The Dark Side of Open APIs: Privacy exposed

February 3, 2008 at 2:54 pm | Posted in privacy | Leave a comment
Tags: , , ,

Le faux frog just wrote a piece similar to my 30boxes item.

I’m starting to resent some web services that allow users to find friends by entering their e-mail addresses. Why? That feature can be handy but Flickr and Twitter go too far and allow access to e-mail addresses that have not been explicitly marked public. Futhermore, any webcrawler can use those e-mail addresses to generate profiles of people by making a simple API call.

Spokeo crossed my radar this week after I read about it in Newsweek. I’m not interested in monitoring my friends’ activities across dozens of online communities and social networks but I created an account anyway and entered my e-mail address to see what information about me was freely available. I’d recommend periodically doing the same type of thing on Google. I’ve always called it “ego surfing” but the term never really caught on.

To my surprise, Spokeo listed all of my photos on Flickr and all of my tweets on Twitter during the past two weeks. That felt like a violation of my privacy.

An Email to Yahoo/Flickr regarding privacy leak

January 26, 2008 at 12:44 am | Posted in privacy | 2 Comments
Tags: , , , ,

Here is a copy of my email to Yahoo (for Flickr) Germany (they automatically forward me to the German site, due the my IP I suppose), addressing the privacy issue raised by the 30boxes mashup (I wrote about that here). I picked the ‘Infringement of Privacy’ label, hopefully I’ll get a response, hopefully they’ll fix that problem.

Dear Yahoo,

I just learned that, due to an open API at Flickr, it is now possible to extract and MATCH ones nickname and email address and make that connection public. That means: Knowing someone’s email address suffices to retrieve that person’s flickr account.

This is currently possible using the services of a website called www.30boxes.com. 30boxes offers a calendar services and claims to allow people to do the following:

* organize your stuff
* plan your day
* keep up with your friends

Unfortunately, in their interpretation, a friend is someone whose email address you know (an unfortunate misunderstanding that could also be witnessed in the recent disclosure of shared items to everyone in your contact list at Googlemail)

Similarly, keeping up with your friends at 30 boxes works the following way: Once you have signed up, you can “Find buddies” by entering the email addresses of people you know (of course, knowing someone’s email address does _not_ mean that you are friends!)

30boxes then attempts to retrieve data from the APIs of – among others – Flickr, Twitter, Myspace.

What is disconcerting here is that it, in the case of flickr – matches nicknames and emailaddresses, meaning that the privacy that the nickname offers is jeopardized.

I, for instance, entered the email of a friend (which I am not going to type in here, as I am also going to publish a copy of this email on my blog) and immediately received a link to her flickr account – I am very sure that she isn’t too pleased about this.

I am probably lucky that 30boxes wasn’t able to match my email address with my flickr account (for which ever reason) – nonetheless, I wonder whether:

a) Flickr knows about this vulnerability of their API

b) this vulnerability is covered by the terms and services (I doubt that I would understand the legal language that defines the use of APIs, hence I haven’t checked myself).

In any case: The fact that one HAS the opportunity to chose a nickname does, in my view, suggest that the connection between nickname and email address should also NOT be revealed to third parties nor made public, e.g. publicized in the 30 boxes mashup.

Furthermore: If a user gives out his or her email address, that does not necessarily mean that he or she also meant to allow this person to see his or her flickr account. This is, however, the consequence of opening your api to third parties like 30 boxes.

Your feedback is very much appreciated.

Best wishes

Anaj Blog

I might have to send emails to Twitter, Myspace etc. as well.

30boxes – the consummate end of privacy

January 25, 2008 at 7:04 pm | Posted in Internet | 13 Comments
Tags: , , ,

Ok, we’ve given up privacy a long time ago – Facebook/Studivz probably was the ultimate blow. And here now is the application that brings all the bits and pieces of you on the net together: 30boxes.com. They pretend to be a calendar service, but what disturbs me more is that you can enter anyone’s email, and it’ll tell you where this person has posted data of him or her on the net.

For instance, I typed in my boyfriend’s email address which does NOT give away his real name – and 30boxes gave me his first name and the first letter of his surname. I typed in Lenina’s email address and it produced her flickr account – even though she uses a completely arbitrary user name.

In theory, your email address shouldn’t be visible to anyone on flickr – so how can some shady web application find out whether you’ve got a profile there or not???

Blog at WordPress.com.
Entries and comments feeds.