Privacy should be built into online services by default, but it won't happen so long as companies, such as Microsoft, Google and Facebook, rely on advertising to make money, according to a prominent privacy activist.
Major technology vendors are providing sophisticated applications in exchange for user data, such as their preferences, online activities and behavior, Christopher Soghoian, a Washington, D.C.-based graduate fellow at the Center for Applied Cyber-Security Research, said in his keynote speech at the Kaspersky Lab Security Analyst Summit Feb. 3. When the companies have to decide between making money and protecting user privacy, business needs take priority, he told attendees.
"When their business models and your privacy conflict, only one will survive," said Soghoian.
Browsers are not "cheap" to develop, but companies are giving them away in order to make it easier to collect user data, said Soghoian. Most popular browsers by default are set to accept cookies that Websites and third-party advertiser networks can use for online tracking. Apple's Safari accepts cookies from the Website, but actually disables third-party cookies by default. Apple took the "responsible route," said Soghoian.
The advertising-based business model relies on Internet users to surrender increasing amounts of information, Soghoian said. If the interface "sucks," users won't use the privacy settings effectively and will make mistakes, resulting in data being exposed. The difficulty is intentional, since companies know that users are less likely to bother with turning on privacy settings if the options are hard to find or understand.
Google, Microsoft, Facebook and Twitter all offer HTTPS on their online services to encrypt connections and prevent malicious attackers from intercepting user data while in transit. It takes six distinct steps to turn on HTTPS in Microsoft's Hotmail, and Facebook has been criticized for its confusing array of privacy pages. Before Google took the step to enable HTTPS by default for all Gmail users, the HTTPS option was buried at the bottom of the settings pages. It was the "least important" option, said Soghoian.
The interfaces are generally not designed by security-minded developers or developers thinking about the best user experience, but rather by the people who have an "understanding of human psychology" and are not concerned about the user's best interest, said Soghoian. What settings are on or off by default is just as important as what the interface is like, he said.
"These companies have default settings that are not private and not secure, because they know consumers will never change these defaults," said Soghoian.
When Google implemented HTTPS, it initially justified the decision to leave the option off by default by claiming that encryption potentially slowed down page performance and added overhead. A difficult question over encryption and privacy was just "left up to the users," said Soghoian.
The company switched to using HTTPS by default shortly after it disclosed that Chinese attackers had breached several Gmail accounts that belonged to U.S. government officials.
Facebook and Twitter still have HTTPS turned off by default, even though Facebook enabled it by default for its Tunisian users after reports emerged of the government eavesdropping on its citizens last year.
Toolbars are often bundled into other software installers. The average Internet user doesn't want the toolbar but is tricked into installing it. When installing Adobe Reader, users are opted in by default to install Google Toolbar, and the Java installer has a similar option for the Yahoo toolbar. Often, users don't even know how they wound up having several toolbars taking up space at the top of the Web browser.
"Good defaults lead to good choices," said Soghoian.
Google can't deliver a privacy-protecting product for free, said Soghoian. Since Microsoft and Google can't put tracking technology inside the Web browser itself, they rely on their advertiser networks, Atlas and DoubleClick, to harvest user data from browser history, headings and user-submitted content.
Browsers are designed to "spew data all over the Internet," he said.
A version of Internet Explorer originally had an option for easily enabling privacy settings at once. The option drove advertising network executives "bananas," and they prevailed upon Microsoft to oppose the option. If consumers could turn on automatic privacy easily, third-party networks would have a harder time making money. Microsoft "sabotaged" its own product so that every single time the user closed the browser, the privacy settings were turned back off in order to keep the advertisers happy, Soghoian said.
They weren't being "evil," as it was just a matter of survival, he said.
One way to address this dilemma is to move away from the free software model to one in which users pay a small fee to use a version that has all the tracking features disabled. There should be a way to use the online music-streaming system Spotify without having a Facebook log-in.
"Consumers don't have a choice. You have one version of Chrome and one version only," said Soghoian.
Governments can treat data privacy as a public health crisis and use their influence to promote best practices, such as updating browsers and encouraging secure configurations, he said.