Friday, December 30, 2011

The Do Not Track Act of 2011 Has Global Implications

While US Senate bill S.913, AKA the Do-Not-Track Online Act of 2011, may only apply to US companies and citizens, the effects of the bill would apply to anyone in the world who accesses certain US-based sites. Despite much stronger online privacy standards in parts of Europe than the US has, EU laws do not apply to US web sites with no European presence.

The Do-Not-Track Online Act of 2011 specifies that personal information will not be collected unless a person consents to it, and that the legislation applies to mobile application and service providers. With the explosion of smartphones, this is a particularly important aspect for US citizens. If passed, the impact on the Android platform would be evolutionary. The entire spyware culture of Google’s Android market would be changed. For US citizens and all others in the world, the requirement that an individual “receives clear, conspicuous, and accurate notice on the collection and use of such information” and “affirmatively consents to such collection and use” is significant. Fundamentally this is “opt in” and would be exactly what the Direct Marketing Association (http://www.the-dma.org/cgi/dispannouncements?article=1550) would be rallying for if they actually supported human decency.

The businesses that are against the legislation are willing to spend a lot more money lobbying against the bill than what they believe the cost of compliance would be, so it will be a tough fight. The only way this bill has a chance of seeing the light of day is if Americans come out en masse and tell their representatives to support the bill, and if citizens in the rest of the world pressure their governments to express strong support for the bill.

This piece of legislation has implications far beyond the territorial boundaries of the United States of America.

The text of the Do Not Track Act of 2011 can be found at http://thomas.loc.gov/cgi-bin/query/z?c112:s913:

Randy Abrams
Independent Security Analyst

HTC “Do You Want Privacy and Security or Your Warranty?”


HTC and other Android phone manufacturers give their customers a difficult choice. As an HTC customer you are forced to choose between privacy and security or your warranty. HTC installs invasive software capable of sending private information to third parties without your knowledge or informed consent. The only way to get rid of these potential threats is to root your device.

A study from North Carolina State University found that the Android permissions model is often not properly enforced, especially by HTC. The result is that stock applications can be attacked to exploit their permissions. The study can be downloaded at www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf.

For my non-techie friends, what the report basically says is that if a game on your Android phone can know where you are by using a GPS, then potentially a completely different program that doesn’t have the ability to use your GPS can use your GPS to track you by using the game to help it. If a pre-installed application can record your voice and send SMS messages, then a malicious application that looks like a harmless game may be able to send expensive SMS messages, or record your phone conversations. The report also found that HTC and Samsung don’t appear to really care at all about the security and privacy of their users.
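For readers who want to see what the report’s finding looks like at the code level, here is an added illustration of the weak setting beside the hardened one. It is not taken from the post or from the NCSU study; the package name, component names and action strings are invented. The pattern it shows is the one the report calls a capability leak: a pre-installed app that legitimately holds a dangerous permission (here SEND_SMS) exposes a component that any other app on the device can trigger, so the caller never needs the permission itself.

```xml
<!-- Added illustration (not from the post or the NCSU study): a hypothetical
     pre-installed messaging app. Package and component names are invented. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendormessaging">

    <!-- The app itself legitimately holds the dangerous permission. -->
    <uses-permission android:name="android.permission.SEND_SMS" />

    <application android:label="Vendor Messaging">

        <!-- WEAK: an exported receiver with an intent-filter and no
             android:permission attribute. Any app on the device, including one
             that was never granted SEND_SMS, can broadcast this action and the
             message is sent under this app's permission (a capability leak). -->
        <receiver android:name=".SendSmsReceiver"
                  android:exported="true">
            <intent-filter>
                <action android:name="com.example.vendormessaging.SEND" />
            </intent-filter>
        </receiver>

        <!-- HARDENED, option 1: keep the component internal. A component that
             only serves the app itself should not be exported at all. -->
        <receiver android:name=".SendSmsReceiverInternal"
                  android:exported="false" />

        <!-- HARDENED, option 2: if another app genuinely must call it, make the
             caller prove it holds the same dangerous permission. The system
             only delivers the broadcast if the sender holds SEND_SMS, so the
             receiver cannot be used to bypass the permission model. -->
        <receiver android:name=".SendSmsReceiverGuarded"
                  android:exported="true"
                  android:permission="android.permission.SEND_SMS">
            <intent-filter>
                <action android:name="com.example.vendormessaging.SEND_GUARDED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
```

Two practical notes. First, on the Android releases of this era a receiver, service or activity that declares an intent-filter is exported by default, so omitting android:exported does not make a component private; declaring it explicitly is the safer habit. Second, a user or reviewer can see which components a pre-installed app exposes without rooting the phone: pull the APK from the device with adb and run `aapt dump xmltree <app.apk> AndroidManifest.xml` from the Android SDK, then look for exported components that carry no android:permission.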

One of the best ways to improve security and privacy can be to remove applications that you do not use. Software has security flaws and programs that you do not use can still be exploited to allow a criminal to access your data, or determine your location. Knowing your location can lead to physical security problems while accessing your data can lead to identity theft or simply spam that the criminal profits from.

The unfortunate truth is that the only way to remove these security and privacy threats is to root the phone. Again, for my non-techie friends, rooting an Android phone is like having a cardkey to access a building and changing the access permissions so that you can go anywhere in the building at all, even into the security control room!

Here’s the problem with rooting your phone… for HTC, and probably most manufacturers, rooting the phone voids the warranty. As a matter of practice, if you back everything up properly and there is a problem that doesn’t completely cripple the device, then you can restore the factory settings and HTC will not know you have done something to void the warranty. But the fact remains that HTC’s stance is that if you want to take any reasonable steps to improve privacy and security on your HTC device, they will not honor the warranty.

As for why you can’t simply remove pre-installed applications, HTC will blame the carrier, such as T-Mobile and the carrier will blame the manufacturer.

Randy Abrams
Independent Security Analyst

Wednesday, December 28, 2011

Why So Much Viagra Spam?

That’s simple. The long and the short of it (sorry about that) is that Viagra spam is the obvious overcompensation of the incurable impotence of Direct Marketing Association (DMA). In response to the proposed Do Not Track Online Act of 2011 the DMA has issued a limp statement that lacks hard facts http://www.the-dma.org/cgi/dispannouncements?article=1550.

The first sign of dishonesty is when the DMA issues a press release, but let’s dig into this one just a little bit. The DMA claims that their self-regulatory program “provides exactly the type of ‘simple, straightforward way for people to stop companies from tracking their movements online’ that Senator Rockefeller called for upon releasing his bill”. Really? If so, then why does the DMA think that the Do Not Track Act will result in job loss? After all, it only does EXACTLY what their own self-regulatory program does, right?

The DMA’s "self-regulatory program" is a completely useless smoke screen. The program is a complete lie and is entirely ineffective. To start with, the mechanics of the program are based upon ancient technology that the brightest minds at the DMA can’t begin to comprehend. The entire strategy is based upon putting cookies on your computer and the impotent masterminds at the DMA can’t even figure that out. Really, an opt-out page that unsuccessfully attempts to drop a bunch of cookies and is still in beta to do even that (http://www.aboutads.info/choices/)? Seriously, each of their members knows how to successfully write cookies, but the “organization” can’t get a cookie writing app out of beta and make it work. Not that it would be an intelligent, reasonable, viable, or honest approach even if it did work as designed.
  
How well is the self-enforcement working? Well, between Twitter, Google, and Facebook we have 60 years of FTC monitoring due to egregious anti-privacy practices, so either the DMA’s self-regulation is completely useless or these companies aren’t members and the DMA is completely impotent. I suspect that the DMA’s membership is tiny and they lie about their size :) You have to agree to let the DMA track you before you can find out who the members are, though, as only members can see the membership list.

The DMA misrepresents the bill as “The bill would prohibit a company from doing something as simple as keeping track of the customers who interact with it online, making it impossible to provide the kind of customized user experience that consumers have come to expect.” What they really mean is that, unlike their useless program, consent would be required to track people. This is exactly what the DMA does not want.

The DMA further states that they are “concerned that legislative proposals regarding the Internet run the risk of undercutting the leading area of American dominance and job growth.” In other words, privacy invasion is the job sector the DMA seeks to protect.

The DMA appears to be illiterate as well. They state “Further, the DMA is concerned that this latest legislative proposal would impose untold regulatory compliance costs on businesses without a showing that there is a market failure or a need to regulate.”

60 years of oversight by the FTC for only 3 companies, not to mention a lawsuit against Disney, Ustream, SodaHead, Warner Bros. and others for spying on kids (http://arstechnica.com/tech-policy/news/2010/08/lawsuit-disney-others-spy-on-kids-with-zombie-cookies.ars), plus a brand new lawsuit against Facebook that alleges illegal tracking (http://idealab.talkingpointsmemo.com/2011/10/facebook-hit-with-lawsuits-over-timeline-and-tracking.php), and the DMA is too blind to see that there is an obvious need for regulation and there are obvious market failures.

I always thought it would be fun to write for the National Enquirer. I admire the creative thought that goes into some of the completely fictional stories, but now I realize that fictional writing for the likes of the National Enquirer, the Weekly World News, and FOX TV News are simply training for writing a DMA press release.

The DMA lacks anything remotely resembling credibility, and is a monument to self-regulatory impotence. If the DMA is opposed to the Do Not Track Act of 2011 you can bet the legislation is in your best interest. If you live in the US I recommend you contact your local congressional representatives and urge their support for it!

Sorry DMA, All the Viagra in the world cannot help your self-regulatory impotence.

Randy Abrams
Independent Security Analyst

Tuesday, December 27, 2011

Facebook - The Misleading Advertising Platform

Companies that advertise on Facebook really need to be careful about their strategies. It is no longer enough to consider the message you put out to potential customers, you have to think about how Facebook is going to co-opt your message. I have already blogged about how Facebook might potentially use photos of children to promote booze, sex and tobacco (http://randy-abrams.blogspot.com/2011/12/does-your-kid-like-jack-daniels.html), but the hazards advertisers face are not limited to choices users make about their profile pictures. I’ll give you a case in point. I saw an ad yesterday from my former employer, ESET.


This looks like a reasonable promotion. There’s marketing value in having people “Like your page” and offering an incentive is a legitimate approach. The gotcha is how Facebook might change the message.

Let’s assume I have not heard of ESET before, or never tried the product. It seems like a good time to try a new security solution and I have no real energy, positive or negative, around ESET. I “Like” the page and get my free trial. Now here is where things can get bad for a company in a hurry.

My friend sees an ad from ESET that shows my picture and says I “like” ESET. My friend says to me, “I saw your picture next to an ESET ad that says you like them! Are they really good?” If I am like many Facebook users I will not have been aware that my picture could be used without my permission, and trying a product is not at all the same thing as liking a product. Facebook is translating a desire to test out a security product into a misleading advertising claim. There is potential for a very negative and adverse reaction.

Facebook has adopted an Orwellian double-speak approach with the word “like” and advertisers should be mindful of the changes to their ads that Facebook makes when they pair users with advertisers.

Perhaps the incidence of this type of negative response is low enough that the risk/reward ratio merits the approach, but it is a scenario that companies advertising on Facebook should consider. The word “like” in Facebook context is deliberately misleading and at times definitely conveys a false impression… and this is by design.

Advertisers on Facebook need to consider how their ad is going to be presented after Facebook adds their spin to it. In time users will probably get used to having their profile picture used without consent or previous knowledge, but until then there could be some bumps in the road for advertisers.

If I have to “like” a page to get the information I want, I don’t have a problem with that, but until Facebook agrees to not use my name and photo to promote a company’s product if I have simply subscribed to their news feed, I am un-liking all commercial entities.

As I have already told Alaska Airlines and ESET, as soon as Facebook changes their policy so that I have a choice as to where my name and photo are used in advertising, I’ll come back and “like” you again!

Randy Abrams
Independent Security Analyst

Wednesday, December 21, 2011

Does your Kid “Like” Jack Daniels, Marlboro’s and Hustler?


When Facebook makes a decision, they leave users with very few options to meaningfully express dissatisfaction with the changes. Recently Facebook began rolling out a massively disliked change called “timeline” and the only effective way I see to protest the change is to hide ads and indicate that is why you have hidden them (http://randy-abrams.blogspot.com/2011/12/facebook-timeline-or-time-bomb.html).

The latest news is that after much ado to divert your attention away from long-standing plans, Facebook plans to use your kid to advertise Jack Daniels (https://www.facebook.com/jackdaniels), Hustler (https://www.facebook.com/pages/Hustler/104010389635531), Marlboro (https://www.facebook.com/pages/Marlboro-Cigarettes-Brands/112436532109106) and all other manner of product and service. OK, that may be a bit sensationalistic, but not far from realistic. Here’s the scoop (yeah, your kid may like Scoop Away https://www.facebook.com/ScoopAway?ref=ts too).

Back in 2009 the LA Times reported that Facebook could use your pictures to advertise products without your permission (http://opinion.latimes.com/opinionla/2009/07/facebook-can-use-your-pictures-for-ads-no-permission-required.html). Facebook quickly laid out a scrumptious feast of red herring and told you that this wasn’t the case (https://www.facebook.com/blog.php?post=110636457130). This was to divert your attention away from the obvious intent that was present even back then. It should come as no surprise that Facebook has decided that your profile picture will be used without your permission to promote products and services. It’s in the news here http://www.tntmagazine.com/news/world/facebook-using-your-picture-in-sponsored-stories-from-2012 and here http://www.pcmag.com/article2/0,2817,2397889,00.asp

Here’s the thing you need to be careful of… If you use your child’s picture for your profile picture, and lots of people do, then it is your child’s picture that is going to be shown as supporting a product or a service. If as an adult you want to “like” Jack Daniels, Marlboro, and Hustler, that is your choice, but it is probably not what you have in mind for associating your kids with.

So, how do you protest the impending policy change by Facebook? I am aware of two viable protests. One of the ways to protest is to file suit, and people in California have done just that. http://www.businessweek.com/news/2011-12-21/facebook-lawsuit-against-ads-given-go-ahead-by-u-s-judge.html

The other way to protest is to start un-liking ALL commercial Facebook entities. It is important that you also express why you are un-liking them.

Here is what I told Alaska Airlines…



The only way Facebook will listen to consumers is to hit them in the advertisement.

It can be a little tricky to unlike a page. Facebook tries to hide that from you. You need to go to the page and then scroll down to the bottom of the left-hand column, where you will find an “unlike” link. Facebook makes the “like” link prominent, but attempts to thwart user choice by making it much harder to find out how to “unlike” a page.

I must go now and unlike all commercial entities on Facebook until Facebook makes it prudent to “like” such entities.

If you use a picture of your child for your profile picture, I suggest you seriously consider the wisdom of the decision. Remember, today it is only products and events you have explicitly liked or subscribed to, but Facebook has much deeper claims to your pictures and is only a policy change away from using profile or other pictures to promote anything they like.

Randy Abrams
Independent Security Analyst

Monday, December 19, 2011

Facebook – Timeline or Time Bomb?


Facebook is changing the way you see the site. Instead of the coherent flow of updates and information you currently enjoy, Facebook is copying the older MySpace style layout, to give all of the pages a scrapbook type appearance, and ripping off Timeline.com by prominently naming it “Timeline”.

The change is significantly more far-reaching than creating chaos out of order. You better start reading and understanding the privacy implications. You might want to take a look at what PC World calls “6 must-do privacy tweaks”.  

If you haven’t seen the new look, then you might want to read about everything you are likely to hate about the new look at http://www.theatlanticwire.com/technology/2011/12/everything-youll-hate-about-new-facebook-timeline/46237/.

Most users have probably not yet been converted over to the new look, but already there is a growing backlash. Pages like Undo Timeline https://www.facebook.com/pages/Undo-Timeline/322551701106897 are rapidly gaining in popularity and user complaints are rampant. Facebook is not at all likely to listen to user complaints however. The reason behind timeline is not to enhance the user experience, it is to sell more advertising. One of the metrics Facebook uses to sell ads is how much time users spend on the site. The new look forces users to spend/waste more time setting up their page and viewing other pages. By design, most of the page is wasted at the top with a graphic, called a ‘cover’, that you probably don’t want to see on every visit and only serves to keep you on the page longer.

So, how do you protest the change? Liking pages such as Undo Timeline is a start. When you set up “Timeline”, Facebook asks that you not use a cover that is the same as someone else’s. I recommend that all protesters choose the same cover. Feel free to use the one I will be using…


This alone is not likely to accomplish much, other than to amuse others who dislike the change, but there is something you can do that will be effective if millions of protesters join in. If you make timelines unattractive to advertisers then Facebook will either listen or disable feedback. Here is how you effectively protest.

When you visit a page go straight to the ads and point to the upper right corner of the ad. This will make a little X appear that you can click on and choose to hide the ad. Next you will be asked why you are hiding the ad. I suggest you choose “other” and type in “Protest Timeline”. Here are some pictures to help you. Apologies to Lutron Electronics, nothing against them, but their ad was handy.



There is likely no more effective protest against Facebook than to kick them in the advertising dollar.

Some people are going to like or even love the change and that is fine for them, but if Facebook cared as much about a quality product as they do about advertising, the change would be an option. The fact is that Facebook knows most people will dislike the change and so they force it.

So, where does the time bomb come in? Mark Zuckerberg is alleged to have stolen the idea and code for Facebook from a couple of other Harvard students. The claim was compelling enough that Facebook settled a lawsuit for a significant sum of money and stock (http://en.wikipedia.org/wiki/ConnectU). Seemingly, even a young dog isn’t learning new tricks, and a website called Timeline.com has filed suit against Facebook for trademark infringement. If you know Facebook’s history, then you know that Facebook is engaging in far more egregious activity than others have whom Facebook accused of trademark infringement. Facebook, following the ethical leadership and ideals of its founder, has filed a countersuit that really should be thrown out as frivolous. If justice prevails then timeline will blow up in Facebook’s face. I recommend you read the following article to understand how two-faced Facebook can really be: http://paidcontent.org/article/419-facebook-countersues-timelines.com/.

Regardless of whether you like the new look or not, remember to routinely check your privacy settings on Facebook. I recommend you set up a dummy account that you do not friend so that you can see how the rest of the world sees your profile.

Randy Abrams
Independent Security Analyst