Privacy worth piffling pennies to polled punters

Thursday, March 22, 2012

Consumers are prepared to pay more for goods in exchange for more privacy but the difference comes down to pennies rather than pounds.

A lab study sponsored by ENISA, the European Union security agency, confronted participants with a choice of whether to buy identical goods from two online vendors, one of which offered a lower price but wanted personal details such as government-issued ID number and mobile phone number that the other more expensive vendor didn't request.

Where the prices on offer were the same, the lab rats stayed away from the privacy-violating online retailer. However the aversion wasn't strong and a price discount of just €0.50 (£0.42) was enough to tempt consumers into choosing the privacy-invading provider.

The experiment involved 443 people and a choice between two online cinema vendors. The cheaper chain asked users for their mobile number and permission to send them marketing messages via email. Both requested the name, email address and date of birth of prospective buyers. The study was run by researchers at the German Institute for Economic Research (DIW Berlin) and the University of Cambridge.

When prices were the same, the privacy-friendly chain established a market share of 83 per cent. Even when the privacy-busting chain offered bargain prices, a sizeable minority (29 per cent) willingly paid extra to avoid handing over their mobile phone number. This share drops to 9 per cent for those prepared to pay extra to avoid marketing emails.

The survey is one of the few of its type to date. Sören Preibusch, a member of the University of Cambridge team, said the experiment showed that privacy-friendly services were capable of attracting a healthy niche market.

"A sizeable proportion of consumers are willing to pay a higher price for privacy," he writes. "Online businesses can capitalise these concerns. Privacy-friendliness is a win-win for online retailers and their customers."

The lab tests were supplemented by field surveys of 2,300 participants that broadly confirmed the earlier findings.

More details on the study, entitled Monetizing Privacy: An Economic Model for Pricing Personal Information, can be found here.

Consumer privacy has hit the headlines over recent weeks with concerns over the lack of transparency over privacy practices employed by many mobile application developers, but the issue is wider than that and also affects web-based services. A post on the Cambridge University's Light Blue Touchpaper blog discussing the experiment in greater depth and discussing the concept of privacy as a currency for web-based services can be found here.

Symantec buys mobile app management firm

Wednesday, March 21, 2012

Symantec has bought privately held mobile application management firm Nukona. Terms of the deal, announced Tuesday, were undisclosed.

The purchase, along with the earlier acquisition of mobile device management firm Odyssey Software, will allow Symantec to develop and market products that support the growing trend of allowing workers to bring their own devices to work.

Nukona's technology offers the ability to natively protect and control iOS, Android and HTML5 apps. The software offers the ability to "protect and isolate corporate data and applications across both corporate owned and personally owned devices", according to Symantec.

Met Police will use 1980s software to police Olympics

Monday, March 19, 2012


"Fileless" malware installs into RAM

Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims' PCs.

The researchers aren't quite sure how unusual it is, describing it as both unique and very rare, but no matter how scarce this type of malware is, it does sound rather nasty, as it uses its payload to inject an encrypted DLL from the web directly into the memory of the javaw.exe process. That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process.

Once under your machine's guard, the malware tries to attack Windows User Account Control so it can install the Lurk Trojan and connect to an associated botnet. That installation attempt is the malware's key task, as living in RAM means fileless malware won't survive a system reboot.

That the malware is able to do so is down to a known Java vulnerability, CVE-2011-3544 to be precise. Snoracle has long-since patched that hole. Another mitigating factor that will hopefully make this a short-lived attack is the fact Kaspersky picked it up in ads served only on Russian web sites. The security company has informed the ad-serving company and the offending code has been withdrawn.

But researcher Sergey Golovanov also warns that "we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries. It is likely that other malware, not just Trojan-Spy.Win32.Lurk will be used in the process."

Rutgers student guilty, faces 10 years for webcam spying

Sunday, March 18, 2012

Rutgers student Dharun Ravi is facing a possible ten years in prison after he used his webcam to spy on a gay roommate and broadcast the resulting video.

In 2010, Ravi's 18-year-old roommate, Tyler Clementi, was filmed with an unidentified partner by Ravi and a friend, who then showed the footage around their campus and announced that more footage would be coming. Clementi, who had only just come out to his parents, killed himself shortly afterwards by jumping off the George Washington Bridge, leaving a suicide note on Facebook reading "Jumping off the gw bridge, sorry."

Ravi was charged with 15 indictments, including invasion of privacy, bias intimidation, tampering with evidence and a witness, and hindering apprehension. The jury took two days to consider its verdict, and found him guilty of bias intimidation (considered a hate crime), and of tampering with evidence: Ravi had attempted to delete evidence of his activities after Clementi committed suicide.

"These acts were purposeful, they were intentional, and they were planned," prosecutor Julia McClure told the jury on the first day of the trial, CNN reports. She claimed that Ravi "was bothered by Tyler Clementi's sexual orientation."

Ravi's lawyers argued that it was a simple prank gone horribly wrong, and that Ravi had simply been immature. "He hasn't lived long enough to have any experience with homosexuality or gays," his attorney Steven Altman said in closing arguments. "He doesn't know anything about it. He just graduated high school."

While the case sparked a national debate on the problems of gay bullying, it also highlighted the fact that cyberbullying is relatively easy to prove in a legal context. Twitter feeds, computer hard drives, and text messages were all used to define exactly what happened, to the extent that both sides did not dispute the events themselves, just the motivations behind them.

The court did allow Ravi to appeal, and he is now free on $25,000 bail. He faces ten years in prison and deportation to his native India, after turning down a plea deal that would have seen him do 600 hours of community service and receive counseling. Fellow student Molly Wei, who also participated, took a deal to testify against her friend in exchange for 300 hours of community service and undergoing a course on cyber bullying.
