Super Ninja Privacy Techniques for Web App Developers
by Marc Hedlund and Brad Greenlee - Developers at Wesabe - Wednesday, 22 August 2007.
If I keep my documents on Google Docs, my mail on Yahoo Mail, my bookmarks on, and my address book on .Mac, is there any point in talking about the privacy of my data any more? Should I just accept that using web-hosted applications means that privacy doesn't exist?

Many new applications do a great job of making it easy and free for you to post your information online. In a lot of cases, your data is combined with other people's data, to pull helpful or interesting relationships out of aggregate data ("People who bought this book also bought...."). Your photos on your hard drive are not as useful as your photos on Flickr, where others can comment on them, find them via tags, share them, and make them into photo-related products.

Obviously, though, this shift has many implications for privacy, and it is worth wondering what the future of privacy is for web application users. A security breach on one of the most popular hosted web applications could easily reveal private information about thousands or even millions of the site's users. An employee of one of the largest providers could access information about the site's users without anyone knowing. How should a user of these applications think about these risks?

Right now, most application providers either don't talk about these risks or simply ask users to trust that they have their best interests in mind; and as far as we know, the companies providing these applications do in fact make great efforts to respect the privacy of their users. As users, though, the "trust us" proposition does not offer much in the way of reliability or certainty. We essentially must rely on the harm that a large-scale privacy breach would cause the provider as a counter-incentive against allowing one to occur.

As developers of Wesabe, an online personal finance community, we think about these questions a great deal. We believe that there is a significant benefit to consumers in anonymously combining their financial data online, since this allows us to produce an aggregate view of where consumers find the best values (sort of like a reverse FICO score -- a value rating for businesses). However, this project asks our users for a lot of trust. We decided from the outset, as a startup without the name recognition of a Google or Yahoo, and simply as people interested in providing privacy and security to our users, that we should come up with as many approaches as possible that would help us protect Wesabe users' privacy.

Many of these techniques are generally applicable. While there is a fair amount of information online for individuals who want to protect their own privacy, we found little for web application developers interested in protecting their users' privacy; so, we want to document what we've learned in the hope of making these techniques more common, and of developing better critiques and improvements of the approaches we've taken so far. Below, we outline four techniques we use at Wesabe which we think any web application developer should consider using themselves, and describe the benefits and drawbacks of each.

Keep Critical Data Local

As a web application developer, the best way to ensure that you protect the privacy of a user's data is not to have that data at all. Of course, it's hard to develop a useful application without any data, but it is worth asking, is there any information you don't absolutely need, which you could make sure not to have at all?
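One concrete way to act on "don't have the data at all" is to minimize at the ingestion boundary: the server declares the only fields it needs, drops everything else before the record touches storage or logs, and refuses outright any field that looks like a credential or account identifier. The following is an added example written for this article, not Wesabe's own code; the field names (`merchant`, `amount`, `date`, `category`), the sensitive-name pattern and the sample submission are all assumptions constructed for illustration.

```python
"""Data minimization at the ingestion boundary (added example, not Wesabe's code)."""
from dataclasses import dataclass
from typing import Optional, Tuple, List
import re

# The only fields this (hypothetical) application needs for a transaction record.
REQUIRED_FIELDS = {"merchant", "amount", "date"}
OPTIONAL_FIELDS = {"category"}
ALLOWED_FIELDS = REQUIRED_FIELDS | OPTIONAL_FIELDS

# Field names the server must never hold.  Receiving one is a client bug to
# fix upstream, not data to keep.  Pattern is an assumption for this example.
SENSITIVE_FIELD_PATTERNS = re.compile(
    r"(account|routing|password|passwd|ssn|card)", re.IGNORECASE
)


class SensitiveDataReceived(Exception):
    """Raised when a client submits a field the server refuses to hold."""


@dataclass(frozen=True)
class MinimizedRecord:
    merchant: str
    amount: str
    date: str
    category: Optional[str] = None


def minimize(raw: dict) -> Tuple[MinimizedRecord, List[str]]:
    """Return (record, names_of_dropped_fields).

    Unknown fields are discarded, sensitive-looking fields abort the request,
    and the caller receives only the *names* of what was dropped so the client
    can be fixed without the values ever being logged.
    """
    sensitive = [k for k in raw if SENSITIVE_FIELD_PATTERNS.search(k)]
    if sensitive:
        # Report names only; never echo the values.
        raise SensitiveDataReceived(f"refusing fields: {sorted(sensitive)}")
    missing = REQUIRED_FIELDS - raw.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    dropped = sorted(k for k in raw if k not in ALLOWED_FIELDS)
    kept = {k: str(raw[k]) for k in ALLOWED_FIELDS if k in raw}
    return MinimizedRecord(**kept), dropped


def is_rejected(raw: dict) -> bool:
    """True if the submission contains a field the server refuses to accept."""
    try:
        minimize(raw)
    except SensitiveDataReceived:
        return True
    return False


# Constructed sample: a client that over-shares a harmless memo field.
SAMPLE_SUBMISSION = {
    "merchant": "Corner Grocery",
    "amount": "42.17",
    "date": "2007-08-22",
    "memo": "weekly shopping",  # not needed by the application: dropped
}

# Constructed sample: a client that wrongly sends an account identifier.
OVERSHARING_SUBMISSION = {
    "merchant": "Corner Grocery",
    "amount": "42.17",
    "date": "2007-08-22",
    "account_number": "000000000",  # placeholder value; the server refuses it
}

if __name__ == "__main__":
    record, dropped = minimize(SAMPLE_SUBMISSION)
    print(record, "dropped:", dropped)
    print("oversharing client rejected:", is_rejected(OVERSHARING_SUBMISSION))
```

The design point is where the decision is made: the allowlist lives at the first point the server sees the data, so no downstream component (database, log pipeline, analytics job) ever has the chance to retain what was never needed.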

