Sometimes the most basic principles of security are overlooked by the designers of applications. For example, I get a convenient e-mail every month like the following:
This is a reminder, sent out once a month, about your mailman.rice.edu mailing list memberships. It includes your subscription info and how to use it to change it or unsubscribe from a list.
...
Passwords for xxx@yyy.edu:

List                       Password // URL
----                       --------
listname@mailman.xxx.edu   THE COMPLETE PASSWORD IN THE CLEAR
That’s right! Not only does it store my password, it conveniently e-mails it to me, in the clear, over an unencrypted connection, every month, just in case I’ve forgotten it. Now, this server is run by the information technology department of a fair-sized, relatively tech-savvy university, one that ought to know something about information security. Admittedly, it is only the password to a mailing list, so it is not protecting any tremendously confidential data; but it does protect data that someone thought was important enough to protect with a password…
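What the list server could do instead, as an added example that is not part of the original post or of any real mailing-list software: store only a salted, stretched hash of the password, and have the monthly reminder carry a short-lived, single-use reset token rather than the secret itself. The class and function names and the https://lists.example URL are assumptions made for the illustration.

```python
import hashlib, hmac, os, secrets, time

ITERATIONS = 200_000  # PBKDF2 work factor

class SubscriberStore:
    """Keeps salted password hashes and one-time reminder tokens; never the plaintext password."""
    def __init__(self):
        self._creds = {}   # email -> (salt, pbkdf2 digest)
        self._tokens = {}  # sha256(token) -> (email, expiry timestamp)

    def set_password(self, email, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._creds[email] = (salt, digest)

    def verify(self, email, password):
        if email not in self._creds:
            return False
        salt, digest = self._creds[email]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def issue_reminder_token(self, email, ttl=3600, now=None):
        # Only the hash of the token is stored, so a leaked table cannot be replayed
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._tokens[hashlib.sha256(token.encode()).digest()] = (email, now + ttl)
        return token

    def redeem_reminder_token(self, token, new_password, now=None):
        entry = self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if entry is None:
            return False
        email, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            return False
        self.set_password(email, new_password)
        return True

def monthly_reminder_body(store, email):
    """The monthly e-mail carries a reset link; the stored secret is never recoverable from it."""
    token = store.issue_reminder_token(email)
    return f"To change or recover your list password, visit https://lists.example/reset?token={token}"
```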
There seem to be a few lessons that can be learned from this behavior. Most fundamentally, there is a need for a “hermeneutic of suspicion” when it comes to data security. The fact that a server is run by a reputable agency does not mean that it should be assumed to operate safely. If I had given the same password to the mail list server that I used for other sites, I would potentially have had those accounts compromised by the unintelligent behavior of the mail list server. By isolating separate providers, and trusting each of them with the minimum amount of data necessary, I am able to limit the amount of damage that I can receive if any given account is compromised.
Still, this doesn’t change the fact that I do interact with various on-line services, and do exchange sensitive information with them. Since, as an individual, I can’t survey the security infrastructure of each service, I am taking a calculated risk each time I share information with them. In this way, there can be no assumption of absolute data security, only a question of probabilities. What are the odds that my bank compromises my account data, that GMail fails to protect my e-mails, that Facebook shares my private pictures with the world? Obviously, the odds are non-zero. However, I do choose to share personal information with those services, and many others. In doing so, I am accepting a certain risk that they will fail to be good stewards of that information.
Thus, while there is an implicit agreement between myself and any web service that I use, to the effect that the service will protect my information from unauthorized third parties, there is also an implicit calculation that I must make: am I willing to take the risk that the service will fail to live up to our agreement? If I am willing to take that risk, I share the information. If I am not, then I must withhold it.