoming both monopoly and privacy objections.
Further investigation by Mayer revealed three other major offenders in addition to Google: Vibrant Media, Media Innovation Group and PointRoll.
The case – partly because it clearly demonstrated intent on Google’s part to circumvent people’s privacy settings – caused a storm of protest, with many arguing that the penalty was not nearly enough to hurt a company with revenues of $37.9bn (£23.4bn) in 2011.
“Google has demonstrated an ability to out-maneuver government regulators repeatedly and ride roughshod over the privacy rights of consumers. Google continues to be disingenuous about its practices,” says John Simpson, privacy project director at US organization Consumer Watchdog.
Google, he adds, has a history of “failing to either respect the privacy of its users or even to comply with prior privacy undertakings”. Consumer Watchdog has called for tougher sanctions against the internet giant.
The issue of third-party web tracking can be dated back to the first popularisation of the internet in the mid-1990s, says Mayer. This is when web browsers were starting to integrate more sophisticated capabilities than merely displaying static text. “There was a recognition at the time that with this sophisticated functionality came the ability to learn an awful lot about what users were doing on the web,” says Mayer.
Browser makers, though, ultimately chose not to implement counter-measures. “Meanwhile, companies started to be founded based on the notion that they could follow individual consumers round the web, learn what their interests are, and make predictions on what could be relevant to them and sell that information for targeted advertising,” says Mayer.
Google’s breach of Safari’s privacy settings is not the first time that companies have creatively tried to evade them to build their databases of people’s browsing history.
Some marketing networks even devised ways to exploit a bug in older browsers, enabling them to uncover a web user’s history by serving up invisible links and then interrogating the browser to find out what “colour” the link was: if a link had been clicked, then it would typically be displayed by the browser in purple rather than blue.
“We found these guys [a company called Epic Marketing] were doing this for over 15,000 URLs, including the National Institute for Health website,” says Mayer.
Many web-tracking companies build their information databases almost without discrimination. Health websites, for example, are a particularly sensitive issue, given that they can betray deeply personal information – but information that could be highly valuable to advertisers.
Furthermore, if the “first party” website wraps a user name into a URL – which isn’t uncommon – that can be passed on to a third-party and associated with the user’s browsing history. “It only takes a little bit of identifying information ‘leakage’ to make web tracking identifiable. We found that it was going on all over the place,” says Mayer.
Often, though, the process is more straightforward, with companies simply sharing what they know – often information gleaned from registration processes.
For example, in 2011 Mayer and his Stanford research colleague John Mitchell discovered that online dating site OKCupid was sending information about how often subscribers admitted to drinking, smoking and doing drugs to Lotame, an online data company that counts publishers Condé Nast and IDG among its customers.
But for Google, the Safari breach was not a one-off, as far as online privacy campaigners are concerned.
Google Buzz was a social network launched in February 2010 and unceremoniously buried 18 months later.
It integrated Picasa, Flickr, Google Latitude, Google Reader, Google Sidewiki, YouTube, Blogger, FriendFeed, identi.ca and Twitter, and made weak privacy settings the default. This included making public the names of Gmail contacts that the user most frequently emailed or chatted with.
Just a month after Buzz was buried, Google changed its company-wide privacy settings to enable it to unify the collection and storage of user data across the whole of its online estate. Today, user data is shared across all of Google’s websites – including search, YouTube, Google+, everything – with no opt out.
Mobile raises the stakes still further with Lotame, for example, boasting market data on 30 million Android device users, while Apple iOS users have been tracked thanks to the inclusion of the UDID unique tracking number in iOS.
Google, for example, knows every search made on an Android device via its search service – which accounts for more than 90 per cent of the UK search market, according to Experian Hitwise – and every app download in its Google Play store, too.
Given the undercurrent of discontent with commercial tracking on the web, the tracking industry itself has devised a system of self-regulation with “Do Not Track”, a supposedly universal web tracking opt-out.
Do Not Track signals a user’s opt-out from web tracking with an HTTP header field that requests a web application to disable tracking. It is currently supported by Firefox, Safari, Internet Explorer and Opera – but not Google Chrome – and is being standardised by the World Wide Web Consortium (W3C).
However, when Mayer investigated whether web tracking companies were honouring Do Not Track, he found that more than half were simply ignoring it.
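The kind of check described above can be sketched as follows. This is an added example, not Mayer's methodology or code from the article: it compares the `Set-Cookie` responses a tracker sends with and without `DNT: 1` and flags trackers that still set a long-lived identifier cookie. The tracker names, sample responses and thresholds are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Heuristic thresholds: assumptions for this example, not values from the article.
MIN_ID_LENGTH = 16        # long enough to hold a per-browser identifier
MIN_LIFETIME = 24 * 3600  # seconds; the cookie outlives a single day
NOW = datetime(2012, 10, 1, tzinfo=timezone.utc)  # fixed clock, repeatable results


def dnt_enabled(request_headers):
    """True when the request carries 'DNT: 1' (header names are case-insensitive)."""
    return any(k.lower() == "dnt" and v.strip() == "1"
               for k, v in request_headers.items())


def lifetime_seconds(morsel, now=NOW):
    """Cookie lifetime from Max-Age (preferred) or Expires; 0 for session cookies."""
    try:
        if morsel["max-age"]:
            return int(morsel["max-age"])
        if morsel["expires"]:
            return (parsedate_to_datetime(morsel["expires"]) - now).total_seconds()
    except (TypeError, ValueError):
        pass  # unparseable attribute: treat as a session cookie
    return 0


def identifier_cookies(set_cookie_lines, now=NOW):
    """Names of cookies that look like long-lived unique identifiers."""
    names = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            if (len(morsel.value) >= MIN_ID_LENGTH
                    and lifetime_seconds(morsel, now) >= MIN_LIFETIME):
                names.append(name)
    return names


def audit(observations):
    """Map each tracker to a verdict from cookies set with and without DNT: 1."""
    seen = {}
    for obs in observations:
        slot = seen.setdefault(obs["tracker"], {"dnt": [], "plain": []})
        key = "dnt" if dnt_enabled(obs["request_headers"]) else "plain"
        slot[key].extend(identifier_cookies(obs["set_cookie"]))
    verdicts = {}
    for tracker, slot in seen.items():
        if slot["dnt"]:
            verdicts[tracker] = "ignores DNT"
        elif slot["plain"]:
            verdicts[tracker] = "honours DNT"
        else:
            verdicts[tracker] = "no identifier cookie seen"
    return verdicts


# Constructed sample observations (hypothetical trackers, not captured traffic).
OBSERVATIONS = [
    {"tracker": "ads.example", "request_headers": {"User-Agent": "test"},
     "set_cookie": ["uid=7f3c9a1e5b2d4c6f8a0b; Max-Age=63072000; Path=/"]},
    {"tracker": "ads.example", "request_headers": {"DNT": "1"},
     "set_cookie": ["uid=OPT_OUT; Max-Age=63072000; Path=/"]},
    {"tracker": "metrics.example", "request_headers": {},
     "set_cookie": ["vid=c0ffee1234567890abcdef; Expires=Wed, 01 Jan 2020 00:00:00 GMT"]},
    {"tracker": "metrics.example", "request_headers": {"dnt": "1"},
     "set_cookie": ["vid=c0ffee1234567890abcdef; Expires=Wed, 01 Jan 2020 00:00:00 GMT"]},
    {"tracker": "cdn.example", "request_headers": {"DNT": "1"},
     "set_cookie": ["sess=ab12; Path=/"]},
]

if __name__ == "__main__":
    for tracker, verdict in audit(OBSERVATIONS).items():
        print(f"{tracker}: {verdict}")
```

A cookie-based check of this kind only catches identifier cookies; it says nothing about tracking that relies on other signals such as the IP address.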
The privacy features built into all major web browsers are no solution either. Introduced when Apple Safari debuted “private browsing” in April 2005, these enable users to browse without their history being stored locally. But they don’t stop users being tracked by advertisers and marketers when they visit web sites in exactly the same way that they would in a normal session.
Cookies may be deleted at the end of the private browsing session, but the user is still identifiable by their IP address.
Anonymous proxy servers are also widely used, not for the purpose of privacy, but to enable staff to skirt corporate web blocks – because the user is connecting to the proxy and not the banned website – and for people to view content restricted to people in a certain geographic location. They are popular, for example, to enable people outside the UK to watch programmes on the BBC iPlayer.
However, while the basic service is free, users have to pay a subscription for unlimited access, connections via faster servers and – surprise, surprise – no advertising.
An increasingly popular application, though, is the Tor web browser, a freely downloadable tool designed to facilitate anonymous, untrackable web browsing.
Tor works by using a system of “onion routing” (its original name was “The Onion Router”). Properly configured, it provides an encrypted connection to other nodes in the Tor network through which online sessions are conducted.
As the data is transferred through the network, it is encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a “layer” of encryption before passing the data on to the next relay and, ultimately, its destination.
However, that last hop from the final node to the destination server has to be unencrypted, opening up a key weakness of the system.
Dan Egerstad, a Swedish security researcher, ran five Tor nodes. Sniffing exit data traffic from these nodes, he was able to uncover server IP addresses, email accounts and their passwords for sensitive data from – in particular – developing countries’ embassies, the UK Visa Application Centre in Nepal and more than 1,000 corporate accounts.
“Because anyone can join the Tor network, Tor users necessarily pass their traffic to organisations they might not trust: various intelligence agencies, hacker groups, criminal organisations and so on,” said security expert Bruce Schneier, at the time the flaw was uncovered by Egerstad in 2007.
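The layering and the exit-relay weakness described above can be seen in a small simulation. This is an added example, not Tor's code: the cipher is a toy SHA-256 keystream standing in for Tor's real cryptography, and the relay keys, host name and credentials are constructed. It shows that the last relay holds exactly what the client sent, so only content that is itself encrypted end to end stays unreadable there.

```python
import hashlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). It stands in for Tor's real
    ciphers only to show layering; do not use it to protect data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(payload: bytes, relay_keys: list) -> bytes:
    """Client side: add one layer per relay, the exit relay's layer innermost."""
    cell = payload
    for key in reversed(relay_keys):
        cell = keystream_xor(key, cell)
    return cell


def relay_views(cell: bytes, relay_keys: list) -> list:
    """What each relay holds after removing its own layer, entry relay first."""
    views = []
    for key in relay_keys:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views


def exit_sees_secret(payload: bytes, secret: bytes, relay_keys: list) -> bool:
    """True if the last relay can read `secret` in the data it forwards."""
    return secret in relay_views(wrap(payload, relay_keys), relay_keys)[-1]


# Constructed sample data: hypothetical keys, host and credentials.
RELAY_KEYS = [b"entry-key", b"middle-key", b"exit-key"]
SECRET = b"password=hunter2"
PLAIN_LOGIN = (b"POST /login HTTP/1.1\r\nHost: mail.example\r\n\r\n"
               b"user=alice&" + SECRET)
# The same login protected end to end with a key that only the client and the
# destination share (the role TLS plays in practice).
E2E_KEY = b"client-destination-session-key"
PROTECTED_LOGIN = keystream_xor(E2E_KEY, PLAIN_LOGIN)

if __name__ == "__main__":
    print("exit relay reads plaintext login:",
          exit_sees_secret(PLAIN_LOGIN, SECRET, RELAY_KEYS))
    print("exit relay reads protected login:",
          exit_sees_secret(PROTECTED_LOGIN, SECRET, RELAY_KEYS))
```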
Some people conjecture that it was deliberately architected to be insecure by design. It was, after all, established in 2002 having been originally sponsored by the US Naval Research Laboratory, and continues to be supported by the US State Department. At the same time, Tor is also a haven for all kinds of very illegal activities.
Cynics have argued that state agencies – normally US-based – are almost certainly crawling all over Tor, only tolerating its worst excesses to provide a cover for their own nefarious activities – while using its shortcomings to gather the intelligence they want from people seeking Tor’s supposed anonymity.
It does, though, perhaps illustrate that while the activities of Google and many other over-eager online marketing companies are irritating, it is various governments’ own online surveillance efforts that ought to be feared.
SB 1298 directs the Department of Motor Vehicles to write regulations covering robot cars by January 2015, but the Legislature didn’t require Google to come back for final approval before the driverless cars go from testing stage to the car lot. The law, written by Sen. Alex Padilla, provides no real privacy protections, the nonpartisan, nonprofit group said.
“Substantial safety and liability questions remain,” said John M. Simpson, Consumer Watchdog’s Privacy Project director. “On the privacy issue, the law gives the user no control over what data will be gathered and how the information will be used.”
Consumer Watchdog said that there is little question that driverless car technology will become a reality. The problem is the way the Legislature and Governor rushed to endorse the technology without considering its ramifications.
“What this demonstrates more than anything else is Google’s ability to dazzle and get its way,” said Simpson. “The governor and many legislators have been taken for a ride by Google, and I don’t just mean in the Internet giant’s driverless test vehicles.”
While questions do remain, for the time being, the law does not give carte blanche to Google to send driverless cars on to roads. According to Sharon Ashley, Business Development Manager, Canada for Summit Software and Marketing Solutions, “There needs to be an actual licensed driver in the vehicle in case they need to take control of the vehicle.”
But Consumer Watchdog warns that rushed technological policy shifts have seen some poor results for California in the past. The last time Sacramento moved so quickly on such an extraordinary technological policy shift was over electricity deregulation, which ended with unprecedented massive blackouts engineered by energy companies like Enron, Consumer Watchdog said.
The time to ensure that the new driverless car technology has the necessary safety and privacy protections is while it is being designed and developed, according to Consumer Watchdog. Trying to catch up after a new technology is developed and broadly implemented simply will not work.
“Google has repeatedly demonstrated that it only pays lip service to privacy concerns and repeatedly violated consumers’ privacy,” said Simpson. “Consumers must have the right to give opt-in consent before any data gathered through driverless car technology is used for any purpose other than driving
Again, it is clear that driverless car technology is coming, so collision repairers need to be aware of the potential impact that this technology might have on their businesses and the industry in the mid to long range future.
“From a collision perspective, I think the body shops need to be prepared for the future as technology continues to change and they need to be prepared to invest in both their staff and equipment,” said Ashley. “Without ongoing training and more sophisticated tools that will be required to repair these types of vehicles, we could see a great deal of poorly repaired cars in the not too distant future.”
How times have changed from the late-1970s when Brown was given the nickname “Governor Moonbeam” for promoting such futuristic ideas as California launching its own satellites. Brown, 74, was just 36 when he was first elected governor of California.
Even back then he was ahead of the curve championing car pool “diamond lanes” on crowded state freeways and pushing for windmills and burning wood chips to generate electrical power.
Forty years later the self-driving car is a reality and search giant Google lobbied hard for the vehicles that have shown they can drive themselves after some 300,000 miles of testing without an accident on roads as challenging as California’s winding coastal Highway 1.
Google cars have been negotiating U.S. roads for a couple of years and California, like most states, had no law saying that cars must have drivers. Just the idea of a driverless car makes lawyers ask “who do you sue?”
The Los Angeles Times said SB 1298, called the “Google Car” bill, caught Brown’s attention as soon as it reached his desk after passing in the California Legislature. The law regulating autonomous vehicles initially had been opposed by the Alliance of Automobile Manufacturers, which eventually came around.
“I said, ‘Wow. This sounds kind of Moonbeam,’” Brown told the Times. “I want to look at this a little more carefully.”
Brown carpooled to Google headquarters in Mountain View Tuesday in a self-driving Toyota Prius with Google co-founder Sergey Brin to sign the legislation, which allows self-driving cars on state roads by 2015, making California the third state to legalize driverless vehicles. Nevada and Florida both permit self-driving vehicles.
“Today, we’re looking at science fiction becoming tomorrow’s reality,” said Brown. “This self-driving car is another step forward in this long march of California pioneering the future and leading not just the country, but the whole world.”
For now, a licensed human driver must be seated behind a driverless car’s steering wheel in case the need to take over arises in areas like highway construction zones. The law also authorizes the state Department of Motor Vehicles to establish criteria on safety and liability that manufacturers must meet to build and sell self-driving cars.
Brin predicts driverless cars will be available to consumers within five years.
“You can count on one hand the number of years it will take before ordinary people can experience this,” he said.
“I expect that self-driving cars are going to be far safer than human-driven cars,” Brin told an audience of applauding Google employees. “Self driving cars do not run red lights.”
The technology uses cameras, computers and sensors to negotiate traffic and Google Street View and GPS-based services to navigate.
“Self-driving cars have the potential to significantly increase driving safety,” Google said in a statement.
With all that technology at work, John Simpson, director of Consumer Watchdog’s privacy project, says manufacturers will have to let the public know in writing how much data about them and their movements is being collected by the driverless vehicle.
“We think the provision needs to be that the information should be gathered only for the purpose of navigating the vehicle, retained only as long as necessary for the navigation of the vehicle and not used for any other purpose,” he told the San Francisco Chronicle.
Consumer Watchdog is calling for ICANN to keep a close eye on enormous corporations such as Google and Amazon, and to reject applications made to buy new Top Level Domains (TLDs) in bulk.
The watchdog addressed the open letter to ICANN’s board and CEO and other relevant parties. John M Simpson, privacy project director at Consumer Watchdog, said that there are plans by Google and Amazon to buy up enormous amounts of new TLDs. Simpson argues that it is one matter for a company to buy associated domains such as .Google, .YouTube, .Android, .Amazon, or .Kindle, but says that is not what they are looking to do.
Simpson pointed out that Google is using a subsidiary, Charlestone Road Registry, to spend $18.7 million on domain names such as .eat, .buy, .book, .free, .web, and .family, while Amazon has applied for .free, .like, .game, and .shop. They are looking to buy 101 and 76 domain strings respectively.
Consumer Watchdog said in its letter that generic words are not the property of any one company, and that when they are used in a generic way, they belong to all people. But, the watchdog points out, if the companies are allowed to buy generic names, they will be closing off common words over which they have no intellectual property rights and which are not even associated with their brands. Simpson warns that ICANN will be allowing the companies to “circumvent nation-states’ entrenched legal processes for obtaining legitimate and recognised trademark protections”.
In doing so, the argument is that corporations will effectively be privatising parts of the internet – with the possibility of becoming walled gardens.
“Both Google and Amazon are already dominant players on the internet,” Simpson said. “Allowing them further control would threaten the free and open internet that consumers rely upon.”
Gov. Edmund “Jerry” Brown signed the autonomous-vehicles bill into law Tuesday afternoon alongside Google co-founder Sergey Brin and State Sen. Alex Padilla, who authored the bill, at Google’s headquarters in Mountain View, California. The bill, SB 1298, will set up procedures and requirements for determining when the cars are road-ready.
Brin hopes that self-driving cars will be able to drive on public streets in five years or less.
“Anybody who first gets in the car and finds the car is driving will be a little skittish. But they’ll get over it,” said Brown when asked if the California Highway Patrol was on board with the plan.
The cars use a combination of technologies, including radar sensors on the front, video cameras aimed at the surrounding area, various other sensors and artificial-intelligence software that helps steer. Google is the most visible company working on these types of vehicles, but similar projects are under way at other organizations, including Caltech.
Google has already been testing the cars on the road in Nevada, which passed a law last year authorizing driverless vehicles. Both Nevada and California require the cars to have a human behind the wheel who can take control of the vehicle at any time.
So far, the cars have racked up more than 300,000 driving miles, and 50,000 of those miles were without any intervention from the human drivers, Google says.
There have been no accidents while the cars were controlled by the computer. The only documented accident with one of the Google vehicles was a fender bender that took place while a human was in control.
Brin, who sported a pair of Google glasses at the media event without comment, said the cars could address a variety of current transportation issues. First and foremost, he said, the self-driving cars would be safer than human-driven cars. There were just under 33,000 deaths from motor vehicle accidents in the United States in 2010.
They also could ferry around people who are usually unable to drive, such as blind people.
“Some people have other disabilities, some people are too young, some people are too old, sometimes we’re too intoxicated,” said Brin.
Ideally, a car that drives itself can minimize traffic by chaining together with other self-driving vehicles and using highways more efficiently. Drivers wouldn’t be limited to listening to NPR and honking during their morning commute; instead they could use that time to be productive, like the millions of people who take public transit currently do.
Brin also discussed the many parking lots in urban and suburban areas, calling them “a scar to the surface of the Earth.” Self-driving cars would be able to drop you off at work and then pick up another person instead of idling in a parking lot. If you did opt to own your own car, it could park itself in the most efficient way possible.
Consumer Watchdog, a consumer-rights group, has expressed reservations about the cars on privacy grounds, saying they would allow Google to gather personal information about passengers.
Google’s fleet of vehicles started with Toyota Prius Hybrids and later added the Lexus RX450h, a crossover SUV, to test on different terrain. The project is directed by Sebastian Thrun, who also co-founded Google Street View.
There are many legal and technical problems still to be worked out before the cars are commonplace. Asked who would get the ticket when a driverless car runs a red light, Brin replied, “Self-driving cars do not run red lights.”