Google making more inroads into privacy?

[Spathiphyllum]

Phishing Protection feature Firefox 2:

3. What information is sent to Mozilla or anti-phishing partners when Phishing Protection is enabled?

When Phishing Protection is used in default mode, no information about the sites you visit is sent to Mozilla or anti-phishing partners. Rather, sites are checked against a local list that is downloaded to your computer and updated on a regular basis. When sites are checked against online anti-phishing services such as Google, the address of each web site you visit is sent to the online service over a secure SSL connection.

Now, since the default is to download a local list of phishing sites which can be compared locally on a single node, then privacy risks are non-existent insofar as this "anti-phishing" tool is used. However, should one select to keep a dynamic anti-phishing list on a per-request basis, then you are agreeing to send your browsing history, presumably every single one of them as long as the option is enabled, to another site (i.e. Google) to use that data as they wish. Presumably if one selects this option, then one is aware of the release of "private" data, so one assumes the risk/reward of enabling this feature.

Keep your eyes open on this tool and others like it. Inevitably, the default option will migrate over to dynamic comparisons and then on to dynamic comparisons only... meanwhile, data mining of your private info will be harvested even further.

On the upside, Mozilla has publicly documented the tool, so endusers are at least notified of the process. Buyer beware.

Personally, I disable this new Mozilla feature though I use one like it on my firewall whereby a list is updated locally to serve as the comparison list for phishers. Should it ever become dynamic on a per-request basis, it's getting yanked off immediately. Risk/reward ratio would be too high for me.

[Bellthorpe]

Phishing Protection feature Firefox 2:

Keep your eyes open on this tool and others like it. Inevitably, the default option will migrate over to dynamic comparisons and then on to dynamic comparisons only... meanwhile, data mining of your private info will be harvested even further.

Why would I care? Google doesn't know that the list from my PC comes from my name.

Personally, I disable this new Mozilla feature though I use one like it on my firewall whereby a list is updated locally to serve as the comparison list for phishers.

Why do you need this tool? Surely you can recognise a phishing email?

[Spathiphyllum]

Why would I care? Google doesn't know that the list from my PC comes from my name.

Google is one giant vacuum and repository of data. They need but one unique identifier to your node to at least correlate time, IP, and request. Consider an expanding collection of databases run by Google and an algorithm that searches each based on IP and then ties them all together. Do you use any Google tools? They have an IP association with your account. Do you use AdSense? They have an IP association with your account. Do you perform searches with Google's engine? They have an IP association with your search. Do you have a Google toolbar in your browser? I guess you can see where this is going.

That's why you might want to care. A digital dossier is being built on your browsing habits and you are providing it both involuntarily and voluntarily. Google is the best in the business at data aggregation, correlation, distribution, and extraction and it is expanding its horizons continually. Call it another Borg. Data mining is the next frontier and you can bet that's where Google and like data accumulators will be. Someone needs to separate the wheat from the chaff and make no mistake, Google is poised to make lots of bread.

Why do you need this tool? Surely you can recognise a phishing email?

Phishing is not limited to email. Yes, HTML spam in an email is a dancing, flashing neon sign that says "Delete Me!". Phishing HTML via normal GETS isn't nearly as recognizable these days... unless it is your habit to review the source code of every site you visit. Maybe checking sites where POSTing is used, that would be a reasonable solution (i.e. read code for the POST submission), but do you do that for all sites you visit? Since you are presumably computer savvy, maybe you do. Do you think your kids, mother, father, or siblings have the same degree of online experience to recognize phishing code? Do you they have the discipline or patience to do this consistently? Do you?

I don't have the patience to do this because it is terribly inefficient and time consuming. Or at least I don't since I now have firewalls do that time-consuming stuff for me.

[Vin DSL]

Do you use any Google tools? They have an IP association with your account. Do you use AdSense? They have an IP association with your account. Do you perform searches with Google's engine? They have an IP association with your search. Do you have a Google toolbar in your browser? I guess you can see where this is going.

Um...

You forgot the most important one of all -- Google PageRank...

[Vin DSL]

BTW, Firefox 2.0.0.1 is available now...

[Spathiphyllum]

You forgot the most important one of all -- Google PageRank...

Just tack it on to the list.

BTW, Firefox 2.0.0.1 is available now...

Exactly why I started this post. I was curious to know the difference in the 0.0.0.1 leap in versions after yesterday evening's notice of the update and they specifically mentioned the anti-phishing tool for 2.0.0.x. I knew it was there and had it disabled already because the perpetual requests for a new phishers list was botching my firewall (1 request/minute/node) ad infinitum. Curious, I decided to read some fine print and found the tie to Google a bit discomforting. I actually had it set originally to download the list, but the browser decided to perform dynamically from Google despite my preferences being toggled to use the compiled list from Mozilla.

I wonder when Google buys Mozilla?

[Vin DSL]

I don't understand...

Were you using a local list, or Google, when you had the firewall problem?

[Vin DSL]

n/m

I see it now!

I did a netstat, and there's a worm sig at: http://whois.domaintools.com/72.14.253.93

That must be the anti-phishing tool at work, even though I'm using a local list.

Hrm...

[the_ancient]

I think the major problem here is not that google, or any other company , is activly collecting this kind of data.

the bigger problem is the fact that no one takes privacy seriously. Everyone seems to have the "if you doing nothing wrong you have nothing to hide" mentality today :sad:

[Vin DSL]

How odd!

Doesn't seem to matter if I have the anti-phishing tool turned on or off. When I crank up Fx, there's a whole array of connects to Google taking place, like a classic worm sig!

These lay in wait several minutes after shutting down my browser too...

Wonder if it's because I'm using their search bar?!?!?

[JPC-Nick]

Google does many things the average person would never think of.

Think of this

They search the web for you, have your ip and now are offering a checkout service.

hmmm market demographics anyone?

[Spathiphyllum]

That must be the anti-phishing tool at work, even though I'm using a local list.

Yep.

Wonder if it's because I'm using their search bar?!?!?

Nope. Well, some of it could be, but the GETs for Google content happen w/o their search bar, too.

Mozilla must be proxying a Google server which distributes the compiled list. Presumably, the phishing list is supposed to be independent and handled by Mozilla. I'm not sure if it was dynamic checking that my firewall was impeding or just the repeated request to D/L the compiled list from a Google server. Either way, it was disrupting my network and was a redundancy I didn't need.

[Spathiphyllum]

...market demographics anyone?

Absolutely. They'll likely be able to target customized online advertising via these mechanisms. Correlate your purchasing, your email communications (via Gmail), your search history, and IP tracking and funnel specific ads to you if you use any freely distributed tools from Google which tie in to your browser. That Google Bar, while providing utilities to make browsing convenient, will likely report that your node is online and ready for content to be delivered by other Google mechanisms.

Amazing how upset we get if government collects such data, but if Google does it, we don't bat an eye. Big Brother is not going to be Uncle Sam.

[Frank Broughton]

Ya all need to learn the power of proxomitron!

[Vin DSL]

Ya all need to learn the power of proxomitron!

No kidding!

Funny how forward thinking that author was, huh?