Our 2008 Privacy Values Survey ended this morning at 12:01 am on September 29, 2008. Thank you to the more than 2,000 survey respondents over the course of the survey.

Thank you for your interest! Please check back in a few months to see the survey results.

Previous survey results can be found in the following publications:

Earp, J.B.; Antón, A.I.; Aiman-Smith, L.; Stufflebeam, W.H., “Examining Internet privacy policies within the context of user privacy values,” IEEE Transactions on Engineering Management, vol.52, no.2, pp. 227-237, May 2005

Carlos Jensen, Colin Potts, Christian Jensen, “Privacy practices of internet users: Self-reports versus observed behavior,” International Journal of Human-Computer Studies, vol. 63, no. 1-2, pp. 203–227, 2005.

Vail, M. W.; Earp, J. B.; Antón, A. I., “An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies,” IEEE Transactions on Engineering Management, vol.55, no.3, pp.442-454, Aug. 2008

By Jeremy Maxwell and Dr. Annie I. Antón

Hackers recently broke into Governor Palin’s personal Yahoo email account and, subsequently, several of personal emails and family photos were posted on the internet [See: BBC Article].
This recent case reminds us that we must be careful with the information we divulge online as well as the information that is requested of us online. Consider that the responsible hacker was able to guess Governor Palin’s answers to the security questions that Yahoo used by doing some simple Internet searching [See: PCWorld].

This attack could be considered a social engineering attack [See: Social Engineering Fundamentals]–– social engineering attacks are not technical attacks, but instead aim to trick the victim into divulging personal information. Phishing and trojan horses are also examples of social attacks. The Governor Palin attack, however, is similar to the attack described by Herbert Thompson, where an attacker can gain access to user accounts simply by using information available on the internet, usually using some sort of password resetting service that asks personal questions to validate the identity of the user. If this private information is well known, than anyone could impersonate the identity of the victim. Sources of information can include public records such as driving or court records, blogs, social networking websites, personal websites, etc. The lesson here is to avoid posting private information in a public setting. Most people would not post their Social Security number or the password to their email account on their blog, but the information they do post might be enough.

So before you post the name of your first pet on Facebook or MySpace or on your blog, think about whether it can be used to fraudulently impersonate you at a later date.

[Update: Fixed minor grammar error]

Google recently announced their new open source browser, called Chrome, via a comic book. Although slated for release sometime today, the link mentioned in the comic book (http://www.google.com/chrome) appears to be down is now up! The 38-page comic book is surprisingly informative, mildly entertaining, and certainly a unique way to release a new product, but don’t let the playfulness of the announcement fool you. Chrome has many important features, including a privacy-enhancing feature called “Incognito.”

Incognito is a user-visible feature that enables a private browsing mode. Private browsing is a relatively simple concept with tangible benefits to privacy. Under normal operation, a browser will store information about a user’s browsing history. Stored information could include sites visited, data downloaded, searches conducted, or even personal information entered. Under private browsing mode, that same browser simply doesn’t store this type of information. Essentially, a browser has no memory of what users do when private browsing is enabled.

Although private browsing is conceptually simple, it is not easy to implement because everything the browser does is affected by private browsing. Apple’s Safari browser has had a private browsing mode since version 2.0 (April 2005). Currently in version 3.1.2, Safari still is the only major browser to have a built-in private browsing mode. However, Safari’s private browsing mode isn’t perfect.

Private browsing was a planned feature for Firefox 3.0, but was dropped before the release because the developers “didn’t want to put something in that was half baked.” The Mozilla Wiki describes the current state of this feature and provides a link to a Firefox plugin called Stealther, which provides some private browsing features.

Microsoft has announced that they will include a private browsing feature, called InPrivate, in their next version of Internet Explorer. Microsoft’s effort seems to be even more ambitious than simply not storing data locally. For example, a Microsoft blog post describes a feature, called InPrivate Blocking, that would add the ability to block browsing information that would normally flow to third party sites.

Clearly, private browsing mode is not a trivial engineering task, but Chrome has some fundamental advantages over the “big three” that may simply make real private browsing easier to implement and maintain. Since Chrome will have Incognito on its first release there is less code that needs to be re-engineered to respect a private browsing mode. Also, Chrome uses a separate process for each tab, whereas a traditional browser only has a single process for all of its tabs. Multiple processes make it easier to sandbox tabs. As a result of these strict separations, it could be possible that Chrome would allow individual tabs to go “Incognito” while others act normally.

It is difficult to predict what sort of impact Chrome will have on the browser market, web application development, or Internet privacy, but if Chrome will have any impact, then it must compete with the “big three.” They are big for a reason, and a comic book isn’t going to solve that problem.

[ Update: Google has officially released Chrome at the following URL: http://www.google.com/chrome ]