* Posts by incloud

7 publicly visible posts • joined 29 Oct 2013

Fancy that! Google was keen on 'draining the swamp' in 2013

incloud

Ad domains should use Do-Not-Track

The W3C Do-Not-Track recommendation includes a mechanism (the Tracking Status Resource http://www.w3.org/TR/tracking-dnt/#status-resource) allowing third-party domains on a site (e.g. belonging to servers that present ads - or anything else) to identify themselves in a machine-readable and standardised way. If browsers could be set to block content that does not identify itself in this way, this would go a long way to solving the malware and mal-advertising problem.
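The blocking rule proposed in the post above, sketched as an added example that is not part of the original post or of any browser's code: it validates a Tracking Status Resource body and decides whether a third-party origin has identified itself. The `decide` policy, its `requireIdentity` switch and the sample origins are assumptions made for illustration.

```javascript
// Added example. Sample responses are constructed, not captured from real servers.
// Tracking status values (TSV) defined by the W3C Tracking Preference Expression spec.
const TSV = new Set(["!", "?", "G", "N", "T", "C", "P", "D", "U"]);

// Well-known location of the site-wide tracking status resource on an origin.
function tsrUrl(origin) {
  return new URL("/.well-known/dnt/", origin).href;
}

// Validate a TSR body: must be a JSON object with a valid "tracking" member.
function parseTsr(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: "body is not JSON" };
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return { ok: false, reason: "body is not a JSON object" };
  }
  if (typeof doc.tracking !== "string" || !TSV.has(doc.tracking)) {
    return { ok: false, reason: "missing or invalid tracking value" };
  }
  return { ok: true, status: doc };
}

// Hypothetical blocking policy: allow third-party content only when the origin
// serves a valid TSR; optionally also require a named controller or policy URL.
function decide(httpStatus, body, requireIdentity = false) {
  if (httpStatus !== 200) return { allow: false, reason: "no tracking status resource" };
  const parsed = parseTsr(body);
  if (!parsed.ok) return { allow: false, reason: parsed.reason };
  const s = parsed.status;
  const named = (Array.isArray(s.controller) && s.controller.length > 0) ||
                typeof s.policy === "string";
  if (requireIdentity && !named) return { allow: false, reason: "no controller or policy" };
  return { allow: true, reason: "tracking status " + s.tracking };
}

// Constructed responses for three hypothetical third-party origins.
const SAMPLES = {
  "https://ads.example": [200, '{"tracking":"T","controller":["https://ads.example/about"]}'],
  "https://cdn.example": [200, '{"tracking":"N"}'],
  "https://anon.example": [404, ""],
};
for (const [origin, [code, body]] of Object.entries(SAMPLES)) {
  console.log(tsrUrl(origin), decide(code, body, true));
}
```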

European Commission straps on Privacy Shield

incloud

Do Not Track and PrivacyShield

The Annex II document lays out 7 principles that US companies must abide by once they agree to be covered by PrivacyShield, including Notice, Choice and Access.

Principle 1) Notice. They have to declare who they are, including contact information, what types of data they collect, what their purposes are for collecting it, what third-parties they will share it with etc.

Principle 2) Choice. You must have choice over limiting use and disclosure of your personal data, usually an opt-out but there must be an opt-in for "sensitive" data. This has been diluted by obscure legalese but in the end whatever is offered has to be "essentially equivalent" to the relevant requirement in EU DP law - freely given, specific, informed, unambiguous affirmatively given consent.

Principle 6) Access. You must have access to the data the company hold about you, and be able to correct, amend or delete it. This is also a pale imitation of the EU DP rights to object, access and erase but ultimately will have to be equivalent.

In the context of online data flows the W3C Do Not Track recommendation includes most of the building blocks needed to implement these principles. There is an extensible Tracking Status Resource that can be used to declare the notice requirements, a signal that can indicate a person's right to object to data collection, and an API giving the continuous capability to register or revoke consent.

From the outset Do Not Track was designed to give people visibility of and control over the hundreds of third-party resources embedded in many websites, even in cases where the website owner has not contracted with the third-parties or taken responsibility for their privacy practices.

The clearest way for any US company offering third-party resources to show their support and compliance with the PrivacyShield principles would be to properly implement Do Not Track.

Google turns cookie monster on AdSense, DoubleClick clients

incloud

Google should stop passing the buck, and support Do Not Track

As a site must obtain a user's consent before doubleclick.com or google.com cookies are placed or used (to at last comply with the 2009 e-privacy directive), how is that consent signalled to Google so the cookies or other tracking techniques are not used?

Surely the only way to do this reliably and transparently is to use the W3C recommended DNT (Do Not Track) signal.

Designed to communicate a user's choice not to be tracked, this recommendation also describes the reciprocal signal DNT:0, set via server-placed JavaScript, in order to communicate a user's "freely given, specific, and informed" consent to be tracked across multiple domains, i.e. from a first-party site to its embedded third-parties.

The agreed wording for the definition of "tracking", after much argument and deliberation between all parties including representatives of the on-line advertising industry and Silicon Valley companies is:

"Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties."

Instead of leaving the mess for its AdSense customers to deal with, when will Google finally agree to respect the Do Not Track signal?

Shambolic search for new head of EU privacy watchdog halted

incloud

Re: Abolish the EU

Yes, we could bring back trade barriers and continental war. While we are at it we should restore feudalism and the divine right of kings.

NSA, UK hacked Yahoo! and Google data center interconnects – report

incloud

Why NSA also needs access to US servers' real-time data

It is not surprising that NSA/GCHQ would want to gain access to traffic directed at Google's (and others') servers. The PRISM program gives them access to stored data e.g. contents of gmail emails etc. but an important aspect of these traffic flows is that they contain persistent cookies.

The main fibre links may be tapped but the spooks need a way to extract streams of packets going to or from targeted individuals. They need a persistent common identifier present in the packets so they can thread them together. It is difficult to use IP addresses for this because they are often temporary and shared. For example IPv4 addresses are often only tied to a particular home for a few days, and even then are being shared by every computer user in a family using the NAT protocols. Similarly IPv6 addresses often have anonymous addresses via auto configuration, and this will probably become more common.

Cookies used by Google Analytics, Doubleclick, Yahoo etc. exist in most packets directed at their servers, are specific to each browser/device and last for years. Because elements addressing content held on these servers exist on most web sites, for instance Google Analytics tracker tags exist on over 70% of the most popular 100,000 websites, every visit to them will create a cascade of packets directed at the third-party servers, and NSA/GCHQ can get a cloned copy of these.

These cookies provide a far more reliable and permanent way to track each individual's web activity.

Blighty's laziness over IPv6 will cost us on the INTERNETS - study

incloud

IPv6 supports stateless address autoconfiguration, which means a device's source address can be automatically changed every few hours or days. This is far more privacy enabling than IPv4 NAT because your ISP does not own a database containing your address mapping, and can not share it with a third-party (legally anyway). No web site or third-party server will be able to track you for more than a short period without using a persistent cookie.

This feature needs to be easily available in your device, as it is for example with Microsoft Windows. Interestingly this is not available in some mobile devices such as Android. This needs to be required by law.