February 28, 2012

Google Circumvents Safari Privacy Protections – This is Why We Need Do Not Track

February 16, 2012 | By Peter Eckersley and Rainey Reitman and Lee Tien

Earlier today, the Wall Street Journal published evidence that Google has been circumventing the privacy settings of Safari and iPhone users, tracking them on non-Google sites despite Apple's default settings, which were intended to prevent such tracking.

This tracking, discovered by Stanford researcher Jonathan Mayer, was a technical side-effect—probably an unintended side-effect—of a system that Google built to pass social personalization information (like, “your friend Suzy +1'ed this ad about candy”) from the google.com domain to the doubleclick.net domain. Further technical explanation can be found below.

Coming on the heels of Google’s controversial decision to tear down the privacy-protective walls between some of its other services, this is bad news for the company. It’s time for Google to acknowledge that it can do a better job of respecting the privacy of Web users. One way that Google can prove itself as a good actor in the online privacy debate is by providing meaningful ways for users to limit what data Google collects about them. Specifically, it’s time that Google's third-party web servers start respecting Do Not Track requests, and time for Google to offer a built-in Do Not Track option.

Meanwhile, users who want to be safe against web tracking can't rely on Safari's well-intentioned but circumventable protections. Until Do Not Track is more widely respected, users who wish to defend themselves against online tracking should use AdBlock Plus for Firefox or Chrome, or Tracking Protection Lists for Internet Explorer.1 AdBlock needs to be used with EasyPrivacy and EasyList in order to offer maximal protection.

Technical details: Google tries to poke a small hole in Safari's privacy protections, but the hole becomes very large

The Safari and iOS browsers have a useful privacy feature: they automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party's ads. This is a big step up from the default settings on most browsers. Advertisers typically use tracking cookies to create an invisible record of your online browsing habits, and large advertisers can track you across huge swaths of the web. Safari offers some protection against this type of passive tracking: it specifically prevents a site from setting cookies unless those cookies are from a domain name that you have visited or interacted with directly.

As Google engineers were building the system for passing facts like "your friend Suzy +1'ed this ad" from google.com to doubleclick.net, they would have likely realized that Safari was stopping them from linking this data using third-party DoubleClick cookies. So it appears they added special JavaScript code that tricked Safari into thinking the user was interacting with DoubleClick,2 causing Safari to allow the cookies that would facilitate social personalization (and perhaps, at some point, other forms of pseudonymous behavioral targeting). This was a small hole in Safari's privacy protections.

Unfortunately, that had the side effect of completely undoing all of Safari's protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main "id" tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari's protections against DoubleClick were gone.

The Wall Street Journal has an excellent infographic explaining this process.

The right hand is not talking to the left

Public statements by Google have indicated that parts of the company had a fairly good understanding of Safari's privacy protections:

In the screenshot above, Google states: “While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third party cookies. If you have not changed those settings, this option effectively accomplished the same thing as setting the opt-out cookie.” If only that had stayed true.

Safari gives users an opportunity to block passive tracking by online advertisers. Google's decision to route around those settings took it down a dangerous road. Any code that was specifically designed to circumvent privacy protection features should have triggered a much higher level of review and caution, and that clearly did not happen.

Can Advertisers Learn That "No Means No" (PDF), a research study on flash cookies published in 2011, characterized online advertisers who used flash cookies to override user privacy settings as paternalistic:

Advertisers see individuals as objects. When conceived of as objects, consumers’ preferences no longer matter. Privacy can be coded into oblivion or be circumvented with technology. Our 2009 and 2011 work empirically demonstrates that advertisers implement paternalistic judgments that subjects of targeted marketing cannot make proper judgments for themselves.

Today, Google looks just as paternalistic as ad networks setting flash cookies to outfox people who try to delete their cookies.

People around the world rely on Safari to browse the web, including iPhone users, whose choices are severely limited by Apple's walled garden. That’s a lot of people who are denied a voice when it comes to online tracking.

It’s Time for Google to Make Amends: an Open Letter to Google

Google, the time has finally come. You need to make a pro-privacy offering to restore your users’ trust.

Internet users worldwide have loved your products for years, and we’ve often praised your stance on free expression and transparency and your efforts to limit government access to users’ information. But when it comes to consumer choice around privacy, your commitment to users has been weaker. That’s bad for users, for the future of the Internet, and ultimately, for you. We need to create an Internet that gives users meaningful choice about sharing their personal data, and we need your help to do it.

It’s time for a new chapter in Google’s policy regarding privacy. It’s time to commit to giving users a voice about tracking and then respecting those wishes.

For a long time, we’ve hoped to see Google respect Do Not Track requests when it acts as a third party on the Web, and implement Do Not Track in the Chrome browser. This privacy setting, available in every other major browser, lets users express their choice about whether they want to be tracked by mysterious third parties with whom they have no relationship. And even if a user deleted her cookies, the setting would still be there.

Right now, EFF, Google, and many other groups are involved in a multi-stakeholder process to define the scope and execution of Do Not Track through the Tracking Protection Working Group. Through this participatory forum, civil liberties organizations, advertisers, and leading technologists are working together to define how Do Not Track will give users a meaningful way to control online tracking without unduly burdening companies. This is the perfect forum for Google to engage on the technical specifications of the Do Not Track signal, and an opportunity to bring all parties together to fight for user rights. While the Do Not Track specification is not yet final, there's no reason to wait. Google has repeatedly led the way on web security by implementing features long before they were standardized. Google should do the same with web privacy. Get started today by linking Do Not Track to your existing opt-out mechanisms for advertising, +1, and analytics.

Google, make this a new era in your commitment to defending user privacy. Commit to offering and respecting Do Not Track.

  • 1. As this blog goes to press, we are unsure whether ad blockers for Safari can prevent the browser from sending requests, which is essential for this kind of privacy protection to be effective.
  • 2. The code was web developers call a "hidden form submission", contained in a DoubleClick iframe. This code was only sent to Apple's browsers: Mayer tested 400 user-agent strings, and found that only Safari received the JavaScript that performed hidden form submissions.

Permalink • Print • Comment

August 4, 2011

iOS 5: Top 5 New Features

Coming this fall, iOS users will be getting a an upgrade to their mobile OS, one that adds over 200 new features to the already popular line of iDevices. With this many features, it might be hard to get a handle on just how some of these new features are going to affect your experience.

In this TechTip, I’m going over the top 5 new features in iOS 5 that can change the way you use your iDevice.

iMessage

iOS 5: Top New Features – Geeks.comDo you want to cancel your text messaging plan because it’s too expensive? Okay, you probably won’t be able to do that right away with iMessage, but it might be enough to subscribe to a lesser plan. With iMessage, all iOS 5 devices will be able to send text, images, video, locations, and contats with all other iOS devices, over Wi-Fi or 3G, for free. Data rates will still apply, of course, but you’ll be free from the limits of messaging plans. This is a big move for Apple to get you, your family, and your friends to all use iDevices so nobody will be left out of the conversation.

Notification Center

iOS 5: Top New Features – Geeks.comHow many times have you done this? You pull out your iPhone, you swipe to unlock and just before it unlocks, you see you have a notification, but it’s too late; you’ve already swiped and the message is gone. Unless there’s a badge to let you know where it came from, that message is gone. To cure this problem, Apple’s borrowing an Android-style method that puts all the notficiations in their own app called the Notification Center. All notifications will be logged here, and you’ll be able to see the most recent notifications on the lockscreen at a glance.

Camera App

iOS 5: Top New Features – Geeks.comI’m sure you don’t have to try hard to imagine this next scenario: you’re witnessing something momentous, you remember your iPhone is also a camera, so you pull it out and get ready to snap a photo, but you have to unlock the screen, touch the Camera app, and wait for it to open. It’s not something that ruins usage of the phone, and it’s on par with having to dig out a dedicated point-and-shoot digital camera, but it still leaves something to be desired. With the new and improved Camera app, you’ll be able to start it right from the lockscreen. Better than that, you’ll be through with doing that awkward maneuver you do when trying to snap a photo while touching the button on the touchscreen, because the Volume Up button will be the new capture button.

iCloud

iOS 5: Top New Features – Geeks.comThere are more than just photos and videos stored on my iPhone. There are the many other valuable pieces of information that include phone numbers, email addresses, and appointments. iCloud is going to make managing this extremely simple at zero cost and with zero effort. Almost everything is going to be backed up to Apple’s own servers where it will be accessible by all of your registered iDevices. This will make it easy to avoid the embarrassing mass emails, tweets, or Facebook posts that tell everyone you lost your phone. There is much more to iCloud than this, but this feature alone makes it invaluable to me. The best part is that it is replacing MobileMe, a service that used to do less for nearly a hundred dollars.

PC Free, Over-the-Air Updates

iOS 5: Top New Features – Geeks.comOkay, I cheated, these are two features in one, but they should both be under the heading “cutting the cord” because that’s what these two are about. With PC Free setup, iDevices will no longer need to be plugged into a computer to initialize. Maybe you’ve only set up your phone once and you never plugged it in again, which is a surprisingly common scenario. With Over-the-Air Updates, you’ll be getting the latest firmware updates without having to plug in your device. You’ll still have to plug your iDevice in one last time to install iOS 5, but that could be your very last time! Removing this barrier to entry makes iOS devices even more accessible to users with very limited computer access.

With over 200 new features, these few functions barely even scratch the surface of iOS 5. Be on the look out this fall for the update.

Permalink • Print • Comment

May 29, 2011

Apple’s malware challenge: Usability as its security world changes

Apple’s security reality is changing right before our eyes and the company’s response will be telling. The toughest challenge will be shutting down hackers while keeping its trademark usability in tact.

Steve Jobs & Co. is known for creating devices that can spur gadget lust with just a mere rumor. Apple customers for years have taken the view—inspired by the company’s commercials—that its software is safer. If you have a Mac there’s no need for anti-virus software. You’re secure.

The reality is Apple enjoyed security by obscurity. Its market share wasn’t worth the attention from hackers. Now Apple is worth the attention. Where’s the glory in taking out a smaller computing player when you can take out the big dog—Microsoft?

As a result of Apple’s lack of hacker interest, the company could talk about being more secure even as it tended to rewrite QuickTime and plug security holes every time it launched a new product or generated buzz. While you were playing with your latest greatest Apple software release the company would patch vulnerabilities.

Here’s Apple’s chain of events over the last month:

  • Mac Defender malware attacks Apple users.
  • Apple remains mostly silent and tries to thread the customer service needle.
  • Apple then announces a fix and that a future update will put Mac Defender to bed with an update.
  • Evil doers launch a new renamed version just a few hours later. The new malware is renamed (predictable) and split into two parts, a downloader that delivers a payload similar to Mac Defender (not so predictable).

Does any of this sound familiar? It should. Microsoft went through this same learning process with its security procedures. Microsoft had to button down its security operations and today is able to fend off a lot of attacks.

Ed Bott nailed the importance of these malware attacks against Apple when he said:

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokeperson, told me his company’s analysts were “impressed by the quality of the original version.” The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

Microsoft eventually got security religion, but there was a cost—usability. Vista’s most hated feature was UAC (user account control). Bott later noted that UAC was enough to drive any level-headed person to PC rage.

In a nutshell, Microsoft added a key security feature—and drove its users nuts. Apple naturally capitalized on Microsoft’s UAC flub.

 

This usability vs. security line is one Microsoft has been walking for years. If you use all three of the top Web browsers regularly—IE 9, Google Chrome and Mozilla’s Firefox—you notice pretty quickly that IE 9 has more prompts and security features that can be annoying. I don’t doubt that IE 9 is the most secure browser around, but there are times I feel like I’m taking medicine that has a nasty taste to it.

It’s not like Apple hasn’t paid any attention to security. The biggest issue is that Apple seems to be underestimating what it is up against. Apple is just supposed to work. Security sometimes requires some inconvenience to users. If you build security in from the ground up, usability can suffer.

Apple’s trade-off will between security and UI will be its biggest challenge in the years ahead. If I were to guess, Apple’s Mac malware issues are just the warm-up act for bigger things.

  • Why not target Apple’s iOS, which is a dominant mobile OS?
  • Why not target iTunes and all of those credit card accounts on file?
  • Why not go for the glory of bringing Apple down?

In other words, Apple may have to spend some time talking security frameworks. That’s quite a sea change. If Apple can integrate hardware, software and more security into a package where the consumer doesn’t notice then it will have pulled off a great feat.

Final thought: One natural reaction to talking Apple security is to bring up Google’s Android. Android will be just as big of a hacker target and Google will have to respond to the same challenges as Apple. Ironically, Microsoft’s Windows Phone 7 will have a free pass for a while. Why? Security by obscurity. Microsoft in mobile just isn’t big enough to matter.

Related:

Permalink • Print • Comment

Apple Mac OS X update to put Mac Defender malware issue to bed

Apple said Tuesday that it will deliver a Mac OS X update “in coming days” that will put its Mac Defender malware headaches to rest.

As noted repeatedly by Ed Bott, Apple has had its head in the sand about its Mac Defender malware issue. In a May 24, knowledge base article Apple said:

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user’s credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

For now there’s a step by step workaround to manually remove the malware.

What took so long? Apple has historically hung its hat on being a malware free environment. The issue with that positioning is that Apple is a bigger part of the computing landscape. The more market share you have the larger a target you are for hackers.

Here’s the Apple saga:

Permalink • Print • Comment

Apple continues to tell support reps: do not help with Mac malware

Update May 24, 4:30PM PDT: Apple has now posted a support article on its website: How to avoid or remove Mac Defender malware. A note at the top of the article says:

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

How is Apple responding to the flood of customer calls about installations of the Mac Defender malware?

According to multiple tech support insiders, the company has doubled down on its policy of denying any help to affected customers. Meanwhile, despite evidence that a large number of customers have been affected by this issue, Apple has made no public statement and did not respond to two requests for comment.

My sources tell me call volume for Mac Defender-related issues continues to be high. One AppleCare support agent told me last week that 50% of calls in the previous week were related to this issue. A rep in a different location confirmed that number but said volume had dropped this week:

In the first days after Intego identified the issue I would say 50-60% of calls were driven by Mac Defender.

Now still within the 20-25% range….I think Google may be getting a handle on the gamed SEO placements and poisoned links that started the whole fiasco.

So how big is the problem? Apple’s silence makes it impossible to know for sure. However, I’m told that the division that handles Mac support calls receives between 10,000 and 20,000 calls a day. If 25% of those calls are related to this issue, which has been going on for 25 days, the total number of customers affected could be between 60,000 and 125,000, and growing.

One contractor who works for a third party that handles support calls for Apple in North America sent me a confidential document that had been distributed to all personnel at his location. The document contains detailed instructions from “the client” (Apple) that the firm’s employees must follow when dealing with calls from customers asking for help with Mac Defender issues. (I’ve posted a copy of the document at the end of this post.)

The document, which is labeled “Valid as of May 20th 2011 subject to further revisions,” instructs support reps to “Start with an upbeat tone and stay positive.” That’s followed by two blocks that outline the script the agents are expected to follow:

“I am glad that you decided to call in about this issue today. Based on the symptoms you describe it sounds like you may have malware on your computer. I would be more than happy to send you an article about what malware is and is not. Lets [sic] make sure you have all your software up to date.”

“Apple’s [sic] doesn’t recommend or guarantee any specific third part [sic] anti-virus protection over another. However I can suggest several third party virus protection programs that you may want to consider researching to find the best one for your needs.”

At that point the rep is ordered to suggest “at least three or four different programs from anywhere” and direct the customer to the App Store or the Apple Online Store.

In a particularly Orwellian turn of phrase, the anonymous author of the document then notes dryly, “According to the client the point of this is to empower the customers to become more internet and security savvy.”

The end of the document includes a list of “Things you must never do according to the client.” The list of prohibited actions includes all of the steps required to clean a Mac Defender infection:

– You cannot show the customer how to force quit Safari on a Mac Defender call

– You cannot show the customer how to remove from the Login items.

– You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.

– You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the Apple.com forums)

The final item on the list contains instructions that prevent support personnel from indirectly helping clients:

– Once you know that the call is about Mac Defender, and then the customer decides to try and ask you general questions to find a loophole (IE: “OK, then how would you uninstall a third party program in general” or “How do I stop programs from starting upon launch”) The point of this is, things that would be considered “general product usage” questions are not allowed to be answered if the customer has already informed you that he potentially has MacDefender and is now asking obvious questions to skirt our policy.

The upshot of this policy is to explicitly prohibit any action that could help customers. For tech support personnel, that’s a bitter pill to swallow.

One rep who contacted me via e-mail describes the current mood among fellow support reps as “horrid,” adding, “We are now under strict orders, of course without distinctly saying it, to help NO ONE with Mac Defender under threat of our jobs … All I heard all day today from other advisors was how Apple doesn’t want to take care of its customers and how this new policy constrained our ability to do our job and directly affects our pay.”

A second rep told me, “The shit has hit the fan.”

You can see a copy of the entire document here:

Permalink • Print • Comment
Next Page »
Made with WordPress and an easy to customize WordPress theme • Sky Gold skin by Denis de Bernardy