15. August 2010 · Comments Off on Taxonomy of Social Networking Data · Categories: Privacy · Tags: ,

Bruce Schneier recently blogged about his A Taxonomy of Social Networking Data essay in the IEEE Security & Privacy magazine. There are six categories of data: Service, Disclosed, Entrusted, Incidental, Behavioral, and Derived.

It’s also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don’t want us to. It’s less clear what rights we have for entrusted data — and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures — or at least blur out my face? (Go look up the conviction of three Google executives in Italian court over a YouTube video.) And what about behavioral data? It’s frequently a critical part of a social networking site’s business model. We often don’t mind if a site uses it to target advertisements, but are less sanguine when it sells data to third parties.

09. May 2010 · Comments Off on New New Adobe Flash privacy feature will force e-commerce sites to alternative authentication methods · Categories: Authentication, Privacy · Tags: , ,

Adobe Flash Player 10.1 will make "its privacy settings more prominent and explicit to the user and also supports private browsing, which lets a user browse without logging his browsing history on his machines," according to an article in Dark Reading. The side effect is that e-commerce sites which have been using Flash's Local Storage to store machine ID's without the user's consent or knowledge will no longer be a viable machine authentication method.

This is actually good news because e-commerce sites will be forced to use technology designed specifically for authentication rather than relying on this Adobe externality.

28. April 2010 · Comments Off on Blippy’s security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management · Tags: , ,

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our
services in a manner that does or is intended to mislead, confuse,
deceive, or harass others.

Serial Accounts: You may not create serial accounts or
relationships in order to evade the block tools or to otherwise disrupt
the Services.

Name Squatting:You may not engage in name-squatting (creating
accounts for the purpose of preventing others from using those account
names or for the purpose of selling those accounts). Accounts that are
inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content
that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link
to malicious content intended to damage or disrupt another user.s
browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a
variety of ways for users to interact with one another. You may not
abuse these tools for the purpose of spamming users. Some of the
behaviors we look at when determining whether an account is spamming

  • The user has followed and unfollowed people in a short time
    period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

26. April 2010 · Comments Off on Google discovers privacy flaw in Facebook Graph API · Categories: Privacy · Tags: , , ,

The UK-based Guardian posted a story today that an engineer from Google discovered a flaw in Facebook's Graph API where all events you have participated in or are planning to participate in cannot be kept private.

My reactions are (1) given Facebook's privacy policy trajectory, I am not surprised, and (2) given the threat that Facebook represents to Google, I am not surprised that a person from Google found the flaw.

If anything is going to blunt Facebook's popularity, it's going to be privacy issues. And I say this despite the long history of consumers willingness to give up privacy to gain convenience, e.g. Debit Cards.

05. January 2010 · Comments Off on FTC to investigate cloud computing · Categories: Legal, Privacy · Tags: , , ,

ReadWriteEnterprise is reporting via The Hill, that "the Federal Trade Commission (FTC) has opened an investigation into the privacy and security implications of cloud computing."

Given the FTC's aggressive Red Flags Rule program, I would not be surprised if more regulations will be forthcoming. BTW, after many delays, the Red Flags Rule is planned to go into effect on June 1, 2010.

12. September 2009 · Comments Off on Protect yourself – Anonymized data really isn’t · Categories: Identity Theft, Privacy · Tags: , ,

Just in case you thought there was any hope of maintaining personal privacy, forget it. In fact you must assume your personal information is exposed and take steps to prevent identity theft.

Ars Technica reported this week that law professor Paul Ohm published a paper describing how easy it is to identify specific individuals from "anonymized" data that is released for research purposes and his recommendations for minimizing this type of abuse.

Ars Technica, quoting from Paul Ohm's paper, described the process a graduate computer science student used in the mid-90's to identify then governor William Weld of Massachusetts from "anonymized" health records released by the Massachusetts Group Insurance Commission.

Data is anonymized by removing "personally identifiable information" like name, address, and Social Security number. The anonymized data is useful for further statistical analysis by a variety of researchers.

The graduate student showed that she could "reidentify" individuals 87% of the time with only three pieces of information – zip code, date of birth, and sex. The key to her process is the availability of voter rolls, which you can buy for a small fee from any town, at least in Massachusetts. These voter rolls provide the name, address, zip code, birth date, and sex of every voter.

Professor Ohm's call for a reexamination of privacy laws and tougher regulation is admirable as this may protect you against disclosure of medical conditions and the like that can be used against you.

However, the biggest threat right now is identity theft. You must assume that your personal information is out there for anyone who wants it. Therefore you must take steps to limit the risk of identity theft. Start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.