Google executives faced tough questions Thursday, in a meeting with members of Congress, about changes to the company’s privacy policy scheduled to go into effect March 1.

However, the search giant failed to assuage lawmakers’ privacy concerns stemming from the company’s controversial plans to step up the cross-referencing of data generated by consumers who use its popular online services, says Rep. Mary Bono Mack, R-Calif., who arranged the closed-door briefing.

Pablo Chavez, Google’s public policy director, and Michael Yang, its deputy general counsel, outlined how the company supplies consumers with a number of tools to protect their privacy. Lawmakers questioned whether tools that Google makes available to help consumers control their privacy were user-friendly and effective.

Rep. Joe Barton, R-Texas, says Chavez and Yang “danced around actual details, and instead spoke in generalities, highlighting their efforts to ‘enhance the user experience’ — but at what cost?”

Bono Mack said she expects Google to proceed with its planned March 1 change.

“I don’t know that I got any more clarity than what I’ve been reading in the press,” says Bono Mack. “There’s a big concern in Congress about privacy, on both sides of the aisle.”

Public hearings on Internet privacy are planned for this spring, she says. And Google spokesman Chris Gaither says: “We’re happy to discuss our updated privacy policy with Congress.”

On Thursday, the Google officials were pressed on whether the company’s new policy enables a consumer to easily and completely delete a Gmail message or a record of a search for sensitive information, such as on a medical website.

“Consumers want to know if they hit the delete button, that something truly is deleted,” says Bono Mack.

Gaither made reference to Google’s stated privacy policy. The company aims to ” maintain our services in a manner that protects information from accidental or malicious destruction,” the policy states. “”Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.”

He added that the new privacy policy “does not change our archiving or deletion practices.”

Even so, Bono Mack pushed ahead with a closed-door meeting today at which Google deputy general counsel Mike Yang and public policy director Pablo Chavez briefed her and nine of her colleagues. Rep. Joe Barton, R-Tex., came away unsatisfied.

Barton

“I asked specifically about Google’s deletion policy and got some disturbing answers. I may hit delete, but that doesn’t mean the material goes away immediately,” says Barton. “It was obvious to me, as I left the room, that this company has established this policy so instead of the consumer being the master of the Internet, Google is the master of the consumer. I think that is just wrong.”

Also attending were Representatives G.K Butterfield, D-NC, Cliff Stearns, R-FL, Marsha Blackburn, R-TN, Charlie Bass, R-NH, Adam Kinzinger, R-IL,, Henry Waxman, D-Calif, Ed Markey, D-MA and Diana DeGette D-CO. Here are excerpts from an interview Bono Mack granted Last Watchdog  not long after the closed-door briefing concluded.

Bono Mack

LW: How’d the briefing go?

Bono Mack: I don’t know that I got any more clarity than what I’ve been reading in the press. I’ve been following it pretty closely, and I think Google is trying very hard to calm a nervous public about what they’re doing.

LW: What did Chavez and Yang convey?

Bono Mack: They conveyed that they believe they are giving consumers the tools to protect their privacy. I think the predominant message out of the members who asked questions was, ‘We recognize you say you have the tools, but are they easy enough for consumers to use, are they easy to find, and is it truly, in fact, protecting consumers?’

LW: Did you get any more clarity on how long Google stores user profiling data?

Bono Mack: One of the things I really pushed Google on is, ‘If you want to delete your data, what are the technical challenges?’ They’re not very clear on that. We’re pushing them further on this. Because they say, at one point, that immediate deletion is not always practicable due to the way the archiving systems operate.

I don’t believe that they are as strong on data deletion as they need to be. When you as a consumer try to delete any data that you input in your machine, and you hit delete, you really want to believe that it truly is deleted, wiped out, erased, gone.

But Google says immediate deletion is not always practicable. It says it might be deleted in a reasonable period of time, and ultimately they say they can hang on to it until the storage medium is actually destroyed.

So I asked if that means until you actually take a hammer to the hard drive? And this is the crux of the issue to me. Its’s very problematic, that if the consumer hits delete, then it needs to be deleted.

LW: Did you get into the privacy implications of how Google plans to cross-reference profiling data from search, Gmail, YouTube and its other popular services?

Bono Mack: We got a very nuanced answer from them. They’re saying there are tools at the users’ disposal that give you the ability to opt out. But say you do a Google search for cervical cancer and you forget to sign out. Are you being tracked across all of the other products, and if so, that’s a violation of HIPPA. We’ve gone to great lengths in our society to protect people’s medical information. That question was raised.

LW: That’s a big question. How did they answer and were you satisfied with their answer?

Bono Mack: This is the grayest area of it all. They are saying that they do not track sensitive data like that. I don’t know who determines what’s sensitive and what’s not. And that’s probably another question on another day and a more extensive hearing.

Whether you sign in or you don’t sign in, they know your machine, they know where it is, they basically know who it is. Cookies is the reason they know. But the truth of the matter is, they have the ability to know who your are, whether you’re logged in or not.

LW: Sounds like you still have concerns.

Bono Mack: The biggest concern I have is that the consumer, when they hit delete, they mean delete. And that when the consumer has done a search on something that might be sensitive, whatever it is, when they erase that search, it really is erased. And this is what the Congress and the FTC is going to have to watch.

LW: What happens next?

Bono Mack: We had already planned to have more hearings on privacy on different angles and aspects of the debate. We will have privacy hearings, and I pressed Google to be at the table to help Congress understand what they are doing, and for Google to certainly understand Congress’ concern.

Google deputy general counsel Mike Yang and public policy director Pablo Chavez are preparing to deliver a closed-door briefing on Thursday, says Ken Johnson, Mack’s senior adviser. The audience will be restricted to members of the House Subcommittee on Commerce, Manufacturing and Trade, which Mack chairs. Rep. G.K. Butterfield, D-NC, is the ranking subcommittee member.

Google announced last week that it will consolidate dozens of user agreements for its most popular services into one privacy agreement encompassing them all. Starting March 1, the company will have the ability, policy wise, to correlate what a user does across most of its online services, whether a user accesses them on PC web browser or via any Internet-connected mobile device using the Google Android operating system.

“These changes might not otherwise be troubling but for one significant change to your terms of service: Google will not permit users to opt out of this information collection and sharing across platforms and devices,” Mack says.

All or nothing proposition

Critics object to the all or nothing proposition. Any user of Google search, who also registers to use Gmail, Google Apps, YouTube, Google+, Picasa and other popular Google services, will be covered by the new, over-arching user agreement, says Jeffrey Chester, executive director of the non-profit Center for Digital Democracy.

Chester

“This will make it harder for a user to opt out,” Chester says. “If you like even one of Google’s services, you’ll likely forgo the extra work and knowledge it takes to do more granular privacy control. This decision was designed to help Google boost revenues and avoid a clash with privacy cops in Europe.”

Google asserts that users will maintain “choice and control,” that Google is not collecting any more data than it already does and that its intent is to improve user experience.

Google and Facebook are in a race to actualize — and attempt to dominate — what some prognosticators believe is a mega- billion  online advertising market on the verge of mushrooming.  Each is seeking to compile and leverage behavioral targeting data to woo advertisers. They are redoubling their efforts at indexing and profiling the activities and preferences of users of their free services. But that drive also plays right into the hands of cybercriminals and parties motivated to use profiling data unfairly against individual consumers.

“Google is not being  honest with consumers about why it has made these changes,” says Chester. “The new policy is designed to blunt the impact of Europe’s ePrivacy law requiring forms of opt-in consent for cookies. Google understands European users will likely proactively say yes to all collection.”

Europe’s unease

Meanwhile, The Financial Times reports here that Norwegian public sector agencies will be banned from using Google Apps due to concerns that the service could put citizens’ personal data at risk. That would seem to cut off a toehold in Europe Google achieved by getting the city council of Narvik to use Google Apps for their e-mail.

Last year the town of Odense in Denmark banned use of Google Apps in its schools due to concerns about leaving personal data at risk. The German government is also working on stricter data protection rules  and France  has set up a patriotic venture with France Telecom and Thales to promote French cloud services over US rivals, the Financial Times reports.

“All these moves show that there is still a deep level of concern in Europe about the security of using US-based cloud computing providers, especially if there is any lack of clarity about whether the data is physically being stored,” writes FT correspondent  Maija Palmer. “Unease is exacerbated by the Patriot Act, which requires US companies to hand data over to US authorities, when asked, even if that data is stored in Europe.”

By Byron Acohido

Starting March 1, Google will be capable, policy-wise, of cross-referencing Internet user activity data compiled from its most popular services, including search, Google Apps, Gmail and YouTube.

And it will be able, policy-wise, to do this across all PC web browsers and any mobile device using the Google Android operating system.

The Congressional letter, which was also signed by Rep. G.K. Butterfield, D- N C, asserts that the policy changes “give rise to important questions regarding the impact on Google users.” Bono Mack invites Page to appear before the House Subcommittee on Commerce, Manufacturing and Trade to explain the ramifications of the changes.

“These changes might not otherwise be troubling but for one significant change to your terms of service: Google will not permit users to opt out of this information collection and sharing across platforms and devices,” she says.”Denying users an option to opt out of sharing their information across platforms and devices that they may otherwise strive to keep separate . . . appears to significantly reduce the spirit and substance of ‘meaningful choice.’ ”

Google spokeswoman Samantha Smith declined to say whether Page is inclined to accept the invitation. Smith referred USA TODAY to a blog post put up last Thursday — a day before the date of Bono Mack’s invitation to Page — by Google policy manager Betsy Masiello, titled “Setting the record straight about our privacy policy changes.”

Google asserts that users of its ubiquitous online services, including Google’s crown jewel search service, will maintain “choice and control,” that Google is not collecting any more data than it already does and that its intent is to improve user experience.

Security analysts and privacy advocates worry that Google’s moves to boost advertising revenue could play into the hands of cybercriminals, as well as groups motivated to use data about how people behave online unfairly against them; for instance, to deny insurance coverage, decline to hire someone, or to manipulate voters.

Bono Mack and Butterfield respectfully request that Page appear before Congress no later than Feb. 3.

On Wednesday, the European Union formally proposed strict rules that could restrict much of the systematic tracking and profiling Google and Facebook routinely do of Internet users, as part of delivering targeted ads to them.

If Europe’s new rules are implemented as expected in 2013, the tech rivals could face hefty fines, up to 2% of annual revenue, for any violations. In Google’s case that translates into a maximum penalty of $800 million.

On Tuesday, Facebook Chief Operating Officer Sheryl Sandberg delivered a statistics-filled speech at a tech conference in Munich outlining how Europe’s proposed rules are very likely to stymie the global economy. She reiterated those themes on Wednesday and Thursday while participating in the World Economic Forum in Davos, Switzerland.

Sandberg called for a “regulatory environment that promotes innovation and economic growth.”

Google spokesman Chris Gaither echoed Sandberg’s argument. He says the search giant “supports simplifying privacy rules in Europe to both protect consumers online and stimulate economic growth.”

Cross-device tracking

Meanwhile, refinements announced this week by Google and Facebook, about how each tracks and profiles Internet users, added heat to the domestic debate over the need for new data privacy rules here in the U.S.

Google signaled that it will begin cross-referencing user data compiled from its most popular services, including search, Google Apps, Gmail and YouTube, as well as across all browser PCs and any device using Google Android operating system.

The stickler: Users won’t be permitted to “opt out” of having their Google activities correlated.

Pociask

“The reports of Google’s privacy changes, which will allow no opt out, raises grave concerns for consumers who are growing increasingly concerned about their privacy online,” Steve Pociask, the president of the American Consumer Institute. “Google’s dominance of online search and its history of disdain for privacy protections and consumer transparency makes these changes even more worrisome.

“Whether it’s illegally collecting user data through its Street View product, hiding its privacy policy or settling with the FTC for violating its own privacy policy with Google Buzz, the company has proven that it has little regard for the privacy rights of consumers.”

Both Google and Facebook  are moving to extend intelligence gathering and behavior profiling to mobile devices. Google’s Android operating system runs the popular Droid series of smartphones, and Facebook Timeline features a digital GPS system, says Alisdair Faulkner, CEO of computer-security firm ThreatMetrix.

Meanwhile, the non-profit group SafeGov, which monitors security issues for federal, state and local government agencies, is alarmed that Google’s new policy could put workers who use Google Applications for Government, a paid service, at heightened risk.

“Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services,” says Jeff Gould, SafeGov security analyst. “It’s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information.”

Not thinking it through

Google Vice President Amit Singh says Google’s new privacy policy for consumer data is superceded by data privacy provisions in contracts with government agencies and other organization who use the paid version of Google Apps.

“As always, Google will maintain our enterprise customers’ data in compliance with the confidentiality and security obligations provided to their domain,” says Singh.

Gould

But Gould checked the city of Los Angeles’ contract with Google and found that the data-privacy provision referred back to Google’s policy for consumers. “They didn’t think through the consequences for government users,” Gould says.

Meanwhile, Google is busy fielding inquiries from a handful of politicians who’ve proposed legislation that would restrict online tracking and establish rules for data privacy.

“Amazingly, we still don’t have a law that sets the rules of the road for fair information practices that everyone collecting, using, and distributing people’s personal information must adhere to,” says John Kerry, D- Mass.

Kerry and Sen John McCain, R-Ariz., continue to work for passage of the Commercial Privacy Bill of Rights. “Until Congress acts, Google and the rest of its competitors will continue to set that standard themselves. ”

Rep. Ed Markey, D-Mass., notes that “Googling is like breathing for millions of kids and teens – they can’t live without it.” Markey, who has also been critical of Facebook’s tracking practices, is calling on the Federal Trade Commison to review Google’s new no-opt-out policy.

“Consumers – not corporations – should have control over their own personal information, especially for children and teens,” says Markey.

Timeline risks

Facebook is drawing more scrutiny too. It is making mandatory a new, glitzier user interface, called Timeline, that chronologically displays a member’s preferences, contacts and online activities. And its new Open Graph services promotes more and richer preference data to move across  third-party applications to ultimately get integrated into Timeline.  Facebook insists that Timeline does not present any new information nor alter any current privacy settings.

Evans

But Karen Evans, National Director for the US Cyber Challenge, a nationwide program focused specifically on the cyber workforce, says Google and Facebook’s latest advances in the science of indexing and profiling Internet users  could make richer information more readily accessible to ID thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers.

Online profiles, for instance, are already being used to deny insurance coverage and as a basis for not hiring someone. And political campaigners would love to get their hands on the richest data available to help sway voters during the upcoming presidential elections.

“The consumer should know exactly how the information is to be used and the potential impact it could have them especially younger Americans,” says Evans. “ Many of them play games, watch videos and search on the internet for class projects. The collection and use of the information could have adverse impact on their daily lives. For example, they could be conducting a search because this is an election year for a classroom project. The data could be later used to assume there is a political affiliation when in fact they were preparing for class.”

Gould puts it this way: “If you take the new Google policy and combine it with Facebook Timeline, the danger of hacking attacks for government users is multiplied by ten.”

Gould worries about the all-too-common scenario where an intruder e-mails a government worker pretending to be an acquaintance. “They can put information in an e-mail which they can get from your Facebook Timeline, and trick you into downloading a piece of spyware,” he says.

Heightened cross-referencing of an individual worker’s Google search, Gmail and YouTube activities poses similar risks, he says.

“If you have Facebook Timeline and you have tens of thousands of people using Google apps in government you’re going to get a lot more of these cases accidently disclosing their password, or downloading some kind of spyware, because they got an e-mail they thought was from a friend or acquaintance, and the e-mail seems to know about their past life or interests or concerns, “ Gould says

–By Byron Acohido

For the past two years, each company has experimented with different ways to divine more and more about how people live their lives on the Internet, without sparking a revolt.

But the plans the rivals announced on Tuesday, which critics say could dramatically rev up their respective abilities to gather intelligence on individual Internet users, seem to have struck a chord. An informal and unscientific survey of Web users by USA TODAY found a majority speaking out against the new business practices announced by Google and Facebook.

“It’s dangerous for two companies to have so much personal data, regardless of whether the specific threats of that data consolidation are immediately clear,” says Sarah Downey, a privacy analyst at software maker Abine.

Compelled to tap what many experts predict will be the next big Internet mother lode — online advertising — Google and Facebook laid down very big bets, during a week when European regulators are hashing out strict new rules that could prevent much of what the tech giants seek to do.

Google signaled its intent to begin correlating data about its users’ activities across all of its most popular services and across multiple devices. The goal: to deliver those richer behavior profiles to advertisers.

Likewise, Facebook announced it will soon make Timeline the new, more glitzy user interface for its service, mandatory.

Timeline is designed to chronologically assemble, automatically display and make globally accessible the preferences, acquaintances and activities for most of Facebook’s 800 million members.

Google and Facebook have repeatedly insisted that the changes are intended strictly to improve users’ experiences.

“Facebook works the way it always has,” says spokeswoman Meredith Chin. “There is no new information on Facebook as a result of Timeline, and no privacy settings have been changed with the introduction of it. It’s simply an updated version of the profile.”

But the changes have stirred anger from many consumers. Some, such as Joyce Norman, a writing consultant from Birmingham, Ala., are considering ways to limit their exposure to Google’s and Facebook’s new business practices. “Mine is not a lone voice crying in the wilderness,” says Norman.

Benjammin Gaultney of Montague, Mich., sees it differently, looking forward to the possibility of more appropriate ads coming to his screen. “You have to deal with ads all over the Internet either way,” he wrote on USA TODAY’s Facebook page. “Advertisers could at least try to sell me something I’m actually interested in rather than life insurance.”

Meanwhile, a high-stakes lobbying effort is unfolding in Washington aimed at shaping policies favorable to U.S. tech companies and blunting any potential move to follow Europe’s more conservative proposals to limiting online tracking by companies.

The tech giants sharply increased their lobbying spending last year. Google spent $9.7 million in lobbying in 2011, up from $5.2 million in 2010, says the Center for Responsive Politics. Facebook spent $1.4 million in 2011 vs. $351,000 in 2010.

The driver: advertising revenue. The global online advertising market is expected to swell to $132 billion by 2015, up from $80 billion this year, according to eMarketer. Google and Facebook are putting their abilities to index individuals’ online activity and behaviors into high gear to tap into this market, analysts say.

“If they can make the ads more relevant, the logic goes, they can increase the number of advertisers and the price they can charge per click (on each ad),” says Alex Daley, chief investment strategist at Casey Research. “Because the click will be from more qualified leads — customers who are more interested in the product — they can grow the revenue base.”

But security analysts, privacy advocates and technologists say consumers probably should be very concerned. While making richer behavioral data more readily available to advertisers, Google’s new data-correlating practices and Facebook’s new Timeline and Open Graph, a more powerful way to express preferences on third-party websites, also tend to aid and abet more unsavory uses.

Beware of cybercrooks

Richer personal details are very beneficial to identity thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers, such as insurance companies, prospective employers, political campaigners and, lately, hacktivists, security analysts say.

“What these unilateral decisions by Google and Facebook demonstrate is a complete disregard for their users’ interests and concerns,” says John Simpson, spokesman for Consumer Watchdog. “It’s an uncommonly arrogant approach not usually seen in business, where these companies believe they can do whatever they want with our data, whenever and however they want to do it.”

Google has a long history of running into privacy problems.

Its Gmail raised hackles early on when the search giant decided to mingle advertising alongside users’ e-mail. The move initially concerned people because the ads’ relevancy was linked to e-mails inside users’ accounts. For example, if a person was writing about buying a car, ads for cars could appear alongside that individual’s e-mail. To many, that felt like a privacy intrusion.

The search giant maintains that such contextual ads, where advertisers can bid on keywords that relate to a users’ content, don’t reveal personal identities. Gmail users can turn some of the ads off, but adjusting the feature requires some work.

Much of this type of product development is the result of Google taking a very engineer-focused approach to mining data rather than serving consumer interests, say industry experts. Google engineers want to play with technology first, but they think about how the product plays with consumers and privacy second, says IDC analyst Karsten Weide.

When Google tried to build its Buzz social network in 2010 from Gmail contacts, it ran into privacy problems. It began publicizing users’ contacts without asking. The Federal Trade Commission last year charged Google with “deceptive privacy practices” in the handling of Buzz.

Google “did not respect” consumers’ expectations of privacy, says Helen Nissenbaum, a professor of media, culture and communication at New York University. “They (Google) seem to be doing the same thing here” with the privacy update.

Under terms of the FTC consent order, Google agreed to a 20-year independent review of its privacy practices.

But the changes announced Tuesday may again set it on a collision course with the FTC.

“We do believe the proposed changes . . .  violate the FTC consent order,” says Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center. Those changes could subject Google to monetary damages under Google’s agreement with the FTC, says Rotenberg.

But Rachel Whetstone, Google’s senior vice president for public policy and communications, says the company would not have proposed privacy updates that run afoul of the FTC settlement.

“We try to be transparent about the data we collect and give meaningful controls about how data is used,” says Whetstone.

There are also concerns about Google’s recent move to roll activities on its Google+ social network into users’ search results. The opt-in integration of those two Google products mingles profiles, photos and posts of people a user follows on Google+ into the user’s search results if they choose.

Whetstone says it doesn’t raise privacy issues because the information is viewed only by the user.

Facebook’s issues

Facebook has had its own issues, most recently in November when the FTC announced a broad settlement that requires the company to respect the privacy wishes of its users and subjects it to audits for the next 20 years.

The order, which claimed Facebook engaged in “unfair and deceptive” practices in December 2009, stems largely from the way Facebook handled information its users deemed to be private information.

On Tuesday it announced that Timeline will become the default user interface for all members over the next few weeks.

Combined with the addition last week of some 60 apps specifically written for Timeline, consumers can provide a detailed account, often in real time, of the music they listen to, what they eat, where they shop — even where they jog.

The deeper personal data of Timeline — which Facebook users willfully share — are potentially online advertising gold for marketers and advertisers. This is especially crucial, analysts say, as Facebook steamrolls toward an initial public stock offering this year.

The company is under pressure to increase sales and profits to meet the lofty expectations of shareholders, and online advertising is the most logical place to do that. Facebook gleaned 89% of its estimated $4.3 billion in revenue last year, or about $3.8 billion, from online ads, according to eMarketer.

“If Facebook has richer behavioral targeting data than Google, then it has an edge up in relevance,” says Casey Research’s Daley. “And an edge up in relevance is an edge up in revenue.”

Some Wall Streeters believe the changes made by Google and Facebook will have only an “incremental” effect on the battle between the two giants in going after online advertising dollars.

Both companies continue to be dominant in their markets, which “tend to be winner-takes-all markets,” says Ryan Jacob of the Jacob Internet fund. Google continues to hold strength in online search and is a strong player in online video with YouTube and in mobile with its Android operating system, he says.

But “Google has a long way to go before it can be considered a credible competitor to Facebook,” he says.

Google’s moves, if anything, are “somewhat defensive,” he says. “For them (Google) to maintain their position in search, it’s important for them to be players in other areas,” he says.

Channing Smith of money management firm Capital Advisors, which owns shares of Google, is more optimistic. “If it continues to put up numbers for Google+, it can be a competitor to Facebook,” he says.

Rep. Ed Markey, D-Mass., who has already been pressing Facebook to explain its tracking systems, said on Wednesday that he would ask the FTC to take a close look at Google’s new privacy policies.

“Google’s privacy policy changes mean consumers can’t say no to sharing their personal information across Google’s websites,” Markey said. “Consumers, not Google, should be able to make these decisions.”

By Byron Acohido, Scott Martin and Jon Swartz

Contributing: Mike Snider, Roger Yu, Matt Krantz

Orginally published 26 Jan. 2012, USA TODAY print editions. P1B

Caution is spreading among popular file-sharing services known for letting users circulate pirated Hollywood content.

FileSonic, FileServe and Uploaded.to have abruptly cut off the sharing of movies, games and other software just days after the Justice Department closed down Megaupload, the largest such site.

“It looks like the chilling effect has already started,” says Dennis Fisher, editor in chief of security blog Threatpost. “Maybe one of the reasons the U.S. government is going after companies alleged to be hosting infringing content is to serve as a deterrent for others engaging in similar activity.”

Fisher

FBI and Department of Justice officials do not discuss ongoing investigations.

File-sharing services, also referred to as cyberlockers, enable users to easily upload, store and share large files on a server in the Internet cloud. This includes movies, music, gaming applications, software tools, multimedia presentations and the like.

But cyberlocker companies have not come up with a good way to consistently stop copyright infringement. “As soon as you let users trade files back and forth, you really don’t have much control,” says Wade Williamson, senior security analyst at firewall supplier Palo Alto Networks.

The motion-picture industry, for one, has been pushing U.S. regulators to enforce copyrights with respect to film content showing up in cyberlockers.

One recent measure of how widespread the problem is comes from Palo Alto Network’s recent analysis of the Internet traffic at 1,636 companies, with more than 4 million employees, in the second half of 2011.

The analysis found employees at six in 10 companies used Megaupload to download large content files. Overall, 25% of corporate traffic to and from cyberlockers came from Megaupload, which specialized in entertainment content. Some 22% came from Dropbox, a workplace productivity and collaboration service, followed by 15% from MediaFire, another entertainment-oriented service. The next three most-active cyberlockers in corporate settings were entertainment oriented: FileSonic, 4shared and FilesTube.

FileSonic is noteworthy because it has recently begun to establish formal distribution agreements with artists. Those contracts could be frozen if the authorities were to pursue copyright-infringement actions against FileSonic.

Cyberlocker traffic: yellow=MegaUpload; green=FileSonic; grey=RapidShare. Source: Sandvine

FileSonic couldn’t be reached for comment.

“They appear to be able to deliver files in an above-board way,” says Williamson. “In shutting down the ability of their users to trade files back and forth, they may be moving to protect their flank.”

FileSonic, based in the U.K., posted a message on its website: “All sharing functionality on FileSonic is now disabled. Our service can only be used to upload and retrieve files that you have uploaded personally.”

Last December, FileSonic began scanning user uploads in an effort to stop copyrighted material from going on the site.

Meanwhile, Derek Labian, co-founder and CEO of Shenandoah, Texas-based MediaFire, says what’s happened with Megaupload is “concerning” but won’t stop MediaFire from continuing business as usual. MediaFire has 25 million account users.

“We’re a U.S.-based company and follow U.S. law. It’s pretty much that simple for us,” says Labian. FileSonic’s move to disable certain downloads is “pretty drastic,” he says.

It is troubling that legitimate digital storage services should feel compelled to monitor their users, says intellectual property director Corynne McSherry of the San Francisco-based Electronic Frontier Foundation. “In terms of privacy, that should be a concern,” she says.

File sharing has become a major way corporations collaborate with employees and partners and interact with customers. It fuels the sharing of rich content across Internet-connected devices in the home and office and distributed to mobile devices and has emerged as a major component of cloud computing, the delivery of content and services across the Web.

“If legitimate content is housed on the same service that might have infringing content, it gets sucked into this vortex and it’s gone,” says Dennis Fisher, security blogger at Threatpost.com. “I don’t know how much the government or these companies (advocating strict anti-piracy enforcement) have thought this through. I would guess not a lot.”

Federal authorities shut down Megaupload.com, one of the world’s most popular file-sharing sites, Thursday and accused it of costing copyright holders more than $500 million in lost revenue from pirated films, music and other content.

Sandvine's cyberlocker traffic data: yellow=megaupload; grey=rapidshare; green=filesonic

Four executives arrested in New Zealand appeared Friday in an Auckland courtroom to begin extradition proceedings that could take more than a year. Three others remain at large.

According to New Zealand’s Fairfax Media, a defense lawyer raised objections to a media request to photograph the proceedings, but his client, Megaupload chief Kim Dotcom, spoke out, saying he would not object “because we have nothing to hide.”

The judge granted the media access, and ruled that Dotcom and the three other suspects would remain in custody until Monday, the next scheduled hearing in the case.

The five-count indictment, which alleges copyright infringement as well as conspiracy to commit money laundering and racketeering, described a site designed specifically to reward users who uploaded pirated content for sharing, and turned a blind eye to requests from copyright holders to remove copyright-protected files.

It was unsealed a day after technology companies staged an online blackout to protest two related bills in Congress that would crack down on sites that use copyrighted materials and sell counterfeit goods. Congressional leaders agreed Friday to indefinitely delay action on those bills — Stop Online Priacy Act in the House and Protect IP Act in the Senate.

Critics contend SOPA and PIPA don’t so much protect the rights of filmmakers, musicians, writers and artists as they do preserve an antiquated film and music distribution system.

“No law passed in the U.S. is going to have any real effect on whether people steal movies, music and books. That ship has sailed,” Fisher says. “The network of underground sites that traffic in pirated movies and music won’t disappear. It will simply adapt.”

Within 24 hours after U.S. authorities shut down Megaupload servers in Virginia, ABC News reported that the website was accessible again by typing a numeric address in a Web browser. But that address led to a webpage with a message saying work was underway to restore Megaupload, and asking people to spread the word on Facebook and Twitter.

Megaupload may have had a contingency plan with a backup domain and server at the ready to restore services should its main servers go down, something that many Internet companies do, Fisher says.

Hilwa

Al Hilwa, an analyst at research firm IDC, says defining who is responsible for strictly obeying copyright laws is at the heart of the piracy issue. “Shifting that responsibility to the technology providers, networks, hosters and intermediate service providers who make up the file-transfer chain would mean burdening them with escalating costs. That would make them uncompetitive and hurt their growth.” he says.

That law enforcement officers were able to coordinate internationally to take action demonstrates that current laws targeting copyright violators work, says Art Brodsky, a spokesman for Public Knowledge, a Washington, D.C.-based communications and technology advocacy group. “They roped in New Zealand police and the FBI flew down there,” he said. “So why do you need more laws?”

On Friday afternoon, Twitter and Facebook users continued buzzing about the shutdown of Megaupload. Some posted messages such as “R.I.P. Megaupload,” “Missing Megaupload already,” and “Let’s all have 1 minute of silence for Megaupload.”

Meanwhile, federal authorities are investigating disruptions to the Justice Department website and threats to the site maintained by the FBI believed to be prompted by the Megaupload arrests.

The Justice Department website was back online Friday after being hit Thursday evening. An alliance of hackers known as “Anonymous” claimed responsibility.

In a written statement, the Justice Department said its Web server had experienced a “significant increase in activity, resulting in a degradation in service” and that the activity was “being treated as a malicious act.”

The enforcement action against Megaupload and actions by hacktivists was not unprecedented. Something similar happened in May 2006 when authorities shut down movie-sharing site Piracy Bay.

Millions of people use websites such as Megaupload and Bit Torrent to transfer TV shows, movies and music. Other file-sharing sites like You Send It and Dropbox focus on file-sharing for workplace collaboration. And newer file-sharing sites like Spotify focus on file-sharing within social media and mobile devices.

If anti-piracy enforcement actions accelerate, hacktivists can be expected to uniformly retaliate, says Josh Shaul, chief technology officer at Application Security.

“We may be looking at a cycle of more enforcement action, more sites being taken down and more retaliation by hacktivists,” Shaul says. “People will bring up new file-sharing sites in countries where they can’t be taken down, and the cycle will continue.”

The hacktivists are getting better at retaliating quickly. Recruits to help execute distributed denial of service (DDos) attacks are trained and equipped to instantly add the processing power of their individual PCs to the cause.

The constant stream of nuisance requests that cut off public access to the Justice Department and motion picture industry websites came from about 5,635 individuals using a networking tool called a “low orbit ion cannon,” according to messages posted by Anonymous, which claims this to be the largest such attack ever. PCs likely scattered in multiple nations, using tried-and-true technology to make them difficult to trace, were used.

Such attacks formulate spontaneously in Internet Relay Chat rooms. Participants must use their own initiative to set up their PCs ahead of time so they can’t be traced, but the necessary software and training are readily available online.

“The ranks of the hacktivists are swelling,” Shaul says. “More people are willing to stick their necks out on the line and start hacking.”

While Justice says it is illegal for anyone to download pirated content, its investigation focused on the leaders of the company, not end users who may have downloaded a few movies for personal viewing.

Megaupload.com has 150 million registered users, about 50 million hits daily and endorsements from music superstars. The U.S. indictment said founder Dotcom made $42 million last year alone.

The website allowed users to download some content for free, but made money by charging subscriptions to people who wanted access to faster download speeds or extra content. The website also sold advertising.

The movie industry has fought against the site, saying it is making money off pirated material. Though the company is based in Hong Kong and Dotcom was living in New Zealand, some of the alleged pirated content was hosted on leased servers in Virginia, and that was enough for U.S. prosecutors to act.

New Zealand police seized guns, artwork, more than $8 million in cash and luxury cars valued at nearly $5 million after serving 10 search warrants at several businesses and homes around Auckland.

Dotcom is a resident of Hong Kong and New Zealand and a dual citizen of Finland and Germany who had his name legally changed. The 37-year-old was previously known as Kim Schmitz and Kim Tim Jim Vestor.

Of the three others arrested Thursday, two were German citizens and one was Dutch. Three other defendants — another German, a Slovakian and an Estonian — remained at large.

The Electronic Frontier Foundation, which defends free speech and digital rights online, said in a statement that the arrests set “a terrifying precedent. If the United States can seize a Dutch citizen in New Zealand over a copyright claim, what is next?”

Acohido reported from Seattle Contributing: Yamiche Alcindor, Roger Yu and Matthew Barakat in McLean, Va.; Kevin Johnson in Washington; Associated Press

The popular online shoe retailer, a division of Amazon, disclosed on Sunday that hackers cracked its customer database to steal records for some 24 million customers.

The data thieves did not get any payment card numbers, because that data was encrypted, as required under the Payment Card Industry Data Security Standard.

But as is a common practice with many online retailers, Zappos did not encrypt its customers’ e-mail and shipping addresses, phone numbers, the last four digits of the payment card numbers and the account passwords.

Feinman

Retailers do not typically encrypt any data beyond what is required under PCI-DSS rules, which is enforced by VISA and Mastercard, because doing so can degrade a website’s performance, says Todd Feinman, CEO of database security firm Identity Finder.

Feinman says it’s technically trivial for corporations to extend encryption beyond payment card numbers to other consumer data known to hold value in the Internet underground. “Visa and Mastercard fight to protect credit card numbers, but there’s no one fighting for the individual consumer whose e-mail address falls into the possession of hackers,” says Feinman.

E-commerce has come to revolve around account usernames based on a valid e-mail address, and most consumers aren’t aware of the inherent risk that arrangement engenders. Many use the same e-mail address and password to create financial transaction accounts across multiple websites. Cybercriminals know this and are expert at taking full advantage.

Zappos customers should be on high alert for “phishing” e-mail crafted to lure them into divulging sensitive information, such as a Social Security number, or to clicking on a seemingly trustworthy weblink that actually installs a virus.

And they should be aware that the hackers are likely to attempt to use their Zappos account e-mail and password to attempt to find and  access their other online accounts. “The hackers will be crunching the password data to identify where weak passwords have been used – as those users often re-use passwords,” says Stina Ehrensvard, CEO of authentication hardware maker Yubico. “We’re highly likely to see the data being used elsewhere on the Internet in the coming days.”

(UPDATE 17 Jan 2012: Zappos did not store any clear text passwords. What the thieves took were password hashes, alphanumeric strings  substituted for the actual passwords. Free tools, called hash tables, can display password hashes as the associated password. Hash tables are widely available for free use, and particularly effective deciphering hashes for passwords that use simplistic combinations of letters and number.)

The crooks can also make productive use of the last four digits of a victim’s payment card numbers. “It’s one more piece of information to make the consumer think the phishing message is authentic,” says Feinman.

Zappos itself is sending e-mails to its customers asking them to create new passwords for their Zappos accounts. The company recommends users change passwords on any other website where they use the same or similar passwords.

Hsieh

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” CEO Tony Hsieh said in a blog statement. “It’s painful to see us take so many steps back due to a single incident.”

Notice of the Zappos breach follows the disclosure of the Christmas Eve break-in of Strafor.com, in which hacktivists stole, then posted online, credit card numbers and account logons for more than 50,000 of the online publications’ subscribers.

And 2011 proved to be an unprecedented year for headlines about major database break-ins at Sony, Google, Bank of America, RSA, Lockheed, Epsilon, Nasdaq Directors Desk and the U.S. Chamber of Commerce, among many others.

Security experts and technologists point to several developments that suggest the pattern is likely to continue in 2012.

Example of a hash table

Many corporate system break-ins begin by tricking one employee to click on a corrupted web link or open a poisoned attachment.

Such poisoned messages arrive by e-mail, seemingly from a trusted associate, or, increasingly, circulate in Facebook and Twitter. The increasing use of sharing applications — on workplace computers and mobile devices — multiplies opportunities for clever hackers. Even the largest, most sophisticated corporations are vulnerable.

“This is a harbinger for 2012” says Feinman. “This is the type of thing were going to see all year round.”

Ehrensvard

Yubico’s Ehrensvard agrees. “Until CEOs realize the cost of doing nothing, and ask difficult questions of their teams, we expect to see regular reports of breaches,” she says. “It’s no longer acceptable for a CEO to leave the security of their customers data to others. It is their responsibility when it’s stolen.”

The Zappos breach underscores a need for corporations, especially online retailers, to reassess the risks associated with routinely amassing mountains of customer data, and to consider beefing up database defenses, security experts say.

“As more consumers choose to shop online, it becomes even more critical for retailers to monitor for malicious activity and protect their customer information,” says Mandeep Khera, chief marketing officer at data monitoring firm LogLogic. “This diligence helps protect their brands, and helps avoid compliance penalties.”

Cenzic CEO John Weinschenk at least gives Zappos credit for  transparency.  “Zappos’ response to their loss of customer data should be emulated by other organizations,” he says. “They outlined for their customers exactly what happened, what was stolen, and what it meant for them.

“Zappos took the first step by making this attack and data losses transparent. Now they need to prove to their customers they can be trusted in the future and protect personal information. That will be an ongoing process.”

Hacking technology has become so accessible, and social network-based rabble rousing so prevalent, that hacktivists espousing confused motives can lash out indiscriminately — and cause crushing damage.

That’s the upshot of the Christmas Eve Stratfor.com escapade widely attributed to members of the Anonymous hacking collective. The online global affairs publication relaunched its website today, three weeks after hacktivists posted sensitive data for 50,000 Stratfor subscribers, then shut out the lights. The company has had to hire teams of forensics experts and security consultants to restore operations, including moving its entire e-commerce process to a third-party system, and eliminating the storing of credit information.

Stratfor CEO George Friedman acknowledged that the company had not encrypted customer information. “This was our failure,” Friedman said in a statement. “I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.”

Friedman believes the attack serves notice about a troublesome new strain of unpredictable censorship arising on the Internet. He elaborates on that notion in this exclusive LastWatchdog interview:

Friedman

LW: What exactly happened?

Friedman: What happened to us was the credit card information was stolen earlier. We knew about that from the FBI. What they did on the 24th was nuked our servers. . . they went into the servers and rooted them, which meant that they destroyed the file structure, which normally means you can’t reover the information. They did that  not only to our primary data bases, they did that to our backups too. They were trying to make it impossible for us to re-emerge.

LW: Why did you become a target?

Friedman: If we’re to believe (the hackers), the reason was that we were the hub of a government-corporate complex, getting information from these people and, I gather, propogandizing. They had built a fantasy image of us as being part of a very powerful group. From our mailing list  they selected all the corporate subscribers, and created this image of us as being an incredibly connected, powerful entity, and that was their justification.

LW: How valid is that profile of you?

Friedman: Not very valid at all. We certainly know people in Washington and all over the world. We have sources. That’s our job. But we have no access to classified or corporate information. That’s simply not what we do. We’re a publishing company.

LW: You’ve been doing this a while.

Friedman: We started Stratfor as a consultancy in 1996. After the Kosovo War we started moving into publishing because we found there was an appetite for international news. At this point, we’re almost entirely a publishing company. There is an audience that wants to understand international affairs more deeply from a non-ideological standpoint, and that’s who we serve. We’re careful and militant about not having an ideology, nor recommending any policy.

LW: What’s a recent representative article?

Friedman: A recent story predicted that there would be a major crisis in U.S. – Iranian relationships because of the vacuum created by the U.S. withdrawing from Iraq and how Iran was in the process of filling the vacuum. . .The point is we do pretty complex stories. We try to do the play-by-play of global affairs without rooting for any team.

LW: Bradley Manning allegedly  leaked a specific set of documents, presumably for deeply-held reasons of conscience. How was this leak any different?

Friedman: It was an attempt to undermine our capacity to do our work. And it has a technical basis, they destroyed our servers and our back ups. One part is the (leaked) credit card information, which were very sorry about because it affected our customers. Another part is the (leaked) e-mails, which will not show much. But the most serious thing is the attempt to destroy our digital capacities.

Individuals now have the ability, with full anonymity, to decide who they like and dislike, and if they dislike them, use their technology to destroy them. We’re lucky in that we have the financial and staff resources to recover. But there are other organizations that can be completely silenced, and never know who silenced them or why they did it.

LW: So we’ve turned a corner?

Friedman: If you want the definition of a new fascism it is faceless people, setting the rules, not forgetting, not forgiving and promising that they’re coming. That’s really a frightening vision of what’s going on. Imagine if this becomes a general activity.

We are entering a very dangerous space now. Anyone can have the skill and knowledge to do this. Any ideology can to it. It’s not as if this is a particular threat from the left or from Wall Street. It can come from anywhere, and anyone who disapproves of you can wreak havoc.

LW: Was spear phishing a contributing factor in the initial breach?

Friedman: I actually can’t talk about that because of the FBI investigation. As soon the lid is off this, I’d love to talk to you about it.

LW: You were offline for three weeks. To what degree have you been able recover?

Friedman: With a great deal of effort we have managed to recover enough to go live today, but without the entire archives. We’re functioning, and the archives will be built back in over the coming weeks. We’re spending a substantial amount of money both on our customer support and recovery. I can’t give you the number because we don’t know what it’s going to be. We’ve got three or four sets of consultants in here. It is going to cost us.

LW: Have many of your subscribers lost faith in you?

Friedman: When I looked at the e-mails we’ve received, and even looking at Twitter today, there was overwhelming support from our subscribers. In one narrative, we’re the saps for letting this happen. In the other, we’re the victims. And it’s interesting that our subscribers are the ones who regard us as the victims. My sense is we have the same relationship with our readers as we had before, regardless.

LW: Anything else you’d like to add?

Friedman: Implicit in the First Amendment is the idea that we all owe each other the right to be heard, and what Anonymous has done is to try to deny us that ability. There used to be a village commons , where everybody gathered to do business and talk. Everyone knew each other. There was no anonymity.

Now we have this global commons. And in the global commons, there is this element of anonymity, which I support. I think it’s a good thing. But it carries with it a responsibility, without which, there’s no accountability.