Risk
3/28/2011
09:18 PM
Connect Directly
RSS
E-Mail
50%
50%

Do Not Track Momentum Mounts

Legislation to be proposed by Senator John Kerry and analysis of business comments to the FTC may point toward stronger privacy protections.

Will the FTC -- which can advise Congress, but otherwise has little regulatory power -- see Do Not Track become law? When initially released for public comment in December 2010, the FTC's Internet privacy proposal was publicly slammed by the advertising industry, although lauded by privacy rights groups.

Interestingly, however, an analysis of businesses' related comments to the FTC sees widespread support for privacy -- at least as a concept. So said a blog post from attorney Richard Santalesa, senior counsel, Information Law Group, which evaluated all 442 of the comments submitted to the FTC by individuals, organizations, agencies, and businesses. Microsoft, for example, in its submission said that it "supports an industry-wide privacy-by-design principle that encourages businesses to incorporate privacy protections into their data practices and to develop comprehensive privacy programs."

But many businesses raise concerns over Do Not Track and other FTC privacy proposals. These range from hesitation over standardizing on a single approach or technology, to problems with FTC Fair Information Practices.

Facebook, for example, argues that privacy protections should be strengthened so long as users aren't impeded. In addition, it "broadly opines that common Do Not Track 'concerns are not implicated when the user has a relationship with the company [i.e. Facebook] conducting the tracking and understands that the entity may be collecting data,'" said Santalesa. In other words, Facebook wants an opt-out for its users being able to opt out.

Regardless, related privacy laws could arrive soon. On Friday, a draft was leaked of Senator John Kerry's yet to proposed legislation -- the Commercial Privacy Bill of Rights Act of 2011 -- that would allow the FTC to develop and enforce rules for how people's personal information is handled.

The act "directs the FTC to make rules requiring certain entities that handle information covered by the act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains," said attorney Nicole Friess, associate, Information Law Group, in a blog post.

The as yet not proposed legislation, which is co-sponsored by Senator John McCain, suggests that privacy will no longer be left to advertisers to safeguard, which is the current approach.

"With the exception of the FTC's enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation," Friess said. "Between the new draft of the 'Commercial Privacy Bill of Rights Act of 2011,' three separate privacy bills pending in the House, and the Obama administration backing a 'consumer privacy bill of rights,' it looks like change is in the air -- and I'm not just saying that to be clever."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.