
Security

December 3, 2009 3:38 PM PST

Defense Dept. pulls software over privacy issues

by Elinor Mills


The Department of Defense has pulled a parental control product from its online store serving military families after learning that the company collects children's data, according to documents the Electronic Privacy Information Center (EPIC) obtained from the government agency.

EPIC has filed a complaint (PDF) with the Federal Trade Commission alleging that Echometrix, maker of FamilySafe parental control software, violates the Children's Online Privacy Protection Act by collecting personal information from children and disclosing it to third parties for market intelligence purposes. Echometrix denies the allegations.

After learning that the Defense Department's Army and Air Force Exchange Service (AAFES) Web site offers the Echometrix product for sale, EPIC filed a Freedom of Information Act request with the Defense Department.

The agency complied with the FOIA request. Among the documents provided to EPIC were e-mails between Echometrix and a manager at the AAFES Exchange Online Mall who wanted to know how customer information is collected and whether it is used for marketing purposes.

"During the installation process we fully disclose all of Family Safe's procedures and clearly display an opt-out button for all anonymous aggregate data sharing in our (EULA) End User License Agreement," an Echometrix e-mail explains.

"The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited" by the agreement retailers sign to sell products through the AAFES site, the online mall manager writes in an e-mail. "Giving our customers the ability to opt out does not address this issue. [It] is prohibited in any case. Because of this, we must remove Sentry Parental Controls from the Exchange Online Mall."

Asked for comment, a Department of Defense spokeswoman said the Echometrix product was available on the online mall from September 25 until October 15. "To the best of our knowledge, no military personnel signed up for the service during the approximately three weeks it was available," Air Force Lt. Col. April D. Cuningham, the public affairs officer, wrote in an e-mail.

Echometrix collects information from children to help parents filter out Web sites, analyzes that information and then sells it to third parties for market intelligence research, said Kimberly Nguyen, the EPIC lawyer who is handling the case.

The data includes personally identifiable information of children, including IM screen names which can be linked to e-mail addresses, she said.

"The collection of children's data raises serious privacy concerns, and even the Defense Department realizes that," Nguyen said in an interview.

Echometrix denied the allegations.

"Echometrix does not collect personally identifiable information or expose the source of any digital content. The company has never and will never collect, distribute or sell personal information as defined by COPPA (the Children's Online Privacy Protection Act)," the company said in a statement.

The FTC did not respond to an e-mail seeking comment.

Originally posted at InSecurity Complex
December 1, 2009 3:07 PM PST

EFF sues feds for info on social-network surveillance

by Elinor Mills

The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.

The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.

The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.

The EFF needs access to the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections," the lawsuit said.

None of the agencies contacted had complied with the EFF's Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.

The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.

The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.

Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.

"Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends," he said. "Governments are using the sites but not in the way [citizens] expect when they sign up."

The government agencies could not be reached for comment Tuesday afternoon.

Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.

Originally posted at InSecurity Complex
December 1, 2009 7:52 AM PST

IBM buys database security firm Guardium

by Lance Whitney

IBM said Monday that it has acquired database security firm Guardium.

Guardium is a leading vendor in monitoring and protecting databases for large enterprises. In addition to securing the data and watching database activity, Guardium's technology can automate certain tasks to assist businesses with regulatory compliance, said IBM. Big Blue expects the acquisition to help its customers better shield their critical databases against both external and internal threats.

Guardium can check for specific patterns and anomalies when information is accessed, said IBM, allowing enterprises to maintain the integrity of their data. Guardium's technology can also detect fraud and unauthorized access to a database by way of an enterprise application, such as a company's ERP or CRM software.

"Organizations are grappling with government mandates, industry standards and business demands to ensure that their critical data is protected against internal and external threats," said Arvind Krishna, general manager of IBM Information Management, in a statement. "This acquisition is another significant step in our abilities to help clients govern and monitor their data, and ultimately make their information more secure throughout its lifecycle."

Guardium, a privately held company based in Waltham, Mass., will be integrated into IBM's Information Management Software portfolio.

Big Blue hasn't been shy about buying companies this year to increase the scope of its business services. In July, the company picked up analytics and information forecaster SPSS for $1.2 billion. With security a vital need for its customers, IBM also acquired security provider Ounce Labs around the same time.

Financial terms of the Guardium deal were not disclosed.

November 28, 2009 11:14 AM PST

Pub fined $13k for Wi-Fi copyright infringement

by David Meyer

A pub owner in the U.K. has been fined £8,000 (about $13,183) because someone unlawfully downloaded copyrighted material over its open Wi-Fi hotspot, according to the managing director of hotspot provider The Cloud.

Graham Cove told CNET sister site ZDNet UK on Friday that he believes the case to be the first of its kind in the U.K. However, he would not identify the pub concerned, because its owner, a client of The Cloud, had not yet given permission for the case to be publicized.

Cove would say only that the fine had been levied in a civil case, brought about by a rights holder, "sometime this summer." The Cloud's pubco clients include Fullers, Greene King, Marsdens, Scottish & Newcastle, Mitchell & Butlers, and Punch Taverns.

The law surrounding open Wi-Fi networks and the liability of those running them is a grey area...

Read more of "Pub 'fined £8k' for Wi-Fi copyright infringement" and the followup story, "Law expert issues warning to open Wi-Fi operators," at ZDNet UK.

November 23, 2009 4:00 AM PST

E-tailers snagged in marketing 'scam' blame customers

by Greg Sandoval

First, the good news for consumers: the U.S. government's investigation into how dozens of well-known online stores worked with controversial marketers to "deceive" customers out of $1.4 billion has prompted some retailers, including Continental Airlines, to sever ties with the marketers.

Mark Goldston, chairman and CEO of United Online, parent company of Classmates.com, which banked $70 million from marketing practices now under investigation by the Senate Commerce committee.

(Credit: United Online)

Now, the bad news: the marketers--Affinion, Vertrue, and Webloyalty--are still in business and judging from the responses of many of the retailers involved, such as Priceline, Classmates.com, FTD, Shutterfly, and Orbitz, it will be business as usual. They see nothing wrong with the marketing practices that millions of angry online shoppers and members of the U.S. Senate have called a "scam," "robbery" and "theft."

While the U.S. Senate Commerce committee produced a staggering amount of documentation during a hearing last week that appears to show consumers are misled into signing up for so-called loyalty programs, the retailers continue to suggest it's their customers who are at fault.

The controversy began last May, when the Commerce committee launched an investigation into the practices employed by Vertrue, Affinion, and Webloyalty. The committee's investigators found thousands of complaints going back years from people who said they discovered "mysterious charges" on their credit cards and struggled to discover how they got there.

The Senate's investigators said they learned that the retailers had made an unholy alliance with the marketers. Under most of the agreements between the marketing firms and retailers, an advertising page is presented to a shopper while they complete a transaction at the retailer's online store. Many shoppers say they entered their e-mail address and pushed a large "Yes" button on the ad because it appears to be a $10 cash-back offer or coupon. Many of those that complain say they thought they were being rewarded by the retailer for making a purchase.

Written in much smaller print within the ad are the full terms of the deal. A customer is notified there that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20.

Despite being blasted last week by members of the Commerce committee, most of the retailers involved haven't done much repenting.

Orbitz "does not pass on any personally identifiable customer information to third party vendors without their permission," the travel site said in a statement.

United Online, parent company of FTD and Classmates.com, which the government said banked $70 million via the three marketers, said: "We believe that our marketing practices provide clear disclosure. We do not transfer our customer's credit or debit card information to third parties without our customer's consent."

Priceline said the terms of the deal have "been clearly and fully explained."

It's all your fault
The inference is clear: The people complaining about this are the ones who screwed up. The terms of the deal were all in the ad so that means anyone who was charged the monthly fee either wanted it at the time or was negligent.

I can start by listing all the information that the government has found that shows that as many as 30 million consumers were unaware that they were signing up for the loyalty programs. But first, let's look at the obvious.

Webloyalty, Affinion and Vertrue all say they do their best to make it clear to consumers what they're signing up for. That's nonsense of course. If their claim were true, they would simply insert the following paragraph, or something like it, high up in their ads:

BY ENTERING YOUR CREDIT CARD NUMBER YOU ARE REGISTERING FOR MEMBERSHIP PROGRAM AND YOUR CREDIT CARD WILL BE CHARGED $12 PER MONTH FOR THIS SERVICE UNTIL YOU CANCEL YOUR MEMBERSHIP. ENTER CARD NUMBER HERE:________. EXPIRATION DATE HERE:________.

Voila. End of confusion.

This simple fact was presented in a Jan. 8, 2007, court filing that was part of a class-action lawsuit filed against Webloyalty, one of several suits filed against the three marketing companies over the years. In this case, the attorneys representing plaintiff Joe Kuefler sized up why they believed Webloyalty doesn't display its terms in this clear way or ask consumers to input their credit card information themselves.

"The answer is nefarious," the lawyers wrote. "If customers had to retype their credit card numbers, they would know that they were registering for a monthly fee-based service and defendants would not be able to get rich by fooling people into signing up."

Confusion breeds deception
Here's the next obvious fact that readers should know: burying important contractual information deep inside big blocks of text isn't new. Creating confusion around a purchasing experience and then obtaining a consumer's credit card information from someone other than the owner to make charges isn't novel. These ideas have been around in some form or another for decades and are outlawed in many parts of the brick-and-mortar world. These tactics won't fool everyone, but they will mislead enough consumers for the companies to profit.

In the court filing against Webloyalty, Kuefler's lawyers said that if they could get their hands on the company's internal documents they could prove Webloyalty knew that most "members" were duped into signing up. Well, the government did obtain documents.

According to the Senate Commerce committee's report, a Vertrue employee once wrote that "cancellation calls represent approximately 98 percent of call volume" to the company's customer service operations. One Webloyalty employee said in an e-mail that "90 percent of our members don't know anything about the membership."

Documents obtained by the government show Affinion estimated that the chances of obtaining money from a consumer would be four times higher if a retailer handed over a customer's credit-card information to the marketing firm than if the firm had to get it from the actual cardholder.

Prentiss Cox, a former assistant attorney general and now a Minnesota law professor, says that in his decade-long experience studying the marketing practices employed by Affinion, Vertrue and Webloyalty, it's clear to him that the share of members who voluntarily signed up for the loyalty programs run by those companies is less than 5 percent.

Since I began writing about this in July, I've seen a lot of reader feedback from people who don't believe they could ever be misled into signing up for the membership programs. But I've also read thousands of complaints, which can be found here, here, and here. Among those that have claimed to have been duped are lawyers, computer programmers, vice presidents, U.S. Army veterans, and journalists.

The government wrote that more than 35 million people have been enrolled in Affinion, Vertrue, and Webloyalty's clubs.

Cox says the marketing techniques used by Affinion, Webloyalty, and Vertrue work because shoppers have been conditioned to believe that on the Web they can't be charged without entering their credit card information. He notes that the ads Affinion, Vertrue and Webloyalty stick in the faces of consumers come late in the transaction process, when a consumer might think they need to click the "yes" button and enter their e-mail address to verify their identities. In addition, the ads "are sold as free offers," Cox said. This lowers a shopper's guard.

Another effective technique employed by the marketing companies is that they know many people will be embarrassed. Many consumers will hear that they entered their e-mail address and will assume they erred. Some won't make a stink because they don't want to admit that they don't check their bank statements well enough.

By saying, "we never release credit card information without the consumer's authorization," the marketing companies and their retail partners imply that the money their customers lost was caused by their own negligence.

Affinion, Vertrue, Webloyalty, and their retail partners are all profiting from their customers' shame, when it is they who should be ashamed.

Webloyalty illustrated for potential clients how much easier it is to generate "high revenue" from a consumer when the firm can get their credit card information from a retailer ('card on file') instead of the card owner. Members of a Senate committee have called such practices a 'scam.'

(Credit: U.S. Senate Commerce committee)

Click here for a related podcast.

November 17, 2009 6:05 PM PST

Facebook adopts new privacy policy

by Steven Musil

Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.

The social network had just completed a weeklong comment period for the new revision and, though "a lot of people participated," fewer than 7,000 members commented. According to Facebook's rules, this meant that a vote was unnecessary, Michael Richter, Facebook deputy general counsel, wrote in a company blog.

Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.

The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.

The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.

The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.

Originally posted at Digital Media
November 3, 2009 10:32 AM PST

Malwarebytes accuses rival of software theft

by Elinor Mills

Malwarebytes is accusing China-based computer security firm IObit of intellectual property theft, but IObit denied the allegations and said there were problems with its malware submission site.

Malwarebytes claims IObit stole from its database of signatures of malicious applications that its software uses for detecting malware on customer computers.

Malwarebytes discovered that IObit's Security 360 free anti-malware software was flagging a specific key generator piece of code for Malwarebytes' Anti-Malware software and using the same naming scheme, which includes the phrase "Don't Steal Our Software," according to a blog post on the Malwarebytes.org site.

This screen shot shows that IObit's product uses the same naming scheme as Malwarebytes.org.

(Credit: Malwarebytes.org)

After finding additional evidence, Malwarebytes conducted a test and added fake definitions for a fake rogue application to its database of malware. Within two weeks, IObit was detecting the fake files and using "almost exactly" the fake names, Malwarebytes said.
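The test Malwarebytes describes is a canary (honeytoken) check: seed your own database with entries for files that exist nowhere else, then look for those entries in a suspect database. The code below is an added illustration of that technique, not Malwarebytes' or IObit's code; the signature format, the seed string and the suspect database are constructed for the example.

```python
"""Canary entries for a malware-signature database (added example, not
Malwarebytes' or IObit's code). Seed fake definitions, then measure how
many of them turn up, by hash and by name, in a suspect database."""
import hashlib


def make_canary(seed: str, index: int) -> dict:
    # Deterministic fake definition derived from a private seed, so the
    # owner can regenerate the canary set later without storing it.
    digest = hashlib.sha256(f"{seed}:{index}".encode()).hexdigest()
    return {"name": f"Rogue.Canary.{digest[:8]}", "hash": digest}


def seed_canaries(db: list, seed: str, count: int) -> list:
    """Append `count` canary definitions to `db` and return them."""
    canaries = [make_canary(seed, i) for i in range(count)]
    db.extend(canaries)
    return canaries


def canary_report(suspect_db: list, canaries: list) -> dict:
    """Count canaries present in `suspect_db` by hash, and how many of
    those also reuse the canary's name (the naming-scheme tell in the
    article). Entries are dicts with "name" and "hash" keys."""
    expected = {c["hash"]: c["name"] for c in canaries}
    hits = name_matches = 0
    for entry in suspect_db:
        name = expected.get(entry["hash"])
        if name is None:
            continue
        hits += 1
        if entry["name"] == name:
            name_matches += 1
    return {
        "hits": hits,
        "name_matches": name_matches,
        "fraction": hits / len(canaries) if canaries else 0.0,
    }


if __name__ == "__main__":
    # Constructed demo data: our database, then a "rival" database that
    # contains two of our three canaries, one under an identical name.
    own_db = [{"name": "Trojan.Example", "hash": "aa" * 32}]
    canaries = seed_canaries(own_db, "constructed-private-seed", 3)
    rival_db = [
        {"name": "Worm.Example", "hash": "bb" * 32},
        dict(canaries[0]),                                   # same name
        {"name": "Generic.Suspicious", "hash": canaries[1]["hash"]},  # renamed
    ]
    print(canary_report(rival_db, canaries))
```

A canary hit by hash is the strong signal: the canary file was never distributed, so a third party could not have received it through ordinary sample submission, which is the explanation IObit offers below. Name matches on top of hash matches show that the entry was copied with its label rather than independently analysed. Keep the seed private, rotate canaries over time, and treat the fraction as a measure of how much of the database was copied, not just whether it was.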

"We soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database," the blog post says. "They are using both our database and our database format exactly."

Malwarebytes, which said it uncovered evidence that IObit may have stolen proprietary databases of other security vendors as well, said it plans to pursue legal action against IObit.

IObit denied the allegations, saying it was a "mistake," and accused Malwarebytes of spreading "malicious rumors."

IObit said it would soon release a legal letter and an explanation of the technical aspects to prove its case. In the meantime, IObit temporarily deleted all disputed items in its database to avoid "dispute and possible problems" and disabled its malware submission page, the company said in a blog post.

Basically, someone submitted samples with the name used by another vendor, the post says.

"Unfortunately, IObit database analyzer carelessly used the names provided by the submission. This mistake can be understood because it is very normal--Many enthusiastic IObit users find there are samples missed by IObit Security 360 but detected by other anti-malware products, then they would submit these samples to us and provide names defined by other anti-malware vendors."

"There are holes and problems with IObit malware submission procedure and database management," the post concluded.

Malwarebytes found that IObit's product detected the fake malware that Malwarebytes had put in its own database as a test.

(Credit: Malwarebytes.org)

Originally posted at InSecurity Complex
November 3, 2009 12:01 AM PST

Security firm M86 acquires Finjan

by Elinor Mills

The security industry consolidation continues.

Web and e-mail security provider M86 Security was set to announce on Tuesday the acquisition of Finjan.

Finjan brings to the table a secure Web gateway product and software-as-a-service solutions, M86 said in a statement. Under the merger, which is effective immediately, Finjan will maintain a development center and operations in Netanya, Israel.

U.S.-based Finjan SW will remain an independent company to retain its malware detection intellectual property, according to a statement.

M86 was created a year ago with the merger of Marshal and 8e6. In March 2009, the combined company acquired behavioral malware detection company Avinti.

Last week, Cisco Systems said it was buying Web-based security software company ScanSafe. And earlier in October, Barracuda Networks, which makes security appliances, announced its purchase of Purewire, a Web security-as-a-service provider.

Meanwhile, vulnerability management provider Rapid7 recently acquired Metasploit, an open-source penetration testing framework and exploit database.

Originally posted at InSecurity Complex
October 27, 2009 8:54 AM PDT

Nokia, SAP team up to fight counterfeiting

by Lance Whitney

Nokia and SAP are forming a new company that will use their technologies to help manufacturers battle counterfeit products.

Announced Tuesday at SAP TechEd in Vienna, Original1 will offer services to better authenticate branded products and protect them from counterfeiting, the companies said in a statement.

Offering software as a service (SaaS), Original1 will draw on a combination of SAP's supply-chain technology and Nokia's mobile authentication software. Nokia and SAP will each own 40 percent of the business, while German firm Giesecke & Devrient (G&D) will own the remaining 20 percent and add the security and encryption component.

The service will target products that are especially vulnerable to counterfeiting, such as pharmaceuticals and luxury goods, G&D spokesman Stefan Waldenmaier said. Other items, such as auto parts and software, could also benefit from the service, he said.

At this point, the service can only work with physical products, not electronic items. So, for example, Original1 could protect boxed software but not downloadable media.

Here's how it works: branded products will be electronically tagged with smart, tamper-proof barcodes, allowing the manufacturer to track them using a Nokia smartphone as they move from factory to store shelf. A retailer can then check the product information against a database and determine whether the data is coming from a legitimate product.
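The article gives only the outline of the scheme: a tag on the product, a scan at each stage, and a database lookup at the retailer. The example below is an added sketch of one way such a check can be built; it is not Original1's, Nokia's, SAP's or G&D's code, and the tag format (a product id, a serial and a truncated HMAC), the key, the product ids and the shop names are all assumptions constructed for the example. It goes one step beyond the text by flagging a tag whose code verifies but has already been checked at a different retailer, which is how a copied tag would show up.

```python
"""Tag issuance and retail-side verification for anti-counterfeiting
(added example; the tag format and registry are assumptions, not
Original1's design)."""
import hashlib
import hmac


def issue_tag(key: bytes, product_id: str, serial: int) -> str:
    """Manufacturer side: bind product id and serial with a keyed MAC
    so a tag cannot be fabricated without the key."""
    payload = f"{product_id}:{serial:08d}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}:{mac}"


class TagRegistry:
    """Database side: which tags were issued and where they were scanned."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = set()        # tags the manufacturer actually printed
        self.scans = {}            # tag -> list of (stage, location)

    def register(self, tag: str) -> None:
        self.issued.add(tag)

    def check(self, tag: str, location: str) -> str:
        """Retailer-side check. Returns one of: malformed, bad_mac,
        not_issued, cloned, genuine. A genuine result records the scan."""
        try:
            product_id, serial, mac = tag.split(":")
        except ValueError:
            return "malformed"
        payload = f"{product_id}:{serial}"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(mac, expected):
            return "bad_mac"            # code was altered or invented
        if tag not in self.issued:
            return "not_issued"         # valid-looking code never printed
        prior_shops = [loc for stage, loc in self.scans.get(tag, []) if stage == "retail"]
        if prior_shops and location not in prior_shops:
            return "cloned"             # same tag already on another shelf
        self.scans.setdefault(tag, []).append(("retail", location))
        return "genuine"


if __name__ == "__main__":
    # Constructed demo: one genuine tag, checked twice at one shop, then
    # presented at a second shop; one altered tag; one never-issued tag.
    registry = TagRegistry(b"constructed-demo-key")
    tag = issue_tag(registry.key, "PHARMA-0001", 42)
    registry.register(tag)
    for shop in ("shop-A", "shop-A", "shop-B"):
        print(shop, registry.check(tag, shop))
    altered = tag[:-1] + ("0" if tag[-1] != "0" else "1")
    print("altered", registry.check(altered, "shop-A"))
    print("unissued", registry.check(issue_tag(registry.key, "PHARMA-0001", 43), "shop-A"))
```

The MAC check stops fabricated codes, the issued set catches codes that verify but were never printed (for instance if the key leaks), and the scan history is what catches a faithful copy of a real tag: a copy carries a valid code, so only its appearance in two places at once gives it away. In a real deployment the key would live in an HSM on the verification service rather than in the retailer's scanner, and the scan history would carry timestamps so that a legitimate return or transfer can be distinguished from a clone.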

Located in Frankfurt, Germany, Original1 will be run by Claudia Alsdorf, currently the vice president of SAP Research.

"Counterfeiting is a worldwide problem that is increasing and affecting many successful companies in all industries," Alsdorf said in a statement. "Today, more than ever, companies need to combat counterfeiting before it's too late, when their company livelihood is at stake."

SAP has already run pilot tests of the new service with some of its customers and said the testing has been successful.

Nokia and SAP have a history of working together on mobile projects. Nokia is an SAP global technology partner, while SAP is a Nokia Enterprise Zone member.

Subject to regulatory approval, Original1 is expected to open its doors before year's end.

In the video below from SAP, Alsdorf talks about the new company:

October 27, 2009 8:26 AM PDT

Cisco to buy cloud security firm for $183 million

by Marguerite Reardon

Cisco Systems said Tuesday it plans to buy privately held Web-based security software company ScanSafe for about $183 million.

The all-cash deal, which also includes retention-based incentives, is expected to close in Cisco's fiscal second quarter, which ends in January 2010.

ScanSafe is a cloud-based software service that allows customers to license the application on demand. Cloud-based services help customers save on costs, because they don't have to buy licenses to software and manage the software applications themselves.

The ScanSafe technology will help Cisco expand on capabilities it added when it bought IronPort in 2007, the company said. Cisco also plans to integrate ScanSafe's service with its AnyConnect VPN Client to provide a secure mobility solution. And Cisco will use ScanSafe's data centers to provide new cloud security services.

After a lull, Cisco has stepped up its acquisitions. This is the third acquisition the company has announced this month. Two weeks ago it said it would buy wireless equipment maker Starent Networks for $2.9 billion. And at the beginning of the month, it said it would buy Norwegian video conference equipment maker Tandberg for $3 billion. CEO John Chambers has said the company is looking for even more acquisitions.

Originally posted at Signal Strength