Someone, most likely Congressman Anthony Weiner, sent out a picture of a man’s genitalia to the wide world of Twitter. It has resulted in an explosion of coverage in the US media in the past few days. Congressman Weiner’s response to the picture was odd; in particular, he said “the photograph does not look familiar to me…But before I say anything I want to make sure that nothing was manipulated about it, that it wasn’t taken – that something wasn’t dropped into my account or taken out.” That immediately led political satirist Stephen Colbert to take to Twitter with a series of messages entitled “I cannot say with certitude that this is not part of my body” along with a link to a ridiculous image.
But Congressman Weiner’s protests might not be so easy to dismiss. Ars Technica did some digging and found out that yFrog, a common service used to send pictures through Twitter (and on which the offending picture appeared), is completely unsecured. Or rather, yFrog’s security measure was obscurity. And as the old saying among IT goes: “Security through obscurity is no security at all.” The yFrog service used open email accounts to which anyone could send photos, and they would appear on Twitter as though the Twitter account linked to the yFrog account had sent them. Specifically,
The yFrog e-mail addresses given to users aren’t public, but they also aren’t hard to crack with some patience and some brute force. As noted by the Daily Dot, the format includes the user’s Twitter name, a period, and a random word between five and six characters @yfrog.com (for example, mine might be something firstname.lastname@example.org). And because yFrog apparently accepts submissions to those secret e-mail addresses from any account, any prankster who has guessed the random dictionary word could send a photo to Weiner’s account as if it were from Weiner himself.
Many services that offer users a way to send in submissions to a unique e-mail address require the user to register the specific addresses that he or she will be sending from in order to avoid this kind of mixup—Tripit, for example, won’t accept e-mail submissions from you unless you send from one of the e-mail addresses that you have associated with your account. But yFrog apparently does not do this, and neither does the Yahoo-owned Flickr—probably one of the most well-known among online image sharing services. (I confirmed this by sending an e-mail to my Flickr account’s secret e-mail address from an unknown account and it went right through, no questions asked.) And since I have my Flickr account automatically tweet photos to my Twitter account, well, let’s just say that I hope nobody pulls a Weiner on me anytime soon. Sorry in advance, mom.
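The two acceptance policies contrasted in the quoted report, as an added example that is not part of the original post or of the Ars Technica article: an inbound-mail handler that trusts the secret address alone, beside one that also requires a registered sender. The account record, the `upload.example` domain, the function names and the reliance on a trusted `Authentication-Results` header are assumptions for illustration, not yFrog's, Flickr's or Tripit's actual implementation.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

UPLOAD_DOMAIN = "upload.example"  # placeholder for the service's mail domain
# Constructed account record; field names are hypothetical.
ACCOUNTS = {"exampleuser": {"upload_word": "maple",
                            "registered_senders": {"owner@example.net"}}}

def _match_account(msg):
    """Return the account whose secret upload address the message targets."""
    local, _, domain = parseaddr(msg.get("To", ""))[1].lower().partition("@")
    name, _, word = local.partition(".")
    acct = ACCOUNTS.get(name)
    if acct and domain == UPLOAD_DOMAIN and hmac.compare_digest(
            word.encode(), acct["upload_word"].encode()):
        return acct
    return None

def accept_obscurity_only(raw):
    """Policy the report describes: knowing the address is sufficient."""
    return _match_account(message_from_string(raw)) is not None

def accept_registered_sender(raw):
    """Stricter policy: address matches AND the sender is registered."""
    msg = message_from_string(raw)
    acct = _match_account(msg)
    if acct is None:
        return False
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in acct["registered_senders"]:
        return False
    # A From: header is easy to forge, so also require a DMARC pass.
    # Assumption: our own MTA strips inbound copies of this header and
    # writes its own verdict, so the value here can be trusted.
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()

def _mail(sender, dmarc):
    """Build a constructed sample message (not real traffic)."""
    return (f"From: {sender}\nTo: exampleuser.maple@{UPLOAD_DOMAIN}\n"
            f"Authentication-Results: mx.{UPLOAD_DOMAIN}; dmarc={dmarc}\n"
            "Subject: photo\n\n(attachment omitted)\n")

STRANGER = _mail("someone@elsewhere.example", "pass")  # unregistered sender
FORGED = _mail("owner@example.net", "fail")            # spoofed From: header
OWNER = _mail("owner@example.net", "pass")             # legitimate upload

if __name__ == "__main__":
    for label, raw in (("stranger", STRANGER), ("forged", FORGED), ("owner", OWNER)):
        print(label, accept_obscurity_only(raw), accept_registered_sender(raw))
```

Under the first policy all three constructed messages are posted; under the second only the owner's authenticated message is.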
So does this absolve the Congressman from any wrongdoing? No, but it should serve as a reminder to everyone out there who uses online services. Despite how comfortable or familiar you are with using a service, it is difficult to guarantee that it is secure and private from prying eyes. Even secure services like email get hacked if your password is not up to snuff. If the tale ended there, with the Congressman’s reputation tarnished, that would be one thing. He is a public figure and took the position knowing he was going to be held up to public criticism.
But on the flip side of the debacle is the young woman who received the picture, Gennette Cordova. By receiving the offending picture she also has received unbridled media attention. Pictures, comments and the like from her online accounts, some stretching back years, have come under intense scrutiny from the press, the curious, and the malevolent. From a letter she penned to the New York Daily News:
The last 36 hours have been the most confusing, anxiety-ridden hours of my life. I’ve watched in sheer disbelief as my name, age, location, links to any social networking site I’ve ever used, my old phone numbers and pictures have been passed along from stranger to stranger.
My friends have received phone calls from people claiming to be old friends of mine, attempting to obtain my contact information. My siblings have received tweets that are similar in nature. I began taking steps, though not quickly enough, to remove as much personal information from the Internet as possible.
All of this is so outlandish that I don’t know whether to be pissed off or amused, quite frankly. This is the reality of sharing information online in the 21st century. Things that I never imagined people would care about are now being plastered all over blog sites, including pictures of me from when I was 17 and tweets that have been taken completely out of context.
Information which we share about ourselves online should never be considered private. Always make the assumption that anything that makes its way to the Net could someday be found. It doesn’t matter if it was in a confidential email to a friend; a locked down social media profile; or a private online storage account – with enough time and energy it can be found.
Know it and live by it. Make sure your clients know it too.