But with the rush to make websites “2.0 compliant,” companies are throwing privacy and security considerations out the window in hopes of riding this new wave of catch-phrase coolness.
If you aren’t familiar with Sillycon Valley’s latest and greatest VC-fundable buzzword, Wikipedia says that Web 2.0 refers to the next generation of Internet-based services, such as social networking and community-based sites, that let people collaborate and share information in new ways. Wikipedia itself is a prime example of this new era of interactivity and collaborative community.
Legend has it, however, that the best definition of Web 2.0 was overheard last spring in a bar in San Francisco. “I’m not really sure what it is,” one drunken dotcommer reportedly said, “but I’m told it’s going to revolutionize the Internet business in India.”
Indeed, outsourced programmers from Bangalore to Mumbai, and everywhere else in the world, are riding the 2.0 wave by adding new customization and personalization features to every tired old website they can get their hands on.
One of the classic signs of a website trying to position itself as a 2.0 venture is the creation of an API, an Application Programming Interface, through which it allows other websites or software developers to access its capabilities and exchange data.
Excellent examples of APIs include the capability for website designers to incorporate Google and Yahoo maps and driving directions directly into their existing website. When your favorite restaurant embeds driving directions on their homepage, you may have an API to thank.
The proliferation of APIs and other types of data feeds, including Really Simple Syndication (RSS), has created the Internet cultural phenomenon known as the “mash-up,” in which data sources, sometimes several of them, are pulled together to create entirely new services. A great example is Zillow.com, which pulls property tax data and housing sales reports and overlays them atop street maps and satellite images to show home values and to visualize real estate trends.
There’s no question that by making the content of their sites more easily accessible through APIs, companies are helping to create some really new and exciting services for consumers, all the while expanding the market for their existing products and services.
In my opinion, however, not every mashup, API, or user-driven experience is a smart idea.
Recently a colleague of mine suggested I try a service called Meebo, which allows you to send and receive instant messages from all the major IM services through one interface. All you have to do is give Meebo your usernames and passwords for all your accounts and let them be the intermediary for all your online interactions thereafter.
This sent a chill down my spine. For services like Yahoo!, AOL, and Google, the username and password for your IM service also gives access to your email, your public and private photo albums, your calendar, your address book, and in some cases your billing information and other personal data. This is not information that anyone should hand over very easily.
Knowing full well that most consumers aren’t as jaded and suspicious as I am, I took a quick spin through the About Us section of Meebo’s website and learned that if I signed up, the keys to my online realm would be under the care of people like “Biz Guy,” Mr. Sparkle, an Abraham Lincoln re-enactor, and someone called “Server Chick,” who “just quit her day job.”
The site also provided a link for something called “privacy principles,” which stated that while the company is very committed to security, “we’re not all the way there yet.”
Ironically, those candid revelations make Meebo among the most honest and forthright of all the Web 2.0 start-ups regarding the risks arising from such experiments in openness and wide-eyed trust.
Looming Disaster
While start-ups like Meebo are busily creating new possibilities for privacy and security disasters, the established Internet companies are also rushing headlong into their own potential problems. Among them is the current front-runner for my “Greatest Looming Web 2.0 Disaster Award”: the new API for the Yahoo! Mail service.
Earlier this month, Yahoo! announced that they were opening up their mail system to third-party developers who want to create applications that incorporate access to users’ Yahoo! email accounts. By utilizing the API, which reportedly includes an updated user login and authentication process, any developer can add the ability for users to send and receive email messages via their existing Yahoo! Mail account from within that developer’s proprietary application.
The idea is to make it easier for the Web 2.0 development community to integrate Yahoo! Mail into various new and interesting experiences, allowing Yahoo! to be more deeply embedded in the Internet of tomorrow.
But in my mind, the benefits of opening up the system are outweighed by the potential to create even more sophisticated kinds of “man in the middle” hacker attacks and new twists on the growing epidemic of “phishing.”
Phishing is the process by which hackers trick users into providing their usernames and passwords by creating sham versions of websites that masquerade as legitimate. Phishing works because most users aren’t very skeptical or discriminating when they are asked to log into their email, online banking account, eBay or PayPal account, or other online service.
Even if there is a way to secure the login process and to make it less susceptible to being replicated by phishers, there’s still the matter of ill-intentioned application developers.
What’s to stop a dastardly developer from sniffing out users’ passwords during the login process, or, once the login has been authenticated, from misappropriating the cookie or other security token that has been issued? What’s to stop a malicious programmer from capturing every email message passing through the application and using it for other purposes?
Oddly enough, when I think of those who could profit from creating a new interface and passing all of a Yahoo! user’s email through its systems for parsing and manipulation, first in line is Yahoo!’s archrival, Google.
Google has promised users of its Gmail service that, through the wonders of sifting through your email box with its supercharged content sniffers, they will be able to serve advertisements based on the content of your email messages. By using the API process, could Gmail create an interface for users to import the mail from Yahoo and further erode its rival’s advertising reach?
Just think: One day Gmail might also be able to deliver Yahoo! users a nagging email from their spouse, along with advertisements for divorce lawyers, discounts for dating services, and a sale price on the autobiography of Lorena Bobbitt – half-off, of course.
This is less a security problem than a business problem – but it’s one that I think about when trying to decide when to start short-selling Yahoo! stock.
For me, the biggest problem with ill-conceived “Web 2.0 compliance” is that it’s making it even harder to teach users how to protect themselves.
Just as we are getting users trained to be more suspicious of folks who ask them to log in via seemingly legitimate interfaces, systems like Meebo and the Yahoo! Mail API work to add further confusion as to what a “legitimate” login screen can look like.
Some of today’s Web 2.0 concepts are absolutely amazing and changing the face of the Internet for the better. But in the rush to ride this new wave, too many companies are blinded by coolness and forget the fundamentals.
I only hope that more of today’s Web 2.0 entrepreneurs will go back and spend some time with Privacy and Security 101, before their users – and their exciting ideas – get burned.