Even so, Bono Mack pushed ahead with a closed-door meeting today at which Google deputy general counsel Mike Yang and public policy director Pablo Chavez briefed her and nine of her colleagues. Rep. Joe Barton, R-Tex., came away unsatisfied.

Barton

“I asked specifically about Google’s deletion policy and got some disturbing answers. I may hit delete, but that doesn’t mean the material goes away immediately,” says Barton. “It was obvious to me, as I left the room, that this company has established this policy so instead of the consumer being the master of the Internet, Google is the master of the consumer. I think that is just wrong.”

Also attending were Representatives G.K Butterfield, D-NC, Cliff Stearns, R-FL, Marsha Blackburn, R-TN, Charlie Bass, R-NH, Adam Kinzinger, R-IL,, Henry Waxman, D-Calif, Ed Markey, D-MA and Diana DeGette D-CO. Here are excerpts from an interview Bono Mack granted Last Watchdog  not long after the closed-door briefing concluded.

Bono Mack

LW: How’d the briefing go?

Bono Mack: I don’t know that I got any more clarity than what I’ve been reading in the press. I’ve been following it pretty closely, and I think Google is trying very hard to calm a nervous public about what they’re doing.

LW: What did Chavez and Yang convey?

Bono Mack: They conveyed that they believe they are giving consumers the tools to protect their privacy. I think the predominant message out of the members who asked questions was, ‘We recognize you say you have the tools, but are they easy enough for consumers to use, are they easy to find, and is it truly, in fact, protecting consumers?’

LW: Did you get any more clarity on how long Google stores user profiling data?

Bono Mack: One of the things I really pushed Google on is, ‘If you want to delete your data, what are the technical challenges?’ They’re not very clear on that. We’re pushing them further on this. Because they say, at one point, that immediate deletion is not always practicable due to the way the archiving systems operate.

I don’t believe that they are as strong on data deletion as they need to be. When you as a consumer try to delete any data that you input in your machine, and you hit delete, you really want to believe that it truly is deleted, wiped out, erased, gone.

But Google says immediate deletion is not always practicable. It says it might be deleted in a reasonable period of time, and ultimately they say they can hang on to it until the storage medium is actually destroyed.

So I asked if that means until you actually take a hammer to the hard drive? And this is the crux of the issue to me. Its’s very problematic, that if the consumer hits delete, then it needs to be deleted.

LW: Did you get into the privacy implications of how Google plans to cross-reference profiling data from search, Gmail, YouTube and its other popular services?

Bono Mack: We got a very nuanced answer from them. They’re saying there are tools at the users’ disposal that give you the ability to opt out. But say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPPA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.

LW: That’s a big question. How did they answer and were you satisfied with their answer?

Bono Mack: This is the grayest area of it all. They are saying that they do not track sensitive data like that. I don’t know who determines what’s sensitive and what’s not. And that’s probably another question on another day and a more extensive hearing.

Whether you sign in or you don’t sign in, they know your machine, they know where it is, they basically know who it is. Cookies is the reason they know. But the truth of the matter is, they have the ability to know who your are, whether you’re logged in or not.

LW: Sounds like you still have concerns.

Bono Mack: The biggest concern I have is that the consumer, when they hit delete, they mean delete. And that when the consumer has done a search on something that might be sensitive, whatever it is, when they erase that search, it really is erased. And this is what the Congress and the FTC is going to have to watch.

LW: What happens next?

Bono Mack: We had already planned to have more hearings on privacy on different angles and aspects of the debate. We will have privacy hearings, and I pressed Google to be at the table to help Congress understand what they are doing, and for Google to certainly understand Congress’ concern.

Google deputy general counsel Mike Yang and public policy director Pablo Chavez are preparing to deliver a closed-door briefing on Thursday, says Ken Johnson, Mack’s senior adviser. The audience will be restricted to members of the House Subcommittee on Commerce, Manufacturing and Trade, which Mack chairs. Rep. G.K. Butterfield, D-NC, is the ranking subcommittee member.

Google announced last week that it will consolidate dozens of user agreements for its most popular services into one privacy agreement encompassing them all. Starting March 1, the company will have the ability, policy wise, to correlate what a user does across most of its online services, whether a user accesses them on PC web browser or via any Internet-connected mobile device using the Google Android operating system.

“These changes might not otherwise be troubling but for one significant change to your terms of service: Google will not permit users to opt out of this information collection and sharing across platforms and devices,” Mack says.

All or nothing proposition

Critics object to the all or nothing proposition. Any user of Google search, who also registers to use Gmail, Google Apps, YouTube, Google+, Picasa and other popular Google services, will be covered by the new, over-arching user agreement, says Jeffrey Chester, executive director of the non-profit Center for Digital Democracy.

Chester

“This will make it harder for a user to opt out,” Chester says. “If you like even one of Google’s services, you’ll likely forgo the extra work and knowledge it takes to do more granular privacy control. This decision was designed to help Google boost revenues and avoid a clash with privacy cops in Europe.”

Google asserts that users will maintain “choice and control,” that Google is not collecting any more data than it already does and that its intent is to improve user experience.

Google and Facebook are in a race to actualize — and attempt to dominate — what some prognosticators believe is a mega- billion  online advertising market on the verge of mushrooming.  Each is seeking to compile and leverage behavioral targeting data to woo advertisers. They are redoubling their efforts at indexing and profiling the activities and preferences of users of their free services. But that drive also plays right into the hands of cybercriminals and parties motivated to use profiling data unfairly against individual consumers.

“Google is not being  honest with consumers about why it has made these changes,” says Chester. “The new policy is designed to blunt the impact of Europe’s ePrivacy law requiring forms of opt-in consent for cookies. Google understands European users will likely proactively say yes to all collection.”

Europe’s unease

Meanwhile, The Financial Times reports here that Norwegian public sector agencies will be banned from using Google Apps due to concerns that the service could put citizens’ personal data at risk. That would seem to cut off a toehold in Europe Google achieved by getting the city council of Narvik to use Google Apps for their e-mail.

Last year the town of Odense in Denmark banned use of Google Apps in its schools due to concerns about leaving personal data at risk. The German government is also working on stricter data protection rules  and France  has set up a patriotic venture with France Telecom and Thales to promote French cloud services over US rivals, the Financial Times reports.

“All these moves show that there is still a deep level of concern in Europe about the security of using US-based cloud computing providers, especially if there is any lack of clarity about whether the data is physically being stored,” writes FT correspondent  Maija Palmer. “Unease is exacerbated by the Patriot Act, which requires US companies to hand data over to US authorities, when asked, even if that data is stored in Europe.”

By Byron Acohido

On Wednesday, the European Union formally proposed strict rules that could restrict much of the systematic tracking and profiling Google and Facebook routinely do of Internet users, as part of delivering targeted ads to them.

If Europe’s new rules are implemented as expected in 2013, the tech rivals could face hefty fines, up to 2% of annual revenue, for any violations. In Google’s case that translates into a maximum penalty of $800 million.

On Tuesday, Facebook Chief Operating Officer Sheryl Sandberg delivered a statistics-filled speech at a tech conference in Munich outlining how Europe’s proposed rules are very likely to stymie the global economy. She reiterated those themes on Wednesday and Thursday while participating in the World Economic Forum in Davos, Switzerland.

Sandberg called for a “regulatory environment that promotes innovation and economic growth.”

Google spokesman Chris Gaither echoed Sandberg’s argument. He says the search giant “supports simplifying privacy rules in Europe to both protect consumers online and stimulate economic growth.”

Cross-device tracking

Meanwhile, refinements announced this week by Google and Facebook, about how each tracks and profiles Internet users, added heat to the domestic debate over the need for new data privacy rules here in the U.S.

Google signaled that it will begin cross-referencing user data compiled from its most popular services, including search, Google Apps, Gmail and YouTube, as well as across all browser PCs and any device using Google Android operating system.

The stickler: Users won’t be permitted to “opt out” of having their Google activities correlated.

Pociask

“The reports of Google’s privacy changes, which will allow no opt out, raises grave concerns for consumers who are growing increasingly concerned about their privacy online,” Steve Pociask, the president of the American Consumer Institute. “Google’s dominance of online search and its history of disdain for privacy protections and consumer transparency makes these changes even more worrisome.

“Whether it’s illegally collecting user data through its Street View product, hiding its privacy policy or settling with the FTC for violating its own privacy policy with Google Buzz, the company has proven that it has little regard for the privacy rights of consumers.”

Both Google and Facebook  are moving to extend intelligence gathering and behavior profiling to mobile devices. Google’s Android operating system runs the popular Droid series of smartphones, and Facebook Timeline features a digital GPS system, says Alisdair Faulkner, CEO of computer-security firm ThreatMetrix.

Meanwhile, the non-profit group SafeGov, which monitors security issues for federal, state and local government agencies, is alarmed that Google’s new policy could put workers who use Google Applications for Government, a paid service, at heightened risk.

“Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services,” says Jeff Gould, SafeGov security analyst. “It’s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information.”

Not thinking it through

Google Vice President Amit Singh says Google’s new privacy policy for consumer data is superceded by data privacy provisions in contracts with government agencies and other organization who use the paid version of Google Apps.

“As always, Google will maintain our enterprise customers’ data in compliance with the confidentiality and security obligations provided to their domain,” says Singh.

Gould

But Gould checked the city of Los Angeles’ contract with Google and found that the data-privacy provision referred back to Google’s policy for consumers. “They didn’t think through the consequences for government users,” Gould says.

Meanwhile, Google is busy fielding inquiries from a handful of politicians who’ve proposed legislation that would restrict online tracking and establish rules for data privacy.

“Amazingly, we still don’t have a law that sets the rules of the road for fair information practices that everyone collecting, using, and distributing people’s personal information must adhere to,” says John Kerry, D- Mass.

Kerry and Sen John McCain, R-Ariz., continue to work for passage of the Commercial Privacy Bill of Rights. “Until Congress acts, Google and the rest of its competitors will continue to set that standard themselves. ”

Rep. Ed Markey, D-Mass., notes that “Googling is like breathing for millions of kids and teens – they can’t live without it.” Markey, who has also been critical of Facebook’s tracking practices, is calling on the Federal Trade Commison to review Google’s new no-opt-out policy.

“Consumers – not corporations – should have control over their own personal information, especially for children and teens,” says Markey.

Timeline risks

Facebook is drawing more scrutiny too. It is making mandatory a new, glitzier user interface, called Timeline, that chronologically displays a member’s preferences, contacts and online activities. And its new Open Graph services promotes more and richer preference data to move across  third-party applications to ultimately get integrated into Timeline.  Facebook insists that Timeline does not present any new information nor alter any current privacy settings.

Evans

But Karen Evans, National Director for the US Cyber Challenge, a nationwide program focused specifically on the cyber workforce, says Google and Facebook’s latest advances in the science of indexing and profiling Internet users  could make richer information more readily accessible to ID thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers.

Online profiles, for instance, are already being used to deny insurance coverage and as a basis for not hiring someone. And political campaigners would love to get their hands on the richest data available to help sway voters during the upcoming presidential elections.

“The consumer should know exactly how the information is to be used and the potential impact it could have them especially younger Americans,” says Evans. “ Many of them play games, watch videos and search on the internet for class projects. The collection and use of the information could have adverse impact on their daily lives. For example, they could be conducting a search because this is an election year for a classroom project. The data could be later used to assume there is a political affiliation when in fact they were preparing for class.”

Gould puts it this way: “If you take the new Google policy and combine it with Facebook Timeline, the danger of hacking attacks for government users is multiplied by ten.”

Gould worries about the all-too-common scenario where an intruder e-mails a government worker pretending to be an acquaintance. “They can put information in an e-mail which they can get from your Facebook Timeline, and trick you into downloading a piece of spyware,” he says.

Heightened cross-referencing of an individual worker’s Google search, Gmail and YouTube activities poses similar risks, he says.

“If you have Facebook Timeline and you have tens of thousands of people using Google apps in government you’re going to get a lot more of these cases accidently disclosing their password, or downloading some kind of spyware, because they got an e-mail they thought was from a friend or acquaintance, and the e-mail seems to know about their past life or interests or concerns, “ Gould says

–By Byron Acohido

For the past two years, each company has experimented with different ways to divine more and more about how people live their lives on the Internet, without sparking a revolt.

But the plans the rivals announced on Tuesday, which critics say could dramatically rev up their respective abilities to gather intelligence on individual Internet users, seem to have struck a chord. An informal and unscientific survey of Web users by USA TODAY found a majority speaking out against the new business practices announced by Google and Facebook.

“It’s dangerous for two companies to have so much personal data, regardless of whether the specific threats of that data consolidation are immediately clear,” says Sarah Downey, a privacy analyst at software maker Abine.

Compelled to tap what many experts predict will be the next big Internet mother lode — online advertising — Google and Facebook laid down very big bets, during a week when European regulators are hashing out strict new rules that could prevent much of what the tech giants seek to do.

Google signaled its intent to begin correlating data about its users’ activities across all of its most popular services and across multiple devices. The goal: to deliver those richer behavior profiles to advertisers.

Likewise, Facebook announced it will soon make Timeline the new, more glitzy user interface for its service, mandatory.

Timeline is designed to chronologically assemble, automatically display and make globally accessible the preferences, acquaintances and activities for most of Facebook’s 800 million members.

Google and Facebook have repeatedly insisted that the changes are intended strictly to improve users’ experiences.

“Facebook works the way it always has,” says spokeswoman Meredith Chin. “There is no new information on Facebook as a result of Timeline, and no privacy settings have been changed with the introduction of it. It’s simply an updated version of the profile.”

But the changes have stirred anger from many consumers. Some, such as Joyce Norman, a writing consultant from Birmingham, Ala., are considering ways to limit their exposure to Google’s and Facebook’s new business practices. “Mine is not a lone voice crying in the wilderness,” says Norman.

Benjammin Gaultney of Montague, Mich., sees it differently, looking forward to the possibility of more appropriate ads coming to his screen. “You have to deal with ads all over the Internet either way,” he wrote on USA TODAY’s Facebook page. “Advertisers could at least try to sell me something I’m actually interested in rather than life insurance.”

Meanwhile, a high-stakes lobbying effort is unfolding in Washington aimed at shaping policies favorable to U.S. tech companies and blunting any potential move to follow Europe’s more conservative proposals to limiting online tracking by companies.

The tech giants sharply increased their lobbying spending last year. Google spent $9.7 million in lobbying in 2011, up from $5.2 million in 2010, says the Center for Responsive Politics. Facebook spent $1.4 million in 2011 vs. $351,000 in 2010.

The driver: advertising revenue. The global online advertising market is expected to swell to $132 billion by 2015, up from $80 billion this year, according to eMarketer. Google and Facebook are putting their abilities to index individuals’ online activity and behaviors into high gear to tap into this market, analysts say.

“If they can make the ads more relevant, the logic goes, they can increase the number of advertisers and the price they can charge per click (on each ad),” says Alex Daley, chief investment strategist at Casey Research. “Because the click will be from more qualified leads — customers who are more interested in the product — they can grow the revenue base.”

But security analysts, privacy advocates and technologists say consumers probably should be very concerned. While making richer behavioral data more readily available to advertisers, Google’s new data-correlating practices and Facebook’s new Timeline and Open Graph, a more powerful way to express preferences on third-party websites, also tend to aid and abet more unsavory uses.

Beware of cybercrooks

Richer personal details are very beneficial to identity thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers, such as insurance companies, prospective employers, political campaigners and, lately, hacktivists, security analysts say.

“What these unilateral decisions by Google and Facebook demonstrate is a complete disregard for their users’ interests and concerns,” says John Simpson, spokesman for Consumer Watchdog. “It’s an uncommonly arrogant approach not usually seen in business, where these companies believe they can do whatever they want with our data, whenever and however they want to do it.”

Google has a long history of running into privacy problems.

Its Gmail raised hackles early on when the search giant decided to mingle advertising alongside users’ e-mail. The move initially concerned people because the ads’ relevancy was linked to e-mails inside users’ accounts. For example, if a person was writing about buying a car, ads for cars could appear alongside that individual’s e-mail. To many, that felt like a privacy intrusion.

The search giant maintains that such contextual ads, where advertisers can bid on keywords that relate to a users’ content, don’t reveal personal identities. Gmail users can turn some of the ads off, but adjusting the feature requires some work.

Much of this type of product development is the result of Google taking a very engineer-focused approach to mining data rather than serving consumer interests, say industry experts. Google engineers want to play with technology first, but they think about how the product plays with consumers and privacy second, says IDC analyst Karsten Weide.

When Google tried to build its Buzz social network in 2010 from Gmail contacts, it ran into privacy problems. It began publicizing users’ contacts without asking. The Federal Trade Commission last year charged Google with “deceptive privacy practices” in the handling of Buzz.

Google “did not respect” consumers’ expectations of privacy, says Helen Nissenbaum, a professor of media, culture and communication at New York University. “They (Google) seem to be doing the same thing here” with the privacy update.

Under terms of the FTC consent order, Google agreed to a 20-year independent review of its privacy practices.

But the changes announced Tuesday may again set it on a collision course with the FTC.

“We do believe the proposed changes . . .  violate the FTC consent order,” says Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center. Those changes could subject Google to monetary damages under Google’s agreement with the FTC, says Rotenberg.

But Rachel Whetstone, Google’s senior vice president for public policy and communications, says the company would not have proposed privacy updates that run afoul of the FTC settlement.

“We try to be transparent about the data we collect and give meaningful controls about how data is used,” says Whetstone.

There are also concerns about Google’s recent move to roll activities on its Google+ social network into users’ search results. The opt-in integration of those two Google products mingles profiles, photos and posts of people a user follows on Google+ into the user’s search results if they choose.

Whetstone says it doesn’t raise privacy issues because the information is viewed only by the user.

Facebook’s issues

Facebook has had its own issues, most recently in November when the FTC announced a broad settlement that requires the company to respect the privacy wishes of its users and subjects it to audits for the next 20 years.

The order, which claimed Facebook engaged in “unfair and deceptive” practices in December 2009, stems largely from the way Facebook handled information its users deemed to be private information.

On Tuesday it announced that Timeline will become the default user interface for all members over the next few weeks.

Combined with the addition last week of some 60 apps specifically written for Timeline, consumers can provide a detailed account, often in real time, of the music they listen to, what they eat, where they shop — even where they jog.

The deeper personal data of Timeline — which Facebook users willfully share — are potentially online advertising gold for marketers and advertisers. This is especially crucial, analysts say, as Facebook steamrolls toward an initial public stock offering this year.

The company is under pressure to increase sales and profits to meet the lofty expectations of shareholders, and online advertising is the most logical place to do that. Facebook gleaned 89% of its estimated $4.3 billion in revenue last year, or about $3.8 billion, from online ads, according to eMarketer.

“If Facebook has richer behavioral targeting data than Google, then it has an edge up in relevance,” says Casey Research’s Daley. “And an edge up in relevance is an edge up in revenue.”

Some Wall Streeters believe the changes made by Google and Facebook will have only an “incremental” effect on the battle between the two giants in going after online advertising dollars.

Both companies continue to be dominant in their markets, which “tend to be winner-takes-all markets,” says Ryan Jacob of the Jacob Internet fund. Google continues to hold strength in online search and is a strong player in online video with YouTube and in mobile with its Android operating system, he says.

But “Google has a long way to go before it can be considered a credible competitor to Facebook,” he says.

Google’s moves, if anything, are “somewhat defensive,” he says. “For them (Google) to maintain their position in search, it’s important for them to be players in other areas,” he says.

Channing Smith of money management firm Capital Advisors, which owns shares of Google, is more optimistic. “If it continues to put up numbers for Google+, it can be a competitor to Facebook,” he says.

Rep. Ed Markey, D-Mass., who has already been pressing Facebook to explain its tracking systems, said on Wednesday that he would ask the FTC to take a close look at Google’s new privacy policies.

“Google’s privacy policy changes mean consumers can’t say no to sharing their personal information across Google’s websites,” Markey said. “Consumers, not Google, should be able to make these decisions.”

By Byron Acohido, Scott Martin and Jon Swartz

Contributing: Mike Snider, Roger Yu, Matt Krantz

Orginally published 26 Jan. 2012, USA TODAY print editions. P1B

The sanctions stem from privacy setting changes Facebook made in December 2009, without asking users’ permission.

The company told users they could keep full control of who could access their content on Facebook when, in fact, the company repeatedly allowed information to be shared and made public, as outlined in the FTC’s 19-page complaint.

The order is expected to give technologists and privacy advocates a new, more effective tool to monitor Facebook’s privacy practices, says Jeff Chester, executive director of the non-profit Center for Digital Democracy.

“We will have to come in and show how Timeline and the ever expanding data targeting practices violate the order,” says Chester. “This order does put the burden on privacy groups to make any safeguards stick. We have a chance to force the company to change the way it does business. ”

Bono Mack

And Federal lawmakers focusing on privacy issues will also be closely monitoring the aftermath of the FTC’s order, says Rep. Mary Bono Mack, R-Calif.

“In many ways this settlement clearly demonstrates that the privacy debate in Washington remains unresolved,” says Bono Mack. “Privacy policies should be transparent and understandable to everyone, and consumers should have an easy-to-understand way to opt out of sharing information, if they choose to do so.”

Facebook CEO Mark Zuckerberg insisted in a blog posting that the company has “a good history of providing transparency and control over who can see your information,” but admitted that “we’ve made a bunch of mistakes.”

IPO, Do Not Track form backdrop

The FTC’s sanction comes as Facebook readies itself for a high-profile initial public offering of stock, expected next spring. Today, co-incidentally on the same day the FTC’s sanction was announced, the Wall Street Journal reported Facebook’s IPO may ring in at $10 billion.

Meanwhile, the company has come under rising criticism in the U.S. and Europe for using Like buttons embedded on millions of websites to monitor Web surfing.

Facebook compiles tracking logs of the webpages viewed by each of its 800 million members, and millions more non-members, the company recently  disclosed in exclusive USA TODAY interviews.

Rockefeller

New federal laws are needed to help consumers “protect their personal information from companies surreptitiously collecting and using that personal information for profit,” says Sen. Jay Rockefeller, D-W. Virg, sponsor of a Do Not Track law that would restrict online tracking.

Rockefeller commended the FTC’s action. “Consumer privacy is a right, not a luxury,” he says. “This action against Facebook is just the first step toward protecting consumer privacy.”

Jules Polonetsky, Director and Co-Chair, Future of Privacy Forum, noted that the FTC order sends a message to other Internet-based companies the they need to get express consent from consumers to alter privacy practices.

“And if you are a custodian of user data, you need to have a formal program in place that ensures that data use and product development are overseen by privacy staff,” says Polonetsky. “These are guidelines that any company that interacts with consumer data would be wise to consider baseline requirements.”

What Facebook shall do

Included in the  8-counts of unfair and deceptive practices outlined in the FTC’s  complaint are charges that Facebook improperly disclosed information to advertisers and continued to display photos and videos even after they accounts were deactivated. The consent order, which must be approved by a judge, requires Facebook to:

• Obtain express consent before overriding users’ privacy preferences.
• Cut off access to a user’s material within 30 days after deletion of an account.
• Establish a comprehensive privacy program covering new and existing products and services.
• Submit to privacy program audits within 180 days and every two years after than for the next 20 years. Monitoring would be handled by an independent professional yet to be named.

Even after the consent order takes effect, Facebook users may not notice anything different. It’s not clear how the FTC’s order could affect Facebooks plans for new services, including “Timeline” pages that digitally map everything a user has ever done on the popular social network, and “Open Graph” applications designed to broadcast a  user’s surfing patterns widely across Facebook.

Chris Conley, a tech and civil liberties attorney at the ACLU’S Northern California affiliate, notes that Facebook’s privacy settings make no reference to Like button tracking.

“There’s no setting for a user to control that,” says Conley. “It’s questionable if something that doesn’t have a privacy setting today is covered by the FTC’s settlement proposal, or how the FTC would respond if Facebook started using this data in unexpected ways.”

A call for opt-in

Marc Rotenberg, executive director of the non profit Electronic Privacy Information Center, noted that the FTC stopped short of ordering Facebook to restore the more rigorous privacy settings that were in effect prior to December 2009.

EPIC and nine other groups filed the complaint that triggered the FTC probe. “If it was unfair to change the privacy settings, then the right response would be to change the settings back,” Rotenberg says.

Steyer

James P. Steyer, CEO of Common Sense Media, added: “It’s incredibly encouraging to see an industry leader like Facebook held to a higher standard of privacy protections. It’s our hope that this decision and its focus on the necessity of opt-in will lead other companies to follow suit. Until large tech companies start listening to the public, this kind of action from the FTC is critical. Government regulation and leadership is essential in order to help protect our privacy – and that of our kids – online.”

A poll by Common Sense Media conducted late last year found 75 percent of parents do not believe social networks were doing enough to keep their kids safe online.

Says Steyer: “With more than 7.5 million kids on Facebook, and even more using digital devices like smartphones and tablet computers, it’s imperative that other leaders in this industry hear the FTC’s message loud and clear: the concept of privacy is definitely not dead – especially for parents – and opt-in must become the standard all other companies employ.”

– By Byron Acohido

Far more quietly, another debate is brewing over a different side of online privacy: what Facebook is learning about those who visit its website.

Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason.

Click here to view  an  interactive chart of  how Facebook’s tracking systems work

To do this, the company relies on tracking cookie technologies similar to the controversial systems used by Google, Adobe, Microsoft, Yahoo and others in the online advertising industry, says Arturo Bejar, Facebook’s engineering director.

Facebook’s efforts to track the browsing habits of visitors to its site have made the company a player in the “Do Not Track” debate, which focuses on whether consumers should be able to prevent websites from tracking the consumers’ online activity.

For online business and social media sites, such information can be particularly valuable in helping them tailor online ads to specific visitors. But privacy advocates worry about how else the information might be used, and whether it might be sold to third parties.

New guidelines for online privacy are being hashed out in Congress and by the World Wide Web Consortium, which sets standards for the Internet.

If privacy advocates get their way, consumers soon could be empowered to stop or limit tech companies and ad networks from tracking them wherever they go online. But the online advertising industry has dug in its heels, trying to retain the current self-regulatory system.

Online tracking involves technologies that tech companies and ad networks have used for more than a decade to help advertisers deliver more relevant ads to each viewer. Until now, Facebook, which makes most of its profits from advertising, has been ambiguous in public statements about the extent to which it collects tracking data.

Zuckerberg on Rose show

It contends that it does not belong in the same camp as Google, Microsoft and the rest of the online ad industry’s major players. Facebook CEO Mark Zuckerberg made this point to interviewer Charlie Rose on national TV last week.

For the past several weeks, Zuckerberg and other Facebook officials have sought to distinguish how Facebook and others use tracking data. Facebook uses such data only to boost security and improve how “Like” buttons and similar Facebook plug-ins perform, Bejar told USA TODAY. Plug-ins are the ubiquitous web applications that enable you to tap into Facebook services from millions of third-party web pages.

Facebook spokesman Andrew Noyes says the company has “no plans to change how we use this data.” He also says the company’s intentions “stand in stark contrast to the many ad networks and data brokers that deliberately and, in many cases, surreptitiously track people to create profiles of their behavior, sell that content to the highest bidder, or use that content to target ads.”

Conflicting pressures

Rather than appease its critics, Facebook’s public explanations of how it tracks and how it uses tracking data have touched off a barrage of questions from technologists, privacy advocates, regulators and lawmakers around the world.

Markey

“Facebook could be tracking users without knowledge or permission, which could be an unfair or deceptive business practice,” says Rep. Ed Markey, D-Mass., co-sponsor with Rep. Joe Barton, R-Texas, of a bill aimed at limiting online tracking of children.

The company “should be covered by strong privacy safeguards,” Markey says. “The massive trove of personal information that Facebook accumulates about its users can have a significant impact on them — now and into the future.”

Noting that “Facebook is the most popular social media website in the world,” Barton adds, “All websites should respect users’ privacy.”

After Zuckerberg appeared on the Charlie Rose TV show last week, Markey and Barton sent a letter to the 27-year-old CEO asking him to explain why Facebook recently applied for a U.S. patent for technology that includes a method to correlate tracking data with advertisements. They gave Zuckerberg a Dec. 1 deadline to reply.

“We patent lots of things, and future products should not be inferred from our patent application,” Facebook corporate spokesman Barry Schnitt says.

Facebook is under intense, conflicting pressures.

Li

It must prove to its global financial backers that it is worthy of the hundreds of millions of dollars they’ve poured into the company, financial and tech industry analysts say. Those investors include Microsoft, Goldman Sachs, the Russian investment firm Digital Sky Technologies, Hong Kong financier Sir Ka-shing Li and venture capitalist Peter Andreas Thiel.

The success of the company’s initial public offering of stock, expected sometime next year, hinges in part on Facebook’s ability to move beyond the bread-and-butter text ads that appear on members’ home pages and emerge as a key player in graphical display ads and corporate brand marketing campaigns, says Rebecca Lieb, advertising media analyst at the Altimeter Group.

In advertising, knowing more about consumers’ preferences is key. “More data means better targeting, which means more revenue,” says Marissa Gluck, managing partner of the media consulting firm Radar Research.

To meet rising expectations, Facebook must increase its annual revenue, now estimated at about $4 billion, by double-digit percentage points for years to come, Gluck says. The company is striving to keep its options open to do this. In doing so, it is bumping into pressure from critics who are concerned that leaving online privacy standards entirely in the hands of corporations might not be the best idea.

Ground rules needed

Companies are incorporating tracking data into new business models “without necessarily appreciating the long-term and collective consequences,” says Craig Spiezle, executive director of the non-profit Online Trust Alliance.

Last week, consumer reporter Ric Romero of station KABC in Los Angeles showed how insurance companies monitor Facebook and Twitter, looking for reasons to raise premiums and deny claims. Previously, ABC News reporter Lyneka Little reported on how employers use Facebook information as part of the recruitment process.

Meanwhile, researchers at AT&T Labs and Worcester Polytechnic Institute have documented how tracking data culled from Internet searches and surfing can be meshed with personal information that Internet users disclose at websites for shopping, travel, health or jobs. Personal disclosures made on social networks, along with preference data gathered by new apps for smartphones and tablet PCs, are being tossed into this mix, too.

Privacy advocates worry that before long, corporations, government agencies and political parties could routinely purchase tracking data from data aggregators.

Eckersley

“Tracking data can be used to figure out your political bent, religious beliefs, sexuality preferences, health issues or the fact that you’re looking for a new job,” says Peter Eckersley, technology projects director at the Electronic Frontier Foundation. “There are all sorts of ways to form wrong judgments about people.”

So far, it does not appear that this sort of data correlation is being done, at least not on a wide scale. But in the absence of ground rules, technologists, regulators and privacy advocates worry that companies involved in collecting tracking data could succumb to the temptation to cash in.

Says Michael Fertik, founder and CEO of Reputation.com: “We can only imagine that an advertising company with a richer trove of data will sell more and more of that data.”

Facebook’s trove of data

Facebook for the first time revealed details of how it compiles its trove of tracking data in a series of phone and e-mail interviews conducted by USA TODAY with Bejar, Noyes and Schnitt, as well as engineering manager Gregg Stefancik and corporate spokeswoman Jaime Schopflin. Here’s what they disclosed:

•The company compiles tracking data in different ways for members who have signed in and are using their accounts, for members who are logged-off and for non-members. The tracking process begins when you initially visit a facebook.com page. If you choose to sign up for a new account, Facebook inserts two different types of tracking cookies in your browser, a “session cookie” and a “browser cookie.” If you choose not to become a member, and move on, you only get the browser cookie.

•From this point on, each time you visit a third-party webpage that has a Facebook Like button, or other Facebook plug-in, the plug-in works in conjunction with the cookie to alert Facebook of the date, time and web address of the webpage you’ve clicked to. The unique characteristics of your PC and browser, such as your IP address, screen resolution, operating system and browser version, are also recorded.

•Facebook thus compiles a running log of all your webpage visits for 90 days, continually deleting entries for the oldest day and adding the newest to this log.

If you are logged-on to your Facebook account and surfing the Web, your session cookie conducts this logging. The session cookie additionally records your name, e-mail address, friends and all data associated with your profile to Facebook. If you are logged-off, or if you are a non-member, the browser cookie conducts the logging; it additionally reports a unique alphanumeric identifier, but no personal information.

Bejar

Bejar acknowledged that Facebook could learn where specific members go on the Web when they are logged off by matching the unique PC and browser characteristics logged by both the session cookie and the browser cookie.

He emphasized that Facebook makes it a point not to do this. ” We’ve said that we don’t do it, and we couldn’t do it without some form of consent and disclosure,” Bejar says.

Bejar also acknowledged “technical similarities” in the cookie-based tracking technologies used by Facebook and the wider online advertising industry. “But we’re not like ad networks at all in our stewardship of the data, in the way we use it, and the way we lay everything out,” Bejar says. “We have a very clear and transparent approach to how we do advertising that I’m very proud of.”

Even so, Facebook’s public descriptions of its tracking systems have not satisfied some critics — particularly European privacy regulators. Ilse Aigner, Germany’s minister of consumer protection, last month banned Facebook plug-ins from government websites and advised private companies to do the same.

And Thilo Weichert, data protection commissioner in the German state of Schleswig-Holstein, expressed alarm at how Facebook’s technology could potentially be used to build extensive profiles of individual Web users.

“Whoever visits Facebook or uses a plug-in must expect that he or she will be tracked by the company for two years,” Weichert said in a statement. “Such profiling infringes German and European data protection law.”

Adding fuel to such concerns, Arnold Roosendaal, a doctoral candidate at Tilburg University in the Netherlands, and Nik Cubrilovic, an independent Australian researcher, separately documented how Web pages containing Facebook plug-ins carried out tracking more extensive than Facebook publicly admitted to.

Noyes says Germany doesn’t understand how the company’s tracking technologies work. And he blames “software bugs” for the indiscriminate tracking discovered by Roosendaal and Cubrilovic.

“When we were made aware that certain cookies were sending more information to us than we had intended, we fixed our cookie management system,” Noyes says.

Roosendaal

However, researcher Roosendaal says Facebook’s tracking cookies retain the capacity to extensively track non-members and logged-off members alike. “They have been confronted with the same issue now several times and every time they call it a bug. That’s not really contributing to earning trust.”

Some corporate security executives have become concerned about cybercriminals getting hold of tracking data relayed by Like buttons, then using that intelligence to steal intellectual property. They’ve asked firewall supplier Palo Alto Networks to identify and block traffic from Facebook tracking cookies, while enabling their employees to continue using other Facebook services.

“The concern is that Facebook has rich personal information, which Google doesn’t have,” says Nir Zuk, founder and chief technology officer for Palo Alto Networks. “Combining that personal information with Web browsing patterns could be revelatory.”

–By Byron Acohido

Several new twists have made so-called malvertisements a fast-rising threat to consumers — and a big headache for publishers, advertisers and ad networks, say technologists and security researchers.

The spread of infected online ads has spiked tenfold over the past year, according to research disclosed by security intelligence firm RiskIQ at a recent Online Trust Alliance conference in Washington, D.C.

RiskIQ documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010. Each corrupted ad could have infected the PCs of thousands or millions of website visitors, based on how long the ad ran, says Elias Manousos, CEO of RiskIQ.

Manousos

“In 2011 we observed malvertisements on major sites such as weather.com, foxsports.com, monster.com and usnews.com, just to name a few,” Manousos says.  “In the case of the usnews.com incident the malvertisement utilized a cyber crime tool called the Blackhole Exploit Kit. This tool is sold or rented by the author,  lowering the barrier of entry for the malvertiser.”

Indeed, organized crime gangs have streamlined the process of sneaking viral ads into the distribution system run by advertising networks, causing billions of tainted ad impressions to appear on the top 500 websites over the past 12 months, say technologists and security researchers.

“Malvertisements are a popular and extremely effective mechanism that take advantage of weaknesses within Web browsers,” says Vincent Liu, managing partner of security consultancy Stach & Liu. “The average home computer user faces a high risk of being attacked by malvertisements.”

Thriving ecosystem

Website security firm Armorize recently discovered criminals selling tutorials, tool kits and ad placement services to anyone who wants to get into the malvertising game. “There is a whole ecosystem designed to do this,” says Matt Huang, Armorize’s chief operating officer. “It’s all automated and all on the Internet.”

A recent rash of infections have been triggering bogus security warnings, followed by an offer for fake antivirus protection.

Last month, SpeedTest.net, a popular site that measures home broadband connection speeds, began displaying legit ads carrying instructions to load pitches for Security Sphere 2012. Simply navigating to the site launched the promos, which locked up the visitor’s PC until he or she purchased worthless “protection” for $35.

Doug Suttles, chief operating officer of Web diagnostics firm Ookla, SpeedTest’s parent, says his engineers spotted the attack and cleaned it up within three hours. The criminals, in this case, pioneered a novel technique. They corrupted legit advertisements as they arrived in the ad-handling program, called OpenX, used by the SpeedTest site.

“Most websites aren’t as on top of this as we are,” says Suttles. “We were surprised someone got in. We quickly stripped it out and locked things down.”

Insidious infections

However, tens of thousands of other websites that use the free OpenX ad-handling platform are wide open to this new type of attack, says Armorize’s Huang.

Two of the most insidious attacks involve pitches or Security Sphere 2012 and HDD_Plus. Each locks out use of any other application, while also disabling antivirus and the Windows system restore tool. If you reboot, the promo persists. The easiest course, by design, is to pay $35 to regain full control.

And many victims pay up. A vivid proofpoint:  $163 million banked by the Innovative Marketing ring of scammers who spread promos for SystemDefender. They were busted by FBI last year.

In another recent twist, consumers bedeviled by bogus anti-virus pitches have started bad-mouthing websites they believe triggered the bogus promos. Armorize has documented numerous consumer complaints that have gone viral on Twitter and other social networks, causing a drop in visits to the sites in question.

“Publishers are seeing their traffic and transactions drop in real time,” says Huang. “They are seeing an immediate financial impact from warnings appearing all over Twitter not to visit their site.”

Some ad networks have begun participating in a working group discussing “information-sharing about malvertisers and their ads,” says Steve Sullivan, the Interactive Advertising Board’s vice president of digital supply chain solutions.

The Online Publishers Association, the industry group of major website publishers, has yet to closely examine malvertising. “Obviously, stuff like this is disconcerting to the industry,” says Pam Horan, OPA’s president. “We haven’t done any research in this area, and I haven’t specifically heard anything from the members about this.”

Validation conundrum

Even so, validating ads has become a major conundrum. Web publishers trust the ad networks to continually rotate ads to their Web pages. Meanwhile, the big ad networks, such as Google, Adobe, Microsoft and Yahoo, use automation to pull ads into rotation from a series of smaller networks and agencies.

“The process isn’t flawless, and thus malvertisements end up running in the wild,” says Manousos. “I think awareness is growing and more players in the ad supply chain are committed to working on reducing the number of malvertisements that reach the public.”

Malvertisements are also used to spread stealthy infections that quietly take full control of the victim’s PC, which is then used to steal data, probe deeper into corporate networks and pilfer from online financial accounts.

Consumers can protect themselves by making sure anti-virus programs and all updates for their Web browsers and popular applications, especially Adobe Flash and Adobe PDF, are current. Consumers who want to protect themselves further can use browser plug-ins, such as NoScript and AdBlock, that block all online ads.

Liu, of consultancy Stach & Liu, says a few advertising companies are using scanning and detection mechanisms.

Liu

“But the detection of these malvertisements requires being able to access the content, and in many cases, these companies never even touch the ads,” Liu says. “Instead they pass along the advertisement link to the website, which then passes it along to the user, who ultimately loads the infected content.

“The sheer volume of advertisements served makes it costly and somewhat infeasible to scan all of the advertisements being served,” Liu continues. “Furthermore, the detection capabilities used today are inadequate for detecting all variations of attacks. The attackers have a significant advantage over the advertising companies and that gap is unlikely to close anytime soon.”

Craig Spiezle, the Online Trust Association’s executive director, says publishers, advertisers and the ad networks realize what’s at stake.

“The good news is that there is growing interest of some of the key stakeholders — including Yahoo, Microsoft and Google — on the need to employ countermeasures,” says Spiezle. “It’s clear that validating the ads everyone depends on is a shared responsibility. If consumers don’t trust ads, they may not go to the site, or they’ll start running ad blockers, and that will compromise everyone’s ability to monetize.”

Antivirus giant Symantec has partnered with web app security firm Armorize to offer a cloud-based URL scanning service tuned to spot and thus help to block so-called malvertisements.

Symantec and Armorize unveiled the new service, called AdVantage, at the Online Trust Alliance’s “Realizing the Promise of Trust” forum last month in Washington D.C.

Malvertisements began to gain wide attention in June 2009 after a wave hit the Jerusalem Post and Wall Street Journal websites, followed by another wave of bad ads sneaking onto the New York Times, San Francisco Chronicle and Fox News sites in September 2009, prompting the Gray Lady to run this front page story about the attack.

Click here to see LastWatchdog’s Top Story: 10-fold increase in malvertisements

More waves have followed. In basic attacks, criminals find ways to insert corrupted ads into the rotation of legit ads automatically circulating from myriad ad networks and ad exchanges upstream to major ad networks, such as those run by Google, Adobe and Microsoft. The big ad networks then rotate ads onto high-traffic web sites.

Huang

Armorize co-founder and CEO Wayne Huang, who works from a lab in Taipei, recently discovered an even more insidious type of  attack — one that sneaks ads directly onto  each targeted  Web site, by exploiting security flaws in OpenX, the popular open source ad handling program used by tens of thousands of sites.

In this video, Huang outlines how the attackers corrupted all ads on SpeedTest.net for about three hours. (Technicians at Ookla, SpeedTest’s parent company, luckily spotted the attack and cleaned it up quickly.)

Because the attacks are stealthily deployed at different layers many publishers lack awareness of what’s going on and what to do. However, the ad networks, ad exchanges and analytics companies that comprise the online ad supply chain are starting to pay closer attention, says Craig Spiezle, executive director of the Online Trust Alliance.

Spiezle

“For the past 18 months, OTA and its members have been working to address the mounting threats to the advertising supply chain and ecosystem,” Spiezle says. ” In Sept 2010, we published voluntary guidelines as a first steps to help counter both the operational and technical issues.  At our recent forum, we had a full-day anti-malvertising summit bringing together leaders from around the world to share best practices to help address this threat.”

Website publishers, meanwhile, don’t have to wait for the infrastructure players to tighten down the system. Symantec’s AdVantage service will scan, detect and report all instances of malvertising detected on a Web page.

The scanner analyzes ad tags as they rotate onto the website in near real time. Performance is minimally impacted and there is nothing for the customer to do beyond providing URLs for scanning and protection, says Matt Huang, co-founder and COO of Armorize, told eWEEK.

When a bad ad is detected, the service alerts the publisher, who is then responsible for removing it from the site. Over time, publishers should gain intelligence about the quality of ads arriving from specific ad networks.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue,” says Fran Rosch, Symantec Vice President, Identity and Authentication. “Highly publicized malvertising infections can damage the reputation of even the most trusted online sites.”

–By Byron Acohido

LW: Cyberattacks, especially so-called advanced persistent threats that drill deep into corporate systems, continue to accelerate. How come?

Kaspersky: Unfortunatly for enterprises, the bad guys behind Stuxnet and DigiNotar and other such cyberattacks are extremely professional. They devote time and resources to what they’re doing, making them extremely difficult to stop.

LW: What should the good guys be doing?

Kaspersky: Enterprise networks need to be redesigned to where the digital certificate is just one layer. They need much more strict rules about who can get access to internal systems and they need to consider switching off access to certain assets.

LW: Security vendors have been preaching these same best practices for years. What’s different today?

Kaspersky: Today there are so many more attacks than even just two years ago. Companies are getting compromised everywhere, in the United States, Europe and Japan. Thousands of corporations have been attacked in Russia, so now Russia has finally joined the club of victims.

LW: So what’s next?

Kaspersky: We are now in a much bigger arms race. Enterprises will pay more attention to security and have stricter rules for security systems. The bad guys won’t stop. They’ll invest more into new attack technologies. It’s a new level of the arms race.

TL: What does this mean for employees who bring their personal touch tablets and smartphones to work, and spend time during the workday on Facebook and other social networks?

Kaspersky: I’m afraid there’s going to be no more freedom for social network use in certain kinds of strict work environments. Instant messaging and e-mail for personal use needs to be limited. Employees will have a front line computer, with full access, but any personal-use devices mst be disconnected from the corporate environment.

LW: Doesn’t that scenario run counter to the rising popularity of cool mobile devices and our increasing reliance on Web apps and cloud services?

Kaspersky: Yes, it is a big step. But for critical environments, very, very strict rules are needed. It is the only way to fight effectively with the bad guys. Enterprises don’t need to be paranoid. But they must pay attention to security and understand the different scenarios of how the bad guys can get in. They need to understand how much damage can be caused. Risk management must be much more strict.

Ten U.S. consumer and privacy groups, including the American Civil Liberties Union and the Bill of Rights Defense Committee, today joined Reps. Ed Markey, D- Mass., and Joe Barton, R-Tex., in calling on the Federal Trade Commission to launch a formal investigation of Facebook’s practice of collecting and using data about its users Internet activities.

This morning the groups sent this letter to the FTC. Markey and Barton sent this letter earlier this week.

At issue is Facebook’s alleged practice of using it’s Like button, and other mechanisms, integrated into partner Web pages all across the Web, to track its members Web surfing patterns and preferences for news, entertainment and personal topics.

Privacy concerns heightened last week after Facebook launched new features that incorporate such tracking data. Facebook founder Mark Zuckerberg kicked off the annual f8 developers conference in San Francisco last week by introducing “Timeline” pages that digitally maps everything a user has ever done on the popular social network.

And ZuckerBerg also unveiled a new class of “Open Graph”applications designed to broadcast user’s surfing patterns and interests to friends and friends of friends all across Facebook’s user base of 800 million members around the world.

Calabrese

Users have long been able to share information, manually. But the new services automate much of the sharing process, and appear to tap deeper into user data amassed by the company, says Chris Calabrese, legal counsel for the American Civil Liberties Union.

“There’s a loss of user control, here,” Calabrese says. “Combined with the permanent nature of the information, it means there is a lack of the ability for consumers to control and protect their online reputations.”

Antonini

“The new ‘Frictionless Sharing’ features are just more examples of Facebook disregarding the privacy of its users by making sweeping changes that expose personal information without giving users the chance to choose what information they want shared with the world,” said Laura Antonini, research attorney at Consumer Watchdog.

Adrian Short, a London-based  web developer and data analyst, has posted  this essay outlining why he thinks “frictionless sharing” is onerous to people who value privacy. Here’s an excerpt:

Facebook’s Open Graph technology allows third-party websites to tell Facebook what people are doing. It extends Facebook’s Like button to include any action that the site owners think might be interesting to Facebook. Play a song and your music streaming site tells Facebook what you’ve played. Read a newspaper article and Facebook knows what you’ve read. LOL at a lolcat and your LOL gets logged for all time on your indelible activity record. Facebook calls this frictionless sharing, which is their euphemism for silent total surveillance. Once you’ve signed up for this (and it is optional, at least for now) you don’t need to do anything else to share your activity with Facebook. It’s completely automatic.

Facebook spokesman Andrew Noyes says Timeline and the new Open Graph applications are intended to make it easier for users to share music and other content with their friends.

He acknowledged that Facebook does use tracking cookies to monitor and correlate users’ Web page visits, just as Google, Microsoft and other operators of online advertising networks  commonly do. He says Facebook does so responsibly.

“If someone doesn’t want an app story to be seen by their friends, we offer numerous controls both before and after the fact,” says Noyes. “They can choose not take the action on Facebook, remove it from their Timeline, delete it completely, change their privacy settings, or disconnect from the app at anytime.”

Noyes insists that “all the sharing is is opt in and easily controllable.”

Mayer

However, Jonathan Mayer, a researcher at Stanford Law School’s The Center for Internet and Society,  says  Facebook has been attempting to “conflate its new frictionless sharing preferences with user control over third-party tracking.”

Says Mayer: “There’s room for debate whether Facebook’s frictionless sharing adequately provides users with notice and choice of what will be posted to their profile. But Facebook gives users no control over web tracking. In other words, when you’re using a non-Facebook site, you can control what Facebook shares with other users, but you can’t control what you share with Facebook.”

–Byron Acohido