Now days, when you get a job in an industry that pays half decent wages, they typically require you to setup an account with some web services. Maybe it's Dropbox. Perhaps it is Google. One is probably a project or schedule management tool. There are also plenty of job specific services you might need. For software development, you will probably need an account with Github or some other software subversion repository. Just to get a decent job, you typically need at least a Facebook account and a LinkedIn account. If you change jobs, your new job will probably use a slightly different set of services, requiring you to setup several more accounts. During your lifetime, you may go through 5 or 6 jobs (and that number seems to be increasing). If each job requires you to sign up for 3 different web services, you will have 15 to 18 of them by you retire. You will probably forget about at least half of them. Most of the other half will be useless to a retiree
If you decide to get a college degree, you will also see this problem. Your English teacher will probably expect you to sign up for an account with an anti-plagiarism service. Your math teacher might encourage you to sign up for a free tutoring service, and advanced math teachers will want you to get an account with some company so you can get the student edition of their math software for cheap or free (and then you will be stuck only knowing how to use an extremely expensive piece of proprietary software; that's another discussion). Many teachers like file repository software like Dropbox, but every teacher likes something different, so expect to be required to sign up for 2 to 4 of these services (or more, depending on the major). There are also major specific services you may need. For Computer Science, you will probably be expected to get a Github account and maybe an Amazon Web Services account. For any kind of art related major, you can expect to sign up for an account with at least one website that serves as an art repository and gallery, like Deviant Art or Flickr. You may also be expected to get an account with some popular art forum (though, again, different teachers will prefer different options). In Electric Engineering, you will probably be expected to sign up for an account with at least one company that produces complex components like micro-controllers, for access to programming libraries, tutorials, and datasheets. In Physical Education or any other health related discipline, you will probably need accounts for various medical sites, maybe a few forums, and possibly some nutritional data repositories. Communications majors will likely be required to sign up for at least 20 accounts, including social media services, web forums, and even advertising services. Depending on your major, you could end up with 5 or 10 more accounts. Now, admittedly, some of them will be necessary for your jobs when you graduate, but again, while there is some overlap, it is very common for different employers to use different services. As before, probably at least half of them will be useless once you graduate.
Now, this might seem like a trivial and benign problem. Unfortunately, it is not. There are many problems this causes. The least harmful is the extra space taken up by unused accounts. Every account for a web service uses some amount of storage space. There are already a huge number of unused accounts spread over the internet, wasting a lot of space. This is fairly easily mitigated though. Service providers can delete accounts that have been inactive for a certain period of time. If they want to keep the accounts open, just in case, they can buy more storage space, and when the cost is spread out among a large number of services, it can seem pretty small. This is a problem, but it is not a critical one.
A worse problem is privacy. If you have 20 accounts with different web services, you have probably already forgotten about half of them, unless you use them all very regularly. All of those accounts hold some amount of your private information. I'll discuss the security related things later, but for now, let us look at information that could be misused, but which is not a critical security risk. The first, and most obvious one is credit card information. Skirting around the subject of security (you did willingly give this information to these services), credit card data can be used in many ways. It could be used to run credit checks. It could be used to track you and your purchasing behavior. Some of this is easy, some is more difficult, but a lot of this is possible and legal if you willingly gave the company your information. Your physical address, phone numbers, and email address are all private information that could be misused without breaking the law, if you provided them willingly. Some of these services might suddenly decide to start sending you ads a few years down the road, when their business is struggling. You might get junk mail and telemarketing calls as well. If one of these services is bought out, the buyer might decide to sell your personal information (not necessarily legal, if the original company agreed not to, but it happens anyway). This is not necessarily a critical problem, but it could definitely cause a lot of inconvenience.
The worst problem is security. We have discussed legitimate abuse of private information and some illegitimate abuse that is only indirectly related to security. Security itself is not just about abuse by the service provider though. The more accounts you have, the higher the odds are that at least one provider has poor security. In fact, a majority of web services use security that is well below the accepted security standards for web. Even something as simple as how your password is stored on their server can make a huge difference. It is a well known fact that a vast majority of people use the same password or small set of passwords for all of their accounts. If a hacker can get your password from the most trivial site, he can probably use it to hack into all of your other accounts. If you have 10 or 20 different accounts, the odds that one of them has fairly weak security is very high. All it takes is one. The more accounts you have, the worse your odds are for getting hacked on all of your accounts. This can give an attacker access to all of the private information you have on all of your accounts. And, hackers do not have business ethics, high legal liability, and high profiles like the service providers do, so they are far less likely to avoid abuses of your data. In fact, this is one of the most common techniques used by identity thieves to get your private information. They don't have to hack into your bank. They just have to hack into that Sony account to get your password, which they can then use to log into your bank account with ease, regardless of your bank's security.
There are ways to mitigate all of these. The first is up to the service providers, and it only affects end users by increasing the prices of paid services. The second can be mitigated by researching service providers before signing up for accounts (though, your employer or professor may still insist) and by asking for service providers to cancel your accounts and delete your information when you are done using them. There is no law stating that they have to comply (this may be in the works though), and in some cases, the law may even require them to retain records, but many providers will comply when they can legally do so. The third can be mitigated by always using different usernames and passwords for every account. Good luck with this though. Password managers can help, but they just shift the point of weakness. Remembering 20 passwords is extremely difficult, so you may be tempted to write them all down, but that is often worse than a password manager. Using one really good password can also help a little, but if someone hacks the service provider's database, it will not matter how good your password is. The only fool proof solution is to have 20 highly secure and totally different passwords, and then to memorize them all. Like I said, good luck.
This is actually a pretty big problem. A lot of people in positions of authority think it is appropriate to impose security risks on other people, without any accountability. If an employer or professor requires you to use an insecure service, there is no responsibility for harm caused if your information is misused. If you do your research and find that a certain service is a high risk, typically your only option will be to quit your job or drop the class. If the class is required for your major, you might have to switch majors to avoid the security risk. If you are lucky, you might find sympathy, but often people are so set in their ways that they will risk the safety of everyone else to avoid change. This is a very serious problem, and anyone involved in perpetuating it should seriously consider the consequences.
I understand that many times, the use of web services is valuable and even necessary. This does not justify putting others at risk though. Those choosing what services to use, and those approving such decisions, have a moral responsibility to make sure that those services meet accepted security standards. Those being required to use such services should also make sure they meet accepted standards, and when they do not, those people should band together in protest. Frankly, I think colleges should regulate what services professors are allowed to make mandatory. If a professor needs a file repository service, the school should provide an option that it has verified as compliant with accepted security standards. The school does not need to run the service (in fact, in my experience colleges are often poor at running such services internally). It just needs to have a standard in place. If a professor chooses to use a service that is outside of school policy, there should a policy specifically exempting students from being required to use that service as a condition of their grade (and the professor should be required to notify students of this policy wherever such a service is used). In other words, use of such a service should be optional, and students should not be expected to have any knowledge or understanding of course material that is offered only through unapproved services (note that this article is about services that require accounts, not free services that do not require accounts). (Obviously, colleges doing this should also have an approval procedure to add services to the list.) Businesses would do well to also adopt policies requiring security assessments of any service that is required as part of the job, and no service which has not passed such an assessment should be allowed to be used as a mandatory part of the work. In short, people in positions of authority over others should have some sort of regulations set in place to avoid putting their subordinates at risk. Sometimes such regulations will fail (even following accepted security standards does not make a site immune to hacking, just much more resistant), but this is not an excuse to avoid them altogether. No one should be allowed to put someone else at undue risk as a condition of their education or employment without any accountability.
No comments:
Post a Comment