The by Hal Roberts, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Share Alike 3.0 License.
-
Pages
Categories
Archives
-
RSS Links
Hal Roberts
watching technology
from The Berkman Center for Internet & Society
35 Comments
Dear Hal,
It is a very interesting piece you have written here in your blog. I wonder on your “about” page you do not mention your academic background. I would be interested to know your credentials. There is a lot of talk at the moment on the internet about Phorm, NebuAd and other outfits who wish to profile individuals, but alas very little of the debate is disciplined. Whether you have read or are reading law, and whether you have any formal computer science qualifications would greatly interest me.
Hi Richard,
I am not a lawyer. I’m just a lowly computer geek who’s done various computer geeky things (coding, systems, tech consulting, etc) for the Berkman Center for Internet & Society at Harvard Law School for the past six years. Lately, I’ve been spending most of my time at the Berkman Center on research projects that straddle social and technical issues, including a surveillance project that has me looking into dpi monitoring.
This particular case does not require formal computer science or legal qualifications, though. The language in the privacy policy is plain, as is the language in the technical document by Richard Clayton. The privacy policy says that Phorm won’t share its IDs with anyone else, but the technical description they gave to Richard Clayton says that they do.
Notice that I don’t speak to the question of whether Phorm is liable in any way for its violation of its privacy policy. The point of the post is just that Phorm is plainly and obviously violating its own privacy policy and that Ernst & Young should be ashamed that they didn’t find and disclose that violation.
Thank you for helping to spread the word about this. There is a bit of noise in the tubes about this, but still far too little scrutiny. Keep up the good work!
Hal — We have never EVER sold any data about OpenDNS customers to another company.
Two things you seem to miss:
1) We let you revert your address bar behavior. Just login to your account and disable the OpenDNS proxy. The vast majority of our users like it as it makes shortcuts work reliably and gives people their custom guide page. It’s using YDN right now for results, but we hope to switch it to BOSS. If we knew of an API to use Google, we’d obviously love to give our users that choice too.
2) We have never sold, nor do we have any intention of selling any customer data ever. You have completely taken that line from our privacy policy out of context. All that means is that when you click an ad, our advertising partner (Yahoo) will see your IP address and the typo you made that resulted in you seeing the ad you clicked on. Nothing more.
And of course, you can disable logging if you’d like. We provide all logging for your benefit, to show you your stats. If you don’t want it (it’s off by default) we don’t store any logs about your DNS patterns.
Please update your post accordingly.
I understand why the failover works. What I don’t understand is why it suddenly started to work that way. In the past, the address bar also served as a google search bar unless I typed or pasted in an actual URL. The search default was I’m Feeling Lucky — which was a trip directly to the site Google thought was requrested. Otherwise it went to a Google search. Now Google is gone and there is only OpenDNS. For example, if I type in “searls” it goes straight to an OpenDNS (actually, Yahoo) search for searls. Why the change? That’s what I don’t get. I also don’t get how to un-change it. Where is the Firefox setting for address bar behaviors?
Doc — nothing has changed on our end in months.
If you go to about:config in Firefox and look for keyword.url you can change that to whatever you want.
If you want to stop us from responding to address bar search requests, login to your OpenDNS account and turn off “OpenDNS proxy.” Note that if you do that, shortcuts and other typo correction features will start to break.
Doc,
It sounds like the problem is that your network setup got changed somehow so that you are now using opendns as your dns server. Most likely, whatever isp you are connecting through has changed to using opendns as their default dns server. So the change didn’t happen in firefox. It happened in your underlying network configuration as pushed to you by your isp, and firefox is just making the change apparent.
To verify this in windows, go to the command line and type ‘ipconfig /all’. If the dns server listed is opendns, that’s the issue. To get the search as address bar fall through working again, you’ll need to manually change your dns server back to some non-opendns dns server (or call and complain to your isp and get them to change back to a non-opendns dns server for their network).
David,
I’ve edited the text slightly. At the end of the day, yahoo gives you money in return for information about what websites your clients are browsing for. That qualifies as selling your clients’ data. The exception in your privacy policy further allows for a large range of behaviors to which many folks would object. It seems to me, for example, to allow you to affiliate yourself with NebuAd for the purpose of providing more targeted advertising to your clients. There’s a broad range of such possible objectionable activities that fall under the rubric of affiliated advertising services.
What’s most troubling about opendns is that the system is opt-in and opaque to most users, as strongly indicated by the fact that the very bright and technology savvy Doc Searls can’t figure out why his firefox has suddenly broken. That he can opt-out by signing up for an account on your system and wading through the preferences is completely beside the point. A quick look at the search page shows a tiny ‘why am i here’ link in the top right that doesn’t explain at all that opendns has injected itself into the dns process. It’s one thing for someone to visit yahoo voluntarily and submit his info to them. It’s another for the opendns search page to be injected into the browsing session via a deep and opaque mechanism.
I don’t fully agree that “triggering” content will become less commonplace – there’s far too much of a market for juveunile, sexually explicit, profane and violence-based content and there are entire industries with thriving affiliate strategies constantly fueling these sites.
However it would be useful, as you say, for Google to release more information about classification. Although with Google’s track records, there’s little hope they will be this open.
On both my desktop AND the brand new acer one netbook I bought YESTERDAY, suddenly my firefox searches ended in OPEN DNS GUIDE.
I was able to get my searches unhijacked by this ’setting’, back to google.
I am quite mad about this. Why did OPENDNS hack my firefox browsers?
Secondly, NOW if I type in a site manually, instead of a 404 I am getting redirected to OPENDNS GUIDE. I do not have any settings left to change.
Is there a lawyer launching a class action lawsuit against this company, as I would like to write a statement for court about how they took over my browser and cost me several hours of time and I STILL can’t get rid of it?
I think the genius of Google’s model is that the ads on search pages are minimized so that one must click them to learn more. It seems to serve eveyone’s interest:
1. The reader’s screen is not crowded with undesired ads.
2. The advertiser is motivated to give an honest, short description so the clicker-through is genuinely interested.
3. Google is motivated to get a lot of likely ads on the page so that a click-through happens.
Of course, this is an entirely ultilitarian viewpoint.
These are all good reason that straightforward pitches work well on adwords. But the downside of this sort of advertising is that it’s boring and no one reads it. Certainly that is an acknowledged problem with adwords stuff — it’s so prevalent and so unassuming that it’s really easy just to filter it out completely. The traditional counterweight to this problem in advertising is jingle type advertising that does a worse job of the direct sell but attracts more attention.
I think it’s an open (and important) question we haven’t seen (as far as I know) these sort of jingle advertising on adwords yet. The most obvious result is that the ads in themselves lack the cultural impact of the jingles. Traditional forms of advertising have effect not only through the content that they support but also through the content of the ads themselves — encouraging consumers to associate cars with power, perfumes with beauty, and laundry detergent with a happy home life. These messages have historically played an important role in shaping our society but are absent from adwords.
Hi Hal,
Thanks for stopping by my website and giving me the opportunity to address some of the issues that concern you. I’ll take them in the order you mention them.
>biased selection of reviewers
The purpose of the website is get a buzz going and let as many people know about a product as possible. Just as in the real world advertisers and PR people are more likely to give Oprah free merchandise for a review and less likely to give it to person who runs a public access channel show which airs at 2 am.
> Good and bad reviews
I’m not sure if you are aware but PC Magazine as well as many other electronics review publications won’t run a negative review. If a machine does that poorly in their tests they simply don’t publish the review. Secondly we hope that advertisers will use this feedback to improve their products.
>And what about a disclaimer from the blogger
We’ve recently updated this section, if a blogger does keep the item we recommend them putting a disclaimer up. For bloggers who plan on doing reviews regularly we suggest they use the NY Times journalistic guidelines as a starting point.
>review equivalent of link farming
we don’t require that bloggers link to the advertiser, they can do so on their own if they chose to. Again the recently updated FAQ suggests that if bloggers do keep the item they follow google’s guidelines as far as linking.
>legality of the TOS
I’m not a lawyer either, but if you’re going to pick on our TOS could you at least be fair and pick on everyone elses too
http://zi.ma/90b110
if you have any more questions please feel free to contact me at the email listed in this post.
Hi Michael,
Thanks for the response.
The problem with the bias is not that there’s a selection mechanism to pick out the biggest and best blogs. The problem is that it is the companies who are choosing which reviewers get the privilege to review them. To the degree that folks want that privilege (which is an assumption you are building your site upon), they will be encouraged to build reputations for writing favorable reviews. Their readers would ideally balance that incentive by encouraging them to write honest reviews, but without the reviewers telling their readers how they are qualifying and being compensated for the reviews, their readers don’t have all the relevant information to judge the quality of the reviews. So the incentives are all on the side of writing positive reviews.
This setup is not necessarily bad in its own right. If readers want to read reviews by folks picked and paid by the manufacturers to write positive reviews, that’s fine. It’s like reading product descriptions on manufacturer sites, which are useful in many ways, even if they are biased. The problem is that the readers are not being told how the reviews are being generated. Barring full disclosure of the nature of the relationship, readers think they are reading independent reviews of products. As far as I can tell, that’s the point of the site: to create positive grassroots buzz about the products through positive reviews in the apparently independent blogging community. But in the end, it’s a form of an astroturf campaign, because the reviewers are being paid with free products to write positive reviews.
I don’t see where you recommend that reviewers follow the nytimes journalistic guidelines (maybe privately or in the registration process?), but suggesting that companies gift products to reviewers directly contradicts guidelines #35, #36, and #79.
There’s a quick fix to this problem, which is to require or at least strongly suggest that any blogger writing a review include a disclaimer that makes it clear 1) that he was chosen in a competitive process by the reviewed company, 2) that the company is giving him the product in return for writing the review, and 3) that he only posts positive reviews. The current suggested disclosure that “The John Smith Camera Company sent me their new ABC-123 DLSR camera to review” includes none of these key pieces of information.
With proper disclosure, there may be reason to complain about the usefulness of the site and the reviews it generates, but not the ethics of what it’s doing. I’m offering this as a serious proposal, not merely a rhetorical device.
I realize that a similar problem exists in existing mass media reviews, but that does not excuse taking the worst parts of a fraudulent system and exporting to the world of citizen media.
To be fair while I understand your concerns I think the criticism is a little harsh. There is nothing going on here that is any different to what is commonplace amongst the large, mainstream media outlets.
Hi Hal,
There selection process allows merchants to be somewhat selective with who reviews their products. This is built in so merchants don’t have to allow hate blogs or other objectionable material bloggers into the mix. Merchants are generally pretty open I’ve seen more then one occasion where bloggers with less than 20 subscribers were chosen.
Since most bloggers have never received products to review and probably aren’t going to make a habit of it, suggesting lengthy and complicated disclosures is overkill. For bloggers who engage in regular or semi regular reviews yes a different level of disclosure would be a good thing. Not sure why you can’t see the NYT link it’s there perhaps it’s cached on your computer
http://www.viralconversations.com/faq/#b8
You’re making quite a few assumptions about a system that you haven’t participated in any meaningful way. Since we’re recommending that bloggers be honest and disclose if they keep the item, I’m not sure what you’re basing your accusations of fraud upon.
I’ve removed the reference to link farming, since you make clear statements that reviews need not include links. This was a poorly worded metaphor for a system in which supposedly independent media are paid for positively referring to a third party.
I see the nytimes link now. But it’s meaningless in relation to the question of whether bloggers should keep the merchandise because you elsewhere in the same faq suggest that it’s a “good idea” that companies gift the reviewed merchandise to the reviewing bloggers. If you really want the bloggers to follow those nytimes guidelines, you should require or strongly suggest that they not keep the reviewed products, as the nyt guidelines clearly require (see above quoted sections, among others).
You actually include support for keeping a reviewed item and a suggestion to follow the nyt guidlines in adjacent sentences in the linked faq above:
These two sentences together are plainly contradictory. You are saying that bloggers can keep the items they review and they should follow the nyt guidelines, which say that they cannot keep the items they review.
Likewise, you suggest disclosure but offer a sample disclosure that does not offer the key fact that the blogger has been gifted the item: “The John Smith Camera Company sent me their new ABC-123 DLSR camera to review.” That disclosure says nothing about keeping the item.
A proposal:
On the issue of fraud, I’ll be happy to edit my post to state clearly that this is not fraud if you edit the faq to make clear either 1) that a blogger should not keep the items that she reviews or 2) that any blogger who keeps a reviewed items should disclose in the review that she is keeping the item. This policy should be clearly stated and not contradicted elsewhere in the faq.
For example, you could add the following text to the end of the disclaimer faq:
That’s not a lengthy or complicated disclosure, but it makes clear the fact that the company is paying the reviewer with in kind merchandise, which is the important background that the reader has to know to judge the review.
No one should “have” to sign up at opendns just to get there browser working as it used to.
As an IT professional this has really infuriated me as it acts just like any twopenny browser hijacker out there, changing my browsing experience without my say so or permission.
Can’t think of a better way to alienate people from your product than to force it on them and tell them they can get around it by signing up!
Just like the scumware that infects peoples machines telling them they have multiple viruses and the like that can only be removed by paying them $19.99 for their virus removal software (which only removes their hijacker.. sometimes)
I like OpenDNS and have used it for a long time. But now, some of the time, an unresolved IP brings up Yahoo instead. What happened? OpenDNS is there sometimes.
I think OpenDNS is rather clever. I hate how Yahoo pays to hijack the installation of other programs.
It is true that somewhere along the path someone has access to your data. Even the Tor project is not foolproof for you don’t know how many government agencies have set up servers for Tor. However my concern is within China. The last mile, so to speak. Knowing that the other end of the connection could be monitored I have to rely on my trust of the vpn provider. The way I see it a free provider has to get their money from somewhere. Selling your data seems like the chosen method. I pay for my VPN, have used one company for 18 months and am satisfied. Yes, I take my chances even with them but life is a risk and there is no perfect solution. At least I know that my data is secure on the last mile.
[spammish surf bouncer link removed -hal]
The above comment is a terrific example. It looks like a spam comment to me, pointing to a personal vpn service called surf bouncer. But I include it because if you go to the surf bouncer site, there’s no indication whatsoever who is running the company. The company promotes its service as a tool to protect users against dangerous hot spots (among other dangers), but why should users trust a random, unidentified organization with their traffic instead of the local hot spot (which has its own dangers to be sure)?
phobos posted this yesterday, coincidence?
https://blog.torproject.org/blog/circumvention-and-anonymity
We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.
The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.
The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.
The GIFC partner who runs the ranking service, the World Gates’ Inc, has been notified, and that FAQ entry has been removed. Thank you for discovering the problem.
Peter Li
Global Information Freedom Consortium
Not sure if you’re still monitoring this, but i’ve made a few changes to the FAQ to make search engines and few other people happy and it should be pretty much in line with what you found troublesome as well.
Though FBI get Chinese users’ data it doesn’t matter.
It really matters is that Chinese govt get users’ personal information,that is much more dangerous.
Hal,
My apologies for including the Surfbouncer link. I was just mentioning a service I have found useful and reliable. Regarding your comments, I believe I was clear that no service is completely trustworthy or anonymous. However, in my case the concern is the last mile. If I can get out to the world encrypted it serves my purposes. Others needs may be different. While Tor works, even with the possible problems I mentioned in my first post, it’s main weakness is speed. I find the VPN a faster option overall.
Mai
Hello Hal,
I really like your post and I have translated your original post into chinese here: http://memedarwin.blogspot.com/, sorry for doing that without asking. Please give permission and I will cross-post it to other chinese blogs.
Hi Michael,
This is good news. I think these changes will make your site much stronger and produce better reviews in the long term. I’ve updated the original post and written a new one to reflect the changes.
Very interesting analysis. Thanks for this.
You make me feel both elated to find it (alexa is not very useful in Asia) and supremely fearful of the consequences.
I pay for my VPN, have used one company for 18 months and am satisfied. Yes, I take my chances even with them but life is a risk and there is no perfect solution. At least I know that my data is secure on the last mile.
Essay Help | essay
David Ulevitch of OpenDNS wrote that you can “just login to your [OpenDNS] account and disable the OpenDNS proxy”.
Well, I’d like to echo Neil’s comments above that being forced to create a user account on a service you don’t wish to use in order to disable it is beyond ridiculous, it’s contemptible. Long term you will irritate almost everyone.
In addition, any company whose privacy policy opens with “collects potentially personally-identifying information” is asking for trouble when it suddenly starts collecting that information without your knowledge.
In a word, awesome.
Use non-youtube site, pls.
You are blocked.
[Thanks. Fixed! -hal]
All you have to do to get around OpenDNS typo behavior and still use it as a filter, is to simply, add no redirect add on to firefox. This fixes all the nasty things by opendns, verisign, ect…. and still lets you use their service.
Now you may say, but, you are stealing revenue if you do this. I say I wouldn’t touch those ads anyway. And its only my computer, the rest of my roommates still have the ads.
https://addons.mozilla.org/en-US/firefox/addon/12180
This is the add on that are you searching
David Ulbitch you are scum for hijacking my comp with your garbage then making me have to signup just to disable opendns
27 Trackbacks/Pingbacks
[...] to those offered by Blogpulse, but covering a much broader search population. He’s got an interesting comparison of searches for “digital cameras” – cyclical, with spikes around Christmastime, but [...]
[...] points out that one of the most popular searches in Nigeria is for “Email Extractor Lite 1.4″, a web-based tool designed to extract email addresses [...]
[...] camera v. Nigeria searches over time strikes a blow against that theory: Read the rest of the post here [...]
[...] Although it was designed for advertisers, it has a ton of potential research purposes, which Hal Roberts and Ethan Zuckerman have already begun to think about. For example, since it allows you to look at [...]
[...] draft and join my Berkman partners in crime fun cutting edge media research Ethan Zuckerman, Hal Roberts and Bruce Etling in playing with Google’s amazing new Google Insights for Search, which [...]
[...] privacy questionable methods that we privacy interested folks worry about. They tap into their own extensive search logs, the even more extensive data from the adwords system, the extensive data from their analytics [...]
[...] Hal Roberts / Google Ad Planner: Advertising Surveillance of the Internet [...]
[...] the browsing histories of its users, which is a big step beyond what companies like NebuAd and Phorm were / are trying to do. NebuAd and Phorm are at least adding a variety of pseudonymity and privacy [...]
[...] a remarkable and frightening blog post this morning, Hal Roberts reports that FirePhoenix and two other major circumvention tool companies are selling data on users’ [...]
[...] But the ranking site also advertises a pay service through which you can get not only much more data, but data about individual users. [Hal Roberts] [...]
[...] Hal Roberts / Popular Chinese Filtering Circumvention Tools DynaWeb FreeGate, GPass, and FirePhoenix… Important discovery by Hal Roberts: major China-focused censorship circumvention tools are aggregating and selling web data and will sell you data on the behavior of individual users if you pass their screening test. This is incredibly dangerous and bad practice, and a powerful reminder of how much sensitive data circumvention sites end up holding about their users. (tags: china data security privacy circumvention halroberts berkman dynaweb freespeech) [...]
[...] Lots of folks in China get around the Great Chinese Firewall by using circumvention tools. But at what risk? That’s one of the biggest questions raised by Hal Roberts in this post here. [...]
[...] Original source : http://blogs.law.harvard.edu/hroberts/2009/01/09/p…; [...]
[...] Surf-Verhalten der Nutzer und bieten die gespeicherten und aufbereiteten Daten zum Verkauf an. Das schreibt Hal Roberts vom US-amerikanischen Berkman Center for Internet & Society. Allgemeine, [...]
[...] (further details here) [...]
[...] recent blog post by Hal Roberts at the The Berkman Center for Internet & Society raises concerns about popular anonymizing and censorship circumvention services DynaWeb FreeGate, GPass, and [...]
[...] So what’s the business plan for the companies that make proxies? It appears to be behavioral targeting, according to the Berkman Center blog: [...]
[...] Li from the Global Internet Freedom Consortium has responded in the comments to my post about snooping by Chinese circumvention tools: We apologize for the confusion here. The anti-censorship ranking service is provided by one of [...]
[...] the data for these tools has now removed the faq entry offering to sell the data. Please read my subsequent update for responses from the tool developers and further [...]
[...] reviewers disclose within reviews if they are allowed to keep the products they are reviewing. In a previous post, I pointed out that the site’s policy of encouraging companies to gift reviewed products to [...]
[...] Viral Conversations has changed the language in their FAQ not to encourage gifting of reviewed items and to encourage reviewers to disclose [...]
[...] surfers for a fee, something that poses an even greater privacy risk, according to an analysis (http://blogs.law.harvard.edu/hroberts/2009/01/09/popular-chinese-filtering-circumvention-tools-dynaw…) by Hal Roberts from The Berkman Center for Internet Society at Harvard [...]
[...] Hal Roberts / Popular Chinese Filtering Circumvention Tools DynaWeb FreeGate, GPass, and FirePhoenix… [...]
[...] Popular chinese filtering circumvention tools dynaweb freegate, gpass, and….. POPULAR CHINESE FILTERING CIRCUMVENTION TOOLS DYNAWEB FREEGATE, GPASS, AND FIREPHOENIX SELL USER DATA (Hal Roberts, Berkman Center, 9 Jan 2009) – Update: The site hosting the data for these tools has now removed the faq entry offering to sell the data. Please read my subsequent update for responses from the tool developers and further thoughts. Three of the circumvention tools
[...] the best demonstration of this fact is the video Hal put together earlier today and posted on his blog. It shows GreenDam slowly realizing that it wants to block a Falun Gong site… then blocking [...]
[...] worse position than if you had not attempted to become anonymous. Back in january of this year, Hal Roberts of Harvard University, posted a blog item about GIFC selling user data. If sites such as Dynaweb [...]
[...] to become anonymous. Back in january of this year, Hal Roberts of Harvard University, posted a blog item about GIFC selling user data. If sites such as Dynaweb are prepared to sell user data, then [...]