FaceBook, Google, Yahoo: Don’t shoot, we’re the good guys!

Last week I was fortunate to attend Kuppinger Cole’s European Identity Conference in Munich and follow a track session where representatives of Google, Microsoft and FaceBook were lined up in a panel in order to get a good grilling by the mainly European audience about Information Security and Privacy. FaceBook actually was conspicuous by its absence, but I had a chance to ask Dave Recordon a similar question at an OpenID summit the previous day.

When asked about ‘informed user consent’ in OpenID Connect, Dave replied: “We have extensive privacy protection options available. The user is very much ‘in control’ by clicking his/her desired privacy settings.” Is that before or after clicking on the FaceBook login button, I wondered?

Just think of it like this, said Google’s Eric Sachs: “Every OAuth enabled login is one less clear-text username and password transmitted over the Internet and one more vector of phishing attack removed.” OAuth provides a method for users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.).

OAuth 2.0 seems to be the major innovation behind an OpenID Connect request.
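To make the “limited access in scope and duration” point concrete, here is a small model of the OAuth 2.0 division of labour, written for this post and not code from Google, Janrain or any OAuth library: the password is only ever checked by the authorization server, the issued token carries just the scopes the user consented to on the consent screen (even when the relying party asked for more), and the resource server enforces both scope and expiry. User names, passwords and scope names are constructed sample values.

```python
"""Model of OAuth 2.0 delegated, scope-limited access (constructed example)."""
import hmac
import secrets
import time

# Constructed user store: the resource owner's password never leaves this server.
USERS = {"alice": "correct horse battery staple"}
TOKENS = {}  # access_token -> {"sub", "scope", "exp"}


def authorize(username, password, requested_scopes, consented_scopes, ttl=3600, now=None):
    """Authorization server: the user logs in *here*, never at the relying party,
    and the token it issues carries only the scopes the user actually consented to."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        raise PermissionError("bad credentials")
    # Informed consent: the consent screen's decision bounds the grant, even if the RP asked for more.
    granted = set(requested_scopes) & set(consented_scopes)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"sub": username, "scope": granted, "exp": now + ttl}
    return token, sorted(granted)


def resource_access(token, required_scope, now=None):
    """Resource server: accepts a bearer token instead of a password and enforces
    both scope (what the RP may do) and duration (for how long)."""
    info = TOKENS.get(token)
    if info is None:
        return "invalid_token"
    now = time.time() if now is None else now
    if now >= info["exp"]:
        return "expired_token"
    if required_scope not in info["scope"]:
        return "insufficient_scope"
    return f"ok:{info['sub']}"


def demo(now=1_000_000):
    """The RP asks for profile and contacts; Alice consents to profile only, for 10 minutes."""
    tok, granted = authorize("alice", USERS["alice"], ["profile:read", "contacts:read"],
                             ["profile:read"], ttl=600, now=now)
    return {
        "granted": granted,                                              # ['profile:read']
        "profile": resource_access(tok, "profile:read", now=now),        # ok:alice
        "contacts": resource_access(tok, "contacts:read", now=now),      # insufficient_scope
        "later": resource_access(tok, "profile:read", now=now + 601),    # expired_token
        "forged": resource_access("not-a-real-token", "profile:read", now=now),  # invalid_token
    }
```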


As luck would have it, Larry Drebes, founder of Janrain, had taken the place of the FaceBook representative. So, with my previous blog post in mind, I went straight for the jugular with a question for Larry: “If people complain about privacy intrusion by FaceBook and Google, isn’t your company evil squared?”

Let me remind you that Janrain offers Relying Party web sites technology that makes it possible to collect and join together pieces of social data from different sources in order to build a more comprehensive profile of unwitting users, even if they themselves try to spread their love around by clicking on different NASCAR log-in buttons whenever possible.

Larry responded that the social network authentication brokerage service they offer actually doesn’t store any data. The user’s information is only fleetingly used and held in virtual memory only for as long as the OAuth transaction takes to complete. From that point of view there are no negative privacy implications, of course.

On the other hand, Janrain does offer Relying Party Service Provider customers a tool kit that allows RPs to accept social logins and automatically store the user’s associated profile data in a lightweight database they can host themselves if they like.

Isn’t that a bit like the manufacturer of anti-personnel land-mines saying it’s not them laying the mine field?

My main take-away message from the conference is that privacy advocates like me should not despair, even if in their own companies they are sometimes viewed as a lone prophet’s voice.

Privacy Protection is what one day will set Identity Service Providers apart and become a critical success factor rather than a ‘pain in the neck’.


About lasancmt

Passionate about Identity Management Disgusted at #ukip and #brexit
This entry was posted in Identity Providers, Privacy, User Subject.

6 Responses to FaceBook, Google, Yahoo: Don’t shoot, we’re the good guys!

  1. Adam Blackie says:

    Hello lasancmt,
    I will be running a workshop with students at UCL in London, UK the week. The subject is privacy and their approach to it. Do you mind if I reproduce your blog post in full? It will get them thinking a little more deeply about the subject.
    Adam.

  2. lasancmt says:

    Hi Adam,
    Of course I am delighted you make use of my blog post in this way.

    By the way: You may also like to take a look at the work Prof David Chadwick is doing at Kent University School of Computing.

    His work shows an example how it should be done in my personal opinion.

    The paper describing the underlying technology can be found here

    http://www.w3.org/2011/identity-ws/papers.html

    It’s paper number 8.

    The two attribute selection screens can be found at:

    http://pupomio.dyndns-server.com:8080/munichdemo/ExampleEtomes

    http://pupomio.dyndns-server.com:8080/munichdemo/ExampleCouncil

    Please let me know, even better, comment on my blog what the general reaction of the students was.

    Is it true they don’t care about privacy? Is privacy ‘dead’ as Oracle’s Larry Ellison and Google’s Eric Schmidt famously said?

    Kind regards,
    Marcus

  3. It’s of course a bit silly to comment on your own blog post, but I came across this citation from Kim Cameron in The Register and thought he expresses the same sentiment I had writing this post, so here it goes:

    “Cameron said that he was disappointed about the lack of an industry advocate championing what he has dubbed “user-centric identity”, which is about keeping various bits of an individual’s online life totally separated”

    While this is a personal blog and not a Verizon work blog, we do of course take this issue very seriously in Verizon.

  4. lasancmt says:

    Today I was alerted to another blog from Mathijs R. Koot that again puts the finger on this increasingly sore spot. Mathijs shows us how relatively easy it was for him, within the space of a month, to scrape together the profiles of 35.000.000 Google Profiles and stick them in a SQL database. While doing nothing illegal, Mathijs points out: “My activities are directed at inciting, or poking up, debate about privacy — NOT to create DISTRUST but to achieve REALISTIC trust — and the meaning of ‘informed consent’.”

    • Adam Blackie says:

      This is a really useful piece of work, thanks for posting it here.
      I am still gathering data around attitudes to privacy so will not have any real analysis for some time yet, however it has become clear to me that many people are in denial about the effect that digital media is having on their long term privacy. Using aliases as a disguise is the most common reaction, but it only takes a few links to other databases for an analyst to overcome this disguise in most cases.
      My personal view on the trust issue is that we have some way to go with the technology suppliers’ (e.g. Google, Facebook, LinkedIn, YouTube etc.) understanding of the notions around privacy. Once users trust that they understand the issues and are openly addressing them we will see a reduction of the angst around privacy. See http://www.Altly.com for a privacy oriented rival to Facebook.

  5. Pingback: Identity Laws, Principles, Directives and Commandments: Which to Follow? | IdentitySpace
