privacy

Does Phorm violate its own privacy policy?

Our Berkman colleague, Hal Roberts, "notes":http://blogs.law.harvard.edu/hroberts/2008/07/25/ernst-young-audit-overl... that Phorm (an ISP-based advertising system that has "raised some eyebrows with regard to consumer privacy":http://www.guardian.co.uk/technology/2008/mar/06/internet.privacy) may violate its own privacy policy:

bq. In fact, in a couple of hours of looking at the available technical information I found a significant breach of Phorm’s privacy policy missed by the audit: Phorm’s privacy policy claims that it will not disclose its Phorm IDs to any third parties, but a technical description of the system by Richard Clayton finds that Phorm does indeed share its IDs with web sites in a common usage scenario.

StopBadware.org has been keeping an eye on services such as Phorm and competitors such as NebuAd and Front Porch. At issue is that ISPs may deploy these services, which inspect a user's web traffic to profile the user and serve up relevant ads, without providing the clear notice and opportunity for consent that would give users control over their privacy. We're not alone in being concerned. The "U.S. Congress":http://computerworld.com/action/article.do?command=viewArticleBasic&taxo... and the "European Commission":http://www.theregister.co.uk/2008/07/16/eu_warns_uk_over_phorm/ have both gotten involved after reports of ISPs in the U.S. and the U.K. testing these advertising programs with no notice to their customers.

Outsource that Email Hack

Posted on July 24, 2008 - 17:24 by lmallek

Dancho Danchev has "blogged":http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html "repeatedly":http://ddanchev.blogspot.com/2007/04/outsourcing-spying-on-your-wife.htm... about the commercialization of badware producers, and this week he mentioned another example: "outsourced email hacking":http://ddanchev.blogspot.com/2008/07/email-hacking-going-commercial.html. The hackers-for-hire promise that their seven-step process, from submitting the information of the would-be victim to proof of execution and exchange of money, will be cleaner and yield better results than other methods (phishing, viruses, etc.).

Danchev ponders:

bq. Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers.

But how would you do business with people who make it their business to gain access without detection? Some email providers have stepped forward with more privacy features. For example, Gmail has added a "details feature":http://gmailblog.blogspot.com/2008/07/remote-sign-out-and-info-to-help-y... that allows users to view their account history, which logs time and IP addresses for recent access.

Another feature that I like: remote log-out, which should come in handy after logging into an account from a different machine, though it could become a hassle if your email is being controlled by a third party who decides to deny you access to your own email account.

Bavarian Government Gets Up Close and Personal

Posted on July 7, 2008 - 17:05 by lmallek

The German state of Bavaria has approved laws that "allow the police to plant spyware":http://www.theregister.co.uk/2008/07/07/bavaria_police_spyware_plan/ on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers by email, Bavarian laws allow police to enter a suspect's home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann "gave short shrift to [privacy] objections, stating that Bavaria is leading the field in 'internal security' in becoming the first German state to approve the plan."

This step taken by the Bavarian government "counters a ruling":http://arstechnica.com/news.ars/post/20080227-german-court-says-policewa... earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.

In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to "monitor and record":http://www.boingboing.net/2008/01/26/german-govt-caught-b.html Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade its citizens' computers.