Archive for November, 2007

Consumer Advocates Seek a ‘Do-Not-Track’ List - New York Times

Thursday, November 15th, 2007

Consumer Advocates Seek a ‘Do-Not-Track’ List - New York Times

This idea of a “do not track” list is very interesting but also very problematic. Right off the bat is the problem of how a website would know NOT to track you. If the default is that you be tracked, you would need to pass some kind of token to every website that you wish not to track you. This would probably be a cookie, which would be vulnerable to deletion every time a user clears her cookies. It also puts the responsibility on the user to keep track of all the websites which might track her information and maintain that preference across all of them.

This is very different from the phone-number-based “do not call” list, where the marketer can check against a list of numbers they should not call. In this case, the user hits the website out of the blue, and the website needs to work out whether to track or not. One solution would be for there to be some kind of universal identifier that all websites could check against the list, but this is certainly replacing one kind of tracking with a much worse kind.

This could all be avoided if the default was set to “do not track” and users could opt in. Of course, almost no one would bother to opt in to the targeted tracking. This is a problem because it is exactly this kind of targeted advertising that makes so many free Internet services possible right now. Without ad targeting the advertising revenue would likely be too low to make the services viable.

As usual, I am in favor of the user-controlled opt-out of privacy technology, without requiring the consent or support of the tracking websites. If you don’t want to be tracked, tools exist (like Anonymizer) to prevent that tracking. Just use them.

Steroid bust shows Feds can still get at “private” and “secure” e-mail

Friday, November 9th, 2007


Steroid bust shows Feds can still get at “private” and “secure” e-mail

It appears that Hushmail was able to turn over cleartext emails to the government when presented with a court order. This points out the importance of understanding the security model of the security tool you are using. For example, secure (SSL-protected) web pages only protect the data as it moves between your browser and the remote web server. SSL does nothing at all to protect the data once it arrives.

Incorrect assumptions about a security model can lead you to take actions that you might not otherwise. This can put you at significant risk. Many solutions are very robust against specific threats while offering no protection at all against other threats. Understanding what is and is not protected by a solution is critical BEFORE you actually start to use it to protect important information.

Yahoo scolded for helping China imprison dissident - MSN Money

Friday, November 9th, 2007

Yahoo scolded for helping China imprison dissident - MSN Money

Yahoo! was taken to task in a congressional hearing for handing over information to the Chinese government that led to the imprisonment of a dissident reporter. There is certainly much that could be said about standing up to oppressive governments and the risks of locating infrastructure in such countries.

I think one of the most important lessons to take away is to take more personal responsibility for your own security and privacy. Information collected by the services we all use is archived almost indefinitely. Today the problem may be China, but who knows which government may turn oppressive over the next 10 years. Even the US government has a history of witch hunts.

Internet users must be proactive about their security. Tools exist to enable people in China to use the Internet freely without any censorship or monitoring. Anonymizer provides such a service free to Chinese users. A number of other organizations do the same. Encryption, anonymity, and privacy tools can largely de-claw the modern police state, but only if they are used consistently.