Social networking site teaches insecure password practices

Privacy and security often stand and fall with a password. It is therefore extremely important to keep one’s passwords secret, especially in regard to services that carry a high risk of abuse.

Email accounts are one important example, since unauthorized access to one can reveal sensitive information such as private messages and contact information, thereby endangering not only the privacy of the account holder, but that of his or her contacts as well. (Of course, email encryption can add a layer of protection.)

Because of the above, I was disappointed to see a popular social networking site incite their users to provide their email passwords so that the site would be able to log in to the email accounts of the users in order to scan for friends.—This, however, was only the beginning of the story. Consider the following (slightly abbreviated) email exchange (in which the Subject: line, throughout, contained the social networking site’s slogan for their “give us your email password” campaign):

From me to the social networking site:

Please do not incite users to give you their email passwords. Although I am sure that you treat such passwords responsibly, your example sets the scene for e.g. phishers to obtain similar information.

Additionally, the terms of service of many email providers prohibit users from disclosing their passwords to anyone. Thus, complying with your request might place such users in a disadvantageous position should they ever end up in litigation or some other dispute with the provider.


Their first reply:

[We do] not insist on the password you have with the email address. We require a valid email address and the password is of your choice.

Moreover, [we are] committed to handling customer information with the highest standards of security measures and it is not possible for someone to hack your information stored [in our service], unless he/she has your –– account password [for our site].

I hope this clarifies.

My reply to them:

In order for your system to log into a customer’s mailbox to find those friends, surely the customer needs to give you the correct password for that mailbox.

Please understand that regardless of how well you protect that password, it is wrong to convince users to give their passwords to any third party, because it is then easy for phishers and other criminals to exploit the situation, either through saying “we are [the social networking site]; give us your password”, or “since you can give your password to [the social networking site], of course you can also give it to us”.

Their second reply:

I understand your concern.

[We have] very robust Privacy (sic) and Security (sic) policies and we take enough measure (sic) to safe guard (sic) our customers (sic) data stored on our servers.

[We do] not send spam, maintain spam mailing lists, or support the activities of spammers. We are focused on building a profitable, viable business and community that our members can trust. Compromising that trust by selling or sharing member information would not only violate our own Privacy Policy, a legally binding document, but would undermine our own code of ethics and ability to become a successful company.

At this point, I gave up.

Those replies were sent from the abuse address of the social networking site. It is highly disturbing that even those people, who should be security specialists, seem to lack a basic understanding of Internet fraud and of its prevention. My point, of course, was not mainly whether the social networking site handles the email passwords of their users carefully, but above all that accustoming users to provide their email passwords to any third party whatsoever is dangerous and wrong!

What do you think? Am I just out there, did I not phrase myself clearly enough, or is there some other reason for what I interpret as clue-deficiency on the part of the social networking site in question?
