When Benjamin Jun received a winter catalog in the mail from Nike with a personal URL on the cover, he didn’t realize the wealth of information that would soon be available to him online. Jun, Vice President of technology at Cryptography Research, said that once online he was able to access a database showing what those he knew had purchased at various Nike stores. The site (and the entire winter campaign) is now down, but social media mashups such as this raise serious questions about companies that combine various databases–often without our direct consent.
This week Facebook has come under scrutiny for its new social media network. While logged into Facebook a simultaneous visit to one of Facebook’s partner sites will reveal what your Facebook friends think of content on that site. The application also allows you to be interactive with your Facebook friends on the partner site, extending your social media experience.
However, the application also allows third parties to collect data about you and your friends, making public (in some cases) data that you may have marked as “friends only” within the privacy settings on the Facebook side. More ominously Facebook is allowing its partner sites to store this demographic and marketing information indefinitely.
On Monday, four senators –including Charles Schumer of New York, Michael Bennet of Colorado, Mark Begich of Alaska and Al Franken of Minnesota—wrote to Facebook CEO Mark Zuckerberg with several privacy concerns, including asking why is it so difficult for customers to opt out of this new networking platform? Indeed, there are multiple settings within Facebook that must be tweaked in order to restrict private information.
The true dangers lie beneath the surface, beyond the mere marketing information of likes and dislikes.
In his talk last month at the 2010 RSA Conference, Jun spoke about the underlying assumptions being made by the site designers (not just at Nike and Facebook or their partners) who are incorporating mashup strategies–assumptions that might not be true. For example, the process of authorization for credentials on a social networking site is very different from the process of obtaining credentials on an e-commerce or online banking site. Site developers might be tempted to accept the APIs from a popular social media site as a way to increase revenue. Jun says the application designers should instead avoid or at least carefully consider the information being passed to them from another source.
To prevent unintended access, Jun advocates the creation of a “session manager,” one more hoop in the security chain. While it’s always controversial to propose slowing down the consumer experience, the session manager would receive credentials from a third-party site, vet the data, then prompt for additional authentication if necessary.
Simply passing credentials from one site to another without reevaluating is dangerous, said Jun. He cites, in particular, the three R’s of application development: redirects, renegotiation and reconnections. It is within these that gaps of trust among different systems that could allow bad actors access to sensitive data without proper authentication. Jun says in the case of the Nike solicitation for authentication there was only a unique URL on the cover of the catalog. Anyone reading the mailing could have gone online as him.
I for one do not need to know what news stories my friends are reading right now—let them surprise me later in a real (not virtual) conversation. Nor do I need to see what my friends are buying from an e-commerce site; really, I’m probably the last person to go online, learn that someone I know bought a pair of blue running shorts, size medium, and say “Hey, order me a pair also!” Just because the crowd is doing something doesn’t mean I’m going to do it.
But for many, social networking is a way of life, a connection to others. For them, let’s get the security right. With online data leakage occurring in new and surprising ways these days, why take the chance of sharing databases without providing additional back-end controls?Originally published in Forbes.com