All posts tagged ‘Identity’

File Under: Identity, Security

EFF Reveals How Your Digital Fingerprint Makes You Easy to Track

Think that turning off cookies and turning on private browsing makes you invisible on the web? Think again.

The Electronic Frontier Foundation (EFF) has launched a new web app dubbed Panopticlick that reveals just how scarily easy it is to identify you out of millions of web users.

The problem is your digital fingerprint. Whenever you visit a site, your browser and any plug-ins you have installed can leak data. Some of it isn’t very personal, like your user agent string. Some of it is more personally revealing, like which fonts you have installed. But the what if you put it all together? Would the results make you identifiable?

As the EFF says, “this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.”

The EFF’s test suite highlights what most of us probably already suspect — we’re readily identifiable on the web. We ran the test on a Mac using Firefox, Safari and Google Chrome, all of which leaked enough data to make us identifiable according the EFF’s privacy explanations.

The purpose of Panopticlick is to show you how much you have in common with other browsers. The more your configuration mirrors everyone else’s, the harder it would be to identify you. The irony is, the nerdier you are — using a unique OS, a less common browser, customizing your browser with plug-ins and other power-user habits — the more identifiable you are.

For example, say you’re running Firefox on Ubuntu with the Gnash plug-in instead of Flash — way to stick it to the man — but you’re also showing up with a unique configuration of browser, OS, installed fonts, plug-ins and more which can be combined to identify you via a unique online fingerprint.

So what can you do to make yourself less identifiable? Well, by disabling cookies, the Flash plug-in, the Java plug-in and most of our extensions we were able to blend in better. Actually, the fact that we didn’t have Java or Flash turned on made us more identifiable in those categories, but it also denied the test access to our installed fonts and other bits of data, so overall, less identifiable.

Obviously that approach has a downside — without Flash there’s not much in the way of online video, a lack of cookies will cause issues with logins, and without Java, you won’t be able to crash your browser or cause it to get hung up for hours.

In short, the disabling method isn’t much fun. Strange though it may seem, the best way to lose the unique online fingerprint is to blend in with the herd. As the EFF points out, mobile browsers are hardest to identify since there are few customization options and, for the most part, one version of Mobile Safari looks just like another.

By the same token, if you want to blend in, stick with stock system fonts, run Windows XP, use Firefox with no add-ons and turn off cookies. You’ll be much harder to identify.

We should point out that, no matter how well you blend in the fingerprint test, you are of course still identifiable by your ISP. Advertisers and websites generally can’t access the information your ISP has on you, but of course governments — with the cooperation of your ISP — always can. So don’t think just because you’ve eliminated your fingerprints no one knows who you are.

Front door photo: Brian Lane Winfield Moore/Flickr (CC)

See Also:

File Under: Identity, Security, UI/UX

Warning: This Site May Be Sharing Your Data

Aza Raskin, head of user experience at Mozilla, is leading a charge to make privacy settings more explicit to users by creating visual cues in the browser. Raskin’s idea uses a set of small icons to denote the limits of a website’s privacy policy.

Raskin likens the idea to how Firefox (and other browsers) currently handle phishing attack warnings, using visual icons and simple language.

For the active social web user, keeping track of which bits of your data are public and which are private on different sites is a chore. Some websites share your photos, status updates, your list of friends, who you’re following and other data on the open web by default. Some share nothing. The rest are somewhere in the middle.

Part of the problem is the privacy policies themselves. They are complex, mind-numbingly long legal documents. We routinely ignore them, breezing past them by clicking “I agree.” Dangerous behavior, indeed.

Raskin and his supporters have borrowed some ideas from the way Creative Commons licensing works, and the way licensing options are denoted on content sites. Originally, the idea was to create a Creative Commons model for privacy policies — that is, a common, readable, reusable set of policies much like the Creative Commons licenses for content — but that plan was abandoned because policies differ too much from site to site. There’s no easy boilerplate for privacy like there is for content publishing.

But the icon concept remains: A website creates a privacy policy and chooses from a limited set of standard icons that reflect the written policy. Is your profile public by default? Your photos, or status messages? Each setting has its own icon, and the group of settings are indicated by a short stack of icons. The icon set is then detected by the browser and displayed to the user. If there are no icons chosen, the browser offers a warning along the lines of its phishing warning, something like: Be careful, this site might be giving away or selling your data.

Raskin is very clear that, so far, this is a work in progress. There are, as of yet, no icons designed, and the details of how they would be implemented remain vague. Nor has Mozilla made any official announcement that it would support such a system.

However, recent events have proven there’s clearly a need for a standardized, front-and-center privacy notification system. In December, Facebook began a shift towards looser default privacy settings that encourage users to share more of their data. Just last week, Facebook CEO Mark Zuckerberg, in an interview with TechCrunch’s Mike Arrington, noted that people’s notions of privacy on the social web evolve often, and that social web sites will have to continually update their own privacy policies to reflect those changes. As a result, Facebook’s new defaults will offer less privacy. Zuckerberg’s words set off a fierce debate on the topic, with Marshall Kirkpatrick of ReadWriteWeb presenting the clearest counterargument that changing social mores should not lead to looser default privacy settings on the social web.

We’ve often said the browser is the most logical place to display identity and privacy information to the user. As people surf from site to site, they should be able to see, at a glance, what level of privacy they’re currently working with. Raskin’s model sounds like a pretty good plan, though implementing it might be a bit more difficult.

One obvious problem: What’s to stop a site from using icons that are totally different than what the written policy actually says? Raskin and crew want the icons to supersede the written policy so, in that scenario, the written policy is trumped by the icons and the user retains their rights. Whether or not an icon can legally trump a written document is something Raskin doesn’t directly address, and, as one commenter points out, the situation gets much more complex when you start considering international legal systems.

If you’ve got ideas or would like to participate in the discussion, head over to Raskin’s blog or sign up for the upcoming privacy workshop hosted at Mozilla on Jan. 27 (see Aza’s post for full details).

See Also:

File Under: Identity, Social, UI/UX

OpenID: Over One Billion (Potentially) Served

OpenID, the single sign-on solution which allows you to use a unified identity across the web, now boasts one billion potential users. Providers like Google, Yahoo and WordPress have adopted the technology, providing nearly everyone on the web with easy access to an OpenID account.

OpenID lets you log in to your favorite website using only your e-mail address or a URL — your blog’s address, a profile page on a social network or your social network username/password. Using one of those identifiers, you can log in to any website or service where OpenID is welcome, saving you the trouble of having to keep track of dozens of account names and passwords. There are also companion technologies that help you automatically fill out a profile and connect you with your friends once you’re logged in to a new social website.

For a long time, OpenID was a fringe technology, and few large players supported it. In January 2008, Yahoo and AOL were the first major destination sites to host OpenID accounts. 2009 has seen everyone from Microsoft to Facebook to the U.S. Government embracing OpenID. In addition to the one billion accounts coming from OpenID providers, the OpenID foundation says that nearly 9 million websites will allow you to login using your OpenID credentials.

The short story is that OpenID is now well established on the web. But the story doesn’t end there.

Sadly, one billion potential users does not one billion users make. Many people with OpenID accounts remain blissfully unaware of OpenID and what it can do for them. OpenID also faces strong competition from proprietary ID solutions like those of Facebook or Twitter.

OpenID interfaces are another problem we’ve covered before — different sites use vastly different sign-in forms which has creates confusion for less-than-savvy web users. Couple that with Facebook’s far simpler Facebook Connect tools and you begin to see why OpenID doesn’t have one billion actual users.

The good news is that the OpenID Foundation and its partners have been working hard to streamline the login process and improve the usability of OpenID on those 9 million sites that accept OpenID.

We’re excited to see that what began as little more than a grassroots effort to solve the problem of remembering too many usernames and passwords, has turned into a massive, web-wide effort to create better, portable identity tools. So even if OpenID hasn’t seen the widespread adoption of other login systems, it certainly set the ball rolling among the web’s social networking technicians.

See Also:

File Under: Web Basics

Google’s Blogger Service Joins the OpenID Dance

openid.jpgNot to be outdone by Yahoo’s recent OpenID announcement, Google has announced that Blogger URLs can now be used as OpenID identities. With two very large announcements back to back, OpenID availability is fast approaching critical mass.

To use the new Blogger OpenID support you’ll need to be using the beta version of Blogger and you’ll have to enable the new features in the user profile section. Once you do that, any time you encounter a site that accepts OpenID, just plugin in your Blogger or Blogspot domain address and you’ll be able to login.

Blogger’s OpenID support isn’t entirely new, the service already allowed OpenID as a means of authenticating when posting a comment on a blog.

In other words, Blogger’s support is now two-way, providing a URL for logging in elsewhere and also accepting OpenID URLs as a way to login to Blogger (at least in the comments). On the other hand, Yahoo’s forthcoming service will only provide an OpenID.

Continue Reading “Google’s Blogger Service Joins the OpenID Dance” »

Plaxo With Sauce: PIM Site Now Supporting OpenID And Microformats

Plaxid
Plaxo is the latest high profile web service to announce support for OpenID, the standard for online identity management. Plaxo’s recently unveiled beta of Plaxo 3.0 has been updated to offer support for OpenID and the company says it plans to become an OpenID provider in the near future.

In addition to the OpenID support, Plaxo is now encoding contact and event information in the microformats hCard and hCal in an effort to both improve the site’s ease-of-use and raise the profile of microformats.

Both OpenID, which is a decentralized single sign-on system that enables you to securely use the same login information across multiple sites, and microformats, which are standards-based markup formats that wrap calendar events, contact information and more in code which allows them to be easily shared with other services, are fast becoming de rigueur for web platform services.

Continue Reading “Plaxo With Sauce: PIM Site Now Supporting OpenID And Microformats” »