Archive for Privacy and Security

LivingSocial Hacked; 50 Million Users Affected

The daily deals service LivingSocial has been hacked and will begin sending notifications out to users this afternoon.

Fifty million of the company’s 70 million users were affected.

Only users in Thailand, Malaysia, Indonesia, and the Philippines are free of risk, since the company uses different storage systems in those countries.

“LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue,” CEO Tim O’Shaughnessy wrote in an internal memo obtained by AllThingsD.

The compromised information includes names, email addresses, encrypted passwords and, in some cases, date of birth. LivingSocial specified that it encrypts passwords by hashing and salting them.

The database that stores customer credit card information was not affected by the attack, the company said.

“We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust,” CEO Tim O’Shaughnessy wrote in the leaked memo.

Amazon owns a 29 percent stake in the struggling deals company, whose co-founder and chief technical officer Aaron Batalion quit a month ago.

New Career Opportunities Daily: The best jobs in media.

Dutchman Arrested in Connection With Massive Cyberbunker DDoS Attacks

A Dutch citizen was arrested yesterday in Barcelona in connection with March DDoS attacks on behalf of rogue hosting service Cyberbunker that were aggressive enough to threaten the core infrastructure of the Internet, according to a Dutch press release.

(Full disclosure: We read a computer-generated English translation.)

The house where the man, identified as S.K., was living was searched, and computers, drives and mobile phones were seized.

The attacks appear to have stemmed from a dispute between Cyberbunker hosting service and Spamhaus, an informal anti-spam group that publishes a blacklist of spammers and the services that support them.

According to security researcher Brian Krebs, the man arrested was likely Sven Olaf Kamphuis, who was quoted as a representative of Cyberbunker in the New York Times article about the digital attacks. Kamphuis’s Facebook profile picture appears at left.

The investigation was conducted in the Netherlands by the High Tech Crime Team. S.K. was arrested in Spain with the help of Eurojust, an E.U. judicial collaboration, and is expected to be sent to the Netherlands for trial.

Studies Point to Generation Gap in Online Privacy Concerns

Two studies released this week show that so-called millennials and adults in their thirties and beyond view online privacy differently and take different approaches to protect it.

A study conducted by the University of Southern California’s Annenberg Center for the Digital Future and Bovitz research firm found that those aged 18-34 were more willing to trade private information for discounts and customized online experiences than older users.

“Online privacy is dead — Millennials understand that, while older users have not adapted,” said Jeffrey I. Cole, director of the USC Annenberg center.

More than half of the millennials said they would share their location with companies in order to receive deals at nearby businesses, while 42 percent of users 35 and older would.

Still, a full 70 percent of millennials said no one should be allowed to access their “personal data or web behavior,” compared to 77 percent of the older users.

The Abine survey looked at the specific actions younger and older users had taken to safeguard their online privacy.

Baby boomers, Abine found, were more likely to define privacy in terms of offline behaviors, while millennials often thought of it as a digital phenomenon.

Older users were 25 percent more likely to have done nothing to protect their online privacy. But more than half of the users of all ages would be willing to pay for greater privacy protection, though older users were generally willing to pay more.

“The fact that more than half of respondents would be willing to pay for more online privacy shows a real market demand for solutions. This shared consumer mindset and growing concern over the rise of big data will determine the future of the privacy industry,” said Abine CEO Bill Kerrigan.

Yet millennials were 84 percent more likely to distrust Facebook with their data, and 23 percent more of them consider censoring themselves online out of fear that what they say will come back to haunt them in the future, Abine found.

To Support User Privacy, Path Eschews Advertising Revenue

CEO and co-founder Dave Morin acknowledged that Path had experienced some stumbles related to user privacy, but said the company continues to focus on building a social network that supports privacy and refuses to monetize user data.

The mobile-only social network will not turn to advertising to establish a revenue model, Morin said late Friday at South by Southwest.

“From the beginning, we’ve had a very strong opinion about how we want to make money. The real thing we believe is if users don’t understand how you make money, there’s a problem. The way we think of our business model is that we want to sell things directly to users,” he said.

Path’s launch yesterday of stickers, or custom emoticons, has put the company closer to a viable revenue model that doesn’t rely on advertising. In the first 24 hours, stickers brought in more revenue than Path’s previous in-app purchase, photo filters, did in an entire year, according to Morin.

Path has billed itself as a more private social network than Facebook, but it has met with its share of controversy over its handling of user data. Just over a year ago, users and privacy advocates squawked when it was revealed that Path was uploading their mobile address books without asking for permission. Last month, it paid an $800,000 fine stemming from the Federal Trade Commission’s investigation of the practice.

Morin insisted, however, that Path handled contact data in an “industry-standard way.” (Indeed, the fine stemmed from uploads of personal information from several minors who were allowed to sign up for the service despite a professed ban.)

The address books were accessed in order to provide users with a list of their contacts who were also on Path. Users had failed to understand that the matching they saw in the app necessitated Path uploading the data to its own servers, according to Morin.

“This was sort of an education issue with us,” Morin said.

Just last month, Path stumbled again, as a developer revealed that Path had uploaded his location without his permission, using the metadata of a photo he shared on the network.

Privacy is an area so loaded with “landmines,” Morin said, that other entrepreneurs frequently ask him why he even bothers to try to build privacy into Path.

“We keep having to talk about [privacy], but that’s a good place to be,” he said.

The social network limits a user’s social connections to 150.

“What that does at network scale is create a network that’s a lot more intimate,” Morin said.

Unlike Twitter and Facebook, Path sees more usage at night and on the weekend, indicating that users see it as a part of their personal, rather than professional, identities. As a secondary effect, the friend cap also effectively bars brands from the platform.

Path also limits tagging and other information streams to ensure that users never “lose control” of their own content.

The company is betting that more and more users will turn to social platforms where marketers don’t eavesdrop on their private conversations.

Users are already beginning to experience social fatigue, accounting for the popularity of products like Snapchat, he said.

The real test for apps like Path will be whether users shy away from Facebook as it employs their data more and more explicitly for marketing purposes. In January, the company turned on Graph Search, which makes users’ information searchable and turns every like and check-in into a potential endorsement. Last month, it announced it would support advertising to users targeted using the controversial practices of data brokers. And shortly thereafter, it announced it would acquire the ad network Atlas.

Users May Be Sharing More Than They Realize When Downloading Apps Through Google Play

iOS developer Dan Nolan was appalled to learn as he marketed his first Android app that Google was providing him with the name, email address and city of every user who purchased his app.

Google Play facilitates a transaction between the developer and the user; it does not position itself as the merchant. The transaction relies on Google Wallet and thus on its privacy policy. Google provides the seller with all of the information s/he would need if the user had bought a physical product rather than a digital one.

Individual apps have faced user backlash and even fines for grabbing information about a user from his or her phone without first asking permission.

“This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information,” Nolan wrote on his blog.

Nolan received the information even when users had canceled their orders, he said. Users must also use their full name to publish app reviews on Google Play.

“With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase,” Nolan said.

Jonathan Mayer, a highly regarded Stanford graduate student in computer science who has written about privacy, thought Google could have “an FTC problem,” meaning that the Wallet privacy policy could be considered deceptive when compared to Google’s actual handling of consumer data.

To defend itself, Google will “have to lean hard on [the word] ‘necessary’ in the Wallet privacy policy,” Mayer tweeted.

Google did not respond to a request for comment.

Document Startup Tracks Changes to Online Privacy Policies

Docracy, a startup that uses version-tracking to facilitate the exchange of legal documents, has begun tracking websites’ terms of service, motivated by the dust-up over Instagram’s changes to its privacy policy.

“There is already a lot of scrutiny on the privacy policies of the largest sites, such as Facebook, Twitter and Google. However, other sites are able to ‘fly under the radar,’ effecting changes to their policies that may catch their users unawares,” the company said on its blog.

Operational since late January, the tracker monitors 953 sites using the same kind of Web crawlers Google Search does. On the landing page is a list of sites whose policies have most recently changed. Users can expand each listing to get an overview of the changes and a blow-by-blow account of the language that has changed.

Privacy experts greeted the site with enthusiasm.

“Oh man, I think it’s great,” said Sarah Downey, a privacy attorney at Abine, a privacy-focused software company.

“It’s definitely a win for users to have a clear, simple, one-stop shop for privacy policy changes. To say it’s tough to stay on top of privacy policies is an understatement,” Downey said, citing a study that found that Internet users would have to spend 40 minutes a day reading privacy policies in order to read all that applied to them.

“It makes sense that [the problem] ultimately requires a technology solution: humans simply can’t keep up with privacy policies,” she said.

Justin Brookman, director of the Center for Democracy and Technology’s consumer privacy project, said he planned to add a bookmark to the site.

“This site seems to do a great job of highlighting the changes and appears to be a powerful resource for consumers who want to stay informed,” he said.

But Docracy’s tracker leaves some aspects of online privacy unaddressed.

“The limitation is that privacy policies rarely describe in detail what the companies are actually doing, but instead what the companies want to reserve the right to do,” Brookman said.

Sometimes, privacy policies also seem to promise the company won’t share user data in particular ways, when the company does in fact share the data. Such deceptive practices are illegal, with enforcement dependent on investigations by the Federal Trade Commission.

Popular Tumblr Highlights Facebook Graph Search Privacy Fears

Privacy concerns related to Facebook’s Graph Search are beginning to hit home today, as a Tumblr of “Actual Facebook Graph Searches” gained attention last night and this morning, but privacy experts think Facebook showed increased regard for user privacy with its launch of search.

Tom Scott launched the Tumblr yesterday, featuring clever searches such as Muslim men who like men and married people who like prostitutes. The searches rely mostly on users’ basic profile information and pages they’ve liked.

Scott has made a name for himself poking fun at Facebook, performing, for example, an act called “I Know What You Did Five Minutes Ago,” in which he calls a user from the stage and reveals what he knows about him.

But Scott also says Facebook has “good privacy settings.”

“I’m not sure I’m making any deeper point about privacy: I think, at this point, we’re basically all just rubbernecking – myself included,” he explained on the Tumblr.

Still, he says many people don’t fully understand how privacy settings work.

“If it’d be awkward if it was put on a screen in Times Square, don’t put it on Facebook. Oh, and check your privacy settings again,” Scott noted.

Privacy experts generally agreed that Facebook hasn’t violated users’ privacy with Graph Search, but said privacy on the social network continues to erode.

“Your privacy settings do govern the results on the search, so we can’t really say they’re disregarding people’s choices,” said Sarah Downey, a privacy analyst with Abine, which provides privacy software and updates.

“If there was ever a time to really lock down, that time is now,” she added.

Justin Brookman, director of the Center for Democracy and Technology’s consumer privacy project, noted that in the lead-up to the Graph Search launch, Facebook asked users to view their own information as it can be seen publicly.

“They’ve been doing a good job of messaging around hey, maybe you don’t know who you’re really sharing with,” he said.

Brookman thinks Facebook has learned, through some painful missteps, to take user privacy more seriously.

“There’s definitely more pressure on them. They’ve felt heat about this from regulators and from users, and they’ve lost a lot of good faith from users,” he said.

Still, Graph Search makes shared content easier to find and can display it, as Scott’s Tumblr shows, in contexts that the user might find troubling.

“My initial reaction is, as a user I’m kind of glad it’s there, but I do recognize that there will be scenarios in which it will expose information to people in ways they didn’t expect,” Brookman said.

Downey pointed to another problem: Graph Search takes spontaneous interaction and archives it permanently.

“You choose to like something, and then you forget about it. This will make it so people who are searching for you won’t forget about it. You get no chance to explain yourself,” she said.

And with the birth of search, potential employers and potential dates may increasingly turn to Facebook to vet candidates, as industry handicappers have noted.

Particularly as Facebook amasses a longer record of users’ lives in its databases, search could turn up results that no longer reflect a user’s opinion. Downey also frets that as Facebook continues to tinker with privacy settings, it could disclose in search content that users may not expect to be public.

“Facebook privacy settings are so notoriously complicated and they’re always changing, so reassuring people that their stuff is protected by Facebook’s settings is not really very reassuring,” she said.

But the most likely scenario is that Facebook will continue to improve Graph Search, and as it does, users will continue to share their day-to-day lives.

“Think about where it will be in 10 years if people are still using Facebook. There will be a lot of stuff on there,” Brookman said.

The data that Facebook has sorted for the first iteration of Graph Search is messy, as observers have noted: It hasn’t been structured to work in the way that the search tool uses it. But as the social network builds new features that are designed to work with search, its results will get cleaner.

Cleaner results, while good for Facebook and prospective employers, may shine a sharper spotlight on shared content users would rather forget.

Will Foursquare Dodge User Backlash As It Changes Privacy Policies?

Foursquare announced plans over the holiday weekend to change its privacy policies effective at the end of the month, which, while unlikely to cause the kind of brouhaha that Instagram’s proposed changes did, may not take effect without controversy.

“As our product evolves, one of the things we do is update our policies to match it. And a big aspect of that is privacy (something we think about a lot),” the company said in an email to users.

The company flagged plans to consistently display users’ first and last names, rather than first name and last initial, and to show business owners information about which users have checked in to their venue for the whole day rather than just three hours.

By emailing users individually, explaining the changes in simple terms and pointing them to a Privacy 101 page for more information, Foursquare is clearly hoping to avoid the kind of privacy flap Instagram has just gone through.

Privacy advocates thought the changes were less controversial than Instagram’s, but may still result in ruffled feathers for some users.

“The degree of the change is smaller. Going from displaying a user’s full name part of the time to displaying it all of the time is a much smaller change than what the text of the proposed Instagram policy would have allowed,” said David Jacobs, consumer protection counsel at the Electronic Privacy Information Center. 


But the company will have to do more than email its 30 million users to ensure that they aren’t taken by surprise by the move to use their last names, said Justin Brookman, director of the project on consumer privacy at the Center for Democracy and Technology.

“If you sign up being told that you’ll be disclosed to strangers as John M., you can’t just suddenly start disclosing him to the world as John McDonald,” he said.

Foursquare will have to put notification of the change directly into its user workflow to really ensure that users understand what’s at stake. “Typically, if you’re materially expanding the disclosure of previously provided information, like real name, you need users’ affirmative permission for that,” Brookman said.

According to Foursquare’s description in the email to users, the service now “sometimes shows your full name and sometimes shows your first name and last initial. For instance, if you search for a friend in Foursquare, we show their full name in the results, but when you click through to their profile page you don’t see their last name.”

Unlike Facebook, which owns Instagram, Foursquare does not forbid users to use pseudonyms. The service also allows users to opt out of having their check-ins included in activity reports for business owners.

“Privacy-sensitive users have more options for exercising control on Foursquare [than on Instagram], as they can edit their names in their account settings, and can restrict their visibility to businesses. It’s not just ‘take it or leave it,’” said Jacobs.

Congress Rejects Privacy Amendments, Approves Continued Wiretapping

The Senate today renewed the FISA Amendments Act of 2008, the bill widely seen as legalizing warrantless wiretapping, for five more years with a 73-23 vote.

The Senate also voted down four amendments that would have made law enforcement actions accountable, in limited ways, to Congress. One would simply have asked law enforcement agencies to provide an estimate to Congress of how many American citizens’ communications may have been intercepted.

The FISA law was originally established to create a process through which law enforcement agencies could obtain, without public disclosure, warrants to monitor potential foreign agents in the United States. Amendments have subsequently stretched the process to apply to those without explicit government backing and to allow for surveillance without a warrant in some circumstances.

The government is said to have used the law to monitor domestic Internet traffic, a practice which was hotly contested during the Bush administration.

“The Bush administration’s program of warrantless wiretapping, once considered a radical threat to the Fourth Amendment, has become institutionalized for another five years,” said Michelle Richardson, legislative counsel at the ACLU.

The Electronic Frontier Foundation called the program “a blight on our nation and our Constitution” in a blog post about today’s vote.

The FISA Amendments Act passed the House in September. It now goes to the president, who is expected to sign it.
