Internet

Group calls privacy protection measures ineffective

Web surfers who believe they have taken adequate steps to protect their privacy online may be in for a rude awakening, according to new privacy reports.

Web surfers who believe they have taken adequate precautions to protect their personal data online may be in for a rude awakening, according to new privacy reports showing that preferences for high security frequently revert to low security without notice.

Privacy consultants Interhack this week illustrated the point through an obscure privacy glitch they say affects certain versions of Netscape Communications' Web browser. According to Interhack, a Netscape security feature could potentially expose people to online snooping by overriding "opt out" preferences that block Web sites from gathering data.

"People who thought that they have opted out almost certainly have been opted back in at some point," said Matt Curtin, Interhack CEO.

At stake, according to Interhack, is the way Netscape treats digital markers, or "cookies," placed on Web surfers' computers. While cookies can be used to track online behavior, they also can perform a host of useful functions, such as instructing Web sites not to collect data about a specific person.

Advertisers say cookies are a useful way to keep track of preferences and make it more convenient to surf the Web, but privacy advocates say cookies are too easily deleted or corrupted to trust to the crucial gate-keeping function.

"Using cookies isn't the ultimate solution (for protecting privacy)," said Ari Schwartz, a policy analyst at the Center for Democracy and Technology. "If you're interested in opting out of cookies, every time you switch computers or browsers, you need to reset your preferences."

Such glitches point to deeper problems over policies that require people to opt out of data-gathering systems rather than opt in. In an opt-out system, Web sites assume they can gather data unless they are told they can't. In an opt-in system, Web sites assume they can't gather data unless they are expressly given permission to do so.

Losing opt-in information is far less damaging to privacy, because the default goes back to not collecting data.

Interhack said the problem can be demonstrated with older Netscape browsers by activating and later deactivating a preference that rejects the use of cookies altogether. Activating the feature "Do not send or receive cookies" deletes the entire cookie database, including cookies that tell Web sites not to gather personal data. If the preference is later deactivated, sites that had previously been barred from tracking someone via cookies are once again free to do so.

Interhack said users of Netscape Communicator versions 4.5, 4.6, 4.72, 4.73 may be affected by the problems.

Netscape downplayed the issue and defended the security features on its browser.

"Netscape has long had preferences in Navigator that allow users to control the way that their browser handles cookies," said Netscape spokeswoman Catherine Corre. "We are continuing to improve on that control with...Netscape 6.

"This is the way the Netscape browser was designed; this is not a bug, nor a design flaw," Corre added.

Another bug reported by Interhack involves DoubleClick and the prerelease version of Netscape 6. DoubleClick's cookies send information that is case-sensitive and will not interact properly with protocols in Netscape's new browser, according to Interhack's Curtin.

Curtin said the latter problem is with DoubleClick, not Netscape.

Jules Polonetsky, chief privacy officer at DoubleClick, acknowledged that DoubleClick's cookies do not work with the beta version of Netscape's new browser, but that there is not a privacy issue, because cookies are inoperable with the browser. He added that his company is modifying its ad servers to ensure that DoubleClick cookies interact properly with the final release of Netscape 6.

But privacy advocates say this kind of technical glitch is a prime illustration of why opting in is the only way to give consumers control of their privacy on the Web.

"It just illustrates Security, privacy issues make Net users uneasyhow preposterous and inappropriate DoubleClick's scheme is to burden the consumer with having to opt out," said Jason Catlett, president of advocacy group Junkbusters, which publishes free cookie management software. "It's like asking people to wear a sticker on their lapel asking (DoubleClick) not to follow them around. They should have that right in the first place."

The use of cookies has long been a flash point in the war over online privacy.

Earlier this year, Sen. Robert Torricelli, D-N.J., issued a proposal that would make it unlawful for companies to collect personal information online without first getting permission from the consumer. Other lawmakers also are grappling with Net privacy issues with hopes of updating privacy laws to apply to the current day.

Meanwhile, new technologies are coming out that will give Web users more control of their personal information.

On June 21, the World Wide Web Consortium, the main standards-setting body for the Web, will release a beta version of a standard called the Platform for Privacy Preferences (P3P) in conjunction with Microsoft and IBM, among others. The standard will help consumers better understand how sites track visits and pass along information to other parties.