Facebook users are too willing to give out their personal information, security firm Sophos has found.
According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.
After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.
Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."
The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."
Sophos' concerns over the way Facebook users are keeping information private comes on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
(Credit:
Echometrix)
The Department of Defense has pulled a parental control product from its online store serving military families after learning that the company collects childrens' data, according to documents the Electronic Privacy Information Center (EPIC) obtained from the government agency.
EPIC has filed a complaint (PDF) with the Federal Trade Commission alleging that Echometrix, maker of FamilySafe parental control software, violates the Children's Online Privacy Protection Act by collecting personal information from children and disclosing it to third parties for market intelligence purposes. Echometrix denies the allegations.
After learning that the Defense Department's Army and Air Force Exchange Service (AAFES) Web site offers the Echometrix product for sale, EPIC filed a Freedom of Information Act request with the Defense Department.
The agency complied with the FOIA request. Among the documents provided to EPIC were e-mails between Echometrix and a manager at the AAFES Exchange Online Mall who wanted to know how customer information is collected and whether it is used for marketing purposes.
"During the installation process we fully disclose all of Family Safe's procedures and clearly display an opt-out button for all anonymous aggregate data sharing in our (EULA) End User License Agreement," an Echometrix e-mail explains.
"The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited" by the agreement retailers sign to sell products through the AAFES site, the online mall manager writes in an e-mail. "Giving our customers the ability to opt out does not address this issue. [It] is prohibited in any case. Because of this, we must remove Sentry Parental Controls from the Exchange Online Mall."
Asked for comment, a Department of Defense spokeswoman said the Echometrix product was available on the online mall from September 25 until October 15. "To the best of our knowledge, no military personnel signed up for the service during the approximately three weeks it was available," Air Force Lt. Col. April D. Cuningham, the public affairs officer, wrote in an e-mail.
Echometrix collects information from children to help parents filter out Web sites, analyzes that information and then sells it to third-parties for market intelligence research, said Kimberly Nguyen, the EPIC lawyer who is handling the case.
The data includes personally identifiable information of children, including IM screen names which can be linked to e-mail addresses, she said.
"The collection of childrens' data raises serious privacy concerns, and even the Defense Department realizes that," Nguyen said in an interview.
Echometrix denied the allegations.
"Echometrix does not collect personally identifiable information or expose the source of any digital content. The company has never and will never collect, distribute or sell personal information as defined by COPPA (the Children's Online Privacy Protection Act)," the company said in a statement.
The FTC did not respond to an e-mail seeking comment.
Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.
But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.
Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.
Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.
Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.
Look for trust seals, but verify they're legitimate
(Credit: BBBOnline)It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.
When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.
If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.
Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.
Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.
It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.
Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.
Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.
Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."
Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.
As the World Trade Center and Pentagon were ablaze on September 11, 2001, the U.S. Secret Service's presidential protective detail was informed that a "Korean airliner has been hijacked" en route to San Francisco, prompting already-skittish agents to worry about another wave of terrorist attacks.
That morning and afternoon, Secret Service agents assigned to protect the president and his family found their pagers constantly buzzing with alerts both true and false. There was a false alarm about a car bomb in downtown Washington, D.C., a report of "two Arab males detained" after asking for directions to the presidential retreat at Camp David, and reassurances that "Twinkle and Turq"--code names for the Bush daughters--were safe and accounted for.
This unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet on Wednesday, via WikiLeaks.org....
Read the full story of "Egads! Confidential 9/11 Pager Messages Disclosed at CBSNews.com.
Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.
The social network had just completed a weeklong comment period for the new revision and, though "a lot of people participated," less than 7,000 members commented. According to Facebook's rules, this meant that a vote was unnecessary, Michael Richter, Facebook deputy general counsel, wrote in a company blog.
Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.
The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.
The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.
The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.
Updated November 18 at 11:19 a.m. PST to clarify that the data was sold by workers at T-Mobile UK, which is operated separately from T-Mobile USA.
British Information Commissioner Christopher Graham says penalties aren't strong enough to deter the sale of private consumer data.
(Credit: BBC)T-Mobile workers sold personal data on thousands of customers to third parties who then called the individuals as their wireless contracts were due to expire, a T-Mobile UK spokesman has confirmed.
T-Mobile notified England's Information Commission, the watchdog agency responsible for safeguarding consumer privacy, and said the activity was done "without our knowledge," according to the BBC.
Information Commissioner Christopher Graham told the news agency his office will prosecute the individuals responsible.
It's the latest black eye for the T-Mobile brand in recent months. (T-Mobile UK and T-Mobile USA are operated separately.)
Last month an outage with T-Mobile USA network left Sidekick users unable to access the Web or their address books for several days.
And earlier this month T-Mobile's network in the U.S. suffered a major outage that left customers unable to send or receive text messages and access voice messages for part of a day. The outage was due to a software error in the back end system that generated abnormal congestion on the network, the company said in a statement.
Google's biggest threat is no longer Microsoft. It is itself.
As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...
...and at freaking them out over privacy concerns.
In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.
But in so doing Google also becomes more threatening to the very consumers it is trying to serve.
Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.
As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.
Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.
Why? Because for all our hand-wringing over privacy--and for good reason--the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.
It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.
It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.
People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)
This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs--and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.
I wasn't trying to evade lock-in. I was trying to increase personal happiness.
Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year old's seventh-grade essay.
Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.
A very smart move by Google, one that all data-driven businesses should emulate.
Follow me on Twitter @mjasay.
Harriet Pearson, chief privacy officer, IBM
(Credit: IBM)Harriet Pearson once joined a petition signed by Facebook users, urging the social-networking site to do more in terms of privacy.
But the privacy expert considers herself a moderate when it comes to protecting her personal information.
Pearson, IBM's chief privacy officer for the past nine years and also its security counsel since last year, says each person needs a mental model to assess the benefits or risks associated with providing personal data. In the same way, she said, governments ought to be thoughtful when drafting policies and laws on data protection.
In town recently for Singapore's annual GovernmentWare conference, Pearson sat down with ZDNet Asia to discuss data protection legislation, the need for a balanced view regarding data breach notification, and why Asian regulators should not "photocopy" European law books.
Read more of "Asia's lawmakers need not copy Europe" at ZDNet Asia.
eBay is the most trusted company in terms of privacy, and Yahoo and Facebook are among the Top 10, according to a new report released on Wednesday.
Following eBay is Verizon, the U.S. Postal Service, WebMD, IBM, Procter & Gamble, Nationwide and Intuit, with Yahoo and Facebook in the ninth and tenth spots, the study from the Ponemon Institute and Truste says.
Here are the list of the most trusted companies in privacy, according to a study by the Ponemon Institute and Truste.
(Credit: Ponemon Institute/Truste)It was Facebook's debut on the list, as well as the first time a telecommunications company and a government operation cracked the top three.
While the list ranks the most trusted companies based on consumer brand perception it doesn't necessarily translate to the list of the most trustworthy companies, Kevin Bankston, a senior staff attorney at the Electronic Frontier Foundation, told CNET News.
"They really ought to do one ranking for the poll and a separate one for the actual privacy evaluation," Bankston wrote on Facebook. "Blending them together makes these rankings rather useless."
Basically, privacy practices were analyzed and ranked only for a list of 23 companies that were highly rated in a survey of more than 6,000 U.S. consumers earlier this year, according to Truste spokeswoman Carolyn Hodge. The Top 20 from that survey were analyzed and that included 23 companies because of several ties, she said.
So, the latest study most accurately reflects which companies were deemed to have the best privacy practices among a list of companies that consumers perceive as being trustworthy.
"It absolutely is based on consumers' perception of specific brands. That's what we're trying to get at," Hodge said. "The idea behind this research is to promote consumer education about privacy and to promote adoption of best practices by companies...We understand consumers are probably going to name companies they trust and there may not be a clear correlation with privacy."
Regardless, Hodge and Larry Ponemon, founder of the institute that bears his name, said the companies on the list deserved recognition.
"None of these companies is doing badly at privacy," said Hodge. "We're talking about the best companies out there."
"Clearly there can be variance between perception and reality," Ponemon said. But, he noted, Verizon recently adopted a new more consumer-friendly privacy policy, eBay does a good job on data security and Facebook has made great improvements lately on user privacy.
"I'm not a big fan, but what Facebook is is an experiment...they've had issues and come a long way on privacy," he said.
In assessing the level of trustworthiness of the popular brands, Truste staff looked at 40 criteria, Hodges said. The criteria included things like whether a company: has a clear, readability and easy to find privacy statement; provides adequate access to account information; uses cookies and discloses that to users; shares data with other companies and affiliates; has a data retention policy; has a chief privacy officer; whether they disclose a user's e-mail during password reset; and whether they use Web beacons.
In addition, representatives from the Ponemon Institute called companies without identifying themselves and asked questions about privacy practices to see how well their customer service representatives respond to consumer inquiries about that.
Here is the list of the most trusted companies from December 2008.
(Credit: Truste)
A recent simplification of Facebook's user privacy controls wasn't enough for some policymakers.
On Thursday, in conjunction with the Canadian Privacy Commissioner, Facebook announced a new set of modifications to its user privacy controls as well as its developer API, and the targets of these changes are the thousands of third-party applications built on Facebook's developer platform. That means there may be major implications for developers--some of whom rely almost exclusively on Facebook activity as a revenue source.
The Canadian Privacy Commissioner's office released a set of recommendations for Facebook last month, specifically highlighting concerns that third-party applications could access a significant amount of users' personal data. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release at the time.
Facebook's newest set of changes will require third-party applications to specify which fields of user data they access (birthdays, favorite music, geographic location, etc.) and will require users to offer explicit permission before an app can access any of their friends' profile data. This is also in tune with recommendations offered earlier this week by a chapter of the American Civil Liberties Union, which highlighted the amount of personal data that third-party apps can access--sometimes without a user knowing it.
"Our productive and constructive dialogue with the Commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users," Elliot Schrage, Facebook's vice president of global communications and public policy, said in a release Thursday. "We believe that these changes are not only great for our users and address all of the Commissioners' outstanding concerns, but they also set a new standard for the industry."
But what does it mean for developers? This could make it difficult for some apps--particularly the sillier ones that rely on heavy viral spread and often one-time use--to gain traction and stay effective. These are similar concerns to those that arose when Facebook cracked down on apps that it deemed "spammy" (and often rightfully so). But on the other hand, the new privacy controls could stem off bad press that could easily paint the developer platform as a whole as unsafe or untrustworthy.
"It is important for developers to have access to information, but we want to balance that with transparency and control for users," Ethan Beard, Facebook's director of platform product marketing, said in a blog post geared toward developers.
"We have committed to making these enhancements over the next twelve months, and anticipate a lengthy beta period including opportunities for you to provide input, multiple blog posts, and updated documentation delivered well ahead of time," Beard's post continued. "Understanding that this will likely require modifications to your code base, we want to give you the earliest heads up that these enhancements are on our road map."
