Privacy

Posts filed under Privacy

Beware Sears Spyware

Filed in Social Issues. Tags: Computers, Internet, Privacy, Technology

Slashdot reports that Sears is installing spyware under the guise of the "My SHC Community" service. Instead of an innocuous service, users who agree to install the software get ComScore spyware, including a software proxy capable of tracking every transaction performed on the internet - from web sites visited, to login credentials, to emails.

More information is available from the CA Community Advisor Security Research Blog, which indicates that the spyware has been found on the sears.com and kmart.com websites.

If you see a pop-up window soliciting participation in "My SHC Community" do not pass go, do not collect $200, close the pop-up. Better yet, avoid doing business - if at all possible - with companies that would attempt to install spyware (especially companies that do so as deceptively as this).

Facebook, Beacon, and Privacy Rights

Filed in Social Issues. Tags: Internet, Privacy, Technology

Recently, social networking site Facebook has undergone intense scrutiny and backlash for the implementation of its third-party advertising system called Beacon.

For those unaware of the Beacon application, here's a brief primer. Beacon is a JavaScript application used by third-party web sites (such as epicurious, travelocity, blockbuster, etc.) in conjunction with Facebook. The third-party website implements JavaScript code that sends certain data to Facebook. These data may include movies rented at Blockbuster, recipes searched at epicurious, or travel plans booked on travelocity. The websites send these data to Facebook, and if the user of the third-party website can be identified as a Facebook user, the data are published in that user's update feed.

Without re-hashing the explanations given elsewhere, see here for more technical details of the application. Others have listed the third-party websites that have implemented Beacon.

You may be asking yourself why you should care; well, here's why: these third-party websites are sending your personally identifiable user data to Facebook - whether or not you are a Facebook member (as is demonstrated by the previous link explaining the technical details).

It appears that much of the scrutiny has been on Facebook's implementation of the application, and the site's publishing of user-identifiable data. That scrutiny was much-deserved, and Facebook has made significant changes both to the implementation of Beacon and to its privacy policy. In fact, Facebook users can now opt out of the application entirely - at least on the Facebook side.

However, it appears to me that a lot of heat has been placed on Facebook, and not enough on the third-party websites. While it is somewhat more comforting to know that Facebook will not publish user-identifiable information without my approval, the fact remains that all those data are still sent from the third-party websites to Facebook. If those data are tied to a user who has opted out of the application, Facebook has simply indicated that it will discard, not save, and not publish those data.

While I think Facebook has handled the implementation of Beacon poorly, I have a far greater problem with the third-party websites, which have implemented the Beacon application without any notice to or prior approval from their users. (In fact, one lawyer has speculated that Blockbuster is in clear violation of a law that prohibits the release of movie rental data.)

Facebook would certainly be in the wrong for publishing such data without user permission; however, the third-party websites that gather and send those data to Facebook have committed a far more egregious wrong. Sending to a third party data about my purchases and other activities without my permission has to be a clear violation of any worthwhile privacy policy.

Personally, I don't have a problem with the Beacon application; I only oppose its current implementation. Websites should be free to implement the application, but it should be done openly, and in an opt-in manner. If BrandNameWebsite wants to implement Beacon, and send data about my purchases to Facebook, it should give prior notice to its users, update its privacy policy, and require users to opt in to having their data collected and sent.

Fortunately, you have options to control your experience with the Beacon application. As mentioned previously, you can opt out entirely on the Facebook side. You can also use various browser plug-ins to notify you of websites using the Beacon application and to block the application altogether. (Websites that use the application put a few lines of JavaScript code into their website. That code makes a remote call to a known directory on the Facebook website. The plugins work by detecting and/or blocking the URL for the JavaScript code on the Facebook website.)
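The URL matching that such plug-ins perform, as an added example that is not from the original post or from any actual plug-in. The host `tracker.example`, the `/beacon/` path prefix and the sample markup are constructed placeholders, since the post does not give the real script URL.

```javascript
// Added example: flag <script src> URLs that point into a blocked directory on a remote host.
// BLOCK_RULES holds placeholder values; the post does not state the real script location.
const BLOCK_RULES = [
  { host: "tracker.example", pathPrefix: "/beacon/" }, // hypothetical rule
];

// Regex scan of static markup for script src values; scripts injected at runtime are not seen.
function scriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// True when host is the rule host or a subdomain of it, not merely a string suffix.
function hostMatches(host, ruleHost) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return host === ruleHost || host.endsWith("." + ruleHost);
}

// Resolve each src against the page URL, then compare the parsed host and path to the rules.
// Parsing first means relative, protocol-relative and "../" forms are normalised before matching.
function findBlockedScripts(html, pageUrl, rules = BLOCK_RULES) {
  const hits = [];
  for (const src of scriptSources(html)) {
    let url;
    try { url = new URL(src, pageUrl); } catch { continue; } // skip unparseable src
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    if (rules.some(r => hostMatches(url.hostname, r.host) &&
                        url.pathname.startsWith(r.pathPrefix))) {
      hits.push(url.href);
    }
  }
  return hits;
}

// Constructed sample page for a hypothetical shop at https://shop.example/checkout
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="//www.tracker.example/beacon/loader.js?v=2"></script>
<script type="text/javascript" src='https://tracker.example/beacon/../beacon/send.js'></script>
<script src="https://tracker.example.evil.example/beacon/loader.js"></script>
<script src="https://nottracker.example/beacon/loader.js"></script>
<script src="https://tracker.example/help/about.js"></script>
`;

console.log(findBlockedScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

Only the second and third script tags are flagged; the lookalike hosts and the script outside the blocked directory are left alone.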