Mozilla takes on web data miners with privacy icon release

Mozilla has pushed out a series of privacy icons that tell web surfers how their online data might be used depending on what site they've visited. The open source browser maker's user interface design guru, Aza Raskin, who announced just last week that he was leaving Mozilla in January, released an alpha version of the icons …

COMMENTS

This topic is closed for new posts.
  1. g e

    Registration tactic

    If, like me, you have your own domain and wildcarded email (e.g. google apps mail) then it's always an idea to register with sites like hootsuite@mydomain.com, yahoogroups@mydomain.com, facebook@mydomain.com, etc.

    Then if spam comes to somesite@mydomain.com you know who sold your email addy.

    1. Tom 35

      Not just for spam

      It also makes it a bit harder for data sharing outfits to link your different accounts as belonging to the same person.

    2. M Gale

      That works most of the time...

      ...however on more than one occasion, I've opened the email client to find a hundred emails to "port1@", "port2@", etc, etc.

      Still, that's what whitelists are for I suppose.

    3. JimC

      >you know who sold

      I used to do that but...

      - I decided it didn't help knowing the SObs had sold me email address

      - in any case the email address was as likely to have leaked through malware attacks or poor security as it was to have been sold...

    4. primeatech.com

      Agreed...

      I always register with a spam email address if I am unsure of the site, such as bbcSPAM@primeatech.com or facebookSPAM@primeatech.com.

      You will be surprised at how many emails you do not get when you include the word SPAM in the email address, roughly a 15-1 difference between emails that do not have the word SPAM and the ones that do have the word SPAM as part of the email address.

    5. McWibble

      <insert witty title here>

      ...or if you don't own your own domain but instead have an address like myname@generic-isp.com then you can add a plus sign and the site name after your own name so it becomes myname+facebook@generic-isp.com, myname+register@generic-isp.com, etc...

      Used this method myself quite a lot with my gmail account...

    6. James 139

      Indeed

      This is a good idea, but sometimes it's not been sold, it's been randomly guessed, stolen (as in hacked from the website somehow) or obtained because someone else uses a similar system and got compromised.

    7. neverSteady

      Indeed

      It also allows you to send an invoice to said company for $500. They won't pay, but they will most likely remove your email address from their sell lists.

    8. CraigRoberts

      GMail

      Gmail does that too - yourusername+anystring@gmail.com allows you to customise your email address on their free service... Very handy.

    9. Allan George Dyer

      This works fine...

      Until somesite starts searching the submitted addresses for its own name, and substitutes "competitorofsomesite@mydomain.com" in the addresses it sells.

      Good thing they haven't figured that one out yet, keep it a secret everyone, OK?

    10. Phil Endecott

      Re: Registration tactic

      > register with sites like hootsuite@mydomain.com, yahoogroups@mydomain.com,
      > facebook@mydomain.com, etc

      Yes, I've been doing this for a decade or so. Most of the spam comes from:

      - Addresses harvested from bugs.debian.org, where bug reporters' email addresses are not obfuscated. This is my single largest source of spam, by far.

      - Companies whom I've bought things from who "forget" that I opted out of their "marketing emails", or whose "click here to unsubscribe" forms just don't work. This includes many apparently-legitimate well-known businesses.

      - Friends who have, presumably, suffered some sort of malware attack that has copied their address book (maybe one message per month).

      The number of cases where one company seems to have sold my email address to another is very small. I can recall two:

      - Watford Electronics seems to have sold or given my address to another company (I forget the details now, it was a few years ago).

      - The address that I gave to RBS WorldPay was used to send spam from one of their competitors. I suspect that might have been an ex-employee taking a customer list with them, or something.

      So in summary, my experience is that the sale of email lists is not a huge problem compared to (a) harvesting from websites like bugs.debian.org and (b) companies sending spam to their own (ex-)customers, ignoring their opt-out requests.
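
An added example, not part of any comment above: one way to keep the per-site alias tactic honest is to record which aliases were actually handed out and classify incoming mail against that list, so guessed addresses such as "port1@" are not blamed on a site. The registry, domains and sample deliveries are constructed, and matching on the sender's domain is an assumption (a From address can be forged).

```python
from collections import Counter
from email.utils import parseaddr

# Constructed registry: alias local part -> domain of the site it was given to.
ISSUED = {
    "hootsuite": "hootsuite.com",
    "yahoogroups": "yahoo.com",
    "myname+facebook": "facebook.com",
}
BASE = {"myname"}  # untagged mailbox names (assumed)
MY_DOMAINS = {"mydomain.com", "generic-isp.com"}


def _split(addr):
    """Return (local part, domain) of an address, lower-cased."""
    local, _, domain = parseaddr(addr)[1].lower().rpartition("@")
    return local, domain


def classify(rcpt, sender):
    """Classify one delivery by the alias it was addressed to."""
    local, domain = _split(rcpt)
    sender_domain = _split(sender)[1]
    if domain not in MY_DOMAINS:
        return "not-ours"
    if local in BASE:
        # Tag absent or scrubbed back to user@domain: no attribution possible.
        return "untagged"
    site = ISSUED.get(local)
    if site is None:
        # Never handed out, so it was guessed or dictionary-generated.
        return "guessed"
    if sender_domain == site or sender_domain.endswith("." + site):
        return "expected"
    # The alias reached a third party: sold, breached or harvested. The alias
    # shows where the address was exposed, not how.
    return "exposed-via:" + site


# Constructed sample deliveries: (envelope recipient, From header).
DELIVERIES = [
    ("hootsuite@mydomain.com", "news@hootsuite.com"),
    ("hootsuite@mydomain.com", "Deals <promo@bulk-offers.example>"),
    ("port1@mydomain.com", "x@bulk-offers.example"),
    ("port2@mydomain.com", "x@bulk-offers.example"),
    ("myname+facebook@generic-isp.com", "notify@mail.facebook.com"),
    ("myname@generic-isp.com", "promo@bulk-offers.example"),
]


def summarize(deliveries):
    """Count deliveries per classification."""
    return Counter(classify(r, s) for r, s in deliveries)


if __name__ == "__main__":
    for label, n in sorted(summarize(DELIVERIES).items()):
        print(f"{n:3d}  {label}")
```
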

  2. twunt

    Abuse

    What's to stop someone using the icon, and still using your data anyway?

    Pointless.

    - Block all third party cookies

    - Install Adblock Plus with Easy List and Easy Privacy

    - Install Ghostery / No Script / TACO depending on how paranoid you are

    Or just clear your cookies after every session.

    1. Lee Dowling Silver badge

      Agreed

      Agreed. If you're selling my data anyway, you obviously don't care about my privacy. And it's like all things online - if I don't GIVE you the information, you can't USE that information poorly (a.k.a. Facebook syndrome - don't put your mobile number on there, and people can't suck your mobile number from it!).

      Funny that you have to wear the equivalent of a web-condom for every site you go to. But then asking thousands of separate, globally-distributed entities to all respect even a single set of laws is wishful thinking, let alone respect your advertising preferences.

  3. Graham Marsden

    What's useful...

    ... is having your own domain.

    That way, when XYZsite wants an e-mail address you can create an e-mail address at XYZsite@mydomain.co.uk so if you subsequently get spam it makes it blatantly obvious who has been profligate with your details.

    1. M Gale

      Yep.

      And strangely enough, I have yet to have any emails to "bofh@" that don't come from Team Reg in one shape or another.

      Go El Reg!

      (already-declared caveats about spammers trying brute force still apply)

    2. Fatman

      RE: What's useful...

      Then turn around, and forward that spam back to XYZsite.

    3. Jonathan Walsh

      Re: What's useful...

      Or just get a standard gmail account and use the + trick, i.e. somename+facebook@gmail.com would get to somename@gmail.com

      1. Ben Tasker

        @Jon

        Bad news is that it doesn't work!

        Or to be more accurate, a lot of sites (I'd say especially those who wish to spam) won't allow the + in the email address. They either truly believe it's an invalid address, or they are trying to stop people using that trick.

        That said, when a site returns "Invalid Email Address", it does tend to make you decide to go elsewhere.

      2. Anonymous Coward

        gmail (and other providers) with extensions

        "Or just get a standard gmail account and use the + trick i.e somename+facebook@gmail.com would get to somename@gmail.com"

        You don't think the spammers are smart enough to figure that out? Filtering the bit after the + out of gmail addresses isn't exactly rocket science, so if the seller of the addresses gives a damn about being found out, they'll just filter the addresses before selling them.

        The + function is a handy way to filter legitimate e-mails into different folders (or color-coded stars, or whatever metaphor google is using these days), but it's not really all that useful as a spam fighting tool.

    4. Jeremy 2

      Or...

      Domains are nice but even without, you can just use the old +appendage trick:

      somebody+facebook@gmail.com

      A lot of mail providers will deliver mail addressed as such to the username specified before the + symbol so even without a domain, you know who's messing you about. Kinda like the old 'fake middle initial' trick for snail mail. Don't ask me to be more specific about which mail providers support this, though - way too much Christmas booze consumed already but Gmail definitely do.

      On topic, these icons will never gain widespread use. Well, the 'good' icon might but with one having a green outline and the other red, the latter basically screaming 'WE SELL YOUR INFO' from the page, no company that does is going to put them up voluntarily.

    5. heyrick Silver badge

      Don't need a domain for that.

      Yahoo! mail offers up to 500 "disposable" accounts, based around a prefix. So we could have vulturecentral-facebook@yahoo, vulturecentral-google@yahoo, vulturecentral-somecrapsite@yahoo and so on. I don't think I have more than two dozen, if that.

      The downside? You have to set up each address.

      The upside? Delete a spammed address, it's no longer your problem.

  4. DrXym

    What is needed but it wouldn't be perfect

    Is for someone to sign up to as many sites as possible with some pseudos with unique ids and then measure the volume and origin of any spam they can receive. Compare the amounts of spams to the site T&C and name & shame the offenders. That info could certainly be encapsulated into some kind of add-on that browsers could reference.

  5. Anonymous Coward

    Meanwhile, Mozilla And Google Conspire

    ...to get all the URLs you type in. It's all done for your security, af cooorze. You don't believe it ? Just plug a firewall in between or use WireShark. And I am not talking about the search box in the right - I am referring to the main URL box !

  6. Charlie Clark Silver badge

    The perils of self-certification

    Just like P3P this is just another touchy-feely attempt to fill a gap in regulation. What's needed is consistent and co-ordinated data protection legislation that is also effectively enforced.

  7. Gannon (J.) Dick

    Past tense ?

    I like any ideas which enhance privacy, including having your own domain.

    But why the past tense ? ... we've already collected your personal information and may or may not do something smarmy with it ... I can see this icon appearing on webform "thank you" pages, by which time it will be too late.

    Wouldn't it be better to flag the first offender in the History List and require the flag to be reset by the user ? And no spammers, there is no soft reset available. There should be some way to poll the flag so that a subsequent page's form can refuse submission until the flag is set (or reset).

  8. gimbal

    What if

    ...they'll give some portion of your information to your advertisers, but only that which you've explicitly volunteered to volunteer to whom? The case of FaceBook comes to mind.

    Still seems like a nifty novelty, though, even if it's a bit overly simplistic to address that one case

  9. Anonymous Coward

    I have taken on a few of these organisations

    I really hate the people and companies who show absolutely NO scruples in considering people as numbers in a profit and loss spread sheet.

    People and companies that do this - I am not too sure about outing them as the lists grow endlessly, but if they profit from exploiting you, instead of providing a quality product and or service at a competitive price, then they are exploiters and manipulators, and not worthy of my time or their being hired by me ever again.

  10. ABCD

    You are both wrong

    The last time you were right was like 10-15 years ago. Since dictionary/combination spam attacks came along nobody really needs to know your email address to spam you. They can "figure" it out by guessing and by trying random combinations. And if they do so, you will blame a company/site for having given out your email address that never actually did so, neither on purpose, nor by having been hacked or something.

  11. Anonymous Coward

    Horrible icons

    The letters "AD" make them specific to English. Aren't icons supposed to be a language-neutral alternative to language-specific text?

    1. Rob - Denmark

      Works in Danish

      Where "AD" means the same as "YUCK" in English, so still works for us ;o)

    2. Ole Juul

      Language

      "The letters "AD" make them specific to English. Aren't icons supposed to be a language-neutral alternative to language-specific text?"

      I basically agree with you but Iconese is culture dependent and far from universal. English is still one of the most understood languages on the web.

  12. Mike007 Bronze badge

    me too

    see above regarding domains, but even if you can't buy a domain there are also free subdomains (dyndns etc?), not sure about the validation for google apps for example (i use my own domains), but i guess there's a way to get a free subdomain hosted with a free mail provider without splashing out on a £2/year domain name

    didn't freeserve used to give emails in the form of anything@user.freeserve.co.uk? (specified as a single address, but the reality was it functioned as a wildcard), perhaps if ISPs did that more often that would be useful?

    you can also with many providers use user+sitename@domain to turn a single address into site-specific addresses, however different providers implement it differently (some use - instead of +) and those email addresses might not work properly (some address validation scripts incorrectly reject addresses with a + in), and if a large number of people started doing that then it's trivial to scrub the lists back to user@domain

    posted using an account which has the email address elreg@domain...

  13. OffBeatMammal

    don't need a domain

    for both hotmail and gmail you can create sub-addresses to see where the crap is coming from

    eg if your email address is MyName@hotmail.com you can add +Sender to the bit before the @ and see where it came from ... eg if you sign up for EvilSite using MyName+EvilSite@hotmail.com the mail still gets delivered to MyName@hotmail.com but you see it includes +EvilSite (also works with Windows Live customer domains, so I guess it would work the same with gmail apps)

  14. Anonymous Coward

    moneysupermarket

    Bastards, one sleepy evening while trying to sort some insurance out quickly stupidly put my phone number in the webform, it would not complete until i had done so, i actually put my real number in thinking that i would be contacted by the insurance company.

    Oh boy, i have been receiving 4 or 5 spam sms's a day ever since, numerous cold calls.

    Luckily i have an android phone and i can mark numbers as spam and reject them but i gave that number in good faith and they totally abused it and sold it to so many companies that attempting to stop it is impossible.

    a clear icon for the sleepy at keyboard people will help, or the absence of one will..

    It's just another layer of needed security.

    1. Robert E A Harvey

      echo

      I've had that problem. Worse, I work abroad so I get charged for receiving sms spam.

      If a web site insists on a phone number, I either use their own or 0207 944 1212 (whitehall 1212)

    2. wim

      what company ?

      so that the reg user base can decide not to do business with them

  15. Christopher Martin

    Bad choice of words?

    Of course we don't give out your data to advertisers. The data we've collected about you isn't YOUR data. It's OUR data. And we do with it whatever the hell we want.

  16. Doug Glass

    Huh?

    Mozilla wants to put the brain power for determining what's good for you with parties other than the user. I believe strongly in personal responsibility and people doing their own work. Comes from years being a teacher I guess. Just because you see the icon on a website has no relevance to it actually working or doing the job you as a user think it's doing. There are lots of ways to protect yourself if you'd just take the time to learn. And sometimes the right thing to do is keep your sorry a$$ away from bad places. No matter, as soon as they create foolproof "safety devices" they'll just create a better class of fool. In the long run you'll be better off expecting to be savaged by the internet, plan for it, and execute the recovery plan as needed. But people are lazy and have come to expect their protection to come from the outside, so this flawed idea is likely to take off. Makes a good marketing ploy too: "Use our site; we protect you 100% with the click of a button". Yeah right, and pills you can only buy before the sun comes up will increase your manhood too.

  17. Ellie K

    Dual lines of protection

    The first thing to look for is a site Privacy Policy. Or if using a sub-domain like Google Sites, mentioning that the domain privacy policy applies. Only after seeing some kind of basic privacy statement (we use DART, we don't or do use Google Analytics, session id tracking etc), would I bother to check for these Privacy Icons. Finland's Web-Of-Trust (WOT) and various levels of VeriSign "blessings" require a privacy policy.

    Actually, it would take a lot of nerve to post a privacy policy AND the Mozilla Privacy Icons, yet track and misuse site visitor data. But I'm sure it has and will happen......
