Internet privacy snafus that left us speechless (images)
Think your information is safe with "them"? Think again. The words may change but the song has remained the same.
The new normal: Internet privacy snafus
Let's not beat around the bush: Welcome to the new normal.
The Federal Communications Commission recently wrapped up its probe of Google Street View, another in a series of examples where governments and privacy advocates butted heads with tech companies over their propensity to overstep certain -- perhaps ill-defined -- red lines governing user privacy and information on the Internet.
But Google's not the only offender. Though the names change, the song has remained the same over the last decade and a half. Indeed, there has been no shortage of "mistakes" to remind us that Internet privacy remains a work in progress -- as the following slides make painfully clear.
Give it up to Google for thinking big. And indeed there was major ambition behind Street View, a Google project to photograph and map out the streets of the world. Cool, right? What was uncool was the revelation that Google wound up secretly scarfing up personal locations from millions of people during the process of its information gathering.
Turns out that this particular case was one of several government investigations examining how Google's Street View cars actually collected the personal and private data of individuals via wireless networks while mapping cities in more than 30 countries. The cars were supposed to collect just the locations of Wi-Fi access points but inadvertently also collected e-mail and text messages, passwords, Internet-usage history, and other data from unsecured wireless networks for four years. Google said that it didn't do anything purposely untoward while the government countered that, yes, there actually was a much bigger problem in the way companies treat the (supposedly) private information of people in our ever-increasing cyber lives.
Google blamed a lone engineer acting without authorization, though the government claims that several people -- including a manager -- had been informed. The Federal Communications Commission was exasperated with Google's cooperation, ultimately fining the company $25,000 and complaining in a report that Google had obstructed its investigation.
On a scale of 1 to 10, Facebook rates a solid 5. Over its brief history, the company has time and again managed to annoy its users by announcing tweaks to the service that invariably raised all sorts of privacy concerns with nearly everyone not named Mark Zuckerberg.
Early on, there was the uproar over the advertising program Beacon. "We've made a lot of mistakes building this feature, but we've made even more with how we've handled them," Zuckerberg wrote after backing down.
The company has promised to keep its nose clean and signed off on a settlement with the FTC late in November, requiring Facebook to give “prominent notice” and first obtain consumers' “express consent before their information is shared beyond the privacy settings they have established.” The list of particulars compiled by the FTC goes back to 2009 when Facebook changed the site so that certain information users may have designated as private was made public. Without advance approval. Other highlights from the hit parade include:
Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data -- data the apps didn't need.
Facebook said it complied with the U.S.-EU Safe Harbor Framework governing data transfer between the U.S. and the European Union. Untrue, said the FTC.
Facebook told users they could restrict sharing of data to limited audiences. The reality, according to the FTC: Electing "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
Facebook had a "Verified Apps" program which it claimed certified the security of participating apps. Untrue, said the FTC.
Facebook promised users that it would not share their personal information with advertisers. Untrue, said the FTC.
Despite claiming that photos and videos would be inaccessible after users deactivated or deleted their accounts, Facebook allowed access to the content, according to the FTC.
In March 2011, Twitter signed off on a deal with the FTC resolving charges that it had deceived consumers by failing to safeguard their personal information. The company was essentially put on extended probation for the next 20 years during which it is forbidden from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”
Its security program is also subject to an independent audit every other year for the next decade.
I’m quite sure that Path CEO Dave Morin would have forgone his 15 minutes of fame without anyone twisting his arm. In February, the popular photo-sharing app was found to upload users' entire address books to its servers without first asking permission. Morin didn’t make his life any easier when he first responded by saying that Path’s actions were an “industry best practice.” After the inevitable Internet uproar, Morin apologized and said the company would delete the data it collected and would henceforth ask permission before taking address book information.
Apple was found to be keeping a log of information on user whereabouts that was freely available for anyone who managed to get their hands on the data. The April 2011 controversy arose after researchers discovered what looked to be secret files on the iPhone that tracked user location stored on the device, without the permission of the device owner. Apple said that the data was not for the purposes of tracking where people are. Instead it was to help the company's devices zero in on their location using information from part of a larger database. The company promised that a future software update would cut down the time this data was stored on the phone, and that it would be encrypted.
In 1999, Microsoft Hotmail suffered a glitch which made private e-mail accounts available to anyone with a Web browser. Microsoft was forced to black out most of the site, leaving millions of users without access. This was about 12 hours after the company was notified of the security hole.
In 1999, Intel found itself in the crosshairs after acknowledging that the Pentium III chip would carry a unique serial number that can be read by the computer's software. The company said this would help promote "digital content protection" and prevent counterfeiting of Intel processors. Privacy advocates didn’t buy that argument. Instead, they said, Intel was trying to install the equivalent of a “super-cookie” that would follow people as they surfed around the Internet and result in more spam. It didn't take long, however, before the outcry grew so loud that Intel backed down and disabled the Pentium ID feature.
In 2005, Sony BMG got into trouble when copy protection software got installed automatically on Windows PCs when customers played their CDs. Like other record labels at the time, Sony was seeking ways to crack down on people making unauthorized copies of music files and then uploading them to the Internet.
However, the installation of a so-called rootkit was found to interfere with the operating system and left the door open to malware infection. The blowback was intense and led to several lawsuits. Critics said that rootkits were frequently used by virus makers to burrow inside of Windows. It got so bad that Microsoft felt compelled to label part of the copy protection Sony used as spyware. Sony was forced to recall more than 4.7 million CDs as well as offer to replace 2.1 million CDs that it sold.
In late 2011, software from a Mountain View, Calif.-based startup called Carrier IQ, which provides tracking tools to carriers and phone vendors, was found to be collecting data without consumers' knowledge and without their ability to opt out of the data collection. There had also been speculation that the content of the messages and keystrokes was being logged, but Carrier IQ denied those claims. And independent security experts also found no evidence of keylogging by the software.
The company was also incorrectly accused of being a "rootkit keylogger." While that turned out not to be true, the software raised other privacy concerns, such as the ability to record and transmit a list of URLs visited when using Wi-Fi, the leaking of the contents of encrypted HTTPS URLs, and so on. Sprint later disabled the software in devices running on its network. (Sprint also said at the time that it would not use any of the information collected from Carrier IQ.)
Yahoo suffered a huge PR black eye after it cooperated with Chinese officials who sought the e-mail accounts of political dissidents. The company was later sued by several Chinese political activists who complained that Yahoo’s collaboration led to their imprisonment for allegedly distributing state secrets over the Internet. During a televised congressional hearing in 2007, Yahoo Chief Executive Jerry Yang and General Counsel Michael Callahan suffered a public tongue lashing -- at one point being told that their company’s China policy was “spineless.”
Talk about your legendary "oops" moments. In 1998, a customer service representative at America Online -- that was the official name back then -- gave a Navy investigator private information about a subscriber. The Navy used that info to order the subscriber's military discharge for supposedly admitting that he was gay. Even more outrageous, during a court hearing, the investigator said he never identified himself. AOL later said that its representative had made a mistake. "This was a case of human error under very unusual circumstances," AOL explained.
AOL also figured in one of 2006's bigger privacy scandals when it published the search histories of more than 650,000 of its users. Even though AOL apologized and removed the file from its Web site, the database had already been mirrored, exposing life stories expressed in some 21 million search queries.
The database did not include names or user identities. But it did list a unique ID number for each user thus making it possible to view the search terms that users of a single account typed in while using AOL Search during a three-month period.