Schneier on Security

A blog covering security and security technology.

« Refuse to be Terrorized | Main | Identity Theft Cartoon »

December 21, 2007

Privacy Problems with AskEraser

Last week, Ask.com announced a feature called AskEraser (good description here), which erases a user's search history. While it's great to see companies using privacy features for competitive advantage, EPIC examined the feature and wrote to the company with some problems:

The first one is the fact that AskEraser uses an opt-out cookie. Cookies are bits of software left on a consumer's computer that are used to authenticate the user and maintain information such as the user's site preferences.
Usually, people concerned with privacy delete cookies, so creating an opt-out cookie is "counter-intuitive," the letter states. Once the AskEraser opt-out cookie is deleted, the privacy setting is lost and the consumer's search activity will be tracked. Why not have an opt-in cookie instead, the letter suggests.

The second problem is that Ask inserts the exact time that the user enables AskEraser and stores it in the cookie, which could make identifying the computer easier and make it easy for third-party tracking if the cookie were transferred to such parties. The letter recommends using a session cookie that expires once the search result is returned.

Ask's Frequently Asked Questions for the feature notes that there may be circumstances when Ask is required to comply with a court order and if asked to, it will retain the consumer's search data even if AskEraser appears to be turned on. Ask should notify consumers when the feature has been disabled so that people are not misled into thinking their searches aren't being tracked when they actually are, the letter said.

Here's a copy of the letter, signed by eight privacy organizations. Still no word from Ask.com.

While I have your attention, I want to talk about EPIC. This is exactly the sort of thing the Electronic Privacy Information Center does best. Whether it's search engine privacy, electronic voting, ID cards, or databases and data mining, EPIC is always at the forefront of these sorts of privacy issues. It's the end of the year, and lots of people are looking for causes worthy of donation. Here's EPIC's donation page; they -- well, "we" really, as I'm on the board -- can use the support.

Posted on December 21, 2007 at 11:18 AM • 13 Comments • View Blog Reactions

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Ask has a partnership with Google relating to serving ads, and as part of that agreement, user searches are shared with Google.

Google still stores user searches, even if Ask.com does not.

Posted by: Tangerine Blue at December 21, 2007 12:45 PM

It probably doesn't need saying, but obviously they don't use an opt-in cookie because that would be bad for business. Same reason spammers and almost everyone else uses opt-out instead of opt-in.

Posted by: John Ridley at December 21, 2007 01:09 PM

This seems like the vision for everything from wireless to search, "Personalization and access control with reduced complexity." The problem is with attacks. One attacker with ten attacks is a problem. All the attackers are hidden (anonymous) and all the users are personalized. Being anonymous doesn't let them target you for ads. It lets the attacker(s) run wild. Also from CNet, "BitDefender says ads placed by Google on Web pages were being hijacked by Trojan software, redirecting inquiries to rogue server." Instead of tracking users, companies might want to think about tracking attackers. Maybe they could then find the rogue servers. Maybe it's an AdWords customer they don't want to offend or something. Watch for new ad blocking software. It's needed. Write some.

Posted by: HAL at December 21, 2007 01:28 PM

Funny! "Google's mission is to organize the world's advertising for maximum exposure to Web users. Unfortunately, annoying Web content often overwhelms the page, causing many users to become distracted and overlook the ads.

That's where Google Content Blocker comes in. It effectively blocks all Web site content, leaving only the advertisements."
Source
http://j-walk.com/other/googlecb/index.htm

Posted by: HAL at December 21, 2007 01:38 PM

How does Google Content Blocker work?
You're probably too dumb to understand the technicalities, but we'll tell you anyway. We install special top-secret proprietary software on your system. When you browser to a Web site, this software examines the document. Ads are displayed, and everything else is hidden.

Posted by: Googledork at December 21, 2007 01:41 PM

"Ask should notify consumers when the feature has been disabled..."

When complying with a court order, they are not permitted to allow the user to detect that anything is being recorded for law enforcement agents.

Posted by: torpesco at December 21, 2007 02:47 PM

Ignore the man behind the court order.

Posted by: Alan at December 21, 2007 03:19 PM

I asked EPIC a question via their form and got a 404 in response
(http://epic.org/cgi-bin/contactus.pl)

I haven't read this thread or studied the EPIC website - but my question was how you compared with the EFF. Join forces? Or - is there a different mission statement from you?

Posted by: AV at December 21, 2007 04:16 PM

@AV

EPIC and EFF are different organizations. They both do great work -- and they're both worth supporting -- but they do different sorts of work.

Posted by: Bruce Schneier at December 21, 2007 04:28 PM

@torpesco: Sometimes that's true, sometimes not. If the datasearch is retroactive (Ask handing over already collected info) then whether Ask can say anything depends on the details of the warrant. If Ask is being told to record future searches, then the warrant (or controlling state law) should specify that Ask not say anything.

Posted by: Harry at December 21, 2007 04:49 PM

I'd be more likely to support EPIC if they learned to spell. Page 2, under the image:

"Assuming that you must impalement an opt-out cookie"

Vlad is turning over in his grave right now.

Also "You could implement based URL based search queries." (note repeated 'based')

Just...not professional. I might give you money if you told me you'd spend it on proofreading...

Posted by: tamoroso at December 21, 2007 05:43 PM

I don't see that using a cookie for opting out is, in general, *inherently* such a bad idea.

Setting aside the (orthogonal) question of whether the "feature" in question ought to be opt-out or opt-in, once you have decided to make it opt-out, setting a cookie appears to me quite clearly to be the Right Way to implement that decision. Of course, this assumes that the cookie is implemented right, i.e., all users who opt out get identical cookies, probably just "UseFeatureFoo=No".

What would the alternative be? That the service provider should populate a server-side database with identification about all users who have provided an opting? This would seem to be rather more worrisome than storing the data client-side (i.e., as a cookie).

Posted by: Henning Makholm at December 23, 2007 02:09 PM

In other news:

An individual had a hard drive replaced. Though the old drive contained sensitive data, the repair store did not return the drive afterwards.

http://yro.slashdot.org/yro/07/12/24/0131228.shtml

Posted by: august at December 24, 2007 12:27 AM