May 2011 Archives

PII2011 is underway out in Seattle and I am, sadly, stuck here in DC.  However, thanks to the magic of the intertubes I can follow along. 

Ashkan Soltani (@ashk4n) tweeted out an image of the geolocation ecosystem that I wanted to cross post here.  Awesome graphic.  Check out the #PII2011 hash tag to follow along with the conference.



Source: http://ashkansoltani.org/img/location_ecosystem.jpg

Hackers keep companies honest

New Zealand Hacker Aldo Cortesi (@cortesi) published a great article showing yet another vulnerability associated with mobile devices and the data they share: De-anonymizing Apple UDIDs with OpenFeint. Using a tool he wrote himself that executes a man-in-the-middle attack against SSL (HTTPS) encrypted traffic, he was able to deconstruct traffic from his Apple iPhone to various application providers.  For his write up, he chose OpenFeint which boasts a 75M user base.

Man-in-the-Middle Attack: Alice and Bob believe they have a secure connection; however, Mallory has injected herself into the stream and can view the conversation.  For the purposes of this post: Alice is your iPhone, Mallory is Aldo, and Bob is OpenFeint's servers.  Photo from Wikipedia.

Aldo set out to examine the Application Programming Interfaces (API) and the data that was passed back and forth, specifically concentrating on the Unique Device Identifier (UDID) of an Apple device and how it could be associated (or linkable) to other identifying data sets.  His results were not wholly unsurprising -- given the increased inter-connectivity of the world more and more data sets are being linked together. Aldo demonstrated a linkability between UDID and GPS coordinates, exposing a geolocation privacy risk to the person who carries the device. He also demonstrated a linkability to facebook profiles and profile pictures. 

Legitimate privacy risks?

OpenFeint users had to opt-in to the connection to facebook -- they, ideally, should have known what data could be transferred back and forth. OpenFeint only serves up an image through the Facebook Content Distribution Network (CDN); however, the CDN embeds the Facebook profile ID into the image URL thus giving the information needed to link back to a profile & a name.

The GPS data linkage is simply annoying.  Why does a game provider need GPS data?  Why does it need to store it and why is returned through API calls?

Well the only person that can see this data is me...right?  Wrong.


The largest risk is that OpenFeint is returning all of this data unauthenticated.  Anyone can query, based on a UDID, and get this information back.  That is a huge privacy risk, as it exposes a user's information to any Mallory on the internet. 

More and more data is being generated every day.  New platforms, services, and communication methods are being developed.  As companies strive to capture market share they will most likely neglect stupidly trivial things -- like authentication(!) -- in order to get to market before their competition. This won't stop, but there will always be a hacker in the background to keep the company honest in how they handle our data.  Kudos.
Back in mid-April, I posted about a video that had made its way across my screen (see: Using social media to disseminate policy...brilliant). The video was produced to disseminate the Victoria Department of Justice's social media policy. 

I thought this was an absolutely fantastic move and spent some time trying to find a point of contact there.  After poking around the Victoria Department of Justice website, I fired off an e-mail to their Freedom of Information office and crossed my fingers.

While waiting for a response, I reached out to a few folks in the strategic communications community and ask them to supplement my list of questions with ones they would enjoy seeing answered.

That e-mail was eventually routed to Darren Whitelaw (@darrenwhitelaw), who kindly responded and agreed to answer some questions. Darren is the General Manager of Corporate Communications in the Strategic Communications Branch of the Victoria DOJ.

The Q&A below provides some great insight for governments and corporations still struggling to engage social media. Darren's responses shed light on a government agency willing to engage thoughtfully and with purpose. The policy put forward by the Victoria DoJ clearly lays out the policy for the organization and also gives some great tips for personal use. I'd like to thank Darren for his time in answering the questions below.