
Tuesday, April 17, 2012

Supercookies Stealing Personal Information

Story first appeared in the Wall Street Journal.

Major websites such as MSN.com and Hulu.com have been tracking people's online activities using powerful new methods that are almost impossible for computer users to detect, new research shows. Unfortunately, security solutions may not be effective against these so-called "supercookies".

What 'History Stealing' Is

The new techniques, which are legal, reach beyond the traditional "cookie," a small file that websites routinely install on users' computers to help track their activities online. Hulu and MSN were installing files known as "supercookies," which are capable of re-creating users' profiles after people deleted regular cookies, according to researchers at Stanford University and University of California at Berkeley.

Websites and advertisers have faced strong criticism for collecting and selling personal data about computer users without their knowledge, and a half-dozen privacy bills have been introduced on Capitol Hill this year.

Many of the companies found to be using the new techniques say the tracking was inadvertent and they stopped it after being contacted by the researchers.

The associate general counsel at MSN parent company Microsoft Corp. said that when the supercookie was brought to their attention, they were alarmed by it. It was inconsistent with their intent and their policy. He said the company removed the computer code, which had been created by Microsoft.

WSJ reports so-called 'supercookies' reside in web sites that are tracking web users' activities and can continue to track users after they click a box to remove cookies from their computer.

Hulu posted a statement online saying it acted immediately to investigate and address the issues identified by researchers. It declined to comment further.

The spread of advanced tracking techniques shows how quickly data-tracking companies are adapting their techniques. When The Wall Street Journal examined tracking tools on major websites last year, most of these more aggressive techniques were not in wide use.

But as consumers become savvier about protecting their privacy online, the new techniques appear to be gaining ground.

A Stanford researcher identified what is known as a "history stealing" tracking service on Flixster.com, a social-networking service for movie fans recently acquired by Time Warner Inc., and on Charter Communications Inc.'s Charter.net.

Such tracking peers into people's Web-browsing histories to see if they previously had visited any of more than 1,500 websites, including ones dealing with fertility problems, menopause and credit repair, the researchers said. History stealing has been identified on other sites in recent years, but rarely at that scale.

The researchers determined that the history stealing on those two sites was being done by Epic Media Group, a New York digital-marketing company. Charter and Flixster said they didn't have a direct relationship with Epic, but as is common in online advertising, Epic's tracking service was installed by advertisers.

The chief executive of Epic says his company was inadvertently using the technology and no longer uses it. He said the information was used only to verify the accuracy of data that it had bought from other vendors.

Both Flixster and Charter say they were unaware of Epic's activities and have since removed all Epic technology from their sites. Charter did the same last year with a different vendor doing history stealing on a smaller scale.

Gathering information about Web-browsing history can offer valuable clues about people's interests, concerns or household finances. Someone researching a disease online, for example, might be thought to have the illness, or at least to be worried about it.

The potential for privacy legislation in Washington has driven the online-ad industry to establish its own rules, which it says are designed to alert computer users of tracking and offer them ways to limit the use of such data by advertisers.

Under the self-imposed guidelines, collecting health and financial data about individuals is permissible as long as the data don't contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records. But using techniques such as history stealing and supercookies "to negate consumer choices" about privacy violates the guidelines.

Until now, the council has been trying to push companies into the program, not kick them out.

Last year, the online-ad industry launched a program to label ads that are sent to computer users based on tracking data. The goal is to provide users a place to click in the ad itself that would let them opt out of receiving such targeted ads. (It doesn't turn off tracking altogether.) The program has been slow to catch on, new findings indicate.

The industry has estimated that nearly 80% of online display ads are based on tracking data. Only 9% of the ads they examined on the 500 most popular websites—62 out of 627 ads—contained the label. They looked at standard-size display ads placed by third parties between Aug. 4 and 11.

The industry says self-regulation is working. The labeling program has made tremendous progress.

Several Microsoft-owned websites, including MSN.com and Microsoft.com, were using supercookies.

Supercookies are stored in different places than regular cookies, such as within the Web browser's "cache" of previously visited websites, which is where the Microsoft ones were located. Privacy-conscious users who know how to find and delete regular cookies might have trouble locating supercookies.

Supercookies have also been found on Microsoft's advertising network, which places ads for other companies across the Internet. As a result, people could have had the supercookie installed on their machines without visiting Microsoft websites directly. Even if they deleted regular cookies, information about their Web-browsing could have been retained by Microsoft.

Microsoft's representative said that the company removed the code after being contacted, and that Microsoft is still trying to figure out why the code was created. A spokeswoman said the data gathered by the supercookie were used only by Microsoft and weren't shared with outside companies.

Separately last month, researchers at the University of California at Berkeley found supercookie techniques used by dozens of sites. One of them, Hulu, was storing tracking code in files related to Adobe Systems Inc.'s widely used Flash software, which enables many of the videos found online, the researchers said in a report. Hulu is owned by NBC Universal, Walt Disney Co. and News Corp., owner of The Wall Street Journal.

Hulu was one of several companies that entered into a $2.4 million class-action settlement last year related to the use of Flash cookies to circumvent users who tried to delete their regular cookies.

The Berkeley researchers also found that Hulu's website contained code from Kissmetrics, a company that analyzes website-traffic data. Kissmetrics was inserting supercookies into users' browser caches and into files associated with the latest version of the standard programming language used to build Web pages, known as HTML5.

In a blog post after the report was released, Kissmetrics said it would use only regular cookies for future tracking. The company didn't return calls seeking comment.


Thursday, April 5, 2012

Utah Medicaid Database Hacked

Story first appeared in the Chicago Tribune.

SALT LAKE CITY (Reuters) - A data security breach at the Utah Health Department, believed to be the work of Eastern European hackers, has exposed 24,000 U.S. Medicaid files bearing names, Social Security numbers and other private information, state officials said on Wednesday.

The intrusion initially appeared to have affected claims representing at least 9 percent of the 260,000 clients of Medicaid in Utah. But because each file often contains information on more than one individual, the full extent of the breach is probably wider, officials said.

Medicaid is a federal-state program that helps pay for healthcare for the needy, the aged and disabled. The state determines eligibility and which services are covered, and the federal government reimburses a percentage of the state's expenditures.

Hudachko said the Technology Services Department notified state health officials Monday evening about the cyber attack.

Technology Services had recently moved the claims in question to a new server, allowing the hackers "to circumvent the server's multi-layered security system," according to officials.

He said the cyber attack is believed to have originated in Eastern Europe, based on a suspicious Internet Protocol, or IP, address, but investigators are still trying to pinpoint the precise source. It is possible that an outsourced IT Security Solution could have prevented this issue.

GRAVE CONCERNS

Utah state Senator Allen Christensen, who also is a practicing dentist, said each compromised claim is going to have two parties involved - both the recipient and the provider.

The chairman for the Utah State Health and Human Services Committee expressed grave concerns over the impact on the Medicaid population in Utah and suggested the database was left vulnerable by human error. An outsourced IT Security Solution would have been a good option to alleviate any possible human error.

State officials said they were examining all servers and reviewing policies and procedures to ensure effective security measures are in place.

The compromised files also contain individuals' names, addresses and other private information.

State Health officials are urging all their Medicaid clients and providers to keep a wary eye on their bank accounts and other personal records. Customers whose Social Security numbers are found to have been compromised will receive free credit monitoring services, officials said.
