The Ins, Outs, and Nuances of Internet Privacy


Facebook recently came under fire for the discreet international roll-out of its photo facial recognition feature. This feature automatically identifies and suggests tags for individuals appearing in photos posted on Facebook. At first glance, this seemingly innocuous feature appears to quietly augment online social lives. At second glance, the roll-out of this feature as an on-by-default setting with no explicit user consent raises many privacy concerns. As a site with extensive power driven by the quantity, quality, and kind of data it collects, Facebook’s decision to step into the world of visual recognition of its users without formal user consent is a big no-no—or is it?

Join us for this month’s eBoost Consulting Brown Bag Lunch Webinar to explore this and other cases that raise internet privacy concerns. Learn the ins, outs, and nuances of internet privacy to determine where to draw the line on data collection and usage.

  • Facebook is the most obvious example of a site with serious privacy considerations to address.
    - Lives are documented online, voluntarily posted: photos, locations, marital status, and more.
    - Based on a recent survey in the US, 39% of employers have rejected job candidates after viewing their Facebook profile. Source: http://www.bespokeit.co.uk/2011/06/02/9interesting-facts-about-social-networking-and-internet-privacy/
    - As mentioned in the webinar invitation, Facebook recently came under fire as a result of turning on the photo auto-tagging feature for most of its users by default.
    - Picasa can do this, as can Apple’s iPhoto. The difference is that the database doing the detecting and tagging lives on Facebook’s servers, not on the user’s computer.
    - The creep factor enters when you realize how deep and broad Facebook’s facial recognition database is.
    - Sources: http://www.pcworld.com/article/229870/facebook_photo_tagging_a_privacy_guide.html and http://nakedsecurity.sophos.com/2011/06/07/facebook-privacy-settings-facial-recognition-enabled/
    - In this case, it was the way the feature was distributed (on by default, without consent) that raised the privacy concerns.
  • CareerBuilder.com – behavioral targeting focus
    From the EFF (https://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks): "Let's start with an example of 3rd party tracking: when we went to CareerBuilder.com, which is the largest online jobs site in the United States, and searched for a job, CareerBuilder included JavaScript code from 10 (!) different tracking domains: Rubicon Project, AdSonar, Advertising.com, Tacoda.net (all three are divisions of AOL advertising), Quantcast, Pulse 360, Undertone, AdBureau (part of Microsoft Advertising), Traffic Marketplace, and DoubleClick (which is owned by Google). On other visits we've also seen CareerBuilder include tracking scripts and non-JavaScript web bugs from several other domains. There are pretty sound reasons to hope that when you search for a job online, that fact isn't broadcast to dozens of companies you've never heard of — but that's precisely what's happening here."
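The EFF finding above (a job search page loading script from ten tracking domains plus image web bugs) is something anyone can check for a page of their own. The following is an added example, not code from the original deck or from the EFF: it reads a page's HTML, resolves every script, iframe and image source against the page URL, groups the ones whose registrable domain differs from the page's, and counts 1x1 images separately because those are the classic non-JavaScript web bug. The markup and the `*.example` hostnames are constructed for the demo, and the tiny suffix table is an assumed stand-in for the Public Suffix List.

```javascript
// Added example, not from the original deck: list the third-party hosts a page
// pulls scripts, frames and images from, the way the EFF did for CareerBuilder.com.
// Node.js, no dependencies. The markup and the *.example hostnames are
// constructed for this demo; nothing here was fetched from a real site.

// Stand-in for the Public Suffix List; a real scanner should use the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Registrable domain (eTLD+1): "tags.ads.example.com" -> "example.com"
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Pull src (and width/height, for web-bug detection) out of script, img and
// iframe tags. A regex is enough for a demo; use an HTML parser in production.
const TAG_RE = /<(script|img|iframe)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|width|height)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function extractResources(html) {
  const resources = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const attrs = {};
    for (const a of tag[2].matchAll(ATTR_RE)) {
      attrs[a[1].toLowerCase()] = a[2] || a[3] || a[4] || "";
    }
    if (attrs.src) resources.push({ tag: tag[1].toLowerCase(), ...attrs });
  }
  return resources;
}

// Group every resource whose registrable domain differs from the page's.
// 1x1 images are counted separately: that is the classic non-JavaScript web bug.
function findThirdParties(html, pageUrl) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const byDomain = new Map();
  for (const r of extractResources(html)) {
    let url;
    try { url = new URL(r.src, pageUrl); } catch { continue; }               // malformed src
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;   // data:, javascript:
    const domain = registrableDomain(url.hostname);
    if (domain === pageDomain) continue;
    const entry = byDomain.get(domain) ||
      { scripts: 0, frames: 0, images: 0, webBugs: 0, hosts: new Set() };
    entry.hosts.add(url.hostname);
    if (r.tag === "script") entry.scripts += 1;
    if (r.tag === "iframe") entry.frames += 1;
    if (r.tag === "img") {
      entry.images += 1;
      if (r.width === "1" && r.height === "1") entry.webBugs += 1;
    }
    byDomain.set(domain, entry);
  }
  return byDomain;
}

// Constructed sample page: first-party resources plus three tracking domains.
const PAGE_URL = "https://www.careerbuilder.com/jobs?keywords=analyst";
const SAMPLE_HTML = `
<html><body>
<script src="/js/site.js"></script>
<script src="https://static.careerbuilder.com/js/search.js"></script>
<script src="https://tags.adnetwork-a.example/tag.js"></script>
<script src='https://cdn.adnetwork-a.example/pixel.js' async></script>
<script src="https://sync.adexchange-b.example/sync.js?site=cb"></script>
<iframe src="https://ads.adnetwork-a.example/frame?slot=top"></iframe>
<img src="https://beacon.analytics-c.example/b.gif?u=123" width="1" height="1">
<img src="https://beacon.analytics-c.example/hit?page=search" width=1 height=1 alt="">
<img src="/images/logo.png" width="200" height="50">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>`;

function report(byDomain) {
  return [...byDomain.entries()].map(([domain, e]) =>
    `${domain}: ${e.scripts} script(s), ${e.frames} frame(s), ${e.images} image(s), ` +
    `${e.webBugs} 1x1 web bug(s), hosts: ${[...e.hosts].join(", ")}`);
}

for (const line of report(findThirdParties(SAMPLE_HTML, PAGE_URL))) console.log(line);
```

Static HTML only shows the first hop: a tracking script can itself load further trackers once it runs, which is why the EFF saw different domains on different visits. To see the full set, run the same grouping over the browser's network log rather than the page source.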
  • Search for (214) 244-3399 in phone. Spokeo: going to go through a manual search of my own name.
    - Information is embedded not only on the “surface web” but also on the “deepnet”. Think of this like the ocean: cast a net in the ocean and you’ll catch everything at the surface, but nothing in the deep, which is rich with life.
    - GRAPHIC: http://www.spokeo.com/privacy
    - Other places your data lives electronically: medical records, government databases, e-commerce sites (Amazon, eBay), search engines (Google, Bing, AOL).
  • http://www.ted.com/talks/aaron_koblin.html
  • Traffic analysis
    - How does traffic analysis work? Every user is given a unique ID (e.g. within Google, AOL, Bing, etc.). Every device that accesses the internet does so from an IP address. That address is not always unique to one device (a home or office network usually shares one public address through NAT), but it still pins activity to a household or office, and combined with timing it often pins it to a person.
    - From the Tor Project (https://www.torproject.org/about/overview.html.en): “Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that's an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you're doing and, possibly, what you're saying. That's because it focuses on the header, which discloses source, destination, size, timing, and so on.”
    - How else do sites get my data? Data logging records computer usage (time, sites visited, etc.). It’s as basic as searches: search engines track every search.
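The Tor Project quote above says that headers alone (source, destination, size, timing) give away a great deal even when every payload is encrypted. The following added example, not from the original deck or from the Tor Project, shows the mechanics on a constructed packet trace: it never looks at a payload, only groups packets by peer address and direction, and then matches each flow's byte volumes against a small set of constructed activity profiles. The addresses are documentation ranges, the profiles and the log-scale nearest-profile matcher are assumptions for the demo, and real website fingerprinting uses far richer features (packet size sequences, bursts, inter-arrival times) than the two totals used here.

```javascript
// Added example, not from the original deck: what traffic analysis learns from
// packet headers alone, with every payload treated as opaque ciphertext.
// Node.js, no dependencies. The packet trace and the activity profiles are
// constructed for this demo; the addresses are documentation ranges.

const CLIENT = "192.0.2.10";

// Header fields only: time in seconds, endpoints, bytes on the wire. No payload.
const TRACE = [
  { t: 0.000, src: CLIENT, dst: "198.51.100.5", len: 571 },
  { t: 0.031, src: "198.51.100.5", dst: CLIENT, len: 1460 },
  { t: 0.033, src: "198.51.100.5", dst: CLIENT, len: 1460 },
  { t: 0.035, src: "198.51.100.5", dst: CLIENT, len: 980 },
  { t: 0.040, src: CLIENT, dst: "198.51.100.5", len: 126 },
  { t: 0.210, src: CLIENT, dst: "203.0.113.77", len: 571 },
  { t: 0.245, src: "203.0.113.77", dst: CLIENT, len: 1460 },
  { t: 0.247, src: "203.0.113.77", dst: CLIENT, len: 312 },
  { t: 0.250, src: CLIENT, dst: "203.0.113.77", len: 84 },
  { t: 0.260, src: CLIENT, dst: "203.0.113.77", len: 4120 },
  { t: 0.420, src: "203.0.113.77", dst: CLIENT, len: 210 },
];

// Per-peer flow summary: who the client talked to, when, and how much each way.
function summarizeFlows(trace, client) {
  const flows = new Map();
  for (const p of trace) {
    const outbound = p.src === client;
    const peer = outbound ? p.dst : p.src;
    const f = flows.get(peer) ||
      { peer, first: p.t, last: p.t, bytesUp: 0, bytesDown: 0, pktsUp: 0, pktsDown: 0 };
    f.first = Math.min(f.first, p.t);
    f.last = Math.max(f.last, p.t);
    if (outbound) { f.bytesUp += p.len; f.pktsUp += 1; }
    else          { f.bytesDown += p.len; f.pktsDown += 1; }
    flows.set(peer, f);
  }
  return [...flows.values()];
}

// Constructed activity profiles: rough byte volumes per direction. Real website
// fingerprinting uses far richer features (size sequences, bursts, timing).
const PROFILES = [
  { name: "page view",       bytesUp: 700,  bytesDown: 3900 },
  { name: "form upload",     bytesUp: 4800, bytesDown: 2000 },
  { name: "keep-alive ping", bytesUp: 100,  bytesDown: 100 },
];

// Nearest profile by log-scale distance, so a 10x gap weighs the same whether
// the flow is tiny or huge.
function classifyFlow(flow, profiles = PROFILES) {
  const dist = (a, b) => Math.abs(Math.log(a + 1) - Math.log(b + 1));
  let best = null;
  for (const p of profiles) {
    const d = dist(flow.bytesUp, p.bytesUp) + dist(flow.bytesDown, p.bytesDown);
    if (best === null || d < best.distance) best = { name: p.name, distance: d };
  }
  return best;
}

// One line per peer: contact, duration, volume each way, and the inferred activity.
function analyze(trace = TRACE, client = CLIENT) {
  return summarizeFlows(trace, client).map(f => ({
    peer: f.peer,
    seconds: +(f.last - f.first).toFixed(3),
    bytesUp: f.bytesUp,
    bytesDown: f.bytesDown,
    guess: classifyFlow(f).name,
  }));
}

for (const r of analyze()) {
  console.log(`${r.peer}: ${r.seconds}s, ${r.bytesUp} B up / ${r.bytesDown} B down -> ${r.guess}`);
}
```

Nothing in the trace was decrypted, yet the output says which two servers were contacted, in what order, and that the second exchange looks like an upload rather than a page read. Tor's answer to this is to break the link between source and destination by routing through relays and, partly, to pad and batch traffic; encryption on its own does not address it.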
  • Log files, web beacons, cookies
    - Cookies: data stored on a user’s computer that assists in automated access to websites or web features or other information; can also be used for user tracking by storing special usage history data in a cookie. The traditional cookie is the HTTP cookie, invented by Lou Montulli and John Giannandrea at Netscape in 1994.
    - How the ad industry’s opt-out page describes them (http://selectout.org/results/optout/): “Cookies are small text files that web servers typically send to computers when a user visits a website. Cookies are stored as text files on the hard drive, and can be accessed by web servers when the user returns to that website or goes to another website. Cookies are used by companies to collect and send information about a user's website visit – for example, number of visits, average time spent, pages viewed, navigation history through the website, and other statistics. This information helps companies improve the user's online experience in many ways: allowing companies to monitor website performance, making the website easier to use, measuring the effectiveness of promotional placement, and tailoring the website to better match a user's interests and preferences. Cookies cannot be used to access any other data on a computer's hard drive, or to personally identify a user. Users who prefer not to accept cookies can set their Internet browser to notify them when they receive a cookie or to prevent cookies from being placed on their hard drive.” Two caveats to that description: a cookie holds only what the site wrote into it, usually a random ID, but that ID becomes personally identifying the moment the site links it to a login or an email address; and a third-party cookie set by the same ad network on many sites links a user’s visits across all of them.
    - Users are generally not explicitly alerted when a cookie is dropped.
    - Flash cookies (Local Shared Objects): work the same way as normal cookies except they are used by Adobe Flash Player; same risks as normal cookies but not as easily blocked. From the EFF (https://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide): “These cookie files are stored outside of the browser's control. Web browsers do not directly allow users to view or delete the cookies stored by a Flash application, users are not notified when such cookies are set, and these cookies never expire. Flash cookies can track users in all the ways traditional HTTP cookies do, and they can be stored or retrieved whenever a user accesses a page containing a Flash application. [...] What's more, the Berkeley researchers found that Flash cookies are often used to deliberately circumvent users' HTTP cookie policies. That is, a site may intentionally store the same information redundantly in both HTTP cookie and Flash cookie forms. When a user deletes the HTTP cookie, the site may "respawn" it from the copy that was stored as a Flash cookie! It seems clear that site operators know many users don't want to be tracked with cookies, but have found a way of circumventing those users' privacy preferences.”
    - Evercookie: a JavaScript-based application which produces cookies in a web browser that actively “resist” deletion by redundantly copying themselves in different forms on the user’s machine (e.g. Flash Local Shared Objects, window.name caching).
  • log filesWeb beaconscookies - data stored on a user's computer that assists in automated access to websites or web features or other information; can also be used for user-tracking by storing special usage history data in a cookietraditional cookie is a HTTP cookie, invented by Lou Montulli and John Giannandrea at Netscape in 1994Cookies are small text files that web servers typically send to computers when a user visits a website. Cookies are stored as text files on the hard drive, and can be accessed by web servers when the user returns to that website or goes to another website. Cookies are used by companies to collect and send information about a user's website visit – for example, number of visits, average time spent, pages viewed, navigation history through the website, and other statistics. This information helps companies improve the user's online experience in many ways: allowing companies to monitor website performance, making the website easier to use, measuring the effectiveness of promotional placement, and tailoring the website to better match a user's interests and preferences. Cookies cannot be used to access any other data on a computer's hard drive, or to personally identify a user. Users who prefer not to accept cookies can set their Internet browser to notify them when they receive a cookie or to prevent cookies from being placed on their hard drive.http://selectout.org/results/optout/users are generally not explicitly alerted when a cookie is droppedflash cookies - local shared objects; work the same way as normal cookies except are used by Adobe Flash Player; same risks as normal cookies but are not as easily blocksThese cookie files are stored outside of the browser's control. Web browsers do not directly allow users to view or delete the cookies stored by a Flash application, users are not notified when such cookies are set, and these cookies never expire. 
  • Log files, web beacons, cookies
    Web beacon - a tiny or invisible image or script embedded in a page or email; the request the browser makes to fetch it reports the visit (address, time, page, any identifier in the URL) to whoever hosts it.
    Cookies - data a site stores on the user's computer so that it can recognise the browser on later requests (logins, preferences, shopping carts); the same mechanism is used for tracking by storing an identifier or usage-history data in the cookie.
    The traditional cookie is the HTTP cookie, invented by Lou Montulli and John Giannandrea at Netscape in 1994.
    Cookies are small text records that web servers send to the browser when a user visits a website. The browser stores them and sends them back to that server on later visits; a cookie set by a third-party resource (an ad network's script or image) is sent back whenever that third party's content is loaded, on any site. Companies use cookies to collect information about a user's visits – number of visits, average time spent, pages viewed, navigation history through the site, and other statistics – and to improve the site: monitoring performance, making it easier to use, measuring the effectiveness of promotional placement, and tailoring it to the user's interests and preferences. A cookie cannot read other data on the hard drive; it carries only what the server put in it. It does not contain a name by itself, but the identifier in it becomes personal data as soon as the site can link it to a login, an email address or a purchase. Users who prefer not to accept cookies can set their browser to notify them when a cookie is received or to block cookies entirely. http://selectout.org/results/optout/
    Users are generally not explicitly alerted when a cookie is dropped.
    Flash cookies - Local Shared Objects; work the same way as normal cookies but are written by Adobe Flash Player; same risks as normal cookies, but not as easily blocked. These files are stored outside the browser's control: browsers do not directly let users view or delete the cookies stored by a Flash application, users are not notified when such cookies are set, and these cookies never expire.
    Flash cookies can track users in all the ways traditional HTTP cookies do, and they can be stored or retrieved whenever a user accesses a page containing a Flash application. What's more, the Berkeley researchers found that Flash cookies are often used to deliberately circumvent users' HTTP cookie policies. That is, a site may intentionally store the same information redundantly in both HTTP cookie and Flash cookie forms. When a user deletes the HTTP cookie, the site may "respawn" it from the copy that was stored as a Flash cookie. It seems clear that site operators know many users don't want to be tracked with cookies, but have found a way of circumventing those users' privacy preferences. https://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide
    Evercookie - a JavaScript-based application that produces cookies in a web browser that actively "resist" deletion by redundantly copying themselves into different storage locations on the user's machine (e.g. Flash Local Shared Objects, window.name caching) and restoring any copy that has been removed.
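The respawn pattern described in the note above, as an added example that is not part of the original slides, the EFF post or the evercookie project: the three storage locations are modelled as in-memory key/value stores standing in for document.cookie, a Flash Local Shared Object and window.name, so the logic runs under Node without a browser. The store names, the `uid` key and the counter-based identifier are assumptions made for this example; a real tracker would use a random or server-assigned value.

```javascript
// Added example: models the cookie "respawn" pattern (Flash cookies,
// evercookie) with in-memory stores standing in for document.cookie,
// a Flash Local Shared Object and window.name, so it runs under Node
// without a browser. Store names and the "uid" key are assumptions.
const KEY = "uid"; // assumed name of the tracking identifier

let nextId = 1;
// Placeholder id generator; a real tracker would use a random or
// server-assigned value. Deterministic here so the walkthrough is readable.
function mintId() {
  return "id-" + String(nextId++).padStart(4, "0");
}

// One key/value backend per place a tracker keeps a copy of the identifier.
function makeStore(name) {
  const data = new Map();
  return {
    name,
    get: () => data.get(KEY),
    set: (value) => data.set(KEY, value),
    clear: () => data.delete(KEY),
  };
}

// What the tracking script does on every page load: take the first
// surviving copy of the identifier from any backend (mint a fresh one only
// if every copy is gone), then rewrite all backends. A copy the user
// deleted is thereby restored from the copies they did not know about.
function respawn(stores) {
  let id = stores.map((s) => s.get()).find((v) => v !== undefined);
  const minted = id === undefined;
  if (minted) id = mintId();
  for (const s of stores) s.set(id);
  return { id, minted };
}

// Defender-side check: delete only the HTTP cookie (what the browser's
// "clear cookies" button covers) and reload. If the same identifier comes
// back, the site is respawning it from storage the browser does not manage.
function detectRespawn(stores, cookieStore) {
  const before = respawn(stores).id;
  cookieStore.clear();
  const after = respawn(stores).id;
  return after === before;
}

// The mitigation that actually works: wipe every backend in one action.
function clearAll(stores) {
  for (const s of stores) s.clear();
}

// Walk through the scenario and report what each step observed.
function demo() {
  const cookie = makeStore("httpCookie");
  const lso = makeStore("flashLso");
  const win = makeStore("windowName");
  const stores = [cookie, lso, win];

  const respawned = detectRespawn(stores, cookie);   // true: cookie came back
  clearAll(stores);
  const freshAfterClearAll = respawn(stores).minted; // true: a new id had to be minted
  return { respawned, freshAfterClearAll };
}
```

`detectRespawn` is the test a privacy auditor can run against a real site by hand: clear cookies, reload, compare the cookie value. If it is unchanged, deleting cookies is not enough and every other storage location Flash or JavaScript can reach has to be cleared in the same step.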
  • Talk about how
  • Outside of legal, common-practice data collection there are security risks: badware, malware, spyware, web bugs, phishing. Phishing emails are an attempt by thieves to lure you into divulging personal and financial information for their profit. They pretend to be from well-known legitimate businesses, and increasingly look as if they actually are. They use clever techniques to induce a sense of urgency so that you don't stop to think about whether they are legitimate. You can learn what to look for and where to report these scams when you find them.
  • How else do sites get my data? Data logging – records computer usage (time, sites visited, etc.). It's as basic as searches: search engines track every search.
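What a plain server log plus one web beacon already reveals, as an added example that is not part of the original slides: the two log lines below are constructed for this example (Apache "combined" format, an RFC 5737 test address, a fictitious visit), and the `/pixel.gif` path and its `uid` parameter are assumptions about how a beacon is built. The point it shows that the note only states: the Referer header sent by a search results page carried the search itself, so "every search is tracked" not only by the search engine but by the site you land on.

```javascript
// Added example: what a web server log and a tracking pixel reveal about
// one visitor. The two log lines are constructed for this example
// (Apache "combined" format, RFC 5737 test address); the pixel path and
// the "uid" parameter name are assumptions about how a beacon is built.
const SAMPLE_LOG = [
  '203.0.113.7 - - [30/Jun/2011:12:01:15 -0700] "GET /webinar/privacy HTTP/1.1" 200 5120 ' +
    '"http://www.google.com/search?q=internet+privacy+webinar" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"',
  '203.0.113.7 - - [30/Jun/2011:12:01:16 -0700] "GET /pixel.gif?uid=a1b2c3&page=%2Fwebinar%2Fprivacy HTTP/1.1" 200 43 ' +
    '"http://www.example.com/webinar/privacy" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"',
];

// Apache combined format:
// ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6], userAgent: m[7] };
}

// The Referer header names the page the visitor came from; when that page
// is a search results page, its query string carries the search itself.
function searchQueryFromReferer(referer) {
  try {
    const u = new URL(referer);
    return u.pathname === "/search" ? u.searchParams.get("q") : null;
  } catch (_) {
    return null; // "-" or a malformed referer
  }
}

// A web beacon is just a request for a tiny image; the identifying data
// travels in its query string. The base URL is only needed to parse a path.
function beaconFromPath(path) {
  const u = new URL(path, "http://placeholder.invalid");
  if (u.pathname !== "/pixel.gif") return null;
  return { uid: u.searchParams.get("uid"), page: u.searchParams.get("page") };
}

// Audience profiling from nothing but the log: one record per client address,
// with the pages viewed, the searches that led there and any beacon ids.
function profile(lines) {
  const visitors = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const v = visitors.get(rec.ip) ||
      { ip: rec.ip, userAgent: rec.userAgent, pages: [], searches: [], uids: new Set() };
    const beacon = beaconFromPath(rec.path);
    if (beacon) {
      if (beacon.uid) v.uids.add(beacon.uid);
    } else {
      v.pages.push(rec.path);
    }
    const q = searchQueryFromReferer(rec.referer);
    if (q) v.searches.push(q);
    visitors.set(rec.ip, v);
  }
  return visitors;
}
```

Run `profile(SAMPLE_LOG)` and the single visitor record holds the address, browser, page, the search phrase "internet privacy webinar" and the beacon id a1b2c3, all without a single cookie being read. Anything that joins that id to a login or an email address turns the record into a named one.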
  • What exactly is the scope of the issue we're looking at here? Privacy, security, compliance. Privacy determines what is and is not tracked and collected. Security addresses how this tracking and data storage are done. Compliance addresses the standards (especially those set in the courts) that put minimum privacy and security measures in place.
  • The Ins, Outs, and Nuances of Internet Privacy

    2. What data do they track?
    3. What data do they track? Can I anonymize my online activity?
    4. What data do they track? Does the web know who I am? Can I anonymize my online activity?
    5. What data do they track? Does the web know who I am? Can I anonymize my online activity? What about privacy rights?
    16. This is me.
    18. This is me. Voluntary.
    20. Photos
    21. Photos build a life.
    28. It's automatic. :-0
    31. 39%
    32. 39% rejected
    35. 49 Data Channels!
    37. - Rubicon Project
        - AdSonar (AOL)
        - Advertising.com (AOL)
        - Tacoda.net (AOL)
        - Quantcast
        - Pulse 360
        - Undertone
        - AdBureau (Microsoft)
        - Traffic Marketplace
        - Doubleclick (Google)
    38. In-Voluntary? Voluntary? (same list)
    39. In-Voluntary? (same list)
    40. In-Voluntary? Voluntary. (same list)
    42. test drive.
    43. How does it happen?
    44. How does it happen? Where does it go?
    45. Traffic Analysis
    46. Traffic Analysis. Audience Profiling
    47. Log Files
    48. Web Beacons
    49. Cookies
    50. Consider this.
    52. Consider this. PII
    53. Risk / Reward [-] [+]
    57. Badware
    59. Badware Malware
    61. Badware Malware Spyware
    63. Badware Malware Spyware: Web Bug, Phishing, Rootkit, Virus, Worm, Probe, Keylogger, Trojan Horse …
    65. What's my defense?
    67. Tell me, what is privacy?
    73. Privacy
        Dictionary: 1. The quality or state of being apart from company or observation. 2. Freedom from unauthorized intrusion.
        Legal: Unlawful intrusion into private affairs, disclosure of private information, publication in a false light, or appropriation of a name for personal gain.
    74. Security
        Dictionary: 1. Freedom from danger, risk, etc.; safety. 2. Something that secures or makes safe; protection; defense.
        Applied to the internet: Internet security is the subset of actions aimed at securing information stored on computers and in transit between them.
    75. What you can do about privacy and security.
    76. Privacy From Two Perspectives: Tips For Consumers and Business Owners
    77. Personal Privacy
        Ask yourself: are you trying to secure your information or your activities?
        To secure activities on the internet, consider anonymity tools:
        - Tor (The Onion Router) – hides where your traffic comes from by routing it through several relays, each of which peels off one layer of encryption, hence the "onion". Think WikiLeaks. It hides the source of a connection, not what you type into a site you are logged in to.
        To secure information on your computer, consider privacy tools:
        - Firewalls
        - Antivirus software (Microsoft Security Essentials – free)
        - Antimalware software (SpyBot, Malwarebytes)
        - Always check for proper SSL (https://) encryption before submitting any information to a website
        - Change your passwords!
    78. Consumer Privacy Goals
        Maintain a secure identity
        - Only give out personal information on a need-to-know basis
        - Check that the URL of a website matches the name on its SSL certificate before submitting personal information
        Keep the OS updated
        - Plugs security holes
        Back up data
        - You are only as good as your last backup
        - Backups can be infected too if a virus infection is not caught early
    79. URL SSL Encryption Example
    80. A Business Owner's Perspective (i)
        Ever-increasing customer privacy compliance requirements
        Data breaches
        - Hackers directly targeting individual companies: Sony PlayStation Network; LulzSec / Anonymous; Lockheed Martin (via the RSA SecurID breach)
        Malware targeting industrial control systems
        - Stuxnet (Iran)
    81. A Business Owner's Perspective (ii)
        - LAN security – firewalls
        - Wireless security – encryption (WPA2)
        - Website security – encryption (SSL)
        - PCI compliance – external vulnerability scan of your network
        - Database security – encryption of sensitive information in the DB
        - Change logs – track all changes to where sensitive information is stored and how it is managed
        - Audit yourself before "THEY" do – find issues and fix them; it is cheaper and easier
    82. A Business Owner's Perspective (iii)
        Email filtering
        - Spam filtering services – AppRiver, Postini
        - Email virus filtering – AppRiver, AV on the email server
        Daily temp-file deletion on workstations
        - Clear cookies and history from web browsers
        Daily AV scans on all workstations
        Daily AV scans on all servers before backups
        Cultivate a culture that allows staff to own up to virus infections when they happen. Catching virus activity early is the best defense.
    83. A Business Owner's Perspective (iv)
        Customer data collection
        - All websites and apps must use SSL encryption when collecting user data. Even something as simple as an email newsletter sign-up should be secured.
        - Opt-in on all data collection practices
        - Clearly define what you will and won't do with client data in a privacy policy posted on your site
        - Adhere to your policy, or change it if you deem necessary. Do not operate outside your stated policy.
        - Define a data retention policy (commonly 3 years)
        - Securely destroy data once the retention period ends
    84. A Business Owner's Perspective (v)
        Going international
        - Know the privacy laws of each country you operate in and adjust your internal collection practices to match. Sometimes opt-in is not enough.
        - US-EU Safe Harbor Framework
        - COPPA – children under 13 in the US
        - Going international opens up easier routes into corporate networks. Think China hacking Google.
    85. The Ins, Outs, and Nuances of Internet Privacy
        June 30, 2011
        Greg Hall, Owner, 247 IT Outsourcing
        ghall@247ITOutsourcing.com
