2

This answer[link] to another question here talks about OpenID and data espionage. I quote:

[Data espionage] Why let them gather the detailed statistics from many consumer sites and help them build personal profiles of people? Who knows what they'll do with it? Sell it, use it to adjust their marketing tactics, submit it to CIA?

This has also been a concern of mine. If you use Yahoo, Yahoo now has a track of all the sites you went to (and signed with your OpenID).

I'm wondering if this issue has been addressed more thoroughly. I think we here are the best people to have this discussion, because we're unbiased developers who don't get paid by OpenID or any provider (Yahoo, Google, etc.). What do you think about this?

sameold

3 Answers

4

I am the author of that answer that raised your concern.

Let me first try to put you at ease: you can use OpenID and ignore the issue. It will certainly work, and you are perhaps not important enough to be a target of some secret plot.

This aside, there is a genuine issue with this type of data collection. But it's not just about OpenID. There are more examples you encounter in your everyday life:

  • OpenID (the point of this question)
  • Gravatars (basically like tracking images)
  • Facebook, Twitter and other social media buttons "graciously" offered to implant into the sites worldwide
  • Files you distribute over a CDN (Content Delivery Network), like the jQuery library located on Google or Microsoft servers, to profit from their caching in the users' browsers. That concern was even raised in the Pro ASP.NET MVC 2 Framework book by Steven Sanderson.
  • Google Analytics. There were even talks in Germany at the government level to ban it in the country or even EU-wide.
  • Tracking cookies, the focus of a recent EU initiative to force sites to explicitly ask for a permission to store non-essential cookies
  • Google's Chrome browser and Android OS which track WLANs in the neighborhood and regularly submit the data (MAC addresses etc.) to Google

The point with many "free" services is that they do not generate any explicit income but only result in serious expenditures (traffic). Gathering data is basically the only means to monetize them. And offering them for free is a great way to get users into the mousetrap.

The fact that it is not my paranoia is effectively confirmed by those issues beginning to get addressed at the government level worldwide.

I've only suggested that you stay aware of those trends and avoid getting involved wherever possible.

  • Wow, this convinces me it's more serious than we're willing to talk about. But to answer your question, this isn't the only thing about OpenID. I do have other concerns with OpenID related to it being prone to phishing. Someone could get the OpenID login information by directing the user to a form that just looks like the original form. If the user's account has been phished, I as another third party site am at risk. The password was stolen from the user, and the attacker could use the phished login to get the user's data on my site as well as any other site the user is on. – sameold Jun 06 '11 at 18:23
4

Not a direct solution, but I use OpenID delegation (from a hostname I control) because it means I can easily switch OpenID providers and don't need to go through the hassle of setting up my own with SSL and everything.

Since all sites know me as http://openid.mydomain/mylogon, I am able to seamlessly switch providers if a particular provider starts doing evil.

Darien
  • Wasn't aware of delegation. This isn't the same as being an OpenID "Provider" yourself on your domain, or is it? – sameold Jun 06 '11 at 18:27
  • @sameold Delegation isn't the same as being a provider. Being a provider requires you run a server that handles OpenID requests. With delegation, you just [edit the header of a page at a URL you own](https://www.myopenid.com/help#own_domain) and use that URL as your OID. This is cool because you don't have to run your own server, but if the provider you use isn't doing what you want, you can change providers without editing every account you ever used OpenID for -- they still use the same URI to identify you, it just points them at a different provider. – HedgeMage Jun 06 '11 at 19:32
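The delegation described in this answer, as an added example that is not part of the original posts: a small audit of the page served at your identifier URL, reporting which provider host will see your logins and whether the delegation links are well formed. It assumes the `rel` names from OpenID 1.1/2.0 HTML-based discovery; the `provider-a.example` and `provider-b.example` hosts and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel tokens used by OpenID 1.1 and 2.0 HTML-based discovery
RELS = {"openid.server": "endpoint", "openid2.provider": "endpoint",
        "openid.delegate": "local_id", "openid2.local_id": "local_id"}

class HeadLinks(HTMLParser):
    """Collect OpenID <link> elements; only those inside <head> count."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {"endpoint": set(), "local_id": set()}
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            for rel in (attr.get("rel") or "").lower().split():
                if rel in RELS and attr.get("href"):
                    self.links[RELS[rel]].add(attr["href"].strip())
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_delegation(html):
    """Return (provider_host, local_id, problems) for a delegation page."""
    parser = HeadLinks()
    parser.feed(html)
    problems = []
    for kind, values in parser.links.items():
        if len(values) != 1:
            problems.append(f"expected exactly one {kind}, found {len(values)}")
    endpoint = min(parser.links["endpoint"], default=None)
    if endpoint and urlparse(endpoint).scheme != "https":
        problems.append("provider endpoint is not HTTPS")
    host = urlparse(endpoint).hostname if endpoint else None
    return host, min(parser.links["local_id"], default=None), problems

# Constructed pages served at the identifier URL, before and after a switch.
PAGE_A = ('<html><head><link rel="openid.server" href="https://provider-a.example/op">'
          '<link rel="openid2.provider" href="https://provider-a.example/op">'
          '<link rel="openid.delegate" href="https://me.provider-a.example/">'
          '</head><body></body></html>')
PAGE_B = PAGE_A.replace("provider-a", "provider-b")
# Misconfigured: plain-HTTP endpoint, and the delegate link sits in <body>.
PAGE_BAD = ('<html><head><link rel="openid.server" href="http://provider-b.example/op">'
            '</head><body><link rel="openid.delegate" href="https://me.provider-b.example/">'
            '</body></html>')
```

Running `audit_delegation` on the page before and after a switch shows that only the provider host changes; the URL that relying sites know you by is the page's own address and is untouched.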
2

That would depend on the individual provider of OpenID so of course it's difficult to answer it for all cases. The more likely risk of data espionage can be learned by studying actual cases of data security breaches, and it more often comes down to failures of security practices and social engineering attacks than evil behavior on the part of the providers themselves.

Turnkey
  • @Turnkey, I don't mean that the OpenID provider (Google, Yahoo) gets attacked and compromised. I mean the OpenID provider is collecting information on your usage on the web, because _you_ are telling them all that information. – sameold Jun 06 '11 at 17:53
  • Understand, the only way to tell of likely issues would be reading TOS and privacy policy. Beyond that it will come down to trust. If TOS are violated by then you would have recourse to sue. I was just saying the more likely risk would come from the data being compromised, but of course is also worth worrying about the other as well. As a developer it would be good to get as much information as you can before trusting your customers to them. – Turnkey Jun 06 '11 at 17:59