Monday, July 27, 2009
Facebook can't tell a friend from a hole in the ground
Burton Group's Ian Glazer has done some follow-up on his "Privacy Mirror" Facebook application with more shocking results. Evidently, if you and one of your friends both add the same application then the application treats your personal data as if it were also a friend - ignoring your "application privacy" settings. And it does this without informing you in any way.
Not good. Not good at all.
Wednesday, July 22, 2009
Mirror, mirror on my screen tell me what PII is seen...
The Burton Group's Ian Glazer just created "Privacy Mirror", a "...Facebook application to see what #FB tells 3rd party developers." If you're on Facebook you might want to check this out. Do you really want to "share" all that info (and all your friends' info) with some nameless, faceless app developer?
Thursday, July 31, 2008
OpenID - the denouement?
There's been much agitation for Facebook to join the likes of MySpace and Yahoo! in the OpenID community. But when Facebook recently announced its "Connect" service (a service to port ID information among various web sites), without a link to OpenID, much angst was experienced in that vocal group of supporters of the open source identity protocol. In particular, Sxip's Dick Hardt - one of the co-founders of the OpenID Foundation - mused about the future of so-called "user-centric" identity. Earlier (in "Facebook Connect - fatal blow for OpenID?") Hardt said: "Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed."
Other co-founders (Johannes Ernst, David Recordon) tried (with smoke, mirrors and whistling in the dark) to refute Hardt but, in my opinion, failed miserably. OpenID is a victim of its own early success. Too many people, with too many conflicting agendas, signed on in the hope of designing OpenID in their image. From the early fights over iNames through the querulous (and tedious) fights about Attribute Exchange, security and other aspects of a mature identity protocol, there was resistance from the majority of the developer base, who really only wanted an easy way to log in to blogs. Nothing wrong with that. A simple, somewhat reliable way to ease the authentication process for blog comments while fending off robots and spammers is a worthy goal.
Perhaps this is the time for the visionaries within the OpenID community, those who have the vision of what a full-fledged open-source identity protocol should be, to bow out of that movement and form another one. Or, perhaps put their time and energy behind an existing movement such as the Bandit Project's DigitalME initiative. They could even create an STS (Security Token Service) to bridge OpenID and the InfoCard system so that they could be "true to their roots."
OpenID, it seems, is never going to be a secure, robust, full-featured identity system so let's stop pretending that it can be. Let it be what it is and let's move on.
© 2003-2006 The Virtual Quill, All Rights Reserved