OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] Google to base ads on surfing behaviour

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Mon Mar 16 2009 - 17:59:51 CDT


Bipin Gautam wrote:

> google is evil : http://news.zdnet.co.uk/internet/0,1000000097,39625962,00.htm

That's news? 8-)

> "These ads will associate categories of interest " say sports,
> gardening, cars, pets " with your browser, based on the types of sites
> you visit and the pages you view,"
> ...
> As with any other cookie, this tracking file can be cleared by the
> user at any time. By visiting Google's ad-preferences page, the user
> can opt out of having their surfing habits tracked, or input their own
> preferences for the subject matter of ads they would like to see.
>
> However, as clearing the browser's cookies would effectively remove
> the opt-out cookie itself, Google has also released a plug-in for
> browsers that provides a permanent opt-out from the service.
> ...

Whatever happened to "default deny"?

Oh, that's right -- it wouldn't be in _Google's_ interest to require
surfers to opt into Google breaching their privacy.

As the US government doesn't seem to care much, if at all, about
protecting the privacy rights of its citizens (in fact, do US citizens
actually have any legally-protected privacy rights worth talking about?),
perhaps the EU should step up here and fine the crap out of Google until
it "fixes" this latest egregious assault on our privacy...

...

And would it be churlish to point out that Google is breaking its own
principles with this move?

Bipin has already alluded to the much-vaunted "do no evil" doctrine
(actually, it is "You can make money without doing evil" -- point six at:

   http://www.google.com/corporate/tenthings.html

and arguably does not preclude "but you can make more money by doing
evil" if you read the whole thing), but there are others, perhaps most
pertinent here are in:

   http://www.google.com/corporate/software_principles.html

   Software Principles

   At Google, we put a lot of thought into improving your online
   experience. We're alarmed by what we believe is a growing disregard
   for your rights as computer users. We've seen increasing reports of
   spyware and other applications that trick you in order to serve you
   pop-up ads, connect your modem to expensive toll numbers or hijack
   your browser from the site you're trying to visit.

Yet it seems that it is acceptable for Google to breach reasonable
expectations of privacy "behind the scenes" (these principles seem aimed
at client-side, rather than server-side, shenanigans -- hmmmm...).

   We do not see this trend reversing itself. In fact, it is getting
   worse. As a provider of services and monetization for users,
   advertisers and publishers on the Internet, we feel a responsibility

...to ensure those trends continue?

No -- actually, it continues:

   to be proactive about these issues. So, we have decided to take
   action. As a first step, we have outlined a set of principles we
   believe our industry should adopt and we're sharing them to foster
   discussion and help solve the problem. We intend to follow these
   guidelines ourselves with the applications we distribute (such as the
   Google Toolbar and Google Desktop). And because we strongly believe
   these principles are good for the industry and users worldwide, we
   will encourage our current and prospective business partners to adopt
   them as well.

...but again, we won't apply these principles to the service side of our
industry and actions.

How gloriously myopic, or is that two-faced?

The second of these proposed software principles is described thus:

    UPFRONT DISCLOSURE

   When an application is installed or enabled, it should inform you of
   its principal and significant functions. And if the application makes
   money by showing you advertising, it should clearly and conspicuously
   explain this. This information should be presented in a way that a
   typical user will see and understand -- not buried in small print that
   requires you to scroll. For example, if the application is paid for by
   serving pop-up ads or sending your personal data to a third party,
   that should be made clear to you.

But, again, not if it's Google, DoubleClick, et al. twiddling bits on the
back-end...

And a few sections later:

   SNOOPING

   If an application collects or transmits your personal information such
   as your address, you should know. We believe you should be asked
   explicitly for your permission in a manner that is obvious and clearly
   states what information will be collected or transmitted. For more
   detail, it should be easy to find a privacy policy that discloses how
   the information will be used and whether it will be shared with third
   parties.

But, again, not if it's Google, DoubleClick, et al. twiddling bits on the
back-end...

...

And to add another security-related issue to this thread, I'd rather that
Google and DoubleClick spent some time and effort on fixing a couple of
DoubleClick's biggest problems rather than on adding AdSense tracking
integration to DoubleClick's cookie mechanisms.

First is that DoubleClick really needs to work on not accepting "dodgy"
ads such as the "fake AV" ads and such they've been serving increasingly
often of late.

Second, and much bigger, DoubleClick also needs to fix a huge security
flaw across the whole of doubleclick.com. doubleclick.com is an open
redirector farm. Depending on your school of thought, that might be
considered what is known in web app security circles as a form of cross-
site scripting (or XSS) flaw. This has been abused by spammers, phishers
and malware spreaders in the past and fixing it won't be trivial as the
whole DoubleClick business model is based on this behaviour and the
common, Q&D fix for this type of problem (referer-checking based
solutions) is unviable when the expected referrers are virtually any
domain on the planet (as required by DoubleClick's distributed ad serving
business model). It took Google the best part of a decade to (mostly)
fix its own open redirector problems, but that should mean it can provide
some valuable input to its new stablemate...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/