More on spyware

February 28, 2007

After my thoughts yesterday about web spyware, this post about email spam caught my eye. The author owns his own email domain, so he creates a new email address for each service he signs up to; Company A gets companya@domain, Service B gets serviceb@domain, etc. These email addresses are unique and never shared with anyone but the service.

So imagine his surprise when the email address he set up for Performancing.com turned up on a piece of spam.

The likeliest way spammers could have got the address is from Performancing itself, and while he’s stopping short of accusing them of selling his details, the practice absolutely does happen, much more often than you’d think. Think about it this way: there are hundreds upon hundreds of web companies out there. Most of the popular ones have funding of some kind, which investors need to see a return on, but most web companies also don’t make a profit. How can they easily make supplemental income from their existing assets? Through selling on your details.

If any of you have other examples of this practice, let me know – it’d be interesting (and telling) to build up a collection.
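The per-service address trick described above can be checked automatically. The sketch below is an added example, not code from the post or its author: it maps the alias a message was sent to against the domains that service is expected to mail from. `MY_DOMAIN`, the `ISSUED` table and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.org"  # assumption: the domain you own
# Assumption: alias local-part -> domains that service legitimately mails from.
ISSUED = {
    "companya": {"companya.example"},
    "serviceb": {"serviceb.example"},
}

def _allowed(sender_domain, domains):
    """True if sender_domain is one of domains or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)

def check_message(raw):
    """Return [(alias, sender_domain, verdict)] for each of our aliases addressed.

    The From header is unauthenticated, so "ok" only means no mismatch was seen;
    "leaked" means an address given to one service was used by a different sender.
    """
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    findings, seen = [], set()
    for _, addr in getaddresses(headers):
        local, _, domain = addr.lower().rpartition("@")
        if domain != MY_DOMAIN or local in seen:
            continue
        seen.add(local)
        if local not in ISSUED:
            verdict = "unknown-alias"  # never handed out: guessed, not leaked
        elif _allowed(sender_domain, ISSUED[local]):
            verdict = "ok"
        else:
            verdict = "leaked"
        findings.append((local, sender_domain, verdict))
    return findings

# Constructed sample messages (not real mail).
FROM_SERVICE = "From: Service B <news@mail.serviceb.example>\nTo: serviceb@example.org\nSubject: Your account\n\nHello"
FROM_SPAMMER = "From: Deals <promo@bulk-offers.example>\nTo: companya@example.org\nSubject: Cheap pills\n\nBuy now"
FROM_GUESSER = "From: x@bulk-offers.example\nTo: sales@example.org\nSubject: Hi\n\nHi"

if __name__ == "__main__":
    for raw in (FROM_SERVICE, FROM_SPAMMER, FROM_GUESSER):
        print(check_message(raw))
```

A "leaked" verdict shows that the address escaped the service it was given to; it does not by itself say whether the cause was a sale, a breach or a shared mailing partner.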

The napkin fiction project

I love stuff like this.

Esquire sent 250 napkins to various writers across America, and got nearly 100 of them back, from established novelists to first-time authors. Some of them are fantastic.

There was a collaborative art project on the web around five years ago where people sent notebooks out, which were then filled a page at a time by successive recipients and then returned to the original owner. For the life of me I can’t remember its name, but it always seemed like a neat idea.

Is MyBlogLog spyware?

February 27, 2007

There’s been a flurry of activity over the last few days over MyBlogLog, and specifically, whether it secretly tracks advertising clicks. The allegation is that the tool, now owned by Yahoo, is being covertly used to optimise their contextual search product against Google’s Adsense (which we run on the sidebars here on Elgg.net). Techcrunch called this the Yahoo Publisher Network’s Trojan horse, and with good reason: at the time of acquisition, MyBlogLog was on at least 40,000 pages. If it was reporting user activity back to Yahoo for each of those, that’s a very good representative sample to use in refining their product. As a result, the comments at the bottom of the Techcrunch post were full of people wanting to switch networks.

MyBlogLog responded as follows: they don’t secretly track advertising clicks. It’s part of their product.

Because MyBlogLog is largely marketing itself as a widget you slap on your site to see who’s visiting, this seems a little disingenuous. In fact, had it been a desktop application, it would probably have been deemed spyware, which is defined as follows:

Any software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. …

MyBlogLog is a free widget, which comes with a monitoring payload that most users aren’t aware of. It sounds like it fits the definition pretty well, but Internet applications have so far gotten off scot-free. Because they don’t install themselves into your system, and because web browsers mostly have a hefty wall between those applications and your desktop machine, most web application privacy issues are to do with phishing scams and cross-site scripting attacks.

However, as more and more of our application work begins to take place on the Internet, this model begins to fall over. We need to take care about what we put on our websites and mash up with our applications – it’s not all benign. There’s big money involved, and when you look at the web 2.0 world in a particular way, it begins to look like a confidence scam designed to make you part with your personal details and be pleased for the privilege. There is a quiet revolution happening in computing, and these ideas are genuinely changing the way we do things for the better. But there are billions of dollars involved, and plenty of hands reaching for a piece of the pie – not everyone can be trusted, and we need to start choosing our web applications with the same scrutiny we use for our desktop ones.

(NB: Because it’s inevitably going to be mentioned, I’m not calling this up because of Explode. The two applications have different purposes, and we don’t consider MyBlogLog a competitor. If you have any concerns about our script itself and what it might be doing, check out our code – it just displays some HTML, and doesn’t perform any click tracking at all.)

Every Explode account is an OpenID

February 26, 2007

Dave’s already announced this one, but it needs to be reiterated: every Explode account is an OpenID.

What is OpenID?

OpenID is a simple standard that allows you to log on to multiple sites and services using one identity that follows you around the Internet. The idea is twofold:

1. You only have to remember one username and password.

2. Anyone clicking on your identity will be brought back to your central profile, so you only have one set of information to maintain.

Identity is becoming an issue – note that Windows Vista has an incorporated identity server called CardSpace, which will support OpenID in future versions.

OpenID is an open standard, which means it’s transparent: if you’re interested you can see how it works, and anybody can implement it. That will help drive adoption, and with companies like Verisign, Microsoft, Six Apart and more behind it, the smart money is on it surviving as an identity standard.

Why is Explode important?

Most OpenID providers give you a bare profile. You sign up, and provide some basic information that you’ve probably given a hundred times before, and then when people click back to your central profile they just see that bare site.

When you sign up with Explode, you dictate your interests – so people can find you – and the URL of a site you already have. That might be your own blog, a MySpace profile, a profile here on Elgg.net, or anything else on the Internet with a public web address. That’s what then gets linked to your OpenID.

So now when you use your OpenID anywhere on the Internet, people can click on your profile and see the page you’d really like to represent you.

There’s much more to come. Watch this space!
