Tuesday 22 September 2009

Facebook Beacon shines for last time as part of settlement


Facebook's Beacon has been nothing but trouble since it launched in 2007, spurring numerous user complaints and a class-action privacy suit. The company has apparently learned its lesson, as it has now proposed a lawsuit settlement that involves shutting down Beacon and paying out $9.5 million to a settlement fund.

As quickly as it swooped into Facebook users' lives and revealed their secret purchasing habits to the world, Beacon has now been shut down as part of a lawsuit settlement. Facebook revealed late Friday that its controversial "advertising" feature would be shuttered, saying that the company had "learned a great deal from the experience." Facebook also plans to donate $9.5 million to an organization that fights for online privacy, though the settlement proposal still awaits approval by a judge.

Facebook's Director of Policy Communications Barry Schnitt said in a statement that the whole Beacon ordeal "underscored how critical it is to provide extensive user control over how information is shared." He said the company also learned how to communicate changes to users (you know, instead of just dumping things like Beacon on them without a peep), and that the introduction of Facebook Connect allows for much greater user control over how their Web antics get shared back to friends on Facebook.

"We look forward to the creation of the foundation and its work to educate Internet users on how best to control their privacy; engage in safe social networking practices; and, generally, enjoy themselves more online by having knowledge that gives them a greater sense of control," Schnitt said. "We fully expect the foundation to team with other leading online safety and privacy experts and organizations that have been working diligently in these fields."

Facebook first launched Beacon in November of 2007 as part of a new marketing strategy intended to benefit both advertisers and Facebook users (more of the former than the latter). A number of companies signed up to be part of the program, meaning that any user activity that took place on their respective websites would be reported back to Facebook and published to users' news feeds. Because Beacon was originally set up as an opt-out service instead of opt-in, many users were horrified to find their off-Facebook activities being published to their profiles automatically. Not only did users feel that their privacy was being violated, a number of users complained loudly that Beacon had ruined numerous surprise holiday gifts.

A few weeks after the initial backlash, Facebook founder Mark Zuckerberg posted an apology. He admitted that the company should have handled Beacon differently and said that the default settings had been changed so that publishing off-Facebook activities to users' news feeds would now be off. Instead, users could now opt in on a per-incident or per-site basis.

That didn't stop a class-action lawsuit from being filed in April 2008, alleging that Facebook's Beacon program and Blockbuster (one of Facebook's marketing partners) were in violation of numerous privacy laws by reporting user activity back to Facebook. The complaint said that off-Facebook activities were still being reported back to Facebook (even if users chose not to publish the info), and that Blockbuster's participation constituted a violation of the Video Privacy Protection Act—a law that prohibits video providers from allowing third parties to access identifiable information about someone's renting or buying habits without their express, written consent.

That lawsuit has been making its way through the court system for more than a year and Facebook apparently realized that it wasn't going to win anytime soon. As a result, the company decided to settle, proposing the $9.5 million settlement fund go towards the creation of an independent foundation that would "fund projects and initiatives that promote the cause of online privacy, safety, and security."

Despite Facebook's positively spun PR speak, it's clear that the company has learned a lesson from the calamity that was the Beacon experience. Everything about Beacon's rollout was done poorly, which tainted the service for good despite Facebook's belated attempts to right its wrongs. It took a major class-action lawsuit and the launch of an entirely new service (Facebook Connect) for the company to pull the plug on Beacon, but Facebook has learned the hard way that it won its users by being conscious of privacy (at least compared to MySpace), and that it needs to keep giving users control if it wants to keep growing.

By Jacqui Cheng

Saturday 19 September 2009

Why virus writers are turning to open source


Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.

By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.

According to Candid Wüest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.

The move to an open source business model is allowing criminals to add extra features to their malware.

"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.

Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for Back Orifice 2000 (BO2K), the successor to its Back Orifice Trojan.

More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.

Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.

There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 per copy before it went open source, while the Zeus Trojan today sells for between $1,000 and $3,000.

However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.

"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.

"At the beginning of it going open source it was big news but people have since stopped investing in it.

"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.

Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.

And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.

"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.

The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.

These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.

RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.

Nick Heath of Silicon.com reports from London.

Internet firms help Canadian courts ID authors of controversial email


Think you can be anonymous online? Most people simply have no idea how easy it is for law enforcement officials -- and other litigants, like someone suing you -- to gain access to personal email, Google searches, and other online information users think is "theirs."

The latest ominous evidence of this fact comes from our friends to the north. A Canadian court has ordered Google (GOOG) to turn over the identities of anonymous Gmail users who had accused York University faculty members of fraud and dishonesty. Like similar cases in the U.S., the York incident shows just how easy it is for courts to allow authorities to gain access to "our" personal information.

"People need to know that very little information that they give or make available to third parties [like Google] is unavailable to the government or private litigants," says Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law. "I think most people are surprised at how relatively easy it is for the government and private litigants to obtain 'their' information."

When York announced its hiring of Martin Singer in January as the first dean of its new Faculty of Liberal Arts and Professional Studies, the university called the professor a "renowned scholar of Chinese history" and quoted university president Mamdouh Shoukri as saying: "York University is fortunate to have attracted such a strong scholar and administrator."

Shortly thereafter, someone circulated an email from an account belonging to a group called "York Faculty Concerned About the Future of York University" among members of the community accusing Singer of "lying about scholarly credentials" and accusing Shoukri of perpetrating "an outrageous fraud." The anonymous group called for the president's resignation and a new search for a dean, according to Canada's National Post.

University authorities were not amused, and won a court order in May compelling Google to turn over the IP addresses linked to the Gmail account. Google, in turn, identified Bell Canada and Rogers Communications as the internet service providers from which the email originated.

Last month, neither of the ISPs opposed a court order requiring them to turn over the contact information of the persons who used the Gmail account. This past week, Justice George R. Strathy of Ontario Superior Court called the orders a reasonable balance between protecting freedom of speech and protection from libel, according to the paper.

David Noble, whom the Post refers to as "an outspoken professor at York," was outed as one person linked to the account. On Friday, he told the paper that York's legal action was "a fishing expedition" and accused the university of "trying to create a chill among faculty."

Noble maintained that the allegations raised about Singer were legitimate. "They are spending enormous sums, for what?" the Post quotes him as saying. "I think they are just desperate to find out who is involved," adding that his colleagues wanted to remain anonymous because they were "afraid of reprisals."

In response, Will McDowell, York's lawyer, defended the action, saying, "Academics enjoy quite extensive latitude in what they say and what they write and what they research at Canadian universities, but I would say this about any of us: The right of free speech is not unlimited."

"Like all law-abiding companies, we comply with local laws and valid legal process, such as court orders and subpoenas," a Google spokesperson said in a statement to DailyFinance. "At the same time, we have a legal team whose job is to scrutinize these requests and make sure they meet not only the letter but the spirit of the law."

York now has the identities of half a dozen people who allegedly had access to the Gmail account.

American laws governing similar situations differ somewhat from Canadian statutes, but the York case is reminiscent of the recent "Skank blogger" ruling, in which a Manhattan Supreme Court judge ordered Google to turn over the e-mail and IP address of an anonymous blogger who called model Liskula Cohen "the skankiest in NYC."

Writing about the case, my colleague Jeff Bercovici noted that the ruling could force anonymous internet cranks to go to greater lengths to shield their identity. "In trying to make people accountable for the vicious things they write online, that judge is only going to force them to cloak their identities ever more effectively," Bercovici wrote.

Google search queries -- obtained by court-ordered warrants -- have been used in numerous criminal cases, including the recent case of a Florida man who was convicted of murder based on evidence that included his own Google research, which included searching on terms like "trauma, cases, gunshot, right chest."

No matter how many precautions we take to remain private or cloak our identity, the authorities and other potential litigants usually have little difficulty obtaining this content. And they do it not by nefarious means like hacking, but through our very own court system.

Internet users everywhere would do well to take heed. Your emails -- and maybe even your Google searches -- could be one subpoena away from the prying eyes of federal authorities, not to mention private litigants.

by Sam Gustin
Sep 12th 2009

Learn how to protect yourself from identity theft


Did you know that there are numerous steps you can take to protect yourself against identity theft besides just checking your credit report? Here, we talk with an expert and offer tips on what regular people can do to ensure their identities stick with them instead of other shady characters.

Identity theft is big business, and it keeps getting bigger as more and more information about us floats around in an ever data-obsessed society. From every swipe of your credit card to every time you go to the doctor, doors are opened for thieves to snatch information and use it to their advantage. And, as the name implies, it's not just about fraudulent charges showing up on your bank account, either. At worst, you could find that someone has been using your social security number for years to work various jobs or, as in one Chicago student's recent experience, you could even get thrown in jail because a thief using your identity has a warrant out for his arrest. "Oops" doesn't even begin to describe it.

Most Americans know the basic principle of checking their credit reports once a year. Every US citizen can now get a free report from the three major credit bureaus every year to ensure everything is right on their accounts. However, that's the extent of most of our knowledge, and only addresses one facet of identity theft (financial institutions). It turns out there are a number of other preventative measures that can be taken, especially if you're the paranoid type.

Protect against spyware and malware. Seriously.

Electronic theft may not be the most common form of identity theft, but it's the fastest growing, as noted by TrustedID CEO Scott Mitic. (The most common form is still via people in your life who have physical access to your stuff—family, friends, your cleaning lady, your waiter, etc.) Protecting against the computer-based variety, though, is extremely simple. "Go online and find one of the many different companies that provide anti-spyware protection, which everyone should have," Mitic told Ars.

Indeed, many companies even offer free software to do so, such as McAfee's free SiteAdvisor plugin, which aims to keep users from being phished or tricked into downloading malicious software. And, as always, be careful with files and links that arrive by e-mail: only open attachments you are expecting from people you trust, and if you're ever suspicious of a link that claims to come from PayPal or your bank, it's always safest to open your browser and type in the URL yourself to log in instead of clicking from the e-mail.
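As an added illustration of the link advice above (example code written for this page, not from Ars, TrustedID or McAfee), the following Python script parses a constructed HTML e-mail body and flags two things a reader should treat as a cue to type the address by hand: anchors whose visible text names one site while the href actually points at another, and links that go to a bare IP address instead of a named host. The sample message, the hostnames in it and the two-label domain comparison are all assumptions made for the example; a production check would compare registrable domains using the public suffix list.

```python
"""Flag links in an HTML e-mail whose visible text does not match their destination.

Added example for this page; the sample message below is constructed, not a real phish.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one deceptive link, one honest link, one bare-IP link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://paypal.com.secure-login.example.net/verify">
log in at https://www.paypal.com</a> to confirm your account.</p>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p><a href="http://198.51.100.23/update">Download the security update</a></p>
"""

# Matches a hostname (optionally with scheme and path) appearing inside link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'www.paypal.com' -> 'paypal.com'.

    Assumption for the example: a real check should use the public suffix list so
    that a host under a multi-label suffix such as 'co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_shown_in_text(text):
    """Hostname the link text appears to promise, or '' if the text names none."""
    match = URL_IN_TEXT.search(text)
    return match.group(1).lower() if match else ""


def is_ip_literal(host):
    """True when the host part of a URL is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return [(href, reason), ...] for links the reader should type by hand instead."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # relative or mailto: links are out of scope here
        if is_ip_literal(host):
            findings.append((href, "destination is a bare IP address, not a named site"))
            continue
        shown = host_shown_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append((href, f"text shows {shown} but the link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href}\n  {reason}")
```

Run against the sample, the honest PayPal help link passes while the lookalike host and the bare-IP download are both reported. The comparison is deliberately done on the registrable domain rather than the full host, so a legitimate link from a subdomain of the site named in the text is not flagged.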

Fraud alerts are your friend

People are often advised to place fraud alerts on their files with the credit bureaus after someone has stolen their information, but how often are you told to do it before? As it turns out, paranoid types do it all the time, and it's not such a bad idea either. There are two steps to this: putting a fraud alert on your credit reports, and putting a freeze on your credit. "These two mechanisms work in similar ways—someone cannot simply get your name and address and apply for credit in your name, because lenders must check with the consumer first when these freezes are in place," Mitic said. "These are highly effective ways of reducing most of the most dangerous forms of identity theft."

Of course, if you're the type who regularly applies for those department store credit lines to get a discount on your purchase, or you're about to apply for a time-sensitive loan (such as a mortgage on a house), this may be something you'll want to hold off on. However, if you don't usually open up many new credit accounts or if you have had a close call with ID theft, it may be a good idea.

Check for your kids

Children's identities are currently going for a premium, it turns out. And, because most people don't think to check up on their kids' credit reports, the use of their IDs can go on for years (or sometimes even decades) before it ever comes to light. "Consumers and parents should be checking their children's info by going to the three credit bureaus once per year and inquiring as to whether or not there is a credit report," Mitic said. In this case, no news is good news, but if your kid is only 5 and has a report, there could be a problem.

Another way to check on your kid's identity is to request a yearly summary of his or her earnings from the Social Security Administration. Obviously, if your child is too young to work, there shouldn't be any earnings. But, as Mitic pointed out, undocumented workers might get a job with a stolen social security number and, if it's a child's, might be able to use it for many years. If that happens, though, the earnings will be reported on the yearly summary, so it's a good way to make sure things are clean for your child (and you, as well).

Think about your medical identity, too

"What many people don't realize is that their medical insurance is valuable to those who don't have insurance," Mitic said. Your name, address, and insurance information can easily be used by fraudsters to get medical treatments in your name. This is the most serious if someone has used your insurance already for treatment in a life or death situation. "If you end up in the hospital with a split appendix and doctors look at your medical charts, they might think it's not an appendix problem because you've already had yours removed."

Okay, so that's an extreme case, but it could still happen. "Half a million to a million people per year are paying for medical procedures that are not theirs," Mitic warned. (Ouch.) A good idea in this case would be to contact your insurance company once per year to ask for an annual disclosure of benefits processed in your name. This document will show every claim processed for you and you can examine it to make sure every item is legit.

Oh social networking, you minx

We already know that social networking sites can pose a threat to people's machines and networks thanks to the proliferation of malware, but they're also a good medium for stealing people's identities and scamming "friends." According to Mitic, there have been repeated incidents of people getting messages from friends describing extreme circumstances like a car accident and asking for money.

"Employ a reasonable level of suspicion when someone who is not standing immediately in front of you is asking you for anything," he said. "That's especially true in this era of social networking. The message that seems to be coming from your friend may not be coming from your friend."

Similarly, ensure that your own accounts don't get hacked or stolen by employing best practices when determining your passwords, and of course, don't share your password information (or your secret questions!) with anyone.

Conclusion

The rabbit hole is pretty deep when it comes to little things you could do to protect yourself from identity theft, but these basic steps will help mitigate the large majority of situations. If there's one thing that could be improved upon, it's the fact that each individual entity must be dealt with if you end up finding something fishy—if you find something on your credit report, you must deal directly with the credit agencies and financial institutions. If you find something on your insurance, you must deal with your insurance company and hospitals involved. If it's a case of social security fraud, you have to deal with the Social Security Administration to sort it out. Aside from this inconvenience, though, it's not hard to keep regular checks going on various parts of your life to make sure someone else isn't pretending to be you.