“Virtual Backpack is a stroke of genius…”

John Bird, founder of the Big Issue

The service is aimed at young homeless and vulnerable people, who run a high risk of losing such details (for example, due to theft or loss), although it could easily have wider applications. The service allows quick and easy access to these details, and also offers a platform for recording other personal details, previous addresses, work experience and useful contacts. Through integration with Microsoft’s Live Services, users can also access email, photo and document storage facilities.

“Virtual Backpack is a safe and secure place to store vital information and is a huge asset for any young person facing homelessness”

Lord Mayor of Birmingham

The potential of such a service is obvious, and although I can see a few possible issues, it’s a great idea. The developers are now hoping that local authorities will pay a licence fee to get access for their citizens, although I’d be interested to see a more centralised approach given the potentially transient nature of some of the target audience. Either way, this is a product to watch out for.

Biased results are a risk of online polls

I’ve just updated my list of social media lessons learned the hard way with details of an online poll which appears to have backfired.

In summary, part of a multi-million pound advertising campaign by Christian charity Alpha International has potentially backfired when an online poll on their website, asking whether people believed in God, showed an abnormally high 98% saying ‘No’ (source: The Register).

Alpha International has suggested that the skewed results are down to an online sting, with Spokesman Mark Elsdon-Dew adding: “I don’t think this is indicative of people’s faith in this country.” This seems highly likely – especially as the poll allows multiple (in fact unlimited) responses on the same computer. Many online polls use cookies, IP logging or such to prevent people from responding to a poll more than once – on each subsequent visit to the poll page, the user would normally be taken straight to the results page instead. Without this, the accuracy of your poll is at risk from repeat responses.

It’s not clear whether the skewed results were the result of an automated sting, using software to generate high numbers of repeated responses, or a manual sabotage, with willing individuals logging on and submitting multiple responses. It seems probable that it was one or the other – it’s unrealistic to expect that kind of response from the normal users of such a site, who are more likely to be in the ‘Yes’ or ‘Probably’ camps.

Organised sabotage?

A quick Google search reveals all sorts of online discussion around the poll, one of which explicitly invites fellow members to head over to the poll and “make it look even worse”. Within 2 days, 80 people had replied to that post, one of whom had spotted the technical flaw in the poll:

Ooooo – it lets you vote more than once. Vote early and vote often folks!

Other more productive replies talk about the lack of decent response options, with one person pointing out:

So they have “yes”, “no”, and “probably”… where’s “probably not”?

(to which I’d also add a middle option of “Don’t know”)

Luckily for Alpha International, the completely inaccurate results are obvious to all, potentially lessening the damage done. But, it has to be asked, what was the point of the survey in the first place? What would the ideal response have been for Alpha International?

This is a crucial question when considering online polls. Are we using them for real fact-finding, or are we just trying to prove a point? I recently saw a site which asked for parent’s opinions about local school closures. For me, this seemed a little unwise. A strongly negative response may have adversely affected any attempt by the authority to close schools, whilst a strongly positive response would have seemed rigged. That site did at least employ cookies to limit multiple responses, but with such an emotive subject it wouldn’t be hard for campaigners to direct vast numbers of people to the poll to make their opinions heard.

Quantity vs quality

And there is another risk of online polls, which is the lack of qualitative reinforcement. Quantitative figures can only show us some of a picture – if we are really trying to gage public opinion we should be entering into discussions, teasing out issues which we may not have thought of, and possibly even turning around some of the negative responses by offering valid counter-arguments and supporting information.

In conclusion

The Alpha poll is a perfect example of how over-simplified, under-restricted public polls can seriously backfire. They can be handy for giving people a quick and easy way of starting to engage in a discussion, but only really serve as the start of such a process. Adding forum functionality, to allow people to qualify their response, is an ideal way of taking this further, allowing pollsters to engage and discuss. Without this, polls are at best a fairly worthless set of figures, and at worst a PR nightmare waiting to happen.

When I first noticed the attack, my immediate assumption was that the hackers had exploited a vulnerability in my WordPress installation. My response was to remove the blog entirely and restore the affected index.html file on my root directory (my portfolio homepage). I intended to reinstall the blog last night, but in the end did not have time. And it’s a good job that I didn’t, given that the host company restored the sites their end this morning.

I actually only thought to contact my host company this morning when I spotted this thread on a forum, where someone reported the exact same attack which I had suffered. The suggestion there was that it was the result of a wider attack on the host, and when I contacted Namesco to check this, they confirmed it to be the case. I replied suggesting that it would have been nice if they had told me this as soon as they spotted the problem, saving me a lot of time and worry, but apparently that isn’t possible (see below).

Anyway, I’m back in business and all is well. The experience has given me cause to think again about security issues, and I plan to look more closely at WordPress security soon (this attack had nothing to do with WP, but it wouldn’t hurt to beef up security nevertheless). Look out for more on that soon.

EDIT: The reply from my host company, saying that notification about such problems isn’t possible:

With this type issue its not possible to contact customers about this. The reason for that is that the servers that hold the domain names do not have a record of the hosting account / customer account to which they belong to in the control panel. Also as not all sites were affected the time it would take to determine which customers had been affected, and then identify their contact details would pull recourses away from resolving the issue.

There are a number of websites / companies that will monitor websites for you (some free and some paid for) like site uptime.com, totalnetworx.co.uk which can alert you should the site go down. Its worth pointing out however that depending on how they monitor the website false alerts are possible.

Accordingly, if anyone can recommend a good monitoring service, as per the above suggestion, I’d be pleased to hear about it.

According to the official statement, to “prevent identity confusion, Twitter is experimenting with a ‘Verified Account’ feature [...] working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis.”

An example of a verified Twitter account

As the Guardian’s Technology Blog observes, many questions are as yet unanswered, and the focus appears to be on celebrities accounts just now. It’s a step in the right direction, but will it come at a cost?

Speculation has been rife on how Twitter will convert its success to profit. It’s possible that a ‘premium’ account model may be introduced, and account verification could well be a feature of that. The result would be many organisations being effectively held to ransom – forced to upgrade to a verified account to avoid the risks discussed in my previous post.

And the task of verifying all these accounts will be huge. As the Guardian article points out, ‘celebrity accounts’ include everything from

Britney Spears and Oprah down to the thousands of members of various sports teams, rock bands, parliaments, TV and radio stations, and so on.

All of the above have a brand or reputation to protect, so all would benefit from this type of verification. Twitter says that they’ll be starting with

well-known accounts that have had problems with impersonation or identity confusion. (For example, well-known artists, athletes, actors, public officials, and public agencies)

But it doesn’t say whether that will be limited to US public agencies, and it specifically says it won’t be supporting businesses just yet.

Twitter are inviting people who have had problems with fraudulent accounts to contact them via a dedicated feedback form, and in the meantime they are promoting the reciprocal link method (but they would, wouldn’t they – telling organisations that they need to link to Twitter from their homepage for security reasons is one clever piece of self-promotion).

This move has certainly addressed a major concern, and it’s great to see Twitter being proactive in this way. How they roll it out remains to be seen, but it’s good news so far.

Cybersquatting 1.0

Cybersquatting traditionally refers to the practice of:

registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else

Wikipedia article on Cybersquatting

This practice has been around for over a decade and many countries now have specific legislation against it. But with the increase of Social Media platforms, which allow you to choose a username which then dictates the URL of your account’s public profile (for example, www.twitter.com/prettysimple) the potential for a new kind of Cybersquatting is born.

Cybersquatting 2.0

In Ken Fischer’s sobering post on Gov 2.0 Spoofing, he suggests that there is a significant risk of individuals posing as officials:

…all it takes is one person believing one source is the voice of a government and acting on it to cause at the least embarassement (sic) and at the worse some harm.

Ken Fischer – Gov 2.0 Spoofing is here

Fischer recommends a simple technique to allow users to authenticate an account by following a reciprocal link to an official government and back again. But this could be considered onerous and it is likely that many users will not bother. As with most security issues, the onus has to be on the content owner.

The risks of Cybersquatting in a Web 2.0 world

Brand dilution

My own organisation has had cause for concern recently when an unofficial Twitter account surfaced. Luckily this appears to have been set up by a well-meaning employee, rather than a prankster or potential cybersquatter, and is now directing people to the official account. But this still presents the problem of watering down our message and causing confusion amongst citizens who wish to follow us. We now have an official one, in addition to the unofficial one.

Trust

Most Social Media relies heavily on building up trust with those who follow you. Any compromise of that trust through a proliferation of illegitimate accounts will stunt the success of genuine engagement and potentially damage the brand. If it becomes hard to prove authenticity without laborious methods, users may easily be scared off.

Hard to integrate

With traditional cybersquatting, once you’d taken control of a domain which was found to be illegally cybersquatting it was easy to integrate that domain into your estate (e.g. by setting up a re-direct). But with many of the Social Media platforms, this isn’t the case. Twitter, for example, does not allow you to merge accounts. So the unofficial account that I mentioned earlier will either continue to exist (and continue to dilute the brand) or cease to exist and lose the 50+ followers that it has already built up. Either way, the unofficial account got the better username (EdinburghCC, as opposed to Edinburgh_CC for the official one) and there’s no obvious way of rescuing that.

Criminal intent

Worse-case scenarios see situations where citizens think they are engaging with officials, and therefore surrender personal information which could be seriously misused.

Naming conventions

Looking at this list of Council Twitter accounts, I’m surprised by the lack of naming conventions. Most seem to have adopted the approach of councilname followed by CC or DC etc. But there’s no overriding consensus, and many have used far different names (for example, Sunderland (@Sunderland_UK), Southampton (@citycouncil09) and Croydon (@yourcroydon). There is therefore huge potential there for cybersquatters to set up shop, and we have very few options for closing the loopholes (unlike with standard web domains, where in the public sector registration of gov.uk Second Level Domains is restricted, or in the private sector where you would develop a brand protection strategy to mitigate against domain fraud by purchasing vulnerable domains).

Conclusion

Most heavy users of Social Media sites have probably come across instances of name-squatting – or at least cases of mistaken identity. There have been many high-profile stories involving people posing as celebrities, and even the great Tim Berners-Lee will find a shock in store if he ever wants to start Tweeting – someone has taken @timbernerslee and claims to be holding it for him (at what price, we wonder?).

It’s clear that organisations need to be aware of this issue, whether or not they are using the platforms themselves. It is their responsibility to protect their brand, as well as to protect their customers from fraudulent accounts. For public sector organisations this is perhaps even more crucial, and there is a clear need for stronger guidance and policy. Let’s just hope it doesn’t take a serious incident to get more people thinking about the issue.

Edit: Twitter have now introduced Account Verification.

Further reading

• Social Media Squatting – top sites to think about
• List of UK Council Twitter accounts
• How to handle Name-Squatting on Twitter et al
• …and the brilliantly titled Sydney Morning Herald article: All that Twitters is not gold: enter the squatters

• Free and easy to set up
• Possible to allow multiple users to access and contribute to documents
• Available (not blocked by our corporate filters and excellent uptime)

But the major question I wanted an answer to was around security. As soon as information leaves our internal corporate network, there are security issues which need to be considered.

Secure protocol

In his article, Warning: Google Docs is not safe, Legal Andrew looks at issues around Google Docs’ security and privacy. His conclusion is that although he’d trust it with ‘mundane information’, he won’t be using it for ‘mission-critical’ content.

Google’s own take on the subject is a lot more positive, as demonstrated by a response to a question on getsatisfication.com:

There are two tips which can greatly improve your safety:
1) When using an unencrypted wireless connection or some other network you don’t really trust, use https://docs.google.com instead of http://docs.google.com. The extra ‘s’ means ‘secure’; all traffic is encrypted. The only down-side is it’s a little bit slower.
2) When you use someone else’s computer (especially at an Internet cafe or at a hotel), don’t forget to logout of your Google account. And when logging in, don’t check “remember my password”. Pretty obvious.

Here at Google we use Docs to store all our confidential documents, spreadsheets and presentations. We use the same servers and we have no worries about people being able to see our data.

Neil Fraser, Google Rep

The secure protocol option is definitely a good feature, although until recently I tended to access Google Docs by simply tapping in ‘docs’ in my Firefox Google searchbar, then following the top link. This would get me there in seconds, but by default did not direct to the secure version (Google Docs isn’t secure by default because the secure protocol can be slower, as Neil mentions).

Neil’s second point raises a serious issue around our ability to trust those with the relevant log-in details to use them appropriately (important to note that this is a universal risk, and not a problem with Google Docs specifically).

Privacy glitch

But if Google’s assurances have waylaid some of your fears, let me draw your attention to last month’s rather embarrassing security glitch (as reported by cnet):

“We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document,”

Official Google statement, quoted on TechCrunch.

Sharing

And a more recent bombshell has again rocked Google’s boat. Only last week, security consultant Ade Barkah wrote a blog post about the security issues with Google Docs. In it, he suggests:

1. that embedded images are not afforded the same security as documents themselves
2. that people you share a document with can see previously inserted diagrams with some simple URL hacking to access other revision versions
3. that people who you have stopped sharing with can, in some cases, get access back again

Google’s official response was swift and made a lot of sense, but my concern is that their solution was essentially to tell us what we were doing wrong to allow these breaches (for example, in response to point number 2, we should be creating a new document before sharing, to get rid of the revision history). They are now producing additional documentation to cover these issues more thoroughly – but is everyone likely to read these?

In my opinion, the average user shouldn’t have to think about security issues. He or she should be protected from that by people who know the subject a lot better – who know the loopholes and have covered our tracks for us. The average user may or may not care about security, or they may simply not have thought about the risks – it doesn’t matter.

If I’m having to worry about whether I’m making my data insecure by not doing things the right way, then I’d say that by default that system is not secure. It’s summed up perfectly by the need to insert the ‘s’ in the URL yourself – it’s not Google’s problem, it’s ours.

Of course, for the price (free) Google Docs does offer real value and a generally excellent service, and I’ll continue to use it for my own documents. But as a corporate solution, I think we may need to keep looking.

UPDATE 9th April: I raised this issue on the Public Sector Forums and have had an interesting response from Deborah Fern, who points out part 8 of the Data Protection Act which states:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data Protection Act

Although Google Docs is US-based, they are signed up to the Safe Harbour Agreement, which does offer some form of protection.

Deborah also suggests that if you’re asking people to create an account to access a service, as in my original scenario, you become the Data Holder and are therefore responsible for what happens to that data.

UPDATE 14th April: Another comment from Helen Lea points to an interesting article over at The Big Money – Google’s Cloudy Day.

The BBC today reports that Spotify has been hacked and users’ details stolen. When I signed up for the service a few weeks ago I was a little annoyed that they were insisting that I give them not only a name and e-mail address (probably fair enough) but also an address and date of birth. Why!? There is a premium account option, for which you must pay, so I understand why they need certain details for that. But if I’m just registering for the free account, they really don’t need these details.

So I did what I often do in these situations; I gave a false name (or just initials if the site accepts them), a false date of birth (I usually make a note of this for each account so that I can recall it if I ever need to) and a false postcode (taken from a famous landmark or nearby public building, and again noted down). True, this is probably in breach of most sites’ acceptable use terms, but then again letting hackers steal my details is against my ‘acceptable website behaviour’ terms.

Actually, the attack on Spotify occurred in late 2008, before I’d signed up, so I wouldn’t have been affected on this occasion. Nevertheless, I hate giving out personal details at the best of times, and especially when I can see no reason for it.

Lessons for the day

• Website owners – always ask for the barest minimum of user details, where required, or at least make those details optional where possible. Then store them securely.
• Website users – protect your personal details. The security of those details is only as good as the weakest site which holds them.

I thought I’d mention a couple of things I’ve done since taking over the account. The lessons learned apply to any similar function, not just Survey Monkey.

SSL enabled

Firstly, I was surprised to see that the account did not have SSL enabled. This costs just $100 extra a year which, for a organisation such as mine, is peanuts. Compare that with the disasters that could await if not using a secure protocol and it’s a no-brainer. Sadly this only really came to my attention when I heard about a survey we’d run to gather parent’s opinions on school buildings. A local parent council blog had flagged up the potential security risk, and quite rightly so. We were asking for a few personal details, although to be fair these were not mandatory. Even so, those unaware of the difference between http and https may not have appreciated the risks (however small) and that’s not really on. Needless to say we’ve now upgraded, so people’s response are collected securely at their end and the results are downloaded securely at this end.

Friendly URLs

Secondly, a nice “courtesy feature”* is the ability to request friendly URLs. So instead of the usual string of alpha-numeric characters you can get something that actually makes sense (e.g. www.surveymonkey.com/mysurvey). This is really useful, especially if there’s a chance that people may need to type in the address, or if you want to refer to it in print. To underline the great customer service, I requested one to be set up and it took just a couple of hours.

Something to be aware of, if also using SSL, is that your users will need to include the https:// at the start of the URL. If they just type in from the www… they’ll get directed to the insecure version. Survey Monkey does not offer the ability to always redirect to the secure version, which they say is for the benefit of any systems that can not access the secure pages.

*Presumably a “courtesy feature” is something they’ll probably do, but aren’t obligated to. Hopefully, then, they’ll continue to offer this (and for free).

Loop to start

You’ve got various options for where to direct the user on completion of the survey (i.e. to a thank you page, another website, or even close the window). Another option, though, is to loop the user back to the start of the survey. This function has proved useful recently when we used Survey Monkey as the basis for an audit. Each auditor would typically be looking at 5 or more things, each requiring a unique response, so once one audit was complete they’d be going straight back into the survey to do another. The ‘loop to start’ function was, obviously, the perfect solution for this.

Invitations by e-mail

A tremendously useful feature is the ability to set up Survey Monkey to e-mail a list of recipients with an invitation to complete your survey. Each recipient gets a unique URL, enabling the system to track who has and hasn’t responded. This then means that you can easily send reminders targeted only at those who are yet to respond.

I thought it worth mentioning this function in the privacy statement that I am developing to accompany any surveys, and accordingly included this on the front page of the survey:

If you arrived at this survey via an e-mail invitation, it will be possible for us to link your answers with your e-mail address. Any information you provide will be kept secure and only used for evaluating the results of the survey.

The essence of the Register’s article, Google Analytics – Yes, it is a security risk, is that any third party javascript you include on your pages could open you up to vulnerabilities. You are essentially at the mercy of the owners of that code, trusting them not to do anything malicious. And there are plenty of things they could do, including stealing session cookies and form data, or even executing a ‘cross site script proxy’ attack, which could surrender control of a user’s login session.

So how big is the risk? There are a couple of factors to consider:

Firstly, how well can the script owner be trusted? A company such as Google can probably be trusted quite a bit, although we’re not just talking about the integrity of the company’s ethics. We also need to consider how seriously they take security themselves – how stringent are their own practices? Again, we can be fairly sure that Google is pretty hot on best security practices, so the risk is relatively low. The same might not be true of other third party sites.

Secondly, how big a target is your site? The case referred to in the Register’s story was Barrack Obama’s website. That site is obviously going to be a huge target for potential hackers, with security an immensely important subject. Sites with a lower profile can reasonably be assumed to be less of a target, although the risks can still not be discounted entirely.

In a recent forum post discussing this issue, the following advice was given:

if you must use external JScript, make sure it is a trusted source, and by trusted, I don’t just mean the company and their reputation, but also their own security practises, and do not under any circumstances link 3rd party JScript to a “secured” or sensitive area of a site

This seems to be pretty sensible, and is something we will need to consider from now on, not just in relation to Google Analytics, but when looking at linking to any third party script. Better safe than sorry…