Websites Still Failing Basic Privacy Practices

DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"

Read The Fine Print

[candude43]

Or the official rules.

Neither Sponsor nor SoftCoin are responsible for lost, late, incomplete, stolen , misdirected or illegible plays, registrations, entries, Code requests, email, postage due mail or replies to Code requests which are returned as undeliverable mail; or for any computer, telephone, satellite, cable, network, electronic or Internet hardware or software malfunctions, failures, connections, or availability, or garbled, corrupt or jumbled transmissions, service provider/Internet/website/use net accessibility, availability, or traffic congestion, or any technical error, or unauthorized human intervention , or the incorrect or inaccurate capture of registration, Code, entry or other information, or the failure to capture, or loss of, any such information. Neither Sponsor nor SoftCoin are responsible for any incorrect or inaccurate information, whether caused by Website users, tampering, hacking, or by any of the equipment or programming associated with or utilized in the Promotion and assume no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, technical error, theft or destruction or unauthorized access to the Promotional Website.

It's hard to believe that they are "committed to maintaining your trust by protecting personal information" when they disavow any responsibility if it's stolen. But I think that's pretty standard boilerblate.

Re:but realistically

[blueg3]

That's not at all the birthday paradox.

Don't blame P&G or Duracell

[bugs2squash]

It probably wasn't really their website you were entering your details into anyway...

Re:Nobody considers that import

[CRC'99]

It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

Riiight - because people can easily sniff traffic at an ADSL DSLAM, wait no, at the L2TP router, wait not even there, oh - at the upstream to a Tier 1 ISP, no, not their either... So where exactly is someone going to sniff your data?

Oh, you're talking about someone on your LAN or Wifi access point? Well then, you have bigger issues!

Even if you're stuck on a cable node, most of the equipment I've seen filter other peoples data out via MAC of the cable modem - so you can't even sniff there...

This being said, where would the so-called 'privacy breech' sniffing take place?

Re:It's a good thing

[stfvon007]

Well i went to the site and changed http to https, and it brought up the page on an encrypted connection. looks like they aren't forcing you to submit it in the open after all.

Re:but realistically

[gringer]

I think they're trying to point out that it's a problem if anyone gets anyone else's data, rather than anyone getting a particular person's data (namely your own). This seems fairly similar to the Birthday Paradox.

http://en.wikipedia.org/wiki/Birthday_paradox#Same_birthday_as_you [wikipedia.org]

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Nobody considers that import

[telbij]

I don't challenge your thesis, but your example stinks. First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies. The next biggest problem is the database being outright stolen by crackers. Sniffing your POST as it goes across the wire is the least of your worries.

Second, it's just not reasonable to call https standard privacy practice in this case. Standard security practice is to use SSL for "sensitive" information. But it's not standard to consider name, birthdate and address sensitive. You can argue that it should be, but don't try to redefine reality by calling something standard that's not.

Stop making stuff up.

[Anonymous Coward]

"You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?"

1. The form did not/does not require a password.

2. No password recovery systems I've seen in the last 10 years use either your address or DOB as the key. That information is too readily available in the public records...like the phone book. (If you disagree please point out a site/system that does use it).

3. You're worried about the privacy of your address and yet you're signing up for a contest that collects your name for marketing purposes...

4. P&G clearly states they use SSL for sensitive information and they clearly state what they believe sensitive information to be: "When we collect or transmit sensitive information such as a credit card number or health information, we use Secure Sockets Layer (SSL) encryption for added protection. Your browser indicates that SSL is in place by displaying either an unbroken key or a closed lock at the bottom of your browser window." http://www.pg.com/privacy/english/privacy_statement.html#tab2

Re:Ignorance at work

[Ritchie70]

Afraid I don't understand actually.

OK, the merchant shouldn't have your card # on file.

But wait, actually, according to my understanding of current PCI rules, they can have it on file, so long as it's secure from hacking. Not fraud, hacking.

Fraud = an employee steals the number or is fooled into giving it away.
Hacking = IT security breach causes the loss.

So if they wrote it on a piece of paper and put it in a file drawer, it's fine.

If it's in electronic format, that's something they have to prove is secure - or, assuming they're a minor merchant, they have to claim is secure.

Now, we all know how easy it is to fool someone into giving you the card number, but once again, that would be fraud, and is not really covered by the PCI standard afaik.

Re:It's a good thing

[robo_mojo]

It only takes adding an "s" in the form element...

And a valid signed cert, if the site owner doesn't want his users getting annoying warnings...

Re:Sallie Mae e-mailed me my SSN number regularly

[mpaulsen]

It's not hypothetical. SallieMae has sent that email to the wrong person, and it did prove to be easy to crack. In fact, your post sounds an awful lot like... http://www.ownrecognizance.com/salliemae.html [ownrecognizance.com]

They stopped this practice recently
Do you have any details? I'd like to see their announcement of the change.

Re:It's a good thing

[Covener]

When is this "sometimes" you speak of?
If it's >form action="https://server.tld/page.ext"> the data is submitted via https. Period. If you're already on a HTTPS site, a >form action="page.ext"> as enough.
Of course if the site uses JavaScript to read the values and transfer it by other means, that connection should be encrypted too. But if you temporarily disable JavaScript, you're safe.

He surely means in the case the form action explicitly lists http; changing the protocol of the referring page doesn't accomplish anything.

Suggestion: OpenVPN

[toby]

is a great solution [openvpn.net] (Windows, OS X, Linux, *BSD, Solaris, etc). Once you've started the daemon, it's available everywhere you go, transparently. Just proxy your web surfing, mail access through the VPN server.

(Of course in the FA's example, it only encrypts half of the transmission - to your proxy - but it's these edge networks that are generally most vulnerable - home wireless, Starbucks, random offices, hotels, airports and local ISPs. That said, never forget the NSA is listening [eff.org] on core networks.)

Re:but realistically

[holophrastic]

a few things. first, the cert has nothing to do with the encryption. the cert isn't a security tihng, it's a third-party vouching system. if you trust the company in the first place, the cert does nothing for you anymore.

as for the actual encryption, if you indeed believe that someone may be intentionally intercepting your transmissions, then yes the encryption is important when transmitting your credit card information. But it's purely a transmission thing. the https encryption only solves someone intercepting packets during transit.

but on the other end, the company has your card information in plain text. you have no control over what they do with it, nor who gets to see it. that's just you trusting them. but you're not just trusting them, you're trusting everyone with physicall access their systems -- like their janitors, and the punk who repairs their chairs.

but in truth, really none of it matters at all because if you're using a major credit card, you aren't responsible for fraudulent charges. they can steal your card, use it a million times, you get the statement, refuse to pay it, and your credit card company deals with the problem. All of the steps that you can take to lessen the risk of credit card theft do absolutely nothing for you -- they just help your credit card company by sparing them the trouble. It was never your problem. That's the benefit of a credit card over interac.

it's funny, all of those horrible credit card anti-fraud things are marketted as though they are features for you, they aren't. they're annoying and aggrevating, and make it more difficult to use the card -- but they save the credit card company time and money. "keeping your card number safe", it was never my card number, it's their card number leslie.