[facebook and canadian privacy laws]

Time is up for Facebook to find a way to live up to Canada's privacy law after this country's privacy watchdog gave the social-networking website one month to close its "serious privacy gaps."

And if Jennifer Stoddart, Canada's privacy commissioner, isn't satisfied with Facebook's final response Monday, she has two weeks to take the California-based company to Federal Court in Ottawa to try and get a court order requiring it to change its business practices to comply with Canada's Personal Information Protection and Electronic Documents Act, the country's private-sector privacy law.

[...]

The privacy probe began last year when the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa filed an 11-part complaint, alleging Facebook violated key provisions of Canada's private-sector privacy law.

In addition to an "overarching" concern relating to the "confusing" or "incomplete" way in which Facebook provides information to users about its privacy practices, Stoddart concluded Facebook's policy to indefinitely keep the personal information of people who have deactivated their accounts is contrary to the act.

[...]

But the bigger dispute over Facebook sharing personal information to companies that operate third-party applications on its site is another matter, he said.

In order to download popular games and quizzes, Facebook users must consent to share all their personal information, except their contact details. These companies, totalling nearly one million, operate in 180 countries.

Read more here: http://www.canada.com/technology/Facebook%20must%20satisfy%20Canada%20privacy%20commissioner%20Monday/1899277/story.html

[Google eyes Canada rollout of discreet Street View]

From Reuters UK

"Google Inc is considering a Canadian launch of its Street View map feature, which offers street-level close-ups of city centers, but would blur people's faces and vehicle license plates to respect tougher Canadian privacy laws, the Web search firm said on Monday.

Canada's privacy commissioner told Google in August that the feature -- which offers a series of panoramic, 360-degree images of nine U.S. cities -- could violate Canadian laws if it were introduced without alterations.

Some of the pictures feature people who can clearly be identified, which contravenes Canadian legislation on privacy.

"We are thinking about launching it outside the United States, including Canada, and we're looking at how it would have to be different in Canada compared to its U.S. version," said Peter Fleischer, Google's global privacy counsel.

"We would launch Street View in Canada in keeping with the principles and requirements of Canadian law ... that means we know we'll have to focus on finding ways to make sure that individual's faces are not identifiable in pictures taken in Canada and that license plate numbers are not identifiable in Canada," he told Reuters in an interview.

Google had been approached by a number of Canadian cities seeking to be featured, he said."

Read the rest of the article here.

[cctv + traffic wardens = super wardens!]

'Super wardens' go on patrol
Alan Salter
23/ 5/2007

PRIVATELY-employed `super wardens' are to go on patrol in Greater Manchester wearing head-mounted video cameras.

The 20 parking attendants, who work for NCP Services, will be the first in the country to be issued with the equipment.

Their main role is to issue parking tickets but under legislation brought in last year they will also have powers to give on-the-spot fines for anti-social behaviour.

Salford council has asked the wardens to issue penalties up to £80 for offences which include littering, flyposting and allowing dogs to foul the pavement. NCP will use the film as evidence to back up their wardens if any fine is challenged and also in the event of any attack or abuse.

In some cases the footage could be handed to police and used in court.

The first wardens fitted with the RoboCop style cameras will go on patrol in Salford from the NCP HQ in Eccles next month.



"Tony" the Traffic Warden with his CCTV headset

The use of head-mounted cameras was piloted by British Transport Police in Manchester last year and Greater Manchester Police followed suit seven months ago in Little Hulton, Salford, when two officers began using them on the beat.

Local authorities were given greater powers to tackle anti social behaviour under the 2006 Clean Neighbourhoods Act and Salford is one of the first to take advantage of the legislation.

Coun Derek Antrobus said: "We have 20 parking attendants walking around the city and we decided that they might as well look at more than just cars. One of the biggest issues on people's minds is the disrespect that some are showing to our environment. The police have not got the resources when they are chasing criminals so this makes a lot of sense.

"We will be monitoring it very carefully and hopefully the residents of Salford will notice the difference."

NCP's James Pritchard said: "Salford council is very keen to do this and we told them that we were happy for our parking attendants to get involved but they would need a better way of getting evidence.

"The cameras will give a much better standard of evidence in case of disputes or assaults on the attendants.

"We are more than happy to work with the police and pass on any evidence we gather. It can only help them to have people out on the streets with a camera all the time.

"Our attendants do a very good job but they are not police officers and they have very specific powers. It makes the job more interesting."

From the Manchester Evening News.

[digitally literate students = teachers' worst nightmare]

PAUL SHUKOVSKY AND NINA AKHMETELI at Seattle PI report how a student is battling a 40 day suspension from school because he posted a youtube video of his teacher. Not only was the video made without the knowledge of the teacher but the content is extremely inflammatory. The video libelliously raises various questions about the teacher including her hygeine habits (or lack of) while casting aspersions on her professional merit. While people watching the video (parents, students, etc...) might feel the video is warranted - is this really the "due course" for such complaints? The student has gone to court to appeal his suspension citing the U.S. Constitution's First Amendment guarantee of freedom of speech.



Hot on the heels of this youtube video kafafel the bbc reports that Keele University has threatened all students with disciplinary action if any of them post defamatory comments on the internet on sites like Facebook and MySpace. The University says: "Students may face legal action from the members of staff concerned for defamation and harassment."

While students are becoming more digitally literate - using digital cameras, creating and manipulating videos, uploading them, sharing them - teachers must remain extra vigilant (while not quite becoming paranoid!) in the classroom unless they want to become the lastest teacher "forcibly retired" (as the youtube video claims is the case with Joyce Mong). Is this cyberbulling? The online harassment of teachers is causing some to consider leaving the profession because of the defamation and humiliation they are forced to suffer," the UK Education Secretary Alan Johnson says.

[no privacy online - online fingerprints are ba-ack]

New Software Can Identify You From Your Online Habits

IF YOU thought you could protect your privacy on the web by lying about your personal details, think again. In online communities at least, entering fake details such as a bogus name or age may no longer prevent others from working out exactly who you are.

That is the spectre raised by new research conducted by Microsoft. The computing giant is developing software that could accurately guess your name, age, gender and potentially even your location, by analysing telltale patterns in your web browsing history. But experts say the idea is a clear threat to privacy - and may be illegal in some places.

Previous studies show there are strong correlations between the sites that people visit and their personal characteristics, says software engineer Jian Hu from Microsoft's research lab in Beijing, China. For example, 74 per cent of women seek health and medical information online, while only 58 per cent of men do. And 34 per cent of women surf the internet for information about religion, whereas 25 per cent of men do the same.

While each offers only a fairly crude insight, analytical software could use a vast range of such profiles to perform a probabilistic analysis of a person's browsing history. From that it could make a good guess about their identity, Hu and his colleagues last week told the World Wide Web 2007 conference in Banff, Canada.

"It could make a good guess about your identity from your browsing history"

Hu's colleague Hua-Jun Zeng says the software could get its raw information from a number of sources, including a new type of "cookie" program that records the pages visited. Alternatively, it could use your PC's own cache of web pages, or proxy servers could maintain records of sites visited. So far it can only guess gender and age with any accuracy, but the team say they expect to be able to "refine the profiles which contain bogus demographic information", and one day predict your occupation, level of qualifications, and perhaps your location. "Because of its hierarchical structure - language, country, region, city - we may need to design algorithms to better discriminate between user locations," Zeng says.

However, Ross Anderson, a computer security engineer at the University of Cambridge, thinks the idea could land Microsoft in legal trouble. "I'd consider it somewhat pernicious if Microsoft were to deploy such software widely," he told New Scientist. "They are arguably committing offences in a number of countries under a number of different laws if they make available software that defeats the security procedures internet users deploy to protect their privacy - from export control laws to anti-hacking laws."

From issue 2604 of New Scientist magazine, 16 May 2007, page 32

[boo! it's google]

WHO'S AFRAID OF GOOGLE?
Firms in Silicon Valley and beyond fear search giant's plans for growth

For a company that pledged to not be evil, Google makes a lot of enemies.

From Madison Avenue to Hollywood, some of industry's most powerful entities are marshaling their forces to combat a company that has risen to the top of the business world in less than a decade.

Fear is the motivating factor. And with every passing quarter, there is more to be worried about if you count Google as a competitor.

Since going public in 2004, the Internet giant's market value has grown to dwarf Disney and McDonald's combined. Earlier this year, it became the most visited Web property in the world and was named the world's most valuable brand. And its runaway success in search and advertising has big corporations like AT&T and Microsoft crying monopoly without a trace of irony.

In perhaps the greatest testament to Google's power, media reports surfaced late last week that its archrival Yahoo was considering teaming up with Microsoft in an effort to compete.

"Essentially, the new Microsoft is Google," said Jeff Clavier, a prominent Silicon Valley investor in startups.

In an interview with reporters Thursday, Larry Page, Google's co-founder, addressed the perception, saying, "I think, as we get bigger and more successful -- and things have gone very well for us -- it's natural for people to think this." But he denied that Google is anything to fear, adding that his firm has learned from previous examples of companies behaving badly.

Since its founding nine years ago by Sergey Brin and Larry Page, Google has grown into one of world's the most formidable companies. Few others compare in terms of profits, profile and ambitions.

But, as a result of its success, Google has attracted some powerful detractors. Silicon Valley executives fret that Google's success will decimate startups and drive up salaries. Madison Avenue is concerned about the company selling all kinds of advertising, including offline pitches in newspapers and on radio and television. Privacy advocates fret over the vast amounts of information Google collects about its users. And Hollywood is upset about widespread piracy on Google's video service, YouTube. Some entertainment companies are even bringing legal action.

Google says it is innocent on all counts. In fact, the company claims to be a boon to the aggrieved by helping their businesses prosper. Of course, it doesn't hurt to have Wall Street on your side. The company's stock remains lofty, closing Thursday at an astonishing $461 per share.

In Silicon Valley, though, some people aren't as bullish on Google.

King of the valley

In the valley's cutthroat culture, Google is the equivalent of king. And as in many monarchies, the subjects are both submissive and restive.

Rich Skrenta, chief executive of Topix, a local news and community forums Web site in Palo Alto, described Google as being so ahead of everyone else that there is no real No. 2. Startup executives cower at mounting a challenge, he said.

"It's past fear -- it's the stages of grief, it's resignation -- and now everyone's depressed," Skrenta said.

Trying to build another Google-like search engine, he said, is futile. The only hope is to build a company outside of Google's crosshairs, in a niche category that has no clear winner yet.

"Grow a spine, people!" Skrenta implored Silicon Valley on his blog recently, hoping to rally the troops. "Get a stick and try to knock G's crown off."

Even the big guys are squirming, epitomized by last week's revelation that Yahoo and Microsoft had recently talked about merging or partnering to close the gap with mutual rival Google. Discussions about an acquisition are no longer active, according to the reports, although the door is still open for the companies to cooperate in some way.

Of course, those challengers, whatever their size, will have to hire the best and brightest to succeed. That can be costly, however, given Google's deep pockets and penchant for bidding wars.

James Currier, a former venture capitalist and serial entrepreneur who sold the social networking site Tickle to job site Monster.com, said that a company on whose board he serves recently lost a prospective employee to Google. The worker, whom he described as a genius, turned down an offer of $120,000, plus stock options, in favor of a $375,000 salary from Google.

"Google is sucking the oxygen out of the system," said Currier, who has a new startup in San Francisco, Ooga Labs.

But then he voiced the mixed feelings that many executives have about Google: "You can't blame them, though. If I were them, I'd be doing the same thing."

Indeed, Google has a complex relationship with Silicon Valley. Many, such as Currier, admire the company even as they tick off a few grievances.

Rather than operating independently, Google's business is intertwined with thousands of others. Many Web sites depend on the ads Google farms out to them for revenue.

Without the money, many startups would be unable to exist. To a point, Google gets credit for fueling the current Internet boom.

"It's a wonderful thing for consumers," Currier said.

View from Madison Avenue

But Google leadership in online advertising also spooks advertisers. No executive wants to be too dependent on a single company to funnel them customers.

Google will take in 32.1 percent of all U.S. online ad revenues in 2007, according to eMarketer. In search advertising, the company's share will be a more daunting 75.6 percent.

Increasingly, Google is trying to bolster its ad business by expanding to other kinds of marketing, such as online banners, as well as to newspapers, radio and television.

Take Google's agreement last month to pay $3.1 billion for DoubleClick, a company that helps advertisers place their banners across the Web. The acquisition would add significantly to Google's brawn by making it a power player in a new line of business.

Several companies, public advocacy groups and, on Tuesday, the New York State Consumer Protection Board urged the Federal Trade Commission to take a careful look at the merger for fear that it would create an Internet colossus. None other than Microsoft and AT&T, which have had their own antitrust issues, asked that regulators take a close look.

Eric Schmidt, Google's chief executive, responded to complaints at a recent conference, saying "Give me a break" and calling Google's share of the $1 trillion global advertising industry minuscule.

"This is an emergent business with lots of different choices," Schmidt said. "End users have choices, advertisers have choices."

Google's plan to take on all kinds of advertising has Madison Avenue worried. Agencies see Google as potential competition in helping clients create and place advertising.

The only solace is that, so far, Google's offline initiatives have had limited success. But the efforts are nascent, and the company is putting a lot of ammunition behind them.

"It's like the telephone company owning the wires and the towers," Daniel Stein, chief executive of EVB, an ad agency in San Francisco, said of Google's advertising muscle. "But I don't think Google is going to flex that power."

A new villain in Hollywood

Copyright is another area that has generated major headaches for Google. To listen to Hollywood talk, the company has as much respect for the law as Jack the Ripper, given the profusion of pirated video clips on YouTube.

Hoping to crack down on illegally posted video, Viacom sued Google last month for $1 billion for alleged copyright infringement. Google denies any responsibility for the clips, which are posted by users, and said that it takes them down when asked.

"Old media companies are wrestling with YouTube," said Andrew Heyward, former president of CBS News. "The exposure can be very important.

"On the other hand, this is copyrighted content that is expensive to create. Someone has to pay for news; it's not free."

In the meantime, NBC Universal and News Corp. gave Google a big poke in the eye last month by agreeing to create a YouTube rival. The project, to premiere by summer, will make legal, full-length clips available on Yahoo, AOL, Microsoft and MySpace.

Video isn't the only copyright battle Google is trying to fend off. A separate attack by the publishing industry is aimed at Google's copying of millions of library books to make the contents searchable online.

Google building Big Brother?

Fear of Google also extends to its amassing of vast amounts of information about user behavior. Privacy advocates have called the repository of search query histories and e-mail the ultimate Big Brother that law enforcement and civil litigators could use to glean juicy personal information.

Kurt Opsahl, a senior staff attorney for the Electronic Frontier Foundation, a digital rights group in San Francisco, gave the example of a Google user who has HIV but has not told anyone. Anyone who poked around in the user's search record could be tipped off about the secret if the user searched frequently for information about AIDS.

"People can get sensitive about that kind of information being known. But if Google didn't keep that information, people wouldn't be able to get to it," Opsahl said.

In response to the complaints, Google vowed recently that it would make it harder to link users to what they search for online. Under the plan, the company would shroud the information it collects about users in anonymity after keeping it for 18 to 24 months. Opsahl said the idea doesn't go far enough.

Google is by far the most popular search engine among consumers, with 53.7 percent of the U.S. search market in March, according to Nielsen//NetRatings. Yahoo was a distant second at 21.8 percent.

That dominance puts Google in a key position to control information. Links that appear at the first results page become, in effect, a definitive source, whatever the topic.

For businesses, placement in the search engine can mean life or death because customers inevitably spend their money with those that are high on the list. Companies that fall into disfavor on Google amid the frequent changes to its search algorithm are often incensed, and some have gone so far as to sue, albeit unsuccessfully.

Nowhere is Google's control of information more controversial than in China, where it built a search engine that censors results deemed dangerous by the Chinese government.

Human rights groups and members of Congress have attacked Google over the matter, comparing the company to a Nazi collaborator. Google responded that it censors reluctantly under the theory that providing some information to China's residents is better than none at all.

Not quite an 'evil empire'

Despite Google's power, few say the company strikes as much fear in them as Microsoft did during the 1990s, when its near-monopoly on computer operating systems earned it the nickname "evil empire." Google's spotty track record with new products -- few outside of search have much of a following -- and intense competition with other Internet companies keeps it a step below.

"With Google, there is still choice," said Chris Le Tocq, an analyst for Guernsey Research, "so I'm not sure if the 'evil empire' epithet can be equally applied."

But he cautioned that the warning sign will come when Google becomes so dominant that customers cannot do without it. How well will Google deal with its customers' problems then?

In any case, Ellen Siminoff, chief executive of Efficient Frontier, a Mountain View search engine advertising company, said that power shifts quickly in the technology industry, judging from recent history.

"There was a time when Netscape could do no wrong and a time when AOL could do no wrong, and then Yahoo could do no wrong," she said. "Now Google can do no wrong, but that can change."



--------------------------------------------------------------------------------
Wary of Internet giant
Google's long tentacles have many running scared:

Silicon Valley: Concerned that Google's outsize ambition is squashing startups and raising salaries in the tech industry.

Madison Avenue: Fears that Google is taking over the advertising business and making established ad agencies irrelevant.

Hollywood: Takes umbrage at widespread piracy on Google's YouTube video service, claiming it violates copyright law.

Privacy advocates: Worry that Google's collection of personal information will create a massive database that can be mined by government.

Source: Chronicle research



--------------------------------------------------------------------------------
Google by the numbers
In less than a decade, Google has become a corporate colossus. Here are some examples of its muscle:

12,238

Number of employees.

$10.6 billion

Revenue in 2006.

$3.1 billion

Profit in 2006.

53.7 percent

Share of the U.S. search market.

528 million

Global unique users in March.

$143.5 billion

Market capitalization.

$461.47

Share price.

Source: Google, Chronicle research

E-mail Verne Kopytoff at vkopytoff@sfchronicle.com.

This article appeared on page A - 1 of the San Francisco Chronicle

[Google searches web's dark side]

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC.

Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis".

About 450,000 were capable of launching so-called "drive-by downloads", sites that install malicious code, such as spyware, without a user's knowledge.

A further 700,000 pages were thought to contain code that could compromise a user's computer, the team report.

To address the problem, the researchers say the company has "started an effort to identify all web pages on the internet that could be malicious".

Phantom sites

Drive-by downloads are an increasingly common way to infect a computer or steal sensitive information.

They usually consist of malicious programs that automatically install when a potential victim visits a booby-trapped website.

"To entice users to install malware, adversaries employ social engineering," wrote Google researcher Niels Provos and his colleagues in a paper titled The Ghost In The Browser.

Finding all the web-based infection vectors is a significant challenge and requires almost complete knowledge of the web.
Google researchers
Avoiding attacks

"The user is presented with links that promise access to 'interesting' pages with explicit pornographic content, copyrighted software or media. A common example are sites that display thumbnails to adult videos."

The vast majority exploit vulnerabilities in Microsoft's Internet Explorer browser to install themselves.

Some downloads, such as those that alter bookmarks, install unwanted toolbars or change the start page of a browser, are an annoyance. But increasingly, criminals are using drive-bys to install keyloggers that steal login and password information.

Other pieces of malicious code hijack a computer turning it into a "bot", a remotely controlled PC.

Drive-by downloads represent a shift away from traditional methods of infecting a computer, such as spam and email attachments.

Attack plan

As well as characterising the scale of the problem on the net, the Google study analysed the main methods by which criminals inject malicious code on to innocent web pages.


It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets.

Widgets are small programs that may, for example, display a calendar on a webpage or a web traffic counter. These are often downloaded from third-party sites.

The rise of web 2.0 and user-generated content gave criminals other channels, or vectors, of attack, it found.

For example, postings in blogs and forums that contain links to images or other content could unwittingly infect a user.

The study also found that gangs were able to hijack web servers, effectively taking over and infecting all of the web pages hosted on the computer.

In a test, the researchers' computer was infected with 50 different pieces of malware by visiting a web page hosted on a hijacked server.

The firm is now in the process of mapping the malware threat.

Google, part of the StopBadware coalition, already warns users if they are about to visit a potentially harmful website, displaying a message that reads "this site may harm your computer" next to the search results.

"Marking pages with a label allows users to avoid exposure to such sites and results in fewer users being infected," the researchers wrote.

However, the task will not be easy, they say.

"Finding all the web-based infection vectors is a significant challenge and requires almost complete knowledge of the web as a whole," they wrote.



Story from BBC NEWS

[cctv lip-reads]

"'Read my lips...'" used to be a figurative saying. Now the British government is considering taking it literally by adding lip reading technology to some of the four million or so surveillance cameras in order identify terrorists and criminals by watching what everyone says. Perhaps the lip-reading cameras and the shouting cameras will find something to talk about."

From Slashdot

---

A List of Big Brother-type Gadgets from infowars.net

• Talking/Shouting cameras - In an incredibly Orwellian move, loudspeakers are being fitted to surveillance cameras throughout major cities, allowing CCTV operators to bark commands at people who drop litter, act in an aggressive manner or loiter. Some of these cameras will even use the voices of children who will be recruited from schools to take part in the scheme and will be shown round CCTV operating rooms on school trips, learning how wonderful the big brother state is and how forcing people to behave in a certain way in public is the essence of a free society.



• X-Ray firing cameras - Documents leaked from the Home Office have revealed that the government is looking into using X-ray technology cameras by concealing them in lamp posts to "trap terror suspects". The cameras allow operators to see through people's clothes and look for suspicious items.



• Eavesdropping cameras - London police and councils are considering monitoring our conversations in the street using high-powered microphones attached to CCTV cameras that can pick up "aggressive tones" on the basis of 12 factors, including decibel level, pitch and the speed at which words are spoken.



• Face scanning cameras - linked into a national database software will allow cameras to scan hundreds of faces a second in crowds of people.



• Behaviour monitoring cameras - These devices are programmed to sound an alarm when they spot suspicious behaviour, such as waiting somewhere for a prolonged period of time or just walking in a suspicious way. These have already been deployed in airports and train stations.

[american universities and Truth]

Stanley Kurtz writes:

Last week I attended the premiere of Indoctrinate U, Evan Coyne Maloney’s documentary about campus political correctness. It’s a fun and powerful piece of work that deserves a wide audience. The film features plenty of encounters between Maloney and college officials who, after being embarrassed by Maloney’s questions, invariably summon police to have him evicted. These confrontations are entertaining, but the real force of this film flows from Maloney’s recounting of a series of incidents of campus political correctness. I had never heard of any of these cases. Yet each of them is remarkable.

from Evan Coyne Maloney's (the producer of Indoctrinate U) site.

[Google's $3.1 billion deal for the online advertising firm DoubleClick could put the company at odds with itself]

Internal conflicts often happen in finance, when investment banks find themselves advising both sides in a merger. And it happens in agribusiness, energy and other industries where giant companies with fingers in many pies are both buyers and sellers of the same commodity. But it is particularly common in technology and media.

The DoubleClick deal has prompted Microsoft and IBM and others to ask the Federal Trade Commission to investigate the deal on antitrust grounds. And privacy advocates worry that Google will not live up to its pledge to keep the customer data collected by DoubleClick out of the hands of Google's search managers.

But the thorniest conflicts could arise from DoubleClick's Performics division.

Performics helps its clients get better position in search results. Essentially, it works to game the systems of Google, Yahoo and other search engines.

"Google is treading in dangerous waters right now," writes Ross Dunn of WebProNews.com. Google's search results "are supposed to be unbiased and highly relevant," but with Performics, "Google is put into the conflicted position of trying to generate profits by providing result-oriented organic ranking services for its own 'unbiased' organic search results."

The worry, in other words, is that Google's search results could be compromised by operating a division with an interest in skewing those results in favor of clients.

[...]

"Google is treading in dangerous waters right now," writes Ross Dunn of WebProNews.com. Google's search results "are supposed to be unbiased and highly relevant," but with Performics, "Google is put into the conflicted position of trying to generate profits by providing result-oriented organic ranking services for its own ‘unbiased' organic search results."

The worry, in other words, is that Google's search results could be compromised by operating a division with an interest in skewing those results in favor of clients.


To continue reading the CNet article click here.

[google ≠ privacy]

Google's Data-Storing Feature Fuels Privacy Fears
By Joseph Menn, Times Staff Writer
April 21, 2007

"Facing worries about its tracking Web surfers' every move, Google Inc. is now offering a feature to track Web surfers' every move.

Its free Web History service is strictly voluntary — Google users can sign up to have the Internet giant keep detailed records of every website they visit so they can easily find them again later.

The feature is similar to that offered by Web browsers, except the data are stored on Google's servers instead of users' computers and there's no set time after which it is erased.

Web History's quiet debut this week came as privacy advocates continued to raise alarms about the prospect of Google combining its collection of information on individuals with that of DoubleClick Inc. Google has agreed to acquire the New York-based company, which distributes Web ads and tracks where the majority of people go on the Internet, for $3.1 billion.

Three consumer groups filed a complaint over Google's privacy practices with the Federal Trade Commission on Friday, asking it to investigate before approving the DoubleClick deal.

The Electronic Privacy Information Center and two allied groups make a novel argument: Although Google discloses how it retains data in its privacy policy, the search engine goliath is engaging in deceptive practices because most Google users don't know that their search queries can be tied to them, the groups say.

The complaint to the FTC cites a 2006 poll by the Ponemon Institute, a Michigan-based research group that studies privacy issues. When Google users were asked whether they believed that the company captured data that could be used to identify them, 77% said no.

In fact, Google ties search queries to the Internet address associated with a specific computer. The Mountain View, Calif.-based company said last month that it would "anonymize" the data by stripping those addresses from its records after 18 to 24 months.

"Polling information can be persuasive in establishing a reasonable belief that the data aren't identifiable," said privacy attorney Chris Hoofnagle, who worked at the Electronic Privacy Information Center and is now at the Berkeley Center for Law & Technology. "They've got a shot, but it's still a stretch."

In a statement, Google said the electronic privacy group's complaint was "unsupported by the facts and the law." It said that the trust of its users was essential, that its privacy policies were clear and that its users were given choices about what would be done with their information.

Google says the personal data it collects allow it to customize its search and other services, making them more useful for consumers.

Gartner Inc. analyst Allen Weiner agreed that Google users benefited from the practice but said it was a trade-off most people were uncomfortable with. Still, he said, Google continues to push the boundaries because "in order to continue to evolve its product, it truly needs for some of these things to be overcome."

Privacy concerns also have arisen over DoubleClick. A public outcry in 2000 ended the ad company's efforts to use people's names and Internet addresses in tracking online habits. In 2002, it settled lawsuits by state attorneys general and consumers over its privacy practices and promised to tell consumers more about their ability to block tracking software.

Google and DoubleClick took pains this week to explain that because only DoubleClick's advertising clients own the data about where Web surfers go, Google cannot simply merge that information with the profiles it has.

But Richard M. Smith, a privacy and security researcher, said Google could instead give its data to DoubleClick's clients.

"It doesn't matter if it is in one big database," Smith said. "It will go the other way."

DoubleClick referred questions on that theory to Google, which declined to make an executive available for comment.

As for the new Web History offering, Smith notes that Google already collects lists of websites visited when people use its Toolbar and PageRank functions.

Web History, Smith said, "illustrates to people directly how much information Google is capable of collecting."

[privacy policy - i think not...]

*Beware of other sites infiltrating your address book...sadly, Flixster is not the only one.* (See this article from two years ago!)


Is Flixster a Big Fat Spammer? Are They Accessing Your AOL or Hotmail Address Book? The Answer to at Least One of These is Yes!

Recently I started getting invitations to join Flixster from both friends and complete strangers. Obviously, this was spam, but why were these complete strangers sending it to me? (For that matter, why were these friends inviting me to join Flixstr, which is a social networking site geared towars movie reviews?)

Here’s what the typical spam invitation for Flixster looked like:
–
To: me@example.com
Subject: John D has sent you a private message

http://www.flixster.com/servlet/invite/619917699cmcA619918163Btlkhlp3Cm

John D

This note was sent via Flixster by John D (johndoe@hotmail.com) to me@example.com. If you prefer not to receive emails like this, tell us here: http://www.flixster.com/DoNotSend.jsp?e=me@example.com.
–
Then I noticed two curious things: 1. All the spam was coming from AOL and Hotmail accounts - real AOL and Hotmail accounts of real people, and 2. It was coming not just to me, but to role accounts at our organization - for example support@example.com. These people had really contacted us for support at one time or another, but a generic role account would hardly be a friend to whom you would send an invitation.

Then I got email from someone, a professional contact with an address at AOL, asking me (and everyone else in his address book) to please ignore the invitation to join Flixster which appeared to come from him but which, he said, had actually been sent by Flixster.

So, what is actually going on?

We decided to investigate, and here is what we found:

Once you join Flixster, Flixster commandeers your address book - your list of all of your personal contacts in your AOL (or Hotmail, Yahoo or Gmail) address book - and sends out an invitation to join Flixster “from” you. Oh sure, you enable them to do it - but clearly enough people are unaware of what they are doing that it’s causing a problem.

How?

Flixster is getting their AOL (and Hotmail, and Yahoo, and Gmail) passwords!

Read on.

Using AOL as an example, when you first sign up for Flixster using an AOL email address, after you select a username and password, the very next screen prompts you for your AOL password!

Here’s that screen - look how compelling it looks that you should give them your AOL password!:



If you use a Gmail address, you can get the same screen, only with the Gmail logo. Same for Hotmail and Yahoo.

Once you give them your password, they grab everyone’s email addresses from your AOL, Hotmail, Yahoo or Gmail address book, and spam them with the invitation. In your name using your email address.

And they access your AOL account before you ever get to the next step. Even though they make you feel as if you have complete control over the process by telling you “On the next page you will be able to select whom to invite”, they already have your contacts by that point. How do we know they access your account first? Watch what happens if you give them the wrong password:



How compelling does that look?

Now, who do we blame for all this? Flixster for asking for the password? The user for giving it to them? After all, the user had to take an affirmative action to send you the invitation spam. But, do they feel compelled to send it? Do they even understand what they are doing?

Do they feel that their ISP has approved this or even partnered with Flixster because Flixster has placed their ISP’s logo right next to the password prompt?

Is this phishing in plain sight?

For their part, Flixster is not only unrepentant about their tactics, but brag about them. An article in American Venture Magazine following Flixster’s getting $2million in VC funding last month, included the following:

“But the site has also grown due to its aggressive viral marketing practices that have raised the hackles of some potential users. Such practices might include the automated selection of your email account’s entire address book in order to send a Flixster invitation to all of your contacts. (Emphasis ours.)

But such practices are becoming increasingly more common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget.

“I attribute our success to a combination of both of those,” Greenstein said. “We make it easy to invite your friends. Other sites don’t provide good ways for people to spread the word. And, we tried to build a really compelling site.”

Flixster’s Terms of Service start out by saying: “I can’t believe you really clicked on this. What are you trying to find out? Here is our privacy policy (link to privacy policy).”

If you actually go on to read their Terms of Service, however, you’ll find that they mention nothing at all about this. Nothing. One way or the other. But they do, ironically, state that it is a violation of their Terms of Service to “Create a false or misleading identity of, including, but not limited to, a Flixster employee, or falsely state or otherwise misrepresent your affiliation with a person or entity, for the purpose of misleading others as to the identity of the sender or the origin of a message or to harvest or otherwise collect information about others.”

Oh, and it’s also a violation to “Disseminate any unsolicited or unauthorized advertising, promotional materials, ‘junk mail’, ’spam’, ‘chain letters’, ‘pyramid schemes’, or any other form of such solicitation, or to “Harvest or collect email addresses or other contact information of Members, including usernames, from the Flixster.com website by electronic or other means.”

But, it’s ok, because their entire TOS is governed by their privacy policy, which states very clearly:

“Our Just-Say-No-to-SPAM Policy

We do not send SPAM of any kind. The only email you will get from us is a weekly update of the latest movies and quiz questions and, of course, any personal messages sent directly to you by your friends.”

Me? I’ve now got a Just-Say-No-to-Flixster Policy.



NOTE the comment from one of Flixster's founders:

Hi Anne,

I am one of the founders of flixster. I happened upon your article via technorati.

As a social community on the web, we take issues of email privacy and permission very seriously. Obviously i am saddened by the way your article describes us. Let me clarify a couple things…

1. We do allow users to access common web-address books to select friends to invite. The whole point of flixster is sharing movie ratings with friends - so making it easy to invite people is very important for us. (This is also incredibly common practice around the web - see yelp/facebook/myspace and many others that also offer it. Plaxo actually offers a popular widget to allow any site to offer this feature).

2. We don’t do anything tricky or misleading. The invite friends screens are all clearly explained (visible even in your slightly fuzzy screenshots) and to actually send anything the user must click a button labelled “send invitations” on a screen with their friends names and a list of checkboxes.

2. We use the user’s credentials only to retrieve the contact list and then do not store them in any way. We absolutely don’t do anything malicious or affect their account in any way.

3. The user is then ALWAYS given the list of contacts and asked to select whom to invite. We do not invite anyone they do not select. Of course we want people to invite friends to come try our site - but it absolutely does not benefit us to send invites they didn’t intend and end up with angry users.

4. Once registered, users can control their settings on every single email we send - from weekly movie summaries to new friend requests. If you choose, you can receive no email from us at all.

5. We never sell, rent or buy email addresses from anyone. We are a small company. The intro to our terms of service was intended to be funny. In no way does it reflect us taking privacy issues lightly - which is exactly why we wrote our privacy policy in such clear terms.

Anyway, if you have any questions or want to discuss with me, drop me a note at the email above. i appreciate that your efforts are to help protect people from malicious or dangerous sites - a noble endeavor - i’m really sorry that you felt like our site fell into that category.

Sincerely,
Joe G