How to Avoid a Legal 500 Error With Your Privacy Policy
Legal Programming
By Aaron Titus
I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.
In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.
Is Cloud Computing Right for Your Business?
By Craig Nelson – special guest to The Security Catalyst
Cloud Computing.
Is it right for you? Sure.
Is it right for your business? <crickets>
By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.
By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).
Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.
But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?
Three reasons businesses choose the cloud
The business reasons cited for using “the cloud” are likely one or more of the following:
1. Lack of time or expertise (including security) to build and maintain an in-house solution.
2. Seeking the advantage/speed of new features that are released quickly.
3. It’s cheap (either free, or subscription fees).
Beyond simple points, consider the depth and complexity of each.
Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.
With a finite amount of time and resources, many choose to focus on the business and leave the technical challenges to someone else (the cloud provider).
At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.
Can the cloud be more secure?
Many security breaches are due to improper configuration and lax administration and maintenance.
These issues can be pushed into the provider’s hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine if the defect had any consequence (i.e. it was used to compromise data).
If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process. However, it’s a cost that can be readily accepted.
The Cloud – Personal
At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.
Individuals sitting on the sidelines — who don’t trust the cloud — will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers; I say partially because you still need to trust that the software is doing what they say!).
New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.
The Cloud – Business
It’s a bit different at the business level.
Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and if the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather than “public clouds.”
IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”
Is the cloud right for business?
So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.
Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to start to find out:
1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?
2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?
3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?
About Craig Nelson
Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.
On tap at The Security Catalyst for February
Greetings from Myrtle Beach!
We did it.
The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.
More important, we are liberated. I feel grounded, connected and free.
The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.
In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).
On tap for February
Our contributors have some great insights to share, including:
- The key to effective communication and overall success when working with others from Trish
- Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted can enable organizations to “jump the curve” and function well above where they were previously
- Why we need more attention focused on the consequences of actions with a challenge to help prevent and reduce fraud from Sharon
- Using compliance to your advantage without doing damage; as a result – decision makers may be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts from Dennis
- Aaron shares how to avoid a legal 500 error with privacy policies
And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.
Guest Voices
Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.
We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).
Engagement is the key to success
I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!
Connecting and engaging in person is a rich experience, indeed.
To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.
Are you along the way?
If so, I’d love to explore how we work together.
The Three Elements of Action
Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item. Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, you move on to the next subject.
You are relieved to move on, but don’t be surprised when you have to rehash the same subject at the next meeting. Do not mistake movement for progress; your discussion was an utter failure because it lacked the fundamental element to any progress: An Action Item.
Every action item is comprised of three things:
- A Person
- A Deliverable
- A Date
Absent one of these three things, a decision is not an action item. It is a wish. All would-be “action items,” “goals,” or “decisions” which fail to include one or more of these components were a waste of your breath and their time. Action items must be clear, measurable, and have accountability. Unless you want to rehash the same issue at the next meeting, never walk away without identifying a person, a deliverable and a date for each action item, regardless of the subject matter. Let’s analyze some would-be “action items” from actual meetings:
Assignment 1: “Development of a power point presentation to train staff.”
| Person | None. |
| Deliverable | A powerpoint presentation. However, the subject matter of the presentation is not clear in this context. |
| Date | None. This presentation will never be late, because it’s never due. |
| Outcome | Inaction. This is a wish, not an action item. |
Assignment 2: “Staff will take decisive action aimed within the next 30 days at having the new privacy policy ready to be trained upon.”
| Person | Nobody, or more specifically, everybody. Note the excessive use of passive voice. An action assigned to everybody is nobody’s responsibility. |
| Deliverable | None. If you can tease a deliverable out of this, you deserve a raise. What exactly does “decisive action” and “ready to be trained upon” mean? |
| Date | 30 Days. However, this date doesn’t mean much because there’s no deliverable or assignment. |
| Outcome | Inaction. This is a wish, not an action item. |
Assignment 3: “Jane Davis should work with the Communications Department to discuss the issue of posting the entire training program on the website for free downloading to all visitors.”
| Person | Jane Davis. |
| Deliverable | Hold a discussion with the Communications Department. Although they probably intend for Jane to post the training program, her only assignment is to have a discussion. It might have been written better, “coordinate with the Communications department to post the training program by the end of the month.” |
| Date | None. |
| Outcome | Inaction. This is a wish, not an action item. |
Assignment 4: “Kevin Jones will identify key end-users, such as educational and other relevant organizations, and develop a database of end-users, by the end of January.”
| Person | Kevin Jones. |
| Deliverable | Database of end-users. Of course, with this responsibility, Kevin must also have the authority and resources to execute the assignment. |
| Date | January 31st. |
| Outcome | Action. This is an action item. |
The three components of action are a person, a deliverable, and a date. Here’s your assignment: Next time you lead a meeting, don’t rest until you identify the three elements of action for every assignment. It’s the single most effective thing you can do to shorten meetings and avoid rehashing the same issue again in the future.
So let’s evaluate my assignment:
| Person | You. |
| Deliverable | Require a person, deliverable, and a date for every assignment you make. |
| Date | Your next meeting. |
| Outcome | Shorter, more effective meetings, happier employees, and real action. This is an action item. |
6 Things Every CEO Should Know About Privacy Policies
Privacy Policies and Practices are like Yin and Yang. Image under license from stock.xchange.
Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.
Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation. The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of “Privacy Roundtable” discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.
With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company’s privacy policy.
Be Honest
Your mamma was right: Honesty is the best (privacy) policy. Be up front about what you do (or may do in the future) with your customers’ personal information. Many privacy policies make one of three “honesty” mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission. Each carries liability, so it is better to avoid all three.
Don’t over-promise. Your company may be held responsible for the representations in your privacy policy. Look out for phrases like “state-of-the-art,” “everything in our power,” or “our highest priority.” If your company really does use “state-of-the-art” technology to protect privacy, good for you. But you probably don’t, so be honest about it. While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.
Don’t under-promise. FTC guidelines and many state laws require that your company take reasonable and appropriate measures on a case-by-case basis. It may be tempting to try and disclaim all duties to protect your customers, especially if you’ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers’ privacy. Second, you may scare away potential customers, or invite scrutiny (as Facebook well knows). Third, FTC actions have indicated that businesses cannot take a “wait-and-see” approach to consumer privacy. Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if they have made privacy promises to their employees or customers.
Tell the whole truth. Another temptation is to remain conveniently silent on a privacy issue you’d rather not talk about. This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements. Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.
Be Complete & Conspicuous
Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date. The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes. California law also requires that a link to your company’s privacy policy be conspicuous. Most of the time, a link from the home page or in the footer will be sufficient.
A privacy policy is legally compliant when it addresses all of the various legal and regulatory requirements, but it is only complete when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think. For example, a typical University engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of their students. That’s why there can be no such thing as a “boilerplate” privacy policy.
Privacy Policy Must Reflect (Changing) Practices
Like Yin and Yang, privacy Policy and Practice are complementary and inseparable. One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers’ privacy. As FTC guidelines indicate, “Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.”
Get it Right the First Time
Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified. This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information “will not be shared with third parties without [customers'] explicit consent.” Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent. This can even apply to a transfer of personal information in a bankruptcy proceeding.
That’s why it’s important to get it right the first time. Your company’s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers. If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer. It matters.
If You Say it, Do it
We’re all familiar with the Miranda phrase, “anything you say can and will be used against you …” by the FTC. If you make a representation in your privacy or security policy, you’d better be able to live up to it. FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.
Each representation about privacy or security is treated as a “privacy promise.” Feel-good marketing fluff does not belong in a privacy policy, because even “fluff” can create duties or liability, even if the duty is not required by law. Explicit security-related promises (such as a promise to use “state-of-the-art technology”) require that the company take affirmative and ongoing steps to ensure that sufficient security is provided.
For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn’t. In recent years the FTC has taken similar action against Eli Lilly & Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.
If your privacy policy says it, then do it.
It’s Your Business
As a soon-to-be attorney, I can say * that you should have a lawyer review your privacy policy. Lawyers help the privacy policy comply with legal and regulatory requirements, but it’s your responsibility to make sure that the policy is complete. In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.
If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&D. Without their feedback it will be impossible to document your important privacy practices and create a complete privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes. There is one sure way to get in trouble: Relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting. Banishing your privacy policy just to the lawyers may get you in trouble because the end result may be compliant, but incomplete. And ironically, an incomplete privacy policy is a non-compliant policy.
Take Charge
As a CEO, COO, or Managing Director, you should do three things:
- First, read your privacy and security policy. If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.
- Second, make sure you can live up to your privacy policy. Watch out for buzzwords like “state-of-the-art,” “everything within our power,” “always,” and “never.” Make sure that you haven’t painted yourself, your customers, or your employees into a corner.
- Third, update your privacy policy to reflect your business practices, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.
* No bias, and a healthy dose of sarcasm. In this case the author wishes to think of his opinion on the lawyers as an expert opinion rather than a biased one. In the author’s experience, there is occasionally little difference between “expert” and “biased” opinions.
Amplifying the Good: The Security Catalyst Online Experience 2010
As the snow starts to cover the ground in Upstate New York, my thoughts are already turning to the year ahead. I’m not at all disenchanted with the Holidays; I’m just excited about the journey ahead with the Catalyst onTour RV adventure. Equally exciting to me is the programming that will be presented by the Security Catalyst in 2010.
The Security Catalyst is designed to be a clearinghouse of bright ideas from a collection of passionate and thoughtful professionals. I believe that more voices, more perspectives, and more discussions are essential to influencing the positive change we need. To that end, we have spent the last few months sharpening our focus – based on the needs of the industry – and developing themed columns and a revised approach to producing readable, actionable content.
We will introduce the bulk of the series in December, and continue rolling out new features and opportunities to engage as the year progresses. So as I travel the country to meet with as many people as possible, we will shine an increasingly bright light toward the future on the pages of the Security Catalyst Online.
The Security Catalyst Online Experience: Amplify the Good
Our mission is simple: amplify the good. A dozen contributors give of their time and experience to help advance the profession. Take a moment to consider the diverse programming prepared for 2010. Each of the contributors spent a few weeks developing a column and outlining key ideas and concepts to guide what we share in the coming year.
We’re working on a production cycle and are implementing a peer review process in 2010. In the coming weeks, I’ll showcase the contributors, reveal more about their series and provide the opportunity to engage with them – for the benefit of everyone!
We welcome feedback – comments, questions and challenges – to help shape our efforts and provide outstanding value for you and your efforts.
Security Social Worker — by Trish Smith
Trish Smith explores the perspective of a licensed MSW on the information security field. In the overall spectrum of topics, which all center on the juncture of technology and people’s thoughts, feelings, and behaviors, Trish’s focus will be on people and how to turn a change concept into reality.
Foundational Identity Management – by Ioana Bazavan Justus
Ioana Bazavan Justus will share her extensive experience in implementing Identity Management at Fortune 50 companies in a 14-part series that is focused not on the technology, but on the process pitfalls and data preparation – the aspects that, if ignored, will make an IAM implementation fail. I’ve known Ioana for over a decade, and her ability to understand, explain and get results is amazing. I’m really excited about this series.
Organized Fraud Prevention – by Sharon Shaw
Sharon Shaw is more than an expert on preventing fraud – she is passionate about sharing ideas, insights and strategies that bring a new focus by explaining the (sometimes hidden) challenges every organization faces. She then provides thoughtful, straightforward solutions.
Leading from the Front – by Martin Fisher
Martin Fisher is a leader (my word, not his) that has engaged me in great conversations about leadership, management and the future of the industry we both serve. He’s agreed to share his thoughts and the secrets of his success to help influence positive change in 2010.
Security From Scratch – by Dennis Kuntz
Dennis Kuntz is gifted in a lot of ways, and I originally wanted to call this the “one man band” given his musical prowess. However, since he’s embarking on an effort to build security from scratch, we deemed it to be a more fitting title. We’re still tweaking the outline – but the goal is to harness collective experience and provide clear insights to the challenge many of us face: building security into an existing organization. Where to start? What to do? And what really matters… tune in and find out.
The Privacy Advantage – by Aaron Titus
Aaron Titus is focusing on the positive aspects of privacy. Instead of dwelling on the shortcomings of privacy, Aaron will set forth the keys to turning a focus on privacy into an advantage.
Security… Psych! – by Jeff Kirsch
Jeff Kirsch blends security with psychology – not only an interest for him, but a vocation for his wife. Jeff will share insights that improve the way we practice security based on how we think, behave, and learn.
Managing Your Compliance – by Jim McFee
Jim McFee knows compliance. He knows audits. As someone that has sat on “both sides of the desk,” Jim is ready to share two decades of experience on how to set up and run an effective compliance and audit program. Emphasis on how to actively manage audit and compliance for outstanding – and harmonious – results.
Awareness that Works – by Michael Santarcangelo
Starting in January, Michael Santarcangelo (your humble Catalyst) will share his unique and effective approach to building “awareness that works.”
Ioana got started in November, and the balance of the contributors will introduce their columns this month, with a nugget or two to ponder and digest over the holidays. By January, we’ll be running full tilt – loaded with ideas, insights and success for 2010.
Privacy Commons for Government
by Aaron Titus
“Unconferences” (hat tip to identitywoman) are great opportunities to network, gather and share information. They attract bleeding-edge leaders on emerging problems and technologies. My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation. The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked hill staffers who use IE6 and must cope with information overload. We also got a preview of GovLuv.org. If you have an interest in social networking and government, I highly recommend looking at some of the blog articles.
Scrubbing The Web
I have been using Privoxy for many, many years. It was actually called the Internet Junkbuster when I was first introduced to it. In early 2000 when I started getting into security and privacy, it was one of the first tools I began using to disguise my user-agent string.
Modifying a user-agent string is a simple way to avoid malware infections from websites that use the user-agent string as a method to determine the browser type and version in order to infect or hijack a browser (most common with IE). I modify the user-agent string to this day. However, what I do now is pretty subtle. I add or remove a single dot somewhere within the string. This way, if someone quickly glances at logs, my new customized user-agent string doesn’t stick out like a sore thumb.
Another reason I like using Privoxy is to block banner ads. Especially today, with all the XSS vulnerabilities going around, this is a quick and simple way to eliminate this threat. I also believe in cookie management. Privoxy can be used to manage your browser cookies and how they interact with websites. You can block them altogether or modify them to force a particular behavior, such as whether they are session cookies or permanent cookies. I know this is possible from within the browser, but Privoxy offers many more options and more flexibility for cookie management. It’s really cool stuff once you get into cookies and the how and why they work.
Privoxy is an effective tool for controlling tracking web bugs. Web bugs are tiny 1×1 images used to report back to a company (website) whether you have opened or visited a certain page. Once this 1×1 image is rendered by the browser, various statistics are sent back to the requesting server such as the IP address, date and time, browser version and type, etc. This information is usually sent directly to a third party which usually is an advertising company. But there are other uses for this technology such as by some services that will advise you when an email (including webmail) has been read.
Lastly, I like Privoxy because I can also control the referrer. When a connection is made to a website, the browser will let the web server know which URL it came from. This is called the referrer. With Privoxy it’s possible to modify or block the referrer string that is sent to a web server when a new connection is made. This way web servers think you browsed directly to the URL instead of having clicked from a link (being referred by).
Privoxy is a proxy. It runs in the background. I install it locally on every computer I have. I have it run locally on the loopback interface, which is the default. The browser will need to be configured to use the local proxy for it to perform the necessary scrubbing. For myself, Privoxy is simply another tool or software like antivirus, antispyware, etc. It doesn’t matter whether I’m on Windows, Mac or Linux, I install and use Privoxy when possible.
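To make the four scrubbing jobs described above concrete (a subtly altered User-Agent, a blocked or conditional referrer, cookies forced to session lifetime, and blocking of ad hosts and 1×1 web bugs), here is an added example of the header filtering a local proxy like Privoxy performs. It is not Privoxy’s code; the function names, the block-list hosts, and the sample headers and GIF bytes are all constructed for this illustration.

```python
"""Request/response scrubbing filters in the spirit of a local privacy proxy.

Added example, not Privoxy's own code. All names and sample data are
constructed for the demonstration; the block list below is hypothetical.
"""
import re
import struct
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed block list of ad / tracker hosts (hypothetical names).
BLOCKED_HOST_PATTERNS = [
    re.compile(r"(^|\.)ads\.example\.net$"),
    re.compile(r"(^|\.)tracker\.example\.org$"),
]

# Constructed sample bodies: a 1x1 "web bug" GIF and a 468x60 banner GIF.
# A GIF header is the 6-byte signature followed by width and height as
# little-endian 16-bit integers, then three more header bytes.
TRACKING_PIXEL = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
BANNER_IMAGE = b"GIF89a" + struct.pack("<HH", 468, 60) + b"\x80\x00\x00"


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_blocked(url: str) -> bool:
    """True when the request host matches a block-list pattern (banner ads, web bugs)."""
    return any(p.search(_host(url)) for p in BLOCKED_HOST_PATTERNS)


def subtle_user_agent(ua: str) -> str:
    """Add one dot after the first product/version token.

    'Mozilla/5.0 (X11; Linux) Gecko' becomes 'Mozilla/5.0. (X11; Linux) Gecko':
    a change that does not stand out in a server log, as the article suggests.
    """
    return re.sub(r"^(\S+?/\d+(?:\.\d+)*)", r"\1.", ua, count=1)


def scrub_request(url: str, headers: Dict[str, str], block_cookies: bool = False,
                  keep_same_site_referer: bool = True) -> Optional[Dict[str, str]]:
    """Return scrubbed request headers, or None when the request should be blocked."""
    if is_blocked(url):
        return None
    out: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "user-agent":
            out[name] = subtle_user_agent(value)
        elif lname == "referer":
            # Keep the referrer only for first-party navigation; otherwise drop it,
            # so the server sees what looks like a direct visit.
            if keep_same_site_referer and _host(value) == _host(url):
                out[name] = value
        elif lname == "cookie" and block_cookies:
            continue  # crunch outgoing cookies entirely
        else:
            out[name] = value
    return out


_COOKIE_LIFETIME_ATTR = re.compile(r";\s*(expires|max-age)=[^;]*", re.IGNORECASE)


def session_only(set_cookie: str) -> str:
    """Strip Expires/Max-Age so the browser keeps the cookie only for the session."""
    return _COOKIE_LIFETIME_ATTR.sub("", set_cookie)


def is_web_bug(content_type: str, body: bytes) -> bool:
    """Detect a 1x1 GIF (the classic tracking pixel) from the GIF logical screen size."""
    if not content_type.lower().startswith("image/gif"):
        return False
    if len(body) < 10 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", body[6:10])
    return width == 1 and height == 1


def scrub_response(headers: Dict[str, str], body: bytes,
                   block_cookies: bool = False) -> Tuple[Dict[str, str], bool]:
    """Return (scrubbed headers, web_bug_flag) for a server response."""
    out: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "set-cookie":
            if block_cookies:
                continue  # crunch incoming cookies
            out[name] = session_only(value)
        else:
            out[name] = value
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return out, is_web_bug(ctype, body)


if __name__ == "__main__":
    req = {"User-Agent": "Mozilla/5.0 (X11; Linux) Gecko",
           "Referer": "http://search.example.org/q?x=1", "Cookie": "a=1"}
    print(scrub_request("http://www.example.com/page", req))
    print(scrub_response({"Content-Type": "image/gif",
                          "Set-Cookie": "t=1; Max-Age=999"}, TRACKING_PIXEL))
```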