News Blog

May 22, 2008 12:01 AM PDT

Random auto-browser keeps Web trackers at bay

by Dennis O'Reilly
  • 5 comments

I can't say for certain that ISPs, online advertising networks, and other big Web companies are already tracking our Web use and sending us ads and other information based on conclusions they draw from our unique browsing history.

But it wouldn't surprise me one bit if they were. And if they aren't already, I know it's only a matter of time.

Web sites have been using persistent cookies to remember you from session to session for a long time. Usually, sites know only the site you arrived from and the site you go to when you leave.

ISPs and other organizations use deep packet inspection and other techniques to keep a history of your browsing. They claim the browsing histories are anonymous. But when your privacy is at stake, it doesn't pay to trust any commercial operation to do what's in your best interest rather than what will make them the most money.

You can take various steps to thwart the efforts of Web spies, including using products and services that promise anonymous surfing. This week, a group of "programmers, artists, and designers" posted the full release of a program called AntiPhorm Lite, which attempts to obfuscate your browsing tracks by visiting sites at random. The make-believe browsing renders the collection of your Web history meaningless from the trackers' perspective.

AntiPhorm's text-only console

The AntiPhorm random browser is intended to prevent Web trackers from knowing what you're up to online.

(Credit: AntiPhorm)

That's the theory, at least. The program's creators claim it is safe to use and consumes very little processing or bandwidth because it examines only the HTML of the sites it visits, so no images, videos, Javascript, or Flash are ever downloaded when the program runs in its hidden or text-only console view. (Note that in hidden view, the only way to deactivate the program short of shutting down your PC is to open Task Manager and kill its process.)

The program's name is derived from the Phorm behavioral advertising company that recently entered into an agreement with the U.K. ISPs Virgin Media, BT, and TalkTalk to tap into their customers' browsing history. As you can imagine, the plan has met with resistance from privacy advocates.

AntiPhorm also features a console view that lets you see the random sites the program opens. When I tried this mode, AntiPhorm opened a new Firefox tab every 20 or so seconds. My imaginary personality jumped from IT sites to Yahoo's search page to Amazon to IMDB back to Amazon, then over to eBay, back to Amazon, and 'round and 'round.

It was a little disconcerting to see the "Welcome, Dennis!" greeting when an Amazon page opened, and the program would've kept opening two or three new sites a minute if left unattended. The designers promise that AntiPhorm won't visit any potentially embarrassing sites, but I quickly switched back to the program's text-only mode, which merely lists the sites it is visiting.

What do you gain by using a program such as AntiPhorm to make your Web activities more difficult to track? Individually, probably not much, especially if you don't care what ads the online networks serve up when you browse. Collectively, you might play a small role in preserving the privacy of everyone's browsing history by making behavioral advertising less profitable.

That's the theory, anyway.

Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
May 5, 2008 9:00 PM PDT

McAfee deal aims to make Yahoo search safer

by Stephen Shankland
  • 5 comments

Updated May 6, 5:50 AM PDT to reflect the actual announcement from the two companies.

Yahoo and McAfee announced a partnership Tuesday under which potentially unsafe Web sites appearing in Yahoo search results will be flagged as risky.

The deal, an exclusive for Yahoo, uses McAfee SiteAdvisor technology to label a variety of potentially dangerous Web sites with red warning text and links to McAfee information about what risks the site poses. Among the triggers for a red warning message are sites that host spyware, adware, or virus-infected downloads; sites that have links to other Web sites with dangerous material; and sites that have a track record of harvesting e-mail addresses later used to send spam, the companies said.

The McAfee service flags risky Web sites in Yahoo searches with red warning text.

(Credit: Yahoo)

The move, along with related technology at Google and protections now built into browsers such as Internet Explorer and Firefox, spotlights a gradual expansion of the war against computer attacks.

Mainstream computer security efforts began with antivirus software that runs on people's personal computers, spread to corporations that screen e-mails and other network traffic for dangerous traffic, and now is being built into the online search gateways that most people use to navigate the Web. Think of it as security software as a service.

Priyank Garg, director of Yahoo search product management, has high hopes for the Yahoo service, both for user protection and for hobbling attackers who try to exploit network insecurities.

"We expect users will have more confidence when searching on the Web," Garg said.

Deal extends beyond search results
And the multiyear partnership means the McAfee technology could be used elsewhere within Yahoo, Garg said.

"We have the ability to use their data throughout Yahoo," Garg said. "All the teams throughout the company are excited to leverage this information."

That could mean some changes. Yahoo currently uses Symantec's Norton Antivirus software to check e-mail attachments sent with its Yahoo Mail service.

Yahoo is trying the move to improve the clout of its search engine. In March, Yahoo was No. 2 in U.S. search results with 20.6 percent of queries, according to research from Hitwise. And it lost share to Google, which had 67.3 percent.

The idea is that people will tilt toward a search engine that will better protect them. Everybody wants more safety in searching, and some folks--parents, and those running schools, Internet cafes, and libraries spring to mind--are more sensitive than usual.

The move, while helpful, isn't necessarily going to mean a dramatic difference for the company, said Forrester analyst Natalie Lambert.

"I think it's going to very much help protect Yahoo users," she said. But when it comes to where people actually choose to search, "Fundamentally it's going to come down to how good the search is, and I think Google will still lead."

Google, here too, is a formidable search competitor. It's got some protections of its own now against sites that try to install malware via browser vulnerabilities. The company uses virtual machines to check for Web sites that launch attacks, and those that do are flagged in search results with the warning, "This site may harm your computer."

Currently, Google doesn't check for viruses in downloads, e-mail harvesting schemes for spam operations, or outgoing links that could lead to dangerous Web sites, said spokesman Michael Kirkland. However, he wouldn't rule out that sort of possibility.

"It makes sense to assume Google has a vested interest in keeping its users safe and the Web safe overall," he said.

Curtailing Web attacks?
The Yahoo service could make life significantly harder for those who would attack people's computers, however.

"We see millions of clicks on some of these sites through our search engine today," Garg said. "It is going to have a material impact in distribution of this content."

The service will start in the United States, Canada, the United Kingdom, France, Italy, Germany, Australia, New Zealand, and Spain. So it has broad reach.

And the red flag is only the beginning. Through the McAfee technology, Yahoo has already removed an unspecified number of pages from its search results--for example those that attempt to compromise a vulnerable Web browser with a "drive-by download" attack launched simply by visiting a Web site. "We took out the risky sites where we don't want users to hurt themselves," Garg said.

But beyond the deleted entries and warning labels, Yahoo decided against altering search results. "There is an element of informed use," Garg said, likening the move to providing a city map with dangerous neighborhoods labeled as such rather than omitted altogether.

The Yahoo service isn't likely to directly address phishing, in which users are steered toward entering usernames, passwords, or other sensitive information into fake Web sites. "Phishing is less of a concern for the search experience," Garg said. "The Web sites that come up with phishing aren't usually around long enough" to make it into search results, he said.

While the service could improve security for searchers, it will also lead to a new phase in the constant battle between attackers and computer security firms, Forrester's Lambert predicted.

"At the end of the day, people are going to beat the technology," Lambert said. "You can only get so far ahead with security."

February 4, 2008 6:33 AM PST

The return of free-after-rebates Norton AntiVirus 2008

by Rick Broida
  • 12 comments
(Credit: Symantec)

Who says there are no second chances? (Maybe Patriots fans, I dunno.) If you missed out when Fry's offered Norton AntiVirus 2008 free after a pair of mail-in rebates, the deal has returned at Buy.com.

Once again, it's the three-user edition, meaning you can install it on up to three PCs. The software protects against viruses, spyware, rootkits, and the like. CNET liked it, though readers definitely did not. As I said last time, if you're unhappy with the software yourself, you're only out a couple stamps.

Speaking of the rebates, this deal requires a pair: one for $34 on the software itself, the other a $20 competitive rebate. That means you need to provide proof of purchase/ownership for just about any other software utility (get the full deets here). The first rebate offer expires February 9, so you've got the week to pull the trigger. Shipping costs--nada.

Originally posted at The Cheapskate
Rick Broida, a technology writer for nearly 20 years, is the author of more than a dozen books. In addition to writing CNET's The Cheapskate blog, he oversees BNET's Business Hacks. Rick is a member of the CNET Blog Network and is not an employee of CBS Interactive. Disclosure. Deals found on The Cheapskate are subject to availability, expiration, and other terms determined by sellers. Follow Rick on Twitter at cheapskateblog.
January 8, 2008 3:19 PM PST

Sears, Kmart community software called 'badware'

by Robert Vamosi
  • 1 comment

StopBadware.org said Tuesday it has labeled the Sears and Kmart community software known as My SHC Community as "badware," or spyware.

The nonprofit organization run by Harvard Law School, Oxford University, and Consumer Reports WebWatch said it cited the Sears Holding Corporation community in particular "because of inadequate disclosure of extensive tracking and data collection and because the application does not identify itself while running."

In response to several accusations that it collects personal information without proper disclosure, My SHC Community has dramatically revised its Web site since last week. It has, among other changes, added a prominent link to its privacy policy.

At issue is the installation of tracking software from ComScore, an online data marketing firm. ComScore has maintained over the years that its data collection methods do not qualify as spyware. However, several leading antispyware researchers disagree.

In a statement (PDF), StopBadware.org said: "Sears Holding Corporation (SHC) has informed StopBadware that SHC is significantly improving the My SHC Community application disclosure and privacy policy language and adding a Start menu icon in an effort to comply with our guidelines and address privacy concerns. They expect these changes to be implemented within 48 hours."

However, late Tuesday, StopBadware.org said it has not changed its designation of SHC Community. "We have not evaluated these planned changes at this time. SHC has also informed us that they have suspended invitations to new users to install the application until these changes are implemented."

Originally posted at Defense in Depth
November 1, 2007 12:54 PM PDT

Identity stolen? Senators want thieves to pay for your troubles

by Anne Broache
  • 3 comments

Identity theft victims would be allowed to request monetary compensation for the time they spent getting their lives back in order under a bill approved by a U.S. Senate panel.

The Identity Theft Enforcement and Restitution Act of 2007 would allow those who fell prey to identity fraud to seek "criminal restitution"--that is, payouts from the offender in a particular case--for time "reasonably" spent correcting "actual" or "intended" harm.

While potentially significant, it's unclear exactly how much of an impact the legal changes would make, should they be made law (and they're a few steps off from that yet).

According to a Javelin Strategy and Research survey of 5,000 American adults released earlier this year, the number of identity theft victims has declined in recent years, as has the amount of time spent dealing with those harms.

In 2003, there were about 10.1 million adult victims of identity fraud in the United States, but that number dropped to about 8.4 million this year. Meanwhile, the average number of hours each victim spent resolving those issues declined from about 40 hours in 2003 to 25 in 2007.

Threaten to steal data, end up in prison?
The Senate bill transcends identity theft-related issues, crossing over into cybercrime. It also includes rewrites to federal computer crime laws that are designed to make it easier for police to punish hackers, keyloggers, and spyware purveyors whose acts may not do quantifiable damage.

Under current law, federal prosecutors can go after only computer crimes that result in at least $5,000 in damage or losses to a victim's computer. Current law also requires that hacking cross state borders, immunizing from federal prosecution crimes in which the hacker and the victim are in the same state. But the approved Senate bill would remove those requirements in criminal cases.

The bill would also make it a felony to damage 10 or more computers with spyware or keyloggers, regardless of how much damage is done. It would create a new crime: threatening to steal or release information from a computer, with the intent to extort money or anything else of value from the person being threatened. Those offenses would carry up to five years in prison, fines, or both.

The Senate bill also adds additional penalties for cybercriminals. They'd be forced to give up any property used to commit their crimes or obtained in the process of those activities.

Sen. Patrick Leahy (D-Vt.), who sponsored the bill along with Sen. Arlen Specter (R-Penn.), said the proposal contains "important and long-overdue steps to protect Americans from the growing and evolving threat of identity theft and other cybercrimes."

The measure doesn't appear to be particularly controversial. It's backed by the U.S. Department of Justice and the Secret Service, and it has also drawn support from a diverse set of groups, including the AARP, the Consumers Union, the Cyber Security Industry Alliance, and the Business Software Alliance, Leahy said. The BSA, for its part, said it would be pressuring the House of Representatives to act this year on a similar proposal, as well as pressuring the full Senate to bless the bill approved in committee Thursday.

October 29, 2007 12:19 PM PDT

FTC: Let us fine spyware operations, already

by Anne Broache
  • 3 comments

WASHINGTON--Federal consumer protection authorities say they want nothing more than to put the financial hurt on deceptive spyware purveyors. The trouble, they say, is that the law still doesn't let them.

Sure, the Federal Trade Commission has the ability to go after spyware purveyors now, and it has done so a dozen or so times. So can state attorneys general and the U.S. Department of Justice.

But currently, the FTC can only force an offending company to turn over ill-gotten profits or to pay a finite amount to affected consumers--"consumer redress," as it's known in legal speak--to help make things right, said FTC Commissioner Jon Leibowitz.

FTC Commissioner Jon Leibowitz

(Credit: Federal Trade Commission)

Especially when we're talking things like nuisance pop-up ads, the latter penalty can be "very hard to get" because "it's difficult to quantify their harm," Leibowitz, a Democrat, said at a luncheon discussion hosted here by the Harvard University Law School, the Stop Badware Project, the Center for Democracy & Technology, and the National Cyber Security Industry Alliance.

In some cases, to be sure, the ill-gotten gains chunk alone has been hefty, as in the case of a $3 million settlement last fall with adware maker Zango. But the FTC would like to be able to slap additional fines on top of those existing penalties.

The FTC's wish list isn't news to Congress. After all, in June, the U.S. House of Representatives overwhelmingly approved a bill that would give the FTC the ability to impose fines of up to $3 million each time a long list of offenses is committed, the bulk of which center on "taking control of a computer" in an unauthorized way.

But for whatever reason, the Senate still hasn't yet acted on the proposal, known as the Spy Act, leaving the FTC to continue its longstanding plea for the extra authority. (Some have suggested imprisonment wouldn't be a bad idea, either.)

Because of what Leibowitz called "limited resources," the FTC doesn't always have time to take its cases all the way to court and get potentially higher monetary penalties. Instead, it sometimes ends up taking settlements that may not involve as tough an outcome.

"Arguably we would be doing a better job on behalf of consumers if we have civil penalties," Leibowitz said.

Congress did make one move last year that is helping the feds to police Internet-related scams, Leibowitz said. A law known as the U.S. Safe Web Act, which allows the U.S. government to more readily share information about international consumer protection cases with foreign government partners, is playing a role in a number of ongoing spyware-related investigations, Leibowitz said.

Meanwhile, passage of antispyware legislation this year is far from certain. In the past four years, the House has twice passed spyware legislation that went on to die in the Senate.

Further complicating matters is the fact that the House this year has passed two competing bills that take significantly different approaches. The bill that would give the FTC the additional fining penalties happens to be the more controversial of the two. It's a more regulatory proposal that has been attacked by online advertisers, technology companies like Yahoo and Google, and banks as proposing overly burdensome rules for any Web site that collects personal information and threatening the viability of a vast array of Web sites that rely on cookies to provide free or low-cost services.

Technology companies prefer a less regulatory version that would punish embedding certain types of malicious software on computers without a user's knowledge with criminal fines and up to five years in prison.

August 31, 2007 12:06 PM PDT

Germany wants to sic spyware on terror suspects

by Anne Broache
  • 11 comments

In the name of nabbing terrorists, the German government is floating a plan that would permit authorities to plant spyware on suspects' hard drives through e-mail messages appearing to stem from official sources, according to various news reports out of Berlin this week.

The proposal, which has not yet been made public but was leaked in part to some German news outlets, is reportedly the brainchild of Interior Minister Wolfgang Schaeuble. He's pushing for its inclusion in a broader security law under consideration by Chancellor Angela Merkel's coalition government. The spyware provision is a response to a federal court decision earlier this year that frowned upon secret remote searches of computers, according to a recent report by the Associated Press.

But left-wing party members and civil liberties advocates are railing against the idea as a potential invasion of citizens' privacy, according to AP and Agence-France Presse reports. One Left Party Parliament member told AFP she also feared the policy would make citizens fearful to open e-mails from government sources.

Advocates of the plan, for their part, have tried to assuage fears about abuse of the technique. They have told reporters they would use the so-called "Trojan horse" spyware in a targeted way and would do so only with court approval.

Police use of spyware, as readers of CNET News.com should know, is hardly a new idea. Recent cases in the United States have revealed agents with the FBI and the DEA have installed spyware--in both cases, with a court's permission--as part of investigations.

It was not clear how the German software would operate, although the news reports indicate the goal is to snoop on a suspect's hard drive data and Internet activity. An FBI tool called CIPAV, for example, can immediately report back to the government a computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." Then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

The widespread availability of spyware-detection software could arguably make it more difficult for any government to hide such a scheme from a tech-savvy suspect. In a recent CNET News.com survey of 13 leading anti-malware vendors, not one acknowledged cooperating unofficially with government agencies--at least U.S. ones--to mask the presence of police spyware. Some, however, indicated they may keep quiet if ordered by a court to do so.

July 18, 2007 1:00 AM PDT

FBI remotely installs spyware to trace bomb threat

by Declan McCullagh
  • 20 comments

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.

Screen snapshot of 'timberlinebombinfo' MySpace account

The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."

News.com has posted Sanders' affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.

There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an "Internet Protocol Address Verifier" that was sent to a suspect via e-mail.

But bloggers at the time dismissed it--in hindsight, perhaps erroneously--as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.

Finding out who's behind a MySpace account

An interesting twist in the current case is that the county sheriff's office learned about the MySpace profile -- timberlinebombinfo -- when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff's office reported that 33 students received a request to post the link to "timberlinebombinfo" on their own MySpace pages.

In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: "There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am."

The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.

That's when the FBI decided to roll out the heavy artillery: CIPAV. "I have concluded that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer," Sanders' affidavit says.

CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)

After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV.

Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order.

The verbatim results of our survey are here.

June 15, 2007 12:25 AM PDT

New U.S. 'antispyware' bill invites fight with Net firms

by Declan McCullagh
  • 10 comments

A new Senate bill is likely to vex Internet companies and advertisers, which have been warning for years that supposedly 'antispyware' proposals could impose problematic regulations on legitimate businesses.

Sen. Mark Pryor, an Arkansas Democrat, said in a statement Thursday: "The industry has failed in self-regulating. It's time to step in and enact serious consequences against those who use this invasive and deceptive practice."

Sen. Mark Pryor

(Credit: U.S. Senate)

Y'all remember how well that worked with spam, right?

Anyway, the reason this idea is likely to estrange Net companies is that it includes 34 pages of detailed and often-ambiguous regulations that must be followed precisely--on pain of facing civil and criminal penalties.

That's similar to a House of Representatives bill approved by a 368-48 vote this month that is now in the hands of the Senate. It was opposed by the American Bankers Association, the Interactive Advertising Bureau, the Information Technology Association of America, and NetCoalition (which counts Yahoo, Google, and News.com publisher CNET Networks as members).

Some highlights from Pryor's proposal:

* Under existing law, "unfair or deceptive acts or practices" are already unlawful. This bill would add a duplicative additional prohibition outlawing the installation of software "through unfair or deceptive acts or practices." (The reason it's duplicative is that if all forms of unfair acts already are unlawful, a subset must be as well.)

* It says that an unauthorized user may not seize control of a computer and enlist it as a spam zombie spewing out bulk e-mail. Modem hijacking, denial of service attacks, and "endless" pop-up advertisements are also outlawed.

* Browser settings can't be altered through "unfair or deceptive means." Specifically, default home pages, Web proxies, bookmarks, security settings and toolbars can't be tinkered with.

* Software must be able to be uninstalled and disabled through "reasonable efforts." Changing the name or location of software to thwart removal attempts is outlawed, as is requiring a special code or additional program to remove the application.

* Any ads displayed through software must also show the "identity or name" of the program that "caused the advertisement to appear." Ad-displaying software must be easy to eradicate through a "clear and conspicuous hypertext link." (This seems to be a way to target companies like Gator, now called Claria, which has been dubbed spyware and came bundled with popular, supposedly free software.)

Pryor's legislation, called the Counter Spy Act of 2007, is co-sponsored by Bill Nelson, a Florida Democrat.

May 2, 2007 9:32 AM PDT

Antispyware bill clears another hurdle

by Anne Broache

As expected, the U.S. House of Representatives Judiciary Committee on Wednesday unanimously approved a bill aimed at criminalizing spyware used for malicious purposes.

An identical version of the Internet Spyware Prevention Act, chiefly sponsored by Reps. Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Va.), passed the full House in the last congressional session by a 395-1 vote.

The bill, which was approved by a House Judiciary subcommittee on Tuesday, proposes punishing those who sneak code onto computers without authorization in an attempt to "impair" the security protections on a machine, transmit personal information about the machine's user, or commit other federal crimes. Violations would carry prison sentences of up to five years.

The bill would also allocate $10 million for the Department of Justice in an effort to help it combat spyware, phishing and other online scams.

Congress has been attempting to pass antispyware bills since 2003. A different, more prescriptive bill--which has drawn opposition from online advertisers and skepticism from Lofgren and Goodlatte--is still pending.

Although high-tech companies like Microsoft, Symantec and Dell have applauded the proposal approved Wednesday, the need for new laws is less apparent.

In the past, the Federal Trade Commission has sued spyware purveyors and has suggested it already has ample authority in that area--although it has also asked Congress for beefed-up fining powers more recently. Justice Department prosecutors have also brought cases against spyware outfits in recent years.

The bill goes next to the full House for approval. It was not immediately clear when that would happen or what the Senate's plans will be. Previous attempts at enacting such legislation have failed because they died before Senate consideration.
