Graham Cluley’s recent article about stealth-mode social networking newbies Connect.me has stirred up a lot of controversy.
The Connect.me site has exactly two pages – at least, it does if you don’t sign up. The main page simply invites you to Reserve your username and get early access; this page takes you to a second page which simply says Login with [Facebook] [Twitter] [LinkedIn]. That’s how you login, even if you’re an existing user.
Oh. There’s a link on the main page which opens up a half-screen of About text. The important part of this is: “We believe privacy, control, and portability are requirements, not features.” The highlighted words look as though they’re links to further information, but they’re not.
Graham’s article provoked numerous comments agreeing with us – some said that a site which asks you to sign up with no indication of (indeed, which deliberately suppresses) its proposed business is Just Plain Wrong. But others roundly said that we were unfair, and ought to have given these newcomers time to show us what they were all about before expressing an opinion.
Well, we've finally had a response from someone called Drummond Reed, claiming to be from Connect.me.
I'm going to continue the controversy on Graham's behalf, by quoting and responding to Mr Reed.
Then I'll ask you, our Naked Security readers, to vote on the issue.
Here we go.
Hi Graham, this is Drummond Reed from Connect.Me. Great post! We couldn't agree more about the need to address privacy concerns around social sign-in.
Hi, Drummond.
If you agree, why don’t you make a point of showing that you agree, and that you care, on your site itself? (Your site now has a privacy policy – and not much else about what it’s up to – but you added it only after the controversy broke.)
Your post seems to have helped fuel the sign-up rate at Connect.Me today.
That’s nice for you. Ironic, of course, but nice for you. In return, could we ask you to return the favour by saying something meaningful on your site about what you plan to do with the information you collect?
What will you store? Where will you store it? How do you intend to use it in future? Most importantly, how do I contact you to withdraw my permission to keep it? And how long will you take to delete it?
It will be great fodder for conversation at SXSW this weekend.
Have a good time, Drummond. (I’m sincere with that wish.) But talk is cheap. And SXSW isn’t about security, privacy and on-line identity, is it? It’s about musical and filmic content – creating it and publishing it.
How about coming to a security conference as well, and throwing yourself into the conversations you get at that sort of event? If you can make it to Infosec in London, England, in April (or to AusCERT in Queensland, Australia, in May) I’d like to invite you to the Sophos stand.
We’d love to have someone from connect.me take part in a panel discussion on our stand – and we’ll buy the beers.
To put any fears to rest, we're not scammers. We're people from the Internet identity and privacy space working to help make a better, safer social web.
Thanks. That makes me feel better. I think.
But I’ve read words that are equally earnest, and which sound just as sincere, from Advance Fee Fraudsters, from peddlers of fake anti-virus, and from those call centres which say they’re from Microsoft and they’ve phoned especially to help.
The point is that if you really care about privacy, you shouldn’t ask people to enter into any sort of on-line social contract without explaining who you are, what your intentions are, and what mechanisms you have in place – now and for the future – to protect that privacy.
In fact, it’ll almost be worse if you guys really do turn out to be legitimate. Because the tens or hundreds of thousands of users who’ve taken a risk on you and got away with it will be more inclined to take risks again. Next time they do, it probably won’t be Drummond Reed, Nice Guy of the Net.
Please be more open and less marketroidistic! I suspect we agree about the end result. But not about how you have gone about reaching it.
And now, Naked Security readers, what do you think? Please vote in our poll:
Seems like the shortest privacy policy that I've ever read. Almost like someone who didn't have a law degree wrote it. Usually I skim those because of all the "We" and redundancy statements they make. And also because they are like 10 to 20 pages long. They are also usually longer for the social websites because of all of your information they take in. I could have even written what is on their website.
A short privacy policy isn't necessarily bad 🙂 (It may be contraindicated in a world in which the other guy can come at you with a lawyer, but there you go.)
But this is the bit which worries me:
"At this time, we use Social Connectors such as Facebook Connect, Twitter and LinkedIn for two purposes only:
1. To provide a simpler login experience for our users
2. To allow our users to share news, updates or information about themselves or Connect.Me"
So you log in to connect.me with an existing "social connector" – e.g. to Facebook – so that you can, ah, use that "social connector" to do exactly what it's already intended for, viz. "to share news, updates or information about themselves or Connect.Me" (or, indeed, to share news about anything you like).
If that is indeed the ONLY purpose, aside from simplicity, for which they rely on your Facebook, etc. login, then…help me here, guys…
…why not just log in to Facebook, etc. and be done with it?
I don't think boycotting it will really work. Also, I can't see a law prohibiting this capable of existing. People will always be trying to do similar things (whether safe and legitimate or for mal-intentions). It's the layman that needs to be trained to not be so gullible, carefree, and oblivious. They seem to never learn though. I think info security and safe computing will become increasingly popular among these people as time goes on and as we rely more on technology / incorporate it more into our daily lives.
Who owns Connect.me? The privacy policy states that the site is owned by "Respect Network Corporation" based in San Francisco.
Google the Corporation and you get exactly one result – connect.me!
A whois search reveals an address of 321 11th Street, San Francisco, which is a multi-occupation office building, but there's no mention of a website/identity for "Respect Network Corporation".
Is there no requirement in the US for a business to provide accurate contact details on its website?
As for the comment "We're not scammers" – That ranks alongside "this transaction is 100% risk free" as perhaps the biggest indicator that something's amiss. When did Facebook ever advertise "we're honest folks, honestly!"
I'm all for startups creating a buzz about their offering, but not by withholding vital information and undoing the work done by sites such as Naked Security to educate people about protecting their online privacy.
"To put any fears to rest, we're not scammers. We're people from the Internet identity and privacy space working to help make a better, safer social web."
Wow, that's the most vague statement ever. Somewhere, someone is just celebrating their win at buzzword bingo.
I'm not signing up with these folk till I know more, no way …
To a certain point the user that signs up to such a site is responsible for their own actions. Some scam site could post "I'm a SCAM" and people would probably still sign up. It’s like that classic pop-up that asks you to insert your card and bank details to check if you've been a victim of on-line fraud.
On the other hand I am quite curious as to who these guys are and what they're up to, and the only way we're going to find out is to wait and see. It is possible that they aren't the most intelligent bunch and don't realise that they look like a scam.
Anyway, I'd be up for signing up and reserving my name using a fake account so they don't have any personal details. All the fun with none of the risk.
For what it's worth, Drummond has been heavily involved in identity and privacy projects for quite a while. His work on XDI/XRI, i-Names, i-Numbers and link contracts is one example of a group finally getting most of it right.
All that stuff was structured for YOU to own and control all your data, manage it in one place and share it via revocable link contracts with others instead of having to enter and update it in hundreds of different places. I've built some of their principles into some of my own tools and platforms.
I don't know much about connect.me, but personally, I have enough trust in Drummond not to have concerns. I signed up for i-Names and have been pretty happy about that, but I haven't even signed up on connect.me yet, so I really have no idea why thousands of people who don't know Drummond would be storming the field to give away their social contact information.
I thought they were only inviting friends, setting up viral twitter posts may have been premature.
Your words of caution are quite sensible.
-art
After you have your friends and family all in one place it's going to be easier for these scammers and the government to find and identify you. The scam is probably just getting a real census of the people in the world before the government makes the decision as to population control, and how they're gonna get rid of everybody. Scary, but I read something last year about what's to come in the future, with the government and technology, and it was scary and I wish I'd never put anything on the internet.
Did anyone see the episode of BBC drama Hustle recently about the nasty football agent? SPOILER ALERT for those who have not yet watched it off their generic personal video recorder… but…
The twist at the end was that Ash (Robert Glenister's character) had a bump on the head which made him unable to tell a lie. Ridiculously convoluted plot twist aside, the con still succeeded, despite him saying to the "mark": "Don't give us your money, you'll never see it again, it's a con". The mark was so greedy and gullible he assumed this was a huge joke and transferred half a million smackers right there and then.
So yes, greed, ignorance, desire to get ahead of your peers, vanity…. will all make people take stupid risks even against the strongest good advice. Human nature is a wonderful, bizarre and deeply flawed thing!
Here's what Drummond Reed has to say about the connect.me launch on his blog: http://www.equalsdrummond.name/?p=418
I know and trust Drummond, so I plan to track connect.me. But I'm not willing to sign up for it yet. I find it very ironic that he would execute this type of stealth launch, demanding my twitter credentials to reserve a connect.me name. Perhaps he's gathering data about people's disregard for privacy protection.
I highly doubt that those behind connect.me are running some case study to show how people are careless with their data. I also doubt that, if they WERE doing this, it would stop people from continuing to be so careless.
I agree that it is unlikely to be a case study of this kind, but that doesn't stop me wishing it were.
They could then automatically port all the accounts onto a sister site (with a name such as "scam.me"?) as a kind of one-stop shop for those who make their living from happy clickers – it would be deserved, educational, funny & practical.
#7 on the ToS certainly grants them the rights to at least make a 'gullible gallery' of mug shots 🙂
It's cool baby, I'm from the internet.
SXSW Interactive has been running since at least 2006, and does deal with privacy/security/identity issues at least peripherally. Twitter premiered there in 2007, and it’s a conference a lot of services like to use as a launchpad from stealth-mode.
Stupidest thing they've done is presume we care about stealth mode and launch at SXSW.
If anything, this has been a simple failure in disclosure of business practices and the underlying business model. Being in stealth mode is no excuse for lack of transparency, however.
Seems that Connect.me is looking to bridge the divide between consumers and restrictive legislation around privacy. Instead of the typical black v white posturing between legislators and consumer advocacy groups, Connect.me is creating a grey space where consumers can gain greater explicit control over how, when and why marketers interact with them across devices and experiences.
Consumers gain the ability to turn the tap on and off on their own terms. They gain the advantage of (hopefully) higher value (read relevant) communications.
Marketers gain access to a high-value, highly segmented audience that are self-qualified through explicit opt-in.
I don't know about you – but would you prefer politicians develop *your* personal privacy policy, or would you want to manage it yourself? Understandably, this is a big leap of faith to entrust your data to a private sector enterprise; but the benefits could outweigh the risks.