Vista Feed API Raises Privacy Concerns

Microsoft is promoting a new “Unified Feed Parsing API” for Windows Vista (formerly Longhorn) that helps developers integrate syndicated feeds (RSS 0.9x, RSS 1.0, RSS 2.0, Atom 0.3, and Atom 1.0) into desktop applications. This is, for the most part, a really good thing for the syndicated feed space. Unfortunately, there is a fly in the ointment…

Redmond recently published a list called “10 things you can do to make your application shine when it runs on Windows Vista.” Number 8 on the list is “Bring data to the user with RSS.”

One of the API features, called “Shared Feeds” is of particular interest. When a user subscribes to a feed in one application, it will become available to all other applications using the API.

After the 2.3 seconds of “that’s cool” wears off, this opens up some significant privacy concerns. Sharing feed subscription information with any application on your desktop is akin to sharing browser history and, to a lesser degree, your email address book.

Much of the appeal in RSS/Atom comes from user anonymity… we don’t have to give any personal information when we subscribe. Do we really want our subscription lists intentionally exposed to the inevitable spyware which will be cooked up for Vista? I’m sure there are lots of spammers/marketers who would love to know your name and what feeds you subscribe to.

I haven’t seen anything to indicate opt-in/opt-out functionality for Shared Feeds, so I have posed my privacy concerns in the “Questions” section of the wiki for the Vista (Longhorn) RSS team.

Ideally Vista would prompt you — at the point of creating your first subscription — to opt-in to the Shared Feeds functionality, rather than having it enabled by default. I suspect, however, that it will take a large number of people raising these concerns before that comes to fruition.

7 Responses to “Vista Feed API Raises Privacy Concerns”

  1. Kenneth Bowen Says:

    Thanks for pointing this ‘feature’ out. Please keep us up-to-date if you receive a reply to your question on the Vista wiki.

    Boy, what will those kids up in Redmond cook up next? Operating system calls from web based programs perhaps?

  2. Mark Says:

    I believe they call that “ActiveX”.

  3. Anonymous Coward Says:

    I thought operating system calls from web based programs was called Apple Dashboard?

  4. Larry Cannell Says:

    So you are concerned that a program that _you_ are running can share information with another program that _you_ are running on the same computer (not with other programs running on other computers or other programs running under another username on the same computer)?

    How do today’s desktop RSS aggregators prevent that from happening? Spyware should be able to read any file you have access to. How can you restrict a file (or a section of the registry) to only be used by a particular program?

  5. Mark Says:

    Good points, Larry; thanks for the discussion. And as you imply, I agree that restricting files isn’t very practical in a Windows environment. I believe our best bet is using applications that encrypt the data we deem private. You are right: I don’t know of any aggregator that protects its data. Then again, neither does Outlook, which is scary.

    And no, you don’t always have control over what is run on your machine. At home, you probably do. However, there are plenty of corporate environments where applications are installed with Admin rights and run on a desktop without the end user having any say in the matter. I consulted at one company that ran such an application late at night ostensibly to see what users had installed on their machines that day. The app had admin rights to everything on the box; all file access was granted. Basically, it was corporate-level spyware.

    As you say, “Spyware should be able to read any file you have access to.” Agreed, that’s how it usually works. But I disagree that it has to be like that. Read Marcus Ranum’s “Six Dumbest Ideas in Computer Security” for a good elaboration. Specifically, “Default Permit” and “Enumerating Badness” address my heartburn on this issue. An easy step toward “Default Deny” at the file level is simply to encrypt it.

    All that being said, I am encouraged by what Amar Gandhi (on the IE7 team) had to say in an audio interview with Jon Udell. It sounds like the Vista folks are taking steps to be considerably more pessimistic in cross-process security issues. Gandhi specifically talks about a situation where IE is compromised unknowingly and yet is NOT allowed to change information in the RSS Repository without user permission.

    This seems to indicate a departure from the “Default Permit” we are all so used to. My desire would be that the RSS Repository has Default Deny not only on changing data, but also on reading data without my consent. Granted, most people would probably turn it off, but that should be an active choice, not an obscure feature disabled by default.

    Of course, RSS subscription lists are a minor example of the bigger picture: We need easy ways in the OS to restrict read and write on all information we deem private, whether feed choices, or address books, or credit card data.

    Heh… let’s just hope it doesn’t wind up in another version of Microsoft Wallet.

  6. Larry Cannell Says:

    I think there are different levels of “badness” in the “Default Permit” discussion. When I run (or when I am REQUIRED to run) Windows as an administrator, that allows access to everything on the box (which is really high on the badness scale). When I run as a normal user (as one normally would under Unix), then that access is much more limited; only files and processes I own. To me, it’s a stretch to assume that a product released today should be limited to accessing only the files it absolutely needs.

    Encryption? Maybe. But that argument seems to be the white knight of security everyone waves with few details on how it can be actually done. I am not saying it isn’t the answer but it certainly isn’t available today as a general solution.

    In the end, I think headlines like “Vista Feed API Raises Privacy Concerns” are not fair to Microsoft. You could have easily published the same headline regarding any other RSS aggregator or any application for that matter.

  7. Mark Says:

    I must respectfully disagree with the notion that every aggregator presents the same level of concern.

    Spyware that wants your feed list from RSSOwl needs to target RSSOwl files. Spyware that wants your feed list from Pluck needs to target Pluck structures. Bloglines… ok, never mind about Bloglines. But with Vista, the Feed API gives all apps a one-stop shop for all the data they desire. That API raises my concerns about privacy, hence the title. If Vista had a Unified Contact API to expose address book info, I’d have the same concerns.

    The title is sincere, so I believe it to be fair. (If you look back over this year’s articles, you’ll see that I am not out to bash Microsoft nor given to sensationalist titles.)

    In any case, thanks for sparking some follow-on discussion, Larry — I really do appreciate your feedback. I guess we’ll have to agree to disagree on this one. My ultimate goal with this thread was not to declare “Beware of Vista” or anything like that, but rather to get a discussion going about privacy and feed lists, especially when an OS has explicit functionality to expose them to all apps.

    Hopefully the Longhorn RSS folks will respond in some manner to shed further light on this topic. Perhaps the ability to restrict read access to the RSS Repository is already in place.

    I know you have a background in security and identity issues when it comes to IT, likely much more so than I do. You sound sceptical about encryption as a viable solution to privacy… if you like, let’s take this discussion to your venue. Perhaps you could blog on the topic and offer up your ideas: How do application developers (or more broadly, OS developers) tackle the issues of read/write access to private user data on the desktop, especially in Windows? Let me know, and I’ll add a link here.