Security

What we think is reasonable, commonplace, or even possible in terms of protecting or violating online privacy shifts constantly. Recent developments in tools and techniques for tracking online behavior and identifying individuals from supposedly anonymized data sets should cause us to reevaluate what is possible. Katherine McKinley of iSEC Partners published a detailed analysis of how popular browsers and browser extensions handle cookies and other methods of local data storage used for tracking users in her December, 2008 paper Cleaning Up after Cookies (PDF). McKinley tested the ability for browsers and extensions to clear the private data as well as “private browsing” features. She found that most browsers attempted to clear previous stored private data, but often left some data accessible. She found that Adobe Flash did not attempt to remove this data and in fact stored it in such a way that it circumvented most privacy protections offered by browsers. iSEC Partners created an online version of the test used in the article to allow individuals to test their own configurations. It is available at Breadcrumbs Tracker. ...

John Gruber’s Daring Fireball pointed me to Jakob Nielsen’s Alertbox column Stop Password Masking, which resulted in a thoughtful and interesting thread of conversations and a few experimental solutions. Password masking refers to the practice of displaying an alternate character, usually a star or a bullet in place of the actual characters typed into a password field. The idea is that this prevents another party from viewing the password while it is entered. Nielsen argues that in most cases masked passwords are not needed since should surfing is not a major issue and that this is even less of an issue on mobile devices. He says masked passed passwords often reduce usability by increasing the number of errors since users cannot see what they are typing. This problem is further compounded on mobile devices where typing is more difficult and slower. Since users are less certain about what they are typing, they are much more likely to choose passwords that are simplistic or copy and paste the passwords from less secure locations. Nielsen says that high value password forms should offer an optional checkbox for masking passwords so that they can be used on an as needed basis. ...

Duping users into revealing their private data goes back decades, but it wasn’t until the late-1990s that “phishing” became the word to describe the practice. Today, phishing costs banks, service providers, and consumers billions of dollars per year, and companies are working frantically to limit the damage. A survey by Gartner estimated that more than three and a half billion dollars were lost to phishing in the United States in 2007 alone. ...