<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Top Stories</title>
	<atom:link href="http://lastwatchdog.com/category/top-stories/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Wed, 25 Apr 2012 20:37:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Angry Birds and other Facebook apps score low on privacy</title>
		<link>http://lastwatchdog.com/angry-birds-facebook-apps-score-privacy/</link>
		<comments>http://lastwatchdog.com/angry-birds-facebook-apps-score-privacy/#comments</comments>
		<pubDate>Sun, 22 Apr 2012 20:25:12 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12309</guid>
		<description><![CDATA[A new service that grades how each of Facebook&#8217;s top third-party apps respects consumers&#8217; privacy was released late Sunday by research firm PrivacyChoice. The free tool, Privacyscore for Facebook, spells out privacy policies and tracking practices of more than 200 top Facebook apps, including games, work-related programs and sharing apps. Online tracking is fueling a [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12310" href="http://lastwatchdog.com/angry-birds-facebook-apps-score-privacy/angry-birds150px/"><img class="alignleft size-full wp-image-12310" title="angry birds150px" src="http://lastwatchdog.com/wp/wp-content/uploads/angry-birds150px.jpg" alt="" width="150" height="150" /></a>A new service that grades how each of Facebook&#8217;s top third-party apps respects consumers&#8217; privacy was released late Sunday by research firm PrivacyChoice. The free tool, <a href="http://apps.facebook.com/privacyscoreapps/">Privacyscore for Facebook</a>, spells out privacy policies and tracking practices of more than 200 top Facebook apps, including games, work-related programs and sharing apps.</p>
<p>Online tracking is fueling a heated national debate over whether new do-not-track laws are needed to safeguard consumers&#8217; online privacy. Leaders in the online advertising industry use a version of Privacyscore to self-police the tracking practices of online advertising networks, and thus head off new laws. Privacy experts welcomed the consumer version.</p>
<p>
&#8220;This certainly is going to be a useful tool for consumers, but it may actually be even more useful in pushing application developers, who don&#8217;t like getting poor grades, to look more closely at their own privacy practices,&#8221; says Jules Polonetsky, director of the Future of Privacy Forum, a Washington, D.C., think tank on data security.</p>
<p>Facebook&#8217;s pervasive Web presence comes with &#8220;a responsibility to hold people who are developing apps on their platform accountable for the (privacy) assertions that they&#8217;re making,&#8221; says Craig Spiezle, executive director of the Online Trust Alliance.</p>
<p>Facebook&#8217;s David Swain noted that the company requires app developers to agree to its privacy policies. &#8220;If we find an app has violated our policies … we take action,&#8221; Swain says.</p>
<p>According to PrivacyChoice, 140 different tracking entities routinely collect information about users of the top Facebook apps. Trackers can correlate that data to profiles of individuals&#8217; browsing behavior across multiple Web pages in order to deliver more relevant ads. &#8220;It&#8217;s up to users to know the privacy risk of sharing personal data with apps,&#8221; says Jim Brock, PrivacyChoice founder and CEO.</p>
<p>Privacyscore&#8217;s top score is 100. Deductions are made for sharing data with an excessive number of tracking entities, failing to honor deletion requests, failing to provide an opt-out choice or storing consumer data for long periods.</p>
<p>Gamemaker Zynga, for instance, registers an overall score of 82 for 17 Facebook games. The game Slingo, with 17 million players, scores 80, losing points partly because it connects to 59 trackers. Zynga general counsel Reggie Davis says Zynga welcomes tools such as Privacyscore. And Zynga&#8217;s online tutorial, PrivacyVille, rewards its users for learning more about the company&#8217;s privacy policies.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/angry-birds-facebook-apps-score-privacy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mobile devices carry intrinsic security flaws</title>
		<link>http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/</link>
		<comments>http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/#comments</comments>
		<pubDate>Mon, 09 Apr 2012 17:57:37 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12252</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 09Apr2012, P1B Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed. That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12253" href="http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/smartphone-array150px/"><img class="alignleft size-full wp-image-12253" title="smartphone array150px" src="http://lastwatchdog.com/wp/wp-content/uploads/smartphone-array150px.jpg" alt="" width="150" height="140" /></a>By Byron Acohido, USA TODAY, 09Apr2012, <a href="http://www.usatoday.com/tech/news/story/2012-04-08/smartphone-security-flaw/54122468/1">P1B</a></p>
<p>Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed.</p>
<p>That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully account for the security and privacy implications.</p>
<p>“Today&#8217;s smartphones and tablet devices perform the same functions as a PC,” says Dan Hoffman, chief of mobile security at Juniper Networks. “However, the vast majority of devices lack security software and mistakenly rely upon the operating system to keep people safe.”</p>
<p>In one study, Cryptography Research showed how it is possible to eavesdrop on any smartphone or tablet PC as it uses cryptographic keys to protect sensitive operations, such as when a mobile device is being used to make a purchase, conduct online banking or access a company’s virtual private network.</p>
<p>The secret keys can be deciphered, enabling a criminal to use them to access a financial account or a company network, says Benjamin Jun, Cryptography Research’s chief technology officer.</p>
<div id="attachment_12254" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-12254" href="http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/benjamin-jun90px/"><img class="size-full wp-image-12254" title="Benjamin Jun90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Benjamin-Jun90px.jpg" alt="" width="90" height="118" /></a><p class="wp-caption-text">Jun</p></div>
<p>“These types of attacks do not require the device to be modified and there is usually no observable sign that an attack is in progress,” Jun says.</p>
<p>Cryptography Research is “working with one of the major smartphone and tablet companies right now to put countermeasures in,” Jun says. No known actual attacks have occurred, he says.</p>
<p>In another theoretical study, researchers at security firm McAfee, a division of Intel, demonstrated several ways to remotely hack into Apple iOS, the operating system for iPads and iPhones.</p>
<p>McAfee’s research team remotely activated device microphones and recorded conversations taking place in the vicinity of the hacked device. They also stole secret keys and passwords, and were able to pilfer sensitive data, including call histories, e-mail and text messages.</p>
<p>“This attack method shows ways that advanced attackers can compromise and control devices indefinitely,” says Ryan Permeh, McAfee’s principal security architect. “This can be done with absolutely no indication to the device user.”</p>
<p>Apple spokeswoman Trudy Muller declined comment.</p>
<p>Security experts and law enforcement officials anticipate that cybergangs will accelerate actual attacks as consumers and companies begin to rely more heavily on mobile devices for shopping, banking and working.</p>
<p>“Responsibility for addressing these security concerns is far reaching,” says Hoffman. “The broader security community needs to assist in providing all users the highest level of protection.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Milestone botnet comprised of 600,000 infected Macs</title>
		<link>http://lastwatchdog.com/milestone-botnet-comprised-600000-infected-macs/</link>
		<comments>http://lastwatchdog.com/milestone-botnet-comprised-600000-infected-macs/#comments</comments>
		<pubDate>Thu, 05 Apr 2012 19:06:31 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12232</guid>
		<description><![CDATA[This was inevitable. A cyber gang has assembled a botnet comprised of Apple Macs, not Windows PCs. An unpatched portion of Java left Mac users prone to the Flashback Trojan, which causes the machine to quietly report to a command and control server for further instructions. Mac users  can get infected by navigating to a [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12233" href="http://lastwatchdog.com/milestone-botnet-comprised-600000-infected-macs/macbook-pro175px/"><img class="alignleft size-full wp-image-12233" title="MacBook Pro175px" src="http://lastwatchdog.com/wp/wp-content/uploads/MacBook-Pro175px.jpg" alt="" width="175" height="106" /></a>This was inevitable. A cyber gang has <a href="http://content.usatoday.com/communities/technologylive/index#.T33jpo4743Y">assembled a botnet</a> comprised of Apple Macs, not Windows PCs.</p>
<p>An unpatched portion of Java left Mac users prone to the Flashback Trojan, which causes the machine to quietly report to a command and control server for further instructions.</p>
<p>Mac users can get infected by navigating to a viral web page pre-loaded to deliver a drive-by download tuned to exploit this Java vulnerability &#8212; much the same as Windows PC users.</p>
<p>The Russian antivirus company <a href="http://news.drweb.com/show/?i=2341">Dr. Web</a> says some 600,000 Macs have been infected, including several devices based in Cupertino, California, the home of Apple. So if your Mac has been balky lately, this could be the explanation.</p>
<p><strong>Swiss Army knife</strong></p>
<p>Botnets are used to spread spam and infections, participate in denial-of-service attacks, hijack online bank accounts, etc. Botnets are the Swiss Army knife of cybercrime. And when your machine is performing bot duties, your processing efficiencies naturally get sapped. It was only a matter of time before this common experience of Windows PC users came home to roost with Mac users.</p>
<p>One commenter to <a href="http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars?comments=1#comments-bar">Ars Technica&#8217;s coverage</a> noted:</p>
<blockquote>
<div>My wife&#8217;s first gen core duo macbook pro hard drive is always busy, which I thought was due to limited hard drive space. Even after cleaning out ~15 gigs of space, the OS is slow and often unresponsive, and the HD is clickety clacking all the time. I sure hope I don&#8217;t have it. I&#8217;m going to check first thing when I get home. Has anyone&#8217;s machine here tested positive? If so, does this sound familiar?</div>
</blockquote>
<p>Apple has since patched the Java flaw. F-Secure has supplied details on how to diagnose and <a href="http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml">fix the problem</a>, but warns that the steps are tricky.</p>
<p><strong>Wake up call</strong></p>
<p>“This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats,&#8221; says Mike Geide, senior security researcher at Zscaler ThreatLabZ. &#8220;And the need to follow best security practices, such as remaining current with patches, is ubiquitous &#8212; it doesn&#8217;t matter if you’re using Windows, Mac, or even mobile phone.”</p>
<div id="attachment_12234" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-12234" href="http://lastwatchdog.com/milestone-botnet-comprised-600000-infected-macs/dave-marcus90px/"><img class="size-full wp-image-12234" title="Dave Marcus90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Dave-Marcus90px.jpg" alt="" width="90" height="127" /></a><p class="wp-caption-text">Marcus</p></div>
<p>Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, says the existence of a major Mac botnet comes as no surprise. He advises Mac users to do as Windows PC users do: keep antivirus protection and all Apple patches current.</p>
<p>&#8220;Attackers are leveraging years of success from writing PC malware and they&#8217;re doing the same thing in the Mac world,&#8221; says Marcus. &#8220;Cybercriminals will attack any operating system with valuable information, and as the popularity of Macs increases, so will attacks on the Mac platform.&#8221;</p>
<p>&#8211;By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/milestone-botnet-comprised-600000-infected-macs/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Merchants, consumers on hook due to card processor breach</title>
		<link>http://lastwatchdog.com/merchants-consumers-hook-due-breach/</link>
		<comments>http://lastwatchdog.com/merchants-consumers-hook-due-breach/#comments</comments>
		<pubDate>Fri, 30 Mar 2012 22:40:34 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12212</guid>
		<description><![CDATA[Merchants and consumers could be the big losers in the latest case of hackers cracking the complex systems used to process credit and debit card transactions. Visa and MasterCard acknowledged Friday that they’ve been alerting banks about a major breach of an unnamed payment card processing firm. The Wall Street Journal, citing unnamed sources, named [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12214" href="http://lastwatchdog.com/merchants-consumers-hook-due-breach/card-swipe163px/"><img class="alignleft size-full wp-image-12214" title="Card swipe163px" src="http://lastwatchdog.com/wp/wp-content/uploads/Card-swipe163px.jpg" alt="" width="163" height="146" /></a>Merchants and consumers could be the big losers in the <a href="http://www.usatoday.com/tech/news/story/2012-03-30/mastercard-security-breach/53887854/1">latest case</a> of hackers cracking the complex systems used to process credit and debit card transactions.</p>
<p>Visa and MasterCard acknowledged Friday that they’ve been alerting banks about a major breach of an unnamed payment card processing firm. The <em>Wall Street Journal,</em> citing unnamed sources, <a href="http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html?mod=WSJ_hp_LEFTTopStories">named</a> Atlanta-based Global Payments as the processor in question.</p>
<p>Global Payments declined interview requests.</p>
<p>Security blogger Brian Krebs, who <a href="http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393">broke the story</a>, says thieves cracked into the processor’s systems between Jan. 21 and Feb. 25, and may have swiped more than 10 million credit and debit card transaction records, originating from an unknown number of merchants, banks and credit unions.</p>
<div id="attachment_12218" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-12218" href="http://lastwatchdog.com/merchants-consumers-hook-due-breach/avivah_litan90px-3/"><img class="size-full wp-image-12218" title="avivah_Litan90px" src="http://lastwatchdog.com/wp/wp-content/uploads/avivah_Litan90px2.jpg" alt="" width="90" height="134" /></a><p class="wp-caption-text">Litan</p></div>
<p>Gartner banking security analyst Avivah Litan says unverified reports point to a New York City street gang with Central American ties taking over &#8220;an administrative account that was not protected sufficiently.&#8221;</p>
<p>“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” says Litan.</p>
<p>MasterCard issued a statement advising cardholders to contact the financial institution that issued their cards with any concerns. Visa emphasized that no Visa systems were breached.</p>
<p>However, criminals know better than to waste time on highly defended systems, and have been consistently successful cracking support systems. “Sooner or later they find some weakness in the highly complex chain of systems that they can exploit,” says Geoff Webb, of data security firm Credant Technologies.</p>
<p>Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008-2009.</p>
<p>It’s not just card processors that are being targeted. Last year hackers stole payment card information for more than <a href="http://lastwatchdog.com/sony-playstation-network-data-breach-timeline/">100 million customers</a> of Sony’s PlayStation Network.</p>
<p>And earlier this year online shoe retailer Zappos disclosed hackers took e-mail and shipping addresses, phone numbers and account passwords for some <a href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/">24 million customers</a>, data useful for identity theft.</p>
<p>“Any business that’s capturing payment data is a target,” says Mark Bower, analyst at Voltage Security.</p>
<p>Consumers whose debit card account information landed in criminals’ hands with this latest breach are at heightened risk. That’s because gangs are adept at quickly manufacturing faked cards to make large cash withdrawals from ATMs. And the consumer’s cash goes missing until a theft is reported and reimbursement carried out, which can take several days.</p>
<p>“You should always be watching your statements for unauthorized transactions but right now people should be extra vigilant,” says Steve Coggeshall, chief technology officer at ID Analytics.</p>
<p>Retailers are also uniquely exposed. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen.</p>
<p>Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.</p>
<p>States could pursue a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals&#8217; hands. &#8220;Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship,&#8221; Julian says.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/merchants-consumers-hook-due-breach/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Caller ID spoofers raid online banking accounts</title>
		<link>http://lastwatchdog.com/caller-id-spoofers-raid-online-banking-accounts/</link>
		<comments>http://lastwatchdog.com/caller-id-spoofers-raid-online-banking-accounts/#comments</comments>
		<pubDate>Fri, 16 Mar 2012 11:56:48 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12189</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 16March2012, P1B Cyberthieves are stepping up phone-calling scams to pilfer from consumers’ online banking accounts. In the second half of 2011, Pindrop Security detected more than 1 million fraudulent calls, including 189,439 in December, a 52% spike from the 124,258 calls tracked in July, according to a first of its [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12190" href="http://lastwatchdog.com/caller-id-spoofers-raid-online-banking-accounts/1203116_spooftel223/"><img class="alignleft size-full wp-image-12190" title="1203116_spooftel223" src="http://lastwatchdog.com/wp/wp-content/uploads/1203116_spooftel223.jpg" alt="" width="225" height="105" /></a>By Byron Acohido, USA TODAY, 16March2012, <a href="http://www.usatoday.com/tech/news/story/2012-03-14/caller-id-phone-spoofing/53554430/1">P1B</a></p>
<p>Cyberthieves are stepping up phone-calling scams to pilfer from consumers’ online banking accounts.</p>
<p>In the second half of 2011, Pindrop Security detected more than 1 million fraudulent calls, including 189,439 in December, a 52% spike from the 124,258 calls tracked in July, according to a first-of-its-kind report released Thursday.</p>
<p>“Mobile is a growth area for online banking fraud,” says Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, a tech professionals group that’s working with financial institutions to stem all forms of online banking fraud.</p>
<p>Many of the bogus calls were tied to caller ID spoofing – a way to place a phone call that causes the recipient’s phone to display a caller ID number that appears to originate from a trusted party.</p>
<p>Phone call spoofers often begin by luring a cell phone user into divulging account information via an automated call or text message that appears to come from the user’s bank. Next, the crooks call the bank, spoofing a patron’s phone number and correctly answering security questions to trick the customer rep into carrying out fraudulent cash transfers or issuing new credit cards to mailing addresses they control.</p>
<p>The use of spoofed calls to hijack online banking accounts is one slice of a thriving, multi-billion dollar online banking fraud industry. Cyber robbers also <a href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/">spread poisoned links on webpages</a>, in e-mail and on social networks to take control of consumers’ PCs. They then embed programs, called banking Trojans, that let them stealthily tap into online banking accounts.</p>
<p><strong>Billions stolen</strong></p>
<p>Based on cases it has worked on with law enforcement and victim companies, Dell SecureWorks estimates that small- and medium-sized businesses in the U.S. and Europe lose as much as $1 billion a year from online banking accounts. The financial services industry contends the security of computing devices is the responsibility of the companies and often <a href="http://lastwatchdog.com/perils-online-banking-cyberrobbers-escalate-attacks/">does not reimburse</a> theft losses from online business accounts.</p>
<p>&#8220;We&#8217;d expect business owners to be a bit more savvy and have more resources at their fingertips,&#8221; says Carol Kaplan, spokeswoman for the American Bankers Association. &#8220;That doesn&#8217;t mean we&#8217;re not seriously concerned about the problems small businesses are having, and there continues to be huge gobs of investment into shoring up security.&#8221;</p>
<p>Results of an ABA survey of 95 financial institutions, released exclusively to USA TODAY, show the number of commercial account takeovers by cybercrooks rose 260% in 2011 vs. 2009. However, the average loss per victimized company decreased 92% during the same period.</p>
<p>&#8220;Financial institutions are becoming more effective at stopping illicit transactions from being executed,&#8221; says Doug Johnson, the ABA&#8217;s vice president of risk management policy.</p>
<p>Individual consumers are getting hit too, but typically get made whole by the banks &#8212; if they catch and report theft from online accounts quickly. In those instances, the banks bear the loss.</p>
<p>“It is incredibly difficult to measure losses from consumer accounts, but it’s probably higher than $1 billion a year,” says Dale Gonzalez, Dell SecureWorks mobile product strategist. Droves of less-skilled cyberthieves, equipped with free, easy-to-use account hijacking tools “are absolutely targeting consumers,” Gonzalez says.</p>
<p>Spoofed call attacks, in particular, are catching on because they are easy to do and difficult to defend against, law enforcement officials and security analysts say. Consumers’ names, phone numbers and e-mail can be purchased inexpensively from hackers who specialize in cracking into databases, like the gang that <a href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/">swiped 24 million customer records</a> from online shoe retailer Zappos.</p>
<p><strong>Easy pickings</strong></p>
<p>What’s more, caller ID spoofing techniques are trivial to master; free and cheap automated programs are readily available on the Internet. In the last six months of 2011, bogus calls were placed in connection with online banking scams directed at 30 of the 50 largest financial institutions in the U.S., says Pindrop CEO Vijay Balasubramanian.</p>
<p>“We are continuing to see this rising trend,” says Balasubramanian. “There appears to be a network effect as word of successful scams gets relayed to other fraudsters.”</p>
<p>ISSA’s Stahl says tech companies and banks need to do more to stem the tide of attacks. Part of the solution: being more transparent to small businesses and consumers about the risks of online banking.</p>
<p>“Online bank fraud is at epidemic levels, there’s no question about that,” Stahl says. “Right now there is inadequate security against the many kinds of attacks that lead to online banking fraud, and that’s only going to get worse, not better.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/caller-id-spoofers-raid-online-banking-accounts/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Cyber attacks on mobile devices gain meaningful traction</title>
		<link>http://lastwatchdog.com/cyber-attacks-mobile-devices-gain-meaningful-traction/</link>
		<comments>http://lastwatchdog.com/cyber-attacks-mobile-devices-gain-meaningful-traction/#comments</comments>
		<pubDate>Wed, 07 Mar 2012 20:14:10 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12172</guid>
		<description><![CDATA[Something the security community has been fretting about for a few years seems to have finally arrived in earnest: cybercriminals are going mobile. Nearly one in five mobile phone users have experienced some type of security threat with their device. That&#8217;s the finding of a Cloudmark survey of 1,000 cellphone users, scheduled to be released [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12173" href="http://lastwatchdog.com/cyber-attacks-mobile-devices-gain-meaningful-traction/ipad_in_use175px/"><img class="alignleft size-full wp-image-12173" title="iPad_in_use175px" src="http://lastwatchdog.com/wp/wp-content/uploads/iPad_in_use175px.jpg" alt="" width="175" height="131" /></a>Something the security community has been <a href="http://lastwatchdog.com/case-tighter-security-internet-connected-devices/">fretting</a> about for a few years seems to have finally arrived in earnest: cybercriminals are <a href="http://www.usatoday.com/money/industries/technology/story/2012-03-05/mobile-security-threats/53357486/1">going mobile.</a></p>
<p>Nearly one in five mobile phone users have experienced some type of security threat with their device. That&#8217;s the finding of a Cloudmark survey of 1,000 cellphone users, scheduled to be released Tuesday.</p>
<p>Poisoned text messages, nearly non-existent in the U.S. a few years ago, grew 300% in 2010 and 400% in 2011, accounting for about 1% of all text messages. &#8220;We&#8217;ve gone from totally clean to a trickle,&#8221; says Rachel Kinoshito, head of Cloudmark&#8217;s security operations. &#8220;Most people are seeing about one a month.&#8221;</p>
<p>That foothold is part of a broader concern. Variations of scams that infest the Internet, through PC browsers, have begun spreading on a meaningful scale through mobile devices. And it looks like the bad guys are just getting warmed up.</p>
<p>One type of poison text message involves tricking people into signing up for worthless services for which they get billed $9.99 a month. Another type lures them into doing a survey to win a free iPhone or gift card. Instead, the attacker gets them to divulge payment card or other info useful for identity-theft scams.</p>
<p>&#8220;Malicious attacks have exploded well beyond e-mail, and we are very aware of their move to mobile,&#8221; says Jacinta Tobin, a board member of the Messaging Anti-Abuse Working Group, an industry group combating the problem.</p>
<p>Meanwhile, hackers are repurposing skills honed in the PC world to attacks on specific mobile devices. Particularly, handsets using Google&#8217;s Android operating system are frequently the target of hackers. In December, anti-virus company F-Secure tracked down 1,639 unique malicious Android apps — disguised as free apps and circulating on websites across the Internet. That&#8217;s up from 48 in January 2011.</p>
<p>One type offered and delivered a free copy of the popular Angry Birds game. But the victim is also unwittingly signed up for a premium-rate texting service and charged an extra $10 a month on his or her phone bill, says F-Secure researcher Sean Sullivan.</p>
<p>Network security company Juniper Networks says the pool of bad apps it has been tracking swelled 86% in February from January. Nearly half of the poisoned Android apps analyzed by Juniper were classic spyware, says Dan Hoffman, head of Juniper&#8217;s mobile security business.</p>
<p>&#8220;We&#8217;ve identified malware that can steal credentials from e-mail and mobile banking applications,&#8221; Hoffman says. &#8220;These attacks can be devastating.&#8221;</p>
<p>The online industry is on high alert. The working group — whose members include AT&amp;T, Verizon, Comcast, Facebook, PayPal and Time Warner — convened in San Francisco last month to join forces on defending against new mobile threats.</p>
<p>&#8220;We need to stay ahead of what&#8217;s happening with mobile abuse, social networking abuse and malware,&#8221; says Tobin. &#8220;It makes sense for us to collaborate across all these channels.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/cyber-attacks-mobile-devices-gain-meaningful-traction/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Companies embrace tools to restrict social networks at work</title>
		<link>http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/</link>
		<comments>http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 15:29:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12164</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 29Feb2012, P1B SAN FRANCISCO – When Randy Kortering decided to upgrade computer network defenses at Haworth, a $1 billion-a-year office fixtures manufacturer, his chief of security warned him about social-networking use. &#8220;He laid out what was coming through a Facebook connection and how it could very quickly spread a virus [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12165" href="http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/usabrd_usaeast_1_02-29-2012_0_b1_b_b_001_4_203935-ps/"><img class="alignleft size-full wp-image-12165" title="USABrd_USAEast_1_02-29-2012_0_B1_B_B_001_4_203935.ps" src="http://lastwatchdog.com/wp/wp-content/uploads/120229_tearsheet.jpg" alt="" width="175" height="132" /></a>By Byron Acohido, USA TODAY, 29Feb2012, <a href="http://www.usatoday.com/tech/news/story/2012-02-27/social-network-workplace-security/53292514/1">P1B</a></p>
<p>SAN FRANCISCO – When Randy Kortering decided to upgrade computer network defenses at Haworth, a $1 billion-a-year office fixtures manufacturer, his chief of security warned him about social-networking use.</p>
<p>&#8220;He laid out what was coming through a Facebook connection and how it could very quickly spread a virus that we weren&#8217;t prepared to block,&#8221; recalls Kortering, vice president of global information services for the Holland, Mich., company.</p>
<p>Kortering began reviewing new security systems designed to closely monitor or restrict, as needed, employee use of Facebook, Twitter, Google, LinkedIn and other popular online services. Because of a surge of headline-grabbing database breaches, many companies attending the massive RSA security conference here this week are following suit.</p>
<p>&#8220;The problem is pervasive,&#8221; says Jeff Wilson, principal security analyst at Infonetics Research. &#8220;Companies of all sizes are definitely re-evaluating what they have installed for IT security.&#8221;</p>
<p>Verizon&#8217;s annual Data Breach Investigations Report supplies a benchmark. Its 2011 study examined patterns in 800 corporate intrusions, up from 761 in 2010. By contrast, Verizon&#8217;s forensic experts were called in to solve 900 database break-ins in the previous six years combined, 2004 through 2009.</p>
<p>This is new terrain. The tech industry&#8217;s marquee players are intensifying the collection and sharing of personal information in order to sell more advertising. Yet the implications of companies acquiring beefier security systems to restrict employee access to popular services are difficult to discern.</p>
<p>Security analysts and criminologists say this much is clear: &#8220;Spear-phishing&#8221; attacks, crafted to get unsuspecting employees to inadvertently seed computer viruses and infections at targeted organizations, are jumping. And the surge of attacks on corporations correlates to the rise in unfettered use of social networks, search engines and Web apps on company networks, analysts say.</p>
<p>These popular free online services have turned out to be a boon for spear phishers, who prowl social networks and use search engines to gather intelligence. &#8220;Just like online marketers and advertisers, criminals see a tremendous value in knowing more about their targets,&#8221; says Rob D&#8217;Ovidio, a criminology professor at Drexel University.</p>
<p>Spear phishers are adept at inhabiting social networks to troll for victims. And they have proved endlessly inventive at crafting e-mails and social-network postings that appear to arrive from a trusted source, while stealthily delivering a malicious payload to gain them access deep inside company networks. The desired booty: customer lists, design documents, patents, financial statements — anything that can be sold in the cyberunderground.</p>
<p>&#8220;In most of the high-profile breaches we&#8217;ve seen in the past 12 months, hackers used social engineering to get an initial foothold inside the company,&#8221; says Hugh Thompson, RSA conference program committee chair. &#8220;It isn&#8217;t a generic stranger trying to deceive your employees; it&#8217;s someone who knows them through online reconnaissance.&#8221;</p>
<p><strong>Dark side</strong></p>
<p>Recent studies illustrate this dark side of social networking. Firewall maker Barracuda Networks analyzed Web traffic of 5,500 PC users in 20 nations and found one in 60 Facebook postings, and one in 100 Twitter tweets, carried malicious code.</p>
<p>&#8220;The dangers associated with social networking have climbed exponentially,&#8221; says Barracuda chief research officer Paul Judge.</p>
<p>Meanwhile, an analysis of Web traffic at 1,636 companies by firewall supplier Palo Alto Networks found a marked increase in employees&#8217; use of Facebook to run Web apps and games, not just read wall postings. In December 2011, employees used Facebook apps three times as often as they did in October 2010; and they used Twitter seven times as often.</p>
<p>Those increases tracked with an uptick in corporate use of Facebook and Twitter for marketing and recruiting, says Palo Alto senior security analyst Wade Williamson.</p>
<p>However, new Web apps are being pumped out so swiftly that many organizations aren&#8217;t able to fully grasp the security risks introduced by their employees trying out every cool new app that comes along, Williamson says.</p>
<p>What&#8217;s more, companies now routinely permit employees to connect their personally owned smartphones and tablet PCs into company systems, creating myriad fresh pathways into corporate networks.</p>
<p>Apple recently had to quell a furor over disclosures that social network Path and several other makers of apps for iPads and iPhones routinely collected and stored the contents of users&#8217; address books — without asking permission.</p>
<p>The Path revelation underscored how intrinsically porous services delivered to PCs and mobile devices from the Internet cloud can be. Cybercriminals, of course, long ago realized this and continue to take full advantage.</p>
<p>A recent Juniper Networks survey of applications available for all mobile device operating systems, except Apple&#8217;s iOS, tallied 28,472 malicious mobile apps in 2011, a 155% increase from the 11,138 malicious apps that existed in 2010. (Apple does not make iOS apps available for independent inspection.)</p>
<p>&#8220;Companies are going to have to learn exactly which applications are on their networks, who is using them, why they&#8217;re being used and make sure they are being used securely,&#8221; Williamson says.</p>
<p>Some companies have already begun doing just that. Haworth&#8217;s Kortering was persuaded to upgrade to a next-generation firewall from that can distinguish traffic going to and from specific applications, and block very specific types of traffic deemed non-productive or too risky.</p>
<p>&#8220;The easiest thing would be to block everything,&#8221; says Kortering. But &#8220;we block what we feel is outside of our policies and values.&#8221;</p>
<p>Waqas Akkawi, director of information security at global moving company SIRVA, is keeping much closer watch on his company&#8217;s network, too. Last fall, SIRVA purchased cutting-edge network access control (NAC) technology from ForeScout Technologies to meticulously manage who gets to log into its networks and to block any malicious programs trying to load from specific devices.</p>
<p>Many of SIRVA&#8217;s 3,000 employees, and most of its customers, log in to the company&#8217;s network remotely. &#8220;I could not say no to anybody because they&#8217;d say, &#8216;Hey, you&#8217;re limiting revenue generation,&#8217; &#8221; Akkawi says. &#8220;So I said, &#8216;No problem, you can bring it in.&#8217; &#8221;</p>
<p>Sales of next-generation firewalls and NAC systems are expected to grow robustly over the next five years as more companies come to grips with rising security threats. Many will discover that limiting employee access to social networks and Web apps can also directly help the bottom line, says Chris Rodriguez, network security analyst at Frost &amp; Sullivan.</p>
<p>Haworth, for instance, has used its new firewall to restrict employees from watching streamed videos in the lunchroom because that activity was consuming bandwidth needed on the production side at the fixtures manufacturer. &#8220;There&#8217;s a lot to be said for the value security tools offer operational-wise, such as the ability to automate tasks and reduce lost productivity,&#8221; Rodriguez says.</p>
<p><strong>Unforeseen threats</strong></p>
<p>Even so, it is the capacity for new tools to help corporations protect against as yet unforeseen threats likely to arise from employees&#8217; escalating use of social networks, Web apps and mobile devices that&#8217;s generating buzz at the RSA conference.</p>
<p>Some security experts worry about the chronological nature of Facebook&#8217;s new Timeline interface, which went live for most users this month.</p>
<p>No evidence has surfaced that spear phishers have begun mining Timeline. And Facebook spokeswoman Meredith Chin says that Facebook essentially works the way it always has and that Timeline surfaces no new information, nor does it change any privacy settings.</p>
<p>However, a cottage industry appears to be taking shape to more systematically broker stolen Facebook account logons. Aviv Raff, chief technology officer at threat alert service Seculert, tracked down a criminal server set up to continually harvest data from tens of thousands of infected PCs. Raff found an unusual program running in the background.</p>
<p>&#8220;They created specific code to extract just the Facebook credentials,&#8221; Raff says. &#8220;We found logon credentials for over 45,000 different Facebook accounts.&#8221;</p>
<p>Criminals use stolen logons to pose as a trusted source in attempts to dupe employees into clicking a poisoned link or opening an infected document, says Anup Ghosh, chief scientist at browser security firm Invincea. &#8220;With Timeline,&#8221; he says, &#8220;literally years worth of status updates, photo uploads and links can be pored through to create convincing personalized messages.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Obama calls for a Consumer Privacy Bill of Rights</title>
		<link>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/</link>
		<comments>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/#comments</comments>
		<pubDate>Thu, 23 Feb 2012 14:40:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12126</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 23FEB2012, P1B The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights” as the linchpin for a drive to get Congress to pass new laws protecting consumers’ privacy as they surf the Internet. The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12127" href="http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/barack-obama150px/"><img class="alignleft size-full wp-image-12127" title="Barack Obama150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Barack-Obama150px.jpg" alt="" width="150" height="151" /></a>By Byron Acohido, USA TODAY, 23FEB2012, <a href="http://www.usatoday.com/tech/news/story/2012-02-23/ftc-consumer-internet-privacy/53213162/1">P1B</a></p>
<p>The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights” as the linchpin for a drive to get Congress to pass new laws protecting consumers’ privacy as they surf the Internet.</p>
<p>The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general from 35 other states sent a letter to Google complaining about a new privacy policy which will give the search giant greater latitude to track people using computers and mobile devices, with no way to opt out of being tracked.</p>
<p>One of the seven privacy rights, unveiled at a press conference by Commerce Secretary John Bryson, guarantees consumers the “right to exercise control over what personal data organizations collect from them and how they use it.”</p>
<p>The Commerce Department will now commence a series of meetings inviting privacy advocates, consumer groups and key players in the tech and online advertising industries to hash out “enforceable privacy policies,” Bryson said.</p>
<p>In a statement, President Obama said, “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online. As the Internet evolves, consumer trust is essential for the continued growth of the digital economy.”</p>
<p>Meanwhile, the Digital Advertising Alliance, an industry trade group, announced it has begun work on a more visible and effective Do Not Track mechanism to add to a self-policing system in effect for all of the consortium’s members. The Federal Trade Commission separately has backed a call for a Do Not Track system buttressed by new federal laws.</p>
<p>Daniel Weitzner, the White House deputy chief technical officer, said the Obama Administration’s goal is to get Congress to draft and pass new privacy laws using the privacy bill of rights as a framework.</p>
<p>“We now have a much more focused blueprint,” Weitzner said. “We’ll use our bully pulpit to get legislation passed based on these principles.”</p>
<p>The push comes as Google, Facebook and Apple have come under fire from some members of Congress and the FTC for tracking consumers as they use their PCs and mobile devices on the Internet, often without asking permission.</p>
<p>The attorneys general are seeking a delay in implementation of Google&#8217;s new privacy policy &#8212; which is set to take full effect on March 1. The AGs now join several members of Congress and numerous privacy advocates and consumer groups in protesting the fact that anyone who uses multiple Google services cannot opt out of the new policy, which makes it easier for Google to cross-reference activities across its most popular services, including search, Gmail, Google Apps, YouTube, Picasa and Google+.</p>
<p>The Obama administration recognizes that “we need to make meaningful changes to preserve consumer trust and confidence,” says Craig Spiezle, executive director of the non-profit Online Trust Association. “At the same time, we need to preserve innovation. Balancing the two is a challenge.”</p>
<p>Getting a divided Congress to pass any hard-edged privacy legislation is another challenge.</p>
<p>&#8220;The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have in their inevitable attempt to water down the rules that are implemented and render them essentially meaningless,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;I am skeptical about the &#8216;multi-stakeholder process&#8217;, but am willing to make a good faith effort to try it.&#8221;</p>
<p>Simpson and others remain concerned about the Commerce Department&#8217;s role in shaping consumer privacy protections. &#8220;Commerce&#8217;s job &#8212; quite correctly &#8212; is to promote the interests of business, not protect consumers,&#8221; he says. &#8220;If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft-Google privacy tussle widens spotlight on invasive practices</title>
		<link>http://lastwatchdog.com/microsoft-google-privacy-tussle-widens-spotlight-invasive/</link>
		<comments>http://lastwatchdog.com/microsoft-google-privacy-tussle-widens-spotlight-invasive/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 18:07:20 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12112</guid>
		<description><![CDATA[By Byron Acohido USA TODAY, 22Feb2012, P1B Mud-slinging between tech rivals is nothing new. But the red hot issue of online privacy has pushed it to another level. Last week Google scrambled to deflect criticism that it tracked the online activities of users of Apple’s Safari web browser against their wishes, by circumventing an anti-tracking [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12113" href="http://lastwatchdog.com/microsoft-google-privacy-tussle-widens-spotlight-invasive/ie-logo150px/"><img class="alignleft size-full wp-image-12113" title="IE logo150px" src="http://lastwatchdog.com/wp/wp-content/uploads/IE-logo150px.jpg" alt="" width="150" height="146" /></a>By Byron Acohido</p>
<p>USA TODAY, 22Feb2012, <a href="http://www.usatoday.com/tech/news/story/2012-02-21/google-microsoft-browser-privacy/53198146/1http://">P1B</a></p>
<p>Mud-slinging between tech rivals is nothing new. But the red hot issue of online privacy has pushed it to another level.</p>
<p>Last week Google scrambled to deflect criticism that it tracked the online activities of users of Apple’s Safari web browser against their wishes, by <a href="http://lastwatchdog.com/google-takes-heat-tracking-safari-users-wishes/">circumventing</a> an anti-tracking mechanism.</p>
<p>On Tuesday the search giant <a href="http://www.zdnet.com/blog/bott/google-defense-cites-study-arguing-for-stronger-privacy-regulation/4538">lashed out</a> at Microsoft in response to allegations that it has been doing much the same to users of the Windows Internet Explorer browser.</p>
<p>Google and Facebook have been <a href="http://lastwatchdog.com/google-congress-deleting-profiling-data-not-practicable/">under pressure</a> from Congress and the Federal Trade Commission to disclose more about their tracking techniques.</p>
<p><strong>Widespread tracking</strong></p>
<p>Ironically, this latest tempest, stirred up by Microsoft, could widen the spotlight and invite scrutiny of Microsoft’s own tracking practices, and those of Microsoft, Apple, Twitter, Amazon and thousands of web companies in the hunt for online advertising revenue, says Al Hilwa, software applications analyst at IDC.</p>
<p>“The web industry has gravitated towards advertising as the primary source of income and (tracking) data is the fuel the industry runs on,” Hilwa says.</p>
<p>In a <a href="http://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx">blog posting</a> on Monday, Microsoft corporate vice-president Dean Hachamovitch accused Google of issuing tracking mechanisms designed to bypass technology called P3P. Internet Explorer uses P3P to screen the privacy policies of any entity engaged in online tracking to determine if they’re up to snuff.</p>
<p>Google senior vice president Rachel Whetstone responded by blasting P3P as “largely non-operational.” As proof, she pointed to a 2012 Carnegie Mellon <a href="http://www.cylab.cmu.edu/research/techreports/2010/tr_cylab10014.html">research report</a> revealing some 11,000 websites routinely bypass P3P.</p>
<p><strong>&#8216;We have to lie&#8217;</strong></p>
<div id="attachment_12114" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-12114" href="http://lastwatchdog.com/microsoft-google-privacy-tussle-widens-spotlight-invasive/lorrie-cranor90px/"><img class="size-full wp-image-12114" title="lorrie Cranor90px" src="http://lastwatchdog.com/wp/wp-content/uploads/lorrie-Cranor90px.jpg" alt="" width="90" height="126" /></a><p class="wp-caption-text">Cranor</p></div>
<p>The professor who ran that study, Lorrie Faith Cranor, says many website operators bypass P3P by mistake, while others do it on purpose to circumvent Microsoft’s attempt at grading privacy policies.</p>
<p>Google and Facebook, Cranor says, are in the latter group. Each uses tracking mechanisms that bypass P3P to support popular features, such as Facebook’s Like button and Google’s Gmail logon services. Otherwise those features would not work.</p>
<p>“Google essentially says, ‘we have to lie because if we didn’t lie we couldn’t do these cool features,’” Cranor says.</p>
<p>Whetstone contends that channeling tracking mechanisms through P3P makes little sense. “It is impractical to comply with Microsoft’s request while providing modern web functionality,” she says.</p>
<p>Hachamovitch, meanwhile, insists that Google should “commit to honoring P3P.”</p>
<p>Yet, the 2010 Carnegie Mellon study found even some Microsoft websites bypass P3P, as do sites from Godaddy, Hulu and Amazon.</p>
<p>“My students and I discovered that Google, Facebook and thousands of others essentially have bogus privacy policies,” Cranor says. “In some cases they put them in place on purpose. In other cases, it may be mistakes in computer code, or the person running the website might be doing whatever it takes to make it (tracking mechanism) run properly.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/microsoft-google-privacy-tussle-widens-spotlight-invasive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google takes heat for tracking Safari users against their wishes</title>
		<link>http://lastwatchdog.com/google-takes-heat-tracking-safari-users-wishes/</link>
		<comments>http://lastwatchdog.com/google-takes-heat-tracking-safari-users-wishes/#comments</comments>
		<pubDate>Fri, 17 Feb 2012 23:23:31 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12100</guid>
		<description><![CDATA[Yet more evidence of the gold rush to harvest and store profiling data on Internet users: Google came under fire today by several members of Congress after a Stanford University grad student disclosed how the search giant has been tracking the online activities of users of Apple&#8217;s Safari web browser, despite the default use of [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12101" href="http://lastwatchdog.com/google-takes-heat-tracking-safari-users-wishes/spyeye/"><img class="alignleft size-full wp-image-12101" title="SpyEye" src="http://lastwatchdog.com/wp/wp-content/uploads/SpyEye.jpg" alt="" width="150" height="142" /></a>Yet more evidence of the gold rush to harvest and store profiling data on Internet users:</p>
<p>Google came <a href="http://content.usatoday.com/communities/technologylive/post/2012/02/google-facing-congressional-backlash-over-tracking-of-safari-users-/1#.Tz7cy8pAdAE">under fire</a> today from several members of Congress after a Stanford University grad student disclosed how the search giant has been tracking the online activities of users of Apple&#8217;s Safari web browser, despite the default use of a browser mechanism to block such tracking.</p>
<p><a href="http://lastwatchdog.com/false-fears-spread-track-privacy-mechanism/">Jonathan Mayer</a>, a grad student and privacy researcher, wrote about Google&#8217;s Safari tracking techniques in <a href="http://webpolicy.org/2012/02/17/safari-trackers/">this blog posting</a>. Mayer&#8217;s findings got wide attention after the Wall Street Journal featured them in a news story published Friday morning.</p>
<p>Rachel Whetstone, Google&#8217;s senior vice president of communications and public policy, says the Journal &#8220;mischaracterizes what happened and why.&#8221;</p>
<div id="attachment_12107" class="wp-caption alignleft" style="width: 86px"><a rel="attachment wp-att-12107" href="http://lastwatchdog.com/google-takes-heat-tracking-safari-users-wishes/rachel-whetstone76px/"><img class="size-full wp-image-12107" title="Rachel Whetstone76px" src="http://lastwatchdog.com/wp/wp-content/uploads/Rachel-Whetstone76px.jpg" alt="" width="76" height="103" /></a><p class="wp-caption-text">Whetstone</p></div>
<p>Whetstone says the Safari browser &#8220;contained functionality that then enabled other Google advertising cookies to be set on the browser.&#8221; She says Google&#8217;s engineers &#8220;didn&#8217;t anticipate that this would happen.&#8221; The search giant has started removing these advertising cookies from Safari browsers, she says.</p>
<p>Even so, backlash has followed. Rep. Mary Bono Mack, R-Calif., is asking Google to reappear before Congress to explain how it tracks the online activities of iPhone and iPad users. Bono Mack moderated a closed door briefing two weeks ago at which two Google executives answered questions about a major privacy policy change the search giant is about to make.</p>
<div id="attachment_11895" class="wp-caption alignleft" style="width: 112px"><a rel="attachment wp-att-11895" href="http://lastwatchdog.com/larry-page-show-testify-congress/mary-bono-mack_102px/"><img class="size-full wp-image-11895" title="Mary Bono Mack_102px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mary-Bono-Mack_102px.jpg" alt="" width="102" height="130" /></a><p class="wp-caption-text">Bono Mack</p></div>
<p>&#8220;Google has some tough new questions to answer in the wake of this latest privacy flap, and that&#8217;s why I am asking them to come in for another briefing,&#8221; says Bono Mack. &#8220;These types of incidents continue to create consumer concerns about how their personal information is used and shared.&#8221;</p>
<p>Meanwhile, Representatives Ed Markey, D-Mass., Joe Barton, R-Tex., and Cliff Stearns, R-Fla., fired off a letter to the Federal Trade Commission asking the agency to investigate whether Google&#8217;s Safari tracking violates a standing consent order that restricts Google from misrepresenting its privacy policies.</p>
<p>&#8220;Google&#8217;s practices could have a wide sweeping impact because Safari is a major web browser used by millions of Americans,&#8221; the letter states. &#8220;We are interested in any actions the FTC has taken or plans to take to investigate whether Google has violated the terms of its consent agreement.&#8221;</p>
<p>Sen. Jay Rockefeller, D-WV, weighed in, indicating Google may have to answer to the U.S. Senate, as well.</p>
<p>&#8220;According to press reports, Google circumvented consumer choice and may have paved the way for third-party ad networks—including Google&#8217;s own DoubleClick—to track consumers against their will,&#8221; says Rockefeller. &#8220;If so, this practice may have violated the company&#8217;s own stated privacy practices. I fully intend to look into this matter and determine the extent to which this practice was used by Google and other third parties to circumvent consumer choice.&#8221;</p>
<p>The FTC already is dealing with legal action taken last week by the Electronic Privacy Information Center asking a federal court judge to order the agency to enforce that same standing consent order Markey, Barton and Stearns want applied to the Safari tracking snafu. EPIC filed suit to get the FTC to enforce the consent decree to stop Google from making a sweeping privacy policy change on March 1. Should Google move ahead with that March 1 change, it can begin to more readily index and profile users of its search, Gmail, Google Apps, YouTube, Picasa and other popular services. And consumers wishing to patronize more than one of these free services will have no way to say no to such profiling practices.</p>
<p>EPIC also wrote to the FTC today, urging the agency to enforce the consent order with respect to Google&#8217;s practices tracking Safari users. EPIC&#8217;s letter contends that Google &#8220;took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained.&#8221;</p>
<p>Mayer, the Stanford researcher, also described how the techniques Google has been using to track Safari users have been used by three other online ad companies: Vibrant Media, Media Innovation and PointRoll, whose parent company is Gannett, USA TODAY&#8217;s parent company.</p>
<p>A Gannett spokeswoman told the Wall Street Journal that the Safari tracking techniques PointRoll uses were part of a limited test.</p>
<p>&#8211;Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-takes-heat-tracking-safari-users-wishes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

