Thursday, June 23, 2005

Jupiter Research: Most Experienced Web Users Also Most Likely Cookie Deleters

THE MOST AFFLUENT CONSUMERS, AND those who have used the Internet for the longest period of time, are also the most likely to delete cookies, according to a new Jupiter Research report. The recent study, "Profile of the Cookie Deleter," follows up on a Jupiter Research study released in April that stunned the online ad industry with the revelation that 40 percent of Internet users delete cookies at least once a month. Both reports were based on the same March survey of 2,337 online adults.

Sixty percent of consumers who have been online for more than five years reported deleting cookies, compared with 34 percent of consumers who have only been online for less than one year, according to the new report. Households with incomes over $60,000 a year also were more likely to delete cookies than less affluent households.

The recent report further revealed that a high proportion of consumers manually erased cookies, as opposed to using software to do so. Fifty-six percent of male respondents and 47 percent of female respondents said they manually rid their computers of cookies. Thirty percent of men said they use cookie-deleting applications, as did 24 percent of women; 31 percent of men and 20 percent of women said they actively block new cookies.

The findings indicate that people who are more experienced in Internet use also are the most motivated to take steps to protect themselves online--regardless of whether those steps are misplaced, said Eric Peterson, the Jupiter Research lead analyst on the report.

"There's a disconnect between tenure and understanding," said Peterson. "Tenure correlates well with interest and motivation and the ability to download anti-virus applications," he said. But he added that online experience doesn't necessarily go along with understanding the inner workings of browsers or online security and privacy.

When questioned about their attitudes toward cookies, about four out of 10 respondents indicated they believed that deleting or blocking cookies protected online privacy and security. At the same time, only about three out of 10 respondents agreed that cookies saved them time online, by rendering it unnecessary to reenter information on Web sites.

Consumers showed a clear age divide when it came to paying attention to privacy or security. Only 33 percent of respondents between the ages of 18 and 24 said they paid attention to stories and articles about Internet privacy and security, compared to 62 percent of those ages 45 and older.

After Jupiter Research released its April report on cookie erasures, other similar reports emerged. For example, earlier this month, BURST! Media reported that 38 percent of consumers said in a recent survey that they deleted cookies at least once a month.

Monday, June 20, 2005

Working on a computer? Mum's the secret password

By Carissa Hohmann
TX. Weber High

We live in an "easy access" world. We like things simple, we like things fast, and we don't have time for complications.

In our fast-paced, frozen-pizza lives, we often eliminate even the complications meant to protect us. Time is one of our biggest worries, so without a thought, we often gamble with our own security just to gain a few more precious seconds.

This flaw is especially true when it comes to the Internet. Many teens think of the Internet as one big playground. And why shouldn't they?

The Internet is a place where things can be bought without spending gas money, friends can be talked to without making eye contact and homework can be done without library books. It makes things fast, simple and, consequently, perfect for us.

But that assumption is wrong.

Internet accounts also hold loads of personal information, and information means power. As intimidating as it sounds, it's true: Nothing can be bought without a credit card number, no registration can be completed without a date of birth, and no friendly e-mail can be stored without personal information enclosed. The Web knows a lot about you, and it could turn on you at any moment.

You're probably thinking, "I am smart with my information," so this doesn't apply to you. You know there are safeguards to protect your parent's credit card number every time you order off eBay. You don't pass important personal information and numbers out like cookies while on the Web. Up to this point, you probably think you're pretty savvy.

However, only one thing is stopping the whole world from accessing any information you have ever given out or received on the Web, and that one thing is a word -- your password.

That single word has more power than you think.

Many teens -- and adults -- fail to think of their passwords as gateways to highly personal information.

"My good friend has my passwords," said Weber High junior Logan Bell. "I trust her, so I know that she wouldn't, like, tell anyone in the world about it."

Yet, if your password were to fall into the wrong hands, culprits could easily begin their games of manipulation and deceit. Once inside your account, anyone can be you. They can read messages you've received, delete messages so you'll never receive them and even write nasty messages with your own good name attached.

To save time and hassle, passwords are revealed over cellphones, taped to the monitor of the family computer, programmed automatically into systems and shared nonchalantly with best friends.

Those are some of the worst mistakes you can make, security-wise. You never know who is listening when you are on a phone. Believe it or not, you might not be alone when you believe you are, people might be listening when you trust they're not, and you might be talking louder than you think you are.

You may still be thinking you always know who's on your computer, who's listening and who you can trust, so none of the above applies to you. You are wrong.

People can be curious, people can be tempted, and people can be brutal. No one really knows what other people are capable of.

Do not share your password, even with your closest friend. High school is an especially vulnerable time for manipulators, and keeping your business to yourself is one of the finest precautions you can possibly take to protect yourself.

Prevention is the best way to avoid complications, which just waste time. So, do yourself a favor and save time -- and, possibly, money -- by taking the time and effort necessary to keep your passwords safe. It's simple, and it might save you a lot more time than it ever cost you.

That's right, it's going to save you time and energy, and we all know how much we like the idea of that.

Carissa Hohman will be a Weber High senior this fall. E-mail her at pariskrod@msn.com.

Friday, June 17, 2005

Marketers seek to make cookies more palatable

Online marketers are scrambling to protect one of the key tools of their trade: the cookie.

Faced with reports showing that more and more computer users regularly delete the tracking files automatically downloaded by Web browsers, marketers and Web site publishers are launching a "cookies can be good for you" campaign. They argue that cookies -- small files that Web sites use to identify users and to serve up targeted ads -- don't deserve their bad reputation and shouldn't be lumped together with such Web scourges as spyware and viruses.

"There is a culture of fear in the marketplace" when it comes to consumer attitudes toward cookies, says Nick Nyhan, president of New York-based Dynamic Logic Inc., which uses cookies to measure the impact of online ads for companies such as General Motors Corp., PepsiCo Inc. and Yahoo Inc. "The industry needs to respond to that fear."

Mr. Nyhan recently co-founded www.safecount.org, an organization aimed at putting a friendlier face on cookies. Microsoft Corp., a large Web publisher in its own right, is on the group's advisory board. One key goal of the group is to persuade companies that make antispyware programs to spare legitimate cookies when scanning users' computers for lurking threats. Many of these programs remove cookies when sweeping hard drives clean of unnecessary or harmful files.

Other industry groups have started task forces to address the cookie problem and have successfully lobbied Congress to keep cookies out of antispyware legislation. Meanwhile, marketers aren't betting the farm on being able to change attitudes toward cookies. Some companies are experimenting with creative, and sometimes controversial, approaches that would let sites serve up targeted ads even if a user has deleted his cookies.

Cookies date to the early days of the Web, and are important to helping Internet companies know who their users are. But in recent years, the emergence of spyware and viruses has made consumers increasingly suspicious about files that are automatically downloaded to their computers. Cookies are by and large benign compared with spyware, which is malicious software aimed at hijacking a user's computer or stealing personal data. Still, privacy advocates say computer users generally dislike the notion of being tracked online, even if their personal details aren't being used.

Marketers, meanwhile, counter that cookies serve plenty of useful features consumers may not realize -- such as automatically filling in a username on a site that requires logging in, or helping a weather site remember a ZIP Code so that it can show a local forecast on return visits.

Some marketers are starting to talk to Web publishers about the possibility of providing consumers more information about cookies and how they're used. For example, visitors to a Web site might click on a "more information" button next to an ad to find out about cookies. Such information might be helpful, says Charlie Tillinghast, publisher of MSNBC.com, but not if the notices only tell users they'll get more relevant ads if they allow cookies -- a common argument used by marketers to justify cookies. He suggests publishers focus on using cookies to provide personalized content and other information that gives "some real value back to the user."

Another possible strategy for online marketers: target makers of antispyware software who may be misleading consumers about the dangers of cookies, says Trevor Hughes, executive director of the Network Advertising Initiative, an industry group.

Mr. Hughes and others want software makers to draw a big distinction between spyware and cookies. When antispyware programs scan computers, they often turn up lists of hundreds or even thousands of unnecessary files. But the vast majority of those files tend to be cookies that users accumulate from visiting legitimate Web sites, and pose no security threat.

Major Web browsers already include a way for users to manage cookies, including whether to block them. As a default setting, Microsoft's Internet Explorer blocks some "third-party" cookies, which can be used by advertising companies to track users across multiple sites. (Some antispyware programs are more lenient to first-party cookies, or those downloaded directly from the Web site being visited.)

Microsoft's free antispyware program, still in a "beta" test version, doesn't detect cookies. "Since they are files, not programs, they do not pose a potential security threat like spyware and other potentially unwanted software," says Brendan Foley, senior product manager for Windows AntiSpyware. A spokeswoman for Microsoft says its role in Safecount, the pro-cookie group, is not a factor in its decision to not flag cookies in its antispyware program. She says the company continues to evaluate the antispyware program, and changes could still be made.

Safecount wants to create a "good list" of Internet companies that have shown they meet certain standards in their use of cookies, such as not collecting personal information like names, addresses and phone numbers of users. The group hopes to persuade the software makers to ignore such cookies when cleaning users' computers.

But some makers of antispyware programs doubt consumers would go for such a plan. "Most end users mistrust cookies," says Richard Stiennon, vice president of threat research at Webroot Software Inc., which makes a popular antispyware program called Spy Sweeper. He says many users of Spy Sweeper are as interested in removing unnecessary files that may be clogging their hard drives as they are in protecting themselves from scams. Such users aren't likely to distinguish between good and bad cookies.

One Internet marketing-services company that uses cookies, New York-based United Virtualities, says it has chosen to fight fire with fire rather than try to engage antispyware makers in talks. When antispyware companies use a "technology trick" to zap cookies, "the response has to be technological," says the company's founder, Mookie Tenembaum.

The company has begun marketing a technology known as a persistent identification element, or PIE. The tool uses features in Macromedia Inc.'s popular Flash software, which is used for designing and viewing animated online ads, to secretly make backup copies of a user's cookies before they are deleted. A handful of Web publishers and advertising companies are using the technology to track users, according to Mr. Tenembaum, though he declines to name them.

But some online marketers have objected to PIE, saying the practice is deceptive. Eric Peterson, an analyst with Jupiter Research, says the tool isn't the "right thing to do." Mr. Peterson wrote a report this year that drew attention to the problem of cookie deletion in the online ad business. It found that as many as 39% of online users may be deleting cookies monthly.

For its part, Macromedia, which recently agreed to be acquired by Adobe Systems Inc., has not received consumer complaints about the use of PIE, says Kevin Lynch, chief software architect. The company has posted instructions on its Web site to show consumers how to turn off the tracking feature.

Despite increased cookie deletion and cookie blocking, some online marketers say the Internet remains far more effective than other media in allowing marketers to measure consumer behavior. And online advertising continues to grow. In the first quarter, Internet ad revenue rose 26% to a record $2.8 billion, according to the Interactive Advertising Bureau.

"We need to untangle the issue of cookies from the darker regions of Internet mojo," such as spyware, says Jarvis Coffin, chief executive officer of Burst Media LLC, an online advertising broker. But "side by side with other media, I still think the Internet is doing an exceptional job."

Write to David Kesmodel at david.kesmodel@wsj.com

Wednesday, June 15, 2005

The Media Maze: The Illusion of Choice

When we give consumers more choice and, hence, control, are we really giving them what they want?


Conversations regarding the plethora of choice that people have today in terms of their media consumption are now a mainstay of marketing conferences and a given when planning advertising. So much so, it’s practically cliché to say that the modern consumer lives in a world rich with options, from what kinds of products to choose, to where they get their news and when they watch programming.

This unmooring of media from time and place is the next biggest thing happening to the consumption, impact and practice of media since the dawning of the commercial internet itself.

For the first online users with phone-cradle modems, or plodding through Prodigy’s walled garden on a 2,400 baud-rate modem, it might be hard to imagine how this is going to influence what I like to call the “always on” generation, but it should be among the primary concerns of marketers, advertisers, agencies and media companies alike when considering the architecture of media’s future.

PDAs, mobile phones, DVRs, laptops and PSPs are just the beginning. Think about a time when people will have inexpensive, high-resolution digital paper, to which can be downloaded regular updates of the day’s news by walking past (or through) a wireless network, with users setting up an auto-pay for a per-usage charge. Or have portable, expandable compact viewing screens on which to view programming on a whim.

The sociological implications are uncertain and tend towards both the utopian and the dystopian. For example, there may be democratized content and Thomas Friedman’s “flat world” of collaboration on the one hand and the replacement of practiced knowledge with information-by-reflex and actions borne without deliberation and a sense of consequence on the other.

What is certain now is that all of this lends itself towards more and more personalization of the products and media we consume.


By Jim Meskauskas

Longtime online users most likely to delete cookies, Jupiter says

The longer a consumer has been online, the more likely he is to report manually deleting cookies, according to a recent report from JupiterResearch. Jupiter found that only 34% of users online for less than a year say they delete cookies, compared with 60% of consumers with more than five years of online tenure.

In addition, men are slightly more likely to act against cookies than women, according to Jupiter. 56% of men say they manually delete cookies, 30% say they use applications that delete cookies, and 31% say they actively block cookies. That compares with 47%, 24% and 20% of women, respectively, Jupiter says.

Attitudes toward cookies also changed with age. Jupiter found that 28% of those ages 18 to 24 years old believe cookies are an invasion of online privacy and security, compared with 36% of those ages 25 to 34, 39% of those 35 to 44, 42% of those ages 45 to 54, and 43% of those ages 55 and older.

Behavioral Targeting Firm Hires Privacy Consultant

THE RELATIVELY NEW MARKETING TOOL of behavioral targeting--which, in some cases, depends on monitoring consumers as they go from page to page--already has raised eyebrows among both online executives and privacy advocates.

Now, in hopes of heading off privacy-related criticisms at the pass, behavioral targeting company AlmondNet recently tapped a privacy consultancy--Chapell & Associates--to develop a privacy strategy.

With the move, AlmondNet joins the growing roster of behavioral targeting companies that have recently hired privacy officers. Tacoda, for instance, hired former Real Media co-founder Mark Pinney as CFO and chief privacy officer last November. Claria, which recently launched a behavioral targeting network, also last year brought in a chief privacy officer--D. Reed Freeman Jr., a former Federal Trade Commission lawyer.

AlmondNet's business model differs slightly from companies such as Tacoda and Revenue Science--which use cookies to track users through specific publishers' sites--and Claria's, which relies on tracking the surfing behaviors of the 40 million users who have downloaded its ad-serving software.

AlmondNet uses cookies to track the search history of users across the Web, then serves ads to users based on their search history. To power its network, AlmondNet relies on partnerships with Internet service providers and adware companies.

The centerpiece of the company's current privacy policy is a link to the opt-out page on every ad they serve. The words "powered by AlmondNet" appear in the ad, and if users click on that link, they are taken directly to the opt-out page. The users must retain the company's cookie on their computer, however--if the file is deleted, the user will begin seeing AlmondNet ads again.

Roy Shkedi, the CEO of AlmondNet, said the company hasn't yet received any complaints about its privacy practices. "We want to have a privacy-friendly behavioral-targeted ad service, so we retained Chapell & Associates to help us make sure that our strategy is in the forefront," he said.

But it's clear that others in the industry are concerned about how consumers will respond to such techniques, especially as they become more common and better-known. Speaking at a behavioral targeting conference last month, Tribal DDB CEO Matt Freeman said: "How we do it will make all the difference ... We have a bad history of misusing the things we can do."

Alan Chapell, of Chapell & Associates, said that the behavioral targeting space has come under a good deal of scrutiny because of consumer ire over adware and spyware.

But, he said, best practices for behavioral targeting remain a bit murky. The dilemma facing the companies is that to effectively target ads, they need to have a lot of data collected about consumers, but consumers aren't always so interested in providing it. "You need to have a score of information on consumers, but consumers have indicated that they might not be comfortable with that level of data sharing," he said. "But on the other hand, they're also not comfortable with ads that are not relevant to them."

Privacy expert Ari Schwartz, an associate director at the Center for Democracy and Technology, said that devising best practices shouldn't be that difficult. Rules laid out in the late 1980s by the Paris-based Organisation for Economic Cooperation and Development are a good starting point, he said.

Those standards, initially created to guide governments in using data collected about citizens, state that information should be collected fairly and lawfully, with the consent of the subject. The guidelines also state that data should be collected with a specific purpose in mind at the time of collection, used only by the authority of law or with the consent of the subject, and kept secure. Companies collecting data should be open about their practices of collecting data, allow individuals to find out if there's any data about them, and be accountable for compliance with all standards.

In practice, companies that do not tie any identifiable personal data and delete the information after a short time would largely follow the OECD's guidelines. "If you're talking about the best practices, we would look towards something that deletes historical information, and does not [use] personally identifiable information," Schwartz said.

Tuesday, June 14, 2005

Privacy concerns lead reasons for cookie deletion

Concerns about privacy are a leading reason for consumers to delete cookies, according to a new study released by Burst Media. The study also found that 38.4% of those surveyed delete Internet cookies once a month.

44.9% of consumers surveyed said they delete cookies in the process of removing all unsolicited downloads and 44.6% said they delete cookies because they don’t want their web-surfing activities monitored.

Consumers also said they deleted cookies because they don’t feel personal information is safe when cookies are on their computers (34.6%); because their spyware program suggested they should (31.6%), and because they don’t want anyone to know when they’re on a web site (22.1%).

Men were more likely than women to say they have deleted Internet cookies, 54.5% versus 41.8%. One-third of respondents between 14 and 24 years of age, 52.6% of respondents between 25 and 54 years, and 47.4% of respondents 55 and older reported they have deleted cookies.

In the 25-54 years segment, 58.4% of men and 47.4% of women said they have deleted cookies. In addition, 60.6% of those who delete cookies say they delete all Internet cookies, 28.2% say they keep some cookies they know they need or want, and 11.2% say they only delete cookies from unfamiliar web sites.

When asked whether cookies should be eliminated, 26.5% said yes, 25.8% said no, and 47.7% said they were unsure, according to the Burst study.

Burst, an Internet ad services and sales rep company, surveyed more than 10,000 web users 14 years or older.

Monday, June 13, 2005

Advocacy Group Makes New Push To Dissuade Companies From Using Spyware

AS PART OF AN ONGOING initiative against spyware, the Center for Democracy and Technology has, in the last month, quietly reached out to ten Fortune 500 businesses which in the past have advertised with companies that have engaged in troubling practices. The hope, said Ari Schwartz, associate director at the center, is that the companies contacted will develop and implement guidelines that encourage transparency in advertising, and discourage the use of adware/spyware that is installed without users' permission. The center started with ten Fortune 500 companies, from a list of 25 drawn up by adware/spyware consultant Ben Edelman. All 25 have previously advertised online with companies known for questionable practices, said Schwartz.

The initiative is still in its early stages, Schwartz said. "We're seeing how to move forward, and how this will work out over time," he said.

At least a few major companies already follow guidelines that discourage spyware and some forms of adware. For instance, last July, Verizon Communications--after being named as a supporter of adware/spyware by Edelman in June 2004--announced that it would implement new adware guidelines. Among other requirements, the Verizon policies mandate clear branding of the source of pop-ups, easy-to-follow removal instructions, clear and conspicuous notice, and downloading processes that "ensure informed consent from computer users before the software is downloaded."

Some of the companies contacted by the Center for Democracy and Technology also have standards in place that prohibit spyware--but, said Schwartz, the chain of middlemen involved in online advertising makes it difficult for companies to even realize when their guidelines are violated.

by Wendy Davis, Monday, Jun 13, 2005 6:00 AM EST

Tuesday, June 7, 2005

Hotmail threatened by MSN flaw

A cross-site scripting security hole allowed malicious hackers to steal cookies from Hotmail users and get access to their accounts

Microsoft took part of its MSN Web site offline over the weekend, after it learned of a flaw that could let an attacker gain access to Hotmail accounts, the company said.

The MSN Web site, http://ilovemessenger.msn.com/, contained a so-called cross-site scripting flaw, a Microsoft representative said on Monday. In its initial review of the issue, the company found that an attacker could use the vulnerability to obtain "cookies" from Hotmail users by getting them to click on a malicious URL. That could then grant access to those email accounts, the representative said.

Hotmail is one of the world's most popular Web-based email services, with more than 200 million active accounts, according to Microsoft.

Microsoft's acknowledgement of the Hotmail issue comes after the security hole was disclosed on Saturday by Alex de Vries, a Dutch programmer, on the Net-Force Web site for security enthusiasts. Cross-site scripting flaws are errors in Web site design, not in Web browsers, and were discovered more than five years ago. Microsoft has described the flaws as serious security vulnerabilities.
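
The class of flaw described above, modelled as an added example that is not from the article or from Microsoft: a request value copied into a page without encoding, beside the encoded form, plus a check of which cookies a script running on a given host can read. The hosts, cookie names and the parent-domain cookie scope are hypothetical assumptions; the article does not say how the Hotmail cookies were scoped.

```javascript
// Added example. Hosts (*.example.test), cookie names and jar contents are
// constructed for illustration and do not describe any real site.

// Encode the five HTML-significant characters so input renders as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed pattern: a query-string value is copied into the page unmodified,
// so markup in the value becomes markup in the response.
function renderUnsafe(theme) {
  return `<p>Theme: ${theme}</p>`;
}

// Corrected pattern: the same value is encoded for the HTML context first.
function renderSafe(theme) {
  return `<p>Theme: ${escapeHtml(theme)}</p>`;
}

// Domain matching as in RFC 6265 section 5.1.3 (IP-address hosts omitted):
// a cookie with Domain=example.test is sent to every subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Names of the cookies that script running in a page on `host` could read
// through document.cookie: in scope for the host and not flagged HttpOnly.
function readableByScript(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? h === c.domain.toLowerCase() : domainMatch(h, c.domain)))
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Weak setup: the mail session cookie is scoped to the parent domain and is
// readable by script, so a flaw on any sibling site puts it within reach.
const weakJar = [
  { name: "session", domain: "example.test", hostOnly: false, httpOnly: false },
  { name: "theme", domain: "promo.example.test", hostOnly: true, httpOnly: false },
];

// Hardened setup: the session cookie is host-only for the mail site and
// flagged HttpOnly, so script on the promotional site never sees it.
const hardenedJar = [
  { name: "session", domain: "mail.example.test", hostOnly: true, httpOnly: true },
  { name: "theme", domain: "promo.example.test", hostOnly: true, httpOnly: false },
];

// Constructed input carrying markup, used only to show the encoding step.
const sampleInput = "<script>demo()</script>";

console.log("unsafe :", renderUnsafe(sampleInput));
console.log("safe   :", renderSafe(sampleInput));
console.log("weak jar, script on promo host     :", readableByScript(weakJar, "promo.example.test"));
console.log("hardened jar, script on promo host :", readableByScript(hardenedJar, "promo.example.test"));
```

Output encoding removes the flaw on the affected site; narrow cookie scope and the HttpOnly flag limit what any remaining flaw on a sibling site can reach.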

Hotmail customers are no longer at risk, according to Microsoft. "The 'I Love Messenger' Web site has been disabled," the company representative said in an email statement. The site, which hosts emoticons, display pictures and backgrounds for MSN Messenger, Microsoft's free instant messaging service, will be restored once the issue has been resolved, the company said. On Monday afternoon PT, the I Love Messenger Web address was redirecting users to the main MSN Messenger Web site.

The Hotmail and MSN flap comes within a week after Microsoft acknowledged that its South Korean MSN Web site had been hacked. Attackers placed malicious software on the news section of MSN Korea in an attempt to steal passwords for "Lineage," a popular online game in Asia.

Freeing Metrics From Fraud and Rejection

Coremetrics' June release claims to deliver more accurate Web analytics, and adds a first-party cookie solution and a visualization tool.

by Alexandra DeFelice Tuesday, June 07, 2005

Coremetrics announced Coremetrics 2005, its June release designed to increase accuracy by allowing e-commerce organizations to remove fraudulent or rejected orders from their analytic reporting measurements. It also issues first-party cookies, allowing companies to gather more information about customers who typically reject third-party cookies. Last, it includes a visualization tool that provides comprehensive analysis of customer Web-browsing patterns.

The company has three objectives with Coremetrics 2005: accuracy, flexibility, and enhanced domain expertise for retail, financial services, and travel. John Squire, vice president of product management for Coremetrics, says, "The biggest [objective] is to enhance the accuracy of all the data we've collected." This issue is being addressed with Coremetrics Transaction Reconciliation, which allows businesses to deal with orders or applications that are canceled or rejected in the back office with data submitted from the Web browser. "Web analytics is about demand, but it doesn't bring in what's going on offline," Squire says. "Coremetrics is bridging that application process that every online company goes through."

Roughly 6 percent of online orders e-commerce organizations receive are rejected or canceled because of suspicions of fraud, according to an online-fraud report. Financial services institutions see common application rejections due to insufficient funds. The new tool allows companies to take those factors into account when measuring conversion rates and other metrics, according to Squire. For example, if a bank is getting a number of loan applications submitted from a particular site, but most of those applications are rejected, advertising on that site may be more trouble than it's worth.

Another feature of Coremetrics 2005 is TruePath, an integrated visualization tool that provides complex scenario event modeling. It builds a funnel, grouping pages to a key event. For example, if a company has a loyalty program it wants people to sign up for, it can track the pages an individual jumped from that eventually resulted in the sign-up. "Most applications use sales as a key metrics point. Coremetrics allows any event to be a key metrics and then ties that back to what helped [the company] do this," Squire says. "We've recognized companies' analytics and IT time is very scarce, so [now] they can set these paths up quickly, determine if they're successful, and then decide what action they want to take going forward."

Another enhancement is a first-party cookie tool for customer data collection, available through a hosted domain, which will allow clients to upgrade from existing third-party tracking without any loss of historical customer profiles, according to Coremetrics. Using such techniques, the company says its clients typically see anonymous rates below 1 percent of all visitor traffic compared to as high as 20 percent when leveraging third-party cookies.

Eric Peterson, senior analyst with Jupiter Research, sees an increasing trend toward third-party cookie rejection. "We have oodles and oodles of proof that says this is a problem, so vendors should be focused on this," he says. "Cookie deletion is still an issue, but at least they're doing something, they're being proactive about it." Peterson lauds Coremetrics' decision to address the fraud issues companies must deal with when attempting to gather accurate metrics, and is confident in the vendor's ability to provide useful solutions. "We're going to see them really tackle fraud and [application rejection]. It increases the accuracy."

How Can You Protect Your Financial Identity

Jun. 7, 2005 - The announcement from Citigroup that it lost 3.9 million
customer data files should cause all of us to take pause about the
safety of our financial identity. This announcement comes only a
couple of months after Bank of America lost information on 1.2 million
customers. While there is nothing you can do to prevent your financial
institution from losing computer data storage tapes, there are a
number of proactive measures you can take to protect your identity.


1) Do not count on corporate America to notify you.

Only one state (California) has laws that require a company to notify
individuals if their personal information has been possibly stolen.
Therefore, you need to be proactive in monitoring your credit history.


2) Keep an eye on your credit.

Take advantage of the recent law that allows consumers to order a free
copy of their credit report (will make it to the East Coast this spring).
According to the Public Interest Research Group, one in four credit
reports has errors that are serious enough to disqualify consumers
from opening a bank account, purchasing a home or even getting
a job! Citigroup is encouraging its customers to enroll in a free credit
monitoring service for 90 days.


3) Take proactive steps with anything personal you do online.

For example, when paying your bills online, it is vital to make sure
your computer is armed with the most up-to-date anti-virus software
as well as some type of security or firewall protection. Most sites
require a password and PIN which only work when your Internet browser
is secure and up-to-date.


4) Do not leave your footprints.

Do not check the box that says "save password," and delete the cookies from
your browser often. When banking online, do not save your information.
You would not leave your drivers license and bank account information
with a teller when you visit a bank, so do not leave this information
on the Internet!


5) Consider identity theft insurance.

The major credit bureaus are now offering identity-theft insurance for
around $100 a year. For example, Equifax will provide you with unlimited
credit reports, alert you to major changes in your history and provide
$20,000 worth of identity-theft insurance. Additionally, policy holders
will have a special hotline they can call if their identity is stolen
and are also entitled to up to $4,000 for lost salary in case they have
to take a leave of absence to fix any credit-related issues. Before
you sign up for this insurance, contact the provider of your homeowner's
insurance as you may already be covered if your identity is stolen.


Citigroup on Monday said the lost data files only affect accounts with
CitiFinancial. If you have one of these accounts and are concerned your
identity may have been compromised, you should call your local CitiFinancial
branch. Additionally, you can call the dedicated hotline Citi has set
up at 1-866-452-2484.


How To Avoid Being 'Phished'



  • Do not use Web links in a suspicious e-mail to access a Web page.
    Instead, call the company or type the main Web address directly into
    your browser.

  • Do not disclose personal information online unless it
    is over a secure connection. You know a Web site is secure if it
    begins with https:// rather than http://.

  • Download a free Web browser
    toolbar that will alert you if you try to access a known phishing
    Web site. The Anti-Phishing Working Group recommends Earthlink's ScamBlocker,
    which can be downloaded for free at http://www.earthlink.net/earthlinktoolbar.

  • Check your credit card and bank statements and other online accounts
    regularly to ensure there are no discrepancies.

  • Make sure your computer
    has the most up-to-date security patches.


If you receive phishing e-mails, forward the entire message, header
included, to the following places:



  1. Anti-Phishing Working Group: reportphishing@antiphishing.com

  2. Federal Trade Commission: spam@uce.gov


Additionally, you should file a complaint with the Internet Fraud Complaint
Center of the FBI (www.ifccfbi.gov) and notify the company that has been
victimized.

Google's Long Memory Stirs Privacy Concerns


When Google Inc.'s 19 million daily users look up a long-lost classmate, send e-mail or bounce around the Web more quickly with its new Web Accelerator, records of that activity don't go away.

In an era of increased government surveillance, privacy watchdogs worry that Google's vast archive of Internet activity could prove a tempting target for abuse.
Like many other online businesses, Google tracks how its search engine and other services are used, and who uses them. Unlike many other businesses, Google holds onto that information for years.

Some privacy experts who otherwise give Google high marks say the company's records could become a handy data bank for government investigators who rely on business records to circumvent Watergate-era laws that limit their own ability to track U.S. residents.

At a time when libraries delete lending records as soon as a book is returned, Google should purge its records after a certain point to protect users, they say.
"What if someone comes up to them and says, 'We want to know whenever this key word comes up'? All the capability is there and it becomes a one-stop shopping center for all these kinds of things," said Lauren Weinstein, an engineer who co-founded People for Internet Responsibility, a forum for online issues.

Google officials say their extensive log files help them improve service, fight fraud and develop new products, and unlike many other online companies, it seems willing to pay for the enormous storage capacity needed to save the data.
"If it's useful, we'll hold on to it," said Nicole Wong, a Google associate general counsel.

Google complies with law-enforcement investigations, Wong said. She declined to comment on the frequency or scope of those requests. From the ground up, Google designs its offerings to minimally impact user privacy, Wong said. Google doesn't share the information it collects from visitors with outside marketers. Employees must get executive approval before they examine traffic data, she said.

Google logs the numerical IP address of each computer that visits many of its sites, and deposits small bits of code known as "cookies" on users' machines to automatically remember preferences like which language they use, she said. Users can reject cookies if they wish, but some services like Gmail, Google's e-mail, will not work without them.

It's difficult to tie cookies and IP addresses to a particular person, Wong said. The IP address of a computer can change every time it signs on to the Internet, and different services use different cookies so the company doesn't know, for example, that a particular Gmail user has visited the Web site of an abortion provider.

Policies Could Change

But absent regulation, there's nothing to prevent Google from linking together those cookies in the future, said Chris Hoofnagle, who heads the West Coast office of the Electronic Privacy Information Center.

"Events can change corporate culture, and those who use the Google service may experience a shift in the definition of 'evil,'" Hoofnagle said, referring to the company's "Don't be evil" motto.

Rivals like Yahoo Inc. and Internet service providers such as Time Warner Inc.'s America Online also track user activity. But ISPs generally don't hold onto such information for more than a month because storage costs and privacy concerns can mount quickly, said Stewart Baker, a Washington lawyer who has represented ISPs in law-enforcement matters.

"If you don't have a reason to keep a bunch of data around, it's probably prudent to get rid of it," he said.

Yahoo declined to say how long it holds on to its log files. Google's generous mail service creates risks as well. While AOL purges customer e-mail from its servers after 28 days unless users specify otherwise, Gmail encourages users to hold onto their messages indefinitely.

Most people don't know that a 1986 law gives less protection from government searches to messages more than six months old, said Ari Schwartz, an associate director at the Center for Democracy and Technology.
"That doesn't mean that Google needs to change its technology, but they do need to do some consumer education," he said.

Even when a user deletes a message it may remain on company servers, according to the Gmail privacy policy.

Some don't see Google's long memory as a bad thing.

"You wouldn't want them to throw away all the queries that have been done - that's like throwing away history," said Danny Sullivan, editor of the trade publication Search Engine Watch.

Weinstein doesn't think so.

MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes

By Libe Goad
One week after hackers exploited a weakness in the MSN Korea Web site, Microsoft admitted to taking down part of its MSN site over the weekend after learning about a flaw that would allow hackers to access Hotmail accounts.

Reports say the MSN Web site, ilovemessenger.msn.com, contained a cross-site scripting flaw. That means someone could potentially use the site to obtain user data via "cookies," or bits of user data, by having MSN customers click on a malicious URL. Once someone clicked the URL, hackers would be able to access their personal e-mail accounts.

A Microsoft spokesperson said customers are no longer at risk from the issue because the "I Love Messenger" Web site has been disabled, and visitors to the site are being redirected to the general MSN Messenger site. Microsoft says it will restore the "I Love Messenger" Web site once the investigation is complete and the issue has been resolved.

The flaw was initially reported by 20-year-old Dutch programmer Alex de Vries on Net-Force.nl, a security enthusiast Web site. On the site, de Vries said, "I found out many big sites are still vulnerable to certain exploits."

After finding vulnerabilities in the Web sites of NASA, Time Magazine, CBS and the CIA, he moved on to Hotmail with the perception that it'd be "unhackable."

"I had to search for about an hour and a half (unlike NASA and CIA, which took me only about 15 minutes), but with success," de Vries said on the site. "Together with [another hacker], I've tested my theory, and in no time, I was reading the content of his inbox."

He then informed Microsoft Corp. of the security flaw and created a tutorial titled "How to Hack Hotmail," although he added the obligatory statement that it should be used for enthusiast purposes and not for malicious intent.

Cross-site scripting flaws are caused by problematic Web site design. Microsoft first posted information about them in February 2000, calling these flaws a "serious security vulnerability."

Users can find more information about these flaws in the Microsoft help section or in this Knowledge Base article, which describes how users can make sure that their computers are not vulnerable to this threat.

The article tells users to turn off Active Scripting in the Restricted zone and make all e-mail run in the Restricted zone. It also warns Web surfers to visit only trusted Web sites; avoid clicking hyperlinks in e-mails; and be careful of how they surf to a site, by typing the URL directly into the browser or by using a secure bookmark or favorite.

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources," the Microsoft spokesperson said.

If users fall victim to a cross-site scripting attack, the Microsoft site recommends that they close the Web browser, restart it and visit a safe Web site, then delete all of the cookie files on the computer. For users of the Internet Explorer browser, Microsoft gives more specific details on how to allay a scripting attack.

During the MSN Korea attack last week, hackers placed malicious code on the site's news section in an attempt to steal user login information for Lineage, a hugely popular multiplayer online game in South Korea. Then, when anyone with a vulnerable Web browser visited the site, they'd be infected with the Trojan that would steal and record the keystrokes of Lineage players.

The site remained hacked for several days before Microsoft fixed it and called law enforcement in for a full investigation. No one reported being affected by the attack.
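The server-side defenses against the kind of cross-site scripting cookie theft described in the article above, as an added example that is not code from MSN, Microsoft or the article: a reflected value rendered without and with HTML escaping, a session cookie issued with the `HttpOnly` and `Secure` flags so page script cannot read it, and a small audit of `Set-Cookie` values. The function names, the `sid` cookie name and the probe string are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed, harmless probe: markup that must never reach the page unescaped.
PROBE = "<script>/* constructed probe */</script>"


def render_results_vulnerable(query):
    """The flawed pattern: a request parameter is reflected into HTML as-is,
    so any markup in a crafted link runs in the site's origin and can read
    that site's cookies."""
    return "<p>Results for " + query + "</p>"


def render_results_hardened(query):
    """Same page with the parameter HTML-escaped before it is reflected."""
    return "<p>Results for " + html.escape(query, quote=True) + "</p>"


def session_cookie(session_id):
    """Build a Set-Cookie value for a session identifier.

    HttpOnly keeps the cookie out of reach of page script, which limits the
    damage if an escaping bug slips through; Secure keeps it off plain HTTP.
    """
    jar = SimpleCookie()
    jar["sid"] = session_id          # "sid" is an assumed cookie name
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True
    jar["sid"]["secure"] = True
    return jar["sid"].OutputString()


def audit_set_cookie(header_value):
    """Return the protective flags missing from one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    # parts[0] is name=value; the rest are attributes such as Path or HttpOnly.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


if __name__ == "__main__":
    print(render_results_vulnerable(PROBE))
    print(render_results_hardened(PROBE))
    for value in ("sid=abc123; Path=/", session_cookie("abc123")):
        print(value, "-> missing:", audit_set_cookie(value))
```

Escaping removes the flaw itself; the cookie flags only reduce what a remaining flaw can expose, so both belong in a review of a site that keeps login state in cookies.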

Friday, June 3, 2005

Men Warier of Internet Cookies

NEW YORK Men are much more likely to delete Internet-tracking cookies from their computers, according to a new survey.

Men were found to be more fearful that cookies track them online. While 48 percent of women said they deleted cookies because they slow their computer, 35 percent of men identified that as a reason. In contrast, 47 percent of men said they deleted cookies because they do not want their Web activity monitored versus 41 percent of women.

The poll found that privacy trumps security concerns when it comes to cookie deletion. About two-thirds of respondents said cookies allow someone to track their online activities, while just 30 percent said cookies provided a better Internet experience. Of those who deleted cookies, 61 percent did so monthly.

"Some of the more technical things, like frequency capping, [consumers] don't understand," said Chuck Moran, market research manager at Burlington, Mass.-based Burst. "There's a lack of knowledge where cookies may make it a more pleasant online experience."

Overall, the survey found cookie-deletion rates in line with surveys done by Jupiter Research and Nielsen//NetRatings, as well as empirical data from aQuantive and WebTrends. A little more than 38 percent told Burst they delete cookies monthly.

Burst found wide consumer ignorance of what cookies do, with only 22 percent saying they knew "a lot" and 28 percent replying they knew "some."

"There's an opportunity for the industry -- I don't know how you do it -- to educate people about the value of Internet cookies and what they do to make your Internet experience better," Moran said.

--Brian Morrissey

Thursday, June 2, 2005

New study shows how internet cookies crumble

Do men put a greater premium on online privacy? A new study conducted by Burst! Media finds that men are much more likely to delete internet cookies than women. A survey of 10,000 internet users age 14 and older finds that 54.5 percent of males report deleting cookies from their computers while 41.8 percent of women do so. It suggests men are either more internet savvy or want to protect their privacy more. The study also revealed that there’s a large segment of people, 30.4 percent, who know nothing about or have never heard of cookies. Cookies are pieces of code stored on a computer that help deliver and measure internet marketing campaigns. But fears over security threats seem to have internet users removing them from their systems. Just over 42 percent agreed with the statement “Internet cookies make my computer susceptible to viruses” and another 42 percent agreed with “Internet cookies make my computer unsafe for personal information.” Slightly more than 31 percent said they deleted cookies from their computers because their spyware program suggested they do so.

Cookie Deletion: How It Affects Media Buyers

If you're an online marketer, you're sure to have heard the buzz about cookie deletion. Jupiter Research, among others, finds Internet users delete cookies more frequently than they used to, and certainly more than anyone suspected.

Some say it's because of anti-spyware programs that wrongfully identify cookies as security threats and encourage users to delete them. Others presume last year's release of the Windows XP Service Pack 2 is to blame, as it forces users to make a decision about deleting cookies they weren't prompted to make before. Consumers' misguided belief that cookies invade their privacy could also be a factor.

Whatever the case, analysts say the trend stands to cause serious problems for online advertisers.

Like many media buyers, you probably wonder why. You've heard talk of cookies. You know they're used for Web measurement. But unless you're heavily involved in campaign management, work next to a campaign analyst, or eavesdrop on your agency's tech team, your cookie knowledge probably stops there.

Countless buyers and online strategists haven't participated (or been particularly interested) in Internet technology or back-end campaign operations, cookies included. In this case, you should cozy up to the tech experts. Understanding the cookie's purpose is essential, because deletion has a direct effect on the success of all online campaigns.

The Cookie's Purpose

Technically, a cookie is a small string of text stored on a user's computer by a Web site server. It will later be retrieved or referenced by the user's Web browser. The cookie contains a unique code that allows the site publisher to anonymously identify the user and, depending on the type of cookie (i.e., a temporary "session" cookie or a more permanent "persistent" cookie), track her as she interacts with the site. The code is usually assigned to the user on her first site visit and is referenced each time she returns until the cookie is either deleted or expires.

Cookies generally have four purposes:

Measure site and campaign traffic.
Measure a campaign's effectiveness by tracking user actions after ad exposure.
Identify audience traffic patterns and aid in targeted ad delivery.
Cap ad impression delivery.

Deletion's Fallout

Considering these purposes, you can start to understand the problem. When cookies are deleted, publishers can't accurately measure site traffic. Media buyers can't make informed decisions about which sites to utilize or estimate their audience reach. If a cookie is deleted between the time a consumer sees an ad and when he makes a purchase, you'll also have difficulty determining the buy's origin and gauging the ad placement's effectiveness.

There are also long-term repercussions. Without frequency capping, marketers may unknowingly run campaigns that create negative impressions of their clients' brands.

Disturbing as these consequences may sound, cookie deletion likely won't be the end of online advertising. There are several things media buyers and marketers can do to improve the situation, in fact.

Two Solutions

The first is education. Know what percentage of your audience deletes cookies so you can better analyze your campaigns. Media buyers can no longer assume the statistics they get are precise, whether they originate from a third-party measurement firm or their own proprietary software. Jupiter Research recommends site publishers spend more time scrutinizing their users' actions and pass the information on to marketers for comparison with their own findings.

Marketers can also look to alternative measurement solutions, such as those offered by United Virtualities. Its Persistent Identification Element (PIE) delivers Flash MX files to users along with traditional cookies. The result is the restoration of deleted cookies, along with added measurement capabilities; Flash files are more difficult to delete than cookies and are therefore more likely to remain where they're placed.

The cookie deletion dilemma is still fairly new. Additional solutions are likely headed our way. In the meantime, this is one technology issue marketers must watch. Cookies are essential to our industry. Unless we're prepared, this one's sure to come back to bite us.

BURST Media Reports Consumer View of Cookies: 'Don't Understand Them, can be Good, But, Should be Deleted'

BURLINGTON, Mass., June 2 /PRNewswire/ -- To the online industry, Internet cookies are a simple piece of code that a website or web server stores on a user's machine to improve website viewing and effectively deliver and measure online marketing campaigns.

Consumers, however, have a different view. To better understand the issues surrounding Internet cookies, BURST! recently surveyed over 10,000 web users 14 years and older about their knowledge and perception of Internet cookies, as well as the extent of and reasons for cookie deletion.

Nearly one-third (30.4%) of respondents say they know "Nothing/Never Heard of" Internet cookies. Only one in five respondents (21.6%) say they know "A lot" about Internet cookies; 28.1% say they know "Some information, but not a lot", and 19.9% say they know "A little".


Majority Who Understand "A Little" Acknowledge Benefits of Cookies

Respondents who knew at least "a little" about Internet cookies were asked whether they agree or disagree with a series of statements about Internet cookies including both positive (user benefit) and negative (user detriment) statements. Among the positive statements, over half of respondents agree that Internet cookies "Keep them from having to refill personal information" when visiting a shopping or commercial website (58.2% agree). Similarly, 55.6% of respondents agree that Internet cookies "Allow [them] to enter sites they have registered with" without reentering a username/password each time they visit. Few respondents disagree with these statements; for both statements about one-third of respondents are unsure.

Only one-quarter (29.9%) of respondents agree with the statement "Internet cookies allow [them] to have a better online experience" -- one-in-five (22.8%) disagree, and 47.2% were unsure. The 14-24 year old segment is the only age group to differ significantly from the overall result -- with 35.3% agreeing with the statement "Internet cookies allow [them] to have a better online experience".

Respondents rejected the statement "Internet cookies can keep me from seeing the same online advertisement over and over again". In fact, only one out of five (23.6%) respondents agree with this statement -- and one-third (34.9%) disagree. Additionally, all age segments reject the statement that Internet cookies prevent the same advertisement from being shown to them repeatedly; including the core adult (25-54 years) segment of which only 22.7% agree and 36.0% disagree.

Negative Perceptions of Cookies - Privacy Issues

Two-thirds (66.2%) of respondents agree with the statement "Internet cookies allow someone to track my online activities".

Overall, less than one-half of respondents agree with the statements: "Internet cookies slow down my computer" (47.2%), "Internet cookies make my computer susceptible to viruses" (42.2%), "Internet cookies make my computer unsafe for personal information" (42.1%), "Internet cookies show ads on my computer screen" (39.1%), and "Internet cookies harm my computer" (26.5%).

Respondents who deleted cookies from their computer were presented with a list of potential reasons why they might delete cookies from their computer. Overall, the top reasons chosen were "I remove anything I did not request to be downloaded" (44.9%), and "I don't want my web-surfing activity monitored" (44.6%). These were followed closely by "They slow my computer down" (40.9%) -- which, for women, is the top reason for deleting Internet cookies (48.3%).

Other reasons to delete Internet cookies: "I don't feel my personal information is safe with them on my computer" (34.6%), "My spyware program suggested that I should" (31.6%), "No particular reason, don't want them" (27.3%), "I don't want anyone to know when I am on their website" (22.1%), and "They will harm my computer" (16.4%).

About Half of Respondents Say They Delete Cookies - 38.4% Monthly

Survey respondents were also asked what should be done about Internet cookies -- near equal numbers agree (26.5%) as disagree (25.8%) with the statement "Internet cookies should be eliminated"; and nearly one-half (47.7%) of respondents say they are unsure.

Slightly less than one-half (48.1%) of respondents say they have deleted Internet cookies from their computer. Additionally, men are more likely than women to say they have deleted Internet cookies, 54.5% versus 41.8%. Among age segments, one-third (37.7%) of respondents 14-24 years, 52.6% of respondents 25-54 years and 47.4% of respondents 55 years and older report deleting Internet cookies. It is important to note that within the core adult (25-54 years) segment nearly three out of five (58.4%) men report deleting Internet cookies. Also, within this important age segment, 47.4% of women say they have deleted Internet cookies.

The BURST! study found that 38.4% of respondents say they delete Internet cookies at least once a month. This number increases to 42.1% among adults 25-54 years. Additionally, 60.6% of respondents who delete Internet cookies say they delete "all Internet cookies". Fully one-quarter (28.2%) of respondents say they keep some Internet cookies they "know they need or want", and 11.2% say they delete Internet cookies only from unfamiliar websites.

"Privacy and security issues taint online users' overall perception of Internet cookies. Nevertheless, only one-out-of-four say they want Internet cookies 'eliminated'," says Chuck Moran, BURST! Media's Market Research Manager. "There is significant opportunity for the Interactive industry -- including content publishers, agencies and clients as well as third parties to build user understanding of and trust in Internet cookies."

BURST! Media (http://www.burstmedia.com) is an Internet ad services and online ad sales rep company that delivers more than 4 billion advertising impressions for over 2,000 websites every month. BURST! reaches approximately 1 in 3 people online and is among the 15 largest online media properties in terms of unique visitors and reach.* By providing thousands of web publishers with tools and expertise from ad sales to email newsletter tools and community forums for learning, BURST! helps publishers generate sustainable revenue. BURST! also markets AdDesktop, a competitively-priced, ASP ad management solution that helps web publishers securely target, serve, track and report the performance of online advertising campaigns. The company, founded in 1995, is based near Boston, and was recently named the 11th fastest growing private company in Massachusetts by the Boston Business Journal.

*(according to comScore Media Metrix)

--------------------------------------------------------------------------------
Source: BURST! Media

Antiforensic Tools

It's important to protect your company's data. But how do you know whether what you think you've erased is actually unrecoverable?

By Simson Garfinkel

Regular readers of this column know of my obsession with recovering deleted information from used hard drives, USB tokens and other kinds of storage media. And I'm hardly the only person with this interest. Increasingly, disk forensic tools such as Guidance Software's EnCase and AccessData's Forensic Toolkit are not used just for solving crimes: Forensic tools are fast becoming a staple of civil lawsuits between corporations and in disciplinary proceedings against employees. These days, it seems, whenever there's a chance that somebody has deleted a file to hide evidence of wrongdoing, some forensics expert is standing by to recover that file for a fee.

Not surprisingly, there's also a growing number of products on the market designed to frustrate these experts. Some of these programs, such as Webroot Software's Window Washer and CyberScrub's Privacy Suite, are marketed as tools for protecting people's privacy. But there are also programs (Robin Hood Software's Evidence Eliminator, for example) marketed explicitly to people who want to hide information from government, police and employers.

All of these programs have legitimate uses within organizations. For example, if you have a computer for public use in a reception area, you might want to set up a program like Window Washer to automatically erase the computer's browser history, webpage cache, cookies and other data records every few hours. This will protect both your employees and your visitors.

On the other hand, your employees could be using these kinds of tools to hide evidence of inappropriate behavior at work—such as viewing pornography. So be sure you understand who in your organization is using these tools, and why.

Computers are handed down a lot inside the modern organization. Frequently, the newest and fastest machines are given to the most highly paid executives. A year later, those executives are "refreshed" with new computers, and the old machines are given to other employees. CSOs need to make sure that the data on those computers is properly erased—that the hard drive is sanitized—before a computer is reassigned. But don't despair, antiforensic tools can help here too.

I have seen cases where entry-level employees have been given desktops that contained sensitive information such as personnel reports, product plans or even e-mail of senior management. Sometimes the files are visible without any special tools. Other times the files have been "deleted" but can still be recovered using a special program. In one case, a woman I know was given a laptop that contained both the business and personal e-mail of a former salesman who had just quit the company. The disk also had a substantial amount of pornography. Luckily, the woman was not looking to sue.

In another case, a student in a class that I was teaching borrowed a USB token from a friend to complete an assignment on forensics. The student was told to make an "image" of the token's contents and then look for deleted files. Not only did the student find photos that his friend had deleted—he found photos on the USB token that had been deleted before the token had even been purchased! Apparently the token had been used, repackaged and sold as new. If my student had been a mandatory reporter and the USB token had contained child pornography, a criminal investigation might have resulted.

Wipe Clean and Restart
The most reliable way to sanitize a computer is to wipe the hard disk clean and then reinstall its operating system from scratch. Don't use the Windows Format command to wipe the disk, however. Although Windows has an option for a "Quick Format," if you leave this box unchecked, Windows still doesn't erase the contents of the disk. Instead, it reads the blocks to make sure each actually works. This doesn't match most people's expectation of what Format should do, but Microsoft hasn't bothered to fix this command in more than 20 years.

Instead of using Format, you'll need to use a program that's specifically designed to "clear" or "wipe" the disk. My favorite program right now is Darik's Boot and Nuke (DBAN), a free program available on the Internet. To use DBAN, you download the ISO file from dban.sourceforge.net and burn it onto a CD-ROM. Then you put the CD into the computer you want to wipe and reboot. DBAN starts up, confirms that you really want to erase the disk, and then zeroes all the drive's data. You also can tell DBAN to overwrite the disk with one or more passes of random data, though this additional step is not necessary.

But now you have a problem: A wiped computer is useless until you reinstall the operating system and all of its applications. Organizations that manage hundreds of PCs typically reinstall using an "image" or "drop" that contains their version of Windows and all of their licensed applications. Programs like Symantec's Norton Ghost can copy this image onto a wiped computer over the network or from a CD-ROM or DVD. The big advantage to this approach is consistency: Every user has the same software installation, which minimizes support costs.

If your organization sanitizes by reimaging the hard drive, take a trip to the IT department to make sure the technicians are in fact sanitizing the computers before they drop on the new image. Ask to see the program they use to do the wipe. The next user of the computer won't know the difference, but if the computer hasn't been sanitized then there is sure to be information in the "unused" space of the hard drive that contains files belonging to the computer's previous owner. That's because programs like Ghost don't overwrite the entire hard drive either.

Disk sanitization is more complicated in organizations that don't use a program like Norton Ghost. In these cases, you must rebuild the wiped computer from scratch. First, you need the original distribution disks and activation codes for both the operating system and the applications. Then you need to reinstall all of the security patches and application updates before you can safely put the computer on a network. What's worse, this process can uncover compatibility problems that were previously hidden: Sometimes older equipment doesn't work with newer drivers or with applications that are installed in the wrong order.

As a result, many organizations—and most individuals—don't wipe and reinstall. Instead, they simply delete all of the files they can find, and then once again use an antiforensics program like Privacy Suite to find the files that might have been forgotten and to make all of the deleted files unrecoverable.

CSOs need to make sure that the data on a computer is properly erased—and the hard drive is sanitized—before the computer is reassigned.

While it's easy to test a disk-wiping program—just run a forensic tool on the disk and make sure it doesn't have any data on it—programs that perform selective file sanitization are harder to certify. Indeed, there's good evidence that these programs frequently leave behind at least some information on the disk that their users would rather have deleted (say, the salaries of the executive team).
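The whole-disk check described above can be scripted when no forensic suite is at hand. The following is an added example, not code from the article or from any tool it names: it scans a raw image of a zero-wiped disk and reports every run of sectors that still holds data, with a few readable strings from each run. The 512-byte sector size, the function names and the sample image are assumptions made for the illustration.

```python
import io
import re

SECTOR = 512  # bytes per sector (assumption; many newer drives use 4096)
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def audit_wipe(image, sector_size=SECTOR, chunk_sectors=2048):
    """Scan a raw image (any binary file object) for sectors that are not all zeros.
    Returns totals plus a list of (first_sector, last_sector, sample_strings) runs.
    """
    zero = bytes(sector_size)
    runs, start, strings, sector = [], None, [], 0
    while chunk := image.read(sector_size * chunk_sectors):
        for off in range(0, len(chunk), sector_size):
            block = chunk[off:off + sector_size]
            if block == zero[:len(block)]:
                if start is not None:  # a run of leftover data just ended
                    runs.append((start, sector - 1, strings))
                    start, strings = None, []
            else:
                if start is None:
                    start = sector
                found = [m.decode() for m in PRINTABLE.findall(block)]
                strings += found[:3 - len(strings)]  # keep at most 3 samples per run
            sector += 1
    if start is not None:
        runs.append((start, sector - 1, strings))
    dirty = sum(last - first + 1 for first, last, _ in runs)
    return {"sectors": sector, "dirty_sectors": dirty, "runs": runs, "clean": dirty == 0}


def constructed_image():
    """Constructed sample: 64 zeroed sectors with residue in sectors 10-11 and 40."""
    img = bytearray(64 * SECTOR)
    residue = [(10, 0, b"Executive salaries FY2005.xls"),
               (11, 0, b"\xde\xad\xbe\xef"),
               (40, 100, b"draft merger memo")]
    for sector, offset, data in residue:
        pos = sector * SECTOR + offset
        img[pos:pos + len(data)] = data
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    report = audit_wipe(constructed_image())
    print("clean:", report["clean"], "dirty sectors:", report["dirty_sectors"])
    for first, last, samples in report["runs"]:
        print(f"sectors {first}-{last}: {samples}")
```

This check only fits a zero-fill wipe. A disk overwritten with passes of random data will show every sector as non-zero, so there the thing to look for is the absence of readable strings rather than a clean result.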

After Microsoft added file-sanitization features to the Windows XP program CIPHER.EXE, Guidance Software published a white paper by Kimberly Stone and Richard Keightley with the provocative title "Can Computer Investigations Survive Windows XP?" The paper's conclusion was a resounding yes. Apparently the approach that CIPHER.EXE uses to make deleted files unrecoverable is to create a single big file filled with random data. As the file grows, the Windows operating system takes more and more blocks off the disk's "free list" and allocates those blocks to the file. This is the same technique that programs such as Privacy Suite use to make deleted files unrecoverable.

But this approach isn't perfect. It doesn't get all of the unused blocks: Because of the way the file system operates, some blocks are left behind—unused but unallocatable at the moment. Frequently, these blocks have data from a previous use. The big-file approach also doesn't overwrite the contents of very small files that are not stored in individual blocks on the NT file system. And it doesn't obscure the names of deleted files.

Last December, graduate student Matthew Geiger at Carnegie Mellon University reviewed Window Washer, Neo-Imagic Computing's Windows & Internet Cleaner, and Privacy Suite to see if they actually did what they claimed. To test these programs Geiger took a clean computer, installed a file-sharing program, did some Web browsing, loaded additional confidential data and then set the privacy-protecting programs to work. Then he analyzed the hard disks with Forensic Toolkit. Geiger's conclusion: "All three privacy tools failed to eradicate some sensitive information. In one case, the tool failed to wipe any of the records it had deleted."

What's particularly troubling about Geiger's study was his assessment of the product reviews written about these programs. It seems that none of the reviewers had actually tested the programs to see if they worked. Instead, the reviews were written mostly from a user's perspective—do the programs have easy-to-use interfaces and a good feature set?

Antiforensic programs shouldn't be necessary. Windows and other operating systems should have provisions for removing personal data, and deleted files should actually be removed from the disk. Until that day, however, these tools are a necessary part of any CSO's arsenal.

Wednesday, June 1, 2005

This headline was written just for Me!

These days it seems more and more people are buying into the idea that mega-companies can mass-produce human individuality.

In the online universe, there's so much fake Me that I'm getting sick of Myself. I can now redesign my access to most Web sites so that I look at My Weather on My Yahoo! or start a virtual library of My Search History on My Web. I can control, amend and adjust My Queue on Netflix and add or delete from My Shopping Cart or My Account on almost every e-commerce site.

I guess it's supposed to mean something to me that I can customize a pair of Nikes with my own ID, or that I can get a Carrie-style necklace with my own name at Wal-Mart. I'm drowning in personalized marketing gimmicks, often misplaced and sometimes bizarre.

Every day brings a new slew of customize-me bids. Williams-Sonoma will hand-forge a branding iron with my monogram, so I can "personalize steaks and chops." My latest favorite came just before Mother's Day, when Personalization Mall e-mailed me my "very own" "exclusive" offer: I could order six "personalized roses," with the greeting of my choice screened onto the petals of the most cliched bud in the florist's shop. To think I could have moved my mom by imprinting something really unique, like "Happy Mother's Day!"

Even the federal government's getting into personalization. The Agriculture Department now fights the McDonald's-on-every-corner culture with a high-fiber, low-fat campaign on MyPyramid.com, where you can build your own dietary guidelines. The Postal Service is convinced customers will pay up to three times more for "an exciting new product that lets you take your own photographs and turn them into U.S. postage!"

Once the Internet made communication anonymous and faceless, and location irrelevant, online marketers faced a whole new challenge in attracting buyers and keeping their loyalty. The tactics they've adopted are familiar - they were created by spammers years ago. But while I'm used to casually deleting unwanted e-mails that are personally labeled and crazily off base, it's a different breed of weird when my bank site thinks that "Hello, LastNameFirstInitial!" is going to make me feel warm and fuzzy about our relationship.

What I really feel is that I'm being watched. Thanks to "cookies," the personal trail of browsing and clicking-to-buy crumbs that our logons leave behind, marketers already can discern our individual reading habits, vacation preferences and the color of the roots of our hair. But they want more, posing increasingly intrusive questions just to give us full access to their products.

This Internet trend irks me for the same reason that I prefer waiting to pick up drugs at the pharmacy to standing in line at Starbucks. There are just some places where it's nice to be a number. I need everyone within earshot knowing the contents of my cup the way I need the grocery store clerk getting on the loudspeaker and commenting on the absorbency of my toilet paper. Imagine if they announced your prescription the way they do your grande, double shot, half-caff, skinny mocha with extra foam.

It wasn't identity theft or spam avoidance that originally provoked me, years ago, to enter fake names and false e-mail addresses on these nosy Web sites. Part of the allure of going online has been to enjoy the privacy of anonymity, not to prove that I'm MyOwnPerson. (Not affiliated with MyOwnPerson.com.)

I admit that when I log into My Yahoo!, it's nice that it goes straight to my local weather and movie times. And I like personalization technology that connects people to other people.

Amazon and Netflix, for example, use collaborative-filtering technology to match customer profiles and suggest books or movies accordingly. With Netflix, my friends and I can opt to share access to "Movies You Both Hate" (or love) - letting us recommend movies to one another online. At least the service encourages kinship rather than isolation.

But that's the exception. Self-expression isn't supposed to be a selling point. Next time these marketers want to use MyPersonality to sell me something, I'd thank them to remember it's none of TheirBusiness.