Looking For Love; Finding Privacy Violations

itwbennett writes "When you sign up for online dating, there's a certain amount of information you expect to give up, like whether or not your weight is proportional to your height. But you probably don't expect that your profile will remain online long after you stop subscribing to the service. In some cases your photo can be found even after being deleted from the index, according to the electronic frontier foundation (EFF), which identified six major security weaknesses in online dating sites."

Deleted is a relative term

In a lot of systems, deleted simply means marked as deleted. What the system does with that information is another matter. Even in a file system, when a file is deleted, it is many times recoverable if it hasn't been overwritten with other data.

Re:Deleted is a relative term

[Cryacin]

I wonder how many future presidents and company CEO's etc will literally be caught with their pants down in the years to come.

Re:Deleted is a relative term

[ChatHuant]

In a case like that the "deleted" flag still means the data mustn't be accessible from the outside anymore. That is, unless your developers belong behind a McDonald's counter in the first place.

Or, unless the company is hit with a subpoena that forces it to give up your data. Or, unless it is bought by another company that wants to monetize the purchase. Or, unless it decides to unilaterally change the privacy policy, and you have a week to opt out, but oh, don't you check daily for policy changes for this company you haven't used for years now? Then it's your fault if all your "deleted" data suddenly surfaces!

Re:Obviously, deletion was never the case!

[crankyspice]

Well, without RTFA but going just by the above statement: "even after being deleted from the index..."

Deletion from an index != "being deleted."

If I go into the index of the Encyclopedia Galactica and remove all references to The Mule, the article(s) the index pointed to still exist...

Yeah, I know

[Cryacin]

I'm too short for my weight.

Re:Yeah, I know

I'm not overweight, I'm undertall!
-Garfield

Re:Obviously, deletion was never the case!

"Deleted from the index" does not mean the file was deleted. If I rip the table of contents and index out of a book you could still find each page by flipping through them.

Reality check time :

When you put data up on a system you are unable to
physically control, all sorts of things can happen to
that data, including things you might not like, and
in most cases you won't be able to do anything about it.

Facebook, Myspace, all of it is one big steaming pile of
shit and most of you idiots are walking right up and taking
a big bite like it was a tasty meal. Honestly it is impossible
to feel pity for you, because you do it to yourself.

Re:Reality check time :

[MobileTatsu-NJG]

It's not very often friendless people get to act smug.

Re:Reality check time :

[EdIII]

Why do you always assume somebody that refuses to be on Facebook has no friends? It's a curious bit of fallacious logic that I encounter quite often.

I feel the same way the AC does. Most people *are* foolish to give up so much privacy for whatever you think Facebook is delivering.

Personally, I find Facebook to not only be dangerous to me for factual reasons based on logic regarding privacy, anonymity, game theory, etc. but incredibly shallow and just plain old bullshit.

I don't need to tweet shit, or put stuff up on Facebook, or see any of your shit either.

Call it a personal preference, but I prefer my relationships to have a little more "real life" in them. Meeting at tea and coffee shops, having a meal, you know, actually doing real things. Talking with my friends.

Facebook and Twitter (especially Twitter) just lack the depth that I find rewarding in personal relationships.

I am not a phone guy. Hate to be on it for more than a few minutes. Refuse to txt message. My communications are literally limited to email, phone conversations and physically talking. I like it that way.

and..... I have plenty of friends and I am considered to be quite nice and approachable.

Re:Reality check time :

[neonKow]

You don't physically control the systems that hold your wedding photographs, the photos you're getting developed at Walgreen's, the medical information at every hospital or doctor you've visited, or the credit card information from every Target, Macy's, and Safeway you've made purchases at. It doesn't mean you don't deserve to have some expectation of privacy and discretion for that data. You should always be able to say, "okay, stop using this data except as far as compliance with the law goes."

So this comes as a suprise?

[bobbied]

ANYTHING you give up to a website is there for the duration of time. I just figure it will never go away.

Even if you run your own site, don't fool yourself that you can take down the information and it's gone. There are folks that archive web content and sell the historical data for profit. If you are expecting that Facebook or Twitter content can be deleted and it will be gone forever, you are a fool.

I'm always amazed at the number of folks who simply don't understand this, and think that they can delete their Facebook posts and they are gone. So I'm not suprised that data on dating sites might stick around after you are gone.

Don't think I'm right? Check this out: http://www.archive.org/web/web.php

Re:So this comes as a suprise?

[CAIMLAS]

Absolutely.

If you've ever posted something (anything) which could be found with a search engine (ie, it was indexed, which it most certainly was), it's probably available as part of a very large dataset which is indexed and searchable, and the company is able to generate

Those reports are sold to other companies, which then combine them with other information (or do so themselves) - like financial information.

Think about it: how many things from 10 years ago can you find just on the public internet (via Google)? Hell, you can track the 'accuracy' of my job history to see when and with what my resume, etc. on my site was updated through archive.org - going back over a decade, and all they do is archive. I'm sure this isn't exceptional. With the screen name of a prolific internet user in hand and a little time in front of a search engine, chances are you can track down a known person's entire online history manually, too - even without going to Facebook or the like.

As for the OT: my wife recently saw an ad for "singles in your area" for some random site. She was kind of shocked to see a picture of me as part of the collage advertising the 'singles'. It was a picture someone (ahem me) had put up on hotornot.com years ago (close to a decade ago, before I'd met her). Anything and everything you ever post on the internet in a datatype'd field? Someone has packaged it, sorted it, studied it, created reports on it, and sold it - guaranteed.

Re:So this comes as a suprise?

[Svippy]

Don't think I'm right? Check this out: http://www.archive.org/web/web.php

Amusing that you uses Archive.org as an example, because the Wayback Machine fully respects robots.txt, even retroactively. If you eventually decide that your site should not be indexed by Archive.org, you can tell your robots.txt file to indicate that. Moreover, whenever the Archive.org bot comes by your site again and discovers it, it will not only not index your current site but also delete everything else it had on your site.

Now, of course, that is not to suggest that if you delete it from Archive.org and your own website, that the images and text is gone for good, another site may have re-hosted it. But I know none other than Archive.org that does it for a living and moreover, the very data in question will certainly be harder to find.

Difficult deletions

[spaceyhackerlady]

I have several honeypot email accounts, and one kept getting emails that suggested it was somehow a member of a French on-line dating/introduction service.

The web site had no way to delete one's account, nor did the proprietors respond to emails.

My solution? I logged in and updated "my" personal information. I got nasty, every bit of the sickest crap I could think of.

They pulled my account within the hour. :-)

...laura

Re:Difficult deletions

[Zontar+The+Mindless]

My solution? I logged in and updated "my" personal information. I got nasty,
every bit of the sickest crap I could think of.

They pulled my account within the hour. :-)

You just go right on believing that.

Re:Difficult deletions

[cshake]

I had some person set up personal ads on eharmony and another website using my email address a while ago.

On both sites I logged in ("forgot password" link works great since it's my email, and somehow the second site emailed me the unchanged plaintext password so I could leave them both to what the person had set them...) and changed the "something else you should know about me" to be something like "I signed up for this site using a strangers email address, and they're going to delete this account soon if I don't change it" to be nice and give the person a chance if they actually wanted to find dates. The number of email notifications I got for people still trying to set up a date with "me" even with that little tidbit in the profile was kinda scary, so a week later I went through their "delete profile" procedure, and lo and behold I'm getting mail filtered to my spam folder to this day from eharmony asking me to sign back up. However, the second site seemed to be moderated by real people, and within a day of me adding that info the account was removed without me having to do anything more - and I haven't gotten any email from them since.

Do not date online

[Zombie+Ryushu]

I tried a dating site long ago (eHarmony) and I found that they are utterly worthless for finding real relationships with real people. All it does is attract spammers, scammers, and predators. If you want to date, get to know people in your local community. To dating sites, you are just money to be made.

Re:Do not date online

Or, better yet. Date online, as the Internet is a GREAT tool for bringing people together. Just don't go trying to take shortcuts like dating sites. Actually MEET people via sites discussing your interests (you know, outside of genitalia). Dating sites are a hotbed for spammers, desperate folk, and other bad news. Hobby/other Interest based networking sites are much more promising for creating a healthy and valuable relationship in the future. Meetup.com comes to mind, though I'm sure there are great less mainstream/corporate options to go with as well, that may be less inclined to treat you like data to be mined and sold. Even better would be the BBS's of the past (due to their local nature), but I'm afraid in most cases you'll be needing a time machine to go with this option... The big benefit of this method, outside of being less sketchy than online dating sites, is also that even if you don't succeed in finding a partner, you're at least still likely to make some worthwhile friends in the process (might be more valuable to some than others...but I tend to figure most people who use online dating are probably fairly lonely to begin with).

And obviously, use some goddamn common sense. Strangers are strangers, and hopefully y'all got that lesson back in Kindergarten.

Lies I tell you .. all lies

[OzPeter]

My online dating profiles of course. You see by posting profiles that are completely full of lies I have totally side stepped the security issue! There is no way that anyone can trace my profiles back to a real person.

So nyah nyah nyah to all you suckers how put your real photos and descriptions out there in public - you'll never know who has your information now, while I'm free of any worries at all.

(But please don't remind me that I am posting on /. on a Saturday night)

You can be Googled

[ohnocitizen]

Reading the article it is worse than just the deletion problem. If your profile is on the site ever, it is on google forever. Making it available to google seems like a pretty big breach of trust. You look at a site like OkCupid, that allows users to set their profiles to private. With google and google caching, that setting is bypassed entirely. That is simply a failure on OkCupid's part, they either don't have the technical skill to properly secure their site, or they choose not to despite telling users their info is restricted to other users only. Either way, false advertising.

What's a Dating Site's Incentive?

[Thai-Spy]

The best way for a dating site to attract new members is to have a lot of "inventory" in the form of user profiles. Having a larger inventory also means they can ask for more money from advertisers. Again it's a case of "if you aren't paying you aren't the customer, you're the product".

Online dating

[BigBadBus]

On a peripheral matter, online dating does work. I met my wife on Love@Lycos in 2003, she moved in two years later, married in 2007 and we're still together.

The thing about that website is that it was free; others have left a very bad impression, the worst one being match.com . I don't know if it has changed since then, but about 1999 I put my details on their site and got an interested email a few hours later. Of course, I couldn't reply, as you had to pay for membership before you could contact anyone. So I paid £5 for a month's subscription and messaged back. I got no reply. I think it was just an automated match.com robot designed to suck in the desperate into paying up. A little while later, I created a sock puppet account with the most repulsive details I could imagine. I got a couple of messages from people who said they were interested and wanted to know more. In my mind, proof that match.com would do anything to make you part with your money. I didn't and it put me off dating sites until a few years later when I happened to read a newspaper article which rekindled my interest.

Re:Obviously, deletion was never the case!

[hairyfeet]

Sadly a lot of these sites are either filled with scammers or datamine and spam the living hell out of anyone that signs up, i should know as i deal with a lot of folks that have gotten their first computer so I have to warn them and be on the lookout for them as they learn the ropes. Its made all the harder to warn folks because it seems like everybody knows someone who found their current SO through online, hell that's where I got my GF of 4 years, I signed up to get one of my buds to STFU about the stupid site and my little Cherokee princess saw I was a PC guy and asked if I could help her fix the sound on her desktop. I would have never met her IRL since we didn't travel in the same circles but my family just loves her to pieces and we've been happily together ever since.

So if you know anyone that is new to computers or are starting online dating please have them look at a site like Romance Scams so they can see what to watch out for, i know one of the mods and they are good folks just trying to warn the folks about how slick these new scams are. Like the malware I have to deal with daily it seems they get better and smarter at this each year and become harder for those that aren't alert to spot.

Re:Obviously, deletion was never the case!

[HereIAmJH]

Data retention laws only apply to things you are required to keep. You can keep any information that your customers allow you to collect. And you can be subpoenaed for any information that you do collect. But only information that you are required to keep has a legally mandated retention period.

I'm surprised more businesses don't realize the legal obligations that they take on when they collect unnecessary information on their customers. Note ISPs that refuse to keep anything beyond essential logging because keeping it entails a liability to the company. And it's not just law enforcement, the act of collecting can put you under civil requirements and liabilities, for example, PCI.

I can think of very little, if any, customer data that a dating web site would be required to keep. But once you start collecting associations and communications, ala Facebook, then you can expect law enforcement to take interest. Even collecting innocuous things like who visited a profile (something OkCupid and even LinkedIn track) could be used for tracking 'terrorism'.

A big factor on social web sites is ownership. If you pay GoDaddy hosting they are not responsible for data retention on your site. In fact, they may not do any kind of backups at all on your site. Web hosting companies consider it to be your data, thus your responsibility. Social web sites, OTOH, consider your profile to be their data. They only thing that will force them to delete something they consider a business advantage are privacy laws that are virtually non-existent because governments see the value of having access to information they don't have to collect or store.