Webware

Read all 'Security and spyware' posts in Webware
December 17, 2009 3:03 PM PST

FTC may enter latest Facebook privacy debacle

by Caroline McCarthy

Privacy advocates opposed to Facebook's new privacy settings are trying to get the attention of the U.S. Federal Trade Commission through a complaint filed Thursday on behalf of the Electronic Privacy Information Center and several allied groups.

"These changes violate user expectations, diminish user privacy, and contradict Facebook's own representations," the complaint says of Facebook's new settings, which push more content public and make even more data available to third-party applications and advertisers. EPIC's goal is to force Facebook to restore the old settings and add further controls for members.

"We've had productive discussions with dozens of organizations around the world about the recent changes, and we're disappointed that EPIC has chosen to share their concerns with the FTC while refusing to talk to us about them," Facebook said in a statement responding to the complaint. "We're pleased that so many users have already gone through the process of reviewing and updating their privacy settings, and are impressed that so many have chosen to customize their settings, demonstrating the effectiveness of Facebook's user empowerment and transparency efforts. Of course, the new tools offer users the opportunity to decide on privacy with every photo, link, or status update they wish to post, so the process of personalizing privacy on Facebook will continue."

It's one thing when Facebook users start complaining about new features that they deem excessively creepy--just look at the outrage that surrounded the News Feed, now a mainstay of the site, when it launched in 2006.

It's a different matter entirely when government regulatory bodies get involved, particularly the FTC, which has major sway over the advertising and marketing industries. It was only when privacy groups flagged concerns about Facebook's Beacon advertising program two years ago that participating advertisers started to pull out amid bad publicity. A class action settlement over the Beacon program was resolved recently.

Since then, Facebook hasn't had a privacy-related debacle on the same scale. Much of the philosophy behind Beacon was baked into Facebook Connect, its universal log-in tool, which shares information from third-party sites on Facebook profiles and lets users log into other sites with their Facebook credentials. But because the public-relations pitch was geared toward making the online experience easier for users (fewer passwords to remember, no more registration headaches) rather than helping advertisers exploit social-networking channels, the debut of Facebook Connect wasn't subject to the same scrutiny.

The controversial new privacy settings at Facebook have been a long time coming, given that the social network started publicly laying the groundwork nearly six months ago with a series of announcements about modified privacy controls. It's clear that the company was trying to avoid the sort of press bloodbath that followed the debut of Beacon.

That didn't work. Facebook has already backtracked on one component of its new privacy settings, the one that made users' friends lists publicly available. It's unclear how much EPIC's coalition, not to mention the FTC, will prioritize this most recent controversy.

Behind Facebook's usual willingness to tweak new features and products when they spark concern among regulators or marketers is a fight the company will not give up easily. What it all comes down to is that Facebook's once-watertight log-in wall (remember when representatives mulled banning a blogger who had posted Facebook-hosted photos publicly?) is getting in the way of the social network's potentially central role in one of the digital world's crazes du jour, searchable real-time information.

Search companies have been announcing big deals to pull Facebook status messages and Twitter tweets into results, and the media business has gone nuts over the potential to harness the "real-time Web."

Facebook, dependent on advertising revenues and still looking to expand its base of more than 350 million users, obviously wants in on this. But if it doesn't have enough status messages, shared links, and other information pulled into search results, it risks losing ground to the much smaller Twitter, already the top name when it comes to a massive, searchable clearinghouse for up-to-the-minute information.

Plus, there are marketers and advertisers for Facebook to consider: more search results equal more page views and more ad revenue, and more public information on users' profiles means more ways for the advertising industry to reach them. But if those same marketers and advertisers are the ones pressuring Facebook to change course on user privacy, it could cause friction between the social network and the businesses that have finally begun to accept it as a choice destination for their ad dollars.

Now EPIC is alleging to the FTC that Facebook's new regulations can be outright dangerous: "Dozens of American Facebook users, who posted political messages critical of Iran, have reported that Iranian authorities subsequently questioned and detained their relatives," an item in the complaint reads. "Under the revised privacy settings, Facebook makes such users' friends lists publicly available."

That's not good PR for Facebook, which has repeatedly pitched itself as a destination for open dialogue and grassroots organization across zones of political and ethnic conflict.

Originally posted at The Social
December 16, 2009 11:10 AM PST

How to hide your Facebook friends list

by Larry Magid

Facebook last Wednesday announced new privacy settings that give users some additional control over what information they share, while taking away the ability to hide a few pieces of information from the general public.

One particular piece of publicly available information--users' friends lists--caused a bit of an uproar from a number of sectors, including business people who don't necessarily want to expose their professional networks to the public and their competitors. It is also a concern to some parents who might not want their kids--or a list of their kids' friends--to be widely available.

Facebook quickly backtracked. A day later, the company announced on its blog that users can uncheck the "Show my friends on my profile" option in the Friends box on their profile so that the friend list won't appear on their publicly viewable profile.

Unfortunately, they weren't very clear on exactly how you make the change. ...

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
December 7, 2009 7:34 AM PST

Study: Facebook users willingly give out data

by Don Reisinger

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which ran a study to see how readily Facebook users offer up personal information, 41 percent and 46 percent of the 100 people contacted by each of two fake Facebook profiles created by the security firm "blindly accepted" the friend requests.

Once the fake profiles were accepted as friends, Sophos could see the full date of birth of up to 89 percent of those users, e-mail addresses for all of them, where they went to school, and more. Half of the users Sophos befriended displayed the town or suburb where they live. They even gave up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns about how Facebook users keep information private come on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board made up of five Internet safety groups.

December 4, 2009 4:14 PM PST

Google Chrome now bundled with Avast

by Seth Rosenblatt

You wouldn't necessarily expect it, but Avast and Google Chrome might be the next peanut butter-and-jelly combo in the software world. Google's nascent browser has paired with one of the most popular free security programs in the world so that when users run the Avast installer on a computer that has neither Chrome nor Avast, they'll be offered a chance to install Chrome simultaneously. This is the first such bundling for Avast in its 21-year existence.

The Chrome installation window in the Avast installer is cleverly polite.

(Credit: Screenshot by Seth Rosenblatt/CNET)

The Chrome option in the Avast installer does two things differently from the more familiar opt-out experience that many programs provide in an installer in exchange for financial sponsorship. For one thing, the Chrome window turns up only if you don't already have Chrome installed, but more importantly, it forces users to actively choose. Neither the "yes, install" nor the "no, don't install" radio button is checked by default. Users are still forced to check "no" if they don't want it, but this should dramatically cut down on the accidental installations that tend to plague otherwise similar piggybacking installs.

The Avast/Chrome combo may strike some as an odd couple, or at least more beneficial for Avast than for Chrome, but keep in mind that Avast has more than double the users that Chrome does. Google's Vice President of Product Management Sundar Pichai said Chrome had more than 40 million users at the Chrome OS press conference at the end of October, and the end of November saw NetApplications peg Chrome at 3.93 percent of the browser market, a 0.35 percentage point increase. Meanwhile, on Avast's Web site, the Czech Republic-based security vendor is preparing to fly its 100 millionth user to Prague on an expenses-paid trip.

A Google spokesman indicated that other deals might be in the works. "Users' response to Google Chrome has been outstanding, and we're continuing to explore ways to make Chrome accessible to even more people. This could potentially include distribution via a number of channels, such as the distribution we are currently doing with Avast."

CNET News staff writer Stephen Shankland contributed to this report.

Originally posted at The Download Blog
December 4, 2009 1:14 AM PST

DNS security and performance considerations, and ISP alternatives

by Topher Kessler

When you load a Web site, or use any other fully qualified domain name (e.g., www.macfixit.com), the name needs to be resolved to something your computer can actually connect to, an IP address. The service that does this is DNS, the Domain Name System, which is essentially the index or address book of the Internet. The DNS network consists of authoritative servers and resolvers that cache and propagate a distributed, hierarchical database of Internet names, domains, and subdomains. When your computer makes a DNS request, the resolved IP address is returned to the client system. ...

Originally posted at MacFixIt
Topher has been an avid Mac user for the past 15 years, and has been a contributing author to MacFixIt since Spring 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
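The resolution step the excerpt above describes happens over a small binary protocol, and the part that matters for security is what a stub resolver checks before it trusts the answer. The following is an added example, not code from the MacFixIt post or from any resolver: it builds a DNS query for an A record, parses a reply, and refuses the reply unless the transaction ID and the echoed question match what was sent (a forged reply that guesses the ID wrong fails here, which is why resolvers also randomize the transaction ID and source port). The reply it parses is constructed inline; the name and the 192.0.2.10 address are made up for the demo.

```python
"""Stub-resolver query/response handling with spoof checks (added example)."""
import struct


def encode_name(name: str) -> bytes:
    """Encode www.example.com as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """12-byte header (RD=1, QDCOUNT=1) followed by one question: type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it).
    Pointer hops are capped so a malicious packet cannot loop the parser."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(resp: bytes, expected_txid: int, expected_name: str):
    """Return [(owner, ttl, ipv4), ...] for the A records in a reply, or raise
    ValueError when the reply does not correspond to the query we sent."""
    if len(resp) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):                                 # question must echo ours
        qname, off = decode_name(resp, off)
        qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
        off += 4
        if qname.lower() != expected_name.lower() or (qtype, qclass) != (1, 1):
            raise ValueError("question section does not match our query")
    records = []
    for _ in range(an):
        owner, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records


def build_demo_reply(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply for the demo: flags QR|RD|RA, the question echoed, and one
    A record whose owner is a compression pointer (0xC00C) back to the question."""
    query = build_query(txid, name)
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + query[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
            + bytes(int(o) for o in ip.split(".")))


def reply_accepted(resp: bytes, txid: int, name: str) -> bool:
    """True if the reply passes the spoof checks, False otherwise."""
    try:
        parse_response(resp, txid, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_demo_reply(0x1A2B, "www.macfixit.com", "192.0.2.10")
    print(parse_response(good, 0x1A2B, "www.macfixit.com"))
    forged = build_demo_reply(0x9999, "www.macfixit.com", "192.0.2.10")
    print("forged reply accepted:", reply_accepted(forged, 0x1A2B, "www.macfixit.com"))
```

The transaction ID is only 16 bits, so on its own it is a weak defence against an attacker flooding guessed replies; the same check applied to the echoed question plus source-port randomization is what a real resolver relies on.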
November 23, 2009 11:36 AM PST

Browser-server now baked into Opera

by Seth Rosenblatt

Amid promises to "reinvent the Web," Opera debuted a beta feature earlier this year called Unite that has now been deemed stable enough to offer to all users. Opera's own hype aside, Unite lets people serve files, host and stream music, and send messages to each other from inside the browser itself, a feature that is unique among the big five browsers. Opera 10.10 is available for Windows, Mac, and Linux.

Like Opera's built-in e-mail client, Unite ships inside the browser; it is basically a customizable server that runs within Opera and includes multiple services, and its open API lets you write and share your own. The initial offering includes the default Unite Home, which is the Opera Unite Web page given to each user, a media player for creating your own publicly available music stream, the "fridge" for a Facebook-style message wall, an instant messenger with a public/private toggle, a photo-sharing app, and file-serving and Web-hosting capabilities. Anything you expose through Unite is reachable from the public Internet, so treat its access settings with the same care as any other server you run.

Besides including Unite, Opera 10.10 also includes an array of bug fixes, mostly aimed at smoothing out the Unite experience, tweaking mail, news, and chat features, and fixing three security problems. Two are described as relatively minor, one an error-message information leak and the other a buffer overflow (buffer overflows are seldom minor in practice, so don't skip this update). Opera is not disclosing details of the third at this time, but says it was discovered by Chris Evans of the Google Security Team. The full changelog for Opera 10.10 is available.

As I've tested Unite over the past few months, it's generally been a stable experience, with a few hiccups to be expected by the beta. However, it hasn't exactly set the browsing world on fire, either, and its target audience is still hard to define. Do you have an opinion on Unite? Let me know in the comments.

Originally posted at The Download Blog
November 23, 2009 7:09 AM PST

Another iPhone worm, but this one is serious

by Don Reisinger

Another iPhone worm has been spotted in the wild.

Unlike the previous worm, which merely changed a jailbroken iPhone's wallpaper to a picture of Rick Astley of "Rickrolling" fame, this new threat lets attackers steal sensitive information.

According to security firm Sophos, which wrote about the worm after a Dutch ISP spotted it late last week, it attacks only jailbroken iPhone and iPod Touch devices.

The worm "uses command-and-control, like a traditional PC botnet," Sophos wrote in a blog post on Saturday to warn users. "It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server to upload stolen data and cede control to the bot master."

Jailbreaking, which has been around for about two years, is a hack that lets iPhone and iPod Touch users install applications unavailable through Apple's App Store. Many jailbreakers also install an SSH server on the device, and, like the Rickrolling worm before it, this one gets in by logging in over SSH with the default root password that most users never change.

Sophos wrote that the worm attacks users on several ISPs, including UPC in the Netherlands, Optus in Australia, and T-Mobile in several countries worldwide. Worse, the worm spreads faster on a Wi-Fi connection than a 3G connection. Users with affected devices might notice extremely short battery life while on Wi-Fi. According to Sophos, that's mainly due to the worm engaging in "so much network activity."

When a device is infected, it's assigned a unique number so that the attackers can single out any one device. The worm also looks for SMS-based authentication codes, known as mTANs: banks frequently send a one-time password by SMS to a customer's mobile phone to authorize a log-in or transaction, Sophos wrote, and a worm sitting on the phone can read those messages.

In essence, this threat is serious.

Sophos recommends that people with infected iPhones and iPod Touch devices restore them back to Apple's most recent firmware update. For now, there is no other way to fix the problem.

Originally posted at The Digital Home

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

November 20, 2009 9:00 AM PST

Browser security features compared

by Dennis O'Reilly

Internet Explorer 8, Firefox 3, Google Chrome 4, Apple's Safari 4, and Opera 10 include features that block sites known to host malware and malicious downloads. All but Opera also let you browse without leaving tracks on your own machine (private browsing hides history and cookies locally; it does not hide you from the sites you visit or your ISP). But just as important as these protections is ensuring that whichever browser you use is thoroughly patched.

Filtering out bad sites
Firefox's built-in antiphishing tool updates its bad-site database 48 times a day, according to Mozilla's Firefox security page. Firefox 3 uses Google's Safe Browsing service to automatically block sites that are known to host malware. The Google Code site describes how Safe Browsing works in Firefox.

To verify that attack-site blocking is enabled in Firefox, click Tools > Options > Security and make sure "Block reported attack sites" is checked.

Mozilla Firefox Security Options dialog

Firefox will prevent known-bad sites from opening when "Block reported attack sites" is checked.

(Credit: Mozilla Foundation)

The same feature is built into Google's own Chrome browser. You can ensure that malware-site filtering is on in Chrome by clicking the wrench icon in the top-right corner, choosing Options, and selecting Under the Hood. "Enable phishing and malware protection" should be checked. The Google Chrome Help site describes the feature. (Hint: This page looks very similar to the description on the Google Code site.)

Google Chrome Options Under the Hood settings

Google's Chrome browser blocks known-bad sites when "Enable phishing and malware protection" is checked.

(Credit: Google)

The SmartScreen technology in version 8 of Internet Explorer blocks known-malicious downloads as well as bad URLs. Other new security features in IE 8 include a cross-site scripting filter, support for blocking click-jacking (via the X-Frame-Options header, which only works on sites that send it), automatic crash recovery, and highlighting of the actual domain name in the address bar. The Microsoft Security site describes the SmartScreen Filter and includes links to a SmartScreen FAQ and information for site managers.

Apple's Safari browser added phishing and malware blocking in version 3.2, which was released in late 2008; read about this and other security features in Safari 4 on the Apple Safari site. Likewise, Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version 10. But attack-site blocking is only one of Opera's many security features, which you can read about on the Opera site.
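Firefox and Chrome both do their blocking the same way under the hood: the browser keeps a local list of 4-byte hash prefixes, hashes several host-suffix/path-prefix variants of every URL you visit, and only asks Google for full hashes when a prefix matches, so Google never sees the URLs that are clean. The block below is an added example written for this page, not code from the article, Mozilla or Google; it models the lookup side of that Safe Browsing (v2) scheme against a blocklist constructed inline (the host malware.example.test is made up), and omits the full URL canonicalization rules.

```python
"""Safe Browsing-style hash-prefix lookup (added example, constructed blocklist)."""
import hashlib
import re
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def canonicalize(url: str):
    """Minimal canonicalization: lowercase host, drop fragment, default path to '/'.
    (Real clients also percent-decode, strip dot segments, and more.)"""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.path or "/", parts.query


def host_suffixes(host: str):
    """The exact host plus up to 4 suffixes of its last 5 labels; the bare TLD is
    never used, and IP-address hosts get no suffixes at all."""
    out = [host]
    if IPV4_RE.match(host):
        return out
    labels = host.split(".")[-5:]
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_prefixes(path: str, query: str):
    """Exact path with and without its query, then '/' and up to 3 directory prefixes."""
    out = [path + "?" + query] if query else []
    out.append(path)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]
    prefixes = ["/"] + ["/" + "/".join(dirs[:i + 1]) + "/" for i in range(min(len(dirs), 3))]
    for p in prefixes:
        if p not in out:
            out.append(p)
    return out


def lookup_expressions(url: str):
    """Every host/path combination the client hashes (at most 5 x 6 = 30)."""
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def build_blocklist(bad_expressions):
    """Simulated list data: the 4-byte prefixes shipped to clients, and the full
    32-byte hashes the server would return on a prefix hit."""
    full = {hashlib.sha256(e.encode()).digest() for e in bad_expressions}
    return {h[:4] for h in full}, full


def check_url(url: str, prefixes, full_hashes):
    """Return the listed expression that matched, or None if the URL is clean."""
    for expr in lookup_expressions(url):
        digest = hashlib.sha256(expr.encode()).digest()
        if digest[:4] in prefixes:          # cheap local check, no network
            if digest in full_hashes:       # a real client fetches full hashes here
                return expr
    return None


# Constructed blocklist for the demo: one malware download directory.
PREFIXES, FULL_HASHES = build_blocklist(["malware.example.test/downloads/"])

if __name__ == "__main__":
    for u in ("http://www.Malware.Example.test/downloads/setup.exe?x=1",
              "http://www.example.test/downloads/setup.exe"):
        print(u, "->", check_url(u, PREFIXES, FULL_HASHES))
```

The suffix/prefix expansion is what lets one list entry cover a whole directory on every subdomain of a bad host, and it is also why a listing can overblock: a single entry for `example.test/` would flag every page on that site.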

Browsing in private
To activate private browsing in Firefox 3, click Tools > Start Private Browsing, or simply press Ctrl-Shift-P. You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy and checking "Automatically start Firefox in a private browsing session." The Mozilla support site provides more information about this feature. Likewise, put IE 8 in private-browsing mode by clicking Safety > InPrivate Browsing, or by pressing Ctrl-Shift-P. You can also open a new tab and click either Browse with InPrivate or Open an InPrivate Window.

IE 8 also lets you control the information about your browsing habits that's shared with Web tracking services. To activate this feature, click Tools > InPrivate Filtering Settings and choose "Let me choose which providers receive my information." This opens the InPrivate Filtering settings dialog, where you can turn filtering off, choose which services to block from tracking you, or automatically block all trackers.

Internet Explorer 8 InPrivate Filtering settings

Internet Explorer 8's InPrivate Filtering lets you block some or all Web tracking services.

(Credit: Microsoft)

You can open an incognito window in Google Chrome by clicking the wrench icon in the top-right corner and choosing "New incognito window," or simply press Ctrl-Shift-N. The incognito icon (a shadow figure in a fedora and glasses) appears in the top-left corner of the browser window. The Chrome support site offers a more detailed description of this feature.

Opera lacks an equivalent private-browsing capability but does offer private searching and other identity-blocking features, as described on the Opera site. To activate private browsing in Safari, simply click Safari Settings Menu > Private Browsing.

Automatic and not-so-automatic browser updates
Patching is a way of life with nearly all software, but especially with browsers and the media players associated with them: Adobe Reader, the Flash Player, Apple's QuickTime, and Sun's Java, among others. All of a browser's security features can be rendered useless by a piece of malware that takes advantage of an unpatched hole in the program.

Firefox 3 alerts users to the presence of an update and now also notifies you when your Flash Player is out-of-date. Internet Explorer 8 updates via the Windows Update/Microsoft Update services. Google Chrome made a splash by being the first browser to update itself in the background without requiring any prompting from users. Safari updates automatically via Apple's update service, which also serves up patches automatically for QuickTime, iTunes, and other Apple software. Opera also notifies you automatically when a new version is available.

But updating is too important to leave to others. Back in April, I described Secunia's Online Software Inspector and downloadable Personal Software Inspector, which identify out-of-date programs on your PC. The programs mentioned in that post have all been updated since, but Secunia's services should point you to the most recent versions.

(Note that Secunia sometimes reports a program as being out-of-date when in fact you have the latest version. On my PC, it continually reports my up-to-date Flash Player as being in need of an update, for example. But the free service Secunia provides is worth putting up with this and similar minor annoyances.)

Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
November 17, 2009 9:00 AM PST

Essential Firefox security add-ons

by Dennis O'Reilly

There's no way to reduce to zero your risk of picking up some piece of malware while browsing. You need layers of security to keep viruses, Trojans, and botnets at bay—the more layers, the safer your browsing. (Of course, the more layers, the slower your browsing, too, so don't get carried away.)

Much emphasis has been placed on the enhanced security features of the latest versions of the popular browsers. Whether one is any safer than another is anybody's guess, but no browser gives you more ways to thwart a Web-based attack than Firefox via its wealth of security add-ons.

Link checkers add warnings to search results
Search results are often difficult to trust, even when the URL looks familiar. Phishers are adept at planting dangerous links that look like harmless ones. Link checkers provide you with an indication of the trustworthiness of sites before you click their links. (Note that several of the products are available for Internet Explorer as well.)

Some of the programs, such as McAfee's SiteAdvisor, give the thumbs-up or thumbs-down based on a single company's research. Web of Trust (WOT) bases its recommendations on the collective intelligence of a network of volunteers. LinkExtend is a link-check aggregator that combines the analyses of eight different services.

McAfee SiteAdvisor search ratings

McAfee SiteAdvisor adds a safety indicator to Web search results.

(Credit: McAfee)

While the recommendations of link checkers are helpful in identifying safe sites, you can't take their yeas and nays as gospel. For example, sites that offer downloads of system utilities may be flagged as dangerous because the programs require access to the operating system and thus could do major damage in the wrong hands.

Track the trackers
You know popular Web sites embed third-party scripts and beacons that track your activities on their pages, but do you know who's doing the tracking? Find out with the Ghostery add-on, which pops up the names of the trackers as the page loads. The program puts a small "ghost" icon in the bottom-right corner of the Firefox window that turns orange when trackers are present. Click the link that appears to the right of the icon to find out more about the trackers and block them individually or entirely.

Ghostery Firefox security add-on

The Ghostery Firefox add-on lets you know who's tracking your activities on the site.

(Credit: Ghostery)

View encryption specs
When you open an encrypted Web page, a lock icon appears in the bottom-right corner of the Firefox window and the URL in the address bar begins with "https." But "encrypted" covers a lot of ground, and knowing which cipher and key length are actually in use can be handy: an RC4 or 40-bit export suite is not the same protection as 128-bit AES.

The CipherFox add-on shows in the bottom-right of the Firefox status bar the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cipher and key size currently in use. Double-clicking the entry opens the CipherFox dialog box, where you can disable RC4 ciphers and choose how much of the SSL/TLS cipher-suite name to display. (Note that the developer accepts donations to support the product.)
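Reading the suite name CipherFox displays is only useful if you know what to look for in it. The following is an added example, not code from the article or from the CipherFox add-on: it parses IANA-style cipher-suite names such as TLS_RSA_WITH_RC4_128_SHA into key exchange, bulk cipher, key size and MAC, flags the combinations a reviewer would reject (RC4, single DES, NULL or export-grade ciphers, anonymous key exchange, MD5), and orders a list of suites the way a hardened server preference list would, forward-secret suites first. The sample suite names used in the demo are standard names, but the list is constructed for the example.

```python
"""Cipher-suite name parsing and weakness flagging (added example)."""
import re

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<rest>.+)$")

# Bulk ciphers that should never be accepted, keyed by the name's first token.
WEAK_CIPHERS = {
    "RC4": "RC4 stream cipher",
    "DES": "single DES",
    "RC2": "RC2",
    "NULL": "no encryption",
}


def assess(suite: str) -> dict:
    """Split an IANA-style suite name into its parts and list its problems."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognized cipher suite name: {suite}")
    kx = m.group("kx")                        # e.g. RSA, ECDHE_RSA, DH_anon, RSA_EXPORT
    tokens = m.group("rest").split("_")       # e.g. ['AES', '128', 'GCM', 'SHA256']
    mac = tokens[-1]
    cipher_tokens = tokens[:-1]
    alg = cipher_tokens[0]
    bits = next((int(t) for t in cipher_tokens if t.isdigit()), None)
    if alg == "3DES":
        bits = 112                            # 168-bit key, ~112-bit effective strength
    aead = "GCM" in cipher_tokens or alg == "CHACHA20"

    problems = []
    if "EXPORT" in kx:
        problems.append("export-grade key exchange")
    if "anon" in kx:
        problems.append("anonymous key exchange (no server authentication)")
    if alg in WEAK_CIPHERS:
        problems.append(WEAK_CIPHERS[alg])
    if alg == "3DES":
        problems.append("3DES (64-bit block, legacy)")
    if bits is not None and bits < 128:
        problems.append(f"{bits}-bit key")
    if mac == "MD5":
        problems.append("MD5 MAC")

    return {
        "key_exchange": kx,
        "cipher": alg,
        "bits": bits,
        "mac": f"AEAD ({mac} PRF)" if aead else mac,
        "forward_secrecy": kx.startswith(("DHE", "ECDHE")),
        "problems": problems,
    }


def is_acceptable(suite: str) -> bool:
    """True when the suite has no flagged weaknesses."""
    return not assess(suite)["problems"]


def preferred_order(suites):
    """Acceptable suites first, forward-secret ones ahead of the rest, longer keys
    ahead of shorter; rejected suites sink to the end of the list."""
    def key(s):
        a = assess(s)
        return (bool(a["problems"]), not a["forward_secrecy"], -(a["bits"] or 0))
    return sorted(suites, key=key)


if __name__ == "__main__":
    # Constructed sample of suites a 2009-era browser might report.
    sample = [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    ]
    for s in preferred_order(sample):
        a = assess(s)
        print(f"{s:45} FS={a['forward_secrecy']!s:5} {', '.join(a['problems']) or 'ok'}")
```

Note that the name tells you nothing about the certificate or the protocol version negotiated; a clean AES suite over a broken SSLv3 handshake, or to a server with an untrusted certificate, still deserves a second look.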

Take charge of Web password management
Firefox's built-in password manager lets you create a master password and remember passwords for specific sites, but if you want to get serious about managing your passwords, get LastPass, a password manager that provides much more granular control over your sign-ins.

After you download and install the add-on, an icon is placed in the top-right corner of the Firefox window. Click it to open the LastPass menu, which lets you manage your identities, open the LastPass Vault, jump to favorite sites, and generate secure passwords. You can also import or export sign-in IDs, compose and print secure notes, and assign keyboard shortcuts for specific actions.

In addition to Firefox and IE, LastPass is available for Google Chrome and Apple's Safari browsers. LastPass backs up your passwords by storing an encrypted copy on its own servers. And because you can access your passwords via the Internet, you can use LastPass on any Web-connected device, although use of LastPass on an iPhone or other smart phone requires a Premium membership, which costs $1 a month. (You can also put LastPass on a USB thumbdrive for use with Firefox Portable and other portable apps.)

Originally posted at Workers' Edge
November 10, 2009 6:08 AM PST

Hundreds of Facebook groups hijacked

by Don Reisinger

Facebook groups are under attack. But the attackers say they come in peace and insist they want only to highlight a flaw in the way Facebook handles group administration.

An organization called Control Your Info has taken control of hundreds of Facebook groups. Those groups had administrators who eventually stepped down from their positions, leaving no one in charge. According to the organization, once the administrator steps down, anyone can take over the group, view the members' personal information, and change the group's information to say whatever they want. Control Your Info believes that the way Facebook handles group administration is a major flaw, and it wants to bring that to everyone's attention.

Control Your Info

Control Your Info has hijacked Facebook groups.

(Credit: Screenshot by Don Reisinger/CNET)

"Hello, we hereby announce that we have officially hijacked your Facebook group," a message written on Monday reads on one hijacked group. "This means we control a certain part of the information about you on Facebook. If we wanted, we could make you appear in a bad way which could damage your image severely."

Janis Roukkos, a representative from Control Your Info, wrote that his organization wants social-networking users to "think about the safety in your social-media life to the same extent you do in your real life." Although Control Your Info is in control of that specific group now, Roukkos wrote that it will restore the group name (which it changed) and leave the group "by the end of next week." He also promised not to "mess anything up."

That single group isn't alone. A quick search for "Control Your Info" in Facebook yields hundreds of groups that have been hijacked by the organization. All the group names have been changed to "Control Your Info," the logos have been changed to the organization's image, and the messages are all the same. The only difference is which Control Your Info representative is writing about the organization's intentions to each group.

Control Your Info's blog sheds some more light on the organization's problem with Facebook. According to Control Your Info, "Facebook Groups suffer from a major flaw. If (an) administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.

"When you're admin of a group, you can basically do anything you want with it," the blog post continued. "You can change (its) name, and the groups members won't even get a notification of it. You can send (messages) to all members and edit info. This is just one example that really shows the vulnerabilities of social media."

Once again, Control Your Info attempted to justify its actions. The organization said the "project is strictly not for profit and done for a good cause."

Facebook did not immediately respond to request for comment.

In the meantime, what do you think about Control Your Info's practices? Is it really teaching folks about social-media security? Let us know in the comments below.


About Webware

Say No to boxed software! The future of applications is online delivery and access. Software is passé. Webware is the new way to get things done.
