Risk
2/23/2012
05:13 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

'Do Not Track' Won't Save You From Yourself

Just because you now have a Consumer Privacy Bill of Rights, don't assume you have privacy.

Congratulations! You've got privacy. Thanks to the Obama Administration's Consumer Privacy Bill of Rights, no one will ever know about your secret shame, cat breading (yes, breading, not breeding).

Through the miracle of self-regulation--the very thing you can't manage as you post picture after picture of cats wearing slices of bread to your Facebook account--companies like Facebook and Google will start honoring your wish to use online services without being tracked for the purpose of advertising. Soon, your Gmail ads will not include any mention of cats or bread, except by chance. Instead, the online ads you see will be irrelevant and annoying. How's that for progress?

Google and its ilk may still use your data for market research and product development. And law enforcement, of course, will still be able to demand data from online companies about your suspicious cat breading activities. But if you just keep telling yourself, "Now, I have privacy," then everything will be okay.

That is, assuming you can actually be bothered to opt-out.

That task will be easier as browser makers implement a "Do Not Track" button. Online ad networks will also be providing a Do Not Track icon on ads, according to the Federal Trade Commission. Just make sure to click on the button and not the ad, or that will be a billable event for the advertiser. Not that Google is likely to complain.

[ Find out about the new Consumer Privacy Bill of Rights. Read Obama's Consumer Privacy Bill of Rights: 9 Facts. ]

Make no mistake, this is a real victory for Mozilla, the first browser maker to implement Do Not Track. And if Google, which pays the lion's share of the non-profit organization's bills thanks to a Firefox search deal, sees ad revenue decline as a result of a data drought, Mozilla doesn't have to worry for another three years.

Alex Fowler, privacy and public policy lead at Mozilla, sees the Consumer Privacy Bill of Rights and the growing momentum of Do Not Track as an expansion of user control.

"While Internet users have always had some measure of control, the needs for online privacy are not being fully addressed by the controls that exist today," he said in an email. "The problem with the existing controls is that users lose some functionality and erode their experience. Having to break one's Web experience to get privacy shouldn't be an acceptable tradeoff."

But privacy isn't dispensed with a button. Nor is it guaranteed by a Consumer Privacy Bill of Rights that specifies many things that companies "should" do, but offers no detail about enforcement or penalties.

Given that the rights guaranteed in the U.S. Constitution's Bill of Rights were not really available to large numbers of U.S. citizens through the Civil Rights era, and even today get bypassed, we should not expect privacy to descend with the stroke of a legislative pen. It should be noted that last year, the Obama administration was arguing that email should not be protected by the Fourth Amendment. Privacy with exceptions is about as comforting as a parachute that "usually" opens.

The Obama administration's privacy framework represents the beginning of what's going to be a long, drawn-out discussion. It's a positive step, but it's just a step, and a step toward responsible business practices--data usage policies--rather than privacy. As Electronic Freedom Foundation attorney Kevin Bankston noted via Twitter, the White House framework preserves the possibility that online companies could be required to retain data for law enforcement purposes beyond stated data retention times. We promise not to track you, unless we have to.

One anonymous commenter posting to the website of privacy researcher Christopher Soghoian, who helped create Do Not Track, voiced his (or her) skepticism: "I personally wouldn't ever trust ad companies to respect law and many countries [don't] even have laws about privacy on the Net. So I'm inclined to laugh out loud at the idea. I will continue to recommend and help friends and family to install and configure Adblock Plus, NoScript, and Ghostery 'correctly' (as in 'extremely restrictive mode') for them to evade as [many] ads and [as much] profiling [as] possible."

Better still, think before you post anything online or send an email. Take the time to understand Internet technology and its repercussions. Know that using a computer is an act of self-surveillance. The efforts of advertisers to understand your behavior and deliver relevant ads are largely inconsequential. Ads can be ignored or blocked, if you care enough to make that choice. But no government guidelines can save you from yourself if you insist on posting pictures of cats bedecked in bread.

As federal agencies embrace devices and apps to meet employee demand, the White House seeks one comprehensive mobile strategy. Also in the new Going Mobile issue of InformationWeek Government: Find out how the National Security Agency is developing technologies to make commercial devices suitable for intelligence work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
MARIN000
50%
50%
MARIN000,
User Rank: Apprentice
2/24/2012 | 3:30:44 PM
re: 'Do Not Track' Won't Save You From Yourself
If one wants privacy protection that is 100% effective (ie; the "parachute that always opens) and completely under user control they need to use a software platform that remembers nothing from one session to the next. No supercookies, no tokens...nothing to track. CyberShield Solutions makes such software free to everyone on its website.
JonathonT
50%
50%
JonathonT,
User Rank: Apprentice
2/24/2012 | 4:07:50 PM
re: 'Do Not Track' Won't Save You From Yourself
Another option is to boot up with a LiveCD, which is a full operating system loaded from disc. In live mode, you reboot the computer, using disc in the drive, and boot from that drive instead of the hard drive. You can then use the LiveCD operating system on the disc without writing data permanently and then when you are done, you can shut down and resume using the system normally. You can find lots of LiveCD operating systems at distrowatch.com. There are even a few LiveCD distributions (also termed distros) that you can use like on-CD applications within Windows. Basic LiveCD instructions: Find one that has the features you need (generally anything from the top 5 popular distros will do), download the ISO image for that LiveCD (They can be around 1 GB in size, but there are <650 MB versions for CD images too), burn the saved ISO to a blank disc, and then you can use that LiveCD disc.

--- Jonathon

cloudfilesecurity.biz
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.