Reacting to details of Facebook’s tracking practices disclosed in LastWatchdog’s page 1A story in print editions of USA TODAY, Sen. Jay Rockefeller, D – W. Virg., said he intends to invite Facebook and others to a hearing to explain how they are using personal information.

“The USA Today story is disturbing,” says Rockefeller, sponsor of a Do-Not-Track bill that would empower consumers to limit ad networks from tracking where they go online. “No company should track customers without their knowledge or consent, especially a company with 800 million users and a trove of unique personal data on its users.”

Facebook spokesman Andrew Noyes noted that Facebook tracking systems are used to personalize content and help boost security. He also said that the company’s tracking practicies are spelled out in its Privacy Policy and Help Center web pages. “We appreciate Sen. Rockefeller’s interest in protecting consumer privacy and look forward to discussing this with him,” Noyes says.

Meanwhile, Rep. Mary Bono Mack, R-Calif., who chairs the House Subcommittee on Commerce, Manufacturing and Trade, directed her staff to bring in Facebook officials next week for a briefing to learn more about the wave of pornographic and violent images that spread through Facebook’s automated content-sharing systems. “The Chairman is very concerned about what took place and wants to make certain – to the extent possible – that it doesn’t happen again,” says spokesman Ken Johnson.

Bono Mack

Among the questions Bono Mack wants answered: How many people were impacted? What actually happened? How did it happen? Could the vulnerability be used to gather users’ personal information? What is Facebook doing to prevent future intrusions?

Noyes pointed out this CNN news story praising how Facebook responded to the systemic attack on its content-sharing technologies. “Protecting the people who use Facebook from spam and malicious content is a top priority for us,” says Noyes. “Our team responded quickly to eliminate most of the spam caused by this incident. We are now working to improve our systems to better defend against similar attacks in the future.”

Joseph Steinberg, CEO of Green Armor Solutions, says that the porn and gore spam attack is another reason users should not rely on Facebook’s security and privacy settings.

“Facebook has never been the poster child for security,” Steinberg says. “This situation reinforces that concept. If some form of beach occurred and information that you configured to be viewable by only your friends became viewable by the entire world it is unlikely that Facebook is going to compensate you. But they can gather information about you and advertise to you. In many ways, you are Facebook’s product, not its customer.”

Far more quietly, another debate is brewing over a different side of online privacy: what Facebook is learning about those who visit its website.

Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason.

Click here to view  an  interactive chart of  how Facebook’s tracking systems work

To do this, the company relies on tracking cookie technologies similar to the controversial systems used by Google, Adobe, Microsoft, Yahoo and others in the online advertising industry, says Arturo Bejar, Facebook’s engineering director.

Facebook’s efforts to track the browsing habits of visitors to its site have made the company a player in the “Do Not Track” debate, which focuses on whether consumers should be able to prevent websites from tracking the consumers’ online activity.

For online business and social media sites, such information can be particularly valuable in helping them tailor online ads to specific visitors. But privacy advocates worry about how else the information might be used, and whether it might be sold to third parties.

New guidelines for online privacy are being hashed out in Congress and by the World Wide Web Consortium, which sets standards for the Internet.

If privacy advocates get their way, consumers soon could be empowered to stop or limit tech companies and ad networks from tracking them wherever they go online. But the online advertising industry has dug in its heels, trying to retain the current self-regulatory system.

Online tracking involves technologies that tech companies and ad networks have used for more than a decade to help advertisers deliver more relevant ads to each viewer. Until now, Facebook, which makes most of its profits from advertising, has been ambiguous in public statements about the extent to which it collects tracking data.

Zuckerberg on Rose show

It contends that it does not belong in the same camp as Google, Microsoft and the rest of the online ad industry’s major players. Facebook CEO Mark Zuckerberg made this point to interviewer Charlie Rose on national TV last week.

For the past several weeks, Zuckerberg and other Facebook officials have sought to distinguish how Facebook and others use tracking data. Facebook uses such data only to boost security and improve how “Like” buttons and similar Facebook plug-ins perform, Bejar told USA TODAY. Plug-ins are the ubiquitous web applications that enable you to tap into Facebook services from millions of third-party web pages.

Facebook spokesman Andrew Noyes says the company has “no plans to change how we use this data.” He also says the company’s intentions “stand in stark contrast to the many ad networks and data brokers that deliberately and, in many cases, surreptitiously track people to create profiles of their behavior, sell that content to the highest bidder, or use that content to target ads.”

Conflicting pressures

Rather than appease its critics, Facebook’s public explanations of how it tracks and how it uses tracking data have touched off a barrage of questions from technologists, privacy advocates, regulators and lawmakers around the world.

Markey

“Facebook could be tracking users without knowledge or permission, which could be an unfair or deceptive business practice,” says Rep. Ed Markey, D-Mass., co-sponsor with Rep. Joe Barton, R-Texas, of a bill aimed at limiting online tracking of children.

The company “should be covered by strong privacy safeguards,” Markey says. “The massive trove of personal information that Facebook accumulates about its users can have a significant impact on them — now and into the future.”

Noting that “Facebook is the most popular social media website in the world,” Barton adds, “All websites should respect users’ privacy.”

After Zuckerberg appeared on the Charlie Rose TV show last week, Markey and Barton sent a letter to the 27-year-old CEO asking him to explain why Facebook recently applied for a U.S. patent for technology that includes a method to correlate tracking data with advertisements. They gave Zuckerberg a Dec. 1 deadline to reply.

“We patent lots of things, and future products should not be inferred from our patent application,” Facebook corporate spokesman Barry Schnitt says.

Facebook is under intense, conflicting pressures.

Li

It must prove to its global financial backers that it is worthy of the hundreds of millions of dollars they’ve poured into the company, financial and tech industry analysts say. Those investors include Microsoft, Goldman Sachs, the Russian investment firm Digital Sky Technologies, Hong Kong financier Sir Ka-shing Li and venture capitalist Peter Andreas Thiel.

The success of the company’s initial public offering of stock, expected sometime next year, hinges in part on Facebook’s ability to move beyond the bread-and-butter text ads that appear on members’ home pages and emerge as a key player in graphical display ads and corporate brand marketing campaigns, says Rebecca Lieb, advertising media analyst at the Altimeter Group.

In advertising, knowing more about consumers’ preferences is key. “More data means better targeting, which means more revenue,” says Marissa Gluck, managing partner of the media consulting firm Radar Research.

To meet rising expectations, Facebook must increase its annual revenue, now estimated at about $4 billion, by double-digit percentage points for years to come, Gluck says. The company is striving to keep its options open to do this. In doing so, it is bumping into pressure from critics who are concerned that leaving online privacy standards entirely in the hands of corporations might not be the best idea.

Ground rules needed

Companies are incorporating tracking data into new business models “without necessarily appreciating the long-term and collective consequences,” says Craig Spiezle, executive director of the non-profit Online Trust Alliance.

Last week, consumer reporter Ric Romero of station KABC in Los Angeles showed how insurance companies monitor Facebook and Twitter, looking for reasons to raise premiums and deny claims. Previously, ABC News reporter Lyneka Little reported on how employers use Facebook information as part of the recruitment process.

Meanwhile, researchers at AT&T Labs and Worcester Polytechnic Institute have documented how tracking data culled from Internet searches and surfing can be meshed with personal information that Internet users disclose at websites for shopping, travel, health or jobs. Personal disclosures made on social networks, along with preference data gathered by new apps for smartphones and tablet PCs, are being tossed into this mix, too.

Privacy advocates worry that before long, corporations, government agencies and political parties could routinely purchase tracking data from data aggregators.

Eckersley

“Tracking data can be used to figure out your political bent, religious beliefs, sexuality preferences, health issues or the fact that you’re looking for a new job,” says Peter Eckersley, technology projects director at the Electronic Frontier Foundation. “There are all sorts of ways to form wrong judgments about people.”

So far, it does not appear that this sort of data correlation is being done, at least not on a wide scale. But in the absence of ground rules, technologists, regulators and privacy advocates worry that companies involved in collecting tracking data could succumb to the temptation to cash in.

Says Michael Fertik, founder and CEO of Reputation.com: “We can only imagine that an advertising company with a richer trove of data will sell more and more of that data.”

Facebook’s trove of data

Facebook for the first time revealed details of how it compiles its trove of tracking data in a series of phone and e-mail interviews conducted by USA TODAY with Bejar, Noyes and Schnitt, as well as engineering manager Gregg Stefancik and corporate spokeswoman Jaime Schopflin. Here’s what they disclosed:

•The company compiles tracking data in different ways for members who have signed in and are using their accounts, for members who are logged-off and for non-members. The tracking process begins when you initially visit a facebook.com page. If you choose to sign up for a new account, Facebook inserts two different types of tracking cookies in your browser, a “session cookie” and a “browser cookie.” If you choose not to become a member, and move on, you only get the browser cookie.

•From this point on, each time you visit a third-party webpage that has a Facebook Like button, or other Facebook plug-in, the plug-in works in conjunction with the cookie to alert Facebook of the date, time and web address of the webpage you’ve clicked to. The unique characteristics of your PC and browser, such as your IP address, screen resolution, operating system and browser version, are also recorded.

•Facebook thus compiles a running log of all your webpage visits for 90 days, continually deleting entries for the oldest day and adding the newest to this log.

If you are logged-on to your Facebook account and surfing the Web, your session cookie conducts this logging. The session cookie additionally records your name, e-mail address, friends and all data associated with your profile to Facebook. If you are logged-off, or if you are a non-member, the browser cookie conducts the logging; it additionally reports a unique alphanumeric identifier, but no personal information.

Bejar

Bejar acknowledged that Facebook could learn where specific members go on the Web when they are logged off by matching the unique PC and browser characteristics logged by both the session cookie and the browser cookie.

He emphasized that Facebook makes it a point not to do this. ” We’ve said that we don’t do it, and we couldn’t do it without some form of consent and disclosure,” Bejar says.

Bejar also acknowledged “technical similarities” in the cookie-based tracking technologies used by Facebook and the wider online advertising industry. “But we’re not like ad networks at all in our stewardship of the data, in the way we use it, and the way we lay everything out,” Bejar says. “We have a very clear and transparent approach to how we do advertising that I’m very proud of.”

Even so, Facebook’s public descriptions of its tracking systems have not satisfied some critics — particularly European privacy regulators. Ilse Aigner, Germany’s minister of consumer protection, last month banned Facebook plug-ins from government websites and advised private companies to do the same.

And Thilo Weichert, data protection commissioner in the German state of Schleswig-Holstein, expressed alarm at how Facebook’s technology could potentially be used to build extensive profiles of individual Web users.

“Whoever visits Facebook or uses a plug-in must expect that he or she will be tracked by the company for two years,” Weichert said in a statement. “Such profiling infringes German and European data protection law.”

Adding fuel to such concerns, Arnold Roosendaal, a doctoral candidate at Tilburg University in the Netherlands, and Nik Cubrilovic, an independent Australian researcher, separately documented how Web pages containing Facebook plug-ins carried out tracking more extensive than Facebook publicly admitted to.

Noyes says Germany doesn’t understand how the company’s tracking technologies work. And he blames “software bugs” for the indiscriminate tracking discovered by Roosendaal and Cubrilovic.

“When we were made aware that certain cookies were sending more information to us than we had intended, we fixed our cookie management system,” Noyes says.

Roosendaal

However, researcher Roosendaal says Facebook’s tracking cookies retain the capacity to extensively track non-members and logged-off members alike. “They have been confronted with the same issue now several times and every time they call it a bug. That’s not really contributing to earning trust.”

Some corporate security executives have become concerned about cybercriminals getting hold of tracking data relayed by Like buttons, then using that intelligence to steal intellectual property. They’ve asked firewall supplier Palo Alto Networks to identify and block traffic from Facebook tracking cookies, while enabling their employees to continue using other Facebook services.

“The concern is that Facebook has rich personal information, which Google doesn’t have,” says Nir Zuk, founder and chief technology officer for Palo Alto Networks. “Combining that personal information with Web browsing patterns could be revelatory.”

–By Byron Acohido

Several new twists have made so-called malvertisements a fast-rising threat to consumers — and a big headache for publishers, advertisers and ad networks, say technologists and security researchers.

The spread of infected online ads has spiked tenfold over the past year, according to research disclosed by security intelligence firm RiskIQ at a recent Online Trust Alliance conference in Washington, D.C.

RiskIQ documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010. Each corrupted ad could have infected the PCs of thousands or millions of website visitors, based on how long the ad ran, says Elias Manousos, CEO of RiskIQ.

Manousos

“In 2011 we observed malvertisements on major sites such as weather.com, foxsports.com, monster.com and usnews.com, just to name a few,” Manousos says.  “In the case of the usnews.com incident the malvertisement utilized a cyber crime tool called the Blackhole Exploit Kit. This tool is sold or rented by the author,  lowering the barrier of entry for the malvertiser.”

Indeed, organized crime gangs have streamlined the process of sneaking viral ads into the distribution system run by advertising networks, causing billions of tainted ad impressions to appear on the top 500 websites over the past 12 months, say technologists and security researchers.

“Malvertisements are a popular and extremely effective mechanism that take advantage of weaknesses within Web browsers,” says Vincent Liu, managing partner of security consultancy Stach & Liu. “The average home computer user faces a high risk of being attacked by malvertisements.”

Thriving ecosystem

Website security firm Armorize recently discovered criminals selling tutorials, tool kits and ad placement services to anyone who wants to get into the malvertising game. “There is a whole ecosystem designed to do this,” says Matt Huang, Armorize’s chief operating officer. “It’s all automated and all on the Internet.”

A recent rash of infections have been triggering bogus security warnings, followed by an offer for fake antivirus protection.

Last month, SpeedTest.net, a popular site that measures home broadband connection speeds, began displaying legit ads carrying instructions to load pitches for Security Sphere 2012. Simply navigating to the site launched the promos, which locked up the visitor’s PC until he or she purchased worthless “protection” for $35.

Doug Suttles, chief operating officer of Web diagnostics firm Ookla, SpeedTest’s parent, says his engineers spotted the attack and cleaned it up within three hours. The criminals, in this case, pioneered a novel technique. They corrupted legit advertisements as they arrived in the ad-handling program, called OpenX, used by the SpeedTest site.

“Most websites aren’t as on top of this as we are,” says Suttles. “We were surprised someone got in. We quickly stripped it out and locked things down.”

Insidious infections

However, tens of thousands of other websites that use the free OpenX ad-handling platform are wide open to this new type of attack, says Armorize’s Huang.

Two of the most insidious attacks involve pitches or Security Sphere 2012 and HDD_Plus. Each locks out use of any other application, while also disabling antivirus and the Windows system restore tool. If you reboot, the promo persists. The easiest course, by design, is to pay $35 to regain full control.

And many victims pay up. A vivid proofpoint:  $163 million banked by the Innovative Marketing ring of scammers who spread promos for SystemDefender. They were busted by FBI last year.

In another recent twist, consumers bedeviled by bogus anti-virus pitches have started bad-mouthing websites they believe triggered the bogus promos. Armorize has documented numerous consumer complaints that have gone viral on Twitter and other social networks, causing a drop in visits to the sites in question.

“Publishers are seeing their traffic and transactions drop in real time,” says Huang. “They are seeing an immediate financial impact from warnings appearing all over Twitter not to visit their site.”

Some ad networks have begun participating in a working group discussing “information-sharing about malvertisers and their ads,” says Steve Sullivan, the Interactive Advertising Board’s vice president of digital supply chain solutions.

The Online Publishers Association, the industry group of major website publishers, has yet to closely examine malvertising. “Obviously, stuff like this is disconcerting to the industry,” says Pam Horan, OPA’s president. “We haven’t done any research in this area, and I haven’t specifically heard anything from the members about this.”

Validation conundrum

Even so, validating ads has become a major conundrum. Web publishers trust the ad networks to continually rotate ads to their Web pages. Meanwhile, the big ad networks, such as Google, Adobe, Microsoft and Yahoo, use automation to pull ads into rotation from a series of smaller networks and agencies.

“The process isn’t flawless, and thus malvertisements end up running in the wild,” says Manousos. “I think awareness is growing and more players in the ad supply chain are committed to working on reducing the number of malvertisements that reach the public.”

Malvertisements are also used to spread stealthy infections that quietly take full control of the victim’s PC, which is then used to steal data, probe deeper into corporate networks and pilfer from online financial accounts.

Consumers can protect themselves by making sure anti-virus programs and all updates for their Web browsers and popular applications, especially Adobe Flash and Adobe PDF, are current. Consumers who want to protect themselves further can use browser plug-ins, such as NoScript and AdBlock, that block all online ads.

Liu, of consultancy Stach & Liu, says a few advertising companies are using scanning and detection mechanisms.

Liu

“But the detection of these malvertisements requires being able to access the content, and in many cases, these companies never even touch the ads,” Liu says. “Instead they pass along the advertisement link to the website, which then passes it along to the user, who ultimately loads the infected content.

“The sheer volume of advertisements served makes it costly and somewhat infeasible to scan all of the advertisements being served,” Liu continues. “Furthermore, the detection capabilities used today are inadequate for detecting all variations of attacks. The attackers have a significant advantage over the advertising companies and that gap is unlikely to close anytime soon.”

Craig Spiezle, the Online Trust Association’s executive director, says publishers, advertisers and the ad networks realize what’s at stake.

“The good news is that there is growing interest of some of the key stakeholders — including Yahoo, Microsoft and Google — on the need to employ countermeasures,” says Spiezle. “It’s clear that validating the ads everyone depends on is a shared responsibility. If consumers don’t trust ads, they may not go to the site, or they’ll start running ad blockers, and that will compromise everyone’s ability to monetize.”

Antivirus giant Symantec has partnered with web app security firm Armorize to offer a cloud-based URL scanning service tuned to spot and thus help to block so-called malvertisements.

Symantec and Armorize unveiled the new service, called AdVantage, at the Online Trust Alliance’s “Realizing the Promise of Trust” forum last month in Washington D.C.

Malvertisements began to gain wide attention in June 2009 after a wave hit the Jerusalem Post and Wall Street Journal websites, followed by another wave of bad ads sneaking onto the New York Times, San Francisco Chronicle and Fox News sites in September 2009, prompting the Gray Lady to run this front page story about the attack.

Click here to see LastWatchdog’s Top Story: 10-fold increase in malvertisements

More waves have followed. In basic attacks, criminals find ways to insert corrupted ads into the rotation of legit ads automatically circulating from myriad ad networks and ad exchanges upstream to major ad networks, such as those run by Google, Adobe and Microsoft. The big ad networks then rotate ads onto high-traffic web sites.

Huang

Armorize co-founder and CEO Wayne Huang, who works from a lab in Taipei, recently discovered an even more insidious type of  attack — one that sneaks ads directly onto  each targeted  Web site, by exploiting security flaws in OpenX, the popular open source ad handling program used by tens of thousands of sites.

In this video, Huang outlines how the attackers corrupted all ads on SpeedTest.net for about three hours. (Technicians at Ookla, SpeedTest’s parent company, luckily spotted the attack and cleaned it up quickly.)

Because the attacks are stealthily deployed at different layers many publishers lack awareness of what’s going on and what to do. However, the ad networks, ad exchanges and analytics companies that comprise the online ad supply chain are starting to pay closer attention, says Craig Spiezle, executive director of the Online Trust Alliance.

Spiezle

“For the past 18 months, OTA and its members have been working to address the mounting threats to the advertising supply chain and ecosystem,” Spiezle says. ” In Sept 2010, we published voluntary guidelines as a first steps to help counter both the operational and technical issues.  At our recent forum, we had a full-day anti-malvertising summit bringing together leaders from around the world to share best practices to help address this threat.”

Website publishers, meanwhile, don’t have to wait for the infrastructure players to tighten down the system. Symantec’s AdVantage service will scan, detect and report all instances of malvertising detected on a Web page.

The scanner analyzes ad tags as they rotate onto the website in near real time. Performance is minimally impacted and there is nothing for the customer to do beyond providing URLs for scanning and protection, says Matt Huang, co-founder and COO of Armorize, told eWEEK.

When a bad ad is detected, the service alerts the publisher, who is then responsible for removing it from the site. Over time, publishers should gain intelligence about the quality of ads arriving from specific ad networks.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue,” says Fran Rosch, Symantec Vice President, Identity and Authentication. “Highly publicized malvertising infections can damage the reputation of even the most trusted online sites.”

–By Byron Acohido

LW: Cyberattacks, especially so-called advanced persistent threats that drill deep into corporate systems, continue to accelerate. How come?

Kaspersky: Unfortunatly for enterprises, the bad guys behind Stuxnet and DigiNotar and other such cyberattacks are extremely professional. They devote time and resources to what they’re doing, making them extremely difficult to stop.

LW: What should the good guys be doing?

Kaspersky: Enterprise networks need to be redesigned to where the digital certificate is just one layer. They need much more strict rules about who can get access to internal systems and they need to consider switching off access to certain assets.

LW: Security vendors have been preaching these same best practices for years. What’s different today?

Kaspersky: Today there are so many more attacks than even just two years ago. Companies are getting compromised everywhere, in the United States, Europe and Japan. Thousands of corporations have been attacked in Russia, so now Russia has finally joined the club of victims.

LW: So what’s next?

Kaspersky: We are now in a much bigger arms race. Enterprises will pay more attention to security and have stricter rules for security systems. The bad guys won’t stop. They’ll invest more into new attack technologies. It’s a new level of the arms race.

TL: What does this mean for employees who bring their personal touch tablets and smartphones to work, and spend time during the workday on Facebook and other social networks?

Kaspersky: I’m afraid there’s going to be no more freedom for social network use in certain kinds of strict work environments. Instant messaging and e-mail for personal use needs to be limited. Employees will have a front line computer, with full access, but any personal-use devices mst be disconnected from the corporate environment.

LW: Doesn’t that scenario run counter to the rising popularity of cool mobile devices and our increasing reliance on Web apps and cloud services?

Kaspersky: Yes, it is a big step. But for critical environments, very, very strict rules are needed. It is the only way to fight effectively with the bad guys. Enterprises don’t need to be paranoid. But they must pay attention to security and understand the different scenarios of how the bad guys can get in. They need to understand how much damage can be caused. Risk management must be much more strict.

Hackers this summer have pioneered ways to forge the digital certificates intended to assure the authenticity of Web pages where you type sensitive data into forms, as highlighted by the recent bankruptcy declaration of Dutch certificate authority DigiNotar.

It turns out that the bad guys have also begun to steal copies of validly-issued certificates that companies use to authenticate, not just Web pages, but also software applications and documents, such as PDFs. Cybercrooks have begun to use stolen certificates to help disguise malicious applications they’re constantly trying to install on your Internet-connect computing device, according to antivirus firm ESET.

Qbot caper

In one cutting-edge caper, ESET researcher Robert Lipovsky found someone making criminal use of a digital certificate stolen from global consulting firm Towers Watson.

Lipovsky discovered the perpetrator using Towers Watson’s digital signature to disguise copies of the Qbot Trojan, a nasty piece of malicious software that turns over control of an infected PC to the attacker.

“Towers Watson just learned of this potential issue,” company spokesman Mike McNamara said late Wednesday. “Our security team is now looking into it to verify whether or not there is an integrity issue with our certificate.”

Revoked certificates a pain

ESET security evangelist Stephen Cobb says Towers Watson — or any entity whose stolen digital certificate gets put into play by criminals — will eventually have to scramble to keep its Web pages, software apps and documents from being stymied. “It’s a huge pain if you have a certificate stolen because then it could get revoked,” says Cobb.

Goretsky

ESET has recently documented similar attacks built around use of stolen digital signatures to help disguise copies of the infamous ZueS Trojan. It’s nearly impossible for researchers to trace how certificates get stolen. One plausible scenario is that they are getting pilfered from the hard drives of the millions of infected PCs, or bots, in control of the cyberunderground, says Aryeh Goretsky, a distinguished researcher at ESET. Any simple data harvesting program activated on a botted PC would do the trick.

“It seems likely a bot somewhere got lucky and managed to harvest a digital code-signing certificate, which was then used or sold,” says Goretsky. “There are all sorts of files on computers which can be valuable to criminal hackers. Really, any kind of file or data which has some value as a trust mechanism has value to an attacker.”

Future-proofing attacks

It has become relatively easy for top crime groups to circumvent antivirus filters and other defense mechanisms while systematically infecting PCs. So Goretsky theorizes that the group behind the stolen-certificates attacks may be conducting research; in other words, the clever rats plotting to stay several steps ahead of the cat.

The bad guys could be anticipating security features in the next generation of operating systems that will require more pervasive reliance on digital certificates, says Goretsky.

“They may be future-proofing, testing new attacks to see if they get a better response rate,” Goretsky says. “These aren’t stupid people. They’ll try all sorts of ways to optimize what they’re doing and to stay in a position to keep pushing out their malware.”

The direct and indirect ramifications of LulzSec’s unprecedented hacktivist rampage will take some time to fully play out.

However, it seems clear that consumers, corporations and governments will likely experience troublesome collateral damage for some time to come.

The Australian government, for instance, is advising citizens to change and vary their Facebook, PayPal, Xbox Live and other online account logins because scammers have begun using some of the 62,000 stolen social network and webmail logins made public by LulzSec on 16June2011.

It’s noteworthy that downloads of that batch of logins reportedly numbered 2,100 in the first 4 minutes after release. It’s likely that active and wannabe cyber scammers did some, if not most, of the downloading.

Raevsky

That’s a small example of potential escalating  chaos;  LulzSec grabbed sensitive data from Anguilla, Brazil, Zimbabwe, Australia, Arizona, Sony, PBS, Fox, Nintendo, InfraGard, AT&T, IBM, Disney and others. While a precise accounting is difficult, one can presume that some, if not most, of any data pilfered by LulzSec from those organizations has been leaked publicly, or soon will be.

LulzSec at one point dumped a file containing 750,000 logins and passwords stolen from a variety of sources on  The Pirate Bay.   “Lost in the media frenzy and the self-promotional aspects of LulzSec is the fact that innocent individuals are being affected,” says Alexey Raevsky, CEO of data security firm Zecurion.

On Saturday, 24June2011, the group unexpectedly announced it was disbanding. The next day, a member of the group told the Associated Press that the group didn’t dissolve under pressure from law enforcement, but because “we’re getting bored of us.” The hacker declined to be identified, but he verified his membership by posting a pre-arranged message to the group’s Twitter feed.

New breed of hacktivists

Disrupting corporate and government web sites primarily to make a political statement has occurred since the early 1990s. But LulzSec has pushed hacktivism to another level.

On 21June 2011, British authorities arrested a 19-year-old Essex man, Ryan Cleary, for allegedly operating a server used for private communications between LulzSec’s leaders. Instead of laying low, LulzSec — a play on Laugh-out-loud Security — announced shortly afterward that it had hacked the Brazilian federal government’s website, as well as energy giant Petrobas’ site.

Shulman

“Imagine a group of people running around a city breaking windows,” says Amichai Shulman, chief technical officer at tech security firm Imperva. “LulzSec has crossed a line because of the intensity and high profile of its activities.”

Traditionally, hacktivists will overwhelm a targeted web site with nuisance requests, temporarily cutting off access to the site. Sometimes they will deface the site’s home page.

But LulzSec appeared to be driven by complex motives, not the least of which is the sheer pleasure of destroying things, security experts say. LulzSec bored into databases to steal e-mail addresses and passwords, account logins and other data. It then indiscriminately posts the information. Since bursting onto the Internet in May, the group has:

• Released source code for Sony’s developer network and a network map of Sony BMG.
• Stolen large volumes of e-mail from Sony Pictures’ websites in France, Russia and Portugal, and Sony Ericsson Canada.
• Posted administrative e-mails and passwords for 55 porn sites.
• Posted names, passwords and e-mail addresses for 180 members of InfraGard, an FBI-affiliated organization that works to prevent hostile acts against the U.S.

“Personally, I think they (LulzSec) are going into the garbage can of history,” says  Shulman. “They were extremely unfocused in their goal and gained attention mainly due to the relative intensity of their activity and lack of other good media topics.”

LulzSec — which splintered from the more serious-minded hacktivist group Anonymous — heralded its escapades via Twitter announcements and press releases posted on its website, lulzsecurity.com. It also maintained two phone lines to take hacking requests.

Beyond the direct damage it inflicted, LulzSec inspired copycats and pointed the way for profit-minded cybercriminals to sweep in and steal even more data from targeted organization, says Chet Wisniewski, senior security advisor at antivirus firm Sophos.

One copycat is a 19-year-old  Lebanese hacker going by the nickname, “Idahc,” who has disrupted and stolen data from Sony websites in Portugal, Canada and elsewhere. Idahc told Forbes’ reporter Andy Greenberg that his vigilante activities were aimed at pushing “Sony to pay more attention on their security and to show everyone that IT security is fundamental.”

“Hacktivists foster the flow of stolen data into the public Internet,” says Wisniewski. “The collateral damage is very concerning. The type of information they’re stealing may seem innocuous when, in fact, it can be used to commit serious crimes.”

The recent arrest of Cleary in connection with LulzSec’s escapades set in motion potboiler subplots. Rival hacker groups, including The Ninja Team and Team Poison, have expressed envy and denigrated LulzSec members’ hacking skills.

The Ninja Team put up the website lulzsecexposed.blogspot.com at which it claims credit for leading police to Cleary. The site brimmed with details about LulzSec’s key operatives, including photos, home nations, profiles and even archived logs of chat channel discussions between LulzSec members as they carried out hacks.

More arrests anticipated

Tal Be’ery, a senior researcher at Imperva, says the material seems genuine, and appeared to be help police tighten the dragnet around LulzSec’s top brass. That includes the group’s clear leader, nicknamed Sabu, said to be close to 30, intelligent, and resentful of authority figures and successful people.

“When you’re running this kind of operation for a long time, especially with not very concrete plans, you’re bound to make mistakes,” says Be’ery. “I would be very surprised if all the major participants aren’t arrested fairly soon.”

Luis Corrons, PandaLabs researcher who has worked with police, agrees that the heated rivalries between hacking groups could factor in. Law enforcement, he says, is “smart enough to accept any information that can help them to arrest these cybercriminals.”

Sabu is said to be based in the United Kingdom or Brazil, the site of recent major hacks. Another key LulzSec member, Topiary, is reportedly the least skilled hacker. Topiary is said to be a quick-witted wisecracker who operates Lulzsec’s Twitter account and handles donations and payments for services rendered.

$52 billion spent on security

LulzSec’s disbanding notwithstanding, big companies and government agencies likely will have to rethink their approach to tech security.

Spending on information technology security already is growing faster than spending on general technology. And corporate and government tech buyers will have to dole out even more to defend against profit-minded cyberthieves and spies looking to swipe state and corporate secrets.

In fact, global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today, according to Lawrence Pingree, research director for Gartner.

The recent hacking escapades of LulzSec underscore how hacktivists, motivated by the desire to express an ideology, have shaped a new kind of threat that’s gaining steam.

“We’re seeing loose communities of like-mind people combine their abilities and harness the power of crowds,” says Jonthan Penn, strategy analyst at Forrester Research. “This is the dark side of the same kinds of things we’re seeing support the popular uprising in the Middle East.”

On Saturday, 25June2011, LulzSec cut short cyberattacks that included a burst of hacks following the June 21 arrest of 19-year-old Ryan Cleary from his parents home in Essex, England. Cleary has been pegged as the alleged system administrator for one of the servers use for IRC chat conversations by the core members.

Corrons

“LulzSec disintegrated because they are afraid,” says  Corrons, of PandaLabs. “This case is really important for law enforcement agencies, as they cannot afford to have criminals running free after so much damage has been done.”

Imperva CTO Shulman says Cleary’s arrest could point the way to Sabu and other leaders. “I think they have agitated the law enforcement agencies enough to really go after them,” says Shulman. ” And they left many footprints so it’s quite plausible they can be tracked down.”

If captured and convicted, LulzSec members likely will face stiff sentences, says Josh Shaul, chief technology officer of Application Security.

“The members of Lulz that want to continue hacking will do so,” says Shaul. ” Some may rejoin Anonymous or other groups participating in the AntiSec campaign. Others may move on to pursue more profitable uses of their skills. We should assume that none of these folks have hacked for the last time.”

Since members appear to be dispersed around the globe, capture and prosecution are complex. “It is difficult to pinpoint a single person or group of individuals who may be responsible,” says John D’Arcy, information technology professor at University of Notre Dame.

D’Arcy anticipates that derivative hacktivist groups “will continue to proliferate and perhaps form alliances that can be even more threatening to businesses and governments. The threat is by no means over; what we have seen so far is really the tip of the iceberg because the existing security technologies cannot withstand a determined group of professional hackers.”

Morally neutral tools

Clawson

Whatever happens, LulzSec is expected to help tech security suppliers gain a more sympathetic ear from prospective customers. Penn says LulzSec’s spree heightens the concerns raised by the celebrated case of U.S. Army Private Bradley Manning, who is being prosecuted for releasing Pentagon and U.S. embassy documents to the anti-secrecy group, Wikileaks.

“We have long seen the hacker world embrace technologies that are designed for personal or employee productivity,” says Penn. “It’s a side effect of the Internet’s power to create political groups that fall outside traditional political boundaries.

‘It seems unavoidable,” Penn continues. “Tools are morally neutral and can be exploited for both good and ill. ”

Security companies remind tech buyers that in addition to new hardware and software, they need to be “educated on the potential repercussions of a data breach,” says Pat Clawson, CEO of security firm Lumension.

Clawson argues that both industry and government have failed to do enough to understand and address the problem of cyber attacks.

“Today, the reality and impact of cyber crime needs to be shared with everyone,” says Clawson. ” While sirens probably don’t need to be installed today, users do need to be educated. Public service announcements, billboards, mobile messaging, and of course a Facebook campaign would be a good place to start. So would the implementation of a school curriculum – starting with the youngest of students.”

The tech giants continue to say very little about a roiling controversy over recent disclosures that iPhones and Android smartphones keep precise track of each user’s whereabouts every day.

“It’s arrogance demonstrated with a very loud megaphone,” says Michael Robinson, senior vice president of Levick Strategic Communications. “They’re saying, ‘Who are you to question us?’”

Apple has declined to issue any statement; the company has ignored LastWatchdog’s e-mail and voice-mail interview requests. Google typically issues an extensive blog post written by a senior executive to explain gaffes. This time, however, the company issued a three-sentence statement asserting that it obtains permission to run all Android location tracking services, and that location data is not traceable to individual users.

But Google’s brief  statement is a bit misleading, says Los Angeles-based researcher Samy Kamkar. “Most people will hit yes’ as they really don’t have a choice if they wish to use the GPS/location features of the phone,” says Kamkar. “Additionally, while it’s true the data is ‘anonymized’, it’s still trackable with a unique identifier to your phone that’s always sent with those requests. Thus, they know where person X is at all times.”

Daniel Keeney, crisis management expert at DPK Public Relations, opines that silence can be a strategically sound response under certain circumstances. “I liken the tracking situation to last year’s outrage over Facebook’s privacy failings,” says Keeney. “Over time, Facebook instituted changes to improve privacy protections, but that passage of time also allowed the issue to cool off. ”

Losing control of the message

All Apple iPhones and iPads sold since June 2010 collect time-stamped location coordinates sometimes as often as every few minutes and stores them in a file that can be easily accessed by anyone in possession of the device. Google goes a step further. For some time now, Android handsets have not only been collecting location data, they’ve also been transmitting them back to Google for use in advertising campaigns.

Robinson believes that by staying silent, Apple and Google risk losing control of a message that location tracking technology embedded into popular iPhones and Android handsets are desirable and mostly benign.

“In a crisis, you want to over communicate and define the narrative before it’s defined for you,” says Robinson, who advises senior Wall Street executives and U.S. politicians. “Silence only fuels fear and speculation.”

Franken

Sen. Al Franken, D-Minn., today announced that he has scheduled a  May 10 hearing and asked Apple and Google to testify.  Separately, Illinois Attorney General Lisa Madigan called for a meeting with Apple and Google representatives about location tracking. And U.S. Representative Ed Markey, D – Mass., is calling for a full Congressional investigation of both companies’ location tracking systems.

“The same technology that has given us smartphones, tablets, and cell phones has also allowed these devices to gather extremely sensitive information about users, including detailed records of their daily movements and location,” says Franken. “This hearing is the first step in making certain that federal laws protecting consumers’ privacy—particularly when it comes to mobile devices—keep pace with advances in technology.”

Privacy advocates are cheering all of these developments. “Consumers don’t want their smart phones outsmarting them or their kids,” says Jeffrey Chester, executive director for the Center for Digital Democracy, adding that a wave of civil lawsuits for invasion of privacy is likely.

Meanwhile, the milestone privacy rights bill recently proposed by Sen. John Kerry, D-Mass., and Sen. John McCain, R-Ariz., will likely get a boost, says Michael Fertik, founder and CEO of Reputation.com.

“The Kerry McCain bill would give more control over private information but needs to include mobile privacy features explicitly,” says Fertik. “Politically, this is a universal issue. If you’re a liberal, you probably don’t like people taking your data without your consent. If you’re a conservative, you probably don’t like invasion of privacy. And if you’re a libertarian, you probably don’t like that your data are being taken without your knowledge or consent.”

Inner workings come to light

As the issue heats up, so will scrutiny of the inner workings of smartphone location tracking. Last fall, student researchers at Duke and Penn State, with help from Intel, published results of an experiment, dubbed Tainted Droid, in which they found 15 of 30 popular Android apps systematically sent location data to ad networks in a variety of patterns.

The researchers randomly selected the apps from heavily-downloaded free programs listed in news, weather, entertainment and social networking categories in Android Market, the official apps store monitored by Google.

They discovered that some of the apps transmitted location data only when displaying ads, while others did so even when the user was not running the app. Some transmitted location data as often as every 30 seconds.

“We found it surprising that the location information was shared with ad networks without further explanation or notification,” says Jaeyeon Jung, one of the researchers, who is working on a follow-up experiment examining location reporting for more than 100 Android apps.

Similarly, more details about the iPhone’s location tracking system are coming to light. With Apple maintaining silence, The Wall Street Journal ran a test that shows iPhones collect and store location information even when location services are turned off.

“Tech companies still haven’t figured out how to respond to privacy defects,” says Jonathan Mayer, a researcher at Stanford’s Center for Internet and Society. “No, you cannot ignore them. Yes, you will get roughed up until you acknowledge and address them.”

By Byron Acohido

If not, are you willing to disable GPS and Wireless on your iPhone or Android phone?

At the moment, those are two central questions spinning out of the revelations last week that Apple iPhones and Google Android phones keep precise track of each user’s whereabouts every day.

Sen. Al Franken, D-Minn., and Rep. Edward Markey, D-Mass., sent separate letters late last week to Apple CEO Steve Jobs asking him to supply details about how and why iPhones and iPads compile and store detailed time-stamped logs of each user’s location.

Markey

And Markey on Saturday called for a formal congressional investigation of both Apple and Google. “Unprotected personal location information could be a treasure trove for troublemakers,” says Markey. “Predators shouldn’t be able to hack into an iPhone or Android to find out for themselves, with devastating consequences for families.”

The letters to Jobs came after two British researchers, Alasdair Allan and Pete Warden, revealed their discovery of a location-logging mechanism quietly introduced by Apple for iPhones and iPads in early- to mid-2010.

Kamkar and Google car

On Friday, Google came under scrutiny. The Guardian disclosed the existence of a similar location-logging feature on Android phones, a discovery made by a Swiss researcher, Magnus Eriksson; and the Wall Street Journal verified evidence gathered by Los Angeles-based researcher Samy Kamkar, showing how most Android phones worldwide have been actively sending GPS location coordinates, as well as the coordinates of any nearby WiFi networks, back to Google for at least the past six months.

Apple did not respond to interview requests. Google’s senior manager of public affairs, Chris Gaither, said the company is not doing interviews. Instead, the search giant issued a brief statement confirming that location data, indeed,  is being transmitted back to Google servers but asserting that it refrains from tracing such data to specific individuals. Here is the full text of Google’s statement:

All location sharing on Android is opt-in by the user. We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices. Any location data that is sent back to Google location servers is anonymized and is not tied or traceable to a specific user.

The tech and privacy communities are abuzz with discussions. One big risk for Apple patrons is if your iPhone or iPad is lost or stolen, says IDC applications development analyst Al Hilwa. “It makes it super easy to come up with schemes to spy on users, such as people spying on spouses or bosses spying on employees,” says Hilwa.

Wang

Meanwhile, Google’s confirmation that it has been actively collecting individuals’ location data is even more troubling to some experts, Dr. Chenxi Wang, security and risk analyst at Forrester Research, for one.  ” To me, this is even more serious than the iPhone location logging findings on April 21st, because there is no evidence yet that Apple is actively tapping into that location file saved on the phone.”

Wang says Apple’s location logging signifies “potential for misuse, should Apple decides to transmit this data to an Apple server, for instance.” By contrast,  Google is already actively collecting this information – transmitting the information intermittently to Google, with unique IDs that tie the location information to a specific phone, she says.

Location services all the rage

Apple and Google are in an intense competition to dominate one of tech’s hottest new sectors: services pivoting around knowing the precise location of the consumer. Geo-location apps — like Foursquare Gowalla, Brightkite, Loopt and Where.com –  were all the rage at the recent South By Southwest Interactive conference in Austin.

Revenue derived from so-called location-based services are expected to swell to $8.3 billion by 2014, up from $2.6 billion in 2010, according to tech industry research firm, Gartner.

Allan, the British researcher, last week stumbled upon a file stored on the hard drive of his MacBook laptop containing 29,000 time-stamped locations—a log of everywhere he had traveled in the previous 300 days. The file originated on his iPhone and was automatically copied to his laptop when he synced the two devices.

Warden

Alan’s research partner, Warden, created a software application that plots the time-stamped location data on an interactive map. The application is simple to download and free to use by any Mac owner.

Warden is working on a version for people who sync iPhones to Windows PCs. “We don’t know exactly what triggers the logging,” says Warden. “We see logging happening with intervals as frequent as every couple of minutes to much longer, and we don’t know what the pattern is.”

It is not clear whether Apple intends to somehow make this data available to location-based marketeers. Location data is being increasingly used to personalize online ads, to help parents keep track of their teens, and to help prevent mobile payment scams, says Forrester’s Wang.

“None of these scenarios justify storing a year’s worth of location data,” says Wang. “It continues to surprise me how companies always elect the privacy-invasive features as default.”

They know where you live

Kamkar, the Los Angeles researcher, says he has discovered that all recently purchased Android phones are set up to continually report specific GPS coordinates as well as the coordinates of WiFi networks in nearby homes and businesses back to Google.

He says Google can correlate timing and frequency of phone usage to pinpoint an Android owner’s home address. “If your phone is at the same location during night hours, they know where you live,” says Kamkar. “If your phone location is on the move, they can guess that you’re in a car and even calculate how fast your car is moving.”

Kamkar says Android handsets also continually track coordinates of any nearby WiFi systems, even those that are encrypted. “If you have an Android phone, Google knows where you are,” says Kamkar. “Even if you don’t own an Android phone, but your neighbor does, Google can triangulate who you are by tracking your wireless network.”

The only way to disable such tracking by your Android phone is to disable the GPS and Wireless functions, he says.

But most people, especially those under 30, aren’t apt to disable cutting-edge features, says Fran Maier, president of TRUSTe, which certifies website privacy programs.

Maier

On Wednesday , TRUSTe plans to release survey results showing 44% of 18- to 20-year-olds say they feel secure and in control when using their mobile devices. “Privacy is a big deal now, even among younger people,” says Maier. “But they believe they’re smarter and more adept at managing their information than older people.”

Even so, Sen. Franken notes in his letter to Jobs that “there are numerous ways” location data “can be abused by criminals and bad actors.” And Rep. Markey asks Jobs if he is concerned about how the “wide array of precise location data logged by these devices can be used to track minors, exposing them to potential harm.”

Tech analysts and privacy experts say Google is likely to face similar questions.

“There appears to be this enormous industry operating behind closed doors with business models premised on the collection of massive amounts of detailed information,” says Hilwa. “Only governmental regulatory bodies can inject sanity back into this state of affairs.”

By Byron Acohido

Two researchers, Alasdair Allan and Pete Warden, earlier this week revealed their discovery of the location logging feature, which is integrated into iPads and iPhones that use i0S 3.2, which Apple rolled out in April 2010, and the subsequent iOS 4.0, as well.

The revelation has sent shock waves to the community of analysts and experts who follow the mobile space. And today Rep. Ed Markey, D-Mass., weighed in expressing concerns for the average citizenry, especially minors.

Markey send a letter letter to Apple CEO Steve Jobs asking him to supply details about how the feature works and what it is intended for, asking Jobs to reply by May 19. In the letter, Rep. Markey asks Apple to respond to these questions:

• Is it accurate that Apple iPhone keeps track of where iPhone users go, saving this information to a file on the device that is then copied to the owner’s computer when the two are synchronized?

• Did Apple intentionally develop this functionality in order to log the locations of users?

• How does Apple collect this customer location information?

• Does Apple use this information for any purpose? Has Apple used this location information for any commercial purpose?

• Is it possible for customers to disable this feature?

• Given the widespread usage of iPhones and iPads by individuals under the age of 18, is Apple concerned that the wide array of precise location data logged by these devices can be used to track minors, exposing them to potential harm?

“Apple needs to safeguard the personal location information of its users,” says Markey. “Collecting, storing and disclosing a consumer’s location for commercial purposes without their express permission is unacceptable and would violate current law.”

More expert observations:

Hilwa

Al Hilwa, Program Director, Application Development Software, IDC

Apple needs to answer questions on this. Does any of their software running on the device periodically send this data to mother ship? Can other apps access this data and copy it to other back-end systems? How do you turn it off? Why is the data stored on the device in the first place?

Is it bad policy? Yes, because it is not done at the user’s discretion and there does not appear to be a way to either stop the tracking or erase the data for the general user

Is it harmful? Potentially! It makes it super easy to come up with schemes to spy on users. People spying on spouses or bosses spying on employees are two abuses that are enabled by this.  The spying can happen years after the fact because the data appears to live forever, so there is a long period of exposure.

And because the data is backed up, it proliferates creating an even bigger attack surface. Overall, it is always bad to collect data without user awareness.

However, software collects all kinds of data, for example browsers collect history data which can also be abused. In the case of browser histories the browser vendors are of course very aware of it, even though there are many people who are not aware of it.

Why was this done? One possibility is simple programmer carelessness such as not cleaning up debugging code before releasing the software. Apple needs to respond soon, potentially with an OS update that can erase the data and disable its collection.

Wang

Dr. Chenxi Wang, Vice President & Principal Analyst, Security and Risk, Forrester Research.

This discovery has sent shock waves through the high tech community. “What? This file contains my whereabouts for the past year? WTF?” was most people’s first reaction when the news broke.

I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and verify the location tracking information. Similarly, a credit-protection app can be instructed to report the phone’s general location at the time of a suspicious credit card transaction—if the card is used in England and the credit card owner’s phone is in Alabama, hmm..something could be amiss here.

But none of these scenarios could conveniently justify storing a year’s worth of location data, and even stranger is the fact that the phone automatically syncs this data to the host. Mind you, not all data from the phone is transferred to the host during the synchronization—Apple really intends to keep this data around. But why?

Legal experts are quick to point out that the mere collection of this data isn’t illegal. Sure, other GPS-enabled devices may collect this type of information as well. But on a device like iPhone/iPad where so many other activities can happen at the same time, the risk is different.

The first question we must ask is how this file can be accessed. It’s not immediately clear whether any apps could access the file. Typically, an iPhone app would ask for the user’s permission in order to access system resources such as GPS info. But that is enforced through the operating system APIs. Since what we talk about here is a plain file, which, from the sounds of it, is not in the “protectionComplete” class (ProtectionComplete means the file remains encrypted as long as the device is locked. The strongest protection class for file system objects on iOS). It’s unclear if the operating system prevents other apps from accessing the information.

Another critical question is that why Apple didn’t present an “opt-out” option to this tracking feature, or better yet, present it as an “opt-in” only feature. It continues to surprise me (well, I guess it shouldn’t surprise me anymore) how companies always elect the privacy-invasive features as default.

Some blogs I read yesterday talked about the danger of having this information available on the sync-ing host. If the host is compromised, this data would be available to intruders. True, but if your sync-ing host is compromised, you’ve got a bigger problem to worry about – ever heard of Apple’s “Escrow keybag” concept?

The real danger, in my opinion, isn’t in the existence of these logs. It is in the potential that the information contained within could be misused. Imagine if you are able to correlate this data with the user’s activity stream, you can then determine precisely where I bought a Starbucks coffee, where I gassed up my car, where I looked up a restaurant on the Yelp app, and where I checked into a flight. If this isn’t a complete invasion of privacy, I don’t know what is.

As mobile technologies continue to penetrate our everyday lives, privacy becomes an increasingly elusive notion. Consumers must sometimes make a choice between the loss of privacy and the convenience of the “always connected” lifestyle. But consumers cannot make that choice if they are not given the necessary information. C’mon, Apple, let the consumers decide that they want other apps or services prying into their every move, don’t do it for them.

By Byron Acohido