TR Editors' blog

A Place to Complain about Internet Privacy

Campaign takes shape to gather complaints and get Congress to pass privacy laws.

David Talbot 12/03/2009

The Take Back Your Privacy site offers simple ways to file complaints.

Don't like what a website has done with your personal information? Don't understand its privacy policies? A new privacy complaint site is now open for business--created by an Internet freedom and privacy advocacy group in Washington, D.C. called the Center for Democracy and Technology (CDT).

Complaints can be shared with your social network via sites like Twitter and Facebook, and also forwarded to the Federal Trade Commission (FTC). If enough complaints surface, it's possible that the FTC will launch an investigation into whether a website is violating existing laws.

The larger point is to create a cudgel to get Congress interested in enacting comprehensive Internet privacy legislation. CDT has already put out a pretty good guide to online privacy problems, explaining the existing, often narrowly written patchwork of court rulings and laws, most of them falling hopelessly behind rapid technological advances.

"In the past ten years, the ability of Internet companies to collect and aggregate information has increased dramatically," says Leslie Harris, the group's president. But while some states have taken action, Congress has not. "We see next year as the first time in a decade that we will have serious debate in Congress on whether we will have comprehensive privacy laws."

Among other things, says Harris, "we ought to have a tool that takes you out of online tracking; with one click, you delete all tracking devices that have been put on your computer." Users should also have the power to force Internet companies to delete personal data, such as search requests, after the passage of a reasonable period of time, she adds.

Why Don't Spammers Get Shut Down Faster?

Spam schemes survive significantly longer than other types of Internet fraud. Why?

Erica Naone 10/16/2009


While researching today's story about crafty phishing techniques, I came across some statistics that reveal the lifespan of various types of nefarious Internet schemes. The chart below, put together by Milcord, a company that collects real-time data about botnets, shows that spammers survive for a couple of months, while phishers typically make it only about five to ten days. Malware schemes are in between.

The chart shows the respective lifespans of botnets engaged in phishing, spam, and malware distribution. The data is for botnets that use a trick called flux to extend their lifespans. Credit: Milcord

What's the reason for this time difference?

Alper Caglayan, Milcord's president, thinks it's due to the nature of the victim. "Phishing targets well-known brands, like Citibank, Bank of America, eBay, or Paypal," he says. "Obviously, these folks are willing to spend a lot of money defending their brands."

Though ordinary people are the ones who ultimately get burned, phishers can affect the reputations of companies with deep pockets. Caglayan says that some security companies offer service-level agreements that promise to get a phishing site hosted in the U.S. taken down in under an hour.

Spam, on the other hand, has no such highly-motivated opponents. While it's a nuisance to everyone, no particular company suffers publicly for it, and therefore, the money to halt it simply isn't there.

Most individuals may want someone to do something about spam, but they end up relying on anti-virus software or intervention from law-enforcement agencies. The motivation to go after and shut down the botnets just isn't the same.

New Flaws Revealed In A Creaking Internet

Researchers at Black Hat reveal flaws in the infrastructure designed to keep sensitive information secure.

Erica Naone 07/31/2009

In separate presentations at the Black Hat computer security conference in Las Vegas this week, two researchers revealed flaws with the system that protects credit card and password transactions online.

The Secure Socket Layer (SSL) protocol implements the padlock that appears in a browser's address bar--an outward symbol that the underlying communication between browser and server is secure and that the Web page is what it claims to be.

Dan Kaminsky and Moxie Marlinspike separately demonstrated a number of problems with SSL, some immediate and some that could become an issue within the next 18 months. Some of these issues are caused by inconsistencies in how SSL is implemented in the browser compared with how SSL is implemented by the certificate authorities that form the backbone of the system.

Rumblings about this infrastructure have been going on for some time--late last year, researchers Alexander Sotirov and Marc Stevens showed that an outdated algorithm could undermine the system. Later, Marlinspike released a tool that an attacker could use to capture supposedly secure information.

Later today at Black Hat, Sotirov plans to show further problems with "extended validation" SSL certificates, which are supposed to provide a more secure version of the system.

Last year at Black Hat, Kaminsky revealed a major flaw affecting a vital piece of Internet infrastructure that matches website addresses to the servers that host their pages. Kaminsky said in a press conference yesterday that the "creaking" of the SSL infrastructure is a sign that it's time to look for a new solution. He suggests DNSSEC, a protocol meant to secure the system for looking up website addresses. Kaminsky believes that it could be designed to guarantee a page's identity at the same time it links a user to a requested server. Other researchers, however, including some of Kaminsky's collaborators, don't agree that DNSSEC is the solution, and think there are ways to bolster SSL without discarding it.

Regardless of how people decide to fix the problems revealed at Black Hat, the takeaway is that much of the infrastructure supporting the Internet is straining with the weight of unintended responsibility.


About

Insights, opinions, and our editors' analysis of the latest in emerging technologies.
