Cybercriminals Encrypt Your Files, Demand $100 Ransom to Decrypt

October 29, 2009

This year has seen the escalation of many existing types of online crime and the introduction of entirely new exploits – including extortion – as criminals push into micro-payment revenue models and further diversify their revenue streams.
The most recent example of this is the LoroBot ransomware, which encrypts files with popular extensions on the user’s computer and then demands $100 for the decryption software.

If your computer becomes infected with LoroBot, you may find yourself unable to open your documents, spreadsheets, photos, PDFs and other common file types, and instead see a ransom note informing you that your files have been held hostage (image from ZDNet).


According to researchers from CA who found the ransomware, this particular bot appears to be mostly a bluff, but it demonstrates a new tactic in the ransomware arena which to date had focused primarily on locking users out of their computers entirely.

As the price to obtain ransomware continues to drop in underground markets (the average price is between $15 and $30), more cybercriminals will leverage these tools – and drive the demand for more exploitative innovation in this area.

Read the full article “New LoroBot ransomware encrypts files, demands $100 for decryption” on ZDNet.


Framework for a Safe Internet: Know the Facts, Understand the Issues, Shape the Future

October 20, 2009

The Safe Internet Alliance today hosted a Capitol Hill educational event and discussion entitled “Framework for a Safe Internet: Know the facts, understand the issues, shape the future.”

The event featured three expert panels of a diverse group of panelists, from technology and software companies including AOL and Microsoft to industry associations like the National Cable and Telecommunications Association.

The event commenced with a keynote speech from Commissioner Pamela Jones Harbour of the Federal Trade Commission who stressed the importance of cross-collaboration between the government and private sector in developing safe Internet initiatives. In her speech Commissioner Harbour also highlighted emerging crime patterns against consumers online and different methods of user empowerment.

The three panels explored the perspectives of Internet users in the U.S., online risks and cyber crime in the U.S., ways to make the Internet safe, and the emerging technologies that will help create a safe Internet.

“Safe Internet Alliance launched in May, to bring together the many voices and stakeholders involved in online safety and cyber security issues,” said Linda Criddle, president of Safe Internet Alliance. “Today’s event provided a platform for experts in Internet safety and security to share their knowledge, increase public awareness and highlight the demand for a safe Internet.”

“Having an accurate, collective understanding of the Internet’s opportunities is critical to creating a framework where the industry, organizations, lawmakers and consumers can meaningfully address concerns around privacy, safety and security,” Criddle continued. “We hope after today’s event that the members of Congress, Congressional staff, and public who attended understand this and will consider the Safe Internet Alliance an umbrella resource for any issue related to creating a safe Internet across the full spectrum of online services.”


As Online Dating Grows, So do Scams

October 18, 2009

Online dating can claim some remarkable results:

  • There are now about 1,400 online dating sites in North America.
  • In 2007 one in eight married couples first met online, and that number continues to increase.
  • 40% of the US single population now uses online dating sites, roughly equal to 40 million people, according to Match.com.
  • Match.com grows by 60,000 new members daily.
  • Americans who search for love online spend over 2 hours a night talking to prospective dates.
  • Over $500 million has been spent so far this year on Internet dating sites, according to Iovation.
  • Forrester Research reports that online dating is now the third largest producer of revenue among all paid content sites, generating $957 million in 2008, a figure the firm predicts will grow 10 percent by 2013.

That’s a lot of people representing a lot of money.

When done with caution, online dating can be safer than meeting people in the “real” world because you have more time to get to know someone before meeting him or her in person. I personally know many happy couples who would never have met their spouses had it not been for online dating sites.

But dating online requires that you take steps to protect yourself…

Predators follow their prey

As in any environment, abusers, criminals and predators follow wherever potential victims can be found, and with the number of online daters soaring, it should come as no surprise that crooks from around the world are hard on daters’ heels.

Last month Google found that search terms like “online dating” and “free dating” are getting the most hits from fraudsters in African countries, and police forces around the world are bracing for an explosion in scams as East African countries move from dialup to broadband speeds in June 2010, allowing African scammers to rival their counterparts in the former Soviet bloc and Western countries.

Common progression in a dating scam

  1. The scammer posts an attractive (stolen) photo and a fake profile on a dating website.
  2. The scammer sends a mass message to members with canned text.
  3. If the scammer gets a reply, they begin showing interest in the victim and ask if the victim wants to know more about the scammer.
  4. At some point the scammer will share their email address in an attempt to get the victim out of the monitored dating environment and away from any safeguards that help protect the victim’s identity. They may want to converse via IM, phone calls, even webcams. They may suggest sexually explicit interactions via webcam, or compromising photos of the victim, for resale and/or blackmail later.
  5. Conversations progress until the scammer believes they have secured the victim’s trust and emotions, and then they begin introducing a story about how they are having difficulties and need the victim’s help in some way. The story will be customized to further gain sympathy and affection from the victim.
  6. At some point the scammer will ask for money (sent as cash, money orders, merchandise, or currency exchange through a service like Western Union). Or they suggest you pay for a plane ticket so you can meet, ask you to accept shipment of items to forward to someone else, or ask you to cash a check for them and place the money in a specific account (you’ll be stuck when the check bounces and you have to cover the cost).
  7. As long as the victim continues to believe, the scammer will keep asking for money. In some cases victims lose tens of thousands of dollars.

Learn more about romance scams at RomanceScams.org

Not all dating sites are equal when it comes to protecting your safety.

The first rule of thumb is to trust your instincts when interacting with a potential date. Select your online dating service carefully. Look for an established, popular site with plenty of members and a philosophy that matches your own.

Some sites do extensive background screening, have active moderation teams watching for scams, and strict privacy measures to help protect you, others have no such safeguards in place. I can’t recommend a site that offers you no protection. With 1,400 online dating sites to choose from, select what works for you.

Follow these safety tips:

  1. Maintain anonymity to protect your identity. Don’t include your full name, phone number, where you work, or detailed location information in your profile or during early communications with potential dates. Stop communicating with anyone who presses you for this type of information.
  2. Use the e-mail system provided by the dating service rather than your own e-mail address to maintain your privacy.
  3. Be smart about choosing profile pictures. Make sure your photos reflect what you want to say about yourself. Provocative pictures may attract the wrong people. Make sure that your images do not contain identifying information such as nearby landmarks or a T-shirt with your school or company logo.
  4. Check to see if a potential date has a good reputation among other daters on the service.
  5. Be realistic. Read the profiles of others with skepticism. As you correspond or talk on the phone, ask questions, seek direct answers, and note any inconsistencies. Look for danger signs such as a display of anger, an attempt to control you, disrespectful comments, or any physically threatening or otherwise unwelcome behavior.
  6. If a person becomes abusive, report it and block that person from contacting you again using the dating site settings.
  7. When you decide to meet, create a safe environment. Keep first dates short, agree to meet in a public place during a busy time of day, and make sure somebody knows where you’re going. If your date doesn’t look like his or her photo, walk away and report that person to the dating service.
  8. If a date asks you for a loan or any financial information, no matter how sad the hard luck story, it is virtually always a scam and you should report it.

With dating scams increasing, you simply can’t afford to date online without knowing how to spot and avoid risks.

Linda


Raleigh ISSA Chapter to Host Fifth Annual Information Security Conference

October 9, 2009

On Thursday, October 15th, 2009, the Raleigh ISSA Chapter will host its fifth annual InfoSeCon (Information Security Conference), the Triangle’s premier information security conference.

ISSA (Information Systems Security Association) is the largest international non-profit organization of security professionals. With seven years of activity and more than 170 members, the Raleigh Chapter is the perfect indication of the thriving security industry and the drive for professional education and training in the region.

This year’s Triangle InfoSeCon is expected to draw hundreds of IT and security professionals from across the state to Raleigh for a full day of security-focused sessions with some of the industry’s top professionals and speakers, including featured speakers from leading international security conferences.

Attendees will enjoy special keynotes by John McCumber, Senior Programs Manager, Public Sector Group, Symantec Corporation and Linda Criddle, President, LOOKBOTHWAYS, Inc., then attend sessions of interest from the twelve breakouts in the three tracks: Governance, Risk and Compliance; Infrastructure and Virtualization Security; Web Security and Application Security.

Due to its growth in recent years, the Triangle InfoSeCon has moved to the larger facilities of the McKimmon Conference and Training Center in Raleigh, N.C., allowing for more attendees, easier parking and additional space for meeting and sponsors.

The Triangle InfoSeCon Conference is open to the public and offers exceptional value, with discounted registration rates for ISSA members ($30), sister organizations and government employees ($40) and the general public ($65) until October 9th. After that date, all registrations are $85.

To view this year’s speakers and session details, and to register online, please visit the conference site at www.TriangleInfoSeCon.com.


Soldiers’ Personal Data Still Leaking Online

October 4, 2009

Washington Post – Soldiers’ Personal Data Still Leaking Online

Sensitive personal data – including Social Security numbers, blood types, cellphone numbers, e-mail addresses, and the names of soldiers’ spouses and children – belonging to tens of thousands of U.S. soldiers continues to be compromised via P2P networks. As recently as this week, computer users in countries like Pakistan and China have downloaded this information, according to Tiversa, a company specializing in P2P intelligence.

According to the Washington Post, Tiversa saw personally identifiable data on Special Forces soldiers on servers in Pakistan in May and notified military criminal investigators. This isn’t the first breach: in April 2008, Tiversa found spreadsheets of Army promotions with personal data of 60,000 soldiers, as well as data on several thousand civilians and soldiers from the 1st Signal Brigade, and information about soldiers in the 3rd Special Forces Group.

The Army’s Special Operations Command confirmed that data was breached, but insisted it was an isolated incident, that those involved in the breach had been punished, and that they now have measures in place to reduce the chances of a breach happening again.

Robert Boback, chief executive of Tiversa, said such precautions are not sufficient safeguards. “Every company, agency and defense contractor will say that they have a policy against P2P on company-owned equipment and blocking, usually through intrusion detection,” he said. “The fact remains that these documents are still going out.”

Given the tremendous sacrifice our soldiers are making to protect the safety of others, it is a sad reflection on the state of Internet (in)security that we are unable to defend our own troops.

Read the full article from the Washington Post here.

Linda


New York Times Hosts Rogue Ad in Security Breach

September 15, 2009

The New York Times was hit with a malicious “anti-virus” ad over the weekend in a very sophisticated attack that exploited a weakness in how the company receives advertising. This attack was a classic example of a current trend in cybercrime according to a new IBM report that found, “The presence of malicious content on trusted sites has increased, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites.”

Unsuspecting New York Times users saw a very realistic – yet malicious – ad claiming their computer had malware running.

The ad advised users to remove the malware by running a full computer scan using a product called “Personal Antivirus” to find and remove the infections.

Users were then told to buy the antivirus program in order to stay safe.

The criminals behind this sophisticated attack exploited five vulnerabilities – one on the part of the NYT and four common to consumers:

  1. Fundamental security weaknesses in the advertising systems used by trusted websites.
  2. Consumers’ fundamental trust in reputable companies and their websites – any ad that appears on a trusted site gains, by association, a stamp of legitimacy in consumers’ eyes, and they let their guard down.
  3. Consumers’ lack of technical savvy – for less experienced users, seeing a pop-up warning them that their computer is infected inclines them to panic. While panicked, they grasp at the ‘remedy’ in front of them rather than question why the ad appeared, wonder why they have never heard of this anti-virus product, or do a bit of research to find a reputable antivirus product.
  4. Consumers’ failure to secure their computers – an alarmingly high percentage of consumers still do not have the necessary security software installed, or up to date, on their computers. These consumers are more likely to fall for this type of exploit because they know they are exposed. Consumers with appropriate security are more likely to turn to their existing (legitimate) tools to check for infections.
  5. Consumers’ faith in slick graphics – if it looks professional, it must be legit.

While consumers cannot increase the security of trusted sites (the company’s responsibility; in this case the New York Times scrambled to remedy the issue), consumers can eliminate their own susceptibility towards this type of malicious social engineering by carefully evaluating who, and what, they trust.

Most consumers still follow the assumption that if I trust “A”, and “A” appears to vouch for “B”, then I can trust “B”, but there are far too many assumptions in this equation that threaten your safety and security.

Misplaced trust

  • No matter how trusted a friend or family member is, if that person is using a compromised computer, they may be an unwitting distributor of malware.
  • Friends of friends – particularly those you or your friends have never met in person – may not deserve any trust, let alone trust in accepting links.
  • “Legitimate” companies may not deserve your trust. Neither the size of a company nor its popularity is reason to give it unqualified trust. For example: Google accepts money to place malware in its sponsored links. Facebook’s Terms & Conditions give them more rights to your content than they should be trusted with. Echometrix’s Sentry Parental Control Software sells kids’ conversations (they claim to anonymize the kids) to advertisers.
  • Websites of companies who would never dream of tarnishing their reputation by accepting malicious advertising can be hacked or exploited – as seen in this NYT example.
  • News feeds unwittingly promote malicious links as criminals engineer search engine results.
  • Phishing sites may look identical to a reputable site, but by inadvertently mistyping the URL or by following a link that purports to be the legitimate site you may find yourself far off track.
  • Tweeters may place malicious links – and others may inadvertently re-tweet these in their posts. These can be particularly hard to identify as they frequently use shortened URLs, so you don’t know the real site being pointed to.

The art of Internet Self Defense

This type of exploit, where criminals leverage weaknesses in online advertising delivery systems to distribute malicious ads on legitimate sites, is going to increase. You need to be able to defend against it, and a few simple preventative measures can go a long way.

  1. Make sure you have security software and it is up-to-date. This will usually block malware from downloading to your computer.
  2. Do not download files, particularly executable files (they have .exe at the end of the file name), unless you have verified they are safe.
  3. Stay in control and steer yourself to websites; don’t be pulled by links that may or may not take you where you want to go. If the link looks interesting, go find it yourself using your search engine. That way the ad’s link can’t pull you onto a site riddled with malware or land you on a phishing site.
    1. Searching the web without using tools that identify malicious websites for you is asking for trouble – you simply will not be able to tell which sites are legitimate. You need to use a product that visibly identifies the potential for malicious code in search results. I happen to use McAfee’s Site Advisor tool on all my machines, but both Firefox and Internet Explorer have features you can use to alert you to malicious sites, and several other companies offer similar services.
  4. Keep a healthy level of skepticism and slow down. Knee-jerk reactions do not give you time to evaluate the authenticity of the ad, its promises or its links, nor do they let you check the facts. Don’t panic over warnings, jump to accept ‘offers’, believe someone wants to give you money, or respond to a plea for help. If you take the time to think things through and check the facts, you are much more likely to avoid well-placed-but-malicious links, much less likely to give away your information, and less likely to fall for other exploits. Checking the facts is easy online: look on a site like Snopes.com to see if they report the ad as fraudulent, or enter the company name into a search engine and see if there are warnings about it.

Linda


“Unprecedented State of Web Insecurity” Says New IBM Report

September 15, 2009

“There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity,” said IBM’s X-Force Director Kris Lamb in a new and sobering report.

“Two of the major themes for the first half of 2009 are the increase in sites hosting malware and the doubling of obfuscated Web attacks,” Lamb said. “The trends seem to reveal a fundamental security weakness in the Web ecosystem where interoperability between browsers, plugins, content and server applications dramatically increase the complexity and risk. Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate Web site users.” “The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted.”

The data behind these conclusions is stark:

  • The number of new malicious Web links discovered in the first half of 2009 increased by 508%.
  • The presence of malicious content on trusted sites has increased, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites.
  • Web application attacks with the intent to steal and manipulate data and take command and control of infected computers have risen significantly.
  • There were 3,240 new vulnerabilities discovered in the first half of 2009, yet 49% of all vulnerabilities disclosed in the first half of 2009 had no vendor-supplied patch at the end of the period.
  • Known PDF vulnerabilities in the first half of 2009 already surpass disclosures from all of 2008.
  • Trojans account for more than half of all new malware, a nine percent increase over the first half of 2008. Information-stealing Trojans (see the bottom of the article for a definition of Trojans) are the most prevalent malware category.
    • A similar survey by BitDefender, measuring malicious attacks between January and June 2009, found that Trojan-type malware now accounts for 83% of the global malware detected in the wild.
  • Phishing has decreased dramatically. Analysts believe that banking Trojans are taking the place of phishing attacks geared toward financial targets.

What this means to you

In spite of the serious threats and stark warning, the answer isn’t to unplug your computer and head for the hills. Instead, it is essential that you make sure your computers and Internet connections are secure with proactive protection software that updates automatically; that you use strong, unique passwords and keep them private; and that you learn to avoid socially engineered exploits. It also means that every family member and anyone else who uses your computer(s) must follow the same security rigor.

  1. Secure your computer. If your computer isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity will be stolen. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.
  2. Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network, it needs to be encrypted so someone lurking outside the house can’t collect your information. If you need a free firewall, click here.
  3. Use strong passwords. A weak password is all it takes for someone to steal it. If you use the same password on multiple sites (or everywhere), you are asking for real trouble. Passwords do not have to be hard to remember, just hard to guess.
  4. When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging if the site is legitimate or going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
  5. Trust is key. Know the site. Know the user. Know the company. Misplaced trust will land you in a world of trouble.
    1. You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
    2. Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself.

Linda

What is a Trojan? In technology, a Trojan is software that appears to be useful but contains malicious code that enables hackers to access and take over the computer remotely. Once they control it, hackers can use the machine for a variety of criminal purposes, including stealing identities (e.g. passwords, security codes, credit card information), installing additional malware, downloading or uploading files, deleting or modifying a user’s files, logging the user’s keystrokes, making the computer part of a botnet, and so on.


Digg Announces a “Nofollow” Policy to Better Protect Consumers

September 8, 2009

Congratulations to Digg. In an effort to reduce the amount of link spam on Digg, a social news website where people can discover and share content online, the company announced a change in their policy towards questionable links.

Spammers use sites like Digg to post their links in an attempt to drive lots of traffic to their sites. In addition to direct clicks by users, the spammers know that search engines are likely to rate their link as more important if their URL is found on Digg.

By adding a rel="nofollow" attribute to every link that Digg doesn’t trust to be legitimate, the company effectively instructs search engines to ignore the link, so that it doesn’t positively influence the linked site’s ranking and push it higher in the search results consumers see. This undercuts the effectiveness of some types of search engine spam and improves the quality of the search results you receive. The nofollow policy is applied to questionable links in stories, profiles and comments.

Digg’s VP of Engineering, John Quinn, commented on the change today in a blog informing users of the change:

We’ve made a few changes to the way Digg links to external sites that may impact some folks in the SEO [search engine optimization] community. These changes reduce the incentive to post spammy content (or link spam) to Digg, while still flowing ‘search engine juice’ freely to quality content. We’ve added rel="nofollow" (an HTML link attribute) to any external link that we’re not sure we can vouch for. This includes all external links from comments, user profiles and story pages below a certain threshold of popularity.

This work was done … in an effort to look out for the interests of content providers and the Digg community.

Digg did not disclose how they determine which sites they mistrust, and that’s probably for the best as it doesn’t give spammers insight they may use to circumvent the blocks.
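As an added illustration (not Digg’s own code), here is a small Python rewriter that implements the kind of policy described above: external links the site cannot vouch for get rel="nofollow", internal and vouched links are left untouched, and an existing rel value is extended rather than replaced. The hostnames and the vouch rule (a trusted-host set standing in for Digg’s undisclosed popularity threshold) are assumptions.

```python
# Added example, not Digg's code: apply a "nofollow" policy to user-supplied
# markup. External links the caller does not vouch for get rel="nofollow";
# internal links and vouched links are left alone, and an existing rel value
# is extended rather than overwritten. Hostnames and the vouch rule are
# assumptions standing in for Digg's undisclosed trust threshold.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


class NofollowRewriter(HTMLParser):
    """Streams the markup back out, marking untrusted external <a> links."""

    def __init__(self, own_host, vouch):
        super().__init__(convert_charrefs=False)
        self.own_host = own_host.lower()
        self.vouch = vouch          # callable(href) -> True if the link is trusted
        self.out = []
        self.marked = 0             # links that received a new nofollow token

    def _is_external(self, href):
        host = (urlparse(href).hostname or "").lower()
        # Relative links and mailto: have no host and count as internal.
        return bool(host) and host != self.own_host \
            and not host.endswith("." + self.own_host)

    def _mark(self, attrs):
        """Return attrs with 'nofollow' added to rel (creating rel if absent)."""
        new_attrs, seen_rel, changed = [], False, False
        for name, value in attrs:
            if name == "rel":
                seen_rel = True
                tokens = (value or "").split()
                if "nofollow" not in tokens:
                    tokens.append("nofollow")
                    changed = True
                new_attrs.append((name, " ".join(tokens)))
            else:
                new_attrs.append((name, value))
        if not seen_rel:
            new_attrs.append(("rel", "nofollow"))
            changed = True
        if changed:
            self.marked += 1
        return new_attrs

    def _render(self, tag, attrs, self_closing=False):
        parts = [f"<{tag}"]
        for name, value in attrs:
            # HTMLParser hands us unescaped values; re-escape on the way out.
            parts.append(f" {name}" if value is None
                         else f' {name}="{escape(value, quote=True)}"')
        parts.append("/>" if self_closing else ">")
        self.out.append("".join(parts))

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = next((v for k, v in attrs if k == "href"), None)
            if href and self._is_external(href) and not self.vouch(href):
                attrs = self._mark(attrs)
        self._render(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._render(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def add_nofollow(markup, own_host, vouch=lambda href: False):
    """Return (rewritten markup, number of links newly marked nofollow)."""
    rewriter = NofollowRewriter(own_host, vouch)
    rewriter.feed(markup)
    rewriter.close()
    return "".join(rewriter.out), rewriter.marked


# Constructed sample comment; every host below is a placeholder.
VOUCHED_HOSTS = {"news.example"}
SAMPLE_COMMENT = (
    '<p>See <a href="http://digg.example/story/42">the story</a>, my '
    '<a href="http://cheap-pills.example/?ref=digg" rel="external">site</a>, '
    '<a href="https://news.example/report">this report</a> and '
    '<a href="/users/bob">bob</a>.</p>'
)


def vouch_by_host(href):
    """Assumed trust rule: only links to hosts on an allow-list are vouched for."""
    return (urlparse(href).hostname or "").lower() in VOUCHED_HOSTS


if __name__ == "__main__":
    rewritten, count = add_nofollow(SAMPLE_COMMENT, "digg.example", vouch_by_host)
    print(count, "link(s) marked")
    print(rewritten)
```

Only the link to cheap-pills.example is changed; the site’s own link, the vouched report and the relative link pass through unmodified, and a second pass over the output changes nothing.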

It is great to see companies that proactively protect consumers. Hats off to Digg.

Linda


What the Fraud!

September 2, 2009

The following article is the first interview in a series between Jessica Walker, who writes Safer in the City for SaferDates.com, and Linda Criddle. SaferDates will be running interview segments twice a week on their site for the next few weeks.

What the Fraud!

“Safer in the City” by Jessica Walker

Segment One

Jessica: What should our members do to prevent their identity and or financial information (i.e. credit cards, account numbers) from being stolen on or offline?

Linda: A few key steps can make a real difference in protecting your identity and financial information.

Consider what information about you is online – Search to find the total set of information that you – and others – have shared about you online. What have you posted, friends posted, family members, employers, schools, groups, associations, clubs, teams, and church groups, posted? If you donate to charities, do their sites place your name and amount of donation on their sites? Have you ever posted a resume? (There is nothing wrong in posting resumes, but restrict contact and address information until you’re actually interviewing, and TAKE IT DOWN when you’ve landed the job!). Check online county records; if you own property find out how much information is available on you and your property – I’ve seen cases where in addition to the basic information, the registrar’s office also displays information about floor plans, and loan papers – which include the name of the lending institution, the loan number, and people’s SSNs and signatures. Look to see if they show power of attorney documents, what information is available on your birth certificate, and of any children’s birth certificates. If previously married and divorced what information can be gleaned from these records? Once you have a firm understanding of your footprint of possible exposure, work to remove, or have removed, any information that you don’t feel is appropriate. Discuss with others where your privacy boundaries are so that they do not over-share about you, and ask others for their boundaries so you can be respectful of their safety and privacy needs as well.

Secure your computer. If your computer isn’t protected from viruses and other malware your financial information, your passwords, and everything else you store on your computer or do online will be abused. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.

Use strong passwords. Passwords do not have to be hard to remember, just hard to guess. Never use information about yourself as a password. They need to be long (8 or more characters) and use uppercase, lowercase, numbers and symbols. This isn’t hard to do. For example text messaging short-codes can really help make this easy – 2BorNot2B? (To be or not to be, that is the question) or MaybeL8r (maybe later).

Check your credit history and freeze your credit. I’d guess that less than 10% of people consistently check their credit histories to ensure nothing is damaging their credit scores. By law, you have the right to three FREE reports each year. You may choose to pay to have a company monitor your credit for you, but unless you’ve had real trouble with ID theft in the past this is probably not a necessary expense. If you are not actively seeking a line of credit now or in the next month, freeze your credit. This is one of the simplest things you can do, but a step that few actually take. This blocks anyone from taking out a loan or opening a new credit card in your name. It’s easy to do – contact one of the credit bureaus – and is either free or low cost depending on their criteria.

Only purchase from reputable online stores. The price may be cheaper at a store with no reputation, but you don’t want to gamble with your financial information. To find out if a store has a good reputation, the Better Business Bureau has an online site where you should be able to look up this information. Keep all purchase confirmation emails in case you need to dispute something.

Beware of scams. Far too many people ‘give’ away their information to criminals by falling for scams in email and on the web. NEVER use a link provided to you to get to a site, find the URL yourself. You want to be in the driver’s seat when going to sites online – that way you end up where you intended to, not on a clever fake site.

Physical world requirements. In addition to the safety steps above, physical items need additional protections. Shred financial documents; far too many people are careless with financial materials yet more ID theft is still carried out the good old dumpster diving way. Protect your possessions like your wallet and purse because a significant amount of ID theft is done by someone the victim knows, including parents, siblings, children and close friends.


Facebook Users, You can Thank the Canadians for Improved Privacy and Transparency

September 1, 2009

For more than a year, Canada’s privacy commission, under the leadership of Jennifer Stoddart, investigated Facebook’s privacy policies and tools. They found that Facebook gave “confusing or incomplete” privacy information to subscribers and gave developers “virtually unrestricted access to Facebook users’ personal information.”

Under pressure to change, Facebook today announced plans to improve their service. “Our productive and constructive dialogue with the Commissioner’s office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users,” said Elliot Schrage, Vice-President of Global Communications and Public Policy at Facebook. “We believe that these changes are not only great for our users and address all of the Commissioners’ outstanding concerns, but they also set a new standard for the industry.”

Here are the specific changes Facebook will be making according to their Press Statement:

  • Updating the Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.
  • Encouraging users to review their privacy settings to make sure the defaults and selections reflect the user’s preferences.
  • Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.

Facebook announced, “work on the planned changes will begin immediately. However, some changes will take some time before they are visible. For example, updates to the Privacy Policy will require a notice and comment period for users. In addition, the changes to how users share information with third-party applications will require significant time and resources, both for the updating and testing of the new Facebook API, and for third-party application developers to reprogram and test their applications. Facebook anticipates this entire process will take approximately 12 months.”

Thank goodness. These changes are a long time in coming, and every Facebook user will benefit from the work now being undertaken. This is a significant step towards recognizing users’ right to privacy, choice, and transparency. 

Until the changes are in place (up to a year from now), I recommend that you do not use 3rd party applications, and that you carefully review the safety/privacy settings you currently have in place.

Linda

