Password Hashing and Criminal Liability

Written by Jonathan under Categories: Internet, israel, law, security. 0 Comments. Posted on Jul 17, 2010.

0.
Erez Wolf reports on a serious security problem that resulted from the hacking of an Israeli website and the theft of the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords. Since most people use the same login details for most websites, Turkish hackers were able to hack and deface many user accounts on Facebook, as well as on other sites, that relied on the login details in the database. The Turkish website that hosts the list shows indications of further hacked websites, including the account details of 70,000 other accounts.

1.
We can point out two problems. The first, which we all know we are guilty of, is using the same password on more than one website. Even security experts do it (we call it a bitch password) on unimportant websites. The problem is that most people cannot remember more than a few passwords, so they use the same password over and over. More than 20% of the passwords people use appear on a short list of 5,000 passwords; moreover, people use their birthdate, phone number or SSN as their password.

2.
The first problem, however, is the layperson’s problem. The second problem is the legal authorities’ problem. The hacked website kept the passwords in a retrievable format in case a user forgot one, meaning that the passwords were saved in plain text in the database and were accessible to more than just the website’s administrator. The accepted method for retaining passwords is password hashing: the password is passed through a one-way function and only the result is stored, so a password submitted at login can be authenticated against it, but the original can never be restored. With this method you can never send users their own password, only reset it when they forget it. Therefore, you need to authenticate the user’s identity in a different way, such as by email; this ties the account to the user’s identity and lends more credibility in e-commerce, but it has other implications as well.

With this method, if the database is hacked, there is no way to use the passwords (with one exception: if the password is a dictionary word, it can be recovered with a tool such as Cain & Abel). Therefore, you can be certain that if your database is stolen, no one can use it.
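To make the distinction concrete, here is an added example in Python (not code from the original post or from the hacked site) showing the two storage methods side by side: a plaintext table of the kind the hacked website kept, a salted PBKDF2-HMAC hash of the same records that can only be verified, never restored, and a defensive audit that shows the post’s exception in practice: an account whose password is a common dictionary word is still exposed once the hashed records leak, so the owner’s remedy is to force a reset. All account names and passwords are constructed, and the iteration count is kept low so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is deliberately low so
# this example runs fast; real deployments use a far higher count (or
# scrypt/argon2) so that every guess an attacker makes is expensive.
HASH_NAME = "sha256"
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per user means two users with the same password get
    different records, so one cracked record reveals nothing about another.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Authenticate a submitted password without ever recovering the stored one."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not stop at the first differing byte, so response
    # time does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample accounts: the "before" table, stored the way the hacked
# website stored it (plain text, retrievable by anyone who reads the DB).
PLAINTEXT_TABLE: Dict[str, str] = {
    "alice@example.com": "S3cure!Passphrase-2010",
    "bob@example.com": "password",   # a dictionary word, the post's exception
}


def hashed_table(plain: Dict[str, str]) -> Dict[str, str]:
    """The "after" table: only verifiable records, nothing to send back to a user."""
    return {user: hash_password(pw) for user, pw in plain.items()}


def audit_common_passwords(table: Dict[str, str], common: List[str]) -> List[str]:
    """Defensive audit a site owner runs on its own table: which accounts would
    fall to a short list of common passwords? Hashing does not protect these
    users; forcing a password reset does."""
    flagged = []
    for user, record in table.items():
        if any(verify_password(guess, record) for guess in common):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    table = hashed_table(PLAINTEXT_TABLE)
    for user, record in table.items():
        print(user, "->", record)
    print("accounts to force-reset:", audit_common_passwords(table, ["123456", "password", "qwerty"]))
```

Run stand-alone, the script prints one opaque record per account and then flags only bob@example.com: his record is no more readable than Alice’s, but a three-word list still finds it, which is exactly why the post’s “no one can use it” holds only for passwords that are not in such a list.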

3.
The problem becomes a tad more legal when you read the Israeli Privacy Protection Act, which defines information security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that the owner of a database, its manager and its holder are all liable for the database’s security and integrity; meaning that the owner of this website, and whoever provided him with information security services, are liable for the data protection here and may face criminal sanctions. However, to date no criminal charges have been brought against people who violated the data protection clauses, but it seems that this time the Israeli Law, Technology and Information Authority should exercise its legal power and apply sanctions.

4.
When the authority asks for more and more power, among them the power to search databases, it shows that it intends to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords shows how people’s lives may be harmed solely because of faulty data protection procedures. In any other case where thirty thousand people suffered damages, the matter would be treated differently. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry, sued, and criminal charges were brought.

5.
The information in the database is highly personal and dangerous, and there are people who are liable for its leak. Will they go to prison? I doubt it. However, they did not apply means to protect the data, and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]

The Facebook Tea Party

Written by Jonathan under Categories: Internet, social networks. 1 Comment. Posted on May 19, 2010.

0.
It is only a matter of time until Facebook application developers and Facebook users join together and tell Facebook “there is no taxation without representation”, demanding that Facebook both amend its terms of service for enhanced privacy and allow application developers to rely on business models that are not subject to Facebook’s whims. The sanction, if the message is not understood, is not mass removal of accounts but blocking Facebook’s third-party services when not browsing on Facebook, thereby harming Facebook’s newfound business model.

1.
The reason? Facebook has been vigorously expanding its control over both user information and application developers. It began today when Facebook, after a long dispute, coerced Zynga into an agreement to use Facebook Credits as its currency, and it will continue when Facebook does the same to other application developers.

2.
Facebook forgot that it is solely a conduit, the incumbent that provides the connection between users, other users and applications. It is not a core application, and its business model is not based on being one. Two years ago, I wrote that “In a year or two Facebook’s shareholders will come to their senses and start asking money from the leading hundred applications, as they are allowed to do” … “when you develop a Facebook application or any other social network based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than “more than reasonable” (like investing your pension funds). That’s why, like you wouldn’t deploy a real product without contracting your deployment contractor, you really should consider doing the same with Facebook”.

3.
The time has come when Facebook wants to have its day. Facebook application developers raise capital from investors; some VCs target only Facebook apps, while other VCs invest in another icy road, iPhone apps, which raise capital as well, and quite a lot of it. The iPhone App Store is also known to block applications, especially when those applications compete with Apple’s business models. Some day, venture capitalists will tell application developers that they will not invest in applications that the conduit may revoke at any time and for no reason. Therefore, application developers will have to look for stable business models, such as using OpenID as a social network or allowing data portability; applications may prefer to use old social models or rely on Twitter as a social network instead of Facebook, just so they will not be coerced into using a currency of choice. No one will develop for a platform that has no stability (this is why, by the way, net neutrality is so important).

4.
Users, from the other end of the spectrum, will negotiate with Facebook, explaining that it may not be as simple as Facebook reckons, and that without users it is a mere conduit, connecting sockets and bits. “If you want us to stay here”, they will say, “you have to grant us our rights. We want to have the privacy of our choice, we want to have the ability to control, and if you grant us those rights, we will grant you the information you need to sell to third parties”.

5.
Without such negotiations, Facebook is doomed. Funds will not invest in companies that develop Facebook applications, as these applications have no solid business model, and users will leave (or block) Facebook. It will be left with a magnificent apparatus that goes unused. And when unused, it will be sold, like scrap metal.

The curious case of face.com

Written by Jonathan under Categories: Cybercrime, Internet, israel, justice, law, social networks. 3 Comments. Posted on Mar 31, 2009.

Sometimes we prefer to lose our privacy in exchange for comfort; we do so when we store our contacts on a cellular phone or when we print business cards that we exchange with strangers; the social interaction itself is a difficult and dangerous transaction. However, the real danger lies where privacy and comfort decide to interact: in the involuntary exchange of information.

Today, Techonomy, a conference about the interaction between technology and economy, was held in Tel Aviv. The winner of the start-up competition was face.com. face.com provides a face recognition platform for social networks (for the time being) which locates images of you and your friends in other users’ tagged photos. face.com’s face recognition is quite amazing and is able to find you even when you’re in the background or wearing sunglasses. They are currently in closed alpha, and I had the pleasure of playing with it for a few minutes before writing this blog post (which was sufficient to see that it’s quite efficient).

However, my main concern is face.com’s database. face.com can recognise the faces of your Facebook contacts even when they appear not in your albums but in friends’ albums. This means that by cross-indexing a relatively small number of Facebook connectors, face.com could retain (or store) the facial recognition data of a high percentage of users.

Here comes the privacy issue from the privacy freak. Now, take Israel’s new attempt to establish a biometric and face database and its recent attempts to install CCTVs, and imagine the hypothetical scenario where our benevolent dictator comes and asks for face.com’s database in order to examine a terrorism suspect, or issues a warrant requiring face.com to search for a specific missing or suspected person in social networks and/or CCTV footage. Can face.com actually refuse such a generous offer?

When face.com only indexes my own photos, and only tags me if I gave my consent (and did not opt out), then it is still a consensual waiver of privacy; privacy in exchange for comfort, as we usually do. However, when it is others’ faces, without their consent or knowledge, such a database might be extremely dangerous. I’d love to inspect the guts of face.com’s database and see how they can protect users’ privacy without limiting this application, but if they manage to do that, well, let them sell it to our government.

The Real Bubble | Social Applications

Written by Jonathan under Categories: Internet, law, media, social networks. 3 Comments. Posted on Jul 2, 2008.

[Also in Hebrew]

0.

You acknowledge and agree that Facebook may at any time in its sole discretion, without liability, with or without cause and with or without notice: (a) terminate this Agreement; (b) terminate or suspend your access to Facebook Platform, Facebook Properties and/or the Facebook Site or any portion or feature of any of them; and/or (c) remove, block, delete or disable access to your Facebook Platform Applications and/or any Facebook Platform Application Content, including without limitation if we determine, in our sole discretion, that your Facebook Platform Application or any Facebook Platform Application Content is unsuitable for Facebook Platform, Facebook Site or Facebook Users.

1.
While the blogosphere and the technology sections of the newspapers are running around with the Web 2.0 buzz (and some of the 3.0 buzz as well), we keep forgetting where the real bubble for this technology lies. When Om Malik explained yesterday at TWS2008 that advertisers are the ones impeding the net from developing, and dot-com start-ups that develop Facebook applications without any business model get millions of dollars in funding, there is only one question: when will people realise what Facebook‘s real business model is?

2.
Google shut down a few blogs which opposed Barack Obama, possibly because Obama supporters tagged them as spam. It was all executed by automatic systems, and the censorship was made by private entities, but it doesn’t actually matter, as Blogspot’s terms of service state that “Google may, in its sole discretion, at any time and for any reason, terminate the Service, terminate this Agreement, or suspend or terminate your account”.

3.
Constitutional law is probably dead and irrelevant; until recently, what happened in the private sector was settled under “Private Law” or “Civil Law”, but today everything has changed: companies that develop applications for social networks or web services are subject to the new constitutional law, the Terms of Service. The problem begins when the stable business models that companies build upon, and that they get their funding for, are based on the social networks’ grace. This is not a stable agreement but a unilateral one, which grants the social network (or the search engine) an exclusive right to terminate the agreement and prevent the company from operating. (And it’s important to understand that when I refer to Facebook in this post I also mean any other social network or web service, like Twitter, that allows third-party applications.)

4.
Now, some might say that Facebook’s income and value are derived from the number of applications it has. Cynics may say something completely different: Facebook’s value is derived from its ability to monetize the applications that run on its platform.

[Photo: Mark Zuckerberg, Facebook’s founder, photo by KK+ under cc-by-nc-sa license.]

5.
In a year or two Facebook’s shareholders will come to their senses and start asking for money from the leading hundred applications, as they are allowed to do. Their policy would be something like this: an application with fewer than a million users may run freely, but once you have obtained a million users, you’ll pay us one US$ per user. That’s fair, isn’t it? And then what? Will these companies shut down and go home? Not really.

6.
It’s crucial to understand that when you develop a Facebook application or any other social-network-based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than “more than reasonable” (like investing your pension funds). That’s why, just as you wouldn’t deploy a real product without contracting with your deployment contractor, you really should consider doing the same with Facebook.