At: ashok.org.uk/2007/phoney-privacy
I'm unsurprised at recent developments at Oxford as over-zealous proctors fine students for misbehaviour using evidence from Facebook.
I think there's some real trouble with people understanding quite what they're publishing, and to whom.
Worse than that, I think people have a false sense of security when they tag their updates as 'friends only' on sites like Twitter, Facebook and so forth.
You get none of the upside, because your postings are not fully part of the Web: people can't link to your posts from the Web in general, and if you write something useful, it won't turn up in search results in the future.
However, you also get all of the downside of having published them quite publicly. Miss New Jersey was recently blackmailed over some pretty tame pictures leaked from her Facebook account. I've little sympathy for the blackmailer, but their job was hardly made difficult. If you wanted to target an individual, then Facebook only makes it easier.
Whenever there is a security bug in these sites, expect people who can make something of it to swoop in. And in this fabulous "Web 2.0" world, we'll see more of those bugs. If I were a (morally challenged) technologically-savvy tabloid journalist with an eye on the next five or ten years, I'd be spidering as much information as possible from these sites every time there was a flaw. Armed with that, you just need to wait for a current university student to make their way through to public life, and the tabloid story writes itself. I hope we get more mature about things like this, and not club people for experimenting while growing up. I suspect we'll just get greyer and duller people in public life instead.
More worrying than targeted attacks, however, are the catch-all exploits that are possible. For example, after reading an academic paper about a clever attack technique, it took me little time to apply it to Twitter. I'm pretty sure I could throw up a Web page which would harvest the private twitters of any friends of visitors to the page, so long as they were logged in on Twitter at the time.
This is slightly odd. You are relying on the behaviour of your friends' computers to keep your messages private.
I reported this to Twitter several months ago, and have followed up once, but basically got nowhere.
It wouldn't be too hard to break this particular attack, but defending against all the things like it is pretty tricky. "Web 2.0" techniques make this much harder. Having such powerful scripting in the browser is a problem. People tend to leave the scripting turned on all the time, as otherwise an awful lot of sites break. That's a bit much where you just want to read some words on a site you don't really trust.
I guess I should mail Twitter a third time about it, and give them a deadline for full disclosure. I love Twitter, and they have lots of tricky problems to deal with; it just worries me when privacy ones aren't treated seriously.
Tagged: Rants, Security, Technology, Web
Posted at 04:12 EDT, 20th July 2007.