Slashdot Mirror


Websites Still Failing Basic Privacy Practices

DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"
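The check a practitioner would run before filling in a form like the one described above, as an added example that is not part of the submission or of the contest site: parse the page, resolve each form's action against the page URL, and report whether the named fields would leave the browser over plaintext HTTP. The page URL, the form and its field names below are constructed for illustration; the list of "sensitive" field names is an assumption.

```python
"""Audit the <form> elements of a page: will the fields travel over plaintext HTTP?

Added example; the sample page below is constructed and is not the contest page
from the submission.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that commonly feed password-recovery flows (assumed list).
SENSITIVE_FIELDS = {"password", "dob", "birthdate", "date_of_birth", "address", "ssn"}


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive with value None
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(
                {"name": a["name"], "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: where it posts, whether that is plaintext,
    and which of its fields look sensitive."""
    collector = FormCollector()
    collector.feed(html)
    page_plaintext = urlsplit(page_url).scheme.lower() != "https"
    findings = []
    for form in collector.forms:
        # An empty action means "submit to the current page".
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        sensitive = [
            f["name"] for f in form["fields"]
            if f["type"] == "password" or f["name"].lower() in SENSITIVE_FIELDS
        ]
        findings.append({
            "action": target,
            "method": form["method"],
            "plaintext": urlsplit(target).scheme.lower() != "https",
            # A page fetched over HTTP can have its action rewritten in transit,
            # so an https action on an http page is still not trustworthy.
            "page_plaintext": page_plaintext,
            "sensitive_fields": sensitive,
        })
    return findings


# Constructed sample: a contest entry form posting over plain HTTP, and a
# second form whose action is https but which sits on the same http page.
SAMPLE_PAGE_URL = "http://contest.example.test/wii"
SAMPLE_HTML = """
<html><body>
<form action="/enter" method="post">
  <input name="full_name" type="text">
  <input name="address" type="text">
  <input name="dob" type="text">
  <input name="password" type="password">
  <input type="submit" value="Enter">
</form>
<form action="https://login.example.test/session" method="post">
  <input name="user" type="text">
  <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "PLAINTEXT" if finding["plaintext"] else "tls"
        print(f"{flag:9} {finding['method'].upper()} {finding['action']} "
              f"sensitive={finding['sensitive_fields']}")
```

The second form in the sample shows the caveat that matters for the submitter's "where the data might really be going" point: an https action is only as trustworthy as the page that carried it, and a page fetched over http can have that action swapped by anyone on the path, which is why the finding records `page_plaintext` separately.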

10 of 205 comments

  1. It's a good thing by XanC · · Score: 5, Insightful

    That Firefox saves the nasty warnings for Web sites that are encrypted!

  2. but realistically by Anonymous Coward · · Score: 5, Insightful

    HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.

    This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.

    I think in this case, it's more important what they do with the information once they receive it.

    That said, I think there should be default encryption wherever possible automatically.

    1. Re:but realistically by blueg3 · · Score: 4, Insightful

      What they're trying to point out is that while it may be rare that anyone is out to steal your personal information, people stealing personal information in general is quite common.

      While this may bear a passing resemblance to the birthday paradox, it isn't the birthday paradox. It's like when people claim that X has something to do with relativity. They're almost always wrong. The birthday paradox is a very particular statistical error, and this isn't it. :-)

      It's actually easier, anyway, to point out that someone trying to specifically steal "your" credentials just isn't the way it's done. That's a rare attack, because the investment is high compared to the reward. It's far easier to, say, run a credential-harvesting script in a local Starbucks with free wireless every day for a couple of weeks. (It's also rare, though more devastating, to just grab the personal information off of their server.)

  3. Right... by Anonymous Coward · · Score: 4, Insightful

    "XXXXX is committed to maintaining your trust by protecting personal information we collect."

    Means nothing when every website harvesting your info says that.

    1. Re:Right... by Ethanol-fueled · · Score: 4, Insightful

      Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form

      People actually do that? Legend has it that some folks still fill out meatspace paper rebate forms so that they can wait 60 days to receive a 65-cent check in the mail.

  4. Re:Nobody considers that import by DigitAl56K · · Score: 4, Insightful

    That level of privacy is not considered important by anybody.

    It is by me (obviously) ;)

    You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?

    With specific regard to "trust", here you have a website asking for a bunch of personal information without taking the most basic precautions to protect it in transit and without an SSL certificate that identifies the owners to inform you where the data might really be going.

    It was enough to make me cancel out.

  5. Re:Nobody considers that import by tokenturtle · · Score: 5, Insightful

    Exactly. The junk mail that's in my mailbox every day has more detailed information on the outside of the envelope. This is really a non-issue.

  6. Re:Nobody considers that import by DigitAl56K · · Score: 4, Insightful

    If your junk mail shows your date of birth and password I'd be worried. It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

    BTW what has happened to /. tonight? If Google switched their login page to http would nobody care?
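What the "credential-harvesting script in a local Starbucks" from the earlier reply and the "sniff at a router and log all the traffic" remark above actually see, as an added example that is not from any commenter: a parser for one captured plaintext HTTP POST that decodes the form body and flags the fields worth alerting on. The capture is constructed (not a real recording), and the list of sensitive field names is an assumption.

```python
"""Parse one captured plaintext HTTP POST and list the form fields it exposes.

Added example: the capture below is constructed, not a real recording, and
stands in for what a passive sniffer on the same network (or at a router)
would read off the wire.
"""
from urllib.parse import parse_qsl

# Field names worth alerting on when seen in cleartext (assumed list).
SENSITIVE_FIELDS = {"password", "dob", "birthdate", "date_of_birth", "address", "ssn"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, target, headers and decoded
    form fields. Returns None if the bytes are not a complete request head."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Use Content-Length only to trim trailing bytes from the same segment.
    try:
        body = body[: int(headers.get("content-length", len(body)))]
    except ValueError:
        pass
    fields = {}
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {
        "method": method.upper(),
        "host": headers.get("host", ""),
        "target": target,
        "fields": fields,
    }


def cleartext_exposures(raw):
    """Names of sensitive fields sent in the clear by this request (sorted)."""
    req = parse_http_request(raw)
    if req is None or req["method"] != "POST":
        return []
    return sorted(name for name in req["fields"] if name.lower() in SENSITIVE_FIELDS)


# Constructed capture of the kind of entry form the submission describes.
SAMPLE_CAPTURE = (
    b"POST /enter HTTP/1.1\r\n"
    b"Host: contest.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 68\r\n"
    b"\r\n"
    b"full_name=Jane+Doe&address=1+Main+St&dob=1980-01-02&password=hunter2"
)

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_CAPTURE)
    print(f"{req['method']} http://{req['host']}{req['target']}")
    for name, value in req["fields"].items():
        marker = "  <-- sensitive" if name.lower() in SENSITIVE_FIELDS else ""
        print(f"  {name} = {value}{marker}")
    print("exposed:", cleartext_exposures(SAMPLE_CAPTURE))
```

Nothing here requires being "on the correct subnet at exactly the right time": the same function run over every TCP payload a tap or a compromised router forwards turns the one-off observation into the automatic collection the comment above describes, which is the asymmetry the junk-mail comparison misses.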

  7. Re:Nobody considers that import by Zero__Kelvin · · Score: 4, Insightful

    You missed the real story, to wit:

    "Internet users still can't seem to get the basics of privacy and security on the Web pulled together. Web users still offer up information they consider to be private and sensitive, on the almost zero chance they will win a Wii, to companies about which they know little or nothing. They still believe the company can and should be trusted with their data, based solely on the fact that the companies products have a little brand recognition ..."

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  8. Re:Nobody considers that import by Kent+Recal · · Score: 4, Insightful

    Exactly. This "article" is yet another bad joke (slashdot disappoints a lot lately).

    Dear "DigitAl56K": If you're so worried about losing your first and last name on the interwebs then why the hell do you participate in retarded lotteries?
    Here's a little secret: If you don't push that submit button then nobody will ever get your information!