RE: Web 2.0 security end-user survey - please input questions

Hi all,

I never posted here so a few words about me.
I am an R&D engineer with Orange (the European Telco); I usually work in the field of security and privacy.

Here are several questions that bother me about social networks and the associated loss of privacy.

For example, a recruiter could Google the Web to better understand the life of a job candidate, which could uncover some undesirable things such as forgotten photos from student parties or strange connections, for example being interested in UFOs or having connections with human rights organisations. Sometimes it could also create mistakes or quid pro quo, for example by showing unpleasant things done by a person with the same name.

What would be interesting would be to have a "controllable and erasable past" at will. I think an "erasable past" feature could be created on the current Internet without much work. An obvious way to do it is to store the photos and personal interests in special places that could be referenced from the social sites and removed at will. Another way, involving the social web site itself, is to have a hierarchy of layers on this web site giving the minimum info to the casual web user and more and more info to special users. There are even more sophisticated but easy to achieve schemes to forbid Google or whatever from caching the info.
So there is no technical challenge in this "erasable past" thing.

I see the following challenges for the "controllable and erasable past".
- Controlling the dissemination of private information by others is a challenge; for example, it could be done by discovering private information. This is not an easy task: What is private information? How to have low false positive or negative alerts?
- Having a way to prove that some information is or is not about me. I don't believe in cryptography to bring a socially acceptable solution here.
- Managing this private information in a way that is easy to understand and use by the casual user and also socially acceptable is another difficult challenge.

Best regards,

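A sketch of the two mechanisms described in the message above (personal content kept in a user-controlled store that the social site only references, so it can be revoked at will, plus visibility tiers and crawler no-archive headers), as an added Python example that is not part of the original message. The class and function names, the three-tier viewer model and the sample items are assumptions made here for illustration.

```python
"""
"Erasable past" profile store: added illustration, not code from the original
message. Names, the tier model and the sample data are all assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Visibility tiers, least to most privileged (assumed model).
TIERS = {"public": 0, "contact": 1, "close_friend": 2}


@dataclass
class Item:
    ref_id: str            # opaque reference the social site stores instead of the data
    payload: str           # e.g. a photo URL or a personal interest (constructed sample)
    tier: str              # minimum viewer tier allowed to see this item
    revoked: bool = False  # once True, every reference resolves to nothing


class PersonalStore:
    """The user's own data lives here; the social site keeps only ref_ids."""

    def __init__(self) -> None:
        self._items: Dict[str, Item] = {}

    def add(self, ref_id: str, payload: str, tier: str) -> str:
        if tier not in TIERS:
            raise ValueError(f"unknown tier: {tier}")
        self._items[ref_id] = Item(ref_id, payload, tier)
        return ref_id

    def revoke(self, ref_id: str) -> None:
        # Erasing the past: the social site's references stay, but resolve to None.
        item = self._items.get(ref_id)
        if item is not None:
            item.revoked = True

    def resolve(self, ref_id: str, viewer_tier: str) -> Optional[str]:
        item = self._items.get(ref_id)
        if item is None or item.revoked:
            return None
        if TIERS[viewer_tier] < TIERS[item.tier]:
            return None  # viewer is below the minimum tier for this item
        return item.payload


def render_profile(store: PersonalStore, ref_ids: List[str], viewer_tier: str) -> List[str]:
    """What the social site shows: only the references that resolve for this viewer."""
    visible = []
    for ref_id in ref_ids:
        payload = store.resolve(ref_id, viewer_tier)
        if payload is not None:
            visible.append(payload)
    return visible


def response_headers() -> Dict[str, str]:
    """Headers to send with a rendered profile page. X-Robots-Tag is a real HTTP
    header honoured by major crawlers; 'noindex, noarchive' asks them not to index
    or keep a cached copy, and Cache-Control keeps shared caches from storing it."""
    return {
        "Cache-Control": "private, no-store",
        "X-Robots-Tag": "noindex, noarchive",
    }


if __name__ == "__main__":
    store = PersonalStore()
    store.add("r1", "party-photo.jpg", "close_friend")   # constructed sample
    store.add("r2", "interest: astronomy", "public")     # constructed sample
    print(render_profile(store, ["r1", "r2"], "public"))
    print(render_profile(store, ["r1", "r2"], "close_friend"))
    store.revoke("r1")
    print(render_profile(store, ["r1", "r2"], "close_friend"))
    print(response_headers())
```

The point of the split is that the social site never holds the sensitive payload, only a reference; revoking the item in the personal store is enough to make every copy of the profile page stop showing it, whatever tier the viewer has.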

-----Original Message-----
From: [] On behalf of Giles Hogben
Sent: Wednesday 13 August 2008 13:22
To:
Subject: Web 2.0 security end-user survey - please input questions

Dear All,
ENISA (European Network and Information Security Agency) has commissioned a survey to be conducted by research company YouGov on Web 2.0 security and privacy issues. The aim is to collect data on the attitudes and experiences of end-users with regard to security and privacy in Web 2.0 scenarios. This will be input to a paper we will issue in November on Web 2.0 security and privacy aimed at political decision-makers.

We are currently soliciting suggestions for questions. Pling members will doubtless have many useful suggestions. If your organisation would like to propose some questions in this area, please send me ( ) your suggestions by Monday 18th August.

Here are some examples of proposed questions so far:

* I have problems figuring out whether a source is trustworthy
* I give away my email account details to invite friends to a social application
* I have had problems resolving a dispute arising from a Web 2.0 application.
* It is easy to verify a person's age reliably
* I can control the use of my personal information in social networks. (Perhaps "I have been surprised by use of personal information in social networks")
* Have you ever refused to enter data on a website because the website appears untrustworthy? Because of privacy concerns?
* Would you use an online banking aggregation service?
* Service providers should censor content to protect minors.
* Which of the following are Web 2.0 features (end-user content, SOA, rich user-interfaces ....)

FYI our working definition of Web 2.0 is:

* Rich browser-based applications including Asynchronous Javascript XML (AJAX) and flash applications.
* End-user-generated web content: content generated using a browser-based application rather than being uploaded directly to a web-server. Such content is often subject to radically different or less well-defined security and regulatory regimes from content generated and controlled directly by the service-provider.
* Client-side code, community-based widgets, user-defined code, community-based software, Ajax, IFrames, etc...
* Co-operative dynamic services deriving content and functionality from multiple sources, jurisdictions and Legal Entities. Examples are so-called mash-ups and dynamically composed web-services and content syndication. E.g. Opensocial, Google Mashups etc...


Giles Hogben

Network Security Policy Expert
European Network & Information Security Agency (ENISA)
Tel: +30 2810 391892
Fax: +30 2810 39000

Received on Wednesday, 13 August 2008 12:43:44 UTC