Archive for the ‘Identity’ Category

File Under: Identity, Security
Jan
28
2010

EFF Reveals How Your Digital Fingerprint Makes You Easy to Track

By

Think that turning off cookies and turning on private browsing makes you invisible on the web? Think again.

The Electronic Frontier Foundation (EFF) has launched a new web app dubbed Panopticlick that reveals just how scarily easy it is to identify you out of millions of web users.

The problem is your digital fingerprint. Whenever you visit a site, your browser and any plug-ins you have installed can leak data. Some of it isn’t very personal, like your user agent string. Some of it is more personally revealing, like which fonts you have installed. But the what if you put it all together? Would the results make you identifiable?

As the EFF says, “this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.”

The EFF’s test suite highlights what most of us probably already suspect — we’re readily identifiable on the web. We ran the test on a Mac using Firefox, Safari and Google Chrome, all of which leaked enough data to make us identifiable according the EFF’s privacy explanations.

The purpose of Panopticlick is to show you how much you have in common with other browsers. The more your configuration mirrors everyone else’s, the harder it would be to identify you. The irony is, the nerdier you are — using a unique OS, a less common browser, customizing your browser with plug-ins and other power-user habits — the more identifiable you are.

For example, say you’re running Firefox on Ubuntu with the Gnash plug-in instead of Flash — way to stick it to the man — but you’re also showing up with a unique configuration of browser, OS, installed fonts, plug-ins and more which can be combined to identify you via a unique online fingerprint.

So what can you do to make yourself less identifiable? Well, by disabling cookies, the Flash plug-in, the Java plug-in and most of our extensions we were able to blend in better. Actually, the fact that we didn’t have Java or Flash turned on made us more identifiable in those categories, but it also denied the test access to our installed fonts and other bits of data, so overall, less identifiable.

Obviously that approach has a downside — without Flash there’s not much in the way of online video, a lack of cookies will cause issues with logins, and without Java, you won’t be able to crash your browser or cause it to get hung up for hours.

In short, the disabling method isn’t much fun. Strange though it may seem, the best way to lose the unique online fingerprint is to blend in with the herd. As the EFF points out, mobile browsers are hardest to identify since there are few customization options and, for the most part, one version of Mobile Safari looks just like another.

By the same token, if you want to blend in, stick with stock system fonts, run Windows XP, use Firefox with no add-ons and turn off cookies. You’ll be much harder to identify.

We should point out that, no matter how well you blend in the fingerprint test, you are of course still identifiable by your ISP. Advertisers and websites generally can’t access the information your ISP has on you, but of course governments — with the cooperation of your ISP — always can. So don’t think just because you’ve eliminated your fingerprints no one knows who you are.

Front door photo: Brian Lane Winfield Moore/Flickr (CC)

See Also:

Tags: , ,
File Under: Browsers, Identity
Jan
14
2010

Mozilla Gets Ready to Weave Syncing Into Firefox

By

Mozilla’s Weave, a free add-on for Firefox that syncs your personal data across multiple PCs and mobile devices, has reached the release candidate stage and is just about ready to make its way into Firefox proper.

The Weave team is hoping to get Weave 1.0 out before Firefox 3.6 arrives, though the add-on will not be integrated into the browser itself until a Firefox future release.

Eventually Firefox will offer built-in syncing and Weave will become just another feature. But for now, at least you’ve got the add-on and an easy way to sync bookmarks, tabs, personas and other Firefox data across all your various computers.

Since the new version of Weave is a release candidate not a whole lot has changed since the last beta release we told you about. According to the announcement post, Weave RC1 offers faster startup times and offers better integration with Fennec, the mobile version of Firefox.

Other changes include some more improvements during syncing, for example, your tabs are now immediately available when you set up a second computer. The new version also fixes an issue that would trigger the Weave master password prompt when you launched Firefox.

Weave 1.0 still isn’t a final release, but in our experience Weave is stable enough for everyday use. If you’d like to give it a try, head over the Mozilla Add-ons page and install Weave. If you’re updating from an earlier release make sure you update all your computers, having different versions of Weave on synced PCs can cause problems.

See Also:

Tags: , ,
File Under: Identity, Security, UI/UX
Jan
13
2010

Warning: This Site May Be Sharing Your Data

By

Aza Raskin, head of user experience at Mozilla, is leading a charge to make privacy settings more explicit to users by creating visual cues in the browser. Raskin’s idea uses a set of small icons to denote the limits of a website’s privacy policy.

Raskin likens the idea to how Firefox (and other browsers) currently handle phishing attack warnings, using visual icons and simple language.

For the active social web user, keeping track of which bits of your data are public and which are private on different sites is a chore. Some websites share your photos, status updates, your list of friends, who you’re following and other data on the open web by default. Some share nothing. The rest are somewhere in the middle.

Part of the problem is the privacy policies themselves. They are complex, mind-numbingly long legal documents. We routinely ignore them, breezing past them by clicking “I agree.” Dangerous behavior, indeed.

Raskin and his supporters have borrowed some ideas from the way Creative Commons licensing works, and the way licensing options are denoted on content sites. Originally, the idea was to create a Creative Commons model for privacy policies — that is, a common, readable, reusable set of policies much like the Creative Commons licenses for content — but that plan was abandoned because policies differ too much from site to site. There’s no easy boilerplate for privacy like there is for content publishing.

But the icon concept remains: A website creates a privacy policy and chooses from a limited set of standard icons that reflect the written policy. Is your profile public by default? Your photos, or status messages? Each setting has its own icon, and the group of settings are indicated by a short stack of icons. The icon set is then detected by the browser and displayed to the user. If there are no icons chosen, the browser offers a warning along the lines of its phishing warning, something like: Be careful, this site might be giving away or selling your data.

Raskin is very clear that, so far, this is a work in progress. There are, as of yet, no icons designed, and the details of how they would be implemented remain vague. Nor has Mozilla made any official announcement that it would support such a system.

However, recent events have proven there’s clearly a need for a standardized, front-and-center privacy notification system. In December, Facebook began a shift towards looser default privacy settings that encourage users to share more of their data. Just last week, Facebook CEO Mark Zuckerberg, in an interview with TechCrunch’s Mike Arrington, noted that people’s notions of privacy on the social web evolve often, and that social web sites will have to continually update their own privacy policies to reflect those changes. As a result, Facebook’s new defaults will offer less privacy. Zuckerberg’s words set off a fierce debate on the topic, with Marshall Kirkpatrick of ReadWriteWeb presenting the clearest counterargument that changing social mores should not lead to looser default privacy settings on the social web.

We’ve often said the browser is the most logical place to display identity and privacy information to the user. As people surf from site to site, they should be able to see, at a glance, what level of privacy they’re currently working with. Raskin’s model sounds like a pretty good plan, though implementing it might be a bit more difficult.

One obvious problem: What’s to stop a site from using icons that are totally different than what the written policy actually says? Raskin and crew want the icons to supersede the written policy so, in that scenario, the written policy is trumped by the icons and the user retains their rights. Whether or not an icon can legally trump a written document is something Raskin doesn’t directly address, and, as one commenter points out, the situation gets much more complex when you start considering international legal systems.

If you’ve got ideas or would like to participate in the discussion, head over to Raskin’s blog or sign up for the upcoming privacy workshop hosted at Mozilla on Jan. 27 (see Aza’s post for full details).

See Also:

Tags: , ,
File Under: Identity, Social
Jan
5
2010

Rethinking Web Logins With OpenID Connect

By

Even with all the support OpenID enjoys within the tech industry, it’s no secret that the identity management technology still confuses the hell out of most web users.

One of OpenID’s biggest proponents thinks part of the problem lies in the name.

Identity guru and noted open source advocate Chris Messina breaks it down in a post on his Factory City blog, where he lays out his ideas for making OpenID “both easier and sexier” for the general web audience.

Consider OpenID in the shadow of Facebook Connect, its far more successful competitor based on Facebook’s proprietary platform. Forget that Facebook is much more widely known than OpenID — the real problem is that Facebook Connect is attached to an actual thing you can log in to, a website you can visit, a company you’ve heard of.

OpenID, on the other hand, is more nebulous. Your identity… on the web… portable… everywhere… what?

Everyone knows what Facebook is, so add “Connect” to the familiar Facebook logo and most people can work out what’s probably going to happen — the site you’re using is going to connect to your Facebook account, and some information about you and your friends will be shared between the two.

OpenID lacks the brand recognition of Facebook, not just because of Facebook’s fame, but because Facebook is a website and OpenID is an abstraction.

Messina suggests adding “Connect” to OpenID so that it mirrors Facebook Connect, Twitter Connect and other sign-in systems might help. And Messina’s rebranding — the snazzy black button above — is certainly a step up from OpenID’s current logo and branding.

As for the “connect” aspect, Messina gives a layman’s definition of OpenID as “a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.”

In order to do that, however, Messina is proposing more than just a name change. He’s suggesting that OpenID be repackaged as a profile of the OAuth WRAP protocol. The idea is that OAuth WRAP could handle the actual connections between the websites sharing data and OpenID would then offer a standardized way to pass along profile data, relationships, access controls, and activities (what you’ve “liked,” “loved,” “favorited,” etc.).

So, how would that simplify OpenID for new users? For one, it would help solve the “NASCAR problem” — current implementations of OpenID often display a half-dozen or so sign-in options, and the effect is similar to the garish mish-mash of ads covering NASCAR vehicles. It’s visually and psychologically confounding.

Messina’s design would mean that, instead of an assortment of rainbow-colored logos from Yahoo, Google, Microsoft and other OpenID providers, there would simply be the singular black button above. He admits that after you click the shiny black button, the NASCAR problem might still be there on the next step — at least for now — though he does promise some additional screenshot mockups and suggests that “the browser could handle this at an earlier stage.”

See Also:

Tags: ,
File Under: Identity, Social, UI/UX
Dec
17
2009

OpenID: Over One Billion (Potentially) Served

By

OpenID, the single sign-on solution which allows you to use a unified identity across the web, now boasts one billion potential users. Providers like Google, Yahoo and WordPress have adopted the technology, providing nearly everyone on the web with easy access to an OpenID account.

OpenID lets you log in to your favorite website using only your e-mail address or a URL — your blog’s address, a profile page on a social network or your social network username/password. Using one of those identifiers, you can log in to any website or service where OpenID is welcome, saving you the trouble of having to keep track of dozens of account names and passwords. There are also companion technologies that help you automatically fill out a profile and connect you with your friends once you’re logged in to a new social website.

For a long time, OpenID was a fringe technology, and few large players supported it. In January 2008, Yahoo and AOL were the first major destination sites to host OpenID accounts. 2009 has seen everyone from Microsoft to Facebook to the U.S. Government embracing OpenID. In addition to the one billion accounts coming from OpenID providers, the OpenID foundation says that nearly 9 million websites will allow you to login using your OpenID credentials.

The short story is that OpenID is now well established on the web. But the story doesn’t end there.

Sadly, one billion potential users does not one billion users make. Many people with OpenID accounts remain blissfully unaware of OpenID and what it can do for them. OpenID also faces strong competition from proprietary ID solutions like those of Facebook or Twitter.

OpenID interfaces are another problem we’ve covered before — different sites use vastly different sign-in forms which has creates confusion for less-than-savvy web users. Couple that with Facebook’s far simpler Facebook Connect tools and you begin to see why OpenID doesn’t have one billion actual users.

The good news is that the OpenID Foundation and its partners have been working hard to streamline the login process and improve the usability of OpenID on those 9 million sites that accept OpenID.

We’re excited to see that what began as little more than a grassroots effort to solve the problem of remembering too many usernames and passwords, has turned into a massive, web-wide effort to create better, portable identity tools. So even if OpenID hasn’t seen the widespread adoption of other login systems, it certainly set the ball rolling among the web’s social networking technicians.

See Also:

Tags: , ,
« OLDER POSTS