Microsoft, Google and Facebook should do more to protect their users' privacy online, but these types of safeguards conflict with how these technology and Web giants make their profits, according to one expert.
Privacy should be built into online services by default, but it won't happen so long as companies, such as Microsoft, Google and Facebook, rely on advertising to make money, according to a prominent privacy activist.
Major technology vendors are providing sophisticated applications in exchange for user data, such as their preferences, online activities and behavior, Christopher Soghoian, a Washington, D.C.-based graduate fellow at the Center for Applied Cyber-Security Research, said in his keynote speech at the Kaspersky Lab Security Analyst Summit Feb. 3. When the companies have to decide between making money and protecting user privacy, business needs take priority, he told attendees.
"When their business models and your privacy conflict, only one will survive," said Soghoian.
Browsers are not "cheap" to develop, but companies are giving them away in order to make it easier to collect user data, said Soghoian. Most popular browsers by default are set to accept cookies that Websites and third-party advertiser networks can use for online tracking. Apple's Safari accepts cookies from the Website, but actually disables third-party cookies by default. Apple took the "responsible route," said Soghoian.
The advertising-based business model relies on Internet users to surrender increasing amounts of information, Soghoian said. If the interface "sucks," users won't use the privacy settings effectively and will make mistakes, resulting in data being exposed. The difficulty is intentional, since companies know that users are less likely to bother with turning on privacy settings if the options are hard to find or understand.
Google, Microsoft, Facebook and Twitter all offer HTTPS on their online services to encrypt connections and prevent malicious attackers from intercepting user data while in transit. It takes six distinct steps to turn on HTTPS in Microsoft's Hotmail, and Facebook has been criticized for its confusing array of privacy pages. Before Google took the step to enable HTTPS by default for all Gmail users, the HTTPS option was buried at the bottom of the settings pages. It was the "least important" option, said Soghoian.
The interfaces are generally not designed by security-minded developers or developers thinking about the best user experience, but rather by the people who have an "understanding of human psychology" and are not concerned about the user's best interest, said Soghoian. What settings are on or off by default is just as important as what the interface is like, he said.
"These companies have default settings that are not private and not secure, because they know consumers will never change these defaults," said Soghoian.
When Google implemented HTTPS, it initially justified the decision to turn off the option by default by claiming that encryption potentially slowed down page performance and had additional performance overhead. A difficult privacy question over encryption and privacy was just "left up to the users," said Soghoian.
The company switched to using HTTPS by default shortly after it disclosed that Chinese attackers had breached several Gmail accounts that belonged to U.S. government officials.
Facebook and Twitter still have HTTPS turned off by default, even though Facebook enabled it by default for its Tunisian users after reports emerged of the government eavesdropping on its citizens last year.
Toolbars are often bundled into other software installers. The average Internet user doesn't want the toolbar but is tricked into installing it. When installing Adobe Reader, users are opted in by default to install Google Toolbar, and the Java installer has a similar option for the Yahoo toolbar. Often, users don't even know how they wound up having several toolbars taking up space at the top of the Web browser.
"Good defaults lead to good choices," said Soghoian.
Google can't deliver a privacy-protecting product for free, said Soghoian. Since Microsoft and Google can't put tracking technology inside the Web browser itself, they rely on their advertiser networks, Atlas and DoubleClick, to harvest user data from browser history, headings and user-submitted content.
Browsers are designed to "spew data all over the Internet," he said.
A version of Internet Explorer originally had an option for easily enabling privacy settings at once. The option drove advertising network executives "bananas," and they prevailed upon Microsoft to oppose the option. If consumers could turn on automatic privacy easily, third-party networks would have a harder time making money. Microsoft "sabotaged" its own product so that every single time the user closed the browser, the privacy settings were turned back off in order to keep the advertisers happy, Soghoian said.
They weren't being "evil," as it was just a matter of survival, he said.
One way to address this dilemma is to move away from the free software model to one in which users pay a small fee to use a version that has all the tracking features disabled. There should be a way to use the online music-streaming system Spotify without having a Facebook log-in.
"Consumers don't have a choice. You have one version of Chrome and one version only," said Soghoian.
Governments can treat data privacy as a public health crisis and use their influence to promote best practices, such as updating browsers and encouraging secure configurations, he said.