Belgian regulators demand Facebook stop tracking logged-out users

Published: May 17, 2015

“The Belgian data protection authority has told Facebook to stop tracking users who log out or those that have never registered for the social network.”

The Belgian privacy commission has told Facebook to stop tracking the internet activities of people who have not registered with the site or have logged out, after a “staggering” report showed alleged breaches of EU privacy law.

“Facebook tramples on European and Belgian privacy laws”, the data protection authority said in a statement. “Facebook has shown itself particularly miserly in giving precise answers,” it continued, adding that the results of its investigation were “disconcerting” and that it would take legal action if its recommendations were not followed.

Willem Debeuckelaere, president of the Belgian privacy commission, said that the way Facebook is treating its users’ private lives “without respect needs tackling”, and that “it’s make or break time.”

According to a report commissioned by the Belgian data protection agency, Facebook has been tracking users on a long-term basis who visit any page — be it a fan page, profile or any other portion of the site that does not require a Facebook account to visit — belonging to the Facebook.com domain.

The opinion published on Friday noted that because Facebook has the power to link internet users’ browsing habits to their real identity, social network interactions and sensitive data including medical information, religious, sexual and political preferences, it is in a unique position compared to most of the other cases of so-called “third-party tracking”.

[Source: The Guardian]

Via BoingBoing.

Who spies on your browsing history?

Published: December 2, 2010

Cory Doctorow of Boing Boing writes:

We’ve written before about the security vulnerability that allows websites to sniff your browsing history. A paper from UC San Diego computer science department researchers, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications [PDF], surveys which websites use this invasive technique against their users. YouPorn tops the list, but PerezHilton, Technorati, TheSun.co.uk, and Wired are also spying on their users’ browsing habits by exploiting this vulnerability.

Cory Doctorow @ Boing Boing

Facebook’s ‘Like This’ Button Is Tracking You

Published: November 30, 2010

“A researcher from a Dutch university is warning that Facebook’s ‘Like This’ button is watching your every move. Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not. Roosendaal says that Facebook’s tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the ‘Like This’ button and Facebook Connect.”

Slashdot

Security Expert Warns of Android Browser Flaw

Published: November 27, 2010

Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. ‘While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,’ Cannon wrote. ‘It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.’

Slashdot

Here’s a good assessment of the problem:

So let’s say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.

Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it’s really serious it’ll probably pop up in the next Patch Tuesday. If it’s hyper-serious then it might come out three or four days after the vuln was announced.

That’s not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can’t give you any patches because the HP customizations are a fork of MS’s source [code]; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.

Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you’re lucky.

Peganthyrus @ Slashdot

Deep Packet Inspection Set To Return

Published:

[T]wo US companies, Kindsight Inc. and Phorm Inc., are pitching deep packet inspection services as a way for Internet service providers to claim a share of the lucrative online ad market [Shunned Profiling Technology on the Verge of Comeback]. Kindsight and Phorm say they protect people’s privacy with steps that include obtaining their consent. They also say they don’t use the full power of the technology, and refrain from reading email and analyzing sensitive online activities. Use of deep packet inspection this way would nonetheless give advertisers the ability to show ads to people based on extremely detailed profiles of their Internet activity. To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users’ interests. Both would share ad revenue with the ISPs. Kindsight says its technology is sensitive enough to detect whether a particular person is online for work, or for fun, and can target ads accordingly.

Slashdot

WSJ Warnings About Cookies Carry Cookies

Published: November 15, 2010

“The Wall Street Journal has ‘a pretty useful section tracking privacy issues, privacy protection tools and the threats thereof from online marketers, from the point of view and on the technical level of a relatively savvy consumer,’ says blogger Kevin Fogarty. The downside: He discovered that reading two stories from the WSJ’s privacy section left behind deletion-resistant Flash cookies.”

Slashdot

In the News

Published: October 11, 2010

New Web Code Draws Concern Over Risks to Privacy

Worries over Internet privacy have spurred lawsuits, conspiracy theories and consumer anxiety as marketers and others invent new ways to track computer users on the Internet. But the alarmists have not seen anything yet.

In the next few years, a powerful new suite of capabilities will become available to Web developers that could give marketers and advertisers access to many more details about computer users’ online activities. Nearly everyone who uses the Internet will face the privacy risks that come with those capabilities, which are an integral part of the Web language that will soon power the Internet: HTML 5.

Tanzina Vega @ New York Times [via Slashdot]

New Tool Blocks Downloads From Malicious Sites

Science Daily Headlines reports that a new tool has been developed (funded by the National Science Foundation, US Army Research Office and US Office of Naval Research) to prevent ‘drive-by downloads’ whereby simply visiting a website, malware can be silently installed on a computer to steal a user’s identity and other personal information, launch denial-of-service attacks, or participate in botnet activity. The software called Blade — short for Block All Drive-By Download Exploits — is browser-independent and designed to eliminate all drive-by malware installation threats by tracking how users interact with their browsers to distinguish downloads that received user authorization from those that did not. ‘BLADE monitors and analyzes everything that is downloaded to a user’s hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,’ says Wenke Lee, a professor in the School of Computer Science in Georgia Tech’s College of Computing. Blade’s testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and has an interesting display of the infection rate of different browsers, the applications targeted by drive-by exploits, and the anti-virus detect and miss rates of drive-by binaries.

Hugh Pickens @ Slashdot