Here’s more on the Plaxo discussion about the security of data held by the contacts management service.
Plaxo has kindly responded to my earlier post about the security issue raised by Britain’s Lodoga (their comments are definitely worth reading). I’ve also had a chance to talk to the folk at Lodoga about the problem. One or two points worth making.
- Lodoga point out that it’s not just Plaxo that is (or was; they moved quickly to fix the problem) vulnerable to this kind of attack. Many, if not most, websites that use forms are. So Plaxo could quite reasonably claim they’re being unfairly singled out here.
- Plaxo say that the vulnerability is limited to specific attacks on specific individuals. This could be misleading. As Lodoga points out, it’s the very specificity of the attack that’s worrying. In such cases, and like some phishing cases, the attack could be aimed at certain companies, and certain individuals, in order to extract data for more complex and broad attacks (for example, to impersonate someone to hijack data, fool other people into giving up data or even control a website). Just because the vulnerability is limited doesn’t mean it’s not a vulnerability.
Plaxo ‘correct’ a couple of points in my earlier post, which themselves need clarifying. It comes down to a couple of basic questions:
If I use Plaxo, is my address book stored on Plaxo’s servers?
Plaxo quote me as saying “that information will be stored in Oliver’s contact details on Plaxo’s servers in addition to whatever data he adds”, and respond thus: “Storing a person’s address book on our servers is an option, not a requirement for using the service (we refer to this as web-enabling your address book). Users can select this option when installing Plaxo, or change this option anytime through their preference settings. Enabling this option has certain benefits such as automatic backups, quick restore capabilities, enhanced synchronization capabilities and Web access, but it is still an option.”
Well, up to a point. It’s true that as a Plaxo user you can elect to prevent your contacts from being stored on Plaxo’s computers. But once again, it’s not a straightforward process, and unless my configuration is weird, having your data stored at Plaxo is set as a default, as far as I can work out, and the option to change it can only be found in the ‘Advanced’ tab of the Preferences window. What’s more, the option is called ‘Allow web access to contacts’ (i.e. not ‘Store copy of your contact data on Plaxo servers’, or something more explanatory). If you try to uncheck it, you’ll get a warning message: ‘Are you sure you want to disallow web access to your account? Doing this will also disallow you from synchronizing your address book on multiple computers and disable much of Plaxo’s functionality.’ It then gives three options: Yes, No and Cancel (what’s the difference between No and Cancel, exactly?). All this is hardly a way to reassure the wary. (If you do go ahead and uncheck this option there’s no way that I can see of confirming that your data has been removed from Plaxo’s servers; synchronizing your data does not result in any message to indicate the deletion has taken place.) My verdict: This option is not transparent and only likely to be pursued by the more advanced user. It needs to be more clearly presented in the early stages of setting up data, and the warning dialog needs to be rephrased (or preferably removed, since it tries to dissuade the user from selecting it).
Plaxo make a couple of other points in this regard: You don’t have to Plaxo your whole address book, just those folders you want to. True, but within those folders (and for most users, that means their complete address book) there are only two states: all stored at Plaxo, or none.
If I don’t use Plaxo, what can I do to avoid having my data stored at Plaxo?
First off, the issue is: How do I find out if Plaxo is storing my data? I wrote: “There’s no way for a non-user to tell whether your data is being stored at Plaxo unless you email all your contacts”, to which Plaxo adds: “Well I suppose this is only partially incorrect. This statement is true regardless of Plaxo – there is no way for anyone to tell whether your data exists in someone else’s address book.”
The only ‘incorrect’ bit of the statement I can find in Plaxo’s answer is this: You could also find out whether your data is being stored at Plaxo if you receive an update request from someone who uses Plaxo. Plaxo’s Stacy Martin says, “Personally, I feel this is one of the benefits to receiving Update Requests from Plaxo members. The Update Requests at least tell me who maintains my information. It gives me cause to follow up with the person to request they remove my information if I desire (as you mentioned, we also provide this as a courtesy to make that request on your behalf).”
Once again, I’m not sure this is a plus. It comes down to what many users see as the intrusiveness of Plaxo. If you have to respond to an email to opt out of something — either by creating a fake contact, sending an email to your friend requesting they delete you from their contact list, or asking Plaxo to do it for you — then you have, in the eyes of many, abused their privacy. Many users have complained to me about receiving dozens of these ‘update’ requests, which are sent very, very easily from an unschooled Plaxo user. So any argument that posits these updates are a benefit is not going to be a popular argument, since it requires the recipient to take action to avoid further requests: An intrusive form of spam if ever there was one.
More importantly, Plaxo does not contradict the basic idea here, namely that there’s no easy way to find out if Plaxo has your data, and there’s no easy way to remove it if they do. Stacy’s response is philosophical: do we control our own data anyway, and do we have the right to ask others to delete our data if they do choose to store it? Well yes, it’s true to a certain extent. Any Tom, Dick or Harry can have our email address in their address book, and if we’ve learned nothing else from recent viruses, it’s that our email address can pop up in the oddest of places.
But while this may hold true in the cases of individuals, Plaxo is treading on dangerous ground by arguing the same with what is a commercial service. Users are extremely sensitive about their private information being held by companies, governments and institutions without their knowledge or consent. In the case of companies the issue is particularly sensitive, for two important reasons:
- Companies have shown that they cannot be trusted to stick to their promises about not making commercial use of that information, by altering privacy policies, by transferring ownership of the data to a company that has not made the same commitments about the privacy of that data, or just by misleading the user. The short history of e-commerce has been a disastrous loss of trust on the part of the public on this issue. So while you may not care that much about an individual holding your data in their Outlook address book, a corporation having that data on its servers is quite a different matter. Users do care, and companies that try to sidestep the matter face a hostile audience.
- Secondly, security. Lodoga has shown that web servers with web access are not safe places. Their theoretical attack has been plugged, but there are likely to be many more. It’s not a useful argument to say that such attacks are limited, and have to be specific to be successful. That is not the point. The point is that if you store your address book on Plaxo, you and everyone in your address book are vulnerable. So, while it’s true that your personal data is never completely safe (someone could steal someone’s PDA which happens to have your address data on, say), having that same data stored on Plaxo’s servers is a different matter. It’s there, and everyone knows it’s there. It’s a clear target for someone looking to leverage such data for a broader attack.
So, I have to conclude that answering the question with a philosophical discussion about ‘ownership of data’ is steering the reader away from the core issue: Plaxo is a well-known, well signposted store of data that is valuable to others, criminal or otherwise, and that data may include your own personal data, without you being able to a) find out and b) do much about it.
It’s good that Plaxo go to the trouble of answering such questions, and I hope this post takes the discussion further forward. I should once again point out for the record that I still use Plaxo, although I’ve now disabled the ‘web access’ component, meaning, I hope, that my data (and any of yours which I happen to have in my Outlook) is no longer on Plaxo’s servers.