Privacy

SPOTLIGHT ON SECURITY

The Great Google Cookie Caper

Google’s privacy practices came under fire again last week for undermining the privacy practices of someone else. Namely, Apple.

Apple is one of the few browser makers that turns off by default a website’s ability to push third-party cookies to a Web surfer.

Cookies can perform a valuable service to users. If you want your home page on Google to be laid out in a certain way every time you land on it, for example, a cookie for the site does that for you.

However, cookies can also be used to track where you go on the Web and feed that info back to third-party marketers.

Plusses and Minuses

The problem with blocking third-party cookies is it can also interfere with some of Google’s services, like +1.

To address that issue, Google created a workaround so that Safari users using the default settings could still use +1. An unforeseen consequence of the workaround, though, was to enable third-party cookies.

The company didn’t anticipate that this would happen, and it has now started removing these advertising cookies from Safari browsers, Google Senior Vice President for Communications and Public Policy Rachel Whetstone said.

It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information, she added.

Google isn’t alone in dodging Safari’s default settings. According to Stanford University researcher Jonathan Mayer, other firms gaming the browser include Vibrant Media, Media Innovation Group and PointRoll.

“From a technical perspective, these companies have been exploiting a bug/vulnerability,” Roel Schouwenberg, a senior researcher with Kaspersky Lab, told TechNewsWorld. “The public should be very worried and upset.”

Another security expert downplayed the significance of Google’s action. “It’s a lot of hoopla over a very narrow issue,” Ben April, a senior threat researcher with Trend Micro, told TechNewsWorld.

“This is not a very serious security issue,” added Symantec Security Response Engineering Director Joe Chen.

If a user is concerned about the issue, he told TechNewsWorld, there are antivirus programs that will alert a user when any website tries to push a third-party cookie to them. Then the user has the option of accepting it or not.

Nevertheless, these kinds of privacy stories will continue to appear until the industry squarely addresses the issue, maintained Chet Wisniewski, a security advisor with Sophos.

“It’s an inevitability that we have to interact with these companies, whether we’re big fans of their products or not,” he told TechNewsWorld. “The question is, are they going to keep playing shenanigans like this or are they going to be adults and say, this is what we’re going to do, this is what we’re not going to do, and if they trip they can be held liable for it.”

FTC Raps Kid Apps

The FTC released a report last week criticizing Apple, Google and makers of mobile apps for collecting data about children without their parents’ permission, as well as being obscure about what data is collected and how it’s used.

The agency said it would be investigating app developers, Apple and Google to determine if privacy violations have been occurring.

Apple Protects Users’ Contacts

After a mobile social networking app called “Path” got caught sipping contact information from iPhones without their owners’ knowledge, Apple stated that it would address the issue with a future update of its iOS operating system.

As it has done with location services, Apple said, any app wishing to access contact data will require explicit user approval in a future software release.

Google Patches Wallet

Google fixed a vulnerability in its mobile wallet app that allowed unauthorized users to tap into prepaid credit accounts previously created on an Android phone. The fix prevents a prepaid card from being re-provisioned to another person.

After the widespread publication of the vulnerability on Feb. 9, Google shut down the use of prepaid cards with its wallet. That service was restored after issuing the fix.

Breach Calendar

  • Feb. 11:
  • A teenage hacker from Morocco broke into a porn site owned by Manwin Holding and posted to the Internet a sampling of some 350,000 pieces of information from users of the site.

  • Feb. 12:
  • Cryptome, a Wikileaks-like site, was breached and malware planted on its servers designed to infect visitors to the site.

  • Feb. 14:
  • The Wall Street Journal reported that Canadian telecommunications giant Nortel was repeatedly breached for almost 10 years, allowing hackers based in China to steal technical papers, R&D reports, business plans and other documents.

  • Feb. 15:
  • DHI Mortgage informed its customers that personal information, including Social Security numbers, may have been compromised when its Internet Loan Prequalification System was breached on Feb. 10.

  • Feb. 15:
  • University of North Carolina-Charlotte‘s computers were breached; the nature and amount of information stolen is undetermined.

Security Calendar

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Privacy

Technewsworld Channels