Jefferson's Wheel

KIRO TV (Seattle) has a story on RFID privacy issues: Credit Cards Stolen Without Leaving Wallet (it includes a video demonstration).

German-born Karsten Nohl is a security consultant and PhD student at the University of Virginia. He was in Seattle recently to speak at a technology conference and is known worldwide for hacking into transit systems.

He’s exposed significant security problems with transit cards commuters were told held their personal information secure, but Nohl showed, did not

“Is it all that inconvenient to swipe a card? Does it really have to be tapping? Would, for that perhaps tiny added benefit, now expose your data to everybody in your vicinity? Perhaps not. So, that is a discussion that has to be had. And not just by the companies introducing something new and fancy and forcing everybody to use it, but rather by the consumers, too,” said Nohl.

Kim Hart has written an article covering Adrienne Felt’s study of privacy issues with Facebook applications: A Flashy Facebook Page, at a Cost to Privacy: Add-Ons to Online Social Profiles Expose Personal Data to Strangers, The Washington Post, 12 June 2008.

Ben Ling, director of Facebook’s platform, said that developers are not allowed to share data with advertisers but that they can use it to tailor features to users. Facebook now removes applications that abuse user data by, for example, forcing members to invite all of their friends before they can use it.

“When we find out people have violated that policy, there is swift enforcement,” he said.

But it is often difficult to tell when developers are breaking the rules by, for example, storing members’ data for more than 24 hours, said Adrienne Felt, who recently studied Facebook security at the University of Virginia.

She examined 150 of the most popular Facebook applications to find out how much data could be gathered. Her research, which was presented at a privacy conference last month, found that about 90 percent of the applications have unnecessary access to private data.

“Once the information is on a third-party server, Facebook can’t do anything about it,” she said. Developers can use it to provide targeted ads based on a member’s gender, age or relationship status.

The article also appeared in MSNBC, the Kansas City Star, the Los Angeles Times (Facebook widgets pose privacy risks:Users often give away their personal data and that of friends without knowing when they install the popular social network programs), the Austin American-Statesman (Social networking applications could become a privacy headache), and the Washington Post’s Express edition (FreeRide Lunchtime Reading: Who’s Getting in Your Facebook?).

Electronic Design has an interview with me: Electronic Design Interviews U. of Virginia Computer Prof, Electronic Design, 21 May 2008. The interview focuses on the history of Splint, and the current state and future of program analysis tools.