« A Grab Bag of Random Thoughts | Main | *yawn* Hump Day, Finally »

Web 2.0 vs. Privacy & Security

I've been thinking a lot lately about the impact of Web 2.0 on information security. I've read Tim O'Reilly's seminal "What Is Web 2.0" article that defines this new trend. I've attended Dion Hinchcliffe's Web 2.0 training. I've read (most of) The Long Tail and The World Is Flat. I get it. I understand this new surge in the Internet economy. I see myriad opportunities for monetization for anything that can be sold effectively online, for ad revenue, for social networking, and for further redefining the customer relationship experience.

In the end, I do not see how any of this changes the fundamental issues within Privacy and Security. It does, however, potentially make things worse. Here's my take on some of these fundamental issues:

* The Web 2.0 Paradox: Consumers are encouraged to push all their data to the intarweb, blindly trusting that corporations will handle that PII, etc., properly. Yet, the corporations do not have a fully vested interest in actually spending much money to protect that data. Corporations encourage this behavior because the more consumers push their data out, the more reason they have to visit the recipient sites, resulting in more uniqs and increased ad revenue. However, at the same time, these same corporations are declaring caveat emptor. They expect consumers to read and understand all shrinkwrap licenses/agreements (written by corps, for corps), and they also expect consumers to backup their own data. As technologists we think "yeah, so, I know how to deal with this, and kids growing up with this should, too." Ok, I agree, but to a certain point. We still have an intermediary generation that has not grown up with this technology, but likes to avail itself of new technology. There are limits to what education, training, and awareness can do for them.

* Dumbing Down the Consumer: I'll be the first to admit that kids these days understand and use technology in ways that I find amazing. However, I also do not believe that these kids understand the security concerns inherent in these advances. Studies are starting to show that kids understand privacy issues (see here). But what about security? It's unclear that there is a commensurate expectation that corporations will properly protect and handle PII. At any rate, one of the goals of Web 2.0 seems to be lowering the bar for technical savvy in order to participate in this ever-expanding world. For corporations, this is a Good Thing (tm). The less savvy a user has to be to leverage a site, the broader the audience that can be reached, meaning the easier it becomes (in theory) to monetize the offering. But, in providing these easier interfaces (albeit with potentially greater end-user control), we are effectively decreasing the technical competency of the user pool, increasing the likelihood that people won't fully understand what they're up against, they won't appreciate the inherent security and privacy concerns, and they will blindly trust that corporations will behave properly, even if they have no fiscal motivation to do so. In essence, the average IQ of the Internet population decreases with the ubiquity of access and increasing simplicity of site navigation.

* Dumbing Down the Developer: In addition to making the interface easier for the consumer, we're also seeing tools developed that make coding and creation a much easier prospect. Which is all good and fine, if people know what they're doing. But there is an inherent danger in having a decreasing number of corporatized people creating tools for the mass development world. Do we really trust these tools? Do we know what they really do? Salon.com had an article about this in September titled Why Johnny can't code. Also, what happens if the tool everyone is using has introduced a flaw in all the apps/sites that it was used to create? Now we see the platform extended beyond the OS to the development tool, and face potentially the same types of problems that malcode has represented for decades.

* Legislative/Regulatory Catch-up (or About Face?): Especially in the U.S., legislation and regulations are still behind the curve in protecting consumers from data mishandling. The EU is definitely tracking on this better. For example, Germany has a law that states that all PII is owned by the consumer, not the corporation. This includes billing records. As such, if a consumer cancels service and requests that their data be deleted, the corporation is legally obligated to remove all that information, including from archives/backups. This law exemplifies the Web 2.0 mantra that the consumer owns the experience. We need more laws like this.

* Data Security: The full gamut of traditional concerns apply, but are of even greater importance. While corporations may not have a legal or regulatory driver to protect consumer data, their reputations are increasingly at stake based on what they do with the data entrusted to them. As such, access management, data privacy protection, backups, business continuity, and application security (including secure coding) should be top concerns. The sooner companies realize, understand, and accept that security threats are a direct influence on the bottom line, the sooner the Web 2.0 giant can be aligned with sound security practices. The sooner we can make a coherent financial argument to executives on this correlation between the bottom line and corporate success, the more successful we will be in getting security best practices integrated into development and operational environments. This issue perhaps sounds remarkably familiar (it is). The twist, however, is that Web 2.0 puts an increased focus on the consumer-driven experience. Betray the consumer and you may lose your business altogether. This reality is closer today than it was 7 years ago when the bubble burst.

* The Externality Game: Bruce Schneier has spoken numerous times about security as an externality. If the corporation doesn't feel pain in mismanaging data or trust placed with them, then what's their motivation in conforming to good practices? Ultimately, the solution is a combination of consumers taking control of the fate of corporations and government placing legislation with significant financial penalties in place to protect those consumers. Fortunately, Web 2.0 provides a new, unique method for consumers to flex their might in influencing other consumers to boycott or avoid badly behaving corporations. However, corporations still aren't fully motivated or required to disclose their bad behavior, meaning consumers can't always be well-informed. Tools like seller rating systems go part of the way toward remedying some of this concern, and now it's just a matter of new mashups being developed to extend this further.

* Chasing the Data: One of the key tenets of Web 2.0 is the concept of mashups - a 3rd party site that pulls together information and/or services from 2 or more sites into one dynamic interface. I think we'll continue to see the growth of this approach in the coming years. It opens up one big headache for consumers: where's the data actually being stored? If I visit a mashup site, the potential exists that data I share through that site may not actually be saved on that site, but could in fact be saved at a combination of the 2+ sites that are being mashed up. Just because I have an agreement that I understand with the mashed site does not necessarily mean the same thing for the original sites that are being pulled into the mashup (or vice versa - liking agreements on source sites does not equate to liking the mashup site's agreement). This may also introduce issues of downstream liability. And then there are the potential issues with aggregation. What if mash-up siteA is leverage siteB and siteC that are actually owned by the same mega-corp? The consumer may not want mega-corp to have their aggregate data, yet will be unwittingly sending it over.

* Who Owns the Layers: Just a brief point here, without getting into corporate politicking. Have you noticed the return of the telecom monopoly? AT&T and Verizon come to mind, as does the whole Net Neutrality battle. One company may own your experience at Layers 1-3. Corporations providing these great "free" Web 2.0 services own Layers 6-7. P2P and file sharing protocols are being attacked by the ever-popular targets RIAA, MPAA, and their crutch the DMCA. To quote a friend, "The only thing we're free to do is establish sessions and close them, everything else has somebody's paws on it." This is perhaps the great irony of Web 2.0. It looks and feels like FOSS, until you start looking closely and realize that the whole thing is owned end-to-end by corporations. Unless a law comes along that stipulates that the consumer owns their data at all times and in all places, then corporations are going to assume otherwise.

* Universal IDs: One of the hot new things is OpenID and how the consumer now can have a universal ID which they control. All good and fine, but this OpenID also lowers the bar for consumer profiling. And, with the beauty of the information age, this also means that we can profile in an extremely granular way. But where do we stop? For example, what's to stop Law Enforcement from creating their own mashup (for their use only, of course), using an OpenID to track individuals, perhaps to the point of seeking so-called "terrorists"? Maybe this sounds ok on the surface, until we imagine the abuses, such as China has pursued for decades in suppressing free speech. If a consumer speaks out on their blog against the current government, what threshold will need to be crossed before the government identifies them as an agitator? This is not to say that there aren't potential benefits, particularly in terms of unlocking the long tail to market better to consumers. It just provides the start of the slippery slope argument. We need keep in mind the need to balance civil liberties against universal trackability. Why does privacy need to be an illusion?

(*Note: A special thanks to my friend Bob Alberti of Sanction, Inc., for proof-reading and providing input on this posting.)



TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/217

Listed below are links to weblogs that reference Web 2.0 vs. Privacy & Security:

» New Threats in Web 2.0 from The Falcon's View
I've previously blogged about how I don't think, fundamentally, Web 2.0 represents a change in information security. It represents some new challenges, but the base goals are still the same -- Confidentiality, Integrity, Availability. I was able to att... [Read More]

Post a comment

About

This page contains a single entry from the blog posted on January 28, 2007 1:34 PM.

The previous post in this blog was A Grab Bag of Random Thoughts.

The next post in this blog is *yawn* Hump Day, Finally.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.