WIRED: Online privacy is proving to be hard, much harder than technologists previously thought, writes DANNY O'BRIEN
I FIRST heard of Samy around about the time a million other people did. In 2005, aged 19, he wrote a piece of code that, when added to his MySpace profile, caused anybody who read that profile to automatically add him as a friend.
More ingeniously, it also automatically added the same code to their profiles, meaning that anyone who looked at those profiles also became Samy’s friend. Instances of such advantage-taking of system bugs are called “exploits”. I rather like the Enid Blyton tone of that title, at least when such exploits are harmless fun.
Samy ended up doing 90 days community service for his exploit. Perhaps that was fair, although I can’t help feeling that a script that ‘friends’ random passersby, then gives away its presence with the message “Samy is my hero”, is probably the best result that MySpace could have hoped for.
Security holes can have far more damaging effects when kept quiet and used by criminals.
Last week, Samy got another footnote in the annals of internet security. He published code that showed how to create an “evercookie”. Cookies are little spots of data that websites can put on your machine so they can recognise you in the future.
Think of them like that dab of ultra-violet paint a nightclub gives you on your hand on your first visit.
To my mind, cookies are fairly low in the hierarchy of privacy-invading software, largely because you can spot them relatively easily, and modern web browsers have good ways of managing them.
If you don’t want to be recognised by a website, you can delete your cookies. If you want to keep an eye on who is monitoring you, you can set your browser to tell you when a cookie is being deposited on your machine, or you can switch on “private browsing” that will hide cookies from their original creators and throw new cookies away at the end of the browsing session.
Few of us do any of this, but the fact that we have these tools at our disposal makes cookie-abuse relatively transparent. It also means that cookies get more headlines than more insidious privacy threats – again, because they’re a rather obvious way of people-tracking.
We’re less aware of, for instance, how much data a website might be reselling to some other company or how much data it keeps on us. We know where we are with a cookie.
Samy’s new evercookie program was a demonstration that we can’t always be sure even of that. His code rifles through a grab-bag of lesser-known ways of creating the same UV dab in ways that are far harder to keep an eye on.
Adobe’s Flash plug-in, used by sites like YouTube to show video and Popcap to play games, has its own cookie storage system. The very latest browsers have more arcane and experimental ways to accept cookie-like deposits.
If those fail, Samy’s code uses browser behaviour that was never meant to be used for cookies, like its history list of past-visited sites, to store data and uniquely identify a visitor.
Is evercookie an exploit? Not in the computer security sense, but it is an adventure of sorts – an open, guided tour of the tricks already being used, or potentially usable, by less scrupulous websites to track and monitor your behaviour.
So can these loopholes be closed, just as MySpace learned to lock down the holes in its security when Samy first showed them? Maybe. Some of the flaws are already being worked on by browser developers and Samy’s depiction of them will put further pressure on them to fix these privacy leaks.
Samy’s work may point to a wider, systemic problem, however. Last year, my former employer, the Electronic Frontier Foundation, launched Panopticlick. Panopticlick wasn’t as subversive as Samy’s evercookie, but its research may indicate a deeper problem.
All the Panopticlick website does is attempt to fingerprint you from the data about your computer that your web browser handily hands over to a website. Most of that information is supposed to help site designers better respond to different users’ needs.
Browsers happily inform web servers that they are “Safari 5.0.2” or “Internet Explorer 8.0”; they will also tell anyone who wants to hear which fonts you have, what time zone you’re in, what your screen size is.
None of these, by themselves, is particularly unique or incriminating, but by combining them, a webserver can gradually build up a potentially unique fingerprint. A large majority of visitors to Panopticlick were fingerprintable in this way, making any need for a dab of a cookie irrelevant.
Ironically, some of the most fingerprintable were those who otherwise use privacy-protecting features like refusing cookies or blocking Flash. Using these features is so rare that it made those users stand out and be even more identifiable.
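The combining step described above, as an added example that is not part of the original column and is not Panopticlick's code: over a small constructed population, it measures how large a crowd each visitor hides in and how refusing cookies shrinks that crowd to one. The attribute names and sample rows are assumptions made for illustration.

```javascript
// Constructed sample population (not real Panopticlick data): each row is
// what one visitor's browser reveals to a website.
const ATTRS = ["userAgent", "timezone", "screen", "fonts", "cookiesEnabled"];
const rows = [
  ["Safari 5.0.2", "UTC+0", "1280x800", "A,B", true],
  ["Safari 5.0.2", "UTC+0", "1280x800", "A,B", true],
  ["Safari 5.0.2", "UTC+1", "1280x800", "A,B", true],
  ["Internet Explorer 8.0", "UTC+0", "1024x768", "A,B", true],
  ["Internet Explorer 8.0", "UTC+0", "1280x800", "A,B,C", true],
  ["Internet Explorer 8.0", "UTC+1", "1024x768", "A,B", true],
  ["Internet Explorer 8.0", "UTC+0", "1024x768", "A,B", true],
  ["Safari 5.0.2", "UTC+0", "1280x800", "A,B", false], // refuses cookies
];
const visitors = rows.map(r => Object.fromEntries(ATTRS.map((a, i) => [a, r[i]])));

// Join the chosen attributes into one fingerprint string.
function fingerprint(visitor, attrs) {
  return attrs.map(a => `${a}=${visitor[a]}`).join("|");
}

// Count how many visitors share each fingerprint (the anonymity sets).
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const v of population) {
    const key = fingerprint(v, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Size of the crowd a given visitor hides in for the chosen attributes.
function anonymitySetSize(population, visitor, attrs) {
  return anonymitySets(population, attrs).get(fingerprint(visitor, attrs)) || 0;
}

// Identifying information in bits: -log2(share of population with this fingerprint).
function surprisalBits(population, visitor, attrs) {
  return -Math.log2(anonymitySetSize(population, visitor, attrs) / population.length);
}

// Fraction of the population whose fingerprint is shared with nobody else.
function uniqueFraction(population, attrs) {
  const sets = anonymitySets(population, attrs);
  return population.filter(v => sets.get(fingerprint(v, attrs)) === 1).length / population.length;
}

const withoutCookies = ATTRS.slice(0, 4);
const cookieRefuser = visitors[7];
console.log(uniqueFraction(visitors, ["userAgent"]), uniqueFraction(visitors, ATTRS));
```

In this sample the browser name alone identifies nobody, while the combined attributes single out half the visitors, including the one whose only distinguishing trait is refusing cookies.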
Online privacy is proving to be hard, much harder than technologists previously thought.
If we’re going to get better at it, we need more benign exploit publicisers showing us the problems. MySpace may have faded from the web, but for exposing such privacy flaws, Samy’s still my hero.