Oink’s Data Privacy Breach: Download the Data of Any User with Their Own Export Tool

Cristina Cordova, at her blog:

When Oink shut down yesterday, I used their export tool so that I could do something useful with the information I gave them. In requesting my data, which I did simply by filling out a form with only my username, I received the email below. In looking at the link, it seemed that my publicly available username (cristina) called for the download. The screenshot shows a simple link ending in "cristina-export.zip". So, curiously, I tried replacing my username with Kevin Rose’s: http://oink-prod.s3.amazonaws.com/kevinrose-export.zip (go ahead, click it). You’ll get a zip file of every item he has ever added, rated or reviewed. You’ll also get every photo he has ever uploaded to Oink. I began thinking about what access I gave to Oink – did I somehow allow them to make all of my data publicly available without my consent? Well, I tried exploring their privacy page, but it seems to conveniently redirect to their data export page. I hope in the Milk team’s next steps at Google, they place a higher value on user data and privacy.

Next steps at Google placing higher value on data and privacy? HA!
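The export-link pattern described in the post, next to one way to avoid it, as an added example that is not code from the original post or from Oink. The host name, key, lifetime and function names are hypothetical; the fix shown binds each link to one user and an expiry time with an HMAC that the server checks before serving the archive.

```python
import hashlib
import hmac
import time

# Constructed values for illustration; a real service loads the key from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
BASE_URL = "https://exports.example.invalid"   # hypothetical download host
LINK_LIFETIME = 24 * 3600                      # link validity in seconds

def guessable_export_url(username):
    """Pattern from the post: the public username is the only input to the link."""
    return f"{BASE_URL}/{username}-export.zip"

def sign(username, expires):
    """HMAC-SHA256 over the username and expiry, keyed with the server secret."""
    msg = f"{username}\n{int(expires)}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def export_token(username, now=None):
    """Return (expires, sig) for a link that only this user's email will contain."""
    expires = int(time.time() if now is None else now) + LINK_LIFETIME
    return expires, sign(username, expires)

def signed_export_url(username, now=None):
    expires, sig = export_token(username, now)
    return f"{BASE_URL}/export/{username}?expires={expires}&sig={sig}"

def verify_export_request(username, expires, sig, now=None):
    """Server-side check run before the archive is streamed."""
    now = int(time.time() if now is None else now)
    try:
        expires = int(expires)
    except (TypeError, ValueError):
        return False                      # malformed expiry
    if expires < now:
        return False                      # link has expired
    expected = sign(username, expires)
    # Constant-time comparison; changing the username or expiry changes the MAC.
    return hmac.compare_digest(expected.encode(), str(sig).encode())
```

The archive itself also has to sit behind this check (for example in a private bucket), otherwise the signed link protects nothing.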

iOS Address Book Access Should Prompt The User For Permission

Marco Arment has chimed in, from a developer's perspective, on the subject of Path's using Address Book data without asking the user permission first:

When implementing these features, I felt like iOS had given me far too much access to Address Book without forcing a user prompt. It felt a bit dirty. Even though I was only accessing the data when a customer explicitly asked me to, I wanted to look at only what I needed to and get out of there as quickly as possible. I never even considered storing the data server-side or looking at more than I needed to. This, apparently, is not a common implementation courtesy.

iPhone Address Book Privacy

Jason Kottke:

13 out of 15! Zuckerberg's cell phone number! Maybe I'm being old-fashioned here, but this seems unequivocally wrong. Any app, from Angry Birds to Fart App 3000, can just grab the information in your address book without asking? Hell. No. And Curtis is right in calling Apple out about this...apps should not have access to address book information without explicitly asking. But now that the horse is out of the barn, this "quiet understanding" needs to be met with some noisy investigation. What happened to Path needs to happen to all the other apps that are storing our data. There's an opportunity here for some enterprising data journalist to follow Thampi's lead: investigate what other apps are grabbing address book data and then ask the responsible developers the same questions that were put to Path.

Well put.

How Facebook Tracks Users and Non-Users Alike

Ben Brooks, writing on Brooks Review:

Byron Acohido reporting on Facebook tracking cookies:

Facebook thus compiles a running log of all your webpage visits for 90 days, continually deleting entries for the oldest day and adding the newest to this log. If you are logged-on to your Facebook account and surfing the Web, your session cookie conducts this logging. The session cookie additionally records your name, e-mail address, friends and all data associated with your profile to Facebook. If you are logged-off, or if you are a non-member, the browser cookie conducts the logging; it additionally reports a unique alphanumeric identifier, but no personal information.

Later Arturo Bejar, Facebook’s engineering director, is quoted as saying:

“But we’re not like ad networks at all in our stewardship of the data, in the way we use it, and the way we lay everything out,” Bejar says. “We have a very clear and transparent approach to how we do advertising that I’m very proud of.”

So I guess the real question is, do you trust Bejar, and therefore Facebook, in general when they say these things? What about now:

Adding fuel to such concerns, Arnold Roosendaal, a doctoral candidate at Tilburg University in the Netherlands, and Nik Cubrilovic, an independent Australian researcher, separately documented how Web pages containing Facebook plug-ins carried out tracking more extensive than Facebook publicly admitted to.

I just don’t buy anything Facebook is saying these days.

Ben has been on a roll with good commentary. I quoted entirely too much of his piece, but did so anyway because I didn't know how to quote just one part without leaving out the main point of his piece. Therefore, please please go to his site and subscribe to his RSS.