SiliconFilter

Why Security Researcher Who Discovered iPhone Location Data Long Ago Almost Went Unnoticed

/

As more information about the “secret” location-data file on Apple’s iPhone 4s and iPad 3Gs becomes available, the story surrounding this discovery is becoming more about the people involved than the location data itself. As it turns out, Alex Levinson, a student at the Rochester Institute of Technology, had long discovered this file in his research and work with forensic firm Katana Forensics. Katana Forensics produces a tool called Lantern, which can extract this data and map it in Google Earth’s KMZ format. Levinson also presented his findings in an IEEE journal all the way back in 2007. So why did the blogosphere and mainstream press go crazy about this affair yesterday (including me) and why was Levinson, who emailed virtually all major publications about this yesterday afternoon Pacific Time, ignored by all but a few outlets (again: including me)?

Note: a lot of this is inside baseball about how the blog sausage is made. If that’s not of interest to you, here is the tl;dr: Levinson’s email to the press was flawed and his research was only available in academic publications.

Why Was Levinson Mostly Ignored?

Talking to Gigaom’s Bobbie Johnson, Levinson explained his findings in detail, but also made this observation:

He adds that the press missed the story first time around, and now seems more focused on the horror of data storage than the reality (there, for example, is no evidence that the data is sent back to Apple at the moment).

‘I do blame the press somewhat for sensationalizing them without recourse,’ he says. ‘I emailed 20 of the top media outlets who covered this, linking them to my side — none of them replied, except a famous blogger who cursed me.’” (my emphasis)

To his point about missing the story the first time around: it’s a point well taken, but I should also note that his research was published in 2007 in the Hawaii International Conference for System Sciences 44 – not a publication most journalists and bloggers read at bedtime. He also published more about this in a book on iOS forensic analysis, but that, too, isn’t something even those of us who did a bit of research on this topic yesterday could have easily spotted. The sad reality is, neither the press nor blogosphere was going to pick up on this story unless somebody made us aware of it. As far as I know, nobody did.

As to why he was ignored yesterday: Every day, press and bloggers get pitches from “experts” about various topics. The reality is, we ignore 99% of those (and no, it wasn’t me who cursed at him). There were a few problems with Levinson’s pitch that made it even easier to ignore:

a) he didn’t use bcc and cc’ed everybody on the list (a pet peeve of reporters and other cubicle dwellers alike). Given the amount of emails flowing into most bloggers’ and reporters’ inboxes, emails like that immediately go to the bottom of the pile, especially after the second comment about the missing bcc arrives. A rookie PR mistake.

b) none of the pertinent information (links to the old publication etc.) was in the email – just a link to a blog post and to a blog nobody had ever heard of. Also, statements like “You will want to read this” and “it would be in your best interest to review what I have to say” are something most of us read about 50 times a day and just ignore.

The fact that I failed to see the value in Levinson’s pitch is obviously nothing to be proud of, but I thought you deserved a bit more of an explanation for why this story went mostly unnoticed the first time around and why Levinson’s voice was not heard until the news cycle was already over. I’m glad it’s being heard loud and clear now.



8:55 am


Mozilla's Asa Dotzler: "Chrome Team is Bowing to Pressure from Google's Advertising Business"

/

Among the major browser vendors, Google’s Chrome is currently the only one that has not signed on to use the Do Not Track feature that Mozilla has been lobbying for. While Microsoft, Apple, Firefox and Opera have either already implemented this feature or will do so soon, Google is still holding out. According to Mozilla’s director of community development Asa Dotzler, the “Chrome team is bowing to pressure from Google’s advertising business and that’s a real shame.” Indeed, Dotzler says in his blog post, this situation is similar to what happened when Netscape released version 7.0 of its browser.

For Netscape 7.0, which according to Dotzler “was basically Mozilla 1.0 with a Netscape theme and a couple of proprietary Netscape features,” Netscape decided to remove the pop-up blocker that Mozilla 1.0 had just developed. The Netscape team had to bow to the pressure of AOL/Netscape as those sites depended on advertising money (including pop-up ads) to fund their work. The next version of Netscape did include the pop-up blocker, but excluded all Netscape/AOL/Time-Warner sites from this by default.

Pressure from Advertisers – Or Something Else?

It’s hard to say if it’s really pressure from Google’s advertising side that is keeping Chrome from supporting the Do Not Track feature. In its current form, browsers that support this feature just sent a header to the server that tells the publisher and advertiser that this particular user is opting out from being tracked. In its current form, this feature is – at best – a public demonstration that you would like to opt out, but advertisers don’t have to honor it. Indeed, you can’t even know if advertisers have seen it and intent to respect your choice. As such, pleading support to a feature that currently has no real effect is pretty easy at this point.

This could change in the long run, though. Given that various government agencies have started to look into online tracking and its privacy implications, online advertisers have every interest in supporting this feature if they want to continue to self-regulate without interference from Washington. In the comments on his post, Dotzler rightly notes that it’ll be impossible to get 100% of advertisers to agree to using this feature. Once you get a majority of them on board, though, you can “shame the remaining 20% by telling the user when they visit those sites that those sites aren’t honoring their wishes”

So what do you think? Is the Chrome team under pressure from the rest of Google to ignore this Do Not Track feature? Or is Google just waiting to see what happens and will implement this later?



10:37 am


Don't Track Me: Google Makes Opting Out of Ad and Data Tracking Easy

/

About two years ago, Google launched a browser plugin that allowed users to opt out of the company’s ads tracking mechanism. By tracking your moves around the Internet, Google – and most other advertising companies – can ensure that you see relevant ads (read: ads you are likely to click) on the pages you visit. Today, just a few hours after Mozilla announced its plan to offer a do-not-track tool for Firefox, Google announced its own Chrome plugin that allows users to permanently opt out of personalized ads and data tracking from not just Google but a wide range of other online advertising companies as well.

According to Google, there are currently 50 advertising companies that are part of the Network Advertising Initiative (NAI), including the 15 largest ad networks, that will now let you opt out of data tracking through this plugin. While the add-on is currently only available for Google’s own browser, the company has released the source code on an open-source basis and plans to make it available for other browsers as well.

Keep My Opt-Outs Chrome Web Store

Until now, Google’s opt-out mechanism – and that of its competitors – worked reasonably well, but every time you cleared your browsers’ cookies, you would lose your settings. This new tool makes your choices permanent.

Once you have installed the plugin, you can head over to About Ads, the “Self-Regulatory Program for Online Behavioral Advertising” to check if the plugin works.

So what changes once you install the plugin? According to Google, “you may see the same ads repeatedly on particular websites, or see ads that are less relevant to you.” Not much of a price to pay if you want to keep your browsing habits a bit more private.

Clearly, Google isn’t doing this just out of the goodness of its heart. There has been a lot of pressure on online advertising companies to enhance their users’ privacy. In the U.S., for example, the FTC just issued a major report on Internet privacy in December that endorses the idea of a “do-not-track list.” Instead of dealing with federal regulations, the advertising industry would obviously prefer to self-regulate and plugins like this are a step in this direction.

google_opt_outs.jpg



10:47 am