Security


A small rant about Google Analytics and Privacy Statements

This week I once again had the debate with a site's legal team about how using google analytics violates the privacy of a site's users.

This is not a huge issue for many sites, but if your site has a privacy statement, you are legally bound to adhere to it -- and many privacy statements are explicitly violated by the use of google analytics.

If your privacy statement says that "we log hits to our website by IP number and use that data to better understand how people use our site. No private information about our users is stored and no private data is shared with any company" AND you are using google analytics, you are breaking the law. You have violated your privacy statement.

I argued that the privacy statement of a site using Google Analytics should be clear: "we log hits to our website by IP number and use that data to better understand how people use our site. We use Google Analytics to do this review of website use, so any information that Google has keyed to your IP number will be correlated with the logs of your visits to our site for whatever purpose Google's policy allows."

The end result was "Visits to this website are logged. These logs of information are used to better understand how people use our site. This analysis is done using the Google analytics service. Google's privacy policy may be found here" (with a link to the Google Analytics Terms of Service page at http://www.google.com/analytics/en-GB/tos.html; see section 8 for privacy-related information).

[note that the above privacy statement has been altered to avoid the possibility that you can use a search engine to determine the site, if you get an exact match, or one even close, you have found the wrong site]

Here is the (lack of) privacy policy language that is suggested by Google at that page:

"This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above."

So, essentially if you use google analytics you are violating the privacy of those that visit your website.

While they do say that they will not associate the server access information they gather about you by your IP number with any other data they have stored, it says nothing about the third parties that process data on Google's behalf. Think twice before handing over so much data to the Google hive mind/data mine. There are plenty of Free Software tools available for analyzing your web server logs.

Ahhhh. I feel better now. Time to get back to work.

What are the services though?

You say there are free software tools available for analyzing web server logs, but what are they? What do you use?

It is something to be concerned about.

You know, I believe that power engenders corruption. I believe also that in the years to come, Google will become an internet monopolist by their sheer wealth of stored information about individuals and their behaviour. I think it is imperative that users be made aware of Google's uninvited presence and allow them to exercise their right to retake control of their privacy. I've searched for people through Google and am sometimes shocked at how much "private information" is available because of Google's broad scope of analysis. Thank you for bringing this usually unknown background datamining activity to our notice.

Thanks for this information,

Thanks for this information, it was very helpful. Keep up the good work.

This is very helpful for me

This is very helpful for me. Thanks

Swrina,
-------------

I'm adding this to our privacy statement

It makes sense to me to let users know, and I was conflicted about it until now. Google collects information, and the users should know about it if they visit your site. Thank you for your opinion which to me is more fact than anything.

Aaron

I'm sometimes amazed at what

I'm sometimes amazed at what we can see with Web Analytics about what happens in a website and I wonder how the privacy notion will evolve in the future. I guess that time will tell. I’m happy to read in WAA’s latest newsletter that they have dedicated a chair to privacy. I guess it will be of interest for everyone in the industry.

Fantastic piece. I'll be

Fantastic piece. I'll be passing it around. Hope to read more from you.

online casino

You know, I believe that

You know, I believe that power engenders corruption. I believe also that in the years to come, Google will become an internet monopolist by their sheer wealth of stored information about individuals and their behaviour. I think it is imperative that users be made aware of Google's uninvited presence and allow them to exercise their right to retake control of their privacy. I've searched for people through Google and am sometimes shocked at how much "private information" is available because of Google's broad scope of analysis. Thank you for bringing this usually unknown background datamining activity to our notice.

http://www.google.com

strangest spam comment in a while

I get a ton of spam comments these days. Many of them seem legit but contain some stupid link to some lame scam loan site or shoe store.
However, this comment just leaves me scratching my head. A spam link to Google? Really? What's the point? Shrug. I guess I'll leave this one here so I can make this silly comment about it.

Strangest Comment

Hello there Eric,

I believe that person was probably testing whether they actually *could* leave a comment with a link in on your site, and the only way to do that is to go through the whole process and submit it, clear cookies and then see if the link appears. It tests for a number of things, whether you have mollom installed, whether you have nofollowed the links, whether you allow anchor text etc., although the fact that this person didn't submit any anchor text also leaves ME scratching MY head too! LOL.

Or, maybe they were just drunk :-)

And to finish this off, here is my own blog - lawn sweeper - shamelessly linked. Remove it if you wish but you can't knock a guy for trying. ;-)

Best Regards,

Tim

I think you are right

It makes sense that it was a test to see what might be possible to post via an automated bot.

Shortly after that post, I changed the settings so comments only show up after I approve them and I don't get around to that often so maybe I should move to mollom.

Thanks for the comment, and since your comment is actually on-topic and you are self-aware about the shameless nature of your link, I think I'll leave it in.

Through Google

I've searched for people through Google and am sometimes shocked at how much "private information" is available because of Google's broad scope of analysis. Thank you for bringing this usually unknown background data mining activity to our notice... thanks

blocking the google hive mind

In an online discussion today, Matt pointed out to me that Google Analytics is less than useful because it is so easy for people to block the Google javascript file via the Firefox Adblock add-on.

Yet another reason to tell clients and friends to avoid getting hooked on google analytics.

So, everyone follow along:

Step one: get firefox ( http://getfirefox.com )
Step two: get the ad block plus addon ( https://addons.mozilla.org/en-US/firefox/addon/1865 )
Step three: open the ad block plus preferences
Step four: click "add filter" and put http://www.google-analytics.com/* in the field; click save

Done, you have now protected yourself (a bit) against the intrusion of Google in your life.
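To make step four concrete, here is an added example (my own code, not from the post or from Adblock Plus itself) that applies the post's filter to constructed sample URLs with a small matcher for basic Adblock Plus filter syntax. It also tries a domain-anchored filter, `||google-analytics.com^`, which is my assumption rather than the post's, to show that the post's filter only matches that exact scheme and host.

```python
import re
from typing import Iterable

# The filter from the post, plus (as an assumption, not from the post)
# the domain-anchored form that also covers other subdomains and https.
POST_FILTER = "http://www.google-analytics.com/*"
DOMAIN_FILTER = "||google-analytics.com^"

# Constructed sample URLs for the demonstration (not captured traffic).
SAMPLE_URLS = [
    "http://www.google-analytics.com/ga.js",
    "http://www.google-analytics.com/__utm.gif?utmwv=4",
    "https://ssl.google-analytics.com/ga.js",
    "http://www.example.org/analytics/ga.js",
]


def abp_filter_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a basic Adblock Plus blocking filter into a compiled regex.

    Supported syntax: '*' wildcard, '^' separator placeholder,
    '||' domain anchor and '|' start/end anchors (no '$' options).
    """
    if pattern.startswith("||"):
        # Domain anchor: any scheme, then optional subdomains, then the pattern.
        prefix = r"^[a-z][a-z0-9+.\-]*://(?:[^/?#]*\.)?"
        pattern = pattern[2:]
    elif pattern.startswith("|"):
        prefix = "^"
        pattern = pattern[1:]
    else:
        prefix = ""
    if pattern.endswith("|"):
        suffix = "$"
        pattern = pattern[:-1]
    else:
        suffix = ""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "^":
            # Separator: anything except a letter, digit, '_', '-', '.', '%',
            # or the end of the URL.
            parts.append(r"(?:[^\w\-.%]|$)")
        else:
            parts.append(re.escape(ch))
    return re.compile(prefix + "".join(parts) + suffix, re.IGNORECASE)


def is_blocked(url: str, filters: Iterable[str]) -> bool:
    """Return True if any filter matches the URL (an unanchored filter may match anywhere)."""
    return any(abp_filter_to_regex(f).search(url) for f in filters)


def blocked_urls(urls: Iterable[str], filters: Iterable[str]) -> list:
    """Return the subset of urls that the given filters would block."""
    flist = list(filters)
    return [u for u in urls if is_blocked(u, flist)]


if __name__ == "__main__":
    for f in (POST_FILTER, DOMAIN_FILTER):
        print(f, "->", blocked_urls(SAMPLE_URLS, [f]))
```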

For even more anonymity...

Even better, Adblock Plus allows you to subscribe to centrally-maintained lists of sites to block: http://easylist.adblockplus.org/

With EasyList, EasyElement, and the ABP Tracking Filter you'll block google analytics and many other similar services. You can give feedback on the forums if you want to suggest a new item to block, or notice a problem with the lists. Your browser will automatically download new versions when available.

Fcuk google

I agree, download latest Firefox (3.5.1 at time of writing)

Then go to add-ons (just google firefox add ons) and download:
NoScript (superb and you can block google analytics with it, as well as anything else)
Bad Privacy (deletes all those super cookies and flash lso’s that doing a normal delete all and cleaning out ya temp files won’t get rid of, nor will even a dedicated program like cc cleaner etc as good as that is, so it’s essential in my own opinion)
Ad Block Plus (fantastic lil program)

And others that are good but in no means security related are:
Dictionary (your own language of choice of course)

Tab Mix Plus (for some reason, Mozilla's add-on page does not have a compatible version with the latest firefox :S weird, but below is a link to the add-on author's page which goes to a dev link which is totally 100% compatible :)
http://tmp.garyr.net/tab_mix_plus-dev-build.xpi

Colourful tabs (pretty much self explanatory lol)
https://addons.mozilla.org/en-US/firefox/downloads/latest/1368/addon-136...

Hope that helps, adios
Super Rat

PS: actually, stop using google is another opinion (also entirely mine lol)
I myself now very happily use Bing http://www.bing.com
I find their page fresher and nicer to use, it's easier to say lol, and most importantly results are easily on a par if not far better IMO, especially image search IMO (please note we do not need a load of google lovers telling me I'm wrong, I have gone to the trouble of explaining this in my OWWWWWN opinion, after years of using google and months of happily using Bing).

Be daring, use something different and see for yourself!
Doesn't have to be Bing that was an example, many others out there…

Also if you use firefox and you want an add on to add Bing as the default search engine in the in built search engine, please go to

https://addons.mozilla.org/en-US/firefox/downloads/latest/10434/addon-10...

AND BING DOESN’T TRACK YOU LIKE GOOGLE DO – lol yet…
But the point is they don’t at present, whereas google blatantly do!

another big lie: obscurity == security

I was doing some research today, keeping up on new developments in HIPAA compliant software. (HIPAA is U.S. law which regulates the portability, privacy and security of healthcare information)

On the site of a software company that is selling a "secure email system" that they claim is HIPAA compliant, I found the following completely ignorant statement about the relationship between security and free/open source software:

"Why does SafetySend use Proprietary Code and Technology?
Because any code or technology that can be purchased is vulnerable. Generic security codes and technology is considered 'at risk' because of its shared accessibility. SafetySend code and technology is exclusive and not sold or shared. If you can buy security technology, it can be compromised."

This is completely false and misleading.

Before I continue to rant, let me explain that there are two ways of looking at digital security: Security by obscurity or Security by design.

SafetySend believes that their product is secure because the code is kept secret (security by obscurity). There could be very serious holes, but they think that by keeping prying eyes away from the code no one could ever figure out where the holes are. History has shown that keeping something secret rarely works to keep it secure.

The security by design camp believes that by releasing code for frequent and open auditing, code can truly be made secure. It is not a failure when a security hole is found via such an audit, it is part of the process, it is a good thing as it allows for that hole to be patched.

Technologists have to assume that the entire design of a security system is known -- at least to those that want to compromise your system. The only piece of data that must remain private is the cryptographic key, which also should be easy to regenerate from time to time (and not be a hard-coded part of the application).

Releasing code does not automatically mean it is vulnerable -- any code is vulnerable. The issue is how you handle that reality.

Think of it as the difference between hiding under your bed because you are afraid someone might pick your lock and learning how to pick locks (or hiring a locksmith that knows how to pick locks) to test and make sure your locks are secure.

When security-related code is released as Free/Open Source Software, the developers explicitly reject the idea of security through obscurity: the code must be designed to be secure. It has been argued that this publication of source code can actually improve security because the code can be peer-reviewed by anyone.

The end result is that bugs are found and fixed, instead of hidden. Many security holes that are ignored, for example, in proprietary operating systems have been found, published and patched in Linux. It is not despite but because of the open nature of the code that it becomes more secure.

PGP is a publicly published codebase for encryption. The fact that it is public has not changed its status as a military grade encryption tool. The argument put forth by the folks at SafetySend to sell their product is completely false.

Keeping insecure code private does nothing to make it more secure or less vulnerable.

Thanks

Every once in a while I find myself talking with a vendor who thinks they'll get anywhere by pulling that particular batch of wool over my eyes and it really pisses me off.

Too many organizations are overwhelmed by anxiety about security and don't really understand the difference between obscurity and real security. In my experience, many organizations also get stuck on the difference between open source software and publishing data for the world to see. I usually go back to the same lock analogy: security by obscurity means that you're relying on the lock-maker to be telling the truth (this lock is secure. trust me.) where as a free and open source lock, by necessity, is available for scrutiny. I can look over the lock design, take the lock apart and study its inner workings: if I do the leg work, I can *know* that this is a well designed lock. I'm not leaving it to trust.

Virus hidden as Facebook Application?

A friend complained on facebook today about an application called PicDoodle that she had installed.

It was supposed to give her a way of drawing fancy things on images and share that fun with her friends.

Instead, she got one of her images with a roughly scrawled heart in the corner, and it has automatically been taking names from her friends list and "tagging" the image with their names.

When one of those friends goes to see what they've been tagged in, they are told that to see the real fun they have to install PicDoodle too. After installing PicDoodle you apparently don't see anything different, but you now have a PicDoodle post that starts tagging your friends to get them to install PicDoodle.

So, from what I can find out and from what I've seen so far I can only assume that PicDoodle is essentially a virus, or Trojan horse. It exists to mine the data in your account and share it with whoever wrote the application.

Does this make picDoodle the first successful example of a data-mining privacy violating virus hiding itself as a fun facebook app?

From what I can find, it's the perfect example of why I never allow apps access to my account: no quizzes, no superpokes, no steal-my-friends-list to con them into installing an app that will steal their friends list to con them...

If you're on facebook, go to http://www.facebook.com/apps/application.php?id=35731868204 to block the application from ever accessing your data.

follow-up

Info on how to uninstall PicDoodle can be found here: http://www.facebook.com/group.php?gid=76716075179

It might be a virus, it might just be a "mistake" as the press release circulating from the folks that made the application says, as they move as fast as possible trying to cover their asses. My vote is still for malicious over mistake. But either way it's a dangerous app that should be avoided.

[second update]
I think this is the best summary of the issue I've read so far: "PicDoodle virus shows Facebook’s true colors".

picDoodles

I am already very sick of this and its misleading info. Why can't Facebook get the clue and block crap that harasses us or is outright FAKE!

Not the first

I've seen a number of similarly annoying applications. For example, for a while it was common for an application to require you to invite some number of your friends to also use the application before you could begin to use it yourself. Periodically, after public outcry, specific strategies have become banned. But it's still Facebook that sets the terms; another example of the drawbacks of a private corner of the internet managed by and for one corporation. My favourite analogy to explain this to non-technical friends is that Facebook is to the internet what the food court of a shopping mall is to a public park -- at first it looks like public space but if you interfere with the owner's profit motive, you won't be there long.

Bad Face Book App

One of my colleagues installed the PicDoodle Application, and saw similar results. It started tagging random people to random pictures. I don't possess a technical background, but I would assume Facebook slipped up on letting this application through their moderation process. I've heard of people's accounts being hacked because users input private data on sites that look like a link they clicked...but to allow a malicious app through the moderation process is on Facebook.

Frank Brown
Immigration lawyer
Seattle, WA

Thanks for the great tips. I

Thanks for the great tips. I have been using Facebook for quite a long time but I had never met anything like this. I don't understand why people are doing those things. I mean, why are they creating those Trojan horses and viruses? I know that they can steal valuable information from your computer using Trojans, for example your bank or credit card information. But what is the point of those Trojans in Facebook? To get my account information? And what will they do with that information? I can't get it at all. But unfortunately there exist such dummies.. Thanks one more time for the great tip, I will be more careful in my Facebook account after reading it. Oh, and I will be looking forward to other great articles from you in the future.

Sincerely,

Kevin Tillson (from application development services)