terriko: Evil Soup (evil soup)
2012-03-28 12:13 pm

Web Insecurity: Apparently consumers do care about privacy

Cross-posted from Web Insecurity

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:

The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.
terriko: Evil Soup (evil soup)
2012-02-08 01:00 pm
Entry tags:

"Active" Facebook users

There's an interesting article up on NYT regarding Facebook's definition of "active users" for the purpose of its IPO. Here's the boing-boing link to the story for those who are sick of NYT's paywall nonsense interacting badly with privacy settings. But really, the interesting part is this:

In other words, every time you press the “Like” button on NFL.com, for example, you’re an “active user” of Facebook. Perhaps you share a Twitter message on your Facebook account? That would make you an active Facebook user, too. Have you ever shared music on Spotify with a friend? You’re an active Facebook user. If you’ve logged into Huffington Post using your Facebook account and left a comment on the site — and your comment was automatically shared on Facebook — you, too, are an “active user” even though you’ve never actually spent any time on facebook.com.

“Think of what this means in terms of monetizing their ‘daily users,’ ” Barry Ritholtz, the chief executive and director for equity research for Fusion IQ, wrote on his blog. “If they click a ‘like’ button but do not go to Facebook that day, they cannot be marketed to, they do not see any advertising, they cannot be sold any goods or services. All they did was take advantage of FB’s extensive infrastructure to tell their FB friends (who may or may not see what they did) that they liked something online. Period.”

The article goes on to point out that at least Facebook tries to count engaged users, unlike the way Twitter or Google have been criticized for counting users. So don't be too hard on them for that.

But here's the real kicker, and the first thing I thought of when I saw the paragraphs above:

The big question is how Facebook can put all of its “active,” er, engaged users in front of advertising?

So... will we see small ads with every like button? Am I going to get ads stuck on the end of the text messages I get with my friends' status updates? Having had this "flaw" in their numbers pointed out, it may behoove Facebook to demonstrate how this is an untapped resource on the advertising front... It's actually tempting to brainstorm about this as a creativity exercise, no matter how obnoxious excessive monetizing seems to me as a user.
terriko: (Default)
2011-02-17 12:38 am

Recent writings: Wordpress themes considered harmful, confessions, and my sexy gamer guy-pals

Bunch of posts elsewhere:

Web Insecurity: Free Wordpress themes considered harmful

It's illegal in many places to compromise someone's site to force them to serve up spammy links. But it's not illegal to put them in a Wordpress theme and then offer it for free...

Web Insecurity: To whom are you confessing?

The Catholic church has given its blessing to a new iPhone app that helps you prepare for confession. The Office of the Privacy Commissioner of Canada isn't so sure they'd approve it, though, pointing out the the developer collects a lot of information and doesn't provide a policy about how it will be used.

Geek Feminism: “How could they not have known?!”

A post about how our male compatriots are often floored by the sort of sexism women deal with daily. Also about FatUglyorSlutty.com, troll visualizations, and ...

*grin* In that post, I wrote "my male gamer buddies don’t have people freaking out or getting, er, excited when they speak on voice chat" and it took some effort to resist adding "but some of them should. Yum." Seriously, some of my gaming buddies have incredibly sexy voices and on the entirely too rare occasion when one of them sings on teamspeak... mmm...

I know, TMI, but I've wanted to brag about my hot gamer guys all day. ;)
terriko: (Default)
2011-01-17 11:11 pm
Entry tags:

Web Insecurity: Facebook now enabling annoying phone calls and paper junk mail?

New post up over on Web Insecurity. Here's a preview:

Facebook now enabling annoying phone calls and paper junk mail?

Sophos points out that Facebook has made yet another change to the way it handles your information: this time, allowing third-party developers access to contact information on Facebook.

Now, part of me wants to just shrug: it's always been technically possible for third party developers to get access to this information because of the current state of web security.

Read the rest here.

(But the short version is that you might just want to take your phone number and address out of your facebook profile.)
terriko: (Default)
2011-01-07 02:16 am

Recent writings: privacy, young scientists, academia

Some fun recent stuff:

And then some more sad stuff in the form of a round-up of the links I've seen lately about women leaving academia. Poignant for me given that I've got a contract that'll take me away from academia... although I'm actually leaving mostly for the "work that has impact" reason and not so much for the others.

And then one thing that I didn't write (but I wish I had):

Let's say that fighting sexism is like a chorus of people singing a continuous tone. If enough people sing, the tone will be continuous even though each of the singers will be stopping singing to take a breath every now and then. The way to change things is for more people to sing rather than for the same small group of people to try to sing louder and never breathe.

Isn't that just the way of it? Thanks Mary for sharing that one.
terriko: (Default)
2010-12-14 01:14 am

Web Insecurity: A brutally honest privacy policy

Short post up on Web Insecurity about a hilariously, brutally honest privacy policy. An excerpt from the policy:

So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.

You can read the whole policy here or you can read my summary and commentary on Web Insecurity.
terriko: (Default)
2010-11-03 12:22 pm

Web Insecurity: Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?

Yesterday, I talked about why end-users don't care about security and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.

However, what I didn't talk about is whether this is true for companies. A single security breach in a single user account maybe doesn't cost a company much, but if breaches get common enough that they start losing users, it could be a problem with a much higher cost.

While users trying to protect themselves from curious folk with firesheep are counseled to use a VPN, website owners can choose to do encryption right from their end using SSL. But it was thought that SSL was computationally costly and even environmentally costly due to the supposed need for extra electricity and machines.

But who's been looking at what those costs actually are?

Read the rest at Web Insecurity
terriko: (Default)
2010-11-02 01:49 pm

Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?

Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.

He was appalled that people, even when warned, would ignore a security flaw, but it's actually well known that people reject advice. The interesting part of the story comes with Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense that people refuse to do security things, and fixing the flaws that firesheep draws attention to is just another example of where security advice just isn't worth following.

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?
terriko: (Default)
2010-10-29 01:25 am

WebInsecurity:Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

Originally posted on Web Insecurity, but it's short so this is a full cross-post.

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.

It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.

Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.
terriko: (Default)
2010-09-22 12:43 am

Web Insecurity: Privacy and Twitter Lists

Crossposted from Web Insecurity. Please comment there if you want to comment!

privacyI think twitter may have among the simplest privacy settings of any social network. Your choices are either everything you post is public, or everything you post is private.

But simple does not mean that things will stay private. Just like everything on the internet, the minute you post something someone else might choose to share it. Some researchers have actually studied how often people retweet private content on Twitter.

Something I haven't seen studied, however, is how private information can leak out through twitter lists.

Twitter allows you to make lists of people who you'd like to have grouped together. For example, I have a list of technical women who I follow. These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use but since it's a public list others can (and do) follow it. Presumably they're looking for more cool women to expand their social networks.

Twitter allows you to see what lists a person has been added to, and this is where it gets interesting. Let's take a look at the lists of which I am a member and see what we can learn about me.

Here's a few things you can get a glance:

Wait... what? Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on. There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.

I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.

So what are your options if you want to hide this information? Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list. I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block. So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list. I've been asked about exactly two of the lists I've been put on (thanks @ghc!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)

A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended. For most of these people, I know this isn't information they consider private either. But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?

Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists. Anyone want to lend me a student who's interested in social media privacy?

Edit: A note for those concerned about not being that privacy-violating friend. You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!
terriko: (Default)
2010-08-19 03:22 pm

Webinsecurity: Privacy: Not just for people who are doing bad things

This is a cross-post from my web security blog.

I'm happy to see that Gizmodo is already recommending that people disable Facebook Places in as much as you really can. And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.

But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife." Seriously? I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide. But that's not the case:

What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?

What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software?  (I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)

What about someone shopping for an engagement ring who meets a friend at the mall?

There's plenty of reasons one might prefer privacy. I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.
terriko: (Default)
2010-05-12 02:29 pm

Web Insecurity: Will privacy issues herald the end for Facebook?

New post up at Web Insecurity: Will privacy issues herald the end for Facebook?

We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.


The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience.

As usual, Facebook fascinates me as a social statement, as much as it horrifies me as a security person. But seriously, when the facebook games are talking jumping ship and students are saying that facebook is uncool, we might have to accept that this boat isn't going to float much longer. And for those who haven't heard, the new pretender to the throne is Diaspora although I admit I haven't looked at it seriously.
terriko: (Default)
2010-05-08 12:18 pm

Web Insecurity: Why Facebook is like your psycho ex

Wrote a Web Insecurity post last night: Why Facebook is like your psycho ex.

But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship. And probably, unlike websites, 64% of your friends don't have a security flaw.

Been a while since I wrote for that blog, but I'm going back into research mode since paper writing season is over for me, and I'm over my flu, so I'm hoping I'll be able to write more. But what really inspired me was an entertaining if spammy email from $security_company's social networking delegate claiming that I'm a "leading blogger" within the web security industry. Some "leading blogger" when I hadn't posted since February!
terriko: (Default)
2010-02-17 03:20 pm

Web Insecurity: How Foursquare can help people steal your stuff. Want to buy some privacy insurance?

New post to Web Insecurity:

How Foursquare can help people steal your stuff. PS - Want to buy some privacy insurance?

I talk a bit about the totally awesome PleaseRobMe.com and meditate a little on what it would take for people to care about privacy in a way that would keep them safe. Conclusion? They never will, so if I really want to make money I should be selling privacy insurance. If only I could figure out how to make that work... Can't you just imagine a team of lawyers descending upon your mother to do damage control when your friends' drunken antics get leaked through Facebook?
terriko: (Default)
2009-10-26 02:59 am
Entry tags:

Why you aren't wrong to hate new Facebook

Every time Facebook makes a major change, you can hear outrage spread across the globe. Polls spring up with "Do you hate the new Facebook?" and yes is always in the lead. Your friends whine about it incessantly in their status messages. Petitions start asking Facebook to change things back.

It's easy to dismiss the fuss as a bunch of people who need to learn to move on. But it turns out, people are not wrong to hate every change in Facebook. They just might not be right for the reasons that they think.

As a web security researcher, I spend a lot of time thinking about what makes sites more secure, or more insecure. Every major change is likely to introduce new bugs, even as it may fix others. And the way the security model of the web works, any "minor" bug might result in major damage to you, as an individual. People store their whole lives on Facebook, and that means that a minor bug might let anyone in on their own, private stuff.

So every time the interface changes, you should probably be afraid that Facebook may be accidentally or intentionally allowing the entire world access to your stuff.

Does that mean "I hate the new Facebook!" is the new "GIRLS ONLY, NO BROTHERS ALLOWED!!!!" taped to the door? As in, you're worried Dad will leave the door open after vacuuming and you'll find your brother has played with your toys? Uncool, but really, no one who's over the age of 14 will care?

Turns out the security reality says the stakes are a lot higher. Many people keep a lot of private stuff in Facebook. It's more like Facebook said they were coming in to paint your apartment walls, but they rearranged all the furniture too and you have this feeling that they left the door unlocked and thus let strangers traipse through your apartment, maybe installing a wiretap and stealing your panties while they're there. Facebook makes a lousy landlord. Or at least a creepy one.

I don't know how to end this post. As long as Facebook is your landlord, you're subject to their whims, and you might as well get used to it. But if changes in Facebook leave you feeling maybe a little violated, that's probably exactly how you should feel.