Recently in Corporate Category

Verizon Supercookies

The Federal Communications Commission has settled its Verizon Wireless "supercookie" probe, resulting in better consumer controls and transparency between the provider and its customers. The FCC's investigation found that the company had inserted unique, undeletable identifiers (the Unique Identifier Header, or UIDH) into web traffic and used these to identify customers in order to deliver targeted ads from Verizon and other third parties. As a result of this settlement and the FCC investigation, Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers' opt-in consent before sharing UIDH with third parties, and will obtain customers' opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family. The company will also pay a fine.

Interesting article from Microsoft with views from three past CPOs.
I am attending the IAPP Global Privacy Summit, the biggest privacy industry conference. Google has sponsored the networking happy hour and has bought me a drink. Do I thank Google or thank myself for using Google's services?

Prepare for Google's Privacy Policy Shift

On Thursday, March 1st, Google's new unified privacy policy goes into effect. Previously, all Google services maintained separate silos of data operating under separate privacy policies. This is no longer the case. Google is now unifying its data and, ultimately, building rich stores of data about you. Below are a few actions you can take to mitigate the amount and type of data Google will have access to after the policy change goes into effect.

1. Do not perform Google Searches while signed into your account.

This is the simplest way to ensure Google does not capture search history associated with your user ID/profile. As an alternative, keep your Google account signed in on one browser (e.g. Firefox) and use another browser operating under privacy protection mode (e.g. Chrome's Incognito Mode) to conduct searches. This is not foolproof -- Google can certainly be smart enough to correlate signed-in sessions and non-signed-in sessions originating from the same IP address...but it's a start.

Please note all steps below assume you are signed into your Google account.

2. Remove your Google History

If this is already disabled, you will see two buttons that read "No Thanks" and "Enabled Web History". Simply click "No thanks" and pat yourself on the back for being smart about your search privacy.

If web history is enabled:
  • Click the button that says "View History"
  • Click "Remove All Web History"

Doing this automatically stops the future collection of web history. If you ever wish to resume history collection, simply click the "Resume" button.

3. Remove your YouTube History
  • Click on "YouTube" in the toolbar at the top of the page
  • On the right of the page, click your username and select "Video Manager"
  • On the left side of the page, click the "History" button
  • Click the "Clear Viewing History" button, confirm your choice when the pop-up displays
  • Refresh the page/click the "History" button again
  • Finally, click "Pause Viewing History"

4. Disable Google Chat/Talk History
  • In Gmail, click on the cog/wheel in the upper right corner
  • Click Mail Settings
  • Click Chat
  • Ensure "Never save chat history" is enabled

5. Remove old e-mail from Google

Navigate to and look at the date on the e-mails; these are the oldest e-mails stored in your Google Account. Take a walk down memory lane... Scary, huh?

To remove these e-mails from Google Servers:
  • Click the cog/wheel in the upper right corner of Gmail
  • Select "Mail Settings"
  • Select "Forwarding and POP/IMAP"
  • Click "Enable IMAP"
  • Download a mail client such as Thunderbird, Outlook, Apple Mail, etc
  • Follow the directions to set up the mail client:
    • Using the mail client, create a local e-mail storage file, such as an Outlook PST or a Thunderbird local folder
    • Download all e-mails from Google to your local storage
    • Delete all e-mails from Google
    • Repeat this every month, ensuring only the last six months of e-mail stay on Google's servers
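The monthly "download, then delete" housekeeping in step 5 can be scripted over the IMAP access you just enabled. The script below is an added example, not part of the original post: it archives every message older than six months into a local mbox file and moves the originals to Gmail's Trash. It assumes the account credentials are supplied in the GMAIL_USER and GMAIL_PASS environment variables and that the Gmail folder names are in English.

```python
"""Archive Gmail messages older than six months to a local mbox, then move them to Trash.

Added example (not from the original post). Assumes IMAP is enabled on the account and
credentials are supplied via the GMAIL_USER / GMAIL_PASS environment variables."""
import imaplib
import mailbox
import os
from datetime import date, timedelta

IMAP_HOST = "imap.gmail.com"       # Gmail's IMAP endpoint
ALL_MAIL = '"[Gmail]/All Mail"'    # folder holding every message (quoted: name has a space)
TRASH = '"[Gmail]/Trash"'          # Gmail deletes via IMAP by moving a message into Trash


def cutoff_date(today, months=6):
    """IMAP-formatted date (e.g. 03-Sep-2011) roughly `months` months before `today`.

    A month is approximated as 30 days, which is adequate for a monthly housekeeping run."""
    return (today - timedelta(days=30 * months)).strftime("%d-%b-%Y")


def parse_uids(search_response):
    """Turn the raw (status, data) tuple returned by UID SEARCH into a list of UID strings."""
    status, data = search_response
    if status != "OK" or not data or not data[0]:
        return []
    return data[0].decode().split()


def archive_old_mail(imap, mbox_path, today=None, months=6):
    """Copy messages dated before the cutoff into `mbox_path`, then move them to Trash.

    Returns the number of messages archived. Messages that fail to download are left untouched."""
    today = today or date.today()
    imap.select(ALL_MAIL)
    uids = parse_uids(imap.uid("SEARCH", None, "BEFORE", cutoff_date(today, months)))
    local = mailbox.mbox(mbox_path)
    archived = 0
    for uid in uids:
        status, msg = imap.uid("FETCH", uid, "(RFC822)")
        if status != "OK" or not msg or not msg[0]:
            continue                      # keep the message on the server if the download failed
        local.add(msg[0][1])              # append the raw RFC822 bytes to the local mbox
        local.flush()                     # make sure it is on disk before removing the original
        imap.uid("COPY", uid, TRASH)      # in Gmail, COPY to Trash removes it from All Mail
        archived += 1
    local.close()
    return archived


if __name__ == "__main__":
    conn = imaplib.IMAP4_SSL(IMAP_HOST)
    conn.login(os.environ["GMAIL_USER"], os.environ["GMAIL_PASS"])
    print("archived", archive_old_mail(conn, "gmail-archive.mbox"), "messages")
    conn.logout()
```

Trash is emptied by Gmail after 30 days, so the messages leave Google's servers on that schedule; keep the mbox file somewhere you back up, since it becomes the only copy.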

6. Android Phone - Web Browser

  • Open your Web Browser
  • Click the Menu Key on your phone
  • Select "More"
  • Select "Settings"
  • Clear your history, cache, and location access.
  • Suggest disabling "Enabled location" to prevent future websites from accessing your location.

Security Best Practices for your Google Account

While not related to the impending privacy changes, the following two steps are important functions to enable on your Google account.

7. Google Mail Connection

  • In the Gmail settings, click on the "General" settings tab
  • Ensure "Browser Connection" has "Always use https" enabled

8. 2-Step verification

2-Step verification is similar to what major banking websites are now using. This service provides stronger security protection on your account. The process is very simple: once activated, you will need to verify the device(s) you frequently sign into your Google account from: your home computer, your work computer, your iPad, etc. To do this, Google will send you an SMS text message with a unique code. You will be required to enter both your password and this code to verify the device you are signing into Google with. This will prevent people from accessing your account from unauthorized devices/computers.

To enable:

Akamai and Evidon Privacy Notice delivery

Content Delivery Network (CDN) giant Akamai and advertising-industry self-regulation platform provider Evidon (nee Better Advertising) have teamed up to provide more robust privacy notices to individuals. Akamai will provide the distribution network -- most likely using Edge Side Includes (ESI) (wikipedia, Akamai) -- for "Evidon's privacy and compliance services for the management of the Industry Self-Regulatory Program in the US, the European ePrivacy Directive, and its corollary self-regulatory effort for Online Behavioral Advertising."

I can't wait to see this in action and I hope Evidon pushes out in new directions for privacy notice/choice. I'd love to see Evidon build on Aza Raskin's privacy icon project. Evidon and its partners will reach a large audience and can use their bully pulpit to advance changes in the standard idea of notice and consent (choice). More granular control over opting in to or out of programs? Something even more radical? This is a big technological step forward for providing smart notice/choice, so why not try out more new ideas?

I would also like to see Evidon and its partners use this platform for testing new approaches to advertising, information collection, notice, and choice. For example:

  • Testing the impact of a truly opt-in model on ad impressions: "Would you like to see ads on this site?"
  • Testing the impact of opt-in information collection: "Advertising network XYZ would like to collect browsing habits: Yes/No."

We've only been able to speculate on the outcome of this type of granular control; perhaps Evidon could give us some proof.

Verizon PCI Compliance Report

Verizon has published their 2011 Payment Card Industry Compliance Report (PDF). Good reading for those in the security industry.

Mozilla Secure Coding Guidelines

Mozilla has a great resource for webapp and website developers: The Mozilla Secure Coding Guidelines.

These guidelines will help create a more secure app/site. However, they will not, by themselves, decrease privacy risks. Design your app/site to be privacy-conscious.

Facebook cookies and sharing

They are never tasty and now they leave a potentially never-ending aftertaste. Nik Cubrilovic (@nikcub) has an intriguing write-up on his blog about the potential for expanded tracking by Facebook through their social plugins (comments, likes, APIs, etc.) even after a user has logged out. Facebook has denied the potential threat. Interesting discussions in the comments section (Disqus platform, no less) of his blog, including Facebook's response, and on his Twitter page.

I love seeing research like this surface and I give Nik credit for approaching Facebook multiple times before publishing. His post is fairly technical but his intro boils it down nicely into layman's terms.

It seems Dave Winer's (@davewiner) post titled "Facebook is scaring me" may have prompted Nik's post after sitting on the data for more than a year. And all of this, of course, after the recent announcements at F8, which prompted renewed privacy concerns regarding Facebook's new timeline profile and frictionless sharing features.

It amazes me how often the privacy pot gets stirred, even with pending legislation looming over a largely unregulated industry. You'd think they might lay low on making these drastic and norm-challenging changes.

Google+ Social Identity?

Business Insider has an article highlighting recent comments made by Eric Schmidt regarding Google+'s real name policy. Andy Carvin of NPR had a chance to ask Eric Schmidt how Google justifies the policy given that real identities could put people at risk. Eric's response was a rather frank admission that Google sees G+ not as a social service but as an identity service.

I can't help but wonder if this was the original intention of G+ or a strategic shift that happened after the announcement of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in April, 2011.

Eric also said that G+ use is completely optional. Users are not required to join the service and users who dislike the policy can easily walk away**.

Will Eric Schmidt's comments impact your use of G+? Do you believe anonymous/pseudonymous access should be allowed?

**Google has made it very easy to close out your Plus account. Access and look under the "Services" section. Follow "Delete profile and remove associated social features."

RSA Postmortem: 5 months later

Great post from F-Secure Labs on how one dedicated employee, Timo Hirvonen, found the actual attack e-mail and 0-day exploit payload used in compromising RSA (the security division of EMC) back in March, 2011.

While the attack vector (phishing) was not advanced, the exploit code was. As the F-Secure article points out, RSA could not have defended against this brand new threat via antivirus or other network/system defense. However, proper training of employees on opening suspicious attachments could have prevented the whole thing.

My favorite detail in the post is that an RSA employee uploaded the e-mail to VirusTotal. This is speculation, but I can imagine the additional virus scanning occurred immediately after opening the file and seeing the actions (see video on F-Secure post). I can further imagine the "oh, crap" reaction of the person who watched, on their screen, as one of the leading security product providers got owned.

Building an organizational culture of security and privacy can go a very long way. Training and awareness is a critical complement to any enterprise defense strategy. You can deploy millions of dollars' worth of defense systems and still be compromised by the actions of a dedicated and resourceful adversary and the actions of one untrained employee.

A closing note: in the beginning of August the RSA breach was revealed, through an EMC earnings call, to have cost $66 million to investigate, mitigate, and help customers.