[Quote]:
Not a word of complaint about the 70/30 revenue split. Their complaint is solely about access to customer information, which they profit by selling. And remember: it’s not Apple that controls that information with App Store subscriptions: it’s us, the users. What the FT is arguing here is that they don’t want their subscribers to have any control over their customer privacy.
[Quote]:
Creepy is a software package for Linux or Windows – with a Mac OS X port in the works – that aims to gather public information on a targeted individual via social networking services in order to pinpoint their location. It’s remarkably efficient at its job, even in its current early form, and certainly lives up to its name when you see it in use for the first time.
You can enter a Twitter or Flickr username into the software’s interface, or use the in-built search utility to find users of interest. When you hit the ‘Geolocate Target’ button, Creepy goes off and uses the services’ APIs to download every photo or tweet they’ve ever published, analysing each for that critical piece of information: the user’s location at the time
[Quote]:
Most people’s understanding of what can actually be done with the data provided by our mobile phones is theoretical; there were few real-world examples. That is why Malte Spitz from the German Green party decided to publish his own data collected from August 2009 to February 2010. However, to even access the information, he had to file a suit against telecommunications giant Deutsche Telekom.
The data, which ZEIT ONLINE has made available for download and acts as the basis for our accompanying interactive map, were contained in a massive Excel document. Each of the 35.831 rows of the spreadsheet represents an instance when Spitz’s mobile phone transferred information over a half-year period. Seen individually, the pieces of data are mostly inconsequential and harmless. But taken together, they provide what investigators call a profile – a clear picture of a person’s habits and preferences, and indeed, of his or her life.
[Quote]:
The Homeland Security Department paid contractors millions of dollars to develop and study surveillance systems that could covertly track pedestrians and check under people’s clothing with airport-style body scanners as they enter train stations, bus depots or major events, newly released documents show.
Two contracts the department signed in 2005 and 2006 were part of its effort to acquire technology to find suicide bombers in a crowd of moving people, according to documents given to the Electronic Privacy Information Center (EPIC), a privacy-rights group that is suing Homeland Security.
The department dropped the projects in a “very early” phase after testing showed flaws, Homeland Security spokesman Bobby Whithorne says.
[Quote]:
The whole thing was over in a matter of minutes and was a completely professional experience.
Or it was, until a male TSA agent walked behind us and hollered: "Hey, I thought she was mine! I was gonna do her!"
[Quote]:
“Researchers from the University of Washington and Microsoft Research have found that cursor movements and cursor hovers can detect the relevance of a search result and whether a user may abandon the search. They use an efficient algorithm written in Javascript to silently record movements and clicks on Bing and find that computing relevance using movements + clicks works better than just clicks (the current state-of-the-art). They explain some of this due to cursor and gaze being closely aligned on the web, and especially so on search result pages. Is this the future of innovation in search ranking — Google and Bing tracking your every twitch and pause?”
…Just in time for Web use to go mobile and touch-based.
[Quote]:
The Internet service provider (ISP) hosting WikiLeaks’ servers is fighting back against the European Data Retention Directive by running all customer traffic through an encrypted virtual private network (VPN) service before logging it.
The European Data Retention Directive, which was approved in 2006, aimed to identify the origin, time and means of communication for all Internet traffic to support investigations.
By anonymizing all traffic, not even WikiLeaks ISP Bahnhof will be able to see what customers are doing, making any such logs useless.
[Quote]:
A year after a Nigerian man allegedly tried to blow up a Detroit-bound airliner, officials say they have made it easier to add individuals’ names to a terrorist watch list and improved the government’s ability to thwart an attack in the United States.
[..]
Since then, senior counterterrorism officials say they have altered their criteria so that a single-source tip, as long as it is deemed credible, can lead to a name being placed on the watch list.
So, if there’s somebody you don’t like, you know what to do…

Share government’s secrets, go to jail. Share normal people’s secrets, TIME man of the year!
[Quote]:
In a landmark decision issued today in the criminal appeal of U.S. v. Warshak, the Sixth Circuit Court of Appeals has ruled that the government must have a search warrant before it can secretly seize and search emails stored by email service providers. Closely tracking arguments made by EFF in its amicus brief, the court found that email users have the same reasonable expectation of privacy in their stored email as they do in their phone calls and postal mail.
[Quote]:
A 10 page Powerpoint presentation (pdf) that I recently obtained through a Freedom of Information Act Request to the Department of Justice, reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transaction. The government’s guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections.
[Quote]:
A researcher from a Dutch university is warning that Facebook’s ‘Like This’ button is watching your every move.
Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not.
Roosendaal says that Facebook’s tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the ‘Like This’ button and Facebook Connect.
[Quote]:
When it comes to wasting police time, the biggest offenders appear to be…the police. That, at least, appears to be the conclusion of the Home Office. Its official statistics, published today, show that while police stopped over 100,000 individuals last year to “prevent acts of terrorism”, there was not a single arrest for a terror offence as a result of these stops. This perhaps is the final nail in the coffin for the widely criticised section 44 of the Terrorism Act 2000, which gives police forces powers to stop and search individuals – in so-called “designated areas” – to prevent acts of terrorism without the need for reasonable grounds of suspicion. According to today’s report: “In 2009/10, 101,248 stops-and-searches were made under this power.”
The report continues: “[This] represents a 60 per cent decrease since 2008/9. Compared with the same quarter of 2008/9, the number of searches carried out in Jan-March 2010 fell by 77 per cent, down to 14,214.”
One reason for the decline may be the fact that in July of this year – following a European Court ruling that finally established that the power granted under s44 was too wide and therefore unlawful – the Home Secretary herself required police forces to stop using it.
[Quote]:
It is all over the news, the Dutch National High Tech Crime Unit took down the Bredolab botnet. Kudos for that, bringing down a botnet with 30 million bots is not an easy task. The C&C servers were taken down and taken over. To notify owners of infected machines a small executable will be sent to infected machines that will show a popup that your computer is infected. You can view the page here…
Now, this gesture is nice, but it brings in a few problems…
First, the executable is very small, 8kb only, not encrypted, not compressed, beyond all, not signed. All it will do is actually open this page.
What will prevent people from modifying the URL to point to some malicious webpage and distribute the executable? A researcher at FireEye still found a C&C server active on the Bredolab Botnet. What if this server starts to serve this modified executable to systems that are still infected? You can imagine what would happen…
Second, in the future, the same technique may be used by rogue anti-virus to tell you that your system is infected and tells you to download this super-duper solution (which of course will only continue to make the problem worse).
A third problem here is a legal one… It may not be legal at all in all countries in the world to “plant” this executable that shows the warning on infected systems. Basically you are knowingly trespassing that system…
It’s like the police breaking in and entering to tell you a burglar has been in your house and that you should replace your crappy lock. Very questionable.
[Quote]:
In seven years, New Orleans’ crime camera program has yielded six indictments: three for crimes caught on video and three for bribes and kickbacks a vendor is accused of paying a former city official to sell the cameras to City Hall.
Given that ignominious track record and the millions the city has paid for a camera network that rarely worked, Mayor Mitch Landrieu unceremoniously pulled the plug on the project Thursday.
[Quote]:
This browser extension stops Facebook social plugins—including those within iFrames—from running on sites other than Facebook itself. This includes ‘Like’ buttons, ‘Recommended’ lists, and should also stop any Facebook scripts from tracking your browsing history.
[Quote]:
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests. It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
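The gap described in the quote above (encrypted login, cleartext everything else) can be checked from a site's own response headers. The following is an added example, not part of the quoted post or of Firesheep: it audits a captured login flow for cookies that would cross the network unencrypted and builds a hardened `Set-Cookie` value. The host `shop.example`, the cookie names and the captured flow are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (response URL, [(header name, header value), ...]).
# The login is HTTPS, the rest of the site is not, as in the quote above.
CONSTRUCTED_FLOW = [
    ("https://shop.example/login", [
        ("Set-Cookie", "session=9f2c1a; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=77ab; Path=/; Secure"),
    ]),
    ("http://shop.example/home", [
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]),
]


def audit_flow(flow):
    """Return {cookie name: [issues]} for cookies readable on an open network."""
    findings = {}
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        for header, value in headers:
            if header.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(value)
            for name, morsel in jar.items():
                issues = []
                if scheme != "https":
                    # The cookie was already visible when it was issued.
                    issues.append("set over plain HTTP")
                if not morsel["secure"]:
                    # Without Secure the browser attaches the cookie to
                    # http:// requests, even if it was issued over HTTPS.
                    issues.append("no Secure attribute: sent on http:// requests")
                if issues:
                    findings.setdefault(name, []).extend(issues)
    return findings


def hardened_set_cookie(name, value):
    """Build a Set-Cookie value that is only ever sent over HTTPS.

    Secure is only useful when every page that needs the cookie is served
    over HTTPS, which is the fix the quoted post calls for.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()


if __name__ == "__main__":
    for cookie, issues in audit_flow(CONSTRUCTED_FLOW).items():
        print(cookie, "->", "; ".join(issues))
    print(hardened_set_cookie("session", "9f2c1a"))
```
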
[Quote]:
In the animal world, squid are masters of disguise. Pigmented skin cells enable them to camouflage themselves—almost instantaneously—from predators. Squid also produce polarized skin patterns by regulating the iridescence of their skin, possibly creating a “hidden communication channel” visible only to animals that are sensitive to polarized light.
In research published today in the journal Biology Letters, MBL (Marine Biological Laboratory) researchers Lydia Mäthger and Roger Hanlon present evidence that the polarized aspect of the skin of the longfin inshore squid, Loligo pealeii, is maintained after passing through the pigment cells responsible for camouflage.
While the notion that a few animals produce polarization signals and use them in communication is not new, Mäthger and Hanlon’s findings present the first anatomical evidence for a “hidden communication channel” that can remain masked by typical camouflage patterns. Their results suggest that it might be possible for squid to send concealed polarized signals to one another while staying camouflaged to fish or mammalian predators, most of which do not have polarization vision.
[Quote]:
Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people’s names and, in some cases, their friends’ names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found.
The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings. The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.
[From the same interview as the post below]:
When Bennet asked about the possibility of a Google “implant,” Schmidt invoked what the company calls the “creepy line.”
“Google policy is to get right up to the creepy line and not cross it,” he said. Google implants, he added, probably crosses that line.
At the same time, Schmidt envisions a future where we embrace a larger role for machines and technology. “With your permission you give us more information about you, about your friends, and we can improve the quality of our searches,” he said. “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”
And that’s not creepy?
You should not expect regulations to stop Google from invading your life; you’ll have to take measures yourself, because, as the post below shows, “laws are written by lobbyists”.
[Quote]:
Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone.
Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.
The bill, which the Obama administration plans to submit to lawmakers next year, raises fresh questions about how to balance security needs with protecting privacy and fostering innovation. And because security services around the world face the same problem, it could set an example that is copied globally.
[Quote]:
The number of U.S. government requests for Google data rose 20 percent in the last six months, according to data released by the search giant Monday.
U.S. government agencies sent Google 4,287 requests for data on Google users and services from Jan. 1 to June 30, 2010, an average of 23.5 a day. That’s compared to 3,287 for July 1 to Dec. 31, 2009, the company reported Tuesday in an update to its unique transparency tool.
That rise is just a small part of the newest statistics on worldwide government data requests to Google, which are now paired with a comprehensive tool for viewing government blockages of Google services. The new tool lets you check timelines of traffic to 17 Google services from some 200 countries to see blockages and traffic patterns.
[Quote]:
OUT-LAW reported yesterday that the Department for Business Innovation and Skills (BIS) has launched a consultation on its plans for implementing a suite of five EU Directives, known collectively as the European Electronic Communications Framework.
One of these Directives amends the existing Directive on Privacy and Electronic Communications. The new law includes an Article that demands that websites get every visitor’s prior consent before sending cookies to their machines.
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.
[..]
The Article that demands prior consent appears to be qualified by a Recital that says: “Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
[..]
The advertising industry is adamant that you can rely on cookie settings
So there you have it – it is illegal for a web server to send your browser a cookie.
Unless it is required for the website to work, or unless your browser settings allow it anyway.
So the practical upshot is that it is illegal to send cookies to browsers who block them? What use is this law?
From the comments on that article:
Industry don’t want these changes because it obligates them to behave ethically and seek consent to track and profile.
Industry don’t give a shit about how this impacts users, they only care about how it impacts their ability to cast a wide net for profiling – which is what opt out has allowed them to do for far too long.
Every once in a while, when it comes to data mining or stuff like net neutrality people will say stuff like “Banks aren’t interested in data mining and knowing all about you!” or that “ISPs aren’t interested in doing special deals for content companies”. Or whatever.
Wake up:
[Quote]:
TELECOMS operators naturally prize mobile-phone subscribers who spend a lot, but some thriftier customers, it turns out, are actually more valuable. Known as “influencers”, these subscribers frequently persuade their friends, family and colleagues to follow them when they switch to a rival operator. The trick, then, is to identify such trendsetting subscribers and keep them on board with special discounts and promotions. People at the top of the office or social pecking order often receive quick callbacks, do not worry about calling other people late at night and tend to get more calls at times when social events are most often organised, such as Friday afternoons. Influential customers also reveal their clout by making long calls, while the calls they receive are generally short.
Companies can spot these influencers, and work out all sorts of other things about their customers, by crunching vast quantities of calling data with sophisticated “network analysis” software.
It’ll be interesting to see what happens when people start to game this system – some of that is already visible in the email behavior in companies where employees know they’re monitored a lot.
[Quote]:
Facebook Inc Chief Executive Mark Zuckerberg says a lawsuit by a man who claims to own a huge chunk of the popular social networking website is seeking to uncover needless details about his private life.
[Quote]:
Government agents can sneak onto your property in the middle of the night, put a GPS device on the bottom of your car and keep track of everywhere you go. This doesn’t violate your Fourth Amendment rights, because you do not have any reasonable expectation of privacy in your own driveway – and no reasonable expectation that the government isn’t tracking your movements. That is the bizarre – and scary – rule that now applies in California and eight other Western states. The U.S. Court of Appeals for the Ninth Circuit, which covers this vast jurisdiction, recently decided the government can monitor you in this way virtually anytime it wants – with no need for a search warrant.
[Quote]:
If you’re surfing the web from a wireless router supplied by some of the biggest device makers, there’s a chance Samy Kamkar can identify your geographic location.
That’s because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device’s media access control address with one wayward click of the mouse. Once in possession of the unique identifier, Kamkar can plug it in to Google’s Google Location Services and determine where you are.
[Quote]:
Microsoft gutted a new privacy control system from Internet Explorer 8 at the behest of the advertising industry and its own marketing executives
??? Send them to Catholic school?