Privacy Roundup #0051 • October 2010

October 2010 was dominated by Google's admission that its Street View cars had grabbed emails and passwords, by leaky social apps handing user identifiers to advertisers, and by Firesheep laying bare the perils of unencrypted web sessions.

1. Facebook apps leaked user identifiers to advertisers and trackers

A Wall Street Journal investigation found that the ten most popular Facebook applications, including FarmVille, were passing unique user IDs to dozens of advertising and tracking firms. The EFF argued that the leak proved Facebook could not enforce the privacy promises it had made only months earlier.

www.eff.org

2. Rapleaf admitted passing Facebook IDs to advertising networks

The data broker Rapleaf conceded that it had transmitted Facebook and MySpace user identifiers to advertising networks, then cross-referenced them against dossiers it sold to marketers. The company said it had stopped the practice and would delete the Facebook IDs it had gathered.

www.pcworld.com

3. Google admitted Street View cars grabbed emails, URLs and passwords

Google conceded that its Street View vehicles had captured whole emails, web addresses and passwords from unsecured Wi-Fi networks across some thirty countries. Senior vice-president Alan Eustace said the company was mortified and would delete the payload data as soon as possible.

www.theregister.com

4. Canada ruled Google Street View breached its privacy law

Canada's Privacy Commissioner determined that Google had violated Canadian privacy law by collecting complete emails, usernames, passwords and other personal data over open Wi-Fi networks. The commissioner attributed the collection to a careless engineering error and set February 2011 as the deadline for remedies.

www.cbc.ca

5. Spain filed suit against Google over Street View Wi-Fi capture

The Spanish Data Protection Agency brought a case against Google for five alleged violations of Spanish law arising from the Street View Wi-Fi collection. The agency said Google had gathered and stored personal data transmitted over open networks, including identifiers tied to subscribers' real names.

www.indexoncensorship.org

6. FTC closed its Google Street View inquiry without penalty

The Federal Trade Commission ended its investigation into Google's Wi-Fi collection after the company pledged to delete the data and strengthen its privacy practices. Officials accepted Google's commitments, including the appointment of a privacy director, and imposed no fine.

searchengineland.com

7. Firesheep made session hijacking trivial for anyone on open Wi-Fi

Seattle developer Eric Butler released Firesheep, a Firefox extension that let bystanders on the same network seize logged-in sessions for Facebook, Twitter and other sites that did not encrypt their cookies. The tool was downloaded more than a hundred thousand times within a day of its debut.

techcrunch.com

The Register explained how Firesheep exploited the common practice of encrypting only the login page while leaving the rest of a session in the clear. Butler said he had published the tool precisely to pressure websites into adopting encryption across entire sessions.

www.theregister.com

9. EFF urged sites to deploy sitewide HTTPS in response to Firesheep

The EFF said the lesson of Firesheep was that websites must encrypt whole sessions rather than just the login form. The group noted that tens of thousands of people installed its HTTPS Everywhere extension in the days after the tool appeared.

www.eff.org

10. Schneier called for sitewide encryption to defeat sidejacking

Bruce Schneier wrote that Firesheep had simply made a long-standing session hijacking risk visible to ordinary users. His remedy was straightforward: be outraged that major sites failed to enforce HTTPS at all times, and encrypt entire sessions.

www.schneier.com

11. MySpace apps were caught sending user IDs to advertisers

A further Wall Street Journal report found that several MySpace applications, including GreenSpot and RockYou Pets, were transmitting user identifiers to advertising firms. MySpace acknowledged that some developers had breached its terms and said it would act against them.

www.helpnetsecurity.com

12. Senator Rockefeller pressed Facebook and MySpace over the leaks

Senate Commerce Committee chairman Jay Rockefeller wrote to Facebook and MySpace demanding answers after the Wall Street Journal reports about leaked user identifiers. He said the disclosures raised serious questions about whether the sites enforced their own privacy policies.

thehill.com

13. Facebook launched a download your information tool

At an event in Palo Alto, Mark Zuckerberg unveiled a feature letting users export their photos, messages, wall posts and friend lists as a single archive. Facebook framed the tool as a way for people to take their own data with them.

techcrunch.com

14. Zynga hit with lawsuit over Facebook privacy breach

A Facebook user filed a class action against Zynga, the maker of FarmVille, alleging that the company had passed unique Facebook identifiers belonging to some 218 million people to advertisers and data brokers. The complaint argued that the transfers broke federal law as well as Zynga's own agreement with Facebook.

www.pcworld.com

15. WikiLeaks released the Iraq War Logs

WikiLeaks published nearly four hundred thousand United States Army field reports, the largest classified military leak to that date. The documents recorded tens of thousands of previously unreported civilian deaths and accounts of abuse, raising sharp questions about secrecy and accountability.

www.npr.org

16. Analysts dissected the Stuxnet worm targeting industrial controls

Researchers continued to pick apart Stuxnet, a sophisticated worm that sought out Siemens industrial control systems and was widely linked to Iran's nuclear programme. Schneier cautioned that much of the popular narrative about its origins remained speculation.

www.schneier.com

17. The UK Parliament debated internet privacy and Street View

Members of the House of Commons held a Westminster Hall debate on internet privacy, with sharp criticism of Google's Wi-Fi collection. One member accused the company of having gathered the data deliberately for commercial use.

hansard.parliament.uk

18. DHS launched the Stop. Think. Connect. awareness campaign

The Department of Homeland Security opened its Stop. Think. Connect. campaign at the start of National Cybersecurity Awareness Month. Officials promoted simple steps the public could take to stay safer online and to think before sharing.

www.dhs.gov

19. Some 244,000 German houses set to be blurred in Street View

After the opt-out deadline passed, Google said that 244,237 German households across the twenty launch cities had asked to have their buildings blurred before Street View went live. The requests amounted to roughly three per cent of the affected homes, a figure reflecting Germany's unusually strong attachment to control over personal data.

thenextweb.com

20. Facebook suspended developers over the user identifier leak

Facebook moved to punish developers that had passed user identifiers to advertisers, blocking some apps from invitations, notifications and wall posts for six months. The company said the penalties affected fewer than a dozen developers, though some of them had millions of monthly users.

www.adweek.com

