Privacy

A study by Princeton researchers came to light earlier this month, revealing that over 400 of the world's most popular websites use the equivalent of hacking tools to spy on you without your knowledge or consent.

Using session replay scripts from third-party companies, websites are recording your every act, from mouse moves to clicks, to keylogging what you type, and extracting your personal info off the page. If you accidentally paste something into a text field from your clipboard, like an address or password you didn't want to type out, the scripts can record, transmit, and store that, too.

What these sites are doing with this information, and how much they anonymize or secure it, is a crapshoot.

Among top retail offenders recording your every move and mistake are Costco, Gap.com, Crate and Barrel, Old Navy, Toys R Us, Fandango, Adidas, Boots, Neiman Marcus, Nintendo, Nest, the Disney Store, and Petco.

Tech and security websites spying on users include HP.com, Norton, Lenovo, Intel Autodesk, Windows, Kaspersky, Redhat.com, ESET.com, WP Engine, Logitech, Crunchbase, HPE.com (Hewlett Packard Enterprise), Akamai, Symantec, Comodo.com, and MongoDB.

Other sites you might recognize that are also using active session recording are RT.com, Xfinity, T-Mobile, Comcast, Sputnik News, iStockphoto, IHG (InterContinental Hotels), British Airways, NatWest, Western Union, FlyFrontier.com, Spreadshirt, Deseret News, Bose, and Chevrolet.com

After several days of radio silence, VPN provider PureVPN has responded to criticism that it provided information which helped the FBI catch a cyberstalker. In a fairly lengthy post, the company reiterates that it never logs user activity. What it does do, however, is log both the real and assigned 'anonymous' IP addresses of users accessing its service.

In a fairly lengthy statement, PureVPN begins by confirming that it definitely doesn't log what websites a user views or what content he or she downloads. However, that's only half the problem. While it doesn't log user activity (what sites people visit or content they download), it does log the IP addresses that customers use to access the PureVPN service. These, given the right circumstances, can be matched to external activities thanks to logs carried by other web companies.

If for instance a user accesses a website of interest to the authorities, then that website, or various ISPs involved in the route can see the IP address doing the accessing. And if they look it up, they will find that it belongs to PureVPN. They would then ask PureVPN to identify the real IP address of the user who was assigned the observed PureVPN IP address at the time it was observed.

Now, if PureVPN carried no logs -- literally no logs -- it would not be able to help with this kind of inquiry. That was the case last year when the FBI approached Private Internet Access for information and the company was unable to assist .

But in this case, PureVPN does keep the records of who was assigned each IP address and when, and so the user can be readily identified (albeit with the help of the user's ISP too).

See the full explanation in the article from torrentfreak.com

TorrentFreak sums up:

It is for this reason that in TorrentFreak's annual summary of no-logging VPN providers , the very first question we ask every single company reads as follows:

Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user/users of your service? If so, what information do you hold and for how long?

Clearly, if a company says yes we log incoming IP addresses and associated timestamps, any claim to total user anonymity is ended right there and then.

While not completely useless (a logging service will still stop the prying eyes of ISPs and similar surveillance, while also defeating throttling and site-blocking), if you're a whistle-blower with a job or even your life to protect, this level of protection is entirely inadequate.

Leila has two identities, but Facebook is only supposed to know about one of them.

Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest, professional blowback, or clients who might be stalkers (or worse).

Her "real identity"--the public one, who lives in California, uses an academic email address, and posts about politics--joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using using in place of either of the names she uses) was shocked to see some of her regular sex-work clients.

Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people--and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them.

Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again.

See the full article from gizmodo.com

Facebook denies it, but maybe the most obvious explanation is that Facebook is somehow inferring connections from the proximity of people's phones.

Lobbyists for Google, Facebook, and other websites are trying to stop the implementation of a proposed law in the US that would strengthen consumer privacy protections online.

Representative Marsha Blackburn last week proposed a bill that would require broadband providers and websites to obtain users' opt-in consent before they use Web browsing history and application usage history for advertising and other purposes or before they share that information with other entities. The rule in Blackburn's BROWSER Act is similar to a previous proposal blocked by Republicans in Congress and President Donald Trump.

Currently the internet industry claims to be self regulating with mechanisms in which websites let visitors opt out of personalized advertising based on browsing history. However these rules do not restrict internet companies from gathering such intrusive personal information.

Naturally, lobbyists are trying to stop this from taking effect. The Internet Association yesterday issued a statement claiming that the bill will somehow diminish consumer experience and will stifle innovation. The Internet Association's founding members include Google, Facebook, Amazon, Dropbox, eBay, Microsoft, Netflix, PayPal, Reddit, Spotify, Twitter, and about 30 other Web companies.