52 posts tagged “privacy”
2010
The new Facebook API exposes the events you attend to anyone on the Internet. I’m generally impressed by the new set of Facebook APIs—they’re a whole lot easier to work with than the older stuff—but they’re also clearly a bit half-baked and the privacy model needs some urgent work. The Graph API allows to to see all “open” events that any user has attended or is attending, which can exposes things like their friend’s home addresses. Yes, this means you can stalk Mark Zuckerberg.
A new Buzz start-up experience based on your feedback. Buzz is switching to the more obvious model: use existing Gmail behaviour to suggest a list of people to follow, rather than auto-following them. It feels pretty clear to me that this is how following recommendations should work.
WARNING: Google Buzz Has A Huge Privacy Flaw. Interesting one this: by default, Buzz creates a public profile for you that lists the people you follow—but your default set of followers is derived from the people you contact most frequently using Gmail. This means users of Buzz may inadvertently reveal their most frequent contacts, which is an issue for people like journalists with anonymous sources, unhappy employees seeking new work or even people having e-mail based affairs.
2009
Google Dashboard. New Google product which shows exactly how much information Google have stored against your account, all on one page. This is a really useful tool, and hopefully will help set a powerful precedent for other sites to follow.
You Deleted Your Cookies? Think Again (via) Flash cookies last longer than browser cookies and are harder to delete. Some services are sneakily “respawning” their cookies—if you clear the regular tracking cookie it will be reinstated from the Flash data next time you visit a page.
TOSBack | The Terms-Of-Service Tracker. Fantastic idea (and implementation) from the EFF—a site that currently tracks 44 website policy documents and highlights changes to them using a diff engine (from Drupal). A global RSS feed is available—it would be useful if individual feeds for different sites and organisations were also provided.
On the Anonymity of Home/Work Location Pairs. Most people can be uniquely identified by the rough location of their home combined with the rough location of their work. US Census data shows that 5% of people can be uniquely identified by this combination even at just census tract level (1,500 people).
For the record, I'm a noted privacy freak and I don't pretend to speak for anyone else on this topic. I know that resistance is futile. I continue to believe that there is a great divide on sensitivity about privacy - you've either had your identity stolen or been stalked or had some great intrusion you couldn't fend off, or you haven't. I'm in the former camp and it colors the way I view and think about privacy online. It makes me indescribably sad to see how clearly I and others in my camp are losing this battle.
2008
eval() Kerfuffle. The ability to read supposedly private variables in Firefox using a second argument to eval() will be removed in Firefox 3.1.
Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and - possibly - sky marshals. Everything else - all the security measures that affect privacy - is just security theater and a waste of effort.
2007
Google Reader ruins Christmas (via) New sharing feature automatically reveals shared items to Gmail contacts, causing political rows.
Deconstructing Facebook Beacon JavaScript. How Facebook’s new Beacon service (also known as “Facebook ruined Christmas”) actually works.
Is Facebook Really Censoring Search When It Suits Them? Apparently MoveOn’s group “Petition: Facebook, stop invading my privacy!” stopped showing up in search results for “privacy”—the search claimed 17 results but suspiciously only showed 16.
Amazon Gets an SLA (But I Still Can’t Use It). “Ontario’s Freedom of Information and Protection of Privacy Acts (FIPPA) don’t allow me to store sensitive information (e.g., students’ work) in jurisdictions that permit secret warrants, like those mandated by the USA PATRIOT Act.”
Designing for a security breach
User account breaches are inevitable. We should take that in to account when designing our applications.
[... 545 words]Firefox 3 Antiphishing Sends Your URLs To Google. Stories like this crop up every now and then, but no one ever seems to mention that the Google Toolbar has been doing this since it was released (more than five years ago) provided you have PageRank display turned on.
Sun’s OpenID IdP: Real vs Fake. The thinking behind Sun’s decision to allow users of their OpenID provider to pick fake names and assign personal e-mail addresses.
Sun’s OpenID IdP: Data Governance. Lauren Wood explains the checklist used to ensure Sun’s OpenID provider adequately respected user privacy and data governance (what happens to the data that is stored).
It's still a privacy concern. If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match.
Visual Security: 9-block IP Identification. Smart (and pretty) trick for showing a representation tied to a commenter’s IP address without affecting their privacy.
2004
non-consensual http user tracking using caches. Interesting security issue involving HTTP caching headers
2003
Thirty five year old cookies
I’m finding myself slightly confused about the Google backlash washing around the blogosphere, which is summarised quite well by Gavin Sheridan. Most of the arguments against using Google unsurprisingly centre around privacy issues, in particular the “35 year cookie”. I was under the impression that cookies could only be set for a maximum of a year, but having checked Netscape’s Cookie Specification and RFC 2965 it appears I was mistaken.
[... 566 words]