Last week I was fortunate to attend Kuppinger Cole’s European Identity Conference in Munich and follow a track session where representatives of Google, Microsoft and FaceBook were lined up in a panel in order to get a good grilling by the mainly European audience about Information Security and Privacy. FaceBook actually was conspicuous by its absence, but I had a chance to ask Dave Recordon a similar question at an OpenID summit the previous day.
When asked about ‘informed user consent’ in OpenID Connect Dave replied: “We have extensive privacy protection options available. The user is very much ‘in control’ by clicking his/her desired privacy settings. Is that before or after clicking on the FaceBook login button I wondered?
Just think of it like this, said Google’s Eric Sachs: “Every Oauth enabled login is one less clear text Username and password transmitted over the Internet and one more vector of phishing attack removed.” OAuth provides a method for users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.).
Luck would have it that Larry Drebes, founder of Janrain, had taken the place of the FaceBook representative. So with my previous blog post in mind I went straight for the jugular with a question for Larry asking him: “If people complain about privacy intrusion by FaceBook and Google, wasn’t his company evil squared?
Let me remind you that janrain offers Relying Party web sites technology that makes it possible to collect and join together pieces of social data from different sources in order to build a more comprehensive profile of unwitting users, even if they themselves try to spread their love around by clicking on different NASCAR log-in buttons whenever possible.
Larry responded that the social network authentication brokerage service they offer actually doesn’t store any data. The user’s information is only fleetingly used and held in virtual memory only for as long as the Oauth transaction takes to complete. From that point of view there are no negative privacy implications of course.
On the other hand janrain do offer Relying Party Service Provider customers a tool kit that allows RPs to accept social logins and automatically store the user’s associated profile data in a lightweight database they can host themselves if they like.
Isn’t that a bit like the manufacturer of anti-personnel land-mines saying it’s not them laying the mine field?
My main take away message from the conference is that privacy advocates like me should not despair, even if in their own companies they are sometimes viewed as the lone prophet’s voice.
Privacy Protection is what one day will set Identity Service Providers apart and become a critical success factor rather than a ‘pain in the neck’.