Microsoft, Google and Facebook should do more to protect their users' privacy online, but these types of safeguards conflict with how these technology and Web giants make their profits, according to one expert.
be built into online services by default, but it won't happen so long as
companies, such as Microsoft, Google and Facebook, rely on advertising to make
money, according to a prominent privacy activist.
technology vendors are providing sophisticated applications in exchange for
user data, such as their preferences, online activities and behavior,
Christopher Soghoian, a Washington, D.C.-based graduate fellow at the Center
for Applied Cyber-Security Research, said in his keynote speech at the
Kaspersky Lab Security Analyst Summit Feb. 3. When the companies have to decide
between making money and protecting user privacy, business needs take priority,
he told attendees.
their business models and your privacy conflict, only one will survive,"
not "cheap" to develop, but companies are giving them away in order
to make it easier to collect user data, said Soghoian. Most popular browsers by
default are set to accept cookies that Websites and third-party advertiser
networks can use for online tracking. Apple's Safari accepts cookies from the
Website, but actually disables third-party cookies by default. Apple took the
"responsible route," said Soghoian.
business model relies on Internet users to surrender increasing amounts of
information, Soghoian said. If the interface "sucks," users won't use
the privacy settings effectively and will make mistakes, resulting in data
being exposed. The difficulty is intentional, since companies know that users
are less likely to bother with turning on privacy settings if the options are
hard to find or understand.
Microsoft, Facebook and Twitter all offer HTTPS on their online services to
encrypt connections and prevent malicious attackers from intercepting user data
while in transit. It takes six distinct steps to turn on HTTPS in Microsoft's
Hotmail, and Facebook has been criticized for its confusing array of privacy
pages. Before Google took the step to enable HTTPS by default for all Gmail
users, the HTTPS option was buried at the bottom of the settings pages. It was
the "least important" option, said Soghoian.
are generally not designed by security-minded developers or developers thinking
about the best user experience, but rather by the people who have an
"understanding of human psychology" and are not concerned about the
user's best interest, said Soghoian. What settings are on or off by default is
just as important as what the interface is like, he said.
companies have default settings that are not private and not secure, because
they know consumers will never change these defaults," said Soghoian.
implemented HTTPS, it initially justified the decision to turn off the option
by default by claiming that encryption potentially slowed down page performance
and had additional performance overhead. A difficult privacy question over
encryption and privacy was just "left up to the users," said Soghoian.
switched to using HTTPS by default shortly after it disclosed that Chinese
attackers had breached several Gmail accounts that belonged to U.S. government
Twitter still have HTTPS turned off by default, even though Facebook enabled it
by default for its Tunisian users after reports emerged of the government
eavesdropping on its citizens last year.
often bundled into other software installers. The average Internet user doesn't
want the toolbar but is tricked into installing it. When installing Adobe
Reader, users are opted in by default to install Google Toolbar, and the Java
installer has a similar option for the Yahoo toolbar. Often, users don't even
know how they wound up having several toolbars taking up space at the top of
the Web browser.
defaults lead to good choices," said Soghoian.
deliver a privacy-protecting product for free, said Soghoian. Since Microsoft
and Google can't put tracking technology inside the Web browser itself, they
rely on their advertiser networks Atlas and Doubleclick, to harvest user data
from browser history, headings and user-submitted content.
designed to "spew data all over the Internet," he said.
A version of
Internet Explorer originally had an option for easily enabling privacy settings
at once. The option drove advertising network executives "bananas,"
and they prevailed upon Microsoft to oppose the option. If consumers could turn
on automatic privacy easily, third-party networks would have a harder time
making money. Microsoft "sabotaged" its own product so that every
single time the user closed the browser, the privacy settings were turned back
off in order to keep the advertisers happy, Soghoian said.
being "evil," as it was just a matter of survival, he said.
One way to
address this dilemma is to move away from the free software model to one in
which users pay a small fee to use a version that has all the tracking features
disabled. There should be a way to use the online music-streaming system
Spotify without having a Facebook log-in.
don't have a choice. You have one version of Chrome and one version only,"
can treat data privacy as a public health crisis and use its influence to
promote best practices, such as updating browsers and encouraging secure
configurations, he said.