Saturday, 30 June 2012

Online tracking and what you can do to stop advertisers

On Monday, CBS ran a morning segment about targeted online advertising and the growing trend to market to users based on their online activity. They talked about ads targeted to site visitors based on what kind of computer they’re using, what other sites they’ve visited, and what they’ve purchased. But this shouldn’t come as a surprise to anyone who has spent any amount of time shopping online. Companies like Google, Facebook, eBay, Amazon and others are making a mint selling targeted ad space.
This woman has no idea what she's talking about.

The reporter concludes the segment saying, “Is there a way to stop them? Right now there’s not.”

I don’t know what passes for research at CBS, but there are several things you can do to prevent websites from tracking your activity. But before we get into that, let's explore how exactly online advertising works and why these companies are tracking your every move.

How it works

Every time you surf through, let’s say, a shopping website (but don’t think that it’s limited to these sites), a third party advertising company that has an agreement with that website is logging your IP address, which pages you visit, how long you stay at those pages, how much you spend, how fast your internet connection is, and about a hundred other things that are combined to build a profile of who they think you are. That profile is then stored in one of your browser’s folders as a “cookie”. Now, pretty much all websites place cookies, but not all are used for advertising – many are important, giving users full access to a site’s features. But if you have a tracking cookie, as you surf the web and go to different sites, that cookie will track your movements and record what you do on those sites.

Furthermore, many sites have agreements with outside companies to whom your click information is forwarded whenever you visit. Let’s say you go on Ford’s website because you’re in the market for a new car. After shopping around for a while, you head over to the New York Times to catch up on news. If both of those companies have a relationship with the same third party advertising company (and it’s often the case that they will) that company might show an advertisement for a brand new Mustang on the New York Times.
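
To see the Ford and New York Times scenario from the browser's side, here is an added example (not from the original post) that scans a constructed request log for third parties that received the same cookie from more than one site. All hostnames and cookie values are made up, and the "last two labels" rule for finding a site's domain is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample log: (page the user was on, host the browser contacted,
# cookie sent to that host or None). All hosts and values are hypothetical.
REQUESTS = [
    ("www.ford.example", "www.ford.example", "sess=a1"),
    ("www.ford.example", "ads.tracker.example", "uid=7f3c"),
    ("www.ford.example", "cdn.fonts.example", None),
    ("www.nytimes.example", "www.nytimes.example", "sess=zz9"),
    ("www.nytimes.example", "ads.tracker.example", "uid=7f3c"),
    ("www.nytimes.example", "cdn.fonts.example", None),
    ("blog.example", "stats.other.example", "v=1"),
]


def site_of(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: real browsers consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cross_site_trackers(requests, min_sites=2):
    """Return {third_party: {cookie: sorted first-party sites}} for cookies
    the same third party received from at least min_sites different sites."""
    seen = defaultdict(lambda: defaultdict(set))
    for page_host, req_host, cookie in requests:
        first, third = site_of(page_host), site_of(req_host)
        if cookie is None or first == third:
            continue  # no identifier sent, or a first-party request
        seen[third][cookie].add(first)
    report = {}
    for third, cookies in seen.items():
        linked = {c: sorted(s) for c, s in cookies.items() if len(s) >= min_sites}
        if linked:
            report[third] = linked
    return report


if __name__ == "__main__":
    for tracker, cookies in cross_site_trackers(REQUESTS).items():
        for cookie, sites in cookies.items():
            print(f"{tracker} saw {cookie} on: {', '.join(sites)}")
```
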

Now here’s where it gets even more personal. Think about a company like Google. Google manages my email, my web searches, the route I take in my car, and a lot more. How much does Google know about me? You can bet they’ve got my name, my age, my geographic location, what I search for online, and pretty much every other little detail. Companies like Google have enough information to paint an extremely detailed portrait of their users.

So, what can you do to prevent companies from tracking your online activity?

Part 1: Opt Out

Since there are a few ways to go under the advertising radar, this will be broken into a two-part series. This week, we'll explore "opting out".

1.    Opt Out Cookies

A few years ago, investigators at the U.S. Federal Trade Commission decided that some internet users might not be very excited about having all of their personal data recorded and logged by advertisers. Thus was born the opt-out cookie. For every tracking cookie used by a company there is a corresponding FTC-required opt-out cookie that tells the advertising company they can’t track you.

If you want to go with this approach, it’s important to remember that there is no single blanket cookie that prevents all tracking – you need to download an opt-out cookie for every advertising company. Fortunately, a plug-in is available for most browsers that will maintain a catalogue of these cookies and ensure that yours are up to date.

2.    Do Not Track

Remember the Do Not Call list for telemarketers? This is basically the same thing but for online advertisers.

When you go to a site, information is sent to the site’s servers in bits called headers. When you use Do Not Track – which is available as a plugin and will soon be available on Internet Explorer – a header is sent to websites notifying them that you are on the Do Not Track list.

Unfortunately, Do Not Track does not apply to sites in closed networks like Facebook. And since there is no legal requirement forcing advertisers to go by this list, from what we’ve seen, most of them choose to ignore it. But hey, it can’t hurt, right?

3.    Use browser settings to disallow cookies

This is the nuclear option. As mentioned briefly above, many websites – especially social networking sites – require cookies to function properly in your browser. To execute this correctly, you’ll have to maintain an ‘allowed’ list so the cookies you do want will come in without any of the bad ones.

Admittedly, this is probably one of the most effective ways to prevent tracking. Unfortunately, it also requires the most upkeep and may not be worth the compromise for most.
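
The "allowed list" approach comes down to a decision made for every cookie a site tries to set. The sketch below is an added example (not from the original post, and not how any particular browser implements it) that applies an allowlist to constructed Set-Cookie headers; the hostnames, cookie values and function names are all hypothetical.

```python
# Constructed sample: (host that sent the response, Set-Cookie header value).
# All hosts and cookie values are hypothetical.
ALLOWLIST = {"social.example", "bank.example"}
RESPONSES = [
    ("www.social.example", "session=abc; Path=/; HttpOnly"),
    ("login.bank.example", "auth=xyz; Domain=.bank.example; Secure"),
    ("ads.tracker.example", "uid=7f3c; Domain=tracker.example; Max-Age=31536000"),
    ("notsocial.example", "id=1; Path=/"),
    ("ads.tracker.example", "x=1; Domain=social.example"),
]


def within(host, domain):
    """True if host equals domain or is a subdomain of it. Matching on a
    leading dot keeps 'notsocial.example' from matching 'social.example'."""
    return host == domain or host.endswith("." + domain)


def cookie_domain(host, header):
    """Domain a cookie would be stored for: its Domain attribute if present,
    else the sending host. Returns None when the attribute names a domain
    the sender does not belong to (browsers discard such cookies)."""
    host = host.lower()
    for attr in header.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "domain" and value:
            domain = value.strip().lstrip(".").lower()
            return domain if within(host, domain) else None
    return host


def filter_cookies(responses, allowlist):
    """Return (accepted, rejected) cookie names under the allowlist."""
    accepted, rejected = [], []
    for host, header in responses:
        name = header.split("=", 1)[0].strip()
        domain = cookie_domain(host, header)
        ok = domain is not None and any(within(domain, a) for a in allowlist)
        (accepted if ok else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    print(filter_cookies(RESPONSES, ALLOWLIST))
```
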

Next: Part 2 — Virtual Private Networks

Tuesday, 26 June 2012

London's Facewatch service goes mobile - everyone gets creeped out

In case you were concerned that the citizenry of the world’s most surveilled region had just a tad too much privacy on their hands, you can now rest easy. In some kind of dystopian 1984 meets Nazi Germany twist, British authorities have released an iOS version of their Facewatch service.
... and so is that guy two tables over.

If you aren’t familiar with Facewatch, you’ll be glad to know it’s just as creepy as the name makes it sound. Facewatch was launched in 2010 and made waves last year after the London riots as an online database that displayed the faces of rioters caught on newsreels or one of the city’s four million surveillance cameras. The brilliance, of course, is that the police could rely on Londoners to report each other to the authorities instead of doing any actual police work.

The logistics were described in a Metropolitan Police Department press release.
The popularity of the app lies in its simplicity. As well as being available on all computers at www.facewatchid.co.uk the Facewatch App works across all smartphone and tablet computer platforms with internet connection and is free to download from the Apple App Store, Android Google Play and Blackberry App World.
A member of the public just has to enter their local postcode into their smart phone or iPad and then click or touch through a selection of unidentified CCTV images of suspects that the police would like to talk to. [Facewatch]
So what’s to stop a Facewatch user from going straight up Steven Seagal on an unsuspecting criminal (or someone who looks kind of like a criminal)? Well, nothing. Facewatch for iOS does, however, include a feature where users can input the name of the suspect and their current address, which is then sent “securely” and confidentially to authorities.

Saturday, 23 June 2012

The Coolest Malware of All Time

For the last couple of weeks, businesses around the world have reported their printers have been spewing out countless sheets of paper with only garbage characters printed on them. Turns out, a little virus called Trojan Milicenso was to blame.

According to Symantec, the virus was designed primarily as a delivery method for other malware (typically adware) but, because of a coding fluke, has caused some infected computers to go bonkers on the printer. Admittedly, it's a kind of cool little quirk.

And this got me thinking. What are the coolest pieces of malware of all time? I know, I know, when you're the one with the infected computer, it's never "cool" to have malware. But, from an outside perspective, you've got to admire the ingenuity behind some of this software, as damaging as it can be. So without further ado, here is The Coolest Malware of all Time:

The Creeper

The granddaddy of all malware, Creeper was the worm that started it all. Written and deployed in 1971 by an engineer named Bob Thomas, Creeper was released on Arpanet – the precursor to the internet. In total fairness, Creeper is not technically malware since it was never designed to actually do any kind of harm – it was merely an experiment in mobile programs. That said, it is the program all other viruses, worms, and Trojans are based off of, so it’s definitely worth noting.
The Creeper was named after a Scooby Doo villain

The worm infected DEC PDP-10 minicomputers and caused them to display the message, “I’m the creeper, catch me if you can!” Appropriately, a program called “Reaper” was written and deployed to wipe out Creeper.


NIMDA

NIMDA (admin read backwards) was the fastest spreading computer malware ever. And when we say fast, we mean fast. Within 22 minutes of hitting the internet, NIMDA hit the top of the list of reported attacks, becoming the world’s most widespread worm.

The brilliance behind NIMDA was in the ways it propagated. Where most malware spread through only one avenue, NIMDA took a multi-pronged approach, spreading through email, shared files, Microsoft IIS security holes, and file transfers. Furthermore, NIMDA would infect thousands of files on each system and even re-infect files already carrying the worm several times over, making it very difficult to get rid of.

NIMDA’s ultimate goal was to create a backdoor for the malware’s author to access the infected computer. However, the real damage was felt in networks being brought to a standstill and entire servers crashing from the heavy traffic load. NIMDA essentially became a mobile Distributed Denial of Service attack.

Commwarrior-A

Commwarrior-A was the first actually relevant virus for mobile devices. Where previous pieces of malware could only spread via Bluetooth (you had to be near another phone to infect it), Commwarrior-A was capable of spreading among Samsung Symbian Series 60 phones through the Mobile Messaging System (MMS). In this way, Commwarrior-A acted a lot like traditional computer viruses that were frequently transmitted in emails. In the end, Commwarrior-A only infected about 50 cell phones and because it didn’t carry a payload, it’s largely believed it was a proof-of-concept, setting the stage for future mobile malware.

ILOVEYOU

Often referred to as “Love Letter”, ILOVEYOU originated on May 5, 2000 in the Philippines and would ultimately spread to tens of millions of computers worldwide through a blank email with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt."

I never knew you felt this way!
Once the probably lonely message receiver opened the attachment, ILOVEYOU would install and begin writing over image files on the infected computer with copies of itself. The worm would then propagate by sending the original email message to the first 50 contacts in Microsoft Outlook’s Address Book.

Entire governments had to shut down their email systems and billions were spent in response to the damage ILOVEYOU caused. (Most of the money was spent trying to recover overwritten files.)



Stuxnet

If you haven’t heard about this, you’ve been living under a rock. Stuxnet was the U.S.-Israel project codenamed “Olympic Games” designed to take out Iran’s uranium enrichment facilities.

Iran’s uranium enrichment facilities – specifically the Natanz facility – consist of large underground centrifuges operated by control systems. If a control system could be compromised, a virus could damage the centrifuge. This is exactly what Stuxnet did.
Centrifuges at the Natanz Uranium Enrichment Facility

The malware was injected originally by a combination of spies and “unwitting accomplices” through a thumb drive and would subsequently spread through Windows networks and into Siemens industrial software. Once installed, Stuxnet would quietly record what normal enrichment activity looked like, send centrifuges spinning out of control and send back false reports of normal operation. Consequences? The damage caused by Stuxnet forced the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh, to resign and it’s estimated that the program successfully destroyed about 1,000 of the 6,000 centrifuges.

Thursday, 21 June 2012

North Korea uses computer game to attack the South

If you haven't read about this yet, it's really pretty incredible. Admittedly, after all the recent coverage of Stuxnet and Flame, a country launching a DDoS attack is hardly impressive. In fact, it's almost laughable. That said, there are a couple really intriguing aspects to this story.

If you aren't impressed that North Korea launched a DDoS attack, keep in mind that they're hardly using electricity, let alone the internet.
A South Korean newspaper reported yesterday that North Korea has been launching DDoS attacks on a South Korean airport using malware spread through an online video game.

According to the Korea JoongAng Daily, a South Korean video game distributor identified only by his surname, Jo, commissioned a North Korean company in China to develop a new video game. As it turns out, the North Koreans were actually part of the North’s Reconnaissance General Bureau – a fact that Jo was aware of.
 Jo purchased dozens of computer game software for tens of millions of won, which was a third the cost of the same kind of software in the South. The games were infected with malignant viruses, of which Jo knew, an official at the police agency said. 
Jo sold the games to South Korean operators of online games. When people played the games, the viruses used their computers as zombies, through which the cyberattack was launched. [Korea JoongAng Daily]

It seems the big take-away from this story is that cyber warfare is hardly limited to wealthy nations. If North Korea is doing it, you know everyone else is too. But even more importantly, the delivery method for the malware – a video game – is actually pretty brilliant. As we saw in the use of thumb drives to distribute Stuxnet in Iranian facilities, the delivery is often the most important aspect of targeted malware. As users become increasingly wary of traditional delivery techniques like fraudulent websites and phishing scams, it’s not a stretch to imagine we’ll see many more creative attempts at distribution in the very near future.

Saturday, 16 June 2012

Anonymous v. India

About 1.2 billion people live in India. And while only a minority of them have internet access, that minority adds up to about 120 million people and is growing quickly. And like the people and governments of so many other countries, the citizens and politicians of India are struggling with digital rights and censorship.

Last weekend, online hacktivist group Anonymous organized public protests against online censorship in India. And while the turnout for the demonstrations was pretty sparse, the group is now calling on Indian citizens to file Right to Information requests of public servants in an effort to expose communications between politicians and ISPs pertaining to censorship.

In one of their signature video messages, Anonymous says that Indian politicians are not only out of touch with the modern internet, but enforcing and encouraging policies that work in opposition to the legitimate pursuit of information and for criminals who know how to game the system.

People of India, we have been watching. We have been noting the perversion of freedoms to the point where barriers are increasingly restrictive. The politicians whose websites are primitive for the previous decade are deciding from their ignorant perches how the internet of today must be. Their lack of understanding of how content is shared, spread or accessed on the internet makes their restrictive plans ridiculous for any criminal who actually would want to bypass those restrictions, while they serve to keep the common man ignorant of anything they do not wish them to know. It is time to expose this ignorant intolerance for what it is.

It should be noted that SumRando in no way endorses illegal file sharing or any type of copyright violation. However, as we’ve previously stated, attempting to enforce intellectual property laws through censorship is never acceptable.

Internet censorship has been a long-standing issue in India and can be traced all the way back to 1999 with the censorship of Pakistani websites. The latest round of controversy stemmed from a High Court decision to block several file-sharing sites including Vimeo and the Pirate Bay that made two popular Bollywood movies available for download. (For a little dose of irony, it’s worth noting that one of those films, “3”, only gained popularity after a song from the movie went viral on the internet.)

So here’s the thing. India appears to be at a crossroads. As the internet-using population grows – again, only about 10% currently surf the web – the country will need to decide what kind of digital landscape they want. Will they follow the oppressive firewall policies we’ve seen in China and Iran? Or will they favor the largely open infrastructure in place in many (but definitely not all) Western countries?