How Pop-Ups Could Brand You a Pervert or Crook

[David Farber <dave () farber net>]

Begin forwarded message:

From: pfir () pfir org
Date: December 12, 2006 8:57:48 AM JST
To: pfir-list () vortex com
Subject: [ PFIR ] How Pop-Ups Could Brand You a Pervert or Crook
Reply-To: PFIR - People For Internet Responsibility announcement list  
<pfir () pfir org>


                 How Pop-Ups Could Brand You a Pervert or Crook

                  http://lauren.vortex.com/archive/000203.html



Greetings.  A "New York Times" article today
( http://www.nytimes.com/2006/12/11/technology/11push.html )
explores the problem of Web-based "pop-up" ads being used to
artificially inflate Web traffic.

I'd like to point out a potentially much more serious problem
related to pop-ups that can access arbitrary Web sites -- they could
be used for purposes that could get innocent Web users into major
legal problems.

The issue of sites triggering unsolicited access to other sites is
not new.  In an IP message over a year ago ("Google's new feature
creates another user privacy problem" --
http://lists.elistx.com/archives/interesting-people/200506/ 
msg00190.html ),
I discussed how Google's triggering of top item "prefetch" in
returned search results could result in Firefox browsers visiting
the referenced site -- and collecting any associated cookies -- without
users' knowledge (I also suggested ways to prevent this behavior).

The essential problem is that Web logs that record users' access to
sites would record such visits as if they had been voluntarily
initiated by those users.  If those destinations happen to be sites
with various forms of "illicit" materials that could be the subject
of government or other investigations that would go digging through
associated access logs...  Well, you can imagine the possible
complications.

Google's prefetch behavior is an example of a well-intended feature
with unfortunate negative side-effects.

On the other hand, the sorts of nefarious pop-ups described in the
NYT piece have much greater potential for intentionally serious
sorts of damage, since they can be far more flexible and directed
than simple Web prefetches, and so could put innocent consumers at
even greater risk.  They might not only access pages that could get
people arrested (perhaps c-porn?), but also download files that
could trigger RIAA and/or MPAA "automatic" lawsuits, or any number
of other nightmare scenarios.

It's fair to ask why anyone might want to set loose such technical
monsters on innocent victims.  The simple answer is that there are
quite a few people out there who just want to score a point -- to
prove that they can do it -- plus of course the sick minds who enjoy
watching other people suffer.

If nothing else, this specter is yet another reason to block all
pop-ups routinely and to disable browser prefetch as appropriate.
Most of all it is a reminder to authorities that just because
particular entries are present in subpoenaed Web logs, does not
necessarily mean that they are accurate representations of user
intent.  In many cases you may actually be looking at victims, not
perpetrators.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Founder, CIFIP
   - California Initiative For Internet Privacy - http://www.cifip.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

_______________________________________________
pfir mailing list
http://lists.pfir.org/mailman/listinfo/pfir


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/