Oink’s Data Privacy Breach: Download the Data of Any User with Their Own Export Tool

in , ,

Cristina Cordova, at her blog::

When Oink shut down yesterday, I used their export tool so that I could do something useful with the information I gave them. In requesting my data, which I did simply by filling out a form with only my username, I received the email below. In looking at the link, it seemed that my publicly available username (cristina) called for the download. The screenshot shows a simple link ending in "cristina-export.zip". So, curiously, I tried replacing my username with Kevin Rose’s: http://oink-prod.s3.amazonaws.com/kevinrose-export.zip (go ahead, click it). You’ll get a zip file of every item he has ever added, rated or reviewed. You’ll also get every photo he has ever uploaded to Oink. I began thinking about what access I gave to Oink – did I somehow allow them to make all of my data publicly available without my consent? Well, I tried exploring their privacy page, but it seems to conveniently redirect to their data export page. I hope in the Milk team’s next steps at Google, they place a higher value on user data and privacy. Next steps at Google placing higher value on data and privacy? HA!

Hashing For Privacy In Social Apps

in

Matt Gemmell, on the subject of social apps uploading raw user data instead of hashing the data:

From talking to many developers about this privacy intrusion during the past week, it quickly became disturbingly clear to me that many aren’t familiar with hashing at all. This is also predictably (and entirely forgivably) true for the many journalists who have covered the story, unintentionally distorting the issue due to lack of education in the field. This article, therefore, aims to introduce the concept of hashing in a clear, straightforward, and no-degree-required way, suitable for journalists and casual readers as well as programmers and software engineers. I’ll also explain why it’s suitable for preserving the privacy of contact information whilst still allowing for social functionality, and I’ll touch on whether or not you really need to store that contact information (hashed or not) in the first place. He goes on to outline the things he touched on in the paragraph above. This is a must-read article for any web or app developer.