Traditional news outlets and the blogosphere are full of reports of hacking and privacy invasions on social networking and cloud computing platforms. This is an opportunity: an opportunity to bring the right technologies to the party, but sadly also just another opportunity for your personal information to be taken without your consent. Take just a few recent examples:
Ian Glazer created Privacy Mirror to demonstrate a privacy flaw in Facebook applications (the flow you enter any time you click “Allow” to let an application read your personal information). His results show that third-party developers get more information than your “Application Privacy Settings” allow.
It appears that what is going on is this: if Alice and Bob have both authorized the same application, that application no longer respects either user’s Application Privacy settings. Instead it respects each person’s Profile Privacy settings. In effect, App X is treated (from a privacy-settings point of view) as if it were a friend of Alice and Bob rather than a third-party application.
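To make the access-control failure concrete, here is a small model of the two evaluation rules, written as an added example for this post; it is not Privacy Mirror, not Facebook's code, and the users, field names, privacy levels and the app identifier `app_x` are constructed assumptions. The buggy evaluator switches from Application Privacy to Profile Privacy as soon as a second user has authorized the same application, exactly as described above; the fixed evaluator only ever returns what the user granted, regardless of who else authorized the app.

```python
"""Model of the "app becomes a friend" privacy flaw described above.

Constructed illustration, not Facebook's or Privacy Mirror's code. The
users, profile fields, privacy levels and app id are assumptions.
"""
from dataclasses import dataclass


@dataclass
class User:
    """Profile data plus the two separate privacy settings the post contrasts."""
    name: str
    profile: dict            # field -> value
    profile_privacy: dict    # field -> "everyone" | "friends" | "only_me"
    app_privacy: dict        # app_id -> set of fields this user granted that app


def fields_visible_to_friends(user: User) -> set:
    """Fields a confirmed friend may read under the user's Profile Privacy settings."""
    return {f for f in user.profile
            if user.profile_privacy.get(f, "only_me") in ("everyone", "friends")}


def fields_granted_to_app(user: User, app_id: str) -> set:
    """Fields the user explicitly granted to one app (Application Privacy settings)."""
    return set(user.app_privacy.get(app_id, set())) & set(user.profile)


def app_view_buggy(app_id: str, user: User, all_users) -> dict:
    """Reproduce the flaw: once any other user has also authorized the app, the app is
    evaluated as if it were a friend of this user, so Profile Privacy applies instead of
    the narrower Application Privacy grant."""
    if app_id not in user.app_privacy:
        return {}
    shared = any(u is not user and app_id in u.app_privacy for u in all_users)
    allowed = fields_visible_to_friends(user) if shared else fields_granted_to_app(user, app_id)
    return {f: user.profile[f] for f in allowed}


def app_view_fixed(app_id: str, user: User, all_users=None) -> dict:
    """Intended behaviour: an app sees only what this user granted it. Which other
    users authorized the same app must not change the answer."""
    return {f: user.profile[f] for f in fields_granted_to_app(user, app_id)}


def leaked_fields(app_id: str, user: User, all_users) -> set:
    """Fields the buggy evaluation exposes beyond what the user authorized."""
    return set(app_view_buggy(app_id, user, all_users)) - set(app_view_fixed(app_id, user))


# Constructed sample users (assumptions for illustration, not real accounts).
ALICE = User(
    name="alice",
    profile={"name": "Alice", "birthday": "1980-01-01",
             "email": "alice@example.com", "phone": "555-0100"},
    profile_privacy={"name": "everyone", "birthday": "friends",
                     "email": "friends", "phone": "only_me"},
    app_privacy={"app_x": {"name"}},          # Alice granted app_x her name only
)
BOB = User(
    name="bob",
    profile={"name": "Bob", "birthday": "1979-02-02",
             "email": "bob@example.com", "phone": "555-0101"},
    profile_privacy={"name": "everyone", "birthday": "friends",
                     "email": "only_me", "phone": "only_me"},
    app_privacy={"app_x": {"name", "birthday"}},
)
CAROL = User(  # never authorized app_x at all
    name="carol",
    profile={"name": "Carol", "email": "carol@example.com"},
    profile_privacy={"name": "everyone", "email": "friends"},
    app_privacy={},
)

if __name__ == "__main__":
    everyone = [ALICE, BOB, CAROL]
    for u in everyone:
        print(u.name,
              "buggy:", sorted(app_view_buggy("app_x", u, everyone)),
              "fixed:", sorted(app_view_fixed("app_x", u)),
              "leaked:", sorted(leaked_fields("app_x", u, everyone)))
```

Note the two edge cases the model keeps straight: fields marked "only_me" are never exposed even by the buggy path (the flaw is friend-level access, not full access), and a user who never authorized the application gets nothing under either rule.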
The net result is that third-party application developers get everything your Profile Privacy settings expose to friends, not just what you authorized them to get. This is bad enough that a complaint has been filed against Facebook in Canada. What makes it worse is that Facebook does a terrible job of informing you of how your information can be accessed. From the Privacy Commissioner in Canada:
On the remaining subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information, the Assistant Commissioner likewise found Facebook to be in contravention of the Act and concluded that the allegations were well-founded. In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations. Most notably, regarding third-party applications, the Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.
Another example: last month the Google cloud applications (Google Docs) that Twitter executives use were compromised, and corporate information and user account information were taken. Username-and-password protection alone for cloud applications holding this kind of information is not acceptable.
Twitter accounts are hacked so often now that it seems mainstream. Just today I got a direct message on Twitter from someone I know that was clearly spam. Later this person tweeted an apology to all their followers that their account had been hacked. Twitter account hacks are usually used to spread spam, but again, your account information is, and should be, private, right? A username and password for social networking sites is not good enough.
On the security side, this week a successful distributed denial-of-service attack took Twitter down but only slowed Facebook and LiveJournal. While this attack was apparently politically motivated, aimed at denying social networking services to a target, it shows how coordinated such attacks have become: a simultaneous attack across multiple platforms, likely involving thousands of computers. If this is the threat level, security and privacy controls need to step up commensurately.
The use of social networking and cloud computing applications is skyrocketing, and it is a great market to be in. Unfortunately, in the time-to-market race for these companies, proper privacy and security controls appear to be lagging.
As I said at the beginning of this post, this is an opportunity. It is the opportunity for multi-factor authentication, trust, and identity federation technologies to protect who you are online and what you can do. It is also an opportunity for your personal information to be taken. For now, a good rule of thumb: if you don’t want the public to know it, don’t put it in your profile.