How safe is life online?
- 6 June 2011
- From the section Technology
How safe are we living our lives online and whose job is it to make sure of that?
When you hand over your photos, your credit card details, your e-mails to companies which will store them on vast banks of computers somewhere the other side of the world, what are you risking?
And if you try to access all that personal data when you are on the move, is there a danger that someone else might get a look too?
All questions that we seek to answer in a film for Newsnight about security in the cloud, that nebulous concept which tries to capture the idea that more and more of our data is now on somebody else's computers, not ours.
It was a project about the security of public wi-fi networks mounted by Goldsmiths College in London that sparked our interest.
Researchers from the Creative and Social Technologies Unit there have been studying how users react when they are shown evidence that they are not as secure or private as they might think when using public wi-fi.
They have been using an open-source tool called Firesheep released last October by a developer called Eric Butler, with the aim of alerting both websites and web users to a security threat.
Firesheep allows the hijacking of anyone's online accounts when they're using social networking sites on a public wi-fi network, and the Goldsmiths' team has been using it in various public places - though always after getting permission first from their targets. They ask these two questions:
1) Do you realize that you are susceptible to the use of software by a third party to get into your password-protected social networking identity?
2) Would you like me to show you?
We filmed with them in an internet cafe in Cambridge, where the wi-fi network was protected by a password but the traffic flowing between users and various sites was not.
What Firesheep does is to sniff out cookies, the files that tell any website that we are who we say we are. So once someone has logged on to their Facebook or Twitter account, the Firesheep user can grab those cookies as they fly across the network.
And that's what the Goldsmiths team did, demonstrating to a series of people in the cafe that they could see their Facebook pages, update their Twitter status, even in one case read all of their e-mails from a webmail account. They reacted, as you can see in our film, with surprise and alarm.
Now anyone who reads the technology blogs will say this is old news - after all, Firesheep was created last October and has been downloaded something like two million times.
But the point is that, as yet, it has not succeeded in its aim of making us all - websites, network providers, and cloud consumers - a lot more security conscious.
Eric Butler, Firesheep's creator, is a man on a mission.
"The message of Firesheep," he told us," is sites like Facebook and pretty much anyone who has a site on the web where people log in and have any personal information need to use what's called https, which is a secure way to browse the web."
Now Facebook and Twitter do offer that kind of secure service - but it's not the default option, so users have to switch it on if they want to be sure that their use of those sites is private when they are in a public wi-fi hotspot.
The other link in the security chain is the hotspot providers. After the experiment in the Cambridge cafe, the owners switched to a higher level of encryption for their network, making it impossible to use Firesheep.
BT, the largest provider of wi-fi hotspots in the UK, says it is rolling out new technology which will make its Openzone network more secure.
But Dave Hughes, BT's director for wireless broadband, told us we may need to think again about public wi-fi: "I think the old days of small, one-off coffee shops providing people with access to their broadband line and giving out the security key is not really going to be the right sort of behaviour for the future."
The holes in wi-fi security may be patched, but the recent high profile data breaches at companies like Sony show that we are all going to need to think carefully about what we hand over to the cloud.
We filmed at a massive data centre in Slough run by the American firm Rackspace. It handles all sorts of data, from the Virgin Trains ticketing website to the transactions on a Kenyan mobile payments system.
We had to pass through several layers of physical security to get in, and the company assured us that the data was well defended from the numerous cyber-attacks that the centre experiences every day.
But Rackspace says we all need to think carefully about what we put in the cloud: "If you look at young people today, they're putting their information on the cloud automatically without really thinking about it," says Fabio Torlini, whose rather wonderful title is vice-president of Cloud:
"If I was a young person today I would think twice in terms of what information I want to put online which is publicly available. Do you really want to put online all of your family information, your surname, your date of birth, online on a site which people can view day in day out?"
The new online services now being offered by Amazon and Apple, by Google and Facebook, offer all sorts of benefits to anyone who wants to run their life on the move from any device. But we are all going to need to smarten up about the dangers of living in the cloud.
You can see my report on safety in the cloud on Newsnight at 22:30 BST on BBC Two.