Life With Alacrity

A blog on social software, collaboration, trust, security, privacy, and internet tools by Christopher Allen.

Insecurity at Orkut

by Christopher Allen

Like many others, I've been paying attention to Orkut in the last couple of weeks. I've answered more requests to be "friends" on Orkut than I have on any of the other half-dozen Social Networking Services I've tried, and I've been looking at other people's friends to see if I know anyone. I've yet to ask someone to join Orkut who wasn't already a member, and I've been careful not to have anyone as a "friend" whom I didn't know reasonably well and who I thought knew me. Currently I have 68 Orkut "friends", many more than I have on LinkedIn, which I've been using for several months and where I have 50 "connections".

In addition to this activity on Orkut, I've been reading a lot of blogs about other people's experiences there. In particular, I've found Danah Boyd's blog Apophenia a great source of thought on social networking services, so I keep it near the top of my RSS aggregator. I'd just read her rant "venting my contempt for Orkut" when I saw a follow-up post, "orkut pissyness round 2", where I read:

Wanna see a big phat privacy hole on Orkut? Go to messages. Click compose. Click "friends and friends of friends." Click next. Copy & paste all of your friends and their friends' email addresses.

I tested this out and discovered she was correct: when I clicked "friends of friends" I got a long web page of names and email addresses. So I sent this to the list I'd generated:

A serious security hole? Yep.

I was just shown 1137 friends' and friends of friends' email addresses, including your email address. As reported by Zephoria:

http://www.zephoria.org/thoughts/archives/2004/01/30/orkut_pissyness_round_2.htm

I got a lot of replies back like "What did you expect?" and "That is why I don't use my main email for Orkut".

I also got a reply from Orkut Buyukkokten via email:

Could you please send an email to your friends and friends of friends to tell them that there is no security hole?

We worked very hard to ensure that the privacy of our members is not compromised in any way. I don't want our members to get the wrong impression.

I would greatly appreciate it if you could pass the following message to your friends (:

You'll only see the e-mail addresses of people who chose to share them with you: if you mark your email address as not to be shared with friends and friends of friends, they won't be able to get your address this way. If you look at the list of people it's addressed to, you'll see that some are listed without addresses (unless you've got very permissive friends).

Somewhat abashed, I checked, and found that since the last time I'd sent an email the interface had changed. Only 356 of my 1137 friends of friends were actually allowing their email to be shown; the rest now showed a "lock" icon next to their name. Of course, the first 100 or so on that list coincidentally allowed their emails to be shown, so I had assumed incorrectly that all had.

So I sent Orkut's reply out to my "friends of friends" and added links to my blog and this comment:

I'm still quite uncomfortable with the privacy issues of Orkut.com at this time. I've had to reveal more information than I'm comfortable with, and the software is too lax in letting me see other people's info, for instance "relationship status" when I've marked myself as not interested in that. Maybe Orkut is just trying to be too much.

I sent an email back to Orkut saying that I'd sent this email, then continued to get a lot of replies to my original email, and I discovered that I was now in Orkut "jail". This meant that I could not send messages, add friends, join groups, etc. No reason was given for why I was in jail. The only reason I'd seen other people put in jail was that they had added too many friends too fast. I had only 50+ friends at the time, so I knew that wasn't the reason. I could only assume the worst.

I'm out of Orkut "jail" this morning, but I still don't have any explanation of why. I continued to get replies, both in support of my concerns:

I tend to agree with you. I've learned more information than I expected about people. Also it's been a little odd to see people I know professionally on orkut, since I first conceptualized it as a social-friends service. (Then again, I've found professors on Friendster, which is much more explicitly social, so perhaps I'd better just accept that these people have lives.)

At the same time, I think that Orkut's attempt to be all things to all people has helped it take off. I feel easier asking professional contacts to join orkut than I would for Friendster. It seems like less of a big deal to add someone to your orkut list rather than on another more focused service, as there is a level of plausible deniability as to intention.

As well as comments like:

I don't want to be too harsh, but if perhaps you, and Danah, and Cory don't want to play then really no one is forcing you to play. But whining about things that you don't like is just, well, unseemly.

I took a break to think about why I responded so negatively when Orkut had the appearance of doing something wrong (first the 'security hole' that was a feature, and second the 'jail'). Then it came to me:

I'm insecure about orkut.

Some of the definitions of 'insecure' are: not firm or firmly fixed; likely to fail or give way; lacking self-confidence or assurance; not safe from attack; lacking in security or safety; not financially safe or secure. The one that fits me best is "lacking self-confidence or assurance". Why do I feel this way about Orkut?

I guess my insecurity started out at the very beginning. As it is in beta, you can't simply join Orkut; you have to be invited. This made the place seem 'exclusive' and thus possibly safer. Yet right off it asks you some fairly personal questions: What is your relationship style? What is your sexual orientation? Who are you living with? What are your politics?

Later I found out, by looking at other people's information, that this is all completely public. It isn't limited to just friends, or friends of friends, but is instead prominent. In fact, other than your name and how many "friends" you have, your relationship style is the most prominent thing listed. Do I really want to know that my business acquaintance, whom I see only at technical conferences two or three times a year, is in an open marriage? Or divorced? Or gay?

I live in the Bay Area and I've seen it all, and consider myself open and try to be consciously non-prejudiced. That's not to say that I'm comfortable when I'm hit on by another man, but for that matter, I'm not that comfortable when I'm hit on by a woman. The point is that I don't think about someone's sexual and personal choices when I interact with them. I don't care if you are gay, into S&M, or any other radical lifestyle. I don't care if you're straight, chaste, and Christian. What I do care about is your relationship to me; if you feel that it is important to your identity to let me know, well, that is between us. But I'm not going to pry. I once had a male employee in my office who wore a dress to work. I still don't know if he is gay or not. It didn't matter to me and he didn't tell me; what mattered was that he was a good employee.

This started my 'insecurity' about Orkut. Later I read that you couldn't delete your pictures or profiles. This worried me. Then I read that the system was down because of an XML hack.

When Orkut came back after the hack, a new feature had been added: fans and ratings. This made me even more uncomfortable. Did I really want to have to decline to say I was a fan of someone who said they were a fan of me? Wasn't endorsing someone a far better signifier than "fan"? What does Trustworthy mean? Cool? I refused to enter anything for Sexy. I worried whether someone could see my ratings, reverse-engineer them socially, or hack them.

Thus these insecurities of mine led me to think the worst and to post too quickly about the "Friends of Friends Security Hole", and I still feel uncomfortable about why I was put in "jail".

So far I've had no abuse from Orkut: only two people I don't know have asked me to be friends, and so far no one has told me they are my fan whom I'm not willing to honestly say I'm a fan of in return. I've even found some old friends I'd lost track of, which is exactly why I still "play" and haven't left Orkut. I do believe there may be something useful in these social network services.

Yet I feel that my old blog entry "Evaluating Social Network Services", which concluded with my take on "The Perfect Social Network Service", is still quite on track:

My ideal service would have the multiple professional affiliation features of LinkedIn, but also allow me to show non-professional affiliations. It would allow me to form intentional communities like Tribes.Net, but would also let me do a Wiki in addition to a message board. It would have meeting/party invite services like eVite, and blogging features like LiveJournal. It would have an endorsement system like LinkedIn integrated not only with professional endorsements, but personal endorsements as well, and you could even endorse intentional communities. It would let me better map and control my network, giving different friends different privileges. It would handle the release of my personal information like Ryze, but less clunky.

I'd add to that list that I'd like more control over my information, in particular relationship information. I'd like to see more "progressive disclosure", with finer granularity over what is revealed to the public, friends of friends, friends, fans, fans I've endorsed, and so on. Finally, I'd really rather not see things that are not applicable to me, such as other people's relationship information when I'm not looking for relationships, or others' professional information if I'm only using Orkut for dating.
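As an added example (written for this page, not code from the original post or from Orkut), the following Python models the progressive-disclosure scheme asked for above: each profile field carries a visibility level chosen by its owner, a viewer's social distance to the owner is computed from the friend graph, and a field is shown only when the distance is within that level. It also rebuilds the compose-screen behaviour described earlier in the post, where an address appears in the "friends and friends of friends" list only if its owner shares it at that distance and otherwise shows as locked. Every user, address, and setting below is constructed for illustration.

```python
# Added example, not Orkut's code: per-field profile visibility by social
# distance, as the post asks for. Every user, address and setting below is
# constructed for illustration.
from collections import deque
from enum import IntEnum


class Visibility(IntEnum):
    """Who may see a field, expressed as the largest allowed hop count."""
    SELF = 0                # owner only
    FRIENDS = 1             # direct friends
    FRIENDS_OF_FRIENDS = 2  # up to two hops away
    EVERYONE = 99           # any viewer, connected or not


# Constructed friend graph; both directions of each friendship are listed.
FRIENDS = {
    "alice": {"bob", "carol"}, "bob": {"alice", "dave"}, "carol": {"alice"},
    "dave": {"bob", "erin"}, "erin": {"dave"}, "frank": set(),
}

# Constructed profiles: field -> (value, visibility chosen by the owner).
V = Visibility
PROFILES = {
    "alice": {"name": ("Alice", V.EVERYONE),
              "email": ("alice@example.invalid", V.FRIENDS_OF_FRIENDS),
              "relationship": ("open marriage", V.FRIENDS)},
    "bob": {"name": ("Bob", V.EVERYONE),
            "email": ("bob@example.invalid", V.FRIENDS),
            "relationship": ("single", V.SELF)},
    "carol": {"name": ("Carol", V.EVERYONE),
              "email": ("carol@example.invalid", V.FRIENDS_OF_FRIENDS)},
    "dave": {"name": ("Dave", V.EVERYONE),
             "email": ("dave@example.invalid", V.SELF)},  # the "lock" case
    "erin": {"name": ("Erin", V.EVERYONE),
             "email": ("erin@example.invalid", V.EVERYONE)},
    "frank": {"name": ("Frank", V.EVERYONE)},
}


def social_distance(viewer, owner, graph, limit=V.FRIENDS_OF_FRIENDS):
    """Hop count from viewer to owner (BFS): 0 for self, 1 for a friend,
    2 for a friend of a friend, None beyond `limit` or unreachable."""
    if viewer == owner:
        return 0
    seen, frontier = {viewer}, deque([(viewer, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist >= limit:
            continue  # bounded search: never expand past the cap
        for nxt in graph.get(node, ()):
            if nxt == owner:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    return None


def visible_fields(viewer, owner, graph=FRIENDS, profiles=PROFILES):
    """Only the owner's fields whose visibility level covers the viewer."""
    dist = social_distance(viewer, owner, graph)
    return {field: value for field, (value, level) in profiles[owner].items()
            if level == V.EVERYONE or (dist is not None and dist <= level)}


def compose_recipients(sender, graph=FRIENDS, profiles=PROFILES):
    """Address list for a 'friends and friends of friends' message: everyone
    within two hops is listed, but an address appears only where its owner
    shares it at the sender's distance; otherwise the entry is locked."""
    recipients = []
    for owner in sorted(profiles):
        if owner == sender or social_distance(sender, owner, graph) is None:
            continue
        email = visible_fields(sender, owner, graph, profiles).get("email")
        recipients.append((owner, email if email is not None else "[locked]"))
    return recipients


if __name__ == "__main__":
    for viewer in ("alice", "bob", "dave", "frank"):
        print(viewer, "sees of alice:", visible_fields(viewer, "alice"))
    print("alice's compose list:", compose_recipients("alice"))
```

The design point is that the check happens per field against the owner's own setting, so the same compose screen yields an address for one contact and a lock for another at the same distance, which is exactly the mixed list the corrected count above (356 of 1137) describes. Capping the breadth-first search at the largest level that is not "everyone" keeps the distance query cheap even on a large graph, since no level beyond two hops ever needs an exact answer.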

[Update: another Orkut user and I found a different privacy hole when sending emails -- see Confirmed Email Privacy Hole at Orkut.]

Comments

"The only reason why I'd seen other people in jail was because they had added too many friends too fast."

There is no basis in this assumption other than, maybe, a little hubris. The constant repetition of this unfounded claim speaks volumes about the research and professionalism of those perpetuating it. Marc, at least, had a question mark after that sentence. Fact is, some people have been "jail"-ed for violating the Orkut TOS, namely the posting of images of children or nude photography. One person I know of has been suspended for posting copyrighted images. Now, one may think that the limitations are overly stupid and should be changed, but as it stands a look at Marc's profile shows that he has most likely been suspended for the images of his children. I think it is safer to assume he has been "jailed" for violating the TOS than for having too many "friends".

Jonas M Luster

Hmm, nothing in the message said anything about TOS. In fact, I later received an email from Orkut saying "Your account was blocked by the system automatically. The block is temporary. Your account should be fine now. I apologize for the inconvenience." I still don't know why I was in "jail" last night, and in fact, now I'm in "jail" again late today, so I can only assume that it is because I sent another email to "friends of friends", as that is the only common event between last night and today. If they use the "jail" for TOS as well as for slowing down people like Marc and me, then I think that is a big mistake to use the same name for both purposes.

Christopher Allen

What is your proof for the "slowing down" of Marc? His assertions aside, Marc is by far not the most prolific linker, and has not been adding friends as fast as some others, who are neither in Jail nor suspended. Other, much less prolific linkers, have been suspended, all of which share the fact that their actions (the posting of children pics) violated an admittedly stupid TOS provision. At this point, it's Marc's assumption ("they don't like me, because I link a lot of people") against a trend in suspensions that is closely related to what images have been posted.

Jonas M Luster

I too am concerned about a lot of things regarding Orkut, and working on a post of my own about it. But, just to contribute to this, I've sent two messages to friends of friends and haven't been in Jail or anything yet.

sean bonner

"Later I find out by looking at other people's information that this is all completely public. It isn't limited to just friends, or friends of friends, but instead is prominent. In fact, other then your name and how many "friends" you have, your relationship style is the most prominent thing listed."

"That I'd like to see more "progressive disclosure" where there was more granularity of what was revealed at public, friends of friends, friends, fans, fans who I've endorsed, etc."

There's quite a bit of granularity already, since launch, which you continue to ignore. Every one of your hypothetically uncomfortable tidbits of information is filterable by social distance, that is, yourself, friends, friends of friends, everyone. And I can only expect that you will be able to filter by karma/fan, since that would be one of the only primary benefits to the end user of the karma system. I'm not sure what you mean by "XML hole". Perhaps you meant XSS? To my knowledge, the precise reasoning for Orkut's shutdown has not been revealed, but judging by what I've noticed has changed, it seems like they took it down to remove the ability of users to broadcast messages to everyone on the site. The reply-to-all button is gone, and you can no longer send a message to a saved search. I can think of more applicable (and offensive) words for the orkut-bashing chicken-littles than "unseemly".

dreww

I don't like that it's not easy to opt out. I've already had to delete a flame from my "scrapbook" and I could see how this could turn ugly quickly. Without an opt-out I don't see how I have any way of getting out of there quickly if there's a problem. Maybe what they need is a way for me to put myself in jail for a period of time.

Trash Averse

I've joined a few social networks, revealing things about myself that I don't mind if everyone reads. Things I don't want 'everyone' to know, I don't add to these networks. I also choose my communities/tribes/groups knowing everyone will be able to see my interests, and have avoided joining some I considered interesting but don't want linked to my profile. I use disposable email addresses for social groups; when weaknesses are found, I'm not disturbed by it. I think others might be, though, because they might reveal more about themselves than I did. I've changed my settings to not expose my address to everyone (I think; there are a lot of places to check). I think it's good that weaknesses are exposed, even publicly. Not picking on any particular network, but if a person found a weakness in it and reported it to them, there's a chance it would be missed/overlooked/ignored. Perhaps there are some that would take a reported weakness about their network very seriously, probably not as many though. So by making the weaknesses public, I think it puts a fire under the developers to patch the hole. Would Orkut's hole have been patched as quickly as it was if the persons that found the hole had reported it to them instead of publicly? Maybe, maybe not. If a network does take immediate measures to patch holes as soon as they're reported, I'd think it would be nice to give them advance notification before going public with the breach. But I'm pessimistic about this, and think it probably takes the threat of bad publicity to get some networks to patch. Keep up the good work; your blog is very interesting, and I've subscribed to your RSS in my Bloglines.

Sherri

I also felt insecure about Orkut, I went to jail maybe because of too many friends in short time (281), but I did not receive any explanation, do not know when the jail will be open and do not know why and when it could be closed again. http://www.orkut.com/Profile.aspx?uid=13086236090759842440

Jose Luis Orihuela

Regarding your perfect vision of a social networking service: I guess one could say there may be other features that someone else might like, and vice versa. So maybe the perfect service would allow you to pick and choose from a menu of features and services.

bardia

hey... invite me to orkut... I've been trying to find someone who's a member so they'll invite me... but you're the only one I know. thanks!

CamilA

I realize this is kind of late to respond... But every bit of information other than your name is pretty much optional. You only have to tell Orkut what you want to tell it, and the visibility of what you tell it is controllable by defining when strangers/friends/etc. can see... I'm thinking part of your paranoia is a misunderstanding of how the system works.

CbiMerrow

I got put in Orkut jail! Here's why. I had created a community for those critical of the Macintosh, and the Mac zealots all ganged up and marked me as a bogus user! I sent a FedEx to Orkut demanding he remove from his system all of the Mac users who abused the "bogus user" button. So far, no reply.

Reuven

please, I just want to know what the word orkut means, etymological or electronic.

Antonio Carlos

All I have to say is that if you are so uncomfortable with Orkut, just get out and don't be a part of the community. I'm not trying to defend orkut or something, but I've found a lot of friends that I've not seen for many years, and that is the power of orkut: to find or be together with friends. I guess that makes you uncomfortable too... if you don't like it, don't try to finish off a whole idea that, in my point of view, is very good.

Marcelo

There are other reasons to be in jail. Some people say that people who "spam" a lot go to jail. There is a link under the photo of any person that anyone can click. That link says "report as bogus". But I really don't know...

Marcelo Vergara

please make me a member of orkut.com please.....

maliya

Hi... I'd like to ask how Orkut works... Do I need to be invited to use Orkut?? thanks... bye...

rafael

Hi again :) ... People really go to jail because of orkut?!!? Their real life is destroyed because of a fucking idiot computer program??? If this is true...... Orkut users are a bunch of dumb people who risk their freedom at this idiot program of ""FRIENDS"". thanks.... bye.... sorry if I offended someone...

rafael

well, I don't know if you have experienced this, but I found a different hole. I browsed through friends and friends of friends and went to community search, added a community, and when I went to create one I found out that somebody in India is the owner of it. I hit the home button and there I was at the home page of that Indian guy, with all access, from changing his profile to terminating his account. Well, if I got there, somebody can get to mine. ANZ

amyn

I have been playing around with Orkut a lot in the last 24 hours. One thing I don't understand about these Social Networking Platforms is why they ask for useless information and why they don't ask for the interesting things. Example: Orkut gives me five large textareas to explain things like what I have learned from my past relationships. It lets me give Karma-Points to Phil Wolff if I think he is sexy. It lets me upload photos of my cat. But it does not ask me if I have ever met Phil in person. (I have.) It does not ask me for how long I have known him. It does not distinguish between "friend" and "acquaintance". It asks "Is xxx your friend?" and I am supposed to give a "thumbs-up" or a "thumbs-down". (And if I say "no" I cannot even add an explanation to that. I hope I haven't hurt anybody.) I don't get it. It would be so easy to gather this information and it would be so valuable. A simple "have met in person" flag or something like "How often have you met X?" - "never - once - several times - often - meet regularly" would do it and give so much more depth to the network. What is it that I am missing? Why is Orkut not gathering more data about the relationships of its members? (Like most of the information it could be optional - I bet many people would share it.) Please enlighten me.

Robin Smith

hi, I want to become a member of orkut

nasir

I came across lifewithalacrity a while ago [6:20 pm GMT, Nov 18, 2004] while I was searching for answers regarding 'identity theft' on orkut after suffering a harrowing experience on that social networking site. I've been a member of Orkut for no more than 2 months now. I'm a journalist and work for a satellite TV channel in Pakistan. I have so far added 16 friends to my friends list on Orkut who are either journalists, or celebrated singers, or TV actors/actresses in my country. This is the first ever social networking forum I've joined, primarily because I have always had security concerns regarding privacy on other forums and because it was in affiliation with Google, offering a degree of reliability. Throughout the time I have been a member of Orkut, I have suffered login and access problems on the site. There were times I could not log into my account at all, or access my messages or access my friends. Logging out was especially a major hassle because 8 out of 10 times I couldn't log out at the end of a session; when I tried to log out I got a message saying that the page I was trying to access was no longer available. I'd try a couple of times and then close the browser window, which was always a source of concern because I use a cablenet connection and remain apprehensive of leaving my account open and vulnerable on the network server if I don't log out. I duly reported all of this to the orkut team via emails, but all they ever sent me were automated replies telling me that due to the rapid expansion of Orkut these problems would come up, especially since the software was beta. Today, however, I got a real shock when I logged into my account at about 1:15 pm GMT. There were horrible messages sent from my account to all my friends [scribbled on their scrapbooks mostly], messages like 'hey guys i am gay' and 'you suck!'. My user name and password to my account are known only to me.

I don't know how someone got access to my account and sent these messages to all my friends and made posts in my name on the communities I am a member of. My first instinct was to remove my account altogether from orkut. But then I thought that this was precisely what the malicious act was meant to do, to intimidate me and annoy me. But I am seriously not sure what I should do to ensure my ID is not stolen again. Any suggestions?

tahir

please invite me to orkut

mohamad

Well dear, I have not yet been invited by anyone to join orkut. Can you help me to join orkut?

Abbas

I cannot get to the orkut site because of the proxy. How can I get past it? I am living in Iran.

mani

hi mani, access http://www.openproxies.com

Weber Ress

give me an ID in orkut

snopy

I cannot get to the orkut site because of the proxy. How can I get past it? I am living in Iran.

sara

I cannot get to the orkut site because of the proxy. How can I get past it? I am living in Iran.

neda

Some guy named Junaid from Karachi, Pakistan put up my cell number on orkut in the call girls' list. I have been receiving countless phone calls from guys asking me how much I charge. This is pathetic because I don't even know any Junaid, and I had never heard of this site till some guy called and told me that my cell number was on display and so was my name under the call girl list.

Maheen
