Competition in privacy policies finally starting
For many years privacy advocates have claimed that if users were fully informed and aware of privacy policies then they would vote with their feet. Privacy policies would become part of the free market decision making process, in addition to price, brand, reputation, convenience, etc.
It appears this process is actually starting to take place in one industry: search engines. It is likely that they have been the first because of the significant public focus on privacy issues around search over the last few years.
First Google said they would “anonymize” their logs after 18 months, which they later shortened to 9. Yahoo countered with 13 months and has now gone to 90 days. I talked about Google’s 18 month policy back in March 2007. In August 2007 I mentioned a CNET Report on privacy ratings for Search engines.
This tit for tat shortening of the identifiable log retention policies suggests that pressure around this issue is meaningful to the search engine giants. What is somewhat less clear is whether the pressure is from the market, or from the media / politicians / government.
It is still the case that the logs are not actually deleted, but rather the source IP address and user ID cookies are stripped out. There is a good Wikipedia article on the scandal around a release of “anonymized” AOL search information, and how it was still possible to identify individual users in the data.
The real proof of this trend towards privacy policy competition will be when we see elements of privacy policies being promoted front and center on diverse websites as part of their competitive positioning / marketing.
- Lance Cottrell
December 23rd, 2008 at 12:37 pm
Hi Lance, I just discovered today that using Anonymizer TNS (total net shield) is next to useless for average web users like me.
I clicked on a site called http://www.decloaked.net and it correctly gave both the anonymizer IP and MY REAL IP. This site uses both java script and flash in order to find my real IP address.
I called your office and the tech support lady seemed baffled why I’d be concerned that my IP was “leaking”…..this after paying your company to effectively anonymize my browser!
WTF? I told her that I did a quick google search to find firefox tools that would give me a browser “switch” to disable flash and java, and found a number of them, but could she please recommend the best one? Once again…..”crickets”….
I wonder how many of your loyal customers, LIKE ME, have been under the misguided assumption that we are “anonymous” to websites, when this simple decloaking script can ferret out our real ID IP, without even viewing flash or using java apps?
December 29th, 2008 at 10:30 am
It is a big concern that the search engines are keeping and releasing this information. Thank you for publishing this information so we can be informed consumers.
January 9th, 2009 at 4:42 pm
@Bob,
I tried that site several times and it never came up.
Also, to be a bit extra safe with firefox, I recommend no script.
January 11th, 2009 at 6:24 pm
Bob, the problem here is with active content. We have researched that website. What it is doing is having you run a local program on your computer that makes a connection out which bypasses the Anonymizer proxies. This is why our documentation suggests that you disable active content.
Once you allow a hostile website to run things on your computer, you are basically toast. They could disable local software, and even send your personal information directly from your hard drive over the Internet to the attacker.
I am sorry to hear that you did not get a good answer from our support. Firefox has reasonable setting built right in to the browser for blocking this kind of content. I don’t think we have a current recommendation for a best of breed tool to bring this to the front in FireFox.
January 20th, 2009 at 2:53 am
Hi Lance
What records are maintained and released at Anonymizer.com in comparison to the big search engines? How does the USA PATRIOT Act impact the privacy of Anonymizer.com users?- Thanks
January 20th, 2009 at 3:19 pm
Great question. Anonymizer has a significant amount of information about our customers based on their billing information. That would include name, address, CC number etc. That would be discoverable.
We keep no information at all about what users look at using Anonymizer for Web surfing. Since there are no logs of that, they can not be captured by government order.
In general we keep the absolute minimum amount of information required to actually deliver our services.
The PATRIOT Act has not imposed any obligation to create or maintain usage records, so it has not had any real impact.
January 28th, 2009 at 11:20 am
Will you inform us if in fact Anonymizer does become obligated to create or maintain usage records?
January 29th, 2009 at 1:19 pm
Will Anonymizer equip their software with 1024 bit encryption?
January 29th, 2009 at 1:29 pm
Hubert, yes I will certainly make it public should law or policy change to require us to create or maintain usage records.
January 30th, 2009 at 6:25 am
Rob, the full time SSL in the anonymous surfing is already 1024 bit RSA for the public key side. Were you thinking of a different part of the application?
March 14th, 2009 at 4:15 am
It’s the first time I comment here and I must say you share genuine, and quality information for other bloggers! Great job.
p.s. You have an awesome template . Where have you got it from?
March 19th, 2009 at 2:28 pm
I found a very private Search engine called ixquick.com They do not even save your IP address. and there is a SSL option available for sensitive searching.
March 20th, 2009 at 5:51 am
G: It is good to be able to search without them keeping your IP, but you are vulnerable again as soon as you click on any of the search results and leave the search engine sight. That is why I think that privacy tools need to be separated from the sites that are being visited. It also eliminates some conflicts of interest.
Hydraulic Jacks: Thanks. Our web design team did the template internally.
May 4th, 2009 at 3:28 pm
Would it be possible in the future to increase the Total Net Shield SSH tunneling from 128-bit (correct me if I’m wrong) to 384-bit or 512-bit?
May 21st, 2009 at 5:39 am
We are doing a re-design on all of our products, which will include improvements to the encryption.
I think you might be confusing the public key lengths with symmetric key length. 128 bits is quite good for symmetric keys. 256 bits is the longest symmetric key used in standard encryption systems.
Public keys need to be much longer to get the same level of security. 1024 bits is the minimum. 4096 bits is much better but rarely used.
June 15th, 2009 at 4:53 pm
I’ve noticed in IE Lan Settings in Proxy Settings; Advanced, under Servers, the “Socks” area is blank. Despite having checked “Use the same proxy server for all protocols.”, an IM service reports its connections are through normal or rather direct connections without a proxy. But when say a program called HTTP-Proxy is configured, the socks is sucessful and thus the IM service says so. Could this mean Total NetShield doesnt protect Live Messenger, except Yahoo..
June 23rd, 2009 at 3:05 am
That is interesting. I know my team has already seen your post and is looking in to this. Each IM protocol needs to be handled by Total Net Shield in a different way. We will be coming out with a completely new version of our services soon which bypasses this issue.
December 9th, 2009 at 12:13 am
I have switched to http://www.vpnmessenger.com, because of this issue, this offers full IP address change
May 12th, 2010 at 6:52 pm
Interesting blog post, thanks for sharing it with us.