Saturday, May 29, 2010
Shame on Google

Ben Adida takes Kim Cameron to task ("Privacy Advocacy Theater") for taking Google to task ("The Laws of Identity smack Google"). Ben claims that Cameron is overreacting ("Come on, Kim, this was accidental data collection by code that the Google Street View folks didn’t even realize was running."). But I'm here to say that Kim was spot on.

As Cameron notes in his reply: "My argument wasn’t about the payload data that was collected accidentally. It was about the device identification data that was collected on purpose."

As Kim rightly points out, collecting SSID and MAC addresses (as Google says they did on purpose) is just as heinous - perhaps even more so - than collecting the contents of data packets.

MAC addresses persist. The MAC address of the computer I'm using to type this entry is the same one that is used when I get my email, talk to my bank, shop at Amazon (and other places), chat on Facebook, etc. That MAC address is an attribute of my identity just as much as my street address is. More so, since I don't need to mention my street address to pay cash at the grocery store.

Kim, as he so often is on issues of identity and privacy, is right on this one. Neither Google, nor anyone else, should be collecting data which can be correlated to a MAC address, or to any other identifier attribute of a person's identity. The only exceptions should be: a) opt-in authorization by the user (i.e., "loyalty cards"); or b) properly executed law enforcement warrants.

Thursday, January 07, 2010
Google, OpenID and Chris Messina

Today's announcement that Chris Messina is joining Google is certainly good for Chris, probably good for Google - but what about the OpenID Foundation?

As of today, Google has 3 members of the Board of Directors: their corporate rep (Eric Sachs), and "community" reps Messina and Joseph Smarr. That's 3 out of the 19 board members. I should note that Yahoo has two members, a corporate one (Raj Mata) and a community one (Allen Tom), as does Microsoft (Mike Jones and Dick Hardt).

I do think that any corporate member should be prohibited from also having employees hold community seats. Not that I have any indications that Messrs. Messina, Smarr, Hardt or Tom would vote against their own principles, but people's principles are influenced by those of the culture in which they perform their daily employment tasks.

Over and above that consideration, though, should be the desire to avoid even the appearance of a conflict of interest. Maybe it's time the Foundation adopted a rule prohibiting such perceived conflict.

Sunday, September 21, 2008
Makes me look nice...

The Register's Ted Dziuba makes me look like a group-hugging flower-child with his latest story ("OpenSocial, OpenID, and Google Gears: Three technologies for history's dustbin"):

"What about OpenID, the best damned federated authentication scheme the world has ever seen, but nobody in the world can figure out how to use?"

or

"This situation gets really dangerous when you start to involve people from San Francisco. Every person who lives in San Francisco has the intention of starting a nonprofit organization of some sort. Therefore, if you collect a bunch of Web 2.0 engineers in San Francisco, the inevitable outcome is the OpenSocial Foundation: a nonprofit organization that only exists to support an API for programming social network applications."

Peace and love, children.

Labels: Google, openid, social networks

Monday, September 15, 2008
Google-oops

A big tip o' the hat to Kim Cameron, who today points out a security white paper from US-CERT describing an incredibly bad - and incredibly naive - security vulnerability in Google's SSO implementation.

The kicker isn't that there is a vulnerability, but, as Kim says, "the surprising fact is that the errors made are incredibly basic." The Google wunderkind evidently ignored major parts of the SAML spec (while claiming to be SAML compliant), leaving the SSO completely open to the most basic insider attack. More incredibly, they extended this vulnerability to third parties so that their insiders could get in on the attack!

Google just turned ten, but its thinking is more like that of a 17-year-old, one who knows what they want to do and can't be bothered to cross all the t's and dot all the i's in their headlong rush for personal fulfillment. They also think they'll live forever, and that they discovered sex (drugs, rock & roll, whatever). It's a very dangerous age but - if they survive it - they may go on to do great things. My hope is that the rest of us survive it, also.
© 2003-2006 The Virtual Quill, All Rights Reserved