Tom Anthony's blog has an article on how to detect whether someone is logged in to a given social network, e.g. Facebook, Google, etc.
You can run it here: Social Network Login Status Detector Demo
A few things struck me:
- I logged into Facebook earlier today and then closed the browser window - I was still logged in to Facebook
- Similarly for Twitter
- Going to www.google.com or www.google.co.uk showed the Sign In button; however, according to the status detector demo above, it appeared that I was still logged in. In order to log out I needed to log in and then log out.
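The usual way such a detector works is worth spelling out, because it explains why a closed browser window changes nothing: the probe only depends on whether the browser still holds a session cookie. Many sites have a login URL that accepts a "next" parameter; with a valid session cookie the server redirects straight to "next", without one it serves the HTML login page. Point "next" at an image, load the login URL in an img element, and onload versus onerror tells you which happened, with no same-origin access at all. The following is an added example written for this post, not the demo's code; every host and path in it is a hypothetical placeholder:

```javascript
// Added example (not the demo's own code): a cross-site login-status probe.
// A login endpoint that honours a "next" redirect target is assumed; the
// hosts and paths below are hypothetical placeholders, not real endpoints.

// Build the probe URL: login endpoint plus a "next" pointing at an image.
function buildProbeUrl(loginUrl, imageUrl) {
  return loginUrl + (loginUrl.includes('?') ? '&' : '?') +
    'next=' + encodeURIComponent(imageUrl);
}

// Map the raw load result to a status label. `true` = onload fired (an image
// came back, so the session cookie was honoured), `false` = onerror fired
// (HTML login page came back), anything else (e.g. a timeout) = unknown.
function classifyProbe(result) {
  if (result === true) return 'logged-in';
  if (result === false) return 'logged-out';
  return 'unknown';
}

// Browser loader: resolve true on load, false on error, 'timeout' if neither
// event arrives in time (slow network, request blocked by an extension).
function browserImageLoader(url, timeoutMs) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve('timeout'), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Probe every site in `probes` ({name: url}) and return {name: status}.
// The loader is injectable so the logic can be exercised outside a browser.
async function detectLoginStatus(probes, loader = browserImageLoader, timeoutMs = 5000) {
  const status = {};
  for (const [name, url] of Object.entries(probes)) {
    status[name] = classifyProbe(await loader(url, timeoutMs));
  }
  return status;
}

// Hypothetical targets, constructed for this example.
const EXAMPLE_PROBES = {
  socialA: buildProbeUrl('https://social-a.example/login',
                         'https://social-a.example/favicon.ico'),
  socialB: buildProbeUrl('https://social-b.example/accounts/login?hl=en',
                         'https://social-b.example/images/logo.png'),
};

// In a browser, run the probes and log the result for each site.
if (typeof window !== 'undefined') {
  detectLoginStatus(EXAMPLE_PROBES).then((s) => console.log(s));
}
```

Two caveats a practitioner should keep in mind. First, the probe never sees the cookie or the response body; it only observes whether the site redirected, so a site that serves an image on its login page, or blocks the redirect, gives a wrong or "unknown" answer. Second, on the defending side the fix is to stop the session cookie being attached to cross-site subresource requests: a session cookie marked SameSite=Lax or SameSite=Strict is not sent on a cross-site image load, so the probe reports "logged-out" regardless of the real session state. On the user side, the only reliable counter is the one the author stumbled on above: actually log out (or clear the cookies) rather than just closing the window.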
Given that some sites, particularly Facebook, have been caught tracking user behaviour when that user is not logged in (Google search results here), this is quite worrying from the standpoint that such tracking could occur even when you think you are not using a service or are not logged in.
Before panic sets in, I'm not at this moment overly concerned about privacy (I am, but...) but rather about basic security and the fact that a user could accidentally be revealing their behaviour.
I actually think that most of these kinds of accidental incidents and problems are more attributable to stupidity or, less controversially, lack of knowledge, i.e. Hanlon's Razor:
Never attribute to malice that which is adequately explained by stupidity.
or, better still, a quote by the journalist and UK civil servant Sir Bernard Ingham:
Many journalists have fallen for the conspiracy theory of government. I do assure you that they would produce more accurate work if they adhered to the cock-up theory.
I think this better explains what is going on with the current trend for secondary data collection by apps such as those found on most mobile devices, e.g. from the CNet article "Report says be aware of what your Android app does". Part of the problem is the education and knowledge of the programmers and developers in building security- and privacy-aware systems, and part is the features available for security and privacy protection, both on the devices themselves and as presented to the users of those devices.
Now I lay part of the blame on the developers of the user experience and part on the users, mainly because people seem not to care about setting their security and privacy settings, though it must be admitted that the user interfaces aren't really intuitive and many of these concepts rely upon the users being rather knowledgeable about the features in question. I certainly don't think Privacy by Design principles help either: they are targeted at the wrong people. I'm not saying these principles are wrong or bad or unwanted, but rather that their targeting is off. On the other hand, this is certainly not a trivial problem for the user experience developers, so maybe I'm being too harsh here.
One problem regarding privacy is that there is still no good formal underlying theory and practice for the developers, unlike security, which is relatively mature and well defined. In fact I perceive the state we're in now as very, very similar to the level of immaturity that we saw when the masses of developers first started to develop networked systems and use network programming techniques (cf. leaky abstractions), and even the very first web-based applications in the early '90s.
Maybe part of the problem is that in many cases privacy is still being framed in terms of security, that is, confidentiality. This is partially correct, but in my opinion security is about protection of the information exchange, whereas privacy is about protection of the content and meaning of that exchange.
It takes, I believe, about 10 years for the wider development community to understand these problems, and probably another 10 to develop the theory and techniques to the point where they become common knowledge among developers. Sadly, at this time I see too many incidents where, despite the emphasis on guidelines, processes, etc., the technical people, the architects, the developers and so on, are all too often forgotten.
Ultimately privacy and security are in the hands of the developers, and if we don't address the problems they face through better tools, programming languages, development techniques, analysis techniques, etc., then we're going to keep seeing issues such as those presented at the beginning, whether malicious or, more commonly, not.