In late May there was a scuffle between Google and a trade group over whether or not California law compels Google to include a link to its privacy policy on its front page. Google was resistant to the idea because adding the word “privacy” would represent an intolerable level of clutter, and there the matter rested until today.

Google VP Marissa Mayer explained the change in a blog post this afternoon:

“Trust is the basis of everything we do, so we want you to be familiar and comfortable with the integrity and care we give your personal data. We added this link both to our homepage and to our results page to make it easier for you to find information about our privacy principles. The new ‘Privacy’ link goes to our Privacy Center, which was revamped earlier this year to be more straightforward and approachable, with videos and a non-legalese overview to make sure you understand in basic terms what Google does, does not, will, and won’t, do in regard to your personal information.

“How does privacy relate to homepage word count? Larry and Sergey told me we could only add this to the homepage if we took a word away - keeping the ‘weight’ of the homepage unchanged at 28 [total words]. Given that the new Privacy link fit best with legal disclaimers on the page, I looked to the copyright line. There, we dropped the word ‘Google’ (realizing it was implied, obviously) and added the new privacy link alongside it.”

Mayer did not, as near as I can tell, also post a YouTube video featuring her sneering into the camera and muttering “Whatever, losers.”

YouTube is, of course, a touchy subject right now, so it was probably best to leave physical displays of Google’s disdain to our imaginations.

(Link)

“Last year, Microsoft and Ask called for some industry standards (a call that would have been better if they’d involved Yahoo and Google beforehand). Google also called for a global privacy standard last year, then this year said it would back a national law, in response to the latest letter over privacy issues from US representative Joe Barton. Microsoft also pushed for a privacy framework this year.”

“We need it. And we need it without political grandstanding, without the privacy advocates arguing that it will water down US state laws (as EPIC did in response to Google saying they’d back a national law). We need protection, and we need various groups to diligently work together to make that happen.

“I remain amazed that after the AOL data leak in 2006, little has happened since then to proect us. But when lawmakers start to understand that the porn and other embarrassing material some of them have watched on YouTube is to be handed over to Viacom, maybe they’ll finally wake up. Remember, lawmakers, even those now deleted videos are fair game.”

I agree with the last sentiment in that excerpt. In the absence of a personal angle, most people are stubbornly resistant to what they consider privacy paranoia.

I don’t much like the idea that “the privacy advocates” should stop talking back to Google when it says next to nothing, which was most certainly the case when the company floated its headline-spinning “support” of legislation nobody’s even drawn up yet.

(Link)

“Yesterday, in the Viacom v. Google litigation, the federal court for the Southern District of New York ordered Google to produce to Viacom (over Google’s objections):

“all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website

…

“The Logging database contains:

“for each instance a video is watched, the unique ‘login ID’ of the user who watched it, the time when the user started to watch the video, the internet protocol address other devices connected to the internet use to identify the user’s computer (‘IP address’), and the identifier for the video.

Here’s the part that slays me:

“Today’s court order made no finding that Viacom could not be accommodated by any other means, nor were the YouTube users provided with notice and an opportunity to contest the claim.

“Instead, the Court focused on some statements made by Google on its blog:

“We … are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.”

Which brings us to a point that gets made time and time again, but seems worth harping on once more: It doesn’t matter if Google or any other gigantic aggregator of tons of your personal data avoids being evil until the end of time. All it takes is a judge with a nasty sense of irony urge on by an equally gigantic entertainment conglomerate with an axe to grind to flush Google’s good intentions down the toilet along with your privacy. If Google is forced to hand over what it has been told to hand over, you now not only have to trust Google with personal information, you have to trust Viacom.

(Link)

A study out of Switzerland indicates that just under 60 percent of browsers in use are up to date.

“What the researchers found is that although software vendors provide patches for security problems, it can take days, weeks or months before people update their applications. In the meantime, those users are at risk.

“But it’s not entirely the fault of users, since Web browser vendors haven’t exactly made patching easy, said Stefan Frei, a doctoral student at the institute, which is known as ETH Zurich, and one of the report’s authors. The Web browser is still fairly young technology, and the industry has yet to settle on a dominant, well-tested design, he said.”

Unsurprisingly, Firefox users fare pretty well in terms of how quickly they’re updated to a new version thanks to automatic background updating.

The study found that, in terms of the proportion of the user base running the latest version, Safari came in second, Opera third, and IE fourth.

I guess I’m running an out-of-date Safari as of today: Leopard.4 arrived yesterday, including an updated Safari, but I’ve only installed it on a Macbook in the house. Nothing broke, so I mean to go ahead and install it on the main machine this afternoon on my way out the door.

I don’t like to install any big update right away, and since I’ve started using Macs I’ve been even less eager. When everything arrives in a big lump, backing out of one problematic patch is hard. The fact that 10.5.4 is arriving in time for the 3G iPhone launch made me even more leery. They got it out in plenty of time, which doesn’t suggest launch-date-driven hurrying, but it still seemed best to let sites like MacUpdate serve as canaries in the coal mine.

Oh … I’ve also got eeebuntu running on my eeePC. It feels like I haven’t been able to use it from day to day in the last week without getting pestered about some update or another. I usually let it do its thing, though. The package management system is easy enough to understand if a single package turns out to be screwed up.

I was a Debian user before there was a “testing” branch and I got caught up in a broken Perl package that crippled “unstable” users. That, in turn, broke big chunks of the package management system itself, but it was still pretty easy to back out of it and get back on track.

(Link)

“Blizzard is charging $6 for the tokens. This sounds like they are providing these ‘at cost’. There are other costs to Blizzard, too. They need to maintain software on the backend that works with the keys. They also need to deal with support costs, as users break the keys and lose them. The users themselves will also experience costs. They have to learn how to use they keys, and it makes logging onto their account more annoying. That last item is an important cost - WoW makes money when their games are fun, annoyances caused by security make games less fun.

“The benefits would be big. Users who use the same username/password on multiple accounts would no longer be danger. Phishing attacks would similarly be broken. Keyloggers in malware would no longer be a threat. Hackers could update their malware from simple keyloggers to hacks that would allow them to hijack WoW sessions, but that would be very costly. Keyloggers hack a wide range of applications, not just WoW - custom software for each application may not be worth it. Moreover, if hackers do come up with techniques to hijack sessions, Blizzard could quickly counter them with their famous ‘Warden’ program.

“Blizzard’s experiment is an interest for all of us. Bank’s [sic] are trying out jury-rigged authentication schemes to avoid the difficulties of hardware devices like Blizzard’s. In our experience as pentesters and system evaluators, these schemes suck. It is our belief that no system can be successful that relies upon people being smart about their authentication credentials. If Blizzard can show success with this system in the gaming community, it’ll be a huge boost for the approach in other areas as well.”

(Link)

Blizzard has a FAQ about the new tokens, and it so happens that Paul Rubens handed in an assignment about just this sort of thing late last week. It went up today at ENP:

Enterprise Networking Planet: User Authentication Beyond the Password

ICANN has, evidently, also approved an extension to IPv4 that will allow letters AND numbers to appear in dotted quads. Or something. You tell me:

“With the stock of available web addresses under the current IPv4 protocol set to run out by 2011, ICANN has been under pressure to find a solution for burgeoning demand.

“In theory, an infinite number of new domain names could be born, which would prove a boon for ICANN because it would receive payment for each one.”

Er … ?

(Link)

Oh … speaking of journalists, be sure to read the self-pitying flameout of the week. Maybe he’ll be able to spend his newfound free time helping AFP reporters understand the difference between a dotted quad and a domain name.

“Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile that seemed to belong to Paris Hilton that used her middle name ‘Whitney.’

“Basically, the app was not obeying the privacy settings specified by the user, enabling anyone with the know-how to bypass the security once they obtained someone’s Facebook ID number.

“‘We expect third-party apps to follow the rules the users set,’ Ben Ling, director of platform product management at Facebook, said in a phone interview Wednesday. ‘With Top Friends, the privacy settings of the user were not being respected according to the privacy policy terms of use.’”

Well, if we’re going to talk about expectations as an expression of what we most fondly wish, I guess I expect a platform that takes steps to keep this sort of thing from happening at the API level, not at the “we told the darned developer, what else can we do?” level.

If we want to talk about expectations as an expression of what we think we’re going to get regardless of our fondest wishes, I don’t know whether Ling or I should be wearing the dunce cap. Because I pretty much expect this sort of thing is going to be the norm until the Conjoiners take over and we no longer need Facebook since we’ll be able to SuperPoke each other with brain waves. That doesn’t make me a dunce. What makes me a dunce is that I fully expect that sort of thing and I’m still using Facebook.

(Link)

“NebuAd suffered another splash of bad press when the U.K. tech tabloid The Register scoured the professional networking sites LinkedIn and LinkSV and found that five executives at the company used to work at Claria (formerly Gator Corp.), a company that has been widely criticized as a distributor of advertising spyware.

“The controversy around NebuAd may come as a blow to ISPs hoping to cash in on the online advertising market.

“Increasingly, cable companies are looking to harness their users’ data to serve more targeted ads and create a lucrative business line. Several of the nation’s largest cable providers, including Charter (NASDAQ: CHTR), are working together to sell targeted ads across their networks under the aegis of a group called Canoe Ventures.

“A Charter spokeswoman told InternetNews.com that the company still plans to go forward with the NebuAd trial once the privacy issues have been resolved.”

Like I was saying two days ago, when Charter was using much more obfuscatory flack-speak to say about the same thing, we can read “once the privacy issues have been resolved” to mean “once we’re sure J. Random Congressguy won’t come sniffing around again.”

NebuAd isn’t some new kid on the block. Just go searching for the company in the news and you’ll see it has been around for a little while now and has taken in millions in VC. It won’t go away particularly easily, and it operates in the context of an industry that’s already overwhelmingly hostile to your privacy. Look for a few incremental changes in the overall approach that result in the same thing: Yet another entity following you around the ‘net, warehousing your browsing habits, and insisting that you trust its patent-pending technology to keep that information safe.

Claria/Gator ring a bell? Read up.

(Link)

“Here, then, is the bitter joke of the new legislation: From 2001 to 2007, the NSA engaged in a secret program that was a straightforward violation of America’s wiretapping laws. Since the program was revealed, the administration has succeeded in preventing the judiciary from making a definitive declaration that the wiretapping was a crime. Suits against the government get dismissed on state-secrets grounds, because while the program may have been illegal, it was also so highly classified that its legality can never be litigated in open court. And now suits against the telecoms will by dismissed en masse as well. Meanwhile, the new law moves the goal posts, taking illegal things the administration was doing and making them legal.

“Whatever Hoyer and Pelosi—and even Obama—say, this amounts to a retroactive blessing of the illegal program, and historically it means that the country will probably be deprived of any rigorous assessment of what precisely the administration did between 2001 and 2007. No judge will have an opportunity to call the president’s willful violation of a federal statute a crime, and no landmark ruling by the courts can serve as a warning for future generations about government excesses in dangerous times. What’s more, because the proposal so completely plays into the Bush conception of executive power, it renders meaningless any of its own provisions.”

Regardless of how I might feel about the law itself, or the NSA’s program, it’s the second graf of the text above that bothers me the worst. There will never be any real accounting and there will never be any resolution of the legal issues, except to the extent they’re “resolved” by pretending they never arose in the name of their sensitive nature.

Christopher Dodd’s speech on the matter is also good reading.

“NebuAd pays the ISP to be able to eavesdrop on customers’ surfing in order to build profiles that can be used to serve targeted advertising on third-party websites.

“But citing customer feedback from the notifications sent to the trial areas, Charter decided not to test the technology right now, the company announced Tuesday.

“But a spokeswoman emphasized that Charter wasn’t finished with the idea of tapping into the online advertising market, something that cable companies have traditionally done with television.

“We are not moving forward with the pilots at this time. We will continue to take a thoughtful, deliberate approach with the goal to ultimately structure an advertising service that enhances the internet experience for our customers and addresses questions and concerns they’ve raised.”

NebuAd has gone to Washington to make the case that its user surveillance technology isn’t particularly dangerous or unusual for the ad industry, so I’d take Charter’s statement to mean “once NebuAd can assure us that it won’t be attracting any more unwanted attention from people besides our outraged customers, we’ll get right back down to business.”

(Link)

Previously

• Shorter Charter: We’d Rather You Just Not Read the Privacy Advisory in the First Place
• Charter Officially Speaks on NebuAd
• NebuAd Opt-Out Promises Are Nebu-Lous

Personally, the whole issue is somewhat alien to me. I cringe on behalf of friends of mine who use work addresses for personal mail because it just seems like a bad idea. At the very least, if something were to happen as in the case that was ruled on this week, I’d be faced with having to argue for a right to privacy I could have just as effectively kept by taking some common sense steps.

Anyhow, here’s Mike Elgan’s solution:

“The software industry could create stand-alone memo software, or build in memo functionality into e-mail software, that very clearly brands or labels e-mails as official company memoranda. (In fact this already exists to some degree.) The sender — and the receiver — would understand the status of these electronic documents because they would be clearly marked as such. These would be backed up and retained in perpetuity, available to management and others in the company and admissible in court as evidence. Further, they would be encrypted and unavailable, including to IT staff (a recent survey revealed that one third of IT staff routinely use their admin privileges to read employee e-mail and other sensitive documents).

“Then, the courts should go further than the 9th U.S. Circuit Court of Appeals did this week and rule that all regular e-mail and all text, including e-mail provided directly by employers, is protected, private speech. Only sender and receiver could legally read it. In other words, it would be treated exactly as many people assume it’s already treated, which is like casual spoken conversation.

“This system would remove the current, unacceptable state of affairs where people believe their communication is private, then later someone comes along and says ‘gotcha! — we recorded everything!’

One problem with that is the way companies and organizations word their acceptable use policies. Theoretically, under the terms of a lot of them, there’s no need for a special “official” bit to be flipped on each communication, because it’s against the AUP for any communications over the company network to be anything but official in the first place.

And most AUPs, even the one involved in the case the court just ruled on, effectively remove any expectation of privacy. The police department that just lost the appeal had a problem partially because its own supervisors ignored the AUP they were supposed to be enforcing for a very long time before suddenly reversing themselves.

Elgan points out that most people don’t really understand how compromised their workplace privacy is, and I agree with that assertion. At the same time, I don’t think the onus lies on employers to subsidize a software layer to help employees out in that regard, and I don’t understand how any company in an industry with strict records retention requirements or with a need to ensure trade secrets or other sensitive information could live with a solution like this.

(Link)

“Under Wednesday’s ruling by the 9th U.S. Circuit Court of Appeals, employers that contract an outside business to transmit text messages can’t read them unless the worker agrees.

“Users of text-messaging services ‘have a reasonable expectation of privacy’ regarding messages stored on the service provider’s network, Judge Kim Wardlaw wrote in the three-judge panel’s unanimous opinion.

“The ruling limits employers’ access to employee e-mail on internal servers.

“The text-message part of the ruling will affect more employers than the e-mail portion because most U.S. companies pay outside parties for text-messaging but keep e-mail on internal servers, analysts said.” — (Link) (via)

The thing is, once you read the decision (136KB PDF), it becomes clear there were more than a few extenuating circumstances.

The police department involved in the ruling, for instance, had supervisors who assured employees that their communications wouldn’t be audited. Consequently, the court reasoned, the department’s subsequent decision to read the text messages in question constituted an unreasonable search.

Past cases the ruling cites also indicate some sense of its underlying logic, including one that read “We conclude that [the employee] would enjoy a reasonable expectation of privacy in areas given over to his exclusive use, unless he was on notice from his employer that searches of the type to which he was subjected might occur from time to time for work-related purposes.”

On the other hand, the EFF’s Jennifer Granick thinks the ruling is about as expansive as the AP describes. Here are the grafs from her entry that answer any qualifications I thought I sensed:

“This ruling has two privacy friendly results. First, the police need a warrant to get your email and text messages if stored for less than 180 days. Second, even if your employer pays for your use of third party text or email services, your boss can’t get copies of your messages from that provider without your permission. Wow.

“The next issue the Ninth Circuit decides is that text messages are protected by the Fourth Amendment. The DOJ and others have argued that because email and text messages are stored by third parties that have the practical ability to read them, senders and recipients have no expectation of privacy in those messages and thus they receive no constitutional protection from unreasonable searches and seizures. The Ninth Circuit rejects this view, as a panel of the Sixth Circuit did in a landmark ruling last year, Warshak v. US. It holds that text messages, and presumably emails, are like letters or packages, and are protected even though the shipper could open them.

“One of the more complicated Fourth Amendment issues is the effect of acceptable use policies, monitoring policies or other terms of service that say that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement therefore could do so as well. Here, the Ninth Circuit followed its prior ruling in United States v. Heckenkamp which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that it could access his computer in limited circumstances while connected to the university’s network. (Full disclosure: Granick represented Heckenkamp in the first round of motions to suppress in the case.) The Court thus rejected a binary view of privacy, that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches. Unless there is regular monitoring and access, people retain a legitimate expectation of privacy in their messages.”

She also links to Orin Kerr, who notes that there are some potential points of confusion in the ruling.

“Perhaps the most repellent part of this bill (though that’s obviously a close competition) is 802(c) of the telecom amnesty section. That says that the Attorney General can declare that the documents he submits to the court in order to get these lawsuits dismissed are secret, and once he declares that, then: (a) the plaintiffs and their lawyers won’t ever see the documents and (b) the court is barred from referencing them in any way when it dismisses the lawsuit. All the court can do is issue an order saying that the lawsuits are dismissed, but it is barred from saying why they’re being dismissed or what the basis is for the dismissal.

“So basically, one day in the near future, we’re all going to learn that one of our federal courts dismissed all of the lawsuits against the telecoms. But we’re never going to be able to know why the lawsuits were dismissed or what documents were given by the Government to force the court to dismiss the lawsuits. Not only won’t we, the public, know that, neither will the plaintiffs’ lawyers. Nobody will know except the Judge and the Government because it will all be shrouded in compelled secrecy, and the Judge will be barred by this law from describing or even referencing the grounds for dismissal in any way. Freedom is on the march.”

(Link)

“The ACLU is joining with activists from the Ron Paul campaign, represented by Break the Matrix, Rick Williams and Trevor Lyman, and civil liberties writer Glenn Greenwald of Salon, and leading liberal bloggers including, Jane Hamsher of firedoglake, Matt Stoller of Open Left, John Amato of Crooks and Liars, Howie Klein of Down with Tyranny, Digby, Josh Nelson of The Seminal and activist Josh Koster to tell Congress that we will not let them ignore the Constitution or give immunity to telecoms which deliberately broke our laws for years.

“This group of Strange Bedfellows is mobilizing a broad-based left-right coalition of office holders and candidates, public interest groups and individuals who are devoted to preserving basic constitutional liberties to join in the fight. The goal is to work together to impede the corrupt FISA/telecom amnesty deal.”

(Link)

I got that link from Glenn Greenwald, who wrote up a detailed summary of the campaign’s goals, which include electoral punishment of pro-amnesty Democrats.

Nutshell:

“So Phase I, to begin immediately, will focus on ad campaigns against two Democratic pro-amnesty incumbents with no primary challenger (Hoyer and Carney), and one pro-amnesty Democratic incumbent with a credible primary challenge very shortly. Phase II will involve a massive money bomb, to be planned by the same people who were behind the money bombs that raised millions and millions of dollars for the Ron Paul presidential campaign. The dates and other details for that will be announced shortly.

“The plan there is to raise an extraordinary amount of money — dwarfing the $90,000 raised in the last 24 hours — by going to all of the various constituents of each member of this coalition in order to fuel a real campaign in defense of civil liberties, constitutional protections and the rule of law. The money raised will be used to oppose and punish those vulnerable members of Congress who continue to support the evisceration of our constitutional framework and core civil liberties, while supporting candidates and office-holders who meaningfully oppose that assault.

“The Beltway establishment needs to be trained to understand that there is a real constituency for defending our constitutional framework. Thus far, that constituency has been dormant and fragmented, and thus ignored. That, more than anything, is what needs to change, and this coalition and the initial two-phase strategy is intended to be merely a start towards changing that, and will continue regardless of the outcome of this FISA/amnesty vote.”

The entire entry is worth a read. Greenwald notes that Barack Obama has been mailing this response to people inquiring about his stance on telco immunity:

“Giving retroactive immunity to telecom companies is simply wrong. Thankfully, the most recent effort to pass this legislation at the end of the legislative year failed. I unequivocally oppose this grant of immunity and support the filibuster of it. I have cosponsored Senator Dodd’s proposal that would remove it from the current FISA bill and continue to follow this debate closely. In order to prevail, the proponents of retroactive immunity still have to convince 60 or more senators to vote to end a filibuster of this bill. I will not be one of them.”

The New York Times has called on Obama to consider expending some effort on the issue.