Security

You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.

A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.

The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.

Here's a look at some of the specific threats users of the sites face and what they can do about it.

FACEBOOK

A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.

(Credit: Trend Micro)

Problems: Malware, account hijacking, phishing, and social engineering

The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.

Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.

Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.

Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.

Problem: Rogue applications

Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.

Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?

Problem: Privacy leaks due to user error

Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.

Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.

These instructions explain how to keep most people from viewing your friends list on Facebook.

(Credit: CNET)

Problem: Privacy leaks due to design or implementation issues

Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.

Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.

Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.

Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.

Problem: Privacy leaks related to marketing

The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.

Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.

Problem: Information used to suppress dissent and target political activists

As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.

"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.

Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.

TWITTER

This screen shot shows a Koobface attack message on a Twitter page.

(Credit: Trend Micro)

Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.

Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."

Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.

Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.

Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.

Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.

Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.

Editors' note: This is a guest column. See Larry Downes' bio below.

It's been a bad week for those, like me, who feel the debate over data privacy too often casts information businesses as evil Halloween monsters, determined to terrorize and humiliate their customers just for the fun of it.

On Monday, the Federal Trade Commission held the first of three conferences on privacy and technology, at which a parade of consumer advocates and legal scholars warned of an imminent data apocalypse.

Recent events seemed, alas, to support that view. Sprint, for example, reported that over the last 13 months, it has received more than 8 million requests for GPS data about customer location and movement from law enforcement agencies. (Sprint is now determining the number customers affected, estimated to be in the thousands.)

Verizon and Yahoo filed objections to a Freedom of Information Act request that asked how much the companies charge to comply with government surveillance orders, claiming that release of the information would "shock" and "confuse" customers.

Then, Google's notoriously private CEO, Eric Schmidt, brushed aside a CNBC's reporter's question about concerns that users are putting too much trust in his company, saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Most disturbing at all is what happened over at Facebook, the social-networking behemoth that now hosts more than 350,000,000 members. Based in part on complaints by government agencies in Canada and Europe, the company announced in July that it had begun testing a more comprehensive and simplified set of privacy settings, promising to give users "even greater control over the information they share and the audiences with whom they share it."

After months of what looked like careful planning, Facebook implemented its new privacy policy and user tools this week.

The announcement landed flat on, well, flat on its face. A chorus of the usual suspects, including the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California cried multiple fouls, objecting both to the nature of the changes and the way in which they were being imperiously foisted on users. "Under the banner of simplification," said Electronic Privacy Information's Center's Marc Rotenberg, "Facebook has pushed users to downgrade their privacy."

First, a word about the changes themselves. In a detailed exegesis published on Wednesday, EFF's Kevin Bankston divided the revisions into three categories: the good, the bad, and the ugly.

In the good column, Bankston noted that all Facebook users are being required to review their privacy settings and have been given new tools to simplify the process. For each individual post to their page, users can now limit who among their friends gets to see what. In the bad department, EFF doesn't like the recommended settings, which pretty much let everyone see everything.

The ugly, however, are genuinely ugly. The version of a user's Facebook page open to Facebook members and nonmembers alike will now show the user's name, profile picture, location, and gender, as well as a complete list of her friends. Most of that information can no longer be controlled other than by not providing it in the first place. (Facebook has already backtracked on the public availability of friends information.) And users can no longer opt out of letting Facebook and third-party applications, such as all those quizzes and tests my friends seem to spend most of the day filling out, access at least some information from their account and that of their friends.

Logic behind privacy policy changes
I understand why Facebook wants these changes. Given the sheer number of Facebook users, it's increasingly difficult to find friends when presented with a list of dozens of profiles with matching names and no other information.

As the company moves to find ways of making money from its network, moreover, open access to information about users is not just important--it's essential. Constraining the company's ability to publish and otherwise monetize that information limits the chances Facebook and other social-networking sites can continue to secure funding, compete in a wide-open market, and ultimately survive as a commercial enterprise.

That, at least, is the kind of reasonable explanation for the changes the company could have provided. Instead, it announced the new policy and implemented it at the same time, leaving no opportunity for user review or comment. According to EFF's Bankston, Facebook didn't disclose the creation of the new category of "publicly available information,"--that is, information about a user that cannot be controlled--until "the very day it is forcing the new changes on users." (Facebook did, in fact, allow a one-week comment period on a draft of the new policy, which is more than 5,000 words long, in early November.)

The company's reliance on good relations with its users makes the ham-fisted and tone-deaf nature of these changes both "shocking" and "confusing." After a minirevolt erupted earlier this year over changes to Facebook's terms of service, in which the company seemed to grant itself a more generous license for user data, a chastened CEO Mark Zuckerberg quickly reversed course.

More than that, Zuckerberg promised that future modifications would be developed in collaboration with users on an open-source model. "Our terms aren't just a document that protects our rights," Zuckerberg wrote on the company's blog, "it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service."

Exactly. So why didn't Facebook learn from its own painful lesson? While the company tested the new features with some users and solicited comments on the privacy policy over the last several months, Facebook reported in November that the number of comments it received on its draft proposal "did not reach the threshold to hold a vote." That's not a good thing.

Lessons not learned
Despite the high level of emotion, rightly or wrongly, that users attach to the topic of privacy, the new policy and tools simply arrived, providing some new protections even as existing controls were unceremoniously removed. Did the company think no one would notice? These and other recent privacy gaffes and missteps have unfortunate consequences.

Consumers, already uneasy about how increasingly intimate information is being handled online, will trust companies less, raising the potential for government regulations and new privacy agencies to fill a perceived void. That would be a dangerous result, and ultimately a counterproductive one.

Introducing new layers of regulatory bureaucracy will slow the pace of exciting innovations in information technology that have kept users engaged in the first place. And interjecting government oversight over any data raises the possibility of misuse of that information by other parts of the government, a problem made all too clear by continued revelations about secret surveillance under the wide umbrella of the Patriot Act and other antiterrorism measures.

The reality is that most information services do a good and responsible job of balancing user interests in controlling information access with value derived from transactional and other data that pay for much of what happens online.

Though often implicit, users today trade the use of information about their activities, purchases, and interests for innovative and often free services that analyze and aggregate that data. Such services help cell phone users locate their friends with Loopt, consumers simplify their search for products and services on Amazon and eBay, and connect with each other in the low transaction cost world of social-networking applications such as Facebook and Twitter.

The real problem: PR
The real problem here is not of policy but rather of public relations. Start-up companies increasingly invest early and often in legal counsel, in part to navigate the complex waters of intercompany relationships and in part to avoid potentially lethal litigation from patent trolls, unhappy competitors, and a global army of business regulators.

At the same time, marketing, as well as public and government relations, get little attention, as companies believe that enthusiastic users are now the best form of PR a young company can get and at a price that can't be beat.

Maybe so. But as information exchanges have moved from the purely pedestrian business-to-business networks of the 1980s to the everything-and-everybody sharing that characterizes our increasingly digital lives, companies who discount or dismiss the emotional and even irrational attachment consumers have to information about themselves do so at their peril.

It's not that Google, Facebook, and others need to change in any fundamental way how they do business. They must rather rethink the casual, careless, and often conceited way with which they communicate to users, business partners, regulators, and other stakeholders. When the lawyers lead, everyone loses.

For companies like Facebook today and everyone else tomorrow, users and the data they provide are not just the most valuable asset; they are the only asset. As consumers absorb that fact, they will increasingly use the tools of online communities--ironically, tools provided by social-networking sites themselves--to express their dissatisfaction with unequal exchanges of information for value. Better to collaborate with them now than to negotiate later, at the end of a gun.

Facebook, as Mark Zuckerberg correctly noted, is a kind of virtual nation, where terms of service and other policy documents serve as Constitution and governing law. As such, changes to both policy and practice require honest deliberation and engagement with the residents.

They can no longer be delivered as fait accompli. For one thing, it's pretty easy for virtual citizens to revolt against a government they don't like, or simply pack up and move somewhere less tyrannical. Easier than it is in the physical world, in any case.

Google CEO Eric Schmidt is the latest Silicon Valley CEO to draw ire after suggesting that folks seeking privacy might not want to look to the Internet to find it.

"I think judgment matters," Schmidt said, appearing on CNBC (see video below). "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines--including Google--do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities."

In some senses, Schmidt was merely stating the truth about the U.S. law as it currently stands. However his "maybe you shouldn't be doing it in the first place" comments, in particular, seem to have raised the hackles of privacy advocates and others.

Among the most interesting reactions was a posting on a Mozilla veteran's personal Web page suggesting that users might want to switch to Bing because of its better privacy policy.

"That was Eric Schmidt, the CEO of Google, telling you exactly what he thinks about your privacy," Mozilla Director of Community Development Asa Dotzler said on his personal blog, referring to the CNBC comments. "There is no ambiguity, no 'out of context' here. Watch the video."

From there, Dotzler shows how one can easily switch Firefox's search engine from Google to Bing, adding, "Yes, Bing does have a better privacy policy than Google."

To be fair, that Patriot Act and other laws apply just as much to Microsoft as it does to Google. Still, I think Dotzler's posting raises some interesting issues. Plus, it's particularly noteworthy that a Mozilla worker is willing to raise the issue given how the lion's share of Mozilla's revenue comes from the Google traffic generated from Mozilla's search bar.

The difference, in my opinion, isn't that Microsoft is somehow subject to different laws than Google, or even that it would behave differently in the face of a government challenge (both companies kowtow in China, for example). Rather, the two companies seem to have a different approach toward privacy issues.

Google's attitude tends to focus on the great benefits that open information can, and often does have. Plus, of course, its stance is an outgrowth of the fact that Google has built its business around gaining revenue by doing the best job of organizing that information.

That shows up in all kinds of ways. Mozilla Developer Relations Director Christopher Blizzard noted in a Twitter posting that sites users visit in Chrome get sent to Google.

"Everyone knows that every site you visit and all address bar searches in Chrome go to Google, right?" Blizzard wrote. (I sent an e-mail to Mozilla seeking its corporate take on things, but did not immediately get a response.)

Microsoft's approach, meanwhile, stems no less from its economic interest, but its zeal is tempered by years of heavy regulation and consumer backlash.

These differences in attitudes, and shifting tides in the center of power in the tech industry, I expect to be major issues in the coming years as regulators and consumers decide where to place their attention.

That said, Schmidt is hardly the first to point out that the idea of privacy on the Internet might be outmoded. "You already have zero privacy. Get over it," former Sun CEO Scott McNealy famously intoned, drawing many of the same criticisms.

Obviously, privacy advocates argue that protections must extend to the Internet. In a blog posting, security expert Bruce Schneier makes a passionate argument, although I think it is interesting that he digs up an essay from 2006 to make his reply.

"Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance," Schneier wrote. "We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need."

So what do you think? Is privacy a basic human need, or a quaint, outdated notion, or is it, paradoxically, both of those things?

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns over the way Facebook users are keeping information private comes on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.

(Credit: Echometrix)

The Department of Defense has pulled a parental control product from its online store serving military families after learning that the company collects childrens' data, according to documents the Electronic Privacy Information Center (EPIC) obtained from the government agency.

EPIC has filed a complaint (PDF) with the Federal Trade Commission alleging that Echometrix, maker of FamilySafe parental control software, violates the Children's Online Privacy Protection Act by collecting personal information from children and disclosing it to third parties for market intelligence purposes. Echometrix denies the allegations.

After learning that the Defense Department's Army and Air Force Exchange Service (AAFES) Web site offers the Echometrix product for sale, EPIC filed a Freedom of Information Act request with the Defense Department.

The agency complied with the FOIA request. Among the documents provided to EPIC were e-mails between Echometrix and a manager at the AAFES Exchange Online Mall who wanted to know how customer information is collected and whether it is used for marketing purposes.

"During the installation process we fully disclose all of Family Safe's procedures and clearly display an opt-out button for all anonymous aggregate data sharing in our (EULA) End User License Agreement," an Echometrix e-mail explains.

"The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited" by the agreement retailers sign to sell products through the AAFES site, the online mall manager writes in an e-mail. "Giving our customers the ability to opt out does not address this issue. [It] is prohibited in any case. Because of this, we must remove Sentry Parental Controls from the Exchange Online Mall."

Asked for comment, a Department of Defense spokeswoman said the Echometrix product was available on the online mall from September 25 until October 15. "To the best of our knowledge, no military personnel signed up for the service during the approximately three weeks it was available," Air Force Lt. Col. April D. Cuningham, the public affairs officer, wrote in an e-mail.

Echometrix collects information from children to help parents filter out Web sites, analyzes that information and then sells it to third-parties for market intelligence research, said Kimberly Nguyen, the EPIC lawyer who is handling the case.

The data includes personally identifiable information of children, including IM screen names which can be linked to e-mail addresses, she said.

"The collection of childrens' data raises serious privacy concerns, and even the Defense Department realizes that," Nguyen said in an interview.

Echometrix denied the allegations.

"Echometrix does not collect personally identifiable information or expose the source of any digital content. The company has never and will never collect, distribute or sell personal information as defined by COPPA (the Children's Online Privacy Protection Act)," the company said in a statement.

The FTC did not respond to an e-mail seeking comment.

Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.

But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.

Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.

Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.

Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.

Look for trust seals, but verify they're legitimate

(Credit: BBBOnline)

It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.

When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.

If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.

Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.

Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.

It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.

Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.

Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.

Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."

Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.

As the World Trade Center and Pentagon were ablaze on September 11, 2001, the U.S. Secret Service's presidential protective detail was informed that a "Korean airliner has been hijacked" en route to San Francisco, prompting already-skittish agents to worry about another wave of terrorist attacks.

That morning and afternoon, Secret Service agents assigned to protect the president and his family found their pagers constantly buzzing with alerts both true and false. There was a false alarm about a car bomb in downtown Washington, D.C., a report of "two Arab males detained" after asking for directions to the presidential retreat at Camp David, and reassurances that "Twinkle and Turq"--code names for the Bush daughters--were safe and accounted for.

This unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet on Wednesday, via WikiLeaks.org....

Read the full story of "Egads! Confidential 9/11 Pager Messages Disclosed at CBSNews.com.

Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.

The social network had just completed a weeklong comment period for the new revision and, though "a lot of people participated," less than 7,000 members commented. According to Facebook's rules, this meant that a vote was unnecessary, Michael Richter, Facebook deputy general counsel, wrote in a company blog.

Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.

The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.

The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.

The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.

Updated November 18 at 11:19 a.m. PST to clarify that the data was sold by workers at T-Mobile UK, which is operated separately from T-Mobile USA.

British Information Commissioner Christopher Graham says penalties aren't strong enough to deter the sale of private consumer data.

(Credit: BBC)

T-Mobile workers sold personal data on thousands of customers to third parties who then called the individuals as their wireless contracts were due to expire, a T-Mobile UK spokesman has confirmed.

T-Mobile notified England's Information Commission, the watchdog agency responsible for safeguarding consumer privacy, and said the activity was done "without our knowledge," according to the BBC.

Information Commissioner Christopher Graham told the news agency his office will prosecute the individuals responsible.

It's the latest black eye for the T-Mobile brand in recent months. (T-Mobile UK and T-Mobile USA are operated separately.)

Last month an outage with T-Mobile USA network left Sidekick users unable to access the Web or their address books for several days.

And earlier this month T-Mobile's network in the U.S. suffered a major outage that left customers unable to send or receive text messages and access voice messages for part of a day. The outage was due to a software error in the back end system that generated abnormal congestion on the network, the company said in a statement.