
Showing results for tags 'tracking'.




Found 21 results

  1. I IN NO WAY TAKE ANY CREDIT FOR THIS IT WAS TAKEN FROM MDL FORUM AND SOME POSTS BY MEMBERS ON THIS FORUM! Manual: Tools: Microsoft Telemetry Tools Bundle v1.52 Windows 10 Lite v9 Private WinTen v0.74 Blackbird v6 v1.0.79.3 [Works with Win 7/8/8/1/10] O&O ShutUp10 v1.7.1407 WPD - Windows Privacy Dashboard v1.3.1323 WindowsSpyBlocker v4.27.1 Spybot Anti-Beacon v3.1 [Works with Win 7/8/8/1/10] W10Privacy v3.4.0.1 Debotnet v0.5.4 Disable Windows 10 Tracking v3.2.3 Destroy Windows Spying v1.0.1.0 [Works with Win 7/8/8/1/10] [NOT RECOMMENDED AS NOT UPDATED ANYMORE]
  2. The Department of Homeland Security has been purchasing cellphone location data and using it to track activity near the US-Mexico border, according to The Wall Street Journal. The data has reportedly led to arrests after law enforcement saw where people were crossing the border and traced the data back to specific people. The location data comes from a commercial database composed of information compiled on users by marketing companies. Advertisers and app developers are often able to gather far more information than a user might realize, such as once they’ve granted an app permission to use their location for a more legitimate use, like checking the weather. All of this data collection can lead to an incredibly revealing portrait of an individual’s behavior being created, even though they might have little idea that they, theoretically, consented to the information being shared. It also means that the government can obtain very revealing data on a broad swath of people without going through the courts or relying on questionable legal precedents. It can just buy the information outright, like anyone else can. The Department of Homeland Security confirmed to the Journal that it had purchased the data. Immigration and Customs Enforcement and Customs and Border Protection are reported to have used the data but did not specifically acknowledge doing so. The Journal says the data came from Venntel, a company that calls itself a “pioneer in mobile location information” that “supports our national interests through technological innovation.” Venntel indicated that the Department of Homeland Security was a customer but otherwise declined to comment to the Journal. The New York Times recently highlighted just how revealing this information can be. With access to a database of cellphone location data, reporters were able to track even high-profile individuals in great detail. “We followed military officials with security clearances as they drove home at night. 
We tracked law enforcement officers as they took their kids to school,” wrote Stuart A. Thompson and Charlie Warzel. Source
  3. California's new privacy law has spurred a torrent of online notices. But the law is also forcing changes offline, in traditional stores. To anyone with eyes in their kneecaps, the notice outside gadget retailer B8ta’s glossy store next to San Francisco’s new NBA arena is obvious. “We care about your privacy,” the small plaque proclaims, offering a web address and QR code. Anyone curious and limber enough to bend down and follow these pointers is taken to the retailer’s online privacy policy, which discloses that stepping inside the store puts you in range of technology that automatically collects personal information. That includes “smartphone detectors” and Wi-Fi routers that note the location and unique identifiers of your phone, and cameras equipped with software that estimates your age and gender. B8ta added the signage to its six California stores and expanded its online privacy policy late last year as it prepared to comply with a new state law that took effect this month called the California Consumer Privacy Act. The law requires businesses to disclose what personal information they collect from consumers at or before the time it is collected. It gives state residents the right to request data collected about them be deleted and to forbid a business from selling it. CCPA’s most visible effect has been a plague of website popups on California residents. But the law also applies to offline data collection. B8ta’s new signs and disclosures show how the CCPA might shed more light on the way brick-and-mortar businesses use Wi-Fi routers and other in-store sensors to try to match the customer analytics and tracking of online retailers and ad networks. California legislators rushed to pass CCPA in 2018 to head off a stricter ballot initiative on privacy whose sponsors had collected more than 600,000 signatures. In the process, a provision allowing citizens to sue for violations was removed, leaving the state attorney general as the sole enforcer. 
But CCPA is in some ways broader than GDPR, the influential European Union privacy law that came into force in 2018. California’s law defines personal information more liberally, to include data about a household, which GDPR does not, for example. CCPA also requires companies to disclose details of how they sell personal data and allow consumers to opt out of any sales, using a broad definition of “sell” that includes trading data for anything of value. Mary Stone Ross, a lawyer and former CIA analyst who coauthored the initiative that led to CCPA, says it was partly inspired by research on use of in-store tracking by retailers. “It was very clear that in order for the CCPA to be effective, it had to cover all collection of all information, not just online collection,” she says. The law that took effect January 1 says businesses must “inform” consumers that they are collecting personal information “at or before the point of collection.” The attorney general’s draft regulations, due to be finalized in time for enforcement to begin in July, suggests physical premises distribute paper notices or display “prominent signage” with a web link. B8ta declined to explain how it reasoned that knee-high notices might inform customers or count as “prominent.” The company’s stores, which resemble Apple stores, feature quirky consumer gadgets such as an e-ink typewriter alongside products from names like Asus and Google. The retailer’s pitch to lure new partners cites its stores’ ability to provide live data on how customers engage or linger near products on display. Other companies collecting data from customers in stores have taken different approaches to disclosure. One patron of Brazilian steakhouse Fogo De Chão received a printed CCPA notice when he visited the chain’s San Francisco restaurant in early January. It informed him that the company collects personal information during purchases and reservations, uses security cameras, and mentions the restaurant’s guest Wi-Fi. 
That, too, according to the company’s updated online policy, collects personal information. When department store Macy’s updated its privacy policy to comply with CCPA, it added a surprising disclosure—facial recognition may be used on customers for “security and fraud detection purposes.” The company also said that it uses Wi-Fi routers to track where shoppers linger and beacons that “map nearby Bluetooth-enabled devices, much in the same way radar works,” and sells consumer data, including device and network information. Inside the Macy’s store in San Francisco’s Union Square this week, the cameras—potentially using facial recognition—were obvious, but no privacy notices were visible, even at knee level. The company did not respond to multiple requests for comment before publication. After this article was published, Macy's said in a statement, "Macy’s is committed to our customers’ privacy. We are taking the steps necessary to meet the new CCPA privacy law." California’s new privacy regime could help reveal how use of facial recognition is spreading in stores and other semipublic places as the technology becomes more accessible. Lowe’s says it previously tested the technology in three stores, but ultimately decided not to use it. Peter Trepp, CEO of facial recognition provider FaceFirst, declined to say whether he is telling retail customers to post notices in California informing shoppers their faces might be analyzed. The company claims to work with airports, sports teams, and Fortune 500 retailers, who use the software to alert staff when shoplifters known to a store return. source
  4. The iPhone 11 Pro’s Location Data Puzzler One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy. The privacy policy available from the iPhone’s Location Services screen says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.” The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching “Location Services” to “off”). When one does this, the location services indicator — a small diagonal upward arrow to the left of the battery icon — no longer appears unless Location Services is re-enabled. The policy continues: “You can also disable location-based system services by tapping on System Services and turning off each location-based system service.” But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location. On Nov. 13, KrebsOnSecurity contacted Apple to report this as a possible privacy bug in the new iPhone Pro and/or in iOS 13.x, sharing a video showing how the device still seeks the user’s location when each app and system service is set to “never” request location information (but with the main Location Data service still turned on). 
The video above was recorded on a brand new iPhone 11 Pro. The behavior appears to persist in the latest iPhone operating system (iOS 13.2.3) on iPhone 11 Pro devices. A review of Apple’s support forum indicates other users are experiencing the same issue. I was not able to replicate this behavior on an older model iPhone 8 with the latest iOS. This week Apple responded that the company does not see any concerns here and that the iPhone was performing as designed. “We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added]. Apple has not yet responded to follow-up questions, but it seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services. Granted, the latest versions of iOS give users far more granular control over the sharing of this data than in the past, especially with respect to third-party apps. And perhaps this oddity is somehow related to adding support for super-fast new WiFi 6 routers, which may have involved the introduction of new hardware. But it would be nice to know what has changed in the iPhone 11 and why, particularly given Apple’s recent commercials on how they respect user privacy choices — including location information. This post will be updated in the event Apple provides a more detailed response. Source: The iPhone 11 Pro’s Location Data Puzzler (KrebsOnSecurity - Brian Krebs)
  5. Microsoft details tracking prevention improvements in the new Edge browser A while back, Microsoft announced that the new Chromium-based Edge browser was getting built-in tracking prevention, a feature that helped users manage how their activity on the web is tracked. It's been some time since then, and the company has detailed some of the improvements made to the experience with Edge version 79. This is the version that's currently in the Beta channel and set to be the first generally available version of the new browser. Microsoft said its goal with the new improvements was to simultaneously block more kinds of trackers while also ensuring as much compatibility as possible with the web. Blocking too many trackers can cause some sites to break, so a certain balance is necessary. Microsoft says it figured out a way to do this by measuring the user's engagement with organizations, so tracking prevention can be less strict when the user has a clear relationship with a website or organization. This helps users achieve better compatibility with websites they care about most, while blocking more trackers on websites they don't visit as often. Microsoft says that, by enabling this capability, called Org Engagement Mitigation, it actually blocked 25% more trackers on average, so the end result should actually be better for privacy-conscious users. However, if you really don't want any trackers, you'll be happy to know that this feature is only enabled for users that use the Balanced setting for tracking prevention in Edge. Users who opt into Strict mode will still block the maximum number of trackers regardless of their site and organization engagement. For InPrivate mode, Edge 78 initially set the tracking prevention mode to Strict at all times, but that's changing now since users were seeing some sites breaking because of it. 
InPrivate windows will now follow the same setting as regular browsing, but Microsoft is testing a new toggle in the Canary and Dev channels to allow users to continue using Strict mode for InPrivate browsing. For users who want to know more about which trackers Edge has blocked, there's also now a new page to view a list of blocked trackers and how many times each tracker was blocked. The list can be found in edge://settings/privacy/blockedTrackers. Source: Microsoft details tracking prevention improvements in the new Edge browser (Neowin)
  6. What's in the latest Firefox update? Firefox 69 thwarts web tracking by default for everyone Firefox 69 switches on the browser's anti-tracking technology by default for all users. Magdalena Petrova/IDG Mozilla on Tuesday released Firefox 69 with the browser's anti-tracking technology switched on by default for all users. The organization's security engineers also patched 20 vulnerabilities, one tagged "Critical" and 11 marked "High," the organization's two top threat ratings. The single critical flaw only affected Windows, Mozilla said in its patching commentary. Firefox 69 can be downloaded from Mozilla's site for Windows, macOS and Linux. Because it updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose "About Firefox." The resulting page shows that the browser is either up to date or explains the refresh process. Mozilla updates Firefox every six to eight weeks; it last upgraded the browser on July 9. You get ETP and you get ETP and ... Mozilla first turned on Enhanced Tracking Protection (ETP) in June, but at the time limited the setting to new-to-Firefox users. However, existing customers could flip the ETP switch themselves using the Preferences screen. With Firefox 69, Mozilla has enabled ETP for all users. By default, "Content Blocking" - the feature's name in Firefox's Preferences - is set to "Strict," the strongest protection available. Users can reset that to "Standard" or "Custom," or even turn off everything by clearing all choices in the latter. Mozilla said that prior to Firefox 69's debut, more than 20% of all Firefox users had ETP engaged, signaling that a significant number of existing users had manually enabled ETP in the past three months. 
"With today's release, we expect to provide protection for 100% of our users by default," wrote Marissa Wood, vice president of product at Mozilla, in a Sept. 3 post to a company blog. ETP has taken a crooked road to release. Tracing its lineage to 2015's "Tracking Protection," Mozilla got serious about the concept two years ago, when it broke the technology out of the private-browsing bubble. In October 2018, it named the feature ETP and set Firefox 65, slated to release in January 2019, as the on-by-default target. Problems persisted, however - in several instances Mozilla said the technology was breaking too many sites - and delays were inserted for more testing. Finally, Mozilla used a "soft opening" for ETP in June, limiting the automatic on-by-default to new users as a final quality control check. Wood spelled out additional information about ETP in her Tuesday post. Mozilla All Firefox users now have the browser's anti-tracking feature switched on, set to the strongest protection. Changes can be made in the Preferences pane. Block this, block that Also in Firefox 69, Mozilla's developers enhanced the choices for autoplay, the habit by sites to immediately start playing video on the computer screen and blasting audio from its speakers. Firefox has automatically blocked autoplay of audio since March and version 66. Video with accompanying audio was also stopped from playing. But if a video provider muted the audio, Firefox let the former play. With Firefox 69, users can select "Block Audio and Video" to stop such video from automatically playing. That setting is at Preferences > Privacy & Security > Permissions > Autoplay > Settings > Default for all websites. This version of Firefox also took the next step in Mozilla's kill-Flash process. The browser lost the "Always Activate" option for Flash, meaning that every request to run the player software must be user approved. 
From this point forward, the only settings are "Ask to Activate," the default, and "Never Activate." This move was previously announced by Mozilla (check out the "Plugin Roadmap for Firefox" here) and should be the last step before all Flash support is yanked from non-enterprise copies. (The Extended Support Release, or ESR, will continue to support Flash until the end of 2020.) The next version of the browser, Firefox 70, should release Oct. 22. Source: What's in the latest Firefox update? Firefox 69 thwarts web tracking by default for everyone (Computerworld - Gregg Keizer)
  7. Apple patched a bug in May, but academics say the rest of the flaws require a redesign of some Apple services. Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks. These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US. The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem. While most Apple end users might not be aware of the protocol's existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods. German and US researchers reverse-engineered AWDL But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors. However, due to the protocol's growing ubiquity in the daily lives of all Apple users, in 2018, a team of TU Darmstadt academics -- later joined by academics from Boston's Northeastern University -- decided to take a look at AWDL, and how the protocol works. "Considering the well-known rocky history of wireless protocols' security, with various flaws being repeatedly discovered in Bluetooth, WEP, WPA2, GSM, UMTS, and LTE, the lack of information regarding AWDL security is a significant concern given the increasing number of services that rely on it," the research team said. 
To study it, researchers reverse-engineered the AWDL protocol and then re-wrote it as a C implementation named OWL (Open Wireless Link), which they later used to test the real AWDL protocol for various attacks. AWDL vulnerabilities "Our analysis reveals several security and privacy vulnerabilities ranging from design flaws to implementation bugs enabling different kinds of attacks," the research team said. As a result of their work, researchers discovered: A MitM attack which intercepts and modifies files transmitted via AirDrop, effectively allowing for the planting of malicious files. A long-term device tracking attack which works in spite of MAC randomization, and may reveal personal information such as the name of the device owner (over 75% of experiment cases). A DoS attack aiming at the election mechanism of AWDL to deliberately desynchronize the targets' channel sequences effectively preventing communication with other AWDL devices. Two additional DoS attacks on Apple's AWDL implementations in the Wi-Fi driver. The attacks allow crashing Apple devices in proximity by injecting specially crafted frames. The attacks can be targeted to a single victim or affect all neighboring devices at the same time. While AWDL contained various security features to prevent attackers from establishing MitM rogue connections to legitimate devices without authorization, the research team was able to bypass these systems. They did this with the help of a TCP reset attack that blocked the AWDL connection and allowed researchers to interpose their $20 hardware rig between the two devices and establish legitimate connections with both the sender and the receiver. AWDL is ideal for pervasive user tracking But while MitM attacks are hard to pull off and DoS attacks that crash devices are rarely useful, the AWDL vulnerabilities that allow user tracking are the ones that are truly concerning. 
For this attack, the research team said they were able to obtain information from an AWDL connection such as the device hostname, real MAC address (even if the device has MAC address randomization enabled), the AP the device is connected to, the device class (iOS, watchOS, macOS, tvOS, etc.), and AWDL protocol version. This information, researchers argued, is more than enough to create profiles and track users. Combined with data from online advertisers and analytics providers, it could be used to link devices to their real owners. The research team worried that AWDL-based tracking technology could be deployed in retail stores or public spaces and track users' movement through an area. Some flaws require a protocol/service redesigns As for patches against these attacks, the research team said they notified Apple of all the vulnerabilities they found, between August and December 2018. "While Apple was able to issue a fix for a DoS attack vulnerability after our responsible disclosure, the other security and privacy vulnerabilities require the redesign of some of their services," researchers said. The fix for the AWDL DoS bug (CVE-2019-8612) rolled out in mid-May, with the release of iOS 12.3, tvOS 12.3, watchOS 5.2.1, and macOS 10.14.5. The rest of the AWDL vulnerabilities will likely remain exploitable for the foreseeable future. Some bugs might affect Android devices Furthermore, the same bugs may also affect Android and other types of devices, researchers warned. "The impact of these findings goes beyond Apple's ecosystem as the Wi-Fi Alliance adopted AWDL as the basis for Neighbor Awareness Networking (NAN) which, therefore, might be susceptible to similar attacks," the research team said. "NAN, commonly known as Wi-Fi Aware, is a new standard supported by Android which draws on AWDL's design and, thus, might be vulnerable to the similar attacks as presented in [our] work." 
However, this has not been confirmed, and additional research is needed on the impact of these AWDL bugs on real-world Android NAN (Wi-Fi Aware) implementations. More details about the vulnerabilities described in this article are available in a pre-print white paper named "A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link" that the research team will be presenting at the USENIX security conference in mid-August, in a few weeks time. Source
  8. Facebook is unwittingly auto-generating content for terror-linked groups that its artificial intelligence systems do not recognize as extremist, according to a complaint made public on Thursday. The National Whistleblowers Center in Washington carried out a five-month study of the pages of 3,000 members who liked or connected to organizations proscribed as terrorist by the US government. Researchers found that the Islamic State group and al-Qaeda were "openly" active on the social network. More worryingly, Facebook's own software was automatically creating "celebration" and "memories" videos for extremist pages that had amassed sufficient views or "likes." The Whistleblower's Center said it filed a complaint with the US Securities and Exchange Commission on behalf of a source that preferred to remain anonymous. "Facebook's efforts to stamp out terror content have been weak and ineffectual," read an executive summary of the 48-page document shared by the center. "Of even greater concern, Facebook itself has been creating and promoting terror content with its auto-generate technology." Survey results shared in the complaint indicated that Facebook was not delivering on its claims about eliminating extremist posts or accounts. The company told AFP it had been removing terror-linked content "at a far higher success rate than even two years ago" since making heavy investments in technology. "We don't claim to find everything and we remain vigilant in our efforts against terrorist groups around the world," the company said. Facebook and other social media platforms have been under fire for not doing enough to curb messages of hate and violence, while at the same time criticized for failing to offer equal time for all viewpoints, no matter how unpleasant. Facebook in March announced bans at the social network and Instagram on praise or support for white nationalism and white separatism. Source
  9. Does Google meet its users’ expectations around consumer privacy? This news industry research says no A significant majority of consumers do not expect Google to track their activities across their lives, their locations, on other sites, and on other platforms. Numerous privacy scandals over the past couple of years have fueled the need for increased examination of tech companies’ data tracking practices. While the ethics around data collection and consumer privacy have been questioned for years, it wasn’t until Facebook’s Cambridge Analytica scandal that people began to realize how frequently their personal data is shared, transferred, and monetized without their permission. Cambridge Analytica was by no means an isolated case. Last summer, an AP investigation found that Google’s location tracking remains on even if you turn it off in Google Maps, Search, and other apps. Research from Vanderbilt professor Douglas Schmidt found that Google engages in “passive” data collection, often without the user’s knowledge. His research also showed that Google utilizes data collected from other sources to de-anonymize existing user data. That’s why we at Digital Content Next, the trade association of online publishers I lead, wrote this Washington Post op-ed, “It isn’t just about Facebook, it’s about Google, too” when Facebook first faced Capitol Hill. It’s also why the descriptor surveillance advertising is increasingly being used to describe Google and Facebook’s advertising businesses, which use personal data to tailor and micro-target ads. Consumers are on alert. DCN surveyed a nationally representative sample to find out what people expect from Google — and, as with a similar study we conducted last year about Facebook, the results were unsettling. Our findings show that many of Google’s data practices deviate from consumer expectations. 
We find it even more significant that consumer’s expectations are at an all-time low even after 2018, a year in which awareness around consumer privacy reached peak heights. The results of the study are consistent with our Facebook study: People don’t want surveillance advertising. A majority of consumers indicated they don’t expect to be tracked across Google’s services, let alone be tracked across the web in order to make ads more targeted. Nearly two out of three consumers don’t expect Google to track them across non-Google apps, offline activities from data brokers, or via their location history. There was only one question where a small majority of respondents felt that Google was acting according to their expectations. That was about Google merging data from search queries with other data it collects on its own services. They also don’t expect Google to connect the data back to the user’s personal account, but only by a small majority. Google began doing both of these in 2016 after previously promising it wouldn’t. Google’s personal data collection practices affect the more than 2 billion people who use devices running their Android operating software and hundreds of millions more iPhone users who rely on Google for browsing, maps, or search. Most of them expect Google to collect some data about them in exchange for use of services. However, as our research shows, a significant majority of consumers do not expect Google to track their activities across their lives, their locations, on other sites, and on other platforms. And as the AP discovered, Google continues to do some of this even after consumers explicitly turn off tracking. With new laws in Europe and California and with federal discussions about how to bring similar protections to the rest of America, it’s critical to understand what consumers actually demand, align expectations to those demands, and rebuild trust in our industry. Consumers expect nothing less. Source
  10. 2019 may finally be the year for ‘The Search Engine That Doesn’t Track You’ In late November, hotel conglomerate Marriott International disclosed that the personal information of some 500 million customers — including home addresses, phone numbers, and credit card numbers — had been exposed as part of a data breach affecting its Starwood Hotels and Resorts network. One day earlier, the venerable breakfast chain Dunkin’ (née Donuts) announced that its rewards program had been compromised. Only two weeks before that, it was revealed that a major two-factor authentication provider had exposed millions of temporary account passwords and reset links for Google, Amazon, HQ Trivia, Yahoo, and Microsoft users. These were just the icing on the cake for a year of compromised data: Adidas, Orbitz, Macy’s, Under Armour, Sears, Forever 21, Whole Foods, Ticketfly, Delta, Panera Bread, and Best Buy, just to name a few, were all affected by security breaches. Meanwhile, there’s a growing sense that the tech giants have finally turned on us. Amazon dominates so many facets of the online shopping experience that we might have to rewrite antitrust law to rein them in. Google has been playing fast and loose with its “Don’t Be Evil” mantra by almost launching a censored search engine for the Chinese government while simultaneously developing killer A.I. for Pentagon drones. And we now know that Facebook collected people’s personal data without their consent, let companies such as Spotify and Netflix look at our private messages, fueled fake news and Donald Trump, and was used to facilitate a genocide in Myanmar. The backlash against these companies dominated our national discourse in 2018. The European Union is cracking down on anticompetitive practices at Amazon and Google. 
Both Facebook and Twitter have had their turns in the congressional hot seat, facing questions from slightly confused but definitely irate lawmakers about how the two companies choose what information to show us and what they do with our data when we’re not looking. Worries over privacy have led everyone from the New York Times to Brian Acton, the disgruntled co-founder of Facebook-owned WhatsApp, to call for a Facebook exodus. And judging by Facebook’s stagnating rate of user growth, people seem to be listening. For Gabriel Weinberg, the founder and CEO of privacy-focused search engine DuckDuckGo, our growing tech skepticism recalls the early 1900s, when Upton Sinclair’s novel The Jungle revealed the previously unexamined horrors of the meatpacking industry. “Industries have historically gone through periods of almost ignorant bliss, and then people start to expose how the sausage is being made,” he says. Gabriel Weinberg, DuckDuckGo CEO and Founder This, in a nutshell, is DuckDuckGo’s proposition: “The big tech companies are taking advantage of you by selling your data. We won’t.” In effect, it’s an anti-sales sales pitch. DuckDuckGo is perhaps the most prominent in a number of small but rapidly growing firms attempting to make it big — or at least sustainable — by putting their customers’ privacy and security first. And unlike the previous generation of privacy products, such as Tor or SecureDrop, these services are easy to use and intuitive, and their user bases aren’t exclusively composed of political activists, security researchers, and paranoiacs. The same day Weinberg and I spoke, DuckDuckGo’s search engine returned results for 33,626,258 queries — a new daily record for the company. Weinberg estimates that since 2014, DuckDuckGo’s traffic has been increasing at a rate of “about 50 percent a year,” a claim backed up by the company’s publicly available traffic data. 
“You can run a profitable company — which we are — without [using] a surveillance business model,” Weinberg says. If he’s right, DuckDuckGo stands to capitalize handsomely off our collective backlash against the giants of the web economy and establish a prominent brand in the coming era of data privacy. If he’s wrong, his company looks more like a last dying gasp before surveillance capitalism finally takes over the world. DuckDuckGo is based just east of nowhere. Not in the Bay Area, or New York, or Weinberg’s hometown of Atlanta, or in Boston, where he and his wife met while attending MIT. Instead, DuckDuckGo headquarters is set along a side street just off the main drag of Paoli, Pennsylvania, in a building that looks like a cross between a Pennsylvania Dutch house and a modest Catholic church, on the second floor above a laser eye surgery center. Stained-glass windows look out onto the street, and a small statue of an angel hangs precariously off the roof. On the second floor, a door leading out to a balcony is framed by a pair of friendly looking cartoon ducks, one of which wears an eye patch. Just before DuckDuckGo’s entrance sits a welcome mat that reads “COME BACK WITH A WARRANT.” “People don’t generally show up at our doorstep, but I hope that at some point it’ll be useful,” Weinberg tells me, sitting on a couch a few feet from an Aqua Teen Hunger Force mural that takes up a quarter of a wall. At 39, he is energetic, affable, and generally much more at ease with himself than the stereotypical tech CEO. The office around us looks like it was furnished by the set designer of Ready Player One: a Hitchhiker’s Guide to the Galaxy print in the entryway, Japanese-style panels depicting the Teenage Mutant Ninja Turtles in the bathroom, and a vintage-looking RoboCop pinball machine in the break room. There’s even a Lego model of the DeLorean from Back to the Future on his desk. The furniture, Weinberg tells me, is mostly from Ikea. 
The lamp in the communal area is a hand-me-down from his mom. Weinberg learned basic programming on an Atari while he was still in elementary school. Before hitting puberty, he’d built an early internet bulletin board. “It didn’t really have a purpose” in the beginning, Weinberg says. The one feature that made his bulletin board unique, he says, was that he hosted anonymous AMA-style question panels with his father, an infectious disease doctor with substantial experience treating AIDS patients. This was during the early 1990s, when the stigma surrounding HIV and AIDS remained so great that doctors were known to deny treatment to those suffering from it. Weinberg says that the free—and private—medical advice made the board a valuable resource for the small number of people who found it. It was an early instance of Weinberg’s interest in facilitating access to information, as well as a cogent example of the power of online privacy: “The ability to access informational resources anonymously actually opens up that access significantly,” he told me over email. After graduating from MIT in 2001, Weinberg launched a slew of businesses, none of which are particularly memorable. First there was an educational software program called Learnection. (“Terrible name… the idea was good, but 15 years too early,” he says.) Then he co-founded an early social networking company called Opobox, taking on no employees and writing all the code himself. “Facebook just kind of obliterated it,” Weinberg says, though he was able to sell the network to the parent company of Classmates.com for roughly $10 million in cash in 2006. It was around that time when Weinberg began working on what would become DuckDuckGo. Google had yet to achieve total hegemony over the internet search field, and Weinberg felt that he could create a browser plugin that might help eliminate the scourge of spammy search results in other search engines. 
To build an algorithm that weeded out bad search results, he first had to do it by hand. “I took a large sample of different pages and hand-marked them as ‘spam’ or ‘not spam.’” The process of scraping the web, Weinberg says, inadvertently earned him a visit from the FBI. “Once they realized I was just crawling the web, they just went away,” he says. He also experimented with creating a proto-Quora service that allowed anyone to pose a question and have it answered by someone else, as well as a free alternative to Meetup.com. Eventually, he combined facets of all three efforts into a full-on search engine. When Weinberg first launched DuckDuckGo in 2008 — the name is a wink to the children’s game of skipping over the wrong options to get to the right one — he differentiated his search engine by offering instant answers to basic questions (essentially an early open-source version of Google’s Answer Box), spam filtering, and highly customizable search results based on user preferences. “Those [were] things that early adopters kind of appreciated,” he says. At the time, Weinberg says, consumer privacy was not a central concern. In 2009, when he made the decision to stop collecting personal search data, it was more a matter of practicality than a principled decision about civil liberties. Instead of storing troves of data on every user and targeting those users individually, DuckDuckGo would simply sell ads against search keywords. Most of DuckDuckGo’s revenue, he explains, is still generated this way. The system doesn’t capitalize on targeted ads, but, Weinberg says, “I think there’s a choice between squeezing out every ounce of profit and making ethical decisions that aren’t at the expense of society.” Until 2011, Weinberg was DuckDuckGo’s sole full-time employee. That year, he pushed to expand the company. He bought a billboard in Google’s backyard of San Francisco that proudly proclaimed, “Google tracks you. 
We don’t.” (That defiant gesture and others like it were later parodied on HBO’s Silicon Valley.) The stunt paid off in spades, doubling DuckDuckGo’s daily search traffic. Weinberg began courting VC investors, eventually selling a minority stake in the company to Union Square Ventures, the firm that has also backed SoundCloud, Coinbase, Kickstarter, and Stripe. That fall, he hired his first full-time employee, and DuckDuckGo moved out of Weinberg’s house and into the strangest-looking office in all of Paoli, Pennsylvania. Then, in 2013, digital privacy became front-page news. That year, NSA contractor Edward Snowden leaked a series of documents to the Guardian and the Washington Post revealing the existence of the NSA’s PRISM program, which granted the agency unfettered access to the personal data of millions of Americans through a secret back door into the servers of Google, Yahoo, Facebook, Apple, and other major internet firms. Though Google denied any knowledge of the program, the reputational damage had been done. DuckDuckGo rode a wave of press coverage, enjoying placement in stories that offered data privacy solutions to millions of newly freaked-out people worried that the government was spying on them. “All of a sudden we were part of this international story,” Weinberg says. The next year, DuckDuckGo turned a profit. Shortly thereafter, Weinberg finally started paying himself a salary. Today, DuckDuckGo employs 55 people, most of whom work remotely from around the world. (On the day I visited, there were maybe five employees in the Paoli office, plus one dog.) This year, the company went through its second funding round of VC funding, accepting a $10 million investment from Canadian firm OMERS. 
Weinberg insists that both OMERS and Union Square Ventures are “deeply interested in privacy and restoring power to the non-monopoly providers.” Later, via email, Weinberg declined to share DuckDuckGo’s exact revenue, beyond the fact that its 2018 gross revenue exceeded $25 million, a figure the company has chosen to disclose in order to stress that it is subject to the California Consumer Privacy Act. Weinberg feels that the company’s main challenge these days is improving brand recognition. “I don’t think there’s many trustworthy entities on the internet, just straight-up,” he says. “Ads follow people around. Most people have gotten multiple data breaches. Most people know somebody who’s had some kind of identity theft issue. The percentage of people who’ve had those events happen to them has just grown and grown.” The recent investment from OMERS has helped cover the cost of DuckDuckGo’s new app, launched in January 2018. The app, a lightweight mobile web browser for iOS and Android that’s also available as a Chrome plugin, is built around the DuckDuckGo search engine. It gives each site you visit a letter grade based on its privacy practices and has an option to let you know which web trackers — usually ones from Google, Facebook, or Comscore — it blocked from monitoring your browsing activity. After you’ve finished surfing, you can press a little flame icon and an oddly satisfying animated fire engulfs your screen, indicating that you’ve deleted your tabs and cleared your search history. 
The rest of the recent investment, Weinberg says, has been spent on “trying to explain to people in the world that [DuckDuckGo] exists.” He continues, “That’s our main issue — the vast majority of people don’t realize there’s a simple solution to reduce their [online] footprint.” To that end, DuckDuckGo maintains an in-house consumer advocacy blog called Spread Privacy, offering helpful tips on how to protect yourself online as well as commentary and analysis on the state of online surveillance. Its most recent initiative was a study on how filter bubbles — the term for how a site like Google uses our data to show us what it thinks we want — can shape the political news we consume. Brand recognition is a challenge for a lot of startups offering privacy-focused digital services. After all, the competition includes some of the biggest and most prominent companies in the world: Google, Apple, Facebook. And in some ways, this is an entire new sector of the market. “Privacy has traditionally not been a product; it’s been more like a set of best practices,” says David Temkin, chief product officer for the Brave web browser. “Imagine turning that set of best practices into a product. That’s kind of where we’re going.” Like DuckDuckGo — whose search engine Brave incorporates into its private browsing mode — Brave doesn’t collect user data and blocks ads and web trackers by default. In 2018, Brave’s user base exploded from 1 million to 5.5 million, and the company reached a deal with HTC to be the default browser on the manufacturer’s upcoming Exodus smartphone. Temkin, who first moved out to the Bay Area in the early ’90s to work at Apple, says that the past two decades of consolidation under Google/Facebook/Netflix/Apple/Amazon have radically upended the notion of the internet as a safe haven for the individual. “It’s swung back to a very centralized model,” he says. “The digital advertising landscape has turned into a surveillance ecosystem. 
The way to optimize the value of advertising is through better targeting and better data collection. And, well, water goes downhill.” In companies such as Brave and DuckDuckGo, Temkin sees a return to the more conscientious attitude behind early personal computing. “I think to an ordinary user, [privacy] is starting to sound like something they do need to care about,” he says. But to succeed, these companies will have to make privacy as accessible and simple as possible. “Privacy’s not gonna win if it’s a specialist tool that requires an expert to wield,” Temkin says. “What we’re doing is trying to package [those practices] in a way that’s empathetic and respectful to the user but doesn’t impose the requirement for knowledge or the regular ongoing annoyance that might go with maintaining privacy on your own.” In November, I decided to switch my personal search querying to DuckDuckGo in order to see whether it was a feasible solution to my online surveillance woes. Physically making the switch is relatively seamless. The search engine is already an optional default in browsers such as Safari, Microsoft Edge, and Firefox, as well as more niche browsers such as Brave and Tor, the latter of which made DuckDuckGo its default search in 2016. Actually using the service, though, can be slightly disorienting. I use Google on a daily basis for one simple reason: It’s easy. When I need to find something online, it knows what to look for. To boot, it gives me free email, which is connected to the free word processor that my editor and I are using to work on this article together in real time. It knows me. It’s only when I consider the implications of handing over a digital record of my life to a massive company that the sense of free-floating dread about digital surveillance kicks in. Otherwise, it’s great. And that’s the exact hurdle DuckDuckGo is trying to convince people to clear. Using DuckDuckGo can feel like relearning to walk after you’ve spent a decade flying. 
On Google, a search for, say, “vape shop” yields a map of vape shops in my area. On DuckDuckGo, that same search returns a list of online vaporizer retailers. The difference, of course, is the data: Google knows that I’m in Durham, North Carolina. As far as DuckDuckGo is concerned, I may as well be on the moon. That’s not to say using DuckDuckGo is all bad. For one, it can feel mildly revelatory knowing that you’re seeing the same search results that anyone else would. It restores a sense of objectivity to the internet at a time when being online can feel like stepping into The Truman Show — a world created to serve and revolve around you. And I was able to look up stuff I wanted to know about — how to open a vacuum-sealed mattress I’d bought off the internet, the origin of the martingale dog collar, the latest insane thing Donald Trump did — all without the possibility of my search history coming back to haunt me in the form of ads for bedding, dog leashes, or anti-Trump knickknacks. Without personalized results, DuckDuckGo just needs to know what most people are looking for when they type in search terms and serve against that. And most of the time, we fit the profile of most people. When I asked Weinberg if he wanted to displace Google as the top search engine in all the land, he demurred. “I mean, I wouldn’t be opposed to it,” he says, “but it’s really not our intention, and I don’t expect that to happen.” Instead, he’d like to see DuckDuckGo as a “second option” to Google for people who are interested in maintaining their online anonymity. “Even if you don’t have anything to hide, it doesn’t mean you want people to profit off your information or be manipulated or biased against as a result [of that information],” he says. Even though DuckDuckGo may serve a different market and never even challenge Google head-on, the search giant remains its largest hurdle in the long term. For more than a decade, Google has been synonymous with search. 
And that association is hard, if not impossible, to break. In the meantime, the two companies are on frosty terms. In 2010, Google obtained the domain duck.com as part of a larger business deal in a company formerly known as Duck Co. For years, the domain would redirect to Google’s search page, despite seeming like something you’d type into your browser while trying to get to DuckDuckGo. After DuckDuckGo petitioned for ownership for nearly a decade, Google finally handed over the domain in December. The acquisition was a minor branding coup for DuckDuckGo — and a potential hedge against accusations of antitrust for Google. That doesn’t mean relations between the two companies have improved. As the Goliath in the room, Google could attempt to undercut DuckDuckGo’s entire business proposition. Over the past few years, even mainstream players have attempted to assuage our privacy anxieties by offering VPNs (Verizon), hosting “privacy pop-ups” (Facebook), and using their billions to fight against state surveillance in court (Microsoft). With some tweaks, Google could essentially copy DuckDuckGo wholesale and create its own privacy-focused search engine with many of the same protections DuckDuckGo has built its business on. As to whether people would actually believe that Google, a company that muscled its way into becoming an integral part of the online infrastructure by selling people’s data, could suddenly transform into a guardian of that data remains to be seen. When it comes to the internet, trust is something easily lost and difficult to regain. In a sense, every time a giant of the internet surveillance economy is revealed to have sold out its customers in some innovatively horrifying way, the ensuing chaos almost serves as free advertising for DuckDuckGo. “The world keeps going in a bad direction, and it makes people think, ‘Hey, I would like to escape some of the bad stuff on the internet and go to a safer place,’” Weinberg says. 
“And that’s where we see ourselves.” Source
  11. Google Chrome is the most popular browser in the world. Chrome routinely leads the pack in features for security and usability, most recently helping to drive the adoption of HTTPS. But when it comes to privacy, specifically protecting users from tracking, most of its rivals leave it in the dust. Users are more aware of, and concerned about, the harms of pervasive tracking than ever before. So why is Chrome so far behind? It’s because Google still makes most of its money from tracker-driven, behaviorally-targeted ads. The marginal benefit of each additional bit of information about your activities online is relatively small to an advertiser, especially given how much you directly give Google through your searches and use of tools like Google Home. But Google still builds Chrome as if it needs to vacuum up everything it can about your online activities, whether you want it to or not. In the documents that define how the Web works, a browser is called a user agent. It’s supposed to be the thing that acts on your behalf in cyberspace. If the massive data collection appetite of Google’s advertising- and tracking-based business model is incentivizing Chrome to act in Google’s best interest instead of yours, that’s a big problem—one that consumers and regulators should not ignore. Chrome is More Popular Than Ever. So is Privacy. Since Chrome’s introduction in 2008, its market share has risen inexorably. It now accounts for 60% of the browsers on the web. At the same time, the public has become increasingly concerned about privacy online. In 2013, Edward Snowden’s disclosures highlighted the links between massive, surreptitious corporate surveillance and the NSA’s spy programs. In 2016, the EU ratified the General Data Protection Regulation (GDPR), a sweeping (and complicated) set of guidelines that reflected a new, serious approach to data privacy. 
And in the U.S., this year’s Cambridge Analytica scandal sparked unprecedented backlash against Facebook and other big tech companies, driving states like California to pass real data privacy laws for the first time (although those laws are under threat federally by, you guessed it, Google and Facebook). Around the world, people are waking up to the realities of surveillance capitalism and the surveillance business model: the business of “commodifying reality,” transforming it into behavioral data, and using that data and inferences from it to target us on an ever-more granular level. The more users learn about this business model, the more they want out. That’s why the use of ad and tracker blockers, like EFF’s Privacy Badger, has grown dramatically in recent years. Their popularity is a testament to users’ frustration with the modern web: ads and trackers slow down the browsing experience, burn through data plans, and give people an uneasy feeling of being watched. Companies often justify their digital snooping by arguing that people prefer ads that are “relevant” to them, but studies show that most users don’t want their personal information to be used to target ads. All of this demonstrates a clear, growing demand for consumer privacy, especially as it relates to trackers on the web. As a result, many browser developers are taking action. In the past, tracker blockers have only been available as third-party “extensions” to popular browsers, requiring diligent users to seek them out. But recently, developers of major browsers have started building tracking protections into their own products. Apple’s Safari has been developing Intelligent Tracking Protection, or ITP, a system that uses machine learning to identify and stop third-party trackers; this year, the improved ITP 2.0 became the default for tens of millions of Apple users. Firefox recently rolled out its own tracking protection feature, which is on by default in private browsing windows. 
Opera ships with the option to turn on both ad and tracker blocking. Even the much-maligned Internet Explorer has a built-in “tracking protection” mode. Yet Google Chrome, the largest browser in the world, has no built-in tracker blocker, nor has the company indicated any plans to build one. Sure, it now blocks some intrusive ads, but that feature has nothing to do with privacy. The closest thing it offers to “private” browsing out-of-the-box is “incognito mode,” which only hides what you do from others who use your machine. That might hide embarrassing searches from your family, but does nothing to protect you from being tracked by Google. Conflicts of Interest Google is the biggest browser company in the world. It’s also the biggest search engine, mobile operating system, video host, and email service. But most importantly, it’s the biggest server of digital ads. Google controls 42% of the digital advertising market, significantly more than Facebook, its largest rival, and vastly more than anyone else. Its tracking codes appear on three quarters of the top million sites on the web. 86% of Alphabet’s revenue (Google’s parent company) comes from advertising. That means all of Alphabet has a vested interest in helping track people and serve them ads, even when that puts the company at odds with its users. Source: The EFF
  12. Microsoft’s Obscure ‘Self Service for Mobile’ Office Activation

Microsoft requires a product activation after installing. Users of Microsoft Office are currently facing trouble during telephone activation. After dealing with this issue, I came across another obscure behavior: Microsoft’s ‘Self Service for Mobile’ solution to activate Microsoft Office via mobile devices.

Microsoft describes how to activate Microsoft Office 2013, 2016 and Office 365 within this document. There are several possibilities to activate an installed product, via Internet or via telephone for instance. Activation by phone is required if the maximum Internet activation threshold is reached.

But Office activation by phone fails

Within my blog post Office Telephone activation is no longer supported error I’ve addressed the basic issue. If a user re-installs Office, the phone activation fails. The activation dialog box shows the message “Telephone activation is no longer supported for your product”. Microsoft has confirmed this issue for Office 2016 users having a non-subscriber installation. But users of Microsoft Office 2010 or Microsoft Office 2013 are also affected.

A blog reader posted a tip: Use Mobile devices activation…

I posted an article, Office 2010: Telefonaktivierung eingestellt? – Merkwürdigkeit II, about the Office 2010 telephone activation issue within my German blog, back in January 2017. Then a reader pointed me within a comment to a Self Service for Mobile website. The link http: // bit.ly/2cQPMCb, shortened by bit.ly, points to a website https: // microsoft.gointeract.io/mobileweb/… that provides an ability to activate Microsoft Office (see screenshot below). After selecting a 6 or 7 Digits entry, an activation window with numerical buttons to enter the installation id will be shown (see screenshots shown below). The user has to enter the installation id and receives the activation id – plain and simple.
Some users commented within my German blog that this feature works like a charm.

Obscurity, conspiracy, oh my God, what have they done?

I didn’t inspect the posted link until writing last Friday’s blog post Office Telephone activation is no longer supported error. My idea was to mention the “Self Service for Mobile” page within the new article. I managed to alter the link to direct it to the English Self Service for Mobile language service site. Suddenly I noticed that both the German and the English “Self Service for Mobile” sites use https, but are flagged as “unsecure” in Google Chrome (see the screenshot below, showing the German edition of this web page). The popup shown for the web site “Self Service for Mobile” says that there is mixed content (images) on the page, so it’s not secure. That caught my attention, and I started to investigate the details. Below are the details for the German version of the web site shown in Google Chrome (but the English web site has the same issues).

First of all, I noticed that the “Self Service for Mobile” site doesn’t belong to a microsoft.com domain – in my view a must for a Microsoft activation page. Inspecting the details, I found out that the site contains mixed content (an image contained within the site was delivered via http). The content of the site was also delivered by Cloudflare (I’ve never noticed that case for MS websites before). The image flagged in the mixed content issue was the Microsoft logo, shown within the site’s header, transferred via http. The certificate was issued by Go Daddy (a US company) and ends in March 2017. I’ve never noticed that Go Daddy belongs to Microsoft. I came across Go Daddy while analyzing a phishing campaign months ago. A compromised server, used as a relay by a phishing campaign, had been hosted (according to Whois records) by Go Daddy. But my takedown notice sent to Go Daddy has never been answered.
That set all the alarm bells ringing in my head, because it’s typical behavior used in phishing sites. My further findings didn’t calm the alarm bells in my head either. The subdomain microsoft used above doesn’t belong to a Microsoft domain; it points to a domain gointeract.io. Trying to obtain details about the owner of gointeract.io via WhoIs ended with the following record.

    Domain : gointeract.io
    Status : Live
    Expiry : 2021-03-14
    NS 1 : ns-887.awsdns-46.net
    NS 2 : ns-1211.awsdns-23.org
    NS 3 : ns-127.awsdns-15.com
    NS 4 : ns-1980.awsdns-55.co.uk
    Owner OrgName : Jacada
    Check for 'gointeract.sh' --- http://www.nic.sh/go/whois/gointeract.sh
    Check for 'gointeract.ac' --- http://www.nic.ac/go/whois/gointeract.ac

Pretty short, isn’t it? No Admin c, no contact person, and Microsoft isn’t mentioned at all, but the domain has been registered till 2021. The Owner OrgName Jacada was unknown to me. Searching the web didn’t give me more insights at first.

Overall, the whole site looks obscure to me. The tiny text, shown within the browser’s lower left corner, was a hyperlink. The German edition of the “Self Service for Mobile” site opens a French Microsoft site – the English site opens an English Microsoft site.

My first conclusion was: Hell, I was tricked by a phishing comment – somebody set up this site to grab installation ids of Office users. So I deactivated the link within the comment and I posted a warning within my German blog post not to use this “Self Service for Mobile” site. I also tried to contact the user who had posted the comment, via e-mail.

… but “Microsoft” provides these links …

User JaDz responded immediately in an additional comment, and wrote that the link shortened via bit.ly had been sent from Microsoft via SMS – after he tried the telephone activation and selected the option to activate via a mobile device. I hadn’t noticed that before – so my conclusion was: Hell, this obscure “Self Service for Mobile” site is indeed related to Microsoft.
Then I started a web search again, but this time with the keywords Jacada and Microsoft. Google showed several hits, pointing to the site jacada.com (see screenshot below). It seems that Jacada is a kind of service provider for several customers. I wasn’t able to find Microsoft within the customer references. But I know that Microsoft used external services for some activities. Now I suppose that somebody from Jacada set up the “Self Service for Mobile” activation site. The Ajax code used is obviously able to communicate with Microsoft’s activation servers and obtain an activation id. And Microsoft’s activation mechanism provides an option to send the bit.ly link via SMS.

Closing words: Security by obscurity?

At this point I was left really puzzled. We are not talking about a startup located within a garage. We are dealing with Microsoft, a multi-billion company that claims to run highly secured and trustworthy cloud infrastructures worldwide. But what’s left after we wipe off the marketing stuff?

The Office activation via telephone is broken (Microsoft confirmed that, after it was reported by customers!). A customer who needs to activate a legally owned, but re-installed, Microsoft Office is facing a nasty situation. Telephone activation is refused; the customer will be (wrongly) notified that this option is no longer supported. Internet activation is refused due to “too many online activations” – well done.

But we are not finished yet. They set up a “Self Service for Mobile” activation site in a way that is frequently used by phishers. They are sending links via SMS to this site, requesting users to enter sensitive data like install ids. A site that is using mixed content via https, and is displaying an activation id. In my eyes a security nightmare. But maybe I’ve overlooked or misinterpreted something. If you have more insights or an idea, or if my assumptions are wrong, feel free to drop a comment.
I will try to reach out and ask Microsoft for a comment about this issue.

Article in German
Source
Alternate Source reading - AskWoody: Born: Office activation site controlled by a non-Microsoft company
  13. Judge dismisses lawsuit accusing Facebook of tracking users’ activity, saying responsibility was on plaintiffs to keep browsing history private A judge has dismissed a lawsuit accusing Facebook of tracking users’ web browsing activity even after they logged out of the social networking site. The plaintiffs alleged that Facebook used the “like” buttons found on other websites to track which sites they visited, meaning that the Menlo Park, California-headquartered company could build up detailed records of their browsing history. The plaintiffs argued that this violated federal and state privacy and wiretapping laws. US district judge Edward Davila in San Jose, California, dismissed the case because he said that the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. Davila said that plaintiffs could have taken steps to keep their browsing histories private, for example by using the Digital Advertising Alliance’s opt-out tool or using “incognito mode”, and failed to show that Facebook illegally “intercepted” or eavesdropped on their communications. “Facebook’s intrusion could have easily been blocked, but plaintiffs chose not to do so,” said Davila, who dismissed an earlier version of the five-year-old case in October 2015. Clicking on the Facebook “like” button on a third party website – for example, theguardian.com – allows people to share pieces of content to Facebook without having to copy and paste the link into a status update on the social network. When a user visits a page with an embedded “like” button, the web browser sends information to both Facebook and the server where the page is located. “The fact that a user’s web browser automatically sends the same information to both parties does not establish that one party intercepted the user’s communication with the other,” said Davila. 
The plaintiffs cannot bring privacy and wiretapping claims again, Davila said, but can pursue a breach of contract claim again. Australian internet security blogger Nik Cubrilovic first discovered that Facebook was apparently tracking users’ web browsing after they logged off in 2011. Responding to Cubrilovic, Facebook engineer Gregg Stefancik confirmed that Facebook has cookies that persist after log-out as a safety measure (to prevent others from trying to access the account) but that the company does not use the cookies to track users or sell personal information to third parties. However, in 2014 Facebook started using web browsing data for delivering targeted “interest-based” advertising – which explains why you see ads for products you have already been looking at online appear in your Facebook feed. To address privacy concerns, Facebook introduced a way for users to opt out of this type of advertising targeting from within user settings. “We are pleased with the court’s ruling,” said a Facebook spokeswoman. Source
  14. I've noticed "client_test/0.16.15.0" appearing as a "client" on some of my seeds. It does not download anything, but hangs out for hours, so I did a lookup on the IP addresses, which vary a bit. All come back the same.

      Registrant Name: Legal Department
      Registrant Organization: Amazon.com, Inc.
      Registrant Street: PO BOX 81226
      Registrant City: Seattle
      Registrant State/Province: WA

      I'm the sole seeder of some of these old media files. I'm surprised they even care. Does this mean Amazon loves me, or what? Should I expect chocolates or a SWAT team? :(
  15. Firefox: Always Open Site In Container Tab Mozilla added a much-requested feature to Firefox's Container Tabs experiment recently that enables you to always open sites in a specific container. Container Tabs is an upcoming feature of the Firefox web browser that is available as a Test Pilot experiment, and in Firefox Nightly. Mozilla launched the Container Tabs experiment a couple of months ago as a Test Pilot experiment. We already talked about the feature in 2016 when it was revealed for the first time. Called Containers back then, it allowed participants to load websites in containers. A container is a closed environment which uses custom storage for some data to separate it from the main Firefox data storage and other containers. This is useful for quite a few things, for instance to limit tracking, sign in to the same Web service at the same time in the same browser window, or to separate work from entertainment websites. Firefox: Always open site in Container Tab In the closing words under the original article here on Ghacks, I mentioned that I'd like to see Mozilla add features to Container Tabs that I think would improve the feature significantly. Among the features was a request to restrict sites to certain containers. This made sense in my opinion, as it would allow you to load bank websites in the security container, work-related sites and services in the work container, and so on. Mozilla has added the functionality to the latest version of the Container Tabs experiment. Note that this feature has not landed yet in the Firefox Nightly implementation of Containers. A small informational panel is opened when you click on the Container Tabs icon in the Firefox toolbar after installation or update of the add-on in the browser. It highlights that the "always open sites in the containers you want" option is now available. To use it, you right-click inside a container tab to assign it to the loaded container.
You may also right-click on the Container Tabs icon in the Firefox toolbar to check the option as well. A prompt is loaded next time you load the site in Firefox. In fact, this prompt is loaded each time you open the site, unless you check the "remember my decision for this site" option. If you check the box, the prompt is not displayed anymore. You can disable the loading of a site in a container tab by right-clicking either on the site or on the icon while the site is loaded in the active tab. Verdict Mozilla continues its work on the upcoming Container Tabs feature. While it is still possible that the feature won't land in Firefox, it seems very likely that it will land eventually. My hope is that Mozilla will address my other feature requests, especially the option to clear data only in a single container tab, as well in future updates. (via Sören Hentzschel) Now You: What is your take on the improvement and Container Tabs in general? Source
  16. Chrome: Sites May Record Audio/Video Without Indication Websites may abuse WebRTC in Google Chrome to record audio or video using the technology without any indication of that to the user. A security vulnerability was reported to Google on April 10, 2017 which allows an attacker to record audio or video using Chrome without indication. Most modern web browsers support WebRTC (Web Real-Time Communications). One of the benefits of WebRTC is that it supports real-time communication without the use of plugins. This includes options to create audio and video chat services, p2p data sharing, screen sharing, and more using the technology. There is also a downside to WebRTC, as it may leak local IP addresses in browsers that support WebRTC. You can protect the IP address from being revealed in Firefox, Chrome and Vivaldi, for instance. The reported vulnerability affects Chrome but it may affect other web browsers as well. For it to work, you'd have to visit a site and allow it to use WebRTC. The site that wants to record audio or video would then spawn a JavaScript window without a header, a pop-under or pop-up window for instance. It can then record audio or video, without giving indications in Chrome that this is happening. Chrome displays recording indicators usually in the tab that uses the functionality, but since the JavaScript window is headerless, nothing is shown to the user. A proof of concept was created which you find linked on the Chromium Bugs website. All you need to do is click on two buttons, and allow the site to use WebRTC in the web browser. The proof of concept demo records audio for 20 seconds, and gives you an option afterwards to download the recording to the local system. A Chromium team member confirmed the existence of the issue, but did not want to call it a vulnerability. The explanation does not make a whole lot of sense to me.
Because Android does not show an indicator in the first place, and Chrome on the desktop only if enough interface space is available, it is not a security vulnerability? At the very least, it is a privacy issue and something that users need to be aware of. While users do have to trust sites enough to give them permissions to use WebRTC, that and the fact that the site needs to launch a popup window are the only things needed to exploit this. Google may improve the situation in the future, but users are on their own right now when it comes to that. The best form of protection is to disable WebRTC which can be done easily if you don't require it, the second best to allow only trusted sites to use WebRTC. If you allow a site to use WebRTC, you may want to look out for any other windows that it may spawn afterwards on top of that. Now You: Do you use services or apps that use WebRTC? Source
  17. Both paid and unpaid apps can track your data. The apps pictured may not - but it’s hard to know which do and which don’t. Anyone who spends much time online knows the saying: “If you’re not paying, you’re the product”. That’s not exactly correct. On the internet, you’re nearly always the product. And while most internet users know that some of their personal data is being collected and monetised, few are aware of the sheer scale of the issue, particularly when it comes to apps. In fact, our research suggests a majority of the top 100 paid and free Google Play apps in Australia, Brazil, Germany and the US contain at least one tracker. This means data could be collected for advertising networks as well as for payment providers. This is just the beginning. As voice-activated intelligent assistants like Siri or Google Now evolve and replace the need for apps on our smartphones, the question of what is being done with our data will only grow more complicated. Nothing is free The difference between what apps actually do with user data and what users expect them to do was apparent in the recent Unroll.Me scandal. Unroll.Me is a free online service that cleans email inboxes by unsubscribing the user from unnecessary emails. But many were dismayed when the company was recently discovered to be monetising their mail content. For example, Unroll.Me was reportedly looking for receipts of the ridesharing company Lyft in user emails and selling that information to Uber. Unroll.Me’s CEO apologised, saying the company needed to do a better job of disclosing its use of data. But who is in the wrong? Consumers for thinking they were getting a service for free? Or the service provider, who should inform customers of what they’re collecting? The question is even more intriguing when it comes to mobile apps.
In fact, compared to online services that usually access a few facets of a user’s personal profile, mobile apps can conveniently tap into a range of personal data such as location, message content, browser history and app installation logs. They do this using third-party libraries embedded in their code, and these libraries can be very intrusive. How libraries work Libraries are third-party trackers used by app developers so they can integrate their products with external services. These may include advertising networks, social media platforms and payment gateways such as Paypal, as well as tools for tracking bugs and crashes. In our study, carried out in 2015, we analysed tracking libraries in the top-100 free and top-100 paid apps in Australia, Brazil, Germany and the US, revealing some concerning results. Approximately 90% of the top free apps and 60% of the top paid apps in Google Play Store had at least one embedded tracker. For both free and paid apps in the study, Google Ads and Flurry were the two most popular trackers and were integrated with more than 25% of the apps. Other frequently observed libraries include Chartboost, Millennial Media, Google Analytics and Tapjoy. The top trackers were also likely to be present in more than one app, meaning these libraries receive a rich dataset about the user. A summary of the study of top-100 free and paid apps in Google Play Store. NICTA, Author provided Of course, these numbers could have changed in the two years since our research was published, although recent studies suggest the trend has largely continued. It’s also possible these libraries are present without collecting data, but it’s nonetheless disturbing to see the presence of so many trackers in paid apps that have an alternative business model. What lies ahead? So what can you do if you don’t want to be tracked?
Use your judgement when giving apps permission to access your data by first asking questions such as, “does this game really need to know my phone number?” Consider using mobile anti-virus and privacy advisory apps such as Lookout Security & Antivirus, Mobile Security and Antivirus, and PrivMetrics (this app is a beta release by Data61). Ultimately, however, these solutions barely touch the surface of a much larger issue. In the near future, apps may be replaced by built-in services that come with a smartphone’s operating system. The intelligent personal assistant by Google, Google Now, for example, could eliminate the need for individual transport, messenger, news and weather apps, as well as some financial apps. These services, otherwise known as aggregator platform services, could build extensive profiles that cover several aspects of our online and offline behaviour. When used, they have access to an incredibly broad range of our activities, not to mention our location. Still, app users have so far been willing to exchange their data for convenience. There’s little reason to believe that trend will not continue. Article source
  18. New Vault 7 leaks show CIA can install persistent malware on OS X and iOS devices A new trove of documents belonging to WikiLeaks’ Vault 7 leaks, dubbed “Dark Matter”, reveals that Apple devices including Macs and iPhones have been compromised by the CIA. They are affected by firmware malware, meaning that even a re-installation of the operating system will not fix the device. The CIA’s Embedded Development Branch (EDB) have created several tools for exploiting Apple devices; these include:
      • Sonic Screwdriver – allows an attacker to boot its malware from peripheral devices such as a USB stick.
      • DarkSeaSkies – is an “implant” that persists in the EFI firmware of MacBook Air computers. It consists of “DarkMatter”, “SeaPea” and “NightSkies” which affect EFI, kernel-space, and user-space respectively.
      • Triton – macOS malware.
      • Dark Mallet – Triton infector.
      • DerStake – EFI-persistent version of Triton.
      The documents show that DerStake was at version 1.4 as of 2013, but other documents show that as of 2016, the CIA was working on DerStake 2.0. According to WikiLeaks, NightSkies can infect Apple iPhones; the organisation said what’s noteworthy is that NightSkies has been able to infect iPhones since 2008. The CIA documents say NightSkies is a “beacon/loader/implant tool”. It is “expressly designed” to be physically installed onto factory fresh iPhones, meaning the CIA has been intercepting the iPhone supply chain of its targets since at least 2008. "Dark Matter" is just the latest release of documents from the wider Vault 7 leaks; more CIA documents are expected in the future. Main Source: WikiLeaks Source
  19. Facebook Bans Devs From Creating Surveillance Tools With User Data Without a hint of irony, Facebook has told developers that they may not use data from Instagram and Facebook in surveillance tools. The social network says that the practice has long been a contravention of its policies, but it is now tidying up and clarifying the wording of its developer policies. American Civil Liberties Union, Color of Change and the Center for Media Justice put pressure on Facebook after it transpired that data from users' feeds was being gathered and sold on to law enforcement agencies. The re-written developer policy now explicitly states that developers are not allowed to "use data obtained from us to provide tools that are used for surveillance." It remains to be seen just how much of a difference this will make to the gathering and use of data, and there is nothing to say that Facebook's own developers will not continue to engage in the same practices. Deputy chief privacy officer at Facebook, Rob Sherman, says: Transparency reports published by Facebook show that the company has complied with government requests for data. The secrecy such requests and dealings are shrouded in means that there is no way of knowing whether Facebook is engaged in precisely the sort of activity it is banning others from performing. Source
  20. Security flaws smash worthless privacy protection Analysis To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values. In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers. It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into an affiliate shop with the same creepy system present. This could be used to alert assistants, or to follow people from department to department, store to store, and then sell that data to marketers and ad companies. Public wireless hotspots can do the same. Transport for London in the UK, for instance, used these techniques to study Tube passengers. Regularly changing a device's MAC address is supposed to defeat this tracking. But it turns out to be completely worthless, due to a combination of implementation flaws and vulnerabilities. That and the fact that MAC address randomization is not enabled on the majority of Android phones. In a paper published on Wednesday, US Naval Academy researchers report that they were able to "track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames." Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also identify several alternative deanonymization techniques that work against certain types of devices.
Cellular radio hardware has its own set of security and privacy issues; these are not considered in the Naval Academy study, which focuses on Android and iOS devices. Each 802.11 network interface in a mobile phone has a 48-bit MAC address layer-2 hardware identifier, one that's supposed to be persistent and globally unique. Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to buy a block of MAC addresses for their networking products: the manufacturer is assigned a three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional three-byte identifier that can be set to any value. Put those six bytes together, and you've got a 48-bit MAC address that should be globally unique for each device. The IEEE's registration system makes it easy to identify the maker of a particular piece of network hardware. The IEEE also provides the ability to purchase a private OUI that's not associated with a company name, but according to the researchers "this additional privacy feature is not currently used by any major manufacturers that we are aware of." Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses can be used in situations where global uniqueness is not required. These CID numbers tend to be used for MAC address randomization and are usually transmitted when a device unassociated with a specific access point broadcasts 802.11 probe requests, the paper explains. The researchers focused on devices unassociated with a network access point – as might happen when walking down the street through various Wi-Fi networks – rather than those associated and authenticated with a specific access point, where the privacy concerns differ and unique global MAC addresses come into play.
Unmasking Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol can be used to reverse engineer a device's globally unique MAC address through a technique called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study builds upon that work by focusing on randomized MAC address implementations. The researchers found that "the overwhelming majority of Android devices are not implementing the available randomization capabilities built into the Android OS," which makes such Android devices trivial to track. It's not clear why this is the case, but the researchers speculate that 802.11 chipset and firmware incompatibilities might be part of it. Samsung v Apple Surprisingly, Samsung devices, which accounted for 23 per cent of the researchers' Android data set, show no evidence of implementing MAC address randomization. Apple, meanwhile, introduced MAC address randomization in iOS 8, only to break it in iOS 10. While the researchers were evaluating devices last year, Apple launched iOS 10 and changed its network probe broadcasts to include a distinct Information Element (IE), data added to Wi-Fi management frames to extend the Wi-Fi protocol. "Inexplicably the addition of an Apple vendor-specific IE was added to all transmitted probe requests," the paper explains. "This made identification of iOS 10 Apple devices trivial regardless of the use of MAC address randomization." This shortcoming aside, Apple handles randomization correctly, in the sense that it properly randomizes the full 48-bits available for MAC addresses (with the exception of the Universal/Local bit, set to distinguish between global MAC addresses and the local ones used for randomization, and the Unicast/Multicast Bit).
The researchers find this interesting because the IEEE charges a fee for using the first three bytes of that space for CID prefixes, "meaning that Apple is freely making use of address space that other companies have paid for." In a phone interview with The Register, Travis Mayberry, assistant professor at the US Naval Academy and one of the paper's co-authors, expressed surprise that something like 70 per cent of Android phones tested did not implement MAC address randomization. "It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was supposed to do." 'Closest to being pretty good' Apple, meanwhile, fared better in terms of effort, though not results. "Apple is the closest to being pretty good," Mayberry said, but noted that Apple devices, despite the advantage of hardware consistency, are still vulnerable to an RTS (Request to Send) attack. Sending RTS frames to an Apple phone forces the device to reveal its global unique MAC address, rather than the randomized one normally presented to the hotspot. "No matter how hard you try, you can't defend against that because it's a property of the wireless chip itself," said Mayberry. There was a single Android phone that fared well. "The one Android phone that was resistant to our passive attacks was the CAT S60 which is some kind of 'tough' phone used on construction sites and the like," Mayberry explained in an email. "It did not have a recognizable fingerprint and did not ever transmit its global MAC except when associating. It was still vulnerable to our active RTS attack though, since like I said, that is a problem with the actual chips and affects every phone." Mayberry was at a loss to explain why Apple shot itself in the foot by adding a trackable identifier to a system that previously worked well.
"I initially thought it might be to support some of the 'continuity' features where multiple Apple devices can discover and exchange stuff like open browser tabs and clipboard contents but that came out in earlier versions of iOS," he said. "It also might be linked to the HomeKit features that they added in iOS to control IoT devices. Basically it would have to be to purposefully identify and discover other Apple devices that are not associated, otherwise we wouldn't see it in probe requests. All of this is pure speculation though and we really don't have a strong reason for it." Mayberry said he hoped the research would help the industry understand the consequences of everyone doing things differently. There's no generally accepted way to handle MAC address randomization. "There are so many phones not using it," he said. "There should be a standard." By Thomas Claburn https://www.theregister.co.uk/2017/03/10/mac_address_randomization/
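The address layout the article describes (a three-byte OUI or CID prefix, plus the Universal/Local and Unicast/Multicast bits in the first octet) can be checked mechanically against addresses seen in a capture of your own devices. The Python below is an added example, not code from the article or the paper; the function names are assumptions and the sample addresses are constructed.

```python
import re
from collections import Counter

# Six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six raw bytes."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))


def classify(text):
    """Classify one address by the two flag bits of its first octet."""
    octets = parse_mac(text)
    first = octets[0]
    multicast = bool(first & 0x01)  # Unicast/Multicast bit (least significant)
    local = bool(first & 0x02)      # Universal/Local bit (second least significant)
    if multicast:
        kind = "multicast"          # group address, not a device identifier
    elif local:
        kind = "local"              # locally administered: randomized or CID-based
    else:
        kind = "global"             # OUI-based, persistent hardware identifier
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "prefix": ":".join(f"{b:02x}" for b in octets[:3]),
        "kind": kind,
    }


def audit(addresses):
    """Summarise source addresses, e.g. taken from captured probe requests.

    'global' lists persistent identifiers that were exposed.
    'shared_local_prefixes' lists three-byte prefixes reused by several
    local addresses, which points to a fixed prefix with only the lower
    three bytes randomized rather than all 46 free bits.
    A 'local' result does not mean the device is untrackable; the article
    describes other ways randomized devices are still identified.
    """
    seen = {}
    for address in addresses:
        info = classify(address)
        seen[info["mac"]] = info    # de-duplicate on the canonical form
    local = [i for i in seen.values() if i["kind"] == "local"]
    prefix_counts = Counter(i["prefix"] for i in local)
    return {
        "global": sorted(m for m, i in seen.items() if i["kind"] == "global"),
        "local": len(local),
        "multicast": sum(1 for i in seen.values() if i["kind"] == "multicast"),
        "shared_local_prefixes": {p: n for p, n in prefix_counts.items() if n > 1},
    }


# Constructed sample input, not taken from any real capture.
SAMPLE_PROBE_SOURCES = [
    "00:11:22:33:44:55",  # universal bit clear: globally unique address
    "00-11-22-33-44-55",  # same address, different notation
    "02:aa:bb:10:20:30",  # local, fixed prefix
    "02:AA:BB:9c:4d:e1",  # local, same prefix again
    "6e:13:9f:4c:01:d2",  # local, no repeated prefix
    "b2:7f:00:9a:3e:51",  # local, no repeated prefix
    "01:00:5e:00:00:fb",  # multicast group address
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROBE_SOURCES).items():
        print(f"{key}: {value}")
```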
  21. How To Stop Everyone Tracking You On The Web It’s no secret that there’s big money to be made in violating your privacy. Companies will pay big bucks to learn more about you, and service providers on the web are eager to get their hands on as much information about you as possible. So what do you do? How do you keep your information out of everyone else’s hands? Here’s a guide to surfing the web while keeping your privacy intact. The adage goes, “If you’re not paying for a service, you’re the product, not the customer”, and it’s never been more true. Every day more news breaks about a new company that uploads your address book to their servers, skirts in-browser privacy protection, and tracks your every move on the web to learn as much about your browsing habits and activities as possible. In this post, we’ll explain why you should care, and help you lock down your surfing so you can browse in peace. Why You Should Care Your personal information is valuable. More valuable than you might think. When we originally published our guide to stop Facebook from tracking you around the web, some people cried “So what if they track me? I’m not that important/I have nothing to hide/they just want to target ads to me and I’d rather have targeted ads over useless ones!” To help explain why this is short-sighted and a bit naive, let me share a personal story. Before I joined the Lifehacker team, I worked at a company that traded in information. Our clients were huge companies and one of the services we offered was to collect information about people, their demographics, income and habits, and then roll it up so they could get a complete picture about who you are and how to convince you to buy their products. In some cases, we designed websites and campaigns to convince you to provide even more information in exchange for a coupon, discount or the simple promise of either of those. It works very, very well. 
The real money is in taking your data and shacking up with third parties to help them come up with new ways to convince you to spend money, sign up for services and give up more information. Relevant ads are nice, but the real value in your data exists where you won’t see it until you’re too tempted by the offer to know where it came from, whether it’s a coupon in your mailbox or a new daily deal site with incredible bargains tailored to your desires. It all sounds good until you realise the only thing you have to trade for such “exciting” bargains is everything personal about you: your age, income, family’s ages and income, medical history, dietary habits, favourite websites, your birthday… the list goes on. It would be fine if you decided to give up this information for a tangible benefit, but you may never see a benefit aside from an ad, and no one’s including you in the decision. Here’s how to take back that control. How to Stop Trackers from Following Where You’re Browsing with Chrome If you’re a Chrome user, there are tons of great add-ons and tools designed to help you uncover which sites transmit data to third parties without your knowledge, which third parties are talking about you, and which third parties are tracking your activity across sites. This list isn’t targeted to a specific social network or company — instead, these extensions can help you with multiple offenders.
◾Adblock Plus — We’ve discussed AdBlock Plus several times, but there’s never been a better time to install it than now. For extra protection, one-click install the Antisocial subscription for AdBlock. With it, you can banish social networks like Facebook, Twitter, and Google+ from transmitting data about you after you leave those sites, even if the page you visit has a social plugin on it.
◾Ghostery — Ghostery does an excellent job at blocking the invisible tracking cookies and plug-ins on many websites, showing it all to you, and then giving you the choice whether you want to block them one-by-one, or all together so you’ll never worry about them again. The best part about Ghostery is that it’s not just limited to social networks, but will also catch and show you ad-networks and web publishers as well.
◾ScriptNo for Chrome — ScriptNo is much like Ghostery in that any scripts running on any site you visit will sound its alarms. The difference is that while Ghostery is a bit more exclusive about the types of information it alerts you to, ScriptNo will sound the alarm at just about everything, which will break a ton of websites. You’ll visit the site, half of it won’t load or work, and you’ll have to selectively enable scripts until it’s usable. Still, its intuitive interface will help you choose which scripts on a page you’d like to allow and which you’d like to block without sacrificing the actual content on the page you’d like to read.
◾Do Not Track Plus — The “Do Not Track” feature that most browsers have is useful, but if you want to beef them up, the previously mentioned Do Not Track Plus extension puts a stop to third-party data exchanges, like when you visit a site like ours that has Facebook and Google+ buttons on it. By default, your browser will tell the network that you’re on a site with those buttons — with the extension installed, no information is sent until you choose to click one. Think of it as opt-in social sharing, instead of all-in.
Ghostery, AdBlock Plus and Do Not Track are the ones you’ll need the most. ScriptNo is a bit more advanced and may take some getting used to. In addition to installing extensions, make sure you practise basic browser maintenance that keeps your browser running smoothly and protects your privacy at the same time.
Head into Chrome’s Advanced Content Settings, and make sure you have third-party cookies blocked and all cookies set to clear after browsing sessions. Log out of social networks and web services when you’re finished using them instead of just leaving them perpetually logged in, and use Chrome’s “Incognito Mode” whenever you’re concerned about privacy. How to Stop Trackers from Following Where You’re Browsing with Firefox Many of the essential privacy extensions for Firefox are from the same developers who made their Chrome counterparts, and they work in similar fashion.
◾Adblock Plus — AdBlock Plus is just as essential in Firefox as it is in Chrome, as is the Antisocial subscription, which you can install at the Antisocial site. The extension and the subscription together are a powerful combination to remove annoying ads from sites you love, retain the ones that don’t bother you, and keep ads and plug-ins from sending data about you without your explicit consent.
◾Ghostery — Ghostery is also available for Firefox, and gives you the same information about the scripts, cookies and trackers under every site you visit. Click the icon in your status bar to see what information a given site is collecting and sending about you, and you can pick and choose what to allow or what to block.
◾Do Not Track Plus — Do Not Track Plus is also available for Firefox, and works the same way as the Chrome version.
◾NoScript — NoScript is a great extension and provides you an incredible amount of information about what’s happening behind the scenes on any site that you visit — the trouble with it is that that information can be overwhelming, and if you don’t allow certain things, the site simply won’t work until you do. I have a bit of a love/hate relationship with NoScript for that reason, but if you’re serious about not letting anything run on a site without your permission, this is the tool for you.
◾Priv3 — Although it’s only available for Firefox, this experimental extension from researchers at Rutgers University and the International Computer Science Institute (ICSI) will protect you from third-party cookies set by Facebook, Twitter, Google+ and LinkedIn. We’ve mentioned it before, and I still have it installed myself. Like Do Not Track Plus, it doesn’t remove elements from a page — it simply makes them inactive until you interact with them.

We’d say Ghostery, AdBlock Plus and Priv3 are the essentials here. Do Not Track Plus and Priv3 cover some of the same territory, so you can go either way there, and as with Chrome, NoScript is for advanced users looking for more granular control.

Firefox’s “Do Not Track” feature is worth enabling as well, even if many sites circumvent it with well-placed cookies and social plug-ins that are all but required if a site wants a social media presence or solid placement in search results these days. Additionally, make yourself familiar with Firefox’s privacy and content settings. As with any browser, we suggest you log out of services when you’re finished, and set Firefox to clear your private data, cookies and browsing history when you close the browser. If you’re more worried about some sites than others, you can always just clear those cookies when you log out.

How to Stop Trackers from Following Where You’re Browsing with Internet Explorer, Safari and Opera

Firefox and Chrome may get the spotlight in the browser wars, but those of you using Safari, IE or Opera aren’t totally safe just by virtue of your browser choice. Just this week, Google was caught with its hands in the cookie jar (no pun intended) circumventing cookie protection controls in Internet Explorer 9. Nik Cubrilovic has an excellent writeup of the situation, and he points out that they’re not alone by any means. In response, Microsoft has published a tracking protection add-in for IE9 to stop them.
Regardless of your browser, the same types of basic maintenance we mentioned are in order. Do Not Track Plus is available for Safari and IE users, and there’s a special build of AdBlock for Safari, for Opera, and even for Internet Explorer. NoScript or ScriptNo fans can use NotScripts for Opera to get the same effect. These are a few examples, but look around — it’s likely that while some of the extensions mentioned above may not be available for your preferred browser, someone’s taken the initiative to write a similar add-on that gets the job done.

Mobile Browsing

Mobile browsing is a new frontier. There are dozens of mobile browsers, and even though most people use the one included on their device, there are few tools to protect your privacy by comparison to the desktop. Check to see if your preferred browser has a “privacy mode” that you can use while browsing, or when you’re logged in to social networks and other web services. Try to keep your social network use inside the apps developed for it, and — as always — make sure to clear your private data regularly. Some mobile browsers have private modes and the ability to automatically clear your private data built in, like Firefox for Android, Atomic Web Browser, and Dolphin Browser for both iOS and Android. Considering Dolphin is our pick for the best Android browser and Atomic is our favourite for iOS, they’re worth downloading.

Extreme Measures

If none of these extensions make you feel any better, or you want to take protecting your privacy and personal data to the next level, it’s time to break out the big guns. One tip that came up during our last discussion about Facebook was to use a completely separate web browser just for logged-in social networks and web services, and another browser for potentially sensitive browsing, like your internet shopping, banking and other personal activities.
If you have some time to put into it, check out our guide to browsing without leaving a trace, which was written for Firefox, but can easily be adapted to any browser you use.

If you’re really tired of companies tracking you and trading in your personal information, you always have the option to just provide false information. The same way you might give a fake phone number or address to a supermarket card sign-up sheet, you can scrub or change personal details about yourself from your social network profiles, Google accounts, Windows Live account and others. Change your birthday or your first name. Set your phone number a digit off, or omit your apartment number when asked for your street address. We’ve talked about how to disappear before; also carefully examine the privacy and account settings for the web services you use. Keep in mind that some of this goes against the terms of service for those companies and services — they have a vested interest in knowing the real you, after all, so tread carefully and tread lightly if you want to go the “make yourself anonymous” route. Worst case, start closing accounts with offending services, and migrate to other, more privacy-friendly options.

These are just a few tips that won’t significantly change your browsing experience, but can go a long way toward protecting your privacy. This issue isn’t going anywhere, and as your personal information becomes more valuable and there are more ways to keep it away from prying eyes, you’ll see more news of companies finding ways to eke out every bit of data from you and the sites you use. Some of these methods are more intrusive than others, and some of them may turn you off entirely, but the important thing is that they all give you control over how you experience the web. When you embrace your privacy, you become engaged with the services you use. With a little effort and the right tools, you can make the web more opt-in than it is opt-out.
http://www.lifehacker.com.au/2012/02/how-to-stop-everyone-tracking-you-on-the-web/