Risk
3/28/2011
09:18 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Do Not Track Momentum Mounts

Legislation to be proposed by Senator John Kerry and analysis of business comments to the FTC may point toward stronger privacy protections.

Will the FTC -- which can advise Congress, but otherwise has little regulatory power -- see Do Not Track become law? When initially released for public comment in December 2010, the FTC's Internet privacy proposal was publicly slammed by the advertising industry, although lauded by privacy rights groups.

Interestingly, however, an analysis of businesses' related comments to the FTC sees widespread support for privacy -- at least as a concept. So said a blog post from attorney Richard Santalesa, senior counsel, Information Law Group, which evaluated all 442 of the comments submitted to the FTC by individuals, organizations, agencies, and businesses. Microsoft, for example, in its submission said that it "supports an industry-wide privacy-by-design principle that encourages businesses to incorporate privacy protections into their data practices and to develop comprehensive privacy programs."

But many businesses raise concerns over Do Not Track and other FTC privacy proposals. These range from hesitation over standardizing on a single approach or technology, to problems with FTC Fair Information Practices.

Facebook, for example, argues that privacy protections should be strengthened so long as users aren't impeded. In addition, it "broadly opines that common Do Not Track 'concerns are not implicated when the user has a relationship with the company [i.e. Facebook] conducting the tracking and understands that the entity may be collecting data,'" said Santalesa. In other words, Facebook wants an opt-out for its users being able to opt out.

Regardless, related privacy laws could arrive soon. On Friday, a draft was leaked of Senator John Kerry's yet to proposed legislation -- the Commercial Privacy Bill of Rights Act of 2011 -- that would allow the FTC to develop and enforce rules for how people's personal information is handled.

The act "directs the FTC to make rules requiring certain entities that handle information covered by the act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains," said attorney Nicole Friess, associate, Information Law Group, in a blog post.

The as yet not proposed legislation, which is co-sponsored by Senator John McCain, suggests that privacy will no longer be left to advertisers to safeguard, which is the current approach.

"With the exception of the FTC's enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation," Friess said. "Between the new draft of the 'Commercial Privacy Bill of Rights Act of 2011,' three separate privacy bills pending in the House, and the Obama administration backing a 'consumer privacy bill of rights,' it looks like change is in the air -- and I'm not just saying that to be clever."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web