Outsourcing

How private is your Web-based service?


As I have said many times before, the two major components of security are privacy and control over your resources. Each of these plays a part in the other.

Remote Web-based service providers are generally concerned about controlling their resources. Using such a Web-based service means that even if there is a failure to maintain such control, it does not directly affect you unless the loss of control gets so bad that it actually interferes with your service or increases your prices -- and the latter effect does not even matter in the case of free services. For instance, if some malicious security cracker compromises a server at Hotmail and starts running an FTP server there without authorization, it probably will not affect your service, but if the Hotmail interface is replaced by a "h4xx0rz3d! pwn3d!" page, it obviously makes it difficult to make use of the Hotmail service. Privacy, however, is another matter.

Speaking strictly in terms of security, employing a Web-based service such as a Webmail provider can offer some benefits in that it offloads maintaining control of resources to the service provider. It can also create some problems for privacy, however.

  • Many Web-based service providers make users' information available to third parties -- usually referred to as "partners," in the terminology used in privacy policy statements.
  • It is often the case that what law enforcement personnel could acquire from a personal computer only with a search warrant, they could acquire from a Web-based service provider with nothing more than a subpoena.
  • Even when a Web-based service provider has a good privacy policy, that does not necessarily guarantee that some disgruntled or unethical employee of the provider cannot violate the terms of that policy.
  • Encrypted content, such as encrypted e-mails, must still be accessible. If that access is gained by way of a simple Web interface, that means decryption is happening on the server -- which, in turn, means that your decrypted content exists on a system outside of your direct control. This is one of the downsides of letting someone else worry about maintaining control of resources, and it's part of the reason the Hushmail incident discussed below was possible.
  • Because these service providers typically rely on their reputation for providing privacy to their customers to make a profit, their first priority is to protect that reputation. This is not always synonymous with protecting privacy.

Even (previously) well-regarded security-focused service providers are sometimes discovered to be more susceptible to customer privacy violations than people think. For example, in 2007 the Canada-based Hushmail encrypted e-mail service gave unencrypted copies of customers' private e-mails to United States law enforcement agencies -- something Hushmail's online documentation might lead one to believe wasn't even possible.

This does not mean you should never use a Web-based service, of course. There are many cases where the privacy of a particular bit of data is not of critical importance. Just be sure you know what information you should and should not trust to a Web-based service provider.

As a general rule of thumb, trust nothing to any Web-based service provider that you would not trust to TechRepublic. When setting up your account at TR, you have to provide an e-mail address, a username, and a password -- which means you should not have to worry about these things being used in a similar manner at Gmail, Yahoo! Mail, or even Hotmail. There are, however, those who suggest one should not use some Webmail services at all because they allegedly provide user data to spammers. This general approach to trusting Webmail providers with your e-mail address, username, and password is especially appropriate since you should not be reusing important passwords for these Web-based service provider accounts anyway.

On the other hand, you should not be putting your usernames, passwords, and e-mail addresses into your forum posts here at TechRepublic, let alone any credit card or social security numbers. For the same reasons, avoid sending that information in e-mails through Gmail, Hotmail, Yahoo! Mail, or any similar services. Do not put such sensitive information into documents composed with Google Docs, either.

That does not mean you cannot use Google Docs to compose your grocery list, though, or that you cannot trust Yahoo! Mail enough to send an e-mail mentioning a public event. Part of security awareness is being aware when security policy is getting too paranoid to be useful.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

3 comments
Jaqui

If a service is available through the internet, it is accessible by all. The only time that the above MAY not be true is if the service is only available through an encrypted session, such as the secure socket layer. [ May because if you are being specifically targeted by someone, they can capture copies of the packets that set up the secure session and still read it in real time, as well as a copy of the encrypted packets can be broken in time. ] I have always made it my practice to only put information online I don't care if it is publicly available. This precludes the use of online banking services though, since I don't want my banking information publicly available. :D As one of the Hosts of the BBC's Top Gear found out, exposing information publicly is asking for it. http://www.guardian.co.uk/money/2008/jan/07/personalfinancenews.scamsandfraud

dawgit

You bring up some good points in this blog. It may sound passé to some here, but to a lot of folks passing by, it's good info. Using Common Sense is always a good idea anyway. I think a lot of people need to be reminded of that from time to time. You've done that here. -d

apotheon

It's intended to be a reminder or an eye-opener, depending on the experience of the reader. It's a good idea to keep from getting complacent about privacy concerns like this, of course, and I aim to help in that regard. Thanks for the comments.