Full Disclosure mailing list archives
Re: Google to base ads on surfing behaviour
From: Stephen Menard <smenard () nbnet nb ca>
Date: Wed, 18 Mar 2009 20:57:46 -0300
NASTY TRUTHFUL EVALUATION NICK WATCH OUT FOR THE BLACK TRUCKS

Nick FitzGerald wrote:
> Bipin Gautam wrote:
>> google is evil : http://news.zdnet.co.uk/internet/0,1000000097,39625962,00.htm
>
> That's news? 8-)
>
>> "These ads will associate categories of interest -- say sports, gardening, cars, pets -- with your browser, based on the types of sites you visit and the pages you view," ...
>>
>> As with any other cookie, this tracking file can be cleared by the user at any time. By visiting Google's ad-preferences page, the user can opt out of having their surfing habits tracked, or input their own preferences for the subject matter of ads they would like to see. However, as clearing the browser's cookies would effectively remove the opt-out cookie itself, Google has also released a plug-in for browsers that provides a permanent opt-out from the service. ...
>
> Whatever happened to "default deny"? Oh, that's right -- it wouldn't be in _Google's_ interest to require surfers to opt into Google breaching their privacy. As the US government doesn't seem to care much, if at all, about protecting the privacy rights of its citizens (in fact, do US citizens actually have any legally-protected privacy rights worth talking about?), perhaps the EU should step up here and fine the crap out of Google until it "fixes" this latest egregious assault on our privacy...
>
> ... And would it be churlish to point out that Google is breaking its own principles with this move? Bipin has already alluded to the much-vaunted "do no evil" doctrine (actually, it is "You can make money without doing evil" -- point six at: http://www.google.com/corporate/tenthings.html and arguably does not preclude "but you can make more money by doing evil" if you read the whole thing), but there are others, perhaps most pertinent here are in: http://www.google.com/corporate/software_principles.html
>
>> Software Principles
>>
>> At Google, we put a lot of thought into improving your online experience. We're alarmed by what we believe is a growing disregard for your rights as computer users. We've seen increasing reports of spyware and other applications that trick you in order to serve you pop-up ads, connect your modem to expensive toll numbers or hijack your browser from the site you're trying to visit.
>
> Yet it seems that it is acceptable for Google to breach reasonable expectations of privacy "behind the scenes" (these principles seem aimed at client-side, rather than server-side, shenanigans -- hmmmm...).
>
>> We do not see this trend reversing itself. In fact, it is getting worse. As a provider of services and monetization for users, advertisers and publishers on the Internet, we feel a responsibility
>
> ...to ensure those trends continue? No -- actually, it continues:
>
>> to be proactive about these issues. So, we have decided to take action. As a first step, we have outlined a set of principles we believe our industry should adopt and we're sharing them to foster discussion and help solve the problem. We intend to follow these guidelines ourselves with the applications we distribute (such as the Google Toolbar and Google Desktop). And because we strongly believe these principles are good for the industry and users worldwide, we will encourage our current and prospective business partners to adopt them as well.
>
> ...but again, we won't apply these principles to the service side of our industry and actions. How gloriously myopic, or is that two-faced?
>
> The second of these proposed software principles is described thus:
>
>> UPFRONT DISCLOSURE
>>
>> When an application is installed or enabled, it should inform you of its principal and significant functions. And if the application makes money by showing you advertising, it should clearly and conspicuously explain this. This information should be presented in a way that a typical user will see and understand -- not buried in small print that requires you to scroll. For example, if the application is paid for by serving pop-up ads or sending your personal data to a third party, that should be made clear to you.
>
> But, again, not if it's Google, DoubleClick, et al. twiddling bits on the back-end...
>
> And a few sections later:
>
>> SNOOPING
>>
>> If an application collects or transmits your personal information such as your address, you should know. We believe you should be asked explicitly for your permission in a manner that is obvious and clearly states what information will be collected or transmitted. For more detail, it should be easy to find a privacy policy that discloses how the information will be used and whether it will be shared with third parties.
>
> But, again, not if it's Google, DoubleClick, et al. twiddling bits on the back-end...
>
> ... And to add another security-related issue to this thread, I'd rather that Google and DoubleClick spent some time and effort on fixing a couple of DoubleClick's biggest problems rather than on adding AdSense tracking integration to DoubleClick's cookie mechanisms.
>
> First is that DoubleClick really needs to work on not accepting "dodgy" ads such as the "fake AV" ads and such they've been serving increasingly often of late.
>
> Second, and much bigger, DoubleClick also needs to fix a huge security flaw across the whole of doubleclick.com. doubleclick.com is an open redirector farm. Depending on your school of thought, that might be considered what is known in web app security circles as a form of cross-site scripting (or XSS) flaw. This has been abused by spammers, phishers and malware spreaders in the past and fixing it won't be trivial as the whole DoubleClick business model is based on this behaviour and the common, Q&D fix for this type of problem (referer-checking based solutions) is unviable when the expected referrers are virtually any domain on the planet (as required by DoubleClick's distributed ad serving business model).
>
> It took Google the best part of a decade to (mostly) fix its own open redirector problems, but that should mean it can provide some valuable input to its new stablemate...
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
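
An added example, not part of the original posts and not Google's or DoubleClick's code: one way to close an open redirector without relying on the Referer header is to sign each approved destination when the ad is booked and verify that signature in the redirect handler. The key, endpoint, function names and URLs below are assumptions constructed for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: a server-side secret known only to the ad platform (constructed value).
SIGNING_KEY = b"constructed-demo-key"
REDIRECT_ENDPOINT = "https://ads.example/click"  # hypothetical redirect endpoint


def _mac(dest: str) -> bytes:
    """HMAC-SHA256 over the exact destination string, hex-encoded."""
    digest = hmac.new(SIGNING_KEY, dest.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest().encode("ascii")


def issue_click_url(dest: str) -> str:
    """Run once when a landing page is approved; binds the MAC to that URL."""
    parts = urlsplit(dest)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("landing page must be an absolute http(s) URL")
    return REDIRECT_ENDPOINT + "?" + urlencode(
        {"dest": dest, "sig": _mac(dest).decode("ascii")})


def resolve_click(click_url: str):
    """Redirect handler: return the destination for a 302, or None to refuse.

    No Referer check is involved, so a signed link works from any
    publisher's site, while unsigned or altered destinations are rejected.
    """
    query = parse_qs(urlsplit(click_url).query)
    dest = query.get("dest", [""])[0]
    sig = query.get("sig", [""])[0].encode("utf-8", "replace")
    if not dest or not hmac.compare_digest(_mac(dest), sig):
        return None
    return dest


def demo():
    """Constructed inputs: one signed link, one altered link, one unsigned link."""
    good = issue_click_url("https://advertiser.example/landing?id=7")
    tampered = good.replace("advertiser.example", "other.example")
    unsigned = REDIRECT_ENDPOINT + "?" + urlencode({"dest": "https://other.example/"})
    return resolve_click(good), resolve_click(tampered), resolve_click(unsigned)


if __name__ == "__main__":
    print(demo())
```

The signature only proves that the destination was approved at booking time; it does nothing about an approved landing page that is itself a "dodgy" ad, which is the separate first problem raised in the post.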