Search with a little help from your friends (on social networks)

By Max Aller at 8:15 pm on February 3, 2008 | 2 Comments

Article

As most of you know, social networks are rapidly becoming ubiquitous, with hundreds of millions of users between Facebook (62 million), MySpace (>100 million), and LinkedIn (>17 million).  Naturally, many companies are trying to take advantage of this fact by letting users leverage their social networks, and now we’re starting to see search engines join the mix.  Delver is one of these.

The title of the referred article sums up the issues nicely, so I’ll just quote it here: “A new website will offer personalized search results based on the user’s social network”.  To clarify, you tell Delver what your name is, and then Delver crawls publicly available information about you (the article gives “public LinkedIn profile” as an example).  Of course, the amount of public information may be limited, and as such you can actually give Delver login information for these social networking sites so it can log in as you and crawl as much information about your friends as it can find to help make your search queries more convenient.  How convenient remains to be seen, and more details about this can be found in the article.

A service like this is inherently a security hazard.  No matter what precautions are taken, the user will still be giving his username and password to a third-party site.  This is problematic because with a regular site, an adversary who wants to get login information has three points of attack: the client machine (trojan), the connection (man-in-the-middle), or the server machine (e.g., SQL injection or other hacking).  If you give your information to a third-party site, there are two additional points of attack: the third-party server and the connection between the third-party server and the social networking site.  Only the weakest link needs to be vulnerable, and by adding in a third party the number of links is almost doubled.

At first I thought this system really didn’t have a reasonably secure solution, but then I thought of one possibility: a single central service like OpenID.  So how is this different from the previous problem?  Well, instead of giving your login and username to random-possibly-insecure-cool-gimmick-website-A to log in to random-social-network-website-B, you can keep all your login information on one single server that the community trusts to keep under lock and key (and firewall).

There aren’t any obvious ethical issues here, but there are some possible societal impacts.  Would people care if your friends discovered your posted content not through Facebook’s search engine, but through the search engine of some other site?  Who’s to say that Delver wouldn’t cache information from Facebook on their servers to “enhance” your experience?  What happens if the user’s friend then chooses to remove a picture from Facebook — can we trust that Delver will detect this and remove the picture from their cache as well?

Lastly, what will people think?  It’s hard to say.  One possibility is that people won’t care.  The odds that this company will become popular enough to become a household name in a tech-savvy household are extremely low, just because many specialty search engines do.  People might also be angered by the possibility that content that they uploaded to a social networking site for viewing only by their friends may end up in other places as well without their permission.

Filed under: Current Events, Privacy

2 Comments

  • 1
    Comment by iddav

    February 3, 2008 @ 11:21 pm

    It does seem like adoption of OpenID could potentially address the password security hazard, but the privacy implications do not seem to have as easy of a resolution. To be truly effective in using the social networks to enhance search, Delver would probably need to cache not only your friends’ data, but your friends’ Delver search histories as well.

    As discussed on Freedom to Tinker (http://www.freedom-to-tinker.com/?p=1246), Robert Scoble’s Facebook account got disabled as a result of his automated script that exported information about his friends to another service. This prompted questions about who “owned” the data: does your Facebook information belong to you, your friends, or Facebook? The blog post concludes that “ownership is a lousy way to think about this issue” and instead we should focus on balancing the interests of the parties involved.

    I think we can benefit overall through sharing our data in a transparent, controlled fashion. For example, Delver should be explicit about how it uses our data and allow users to make informed decisions about how much of their friends’ data they are willing to expose. Similarly, Facebook should be upfront about the fact that what’s posted on their site is pretty much open to the rest of the world; case in point: http://valleywag.com/tech/your-privacy-is-an-illusion/bank-intern-busted-by-facebook-321802.php

  • 2
    Comment by Max Aller

    February 4, 2008 @ 12:11 am

    That “ownership is a lousy way to think about this issue” made me laugh out loud…
