A Wall Street Journal article today draws attention to yet another unexpected way in which Facebook's privacy practices have not complied with its public statements and have disregarded users' privacy rights. Just last week, when asked about Facebook's privacy practices with advertisers, Facebook executive Elliot Schrage wrote:
We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period.
As the Wall Street Journal report shows, this was not true. In fact, Facebook's architecture at the time allowed advertisers to see detailed personal information about some Facebook users.
The article identified a security flaw concerning referer URLs, a basic part of the web's architecture. For readers who aren't web gurus: A "referer" is a piece of information sent whenever you click on a link. It tells the site you're visiting what URL you've just come from. (The term's strange spelling is one of the web's many historical in-jokes.) In some instances, the referer URL will also include a "query string" that reveals additional information.
Ordinarily, the query string doesn't reveal anything sensitive. In fact, it's a maxim of web engineering that sensitive information (like passwords) should never be placed in the query string, exactly because doing so can cause security and privacy problems.
It's a maxim that Facebook apparently forgot. A paper published last August by researchers at AT&T Labs and Worcester Polytechnic (blogged by EFF here) showed how Facebook's referers revealed information to advertisers that could be used to personally identify visitors. The problem was made far worse by the changes Facebook made in December and April, which designated radically more user data as "publicly available information" and created new tech tools for mining that data.
Yesterday, facing the pressure of the impending Wall Street Journal article, Facebook fixed the worst aspects of that loophole. They say they're in the process of fixing the rest.
Beyond the fixes Facebook has already made, what steps can be taken to prevent this kind of data leakage in the future? There are some steps Facebook could take, like moving users to HTTPS, which can limit transmission of referer URLs. And users can protect themselves by using plugins like Firefox's RefControl. We also encourage both social networking services and web browsers to adopt emerging standards like 'noreferrer', which would allow sites much simpler control over how referers are handled.
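To make the mechanics concrete, here is an added example (not code from the article, the WSJ report or the AT&T/WPI paper) that does two things: it models the Referer value a browser would send under a few referrer policies, including the long-standing default of dropping the Referer entirely on an HTTPS-to-HTTP downgrade (which is why moving users to HTTPS limits this leak), and it audits a handful of constructed ad-server log lines for referers whose query strings carry identifying parameters. The URLs, hostnames, log lines and the `SENSITIVE_PARAMS` list are all constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query-string keys that should never reach a third party via Referer (constructed list).
SENSITIVE_PARAMS = {"id", "uid", "user", "userid", "email", "token", "session"}


def strip_for_referer(url):
    """Drop the fragment and any userinfo, as browsers do before sending a full-URL Referer."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def referer_sent(page_url, link_url, policy="no-referrer-when-downgrade"):
    """Return the Referer a browser sends when following link_url from page_url,
    or None when nothing is sent. Models four referrer-policy values."""
    page, link = urlsplit(page_url), urlsplit(link_url)
    downgrade = page.scheme == "https" and link.scheme == "http"
    same_origin = (page.scheme, page.hostname, page.port) == (link.scheme, link.hostname, link.port)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        # Historic browser default: full URL unless we are leaving HTTPS for HTTP.
        return None if downgrade else strip_for_referer(page_url)
    if policy == "origin":
        return origin_of(page_url)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return strip_for_referer(page_url) if same_origin else origin_of(page_url)
    raise ValueError(f"unsupported policy: {policy}")


# Combined log format with referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed ad-server log: one request arrives with a profile id in its Referer.
SAMPLE_AD_SERVER_LOG = [
    '203.0.113.5 - - [21/May/2010:10:00:00 +0000] "GET /banner.gif HTTP/1.1" 200 43 '
    '"http://social.example/profile.php?id=12345&ref=profile" "Mozilla/5.0"',
    '203.0.113.9 - - [21/May/2010:10:00:01 +0000] "GET /banner.gif HTTP/1.1" 200 43 '
    '"http://social.example/home.php?sk=lf" "Mozilla/5.0"',
    '203.0.113.12 - - [21/May/2010:10:00:02 +0000] "GET /banner.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]


def audit_referers(log_lines):
    """Return (client_ip, referer, leaked_keys) for every request whose Referer
    query string contains a parameter name from SENSITIVE_PARAMS."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ref = m.group("referer")
        if ref in ("", "-"):
            continue
        keys = set(parse_qs(urlsplit(ref).query, keep_blank_values=True))
        leaked = sorted(keys & SENSITIVE_PARAMS)
        if leaked:
            findings.append((m.group("ip"), ref, leaked))
    return findings


if __name__ == "__main__":
    page = "https://social.example/profile.php?id=12345#top"
    for target in ("http://ads.example/click", "https://ads.example/click"):
        print(f"{target}: Referer = {referer_sent(page, target)}")
    for ip, ref, keys in audit_referers(SAMPLE_AD_SERVER_LOG):
        print(f"leak from {ip}: {keys} in {ref}")
```

Running the audit against a real log is the check an ad network or a site operator can do for itself; the policy model shows why serving the whole site over HTTPS helps only against HTTP third parties, while a `no-referrer` or `strict-origin-when-cross-origin` policy removes the query string regardless of the destination's scheme.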
Of course, as demonstrated in the AT&T/WPI paper, referer strings are not the only path by which social networks leak personal information to advertisers. That paper found that 11 of the 12 social networking sites it examined leak personal information to advertisers by one method or another. Hopefully, today's WSJ article is a sign that all of these methods will soon be receiving closer scrutiny.
Google has just announced that it is rolling out an encrypted version of its web search service, https://www.google.com. This is something we've been asking Google for privately and publicly for some time, and we're very pleased to see it come to pass.
Several important points about encrypted Google search:
It isn't on by default. You need to make sure that the URL is https before you type your query. [We hope to be posting a better solution to this shortly].
HTTPS only protects against eavesdropping. It doesn't prevent Google from logging your searches, or prevent a government or civil litigant from obtaining your records from Google. Defending yourself against logging may be possible, but is definitely harder.
For the time being, encryption is only available for web search and a few other result types that you can click through to on the left of the results pages. Some important Google search services, such as maps and images, remain unencryptable for the time being.
Google engineers have indicated that they have data showing that the extra latency required for HTTPS will make searches less pleasing in a very subconscious way. Their SPDY project is an attempt to offer a variant of HTTP that is both encrypted and lower-latency than the current one. We look forward to using it!
Google had previously represented that it did not collect or store what it calls "payload data" and what EFF and the law call communications "content" — the actual information that was being transmitted by users over the unprotected networks. But on Friday the company admitted that its audit of the software deployed in the Street View cars revealed that the devices actually had been inadvertently collecting content transmitted over non-password protected Wi-Fi networks. To its credit, Google publicly admitted the error.
There's no reason to doubt Google's claim of mistake, but at this point in their growth and sophistication, Google should not be making these kinds of privacy errors. Google programmers wrote the Street View Wi-Fi access mapping code and Google employees used that code to collect about 600 gigabytes of extra data. Someone at the company should also have ensured that the code, both as written and in practice was (1) collecting only the data necessary for the project, (2) collecting only the data that Google represented that it was collecting, and (3) otherwise in compliance with the law.
Google is too mature to be making these kinds of rookie privacy mistakes. When you are in the business of collecting and monetizing other people's personal data — as Google and so many other internet businesses are — clear standards and comprehensive auditing are essential to protect against improper collection, use or leakage of private information. Google’s failure to make enforceable promises to implement such safeguards is one of the reasons for EFF's opposition to the Google Books settlement.
Following this unfortunate privacy breach, Google will likely have to face European and U.S. regulators as well as the inevitable lawsuits. Notably, Google’s potential liability under U.S. law is not clear. Penalties for wiretapping electronic communications in the federal Electronic Communications Privacy Act (ECPA) only apply to intentional acts of interception, yet Google claims it collected the content by accident. Further, the scope of legal protections for unencrypted wireless communications is uncertain. There is an exception to ECPA's general prohibition on content interception when the intercepted communications are "readily accessible to the general public." This exception was not written with Wi-Fi in mind and the courts have not yet directly grappled with the issue, but Google may assert that unencrypted Wi-Fi signals fit that exception.
Open Wi-Fi is a great public service, but users must take the initiative if they care about the confidentiality of information traveling over their open wireless networks. With legal protections unclear, the only privacy safeguards are technological. If you want any security, you need to encrypt your packets.
As for the Street View debacle, the first priority should be to secure the private information that was already improperly collected. Google has set forth a solid plan to accomplish this: it commissioned an independent third party to review the software at issue, confirm that Google segregated the data and made it inaccessible, and to figure out how to prevent these problems in the future.
Google must eventually destroy the data, though it will have to wait for approval from relevant regulators investigating the incident and from courts in which lawsuits are pending. If access to the communications is necessary for civil or criminal investigations or for discovery in a lawsuit, then care must be taken to protect user privacy in the meantime. In particular, calls from some quarters for Google to simply turn over the data to the U.S. or other governments are wrong-headed. To allow a government to investigate a privacy breach by further violating privacy is senseless.
The second priority should be for Google, and everyone else in the data collection business, to closely examine their data collection practices to ensure that they are actually doing what they have promised. In addition, companies should re-evaluate their data retention policies. While not directly related to the Wi-Fi gaffe, Google’s long-term retention of search data creates an unnecessary risk to users that the data will be disclosed, as Jules Polonetsky of the Future of Privacy Forum recently pointed out:
Yahoo has been able to implement a three-month retention period for its search and ad-serving log data without any impact on the quality of search results or ad-serving capabilities. Why can't other companies follow Yahoo's lead? The Article 29 Working Group of European regulators have advised that six months is the maximum time period for search data retention in their jurisdiction, and Microsoft has already started deleting full IP addresses from their search logs after six months.
In contrast to Yahoo and Microsoft, Google only partially anonymizes the IP addresses linked to your search queries at nine months, rather than at three or six months, and never completely deletes them. Yet, as the clear market leader when it comes to search, Google should have the best privacy practices in the business. With great success comes great responsibility. Google isn't a little start-up anymore. Even when it doesn't make mistakes, it regularly handles personal, intimate information from billions of people around the world. It's time for Google to lead the way in responsible data collection and retention practices.
Are you an attorney licensed to practice law in the United States? If you are, EFF needs your help to fight spam-igation.
The U.S. Copyright Group has quietly targeted 50,000 Bit Torrent users for legal action in federal court in Washington DC. The defendants, all Does, are accused of having downloaded independent films such as "Far Cry," "Steam Experiment," and "Uncross the Stars" without authorization. U.S. Copyright Group has recently announced that it will also be targeting unauthorized downloaders of the film "Hurt Locker." News reports suggest that the attorneys bringing these suits are not affiliated with any major entertainment companies, but are instead intent on building a lucrative business model built from collecting settlements from the largest possible set of individual defendants.
The lawsuits proceed similarly to the RIAA lawsuits against unauthorized music downloaders: US Copyright Group files a copyright infringement suit in federal court in Washington DC against thousands of Does, identified by IP address. Then it presents ISPs with the list of IPs and dates and subpoenas the billing address of the user who had that IP on that date. The ISPs then contact their customers, inform them of the subpoena, and give them an opportunity to file a motion to quash.
In the event that no motion to quash is filed, the ISP gives up the identity of the user. US Copyright Group's attorneys then contact the user and offer a settlement, usually starting at $2500.
EFF is seeking as many attorneys as possible to advise the targets of these lawsuits and, where appropriate, file motions to quash. Respondents' contact information would be added to a website that will act as a resource for the targets of these lawsuits.
If interested, please contact Rebecca Reagan at firstname.lastname@example.org with your contact information or the contact information for your firm, and the states in which you are licensed to practice law.
Social network service providers today are in a unique position. They are intermediaries and hosts to our communications, conversations and connections with loved ones, family, friends and colleagues. They have access to extremely sensitive information, including data gathered over time and from many different individuals.
Here at EFF, we've been thinking a lot recently about what specific rights a responsible social network service should provide to its users. Social network services must ensure that users have ongoing privacy and control over personal information stored with the service. Users are not just a commodity, and their rights must be respected. Innovation in social network services is important, but it must remain consistent with, rather than undermine, user privacy and control. Based on what we see today, therefore, we suggest three basic privacy-protective principles that social network users should demand:
#1: The Right to Informed Decision-Making
Users should have the right to a clear user interface that allows them to make informed choices about who sees their data and how it is used.
Users should be able to see readily who is entitled to access any particular piece of information about them, including other people, government officials, websites, applications, advertisers and advertising networks and services.
Whenever possible, a social network service should give users notice when the government or a private party uses legal or administrative processes to seek information about them, so that users have a meaningful opportunity to respond.
#2: The Right to Control
Social network services must ensure that users retain control over the use and disclosure of their data. A social network service should take only a limited license to use data for the purpose for which it was originally given to the provider. When the service wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user. The right to control includes users' right to decide whether their friends may authorize the service to disclose their personal information to third-party websites and applications.
Social network services must ask their users' permission before making any change that could share new data about users, share users' data with new categories of people, or use that data in a new way. Changes like this should be "opt-in" by default, not "opt-out," meaning that users' data is not shared unless a user makes an informed decision to share it. If a social network service is adding some functionality that its users really want, then it should not have to resort to unclear or misleading interfaces to get people to use it.
#3: The Right to Leave
Users giveth, and users should have the right to taketh away.
One of the most basic ways that users can protect their privacy is by leaving a social network service that does not sufficiently protect it. Therefore, a user should have the right to delete data or her entire account from a social network service. And we mean really delete. It is not enough for a service to disable access to data while continuing to store or use it. It should be permanently eliminated from the service's servers.
Furthermore, if users decide to leave a social network service, they should be able to easily, efficiently and freely take their uploaded information away from that service and move it to a different one in a usable format. This concept, known as "data portability" or "data liberation," is fundamental to promote competition and ensure that users truly maintain control over their information, even if they sever their relationship with a particular service.
The Electronic Frontier Foundation (EFF) has added thousands of never-before-seen records to its online collection of documents obtained through the Freedom of Information Act (FOIA). The treasure trove of government records, now up to date and posted on our website in its entirety, is the result of almost 200 FOIA requests and over a dozen lawsuits.
The document collection now includes for the first time:
The results show that the overwhelming majority of Internet users could be uniquely fingerprinted and tracked using only the configuration and version information that their browsers make available to websites. These types of system information should be regarded as identifying, in much the same way that cookies, IP addresses, and supercookies are.
In our analysis of anonymized data from around half a million distinct browsers, 84% had unique configurations. Among browsers that had Flash or Java installed, 94% were unique, and only 1% had fingerprints that were seen more than twice. However, our experiment only studied a limited number of variables, and the companies that offer specialized fingerprinting services are likely to use a wider and therefore more powerful range of measurements.
While almost all browsers are uniquely fingerprintable, there were four special categories that were comparatively resistant to fingerprinting:
Those that use TorButton, which successfully anticipated and defended against many fingerprinting measurements.
Mobile devices like Androids and iPhones (unfortunately, these devices tend not to have good interfaces for controlling cookies, and so may be trackable by that method).
Corporate desktop machines that are precise clones of one another (such systems appeared to constitute around 3-4% of the visitors to Panopticlick; unfortunately, there are some fingerprinting techniques, like CPU clock skew measurement, which will work against these systems, and commercial fingerprinting services employ those techniques).
Ultimately, browser developers will need to take the lead in defending their users against this particularly troublesome form of tracking. That won't be easy, but our article includes a number of recommendations about how to start.
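The Panopticlick figures above (84% unique, 94% with Flash or Java, 1% seen more than twice) come from measuring how large each browser's anonymity set is. The following added example (not the Panopticlick code) shows the metric on a small constructed set of browser configurations: each configuration is hashed into a fingerprint, the browsers sharing a fingerprint form an anonymity set, and uniqueness, per-browser surprisal and overall entropy fall out of the set sizes. Comparing the full field list with a reduced one (no plugin or font enumeration, as on the mobile browsers mentioned above) shows why those browsers were harder to fingerprint. Field names and sample configurations are constructed.

```python
import hashlib
import math
from collections import Counter

# Attributes a site can observe. Plugins and fonts are only enumerable where Flash or Java
# are present, so a reduced field list models a browser without them (constructed names).
ALL_FIELDS = ["user_agent", "screen", "timezone", "plugins", "fonts"]
REDUCED_FIELDS = ["user_agent", "screen", "timezone"]

# Constructed visitors: two desktop users with Flash, three identical corporate clones,
# two users of a second desktop build, and one mobile browser.
SAMPLES = [
    {"user_agent": "A", "screen": "1280x800", "timezone": "-7", "plugins": "Flash 10", "fonts": "F1"},
    {"user_agent": "A", "screen": "1280x800", "timezone": "-7", "plugins": "Flash 10", "fonts": "F2"},
    {"user_agent": "A", "screen": "1280x800", "timezone": "-7", "plugins": "", "fonts": ""},
    {"user_agent": "A", "screen": "1280x800", "timezone": "-7", "plugins": "", "fonts": ""},
    {"user_agent": "A", "screen": "1280x800", "timezone": "-7", "plugins": "", "fonts": ""},
    {"user_agent": "B", "screen": "1920x1080", "timezone": "0", "plugins": "Flash 10;Java 6", "fonts": "F3"},
    {"user_agent": "B", "screen": "1920x1080", "timezone": "0", "plugins": "Flash 10", "fonts": "F4"},
    {"user_agent": "Mobile", "screen": "320x480", "timezone": "-5", "plugins": "", "fonts": ""},
]


def fingerprint(attrs, fields):
    """Hash the selected attributes into a stable fingerprint string."""
    material = "|".join(f"{k}={attrs.get(k, '')}" for k in fields)
    return hashlib.sha256(material.encode()).hexdigest()


def anonymity_sets(samples, fields):
    """Map each fingerprint to the number of browsers that share it."""
    return Counter(fingerprint(s, fields) for s in samples)


def uniqueness(samples, fields):
    """Fraction of browsers whose fingerprint is seen exactly once."""
    counts = anonymity_sets(samples, fields)
    unique = sum(1 for s in samples if counts[fingerprint(s, fields)] == 1)
    return unique / len(samples)


def fraction_seen_more_than(samples, fields, k):
    """Fraction of browsers whose fingerprint is shared by more than k browsers."""
    counts = anonymity_sets(samples, fields)
    return sum(1 for s in samples if counts[fingerprint(s, fields)] > k) / len(samples)


def surprisal_bits(sample, samples, fields):
    """Bits of identifying information one browser's fingerprint carries: -log2(p)."""
    counts = anonymity_sets(samples, fields)
    p = counts[fingerprint(sample, fields)] / len(samples)
    return -math.log2(p)


def entropy_bits(samples, fields):
    """Shannon entropy of the fingerprint distribution over the whole sample."""
    counts = anonymity_sets(samples, fields)
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    for label, fields in (("all fields", ALL_FIELDS), ("reduced", REDUCED_FIELDS)):
        print(f"{label}: unique={uniqueness(SAMPLES, fields):.3f} "
              f"seen>2={fraction_seen_more_than(SAMPLES, fields, 2):.3f} "
              f"entropy={entropy_bits(SAMPLES, fields):.2f} bits")
    print(f"surprisal of first visitor: {surprisal_bits(SAMPLES[0], SAMPLES, ALL_FIELDS):.2f} bits")
```

With all fields, five of the eight constructed browsers are unique and the three clones share one fingerprint; with the reduced field list only the mobile browser stands out. The same functions run unchanged over a real collection of observed configurations, which is how a browser vendor or privacy team can measure how much a given attribute contributes before deciding whether to stop exposing it.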
Today, San Mateo County Superior Court Judge Clifford Cretan ordered the release of the previously-sealed warrant affidavit that led to the search of Gizmodo editor Jason Chen’s house. As expected, the affidavit confirmed that there was no legal basis for the search.
The search warrant affidavit does indeed allege that Jason Chen committed three crimes: receipt of stolen property (California Penal Code section 496(a)), theft (California Penal Code section 499c(b)(3)), and “maliciously damaging the property of another” (California Penal Code section 594(b)(1)). Whether Chen will even be charged with such crimes, let alone convicted, remains to be seen. But as we have repeatedly pointed out, the warranted search and seizure of Chen’s property was still illegal.
In his recent article titled "iPhone, Gizmodo, and Moral Clarity About Crime," Rutgers law professor Stuart Green argued that the decision to seek a warrant was justified and that critics who question this decision must be confused, misguided, or "legally mistaken." Professor Green flatly misstated the law. Contrary to his assertion, there is no “specific exemption” to what Green refers to as the California reporter’s shield law “when the police are looking for evidence that the journalists … themselves committed crimes.” Moreover, the shield law itself is a testimonial privilege that protects journalists who refuse to testify about sources and unpublished information, and it is not directly relevant to the Chen raid at all.
Instead, the applicable statute is California Penal Code section 1524(g), which categorically prohibits the issuance of warrants for “unpublished information obtained or prepared in gathering, receiving or processing of information for communication to the public.” This is a limitation on the warrant process itself and does not affect the potential legal liability of a journalist-suspect. Contrary to the assertions of Professor Green, George Washington University Law School Professor Jonathan Turley, and others, it contains no exemption, specific or otherwise, that limits its reach.
The California Supreme Court has said that the reporter’s testimonial privilege might give way in very limited circumstances, such as when another constitutional right (like a defendant’s right to a fair trial) comes into play. No such right is implicated here. And in any event, the California Supreme Court has never second-guessed the California legislature’s judgment in passing the Penal Code section at issue here. Nor is it likely to, since the protection provided by 1524(g) was specifically enacted to limit the ability of law enforcement to search journalists pursuant to a search warrant, a protection that the U.S. Supreme Court held was not found in the U.S. Constitution.
The protections afforded to Chen by the California Penal Code will likely not affect the potential prosecution of any crime here. The police already know the identity of the person who purportedly found the phone and passed it on to Gizmodo. The allegedly stolen phone was returned to Apple before the raid. Moreover, the police also have Gizmodo’s detailed video analysis of the iPhone prototype, which would likely come in handy as evidence at any eventual trial. What the police will lose, if Chen’s attorneys choose to press the issue, is the information that they illegally seized. The police could then try to subpoena a small subset of this information from Chen directly. (Recall that all of Chen's computers and all of the data on them were seized in the raid.) The issuance of a subpoena would allow Chen and Gizmodo to challenge the validity of the district attorney’s legal position, a far different posture than the one Chen found himself in after armed police officers bashed in his door.
San Mateo prosecutors are predictably circling the wagons to defend the raid. The D.A. agreed to halt any search of Chen’s computers while he evaluates the implication of California legal protections for journalists, conceding that such a post-raid analysis is “unusual.” This concession speaks volumes about how much thought went into this raid before it took place. It should also give pause to commentators who have ignored the extent of the legal ramifications triggered by the search and instead rushed to the defense of the police, confusing a desire to force the police to comply with the law with an attack on the enforceability of trade secret or copyright law.
Opposition to the police raid of Jason Chen’s home has nothing to do with misplaced support for a scrappy underdog or an affinity for schoolyard conceptions of right and wrong. Objections to overreaching police power are rooted in both a dedication to free speech and freedom of the press and in a fealty to the rule of law. The relevant legal question in the Chen matter is whether the police obtained a warrant for “unpublished information obtained or prepared in gathering, receiving or processing of information for communication to the public.” Obviously, they did. If critics believe that police should be able to execute warrants to seize unpublished notes and other data held by journalists – and I would urge them to think through the ramifications of such a decision – then the proper course is to lobby the legislature for such a change to the very clear statute that is now in place, not to pretend that the law already supports their position.