Websites Still Failing Basic Privacy Practices

DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"

It's a good thing

[XanC]

That Firefox saves the nasty warnings for Web sites that are encrypted!

but realistically

[Anonymous Coward]

HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.

This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.

I think in this case, it's more important what they do with the information once they receive it.

That said, I think there should be default encryption wherever possible automatically.

Right...

[Anonymous Coward]

"XXXXX is committed to maintaining your trust by protecting personal information we collect."

Means nothing when every website harvesting your info says that.

Re:Right...

[Ethanol-fueled]

Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form

People actually do that? Legend has it that some folks still fill out meatspace paper rebate forms so that they could wait 60 days to receive a 65-cent check in the mail.

Re:Nobody considers that import

[DigitAl56K]

That level of privacy is not considered important by anybody.

It is by me (obviously) ;)

You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?

With specific regard to "trust", here you have a website asking for a bunch of personal information without taking the most basic precautions to protect it in transit and without an SSL certificate that identifies the owners to inform you where the data might really be going to.

It was enough to make me cancel out.

Re:Nobody considers that import

[tokenturtle]

Exactly. The junk mail that's in my mailbox every day has more detailed information on the outside of the envelope. This is really a non-issue.

Re:Taxcut http

[rriven]

It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

That is how all the sites that don't handle CC or SSN's do it. It reduces overhead and load time. Even gmail did until recently.

Re:but realistically

[Anonymous Coward]

HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it.

You've fallen for the birthday paradox. The relevant probability is not whether somebody who wants your data is on the same subnet as you. The relevant probability is whether somebody who wants personal data is on the same subnet as somebody who doesn't want to give it to them. This is a massively more probable event.

Re:Nobody considers that import

[DigitAl56K]

If your junk mail shows your date of birth and password I'd be worried. It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

BTW what has happened to /. tonight? If Google switched their login page to http would nobody care?

Re:Nobody considers that import

[dreohio99]

Your information is already out there in public records. Google your phone number and see what comes up. If the form asked for SSN or driver's license number I would be a bit more cautious. As far as passwords, it is already considered a bad practice to use the same one on a shopping website as your bank or credit card account websites.

Re:Taxcut http

[FLEB]

Actually, I've heard this discussion come up before-- generally, you want the login form SSL encrypted, as well, to verify the identity and integrity of the form. Otherwise, it leaves the possibility for phishing, poisoned DNS, or a man-in-the-middle attack that rewrites the form to submit to a malicious intermediary. (Granted, a person viewing the code could see that last one, but I know I certainly don't eagle-eye the action param on every form I submit before I hit "go".)

Re:Nobody considers that import

[Zero__Kelvin]

You missed the real story, to wit:

"Internet users still can't seem to get the basics of privacy and security on the Web pulled together. Web users still offer up information they consider to be private and sensitive, on the almost zero chance they will win a Wii, to companies about which they know little or nothing. They still believe the company can and should be trusted with their data, based solely on the fact that the companies products have a little brand recognition ..."

Re:Nobody considers that import

[Kent Recal]

Exactly. This "article" is yet another bad joke (slashdot disappoints a lot lately).

Dear "DigitAl56K": If you're so worried about losing your first and lastname on the interwebs then why the hell do you participate in retarded lotteries?
Here's a little secret: If you don't push that submit button then nobody will ever get your information!

Re:Nobody considers that import

[cycleguy55]

Yeah, the only people that want that level of data are those involved in identity theft. Given the number of people who have had their lives turned upside down through identity theft, we should all be vigilant - including challenging any and all Web sites that don't use proper practices to protect personal information.

"maintaining your trust"

[iminplaya]

How can they maintain something they'll never have?

Re:Nobody considers that import

[antic]

Easy publicity for Duracell. Have someone complain about a non-issue with your competition, and get free press.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:It's a good thing

[palegray.net]

While the responsibility does lie with the consumer to take appropriate technical measures to safeguard his personal information, is it too much to ask for a company to make SSL the default when submitting information?

It only takes adding an "s" in the form element...

Re:but realistically

[blueg3]

What they're trying to point out is that while it may be rare that anyone is out to steal your personal information, people stealing personal information in general is quite common.

While this may bear a passing resemblance to the birthday paradox, it isn't the birthday paradox. It's like when people claim that X has something to do with relativity. They're almost always wrong. The birthday paradox is a very particular statistical error, and this isn't it. :-)

It's actually easier, anyway, to point out that someone trying to specifically steal "your" credentials just isn't the way it's done. That's a rare attack, because the investment is high compared to the reward. It's far easier to, say, run a credential-harvesting script in a local Starbucks with free wireless every day for a couple of weeks. (It's also rare, though more devastating, to just grab the personal information off of their server.)

Re:but realistically

[Anonymous Coward]

The birthday paradox is a very particular statistical error, and this isn't it.

Yes, it is. The birthday problem is simply this:

Given a set S, what is the probability P(S) that there exist elements (x, y) in S such that x <> y and p(x, y) is true?

The "paradox" comes about because most people misread the above to mean:

Given a set S and an element of the set x, what is the probability P(S, x) that there exists an element y in S such that x <> y and p(x, y) is true?

They're two different problems, but when worded right most people don't recognize that they're different.

Re:but realistically

[holophrastic]

I certainly agree with your first sentiment -- not everything needs to be encrypted. I certainly see the value in encrypting cash and effetively-cash information -- like credit card information. But honestly when it comes to simple privacy information, https is way over-kill. I don't want to slow the web down by 300% just to encrypt everything. Not only is it not necessary -- it's not like packets are intercepted frequently -- but it's by far no where near the weakest link.

I've been to, and photographed, bank machines that use external modems, loose and visible cables, and simple network jacks that could be easily by-passed. You're mail in most physical mailboxes is wide open for viewing. Hey, your licence plate is just sitting in your driveway.

But by far, don't worry about the guy stealing your packets. Worry about the 16 year-old at the gas station that takes your credit card. The secretary at whatever company that answers the phone, the customer service agent. These people are all effectively able to intercept your packets, and you talk to them willingly as customer service for every company you've ever called where you weren't talknig to the owner.

Our industry here is one where the principles of security have matured to the point where it seems like everything needs to be high-security. But in reality, every other industry on this planet is wide open by comparison.

I'm reminded of something as simple as the sign at my local performing arts theatre that reads "no audience members beyond this point", engraved into a plackard beside the door to back-stage. However the door itself is unlocked. I go back after every performance to express my appreciation.

Security for security sake is not only stupid, it's dangerous. It's what had me removing my shoes crossing the border last week. And in the end, after all of the security, I still wound up flying into and out of the U.S. with a knife in my pocket that everyone -- including myself -- missed entirely.

Security is necessary only to the point where something needs securing -- that means it has value, someone wants it, and someone is trying to take it. That last part is vital to the equasion. Securing something that no one is trying to steal is a waste of effort, money, resources, time, and other liberties. You know, like three hours at an airport to take a $35, 25 minute flight.

What the OP fails...

[BrokenHalo]

...to mention is that the whole point of a lot of those online forms (such as competitions etc) is to provide an opt-in to any kind of marketing dreck the the site owner (or any of his mates) cares to send you.

The best way to keep your personal information private is to not hand it out. I know that should be obvious, but the fact seems to escape people when they appear to be being offered free ponies (or whatever).

Re:but realistically

[speedingant]

If information is freely flying through the air, without encryption, does that mean he is doing something wrong?

Re:but realistically

[Library Spoff]

my online dvd rental company (dvdrental.cd-wow.com) emailed me to tell me i needed to update my credit card details - my card runs out at the end of the month. Their ssl cert ran out the end of July. When i contacted them to tell them this they basically said "Don't worry about it, it's all secure, your details don't leave the uk" etc.

As i'll be adding new card info they won't be getting my business until it's fixed...

Re:Nobody considers that import

[whoisjoe]

I did google my phone number (although I admit that its a mobile phone). All I got were references to the area code and exchange, and one reference to my wireless provider.

Re:slashdot

[blitzkrieg3]

Except that doesn't make any sense. How do they know you're a subscriber when you haven't logged in yet?