
Facebook, Google, Mozilla raise the bar with new user privacy controls

News roundup: New settings and options to boost user privacy and security are emerging on major websites, but is it enough?

While user privacy and security concerns have headlined recent news, several prominent companies have released new privacy controls in hopes of easing users' fears.

Facebook's privacy-enhancing "experiment"

On June 1, Facebook Inc. announced via blog post its move to enhance email privacy with the release of an "experimental new feature" that allows users to add OpenPGP public keys to their profile. The OpenPGP keys, which users can opt to share from their profile with or without enabling encrypted notifications, provide end-to-end encryption for email notifications sent from Facebook to a user's email account. This feature can be especially helpful when it comes to password reset notifications.

On Tuesday, Facebook announced a further step for improved user security: in order to "reflect a new and more secure industry standard," application developers will have to start using SHA-2 certificate signatures rather than SHA-1. The SHA-1 standard will be retired January 1, 2016, but apps connecting to Facebook must be updated by October 1, 2015.

In recent years, Facebook has taken other measures to keep users secure, including deploying HTTPS by default and offering a Tor option for improved privacy.

Google's new tool -- and privacy questions answered

Google Inc. is also taking strides to reinforce its security and address user privacy concerns.

The company announced a preview of Android M at Google I/O on May 28, highlighting the fact that users will have more control over app permissions than ever before.

The company then took two additional steps forward Monday.

In the announcement of its "My Account" -- a new "hub for managing Google settings" -- Google said users will have quick access to settings and tools that help "safeguard your data, protect your privacy and decide what information is used to make Google services work better for you."

Google also published a new website -- privacy.google.com -- which "candidly answers" questions users may have about the company, such as "What data does Google collect?" and "What does Google do with the data it collects?"

The new site also explains how the company puts relevant ads on websites without selling a user's personal information, how encryption and spam filtering keep users safe, and how user data can help "customize the Google experience."

Google's Keep My Opt-Outs not opting out

Not all of Google's privacy controls achieve gold, however.

In January 2011, when Google announced the availability of its "Keep My Opt-Outs" -- a browser plugin that allows users to permanently opt out of online ad personalization -- it boasted that the plugin would not be cleared when a browser's cache was deleted (as a cookie might be), making it a more effective -- and permanent -- "do not track" mechanism.

However, in a blog post published Monday, security researcher Jonathan Mayer wrote that the privacy extension, which purportedly has more than 400,000 users worldwide, "isn't nearly as effective as Google claims it is."

In his research, Mayer found the extension's internal cookie list -- the list that determines which businesses are blocked -- had last been updated in October 2011 and didn't include key industry players, such as Facebook.

Mayer also found the extension doesn't work properly when a user enables Chrome's private browsing mode.

Mayer suggested users relying on Keep My Opt-Outs switch instead to Disconnect or Privacy Badger.

Ex-Mozilla engineer pushes for Tracking Protection

Former Mozilla Corp. software engineer Monica Chew and former Mozilla intern and Columbia University student Georgios Kontaxis received an award at the Web 2.0 Security and Privacy Workshop in late May for their paper on new Firefox Tracking Protection technology.

Tracking Protection goes beyond Mozilla's "Do Not Track" feature -- a voluntary setting requesting websites to not track user data -- to block cookies and other tracking technologies such as fingerprinting.

In their research, Chew and Kontaxis found the Tracking Protection privacy control effectively blocked user activity tracking by blocking requests to tracking domains. Chew and Kontaxis demonstrated a 67.5% reduction in the number of HTTP cookies sent during a crawl of the Alexa top 200 news sites. Tracking Protection, Chew and Kontaxis stated, also offers performance benefits; in the test of the Alexa top 200 websites, the researchers measured a 44% median reduction in page-load times and a 39% reduction in data usage.

However, although Tracking Protection is available, Mozilla does not turn it on by default, and enabling it takes more than a click of a button: users must go through a series of steps to activate it.

Chew took to her blog to push the importance of Tracking Protection -- and the problem with advertising.

"I believe that Mozilla can make progress in privacy," Chew wrote, "but leadership needs to recognize that current advertising practices that enable free content are in direct conflict with security, privacy, stability, and performance concerns -- and that Firefox is first and foremost a user-agent; not an industry-agent."

"Advertising does not make content free," she continued. "It merely externalizes the costs in a way that incentivizes malicious or incompetent players to build things like Superfish, infect one in 20 machines with ad injection malware, and create sites that require unsafe plugins and take twice as many resources to load -- quite expensive in terms of bandwidth, power, and stability."

"It will take a major force to disrupt this ecosystem and motivate alternative revenue models," Chew concluded. "I hope that Mozilla can be that force."

In other news

  • A report released Wednesday by TeleSign concluded only 30% of consumers are extremely or very confident that passwords are sufficient in maintaining online account security. Researchers who surveyed 2,020 adults in the U.S. and U.K. found that while users are afraid of compromised passwords, few have the awareness or education to implement additional controls. "The number one tip most experts give for increasing account security and stopping the fallout from data breaches is to turn on two-factor authentication," said Steve Jillings, CEO of TeleSign. "Yet our research shows that the majority of consumers (61%) do not know what two-factor authentication is, even though it's available on almost every account, free to the consumer and just waiting to be turned on." Researchers also found users have an average of 24 online accounts, yet use only six unique passwords to protect them; 73% of accounts use duplicate passwords. Those surveyed also admitted they rarely change their passwords; 47% are using a password that hasn't been changed in 5+ years, while 77% have a password one year or older.
  • In addition to releasing the research, TeleSign also launched its "Turn It On" campaign Wednesday to raise awareness of two-factor authentication. The campaign's website -- https://www.turnon2fa.com/ -- highlights the benefits of 2FA -- including that "it's free and easy, it protects your identity, it stops hackers and it's available on most major websites today." The website also offers the "ultimate guide to 2FA" with detailed, step-by-step instructions telling users how to enable free 2FA on websites and apps for everything from email, shopping and social media to developer, education and government services. "With our Turn It On campaign," said Jillings, "TeleSign is starting the dialogue directly with consumers, empowering them to take a few simple steps to better protect their online accounts and all of the valuable financial and other sensitive personal information inside."
  • CloudFlare Inc. System Engineer Ben Cox published a blog post Wednesday claiming public SSH keys could be cracked due to weak key sizes and flawed key generation, and then used to access GitHub projects. Cox said repositories for Spotify, Python and the U.K. government, among others, were all potentially at risk of infiltration. Cox collected more than 1.3 million public SSH keys from GitHub between December 27 and January 9 using a GitHub feature allowing users to look at account public SSH keys. Cox found that while 97.7% of the keys used the RSA algorithm, only 93.9% used 2048-bit keys; 4% used 1024-bit keys. Two keys Cox found used only 256 bits, and seven used 512 bits. Cox also found a number of keys weakened because of a Debian OpenSSL random number generator seed flaw that was found and patched in May 2008. Cox disclosed the issue to GitHub in February; the company has since revoked all vulnerable and weak keys. "It would be safe to assume," Cox wrote, "that due to the low barrier of entry for this, the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker."
  • A report released Tuesday by cloud security provider OpenDNS Inc. highlighted the potential issues Internet of Things communications may bring to an enterprise. "The 2015 Internet of Things in the Enterprise Report" highlights vulnerabilities enterprises must be aware of, including not only that IoT devices are new avenues for remote exploitation of corporate networks, but also that such devices -- including wearables that "continuously beacon out to servers -- even when not in use" -- are susceptible to highly publicized and patchable vulnerabilities including Heartbleed, FREAK and POODLE, as well as SSL flaws. Researchers also concluded "highly prominent technology vendors" are operating IoT platforms in "known bad Internet neighborhoods" -- where providers also host malicious domains -- which puts users at risk. "This report shows conclusively that IoT devices are making their way into our corporate networks, but are not up to the same security standards to which we hold enterprise endpoints or infrastructure," said Andrew Hay, director of security research at OpenDNS. "Our hope is that by using this report, security professionals and researchers can better understand the security implications of the IoT devices in their own environments."
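The kind of key-size audit Cox ran against GitHub's public keys is something any team can run over its own authorized_keys files or account key listings. The script below is an added example, not Cox's tooling or anything from CloudFlare or GitHub: it parses the OpenSSH public key line format (type prefix, base64 blob in SSH wire encoding, comment), extracts the RSA modulus length, and flags keys that fall under a minimum size. The sample keys are constructed in the script itself (their moduli are just numbers of the requested bit length, not real key material), and the 2048-bit threshold and the "weak" verdict for DSA are policy assumptions of the example. Checking for the Debian 2008 RNG keys that Cox also found would need the published blacklist of affected fingerprints, which this example does not include.

```python
import base64
import struct

# Policy assumption: RSA moduli below this size are flagged. Cox's post treated
# 1024-bit and smaller keys as weak; 2048 bits is the usual minimum today.
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _write_string(data):
    return struct.pack(">I", len(data)) + data


def _write_mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    if value == 0:
        return _write_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _write_string(raw)


def parse_public_key(line):
    """Return (key_type, bits) for one OpenSSH public key line; bits is None if not applicable."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)      # public exponent, not needed for sizing
        n_bytes, _ = _read_string(blob, offset)       # modulus; int.from_bytes ignores the pad byte
        bits = int.from_bytes(n_bytes, "big").bit_length()
    elif key_type == "ssh-dss":
        p_bytes, _ = _read_string(blob, offset)       # DSA prime p comes first
        bits = int.from_bytes(p_bytes, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256                                    # fixed-size curve
    else:
        bits = None                                   # e.g. ecdsa-sha2-nistp*: size is in the curve name
    return key_type, bits


def assess_key(line):
    """Classify a key line as 'weak' or 'ok' under the policy above."""
    key_type, bits = parse_public_key(line)
    if key_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        verdict = "weak"
    elif key_type == "ssh-dss":
        verdict = "weak"                              # policy assumption: DSA is 1024-bit only in OpenSSH
    else:
        verdict = "ok"
    return key_type, bits, verdict


def audit(lines):
    """Assess every non-empty, non-comment line (authorized_keys style)."""
    return [assess_key(l) for l in lines if l.strip() and not l.startswith("#")]


def summarize(results):
    total = len(results)
    weak = sum(1 for _, _, v in results if v == "weak")
    return {"total": total, "weak": weak,
            "weak_pct": round(100.0 * weak / total, 1) if total else 0.0}


def make_rsa_line(bits, comment="constructed"):
    """Build a syntactically valid ssh-rsa line whose modulus has exactly `bits` bits (constructed, not a real key)."""
    n = (1 << (bits - 1)) | 1
    blob = _write_string(b"ssh-rsa") + _write_mpint(65537) + _write_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample input standing in for an authorized_keys file or an account key listing.
SAMPLE_KEYS = [
    "# constructed sample keys for the audit example",
    make_rsa_line(2048, "alice@constructed"),
    make_rsa_line(1024, "legacy-ci@constructed"),
    make_rsa_line(512, "ancient@constructed"),
    "ssh-ed25519 " + base64.b64encode(_write_string(b"ssh-ed25519")
                                      + _write_string(b"\x01" * 32)).decode() + " bob@constructed",
]

if __name__ == "__main__":
    results = audit(SAMPLE_KEYS)
    for key_type, bits, verdict in results:
        print(f"{key_type:12} {str(bits):>5} bits  {verdict}")
    print(summarize(results))
```

Run it as-is to see the constructed set classified, or replace SAMPLE_KEYS with the lines of a real authorized_keys file. The parser deliberately checks that the base64 blob's embedded type string matches the line's prefix, because a mismatched prefix is a cheap way to slip an unexpected key type past a naive audit that only reads the first token.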
