There is an interesting discussion at the Freedom-to-Tinker site http://bit.ly/2AzKTDV about data collection services that invisibly place JavaScript in browsers and subsequently permit form-fill pages to enter user passwords at some websites. User interaction is not required for the collection services to intercept user information.
In Security Now Episode 644, at the 17-minute mark, Steve Gibson provides an interesting summary of the disturbing data-intercept process.
According to the reports, an alarmingly long list of “socio-demographic” information is collected including date of birth, occupation, loans, insurances, vehicle make and model, sexual preferences, and many other items. Users are typically unaware that the websites employ the data collection services. According to the reports, names and addresses are not collected.
Does the Unlawful Intercept Law Apply?
18 U.S. Code 2511 states in part that it is unlawful to intentionally intercept any wire, oral, or electronic communication. There are exemptions in the law, of course, but I am having trouble finding the exemption that permits sneaky scripts and automatic password filling features to be placed on a user's browser without their consent.
I am left to wonder how this behind-the-scenes scripting and password capturing is NOT a violation of telecommunications intercept laws. Where did users give away those privacy rights? Is there an exemption clause buried in a user agreement somewhere at the data-sucking websites?
Dodging those Spies
After reading the Freedom-to-Tinker article and listening to Security Now, I opened my various browsers one at a time and “opted-out” at http://static.audienceinsights.net/ and then also blacklisted the following sites from each of my browsers:
static.audienceinsights.net
api.behavioralengine.com
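An added example, not part of the original post: a small audit that checks a saved page's HTML for scripts, images, frames, links or form targets served from the two hosts listed above or their subdomains. The sample page, its paths and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two hosts the post blacklists.
BLOCKED_HOSTS = {"static.audienceinsights.net", "api.behavioralengine.com"}

# Tags and the attribute through which each can load third-party content.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}

def is_blocked(url, blocked=BLOCKED_HOSTS):
    """True if the URL's host is a blocked host or a subdomain of one."""
    # urlsplit also handles protocol-relative URLs (//host/path);
    # relative URLs have no host and are never flagged.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return any(host == b or host.endswith("." + b) for b in blocked)

class TrackerAudit(HTMLParser):
    """Collects (tag, url) pairs that reference a blocked host."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url and is_blocked(url):
            self.hits.append((tag, url))

def audit(html):
    parser = TrackerAudit()
    parser.feed(html)
    return parser.hits

# Constructed sample page, not taken from any real site. The second and
# third scripts only look similar to the blocked hosts and must not match.
SAMPLE = """
<html><head>
<script src="//static.audienceinsights.net/t.js"></script>
<script src="https://example.com/static.audienceinsights.net.js"></script>
<script src="https://notapi.behavioralengine.com.example.org/x.js"></script>
</head><body><img src="https://API.behavioralengine.com/p?x=1"></body></html>
"""

if __name__ == "__main__":
    for tag, url in audit(SAMPLE):
        print(tag, url)
```

This inspects static HTML only; scripts injected at run time by other scripts do not appear in a saved page, so browser-level blocking remains the actual control.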
More Browser-Tightening
The secret scripting approach to surreptitiously collecting user information by the data collection services is disturbing. I hope that security-conscious browser vendors will act to further tighten security for the purpose of thwarting the data pirates.
=-=-=-=-=-=
Thanks to Gunes Acar for his work and Steve Gibson for his analysis on this topic.
=-=-=-=-=-=
References
Acar, G. (December 27, 2017). No boundaries for user identities: Princeton Web Transparency & Accountability Project. Web trackers exploit login managers. Freedom To Tinker. Retrieved from https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/#comment-28994
Gibson, S. (January 2, 2018). Security Now Episode 644. (Video beginning at 17-minute mark). Retrieved from https://twit.tv/shows/security-now/episodes/644 Transcript retrieved from https://www.grc.com/sn/sn-644.htm
U.S. Code › Title 18 › Part I › Chapter 119 › § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited. Retrieved from https://www.law.cornell.edu/uscode/text/18/2511
=-=-=-=-=-=
What is the difference between Java and JavaScript?
See: https://java.com/en/download/faq/java_javascript.xml
What is HTML?
See: https://www.computerhope.com/jargon/h/html.htm
What is a Browser?
See: https://www.computerhope.com/jargon/b/browser.htm
=-=-=-=-=-=