Private Sector

Facebook changes touch privacy nerve. Why ‘Privacy By Design’ Is The New Corporate Hotness - Kashmir Hill - The Not-So Private Parts. Just When You Thought It Was Safe: Skype Vulnerabilities Emerge. Silly hackers are always trying to ruin the Internet and they have found yet another target in the form of popular VOIP software Skype. According to the sweetest text security report ever, linked from h-online’s recap: “Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack of input validation and output sanitization of the ‘mobile phone’ profile entry. Other input fields may also be affected.” I love that—output sanitization. Basically what this means is that an attacker can embed JavaScript in the mobile phone field of his or her profile description.

What is the moral of the story? [via The H Security] Facebook facial recognition irks Connecticut watchdog - Jun. 17. Facebook exposing children to online threats: EU survey. (BRUSSELS) - Social networking sites such as Facebook are not doing enough to protect children from potential dangers such as grooming by paedophiles or online bullying, European authorities said Tuesday. Of 14 websites tested on behalf of the European Commission, just two -- Bebo and MySpace -- ensure the required controls to make sure "potential strangers" cannot gain access to profiles. "I am disappointed that most social networking sites are failing to ensure that minors' profiles are accessible only to their approved contacts by default," said European Commission vice president Neelie Kroes in a statement. The authorities in Brussels say the number of minors who use the Internet and subscribe to social networking sites is growing -- currently 77 percent of children aged 13-16 and 38 percent of those aged 9-12.

Kroes said she will urge online social networking site owners to make the changes in a "self-regulatory framework" under discussion. Text and Picture Copyright 2011 AFP. Cellphones Track Your Every Move, and You May Not Even Know. Privacy & Innovation: A Data Privacy Day Reflection. Why Are Health Data Leaking Online? Bad Software, Study Says - Digits. Lost AmeriHealth Mercy Flash Drive Exposes Data of 280,000 Medicaid Members - Health Care IT from eWeek. Google in 'significant breach' of UK data laws.

3 November 2010. Last updated at 14:10. Information Commissioner, Christopher Graham: "I think the important thing was to get the foot in the door for an audit of Google which had to be by consent" There was a "significant breach" of the Data Protection Act when Google collected personal data via its Street View cars, the UK's Information Commissioner has ruled. But Google will not face a fine or any punishment, Christopher Graham added. Instead, the Information Commissioner's Office (ICO) will audit Google's data protection practices. The move marks a U-turn for the ICO which originally ruled that no data breach had occurred. Last week the ICO vowed to look again at the evidence, after the Canadian data agency found the search giant in breach of its law.

Its decision was welcomed by MP Robert Halfon, who has been critical of the ICO and of Google, which he recently accused of deliberately collecting the data for commercial gain. However, he said that action had come too late. 'Profoundly sorry' F.T.C. Online Privacy Plan Seeks ‘Do Not Track’ Option. Saying that online companies have failed to protect the privacy of Internet users, the Federal Trade Commission recommended a broad framework for commercial use of Web consumer data, including a simple and universal “do not track” mechanism that would essentially give consumers the type of control they gained over marketers with the national “do not call” registry. Those measures, if widely used, could directly affect the billions of dollars in business done by online advertising companies and by technology giants like that collect highly focused information about consumers that can be used to deliver personalized advertising to them.

While the report is critical of many current industry practices, the commission will probably need the help of Congress to enact some of its recommendations. For now, the trade commission hopes to adopt an approach that it calls “privacy by design,” where companies are required to build protections into their everyday business practices. Mr. Lazy Hackers Unite: Firesheep Boasts +104,000 Downloads In 24 Hours. Well, that was fast. In roughly 24 hours, Firesheep has been downloaded more than 104,000 times, as would-be-hackers — or the merely curious— downloaded the Firefox extension to test the exploit.

As we reported on Sunday night, Eric Butler’s Firesheep allows users on a public Wi-Fi network to effectively spy on others, by giving Firesheep users access to sensitive information (via cookies) that lets them log into their victim’s accounts on unsecured sites. The Firesheep extension is wired to identify a few dozen popular sites that are vulnerable to attack on public networks, such as Twitter, Facebook, Flickr, Tumblr and Yelp. On Monday night we got a chance to catch up with Butler, who has been pretty overwhelmed by the attention. Although he opened Pandora’s box expecting to spark controversy and discussion, he repeatedly asserts that his aim was fundamentally altruistic.

Firesheep was written over the course of a few months in spare time but really boils down to a few weeks of work. Foursquare looks beyond location: Is your check-in startup in trouble? Foursquare announced a new partnership today, hinting at how the startup’s ambitions extend beyond location check-ins. The new partnership is with Runkeeper, a mobile application for tracking your running and jogging activity. When users connect their accounts, they can earn Foursquare badges for their activity in Runkeeper, for example earning a Marathon badge when they run a marathon. Foursquare says this is “the first badge you unlock by doing something, not just checking in.”

That also means the badges won’t really be connected to your location, at least not in the way Foursquare’s other badges are — you earn a Gym Rat badge by going to the gym, while you earn Runkeeper badges by running anywhere. Foursquare says it’s pursuing similar deals with “a handful of carefully selected partners.” And these partnerships should also help Foursquare keep its badge concept fresh. Dataprivacyday2011.org. Code Known as Flash Cookies Raises Privacy Concerns.

Ms. Person Burns, 67, a retired health care executive who lives in Jackson, Miss., said she is wary of online shopping: “Instead of going to , I’m going to the local bookstore.” Ms. Person Burns is one of a growing number of consumers who are taking legal action against companies that track computer users’ activity on the Internet. At issue is a little-known piece of computer code placed on hard drives by the Flash program from Adobe when users watch videos on popular Web sites like and .

The technology, so-called Flash cookies, is bringing an increasing number of federal lawsuits against media and technology companies and growing criticism from some privacy advocates who say the software may also allow the companies to create detailed profiles of consumers without their knowledge. Ms. Person Burns, a claimant who is to be represented by KamberLaw, said she knew cookies existed but did not know about Flash cookies.

Specific Media did not respond to requests for comment. Amazon.com Security Flaw Accepts Passwords That Are Close, But Not Exact | Threat Level. An Amazon.com security flaw allows some customers to log in with variations of their actual password that are close to, but not exactly, their real password. The flaw lets Amazon accept as valid some passwords that have extra characters added on after the 8th character, and also makes the password case-insensitive. For example, if your password is “Password,” Amazon.com will also let you log in with “PASSWORD,” “password,” “passwordpassword,” and “password12345.” Wired has been able to confirm the flaw, which was first reported on Reddit. It appears to affect only older Amazon.com accounts, which have not had their passwords changed in the past several years.

Amazon did not respond to a request for comment. Observers on Reddit speculate that Amazon was using the unix crypt() function to encrypt older passwords, in addition to converting them to uppercase, before storing them in its servers. [1] This story originally misstated Gawker’s password security scheme. Internet Control Issues: It’s Not Just China. Fighting international cyber-terrorism isn’t easy, but it’s a mission on which we can all agree, right? Not so fast. Russia has been pushing a proposal in The United Nations agency for information technology, which describes the greatest cyber-threat not as hacking or stealing but as using the Internet to spread ideas that might undermine a country. Russia wants any such use of the Internet classified as “aggression,” and hence illegal under the UN Charter. Sounds like China right?

NPR covered the story this morning, but it’s not a new shift in thinking. It’s a delicate issue for the US diplomatically and inside the US– way bigger than “Googlegate” because, well, I refer you again to the map. I usually try not to get into a lather about protecting Internet freedoms in other countries, because I don’t think it’s the job of private sector tech companies who are supposed to be international to act as tools to enforce Western-style democracy.

But this is something different. Web Upgrade HTML 5 May Weaken Privacy. Creating stronger privacy controls inside Google. In May we announced that we had mistakenly collected unencrypted WiFi payload data (information sent over networks) using our Street View cars. We work hard at Google to earn your trust, and we’re acutely aware that we failed badly here.

So we’ve spent the past several months looking at how to strengthen our internal privacy and security practices, as well as talking to external regulators globally about possible improvements to our policies. Here’s a summary of the changes we’re now making. First, people: we have appointed Alma Whitten as our director of privacy across both engineering and product management. Her focus will be to ensure that we build effective privacy controls into our products and internal practices. Finally, I would like to take this opportunity to update one point in my May blog post.