Web mash-ups infringe on data privacy

Data protection authorities are waiting for a crisis before acting to protect personal information exposed in the growing number of mash-up applications appearing on the web.

The privacy implications of new technologies such as mash-ups are too complex and unpredictable for data protection working groups to address, said Moulinos Konstantines, a Greek data protection official seconded to the European Network and Information Security Agency (Enisa).

Petros Belimpasakas, a principal researcher at Nokia's Tampere research centre, said people care about threats to their privacy, despite their willingness to disclose information on social networking sites. "Even small bits of information, such as a birthday, can be revealing because they are often part of a social security number."

He said the number of US firms that had sacked staff because of what had appeared on Facebook had doubled in a year from 4% to 8%.

Belimpasakas quoted a Cambridge University study of social network sites' privacy policies and people's use of them. "Most collect more data at sign-up than they need to manage the site, but almost none tell you what they do with the information," he said.

But even talking about privacy policies put off potential users, the study found. As a result, social networking sites limit overt discussion of privacy issues.

This has disturbing implications with advanced applications like mash-ups, which combine data from multiple sources.

One example was where information about a user's friends on Facebook was added to a Google map which then displayed the cheapest flight and nearest hotel to each friend.

Belimpasakas called for all mash-ups to use the OAuth protocol, which protects third-party disclosures. He called for similar protection for information disclosed via geo-location applications.

It is increasingly possible to use a mobile phone's camera to send a picture of a building to a central database which then reveals what facilities it has, such as restaurants, art galleries or even the location of one's friends in the building, he said. This means a vast increase in the amount of data traffic transmitted and revealed to third parties, such as the mobile network operator.

This is a privacy problem in itself, but there are more, Belimpasakas said. Access devices are closely associated with the mobile account holder. If they are lost or stolen, there is a track to the account holder. In addition, all the account holder's data accessible via the phone is vulnerable to theft and misuse.

"We are starting to see a multi-dimensional privacy problem that goes beyond the web and the PC," he said.
