Protecting your privacy on these forums

Posted , 5 users are following.

For those here who wish to protect their privacy, I would like suggest you take action and change the little icon associated with your account.  Just click on the icon, select edit, and choose a random image not connected to you.  If you don't believe this will help you think of it this way, it can't hurt.

Site moderators:

I've sent a private message explaining why this is a concern, but have had no reply.  Glad to discuss technical details within private email or private messaging.

Since any link included in a post seems to trigger moderator review, I'll leave this wikipedia link to the U.K. data protection directive in hopes of catching your attention regarding the issue:

https://en.wikipedia.org/wiki/Data_Protection_Directive

Regards -

 

1 like, 9 replies

Report / Delete

9 Replies

  • Posted

    Hi unforgiven. As I'm sure you're aware, the default avatars given to users are Gravatars.

    For everyone else, Gravatar is a service that creates a random image based on your email - so if you were to create another account on another forum that also uses Gravatars for their default image using the same email address, then your image would be the same.

    However, for someone to breach your privacy via this method, they would have to know your email address (and your identity) already, generate the gravatar themselves, then manually scour the forums until they found a random avatar that matches the image. Even if they managed to do this, they would only be able to see what you had posted.

    We take data privacy very seriously at Patient, and regularly get the site tested to make sure it's secure. We've investigated any possible data breach associated with using Gravatars and have decided that they do not present any credible risk to our user's privacy.

    That said - we recommend that users DO change their avatars, if only to personalise their account.

    Report / Delete Reply
    • Posted

      >they would have to know your email address...

      No, given only someone's gravatar, it's possible to determine their e-mail address:

      >and [would have to know] your identity...

      No, e-mail addresses are considered PII so this is already a legal issue.

      >[an attacker would be required to] manually scour the forums until they found a random avatar that matches the image

      No, it could be trivially automated.  Since the gravatar is equivalent to an MD5 hash, it's just a number. No manual scouring required.

      This problem really boils down to computers being orders of magnitude faster at cracking hashes now due to GPUs and specialized software.

      The net of it is Patient's default use of gravatar is a security risk. It must be mitigated, there are many ways to go about this and it shouldn't be an undue burden.

       

      Moderator comment: I have removed the link(s) directing to site(s) unsuitable for inclusion in the forums. If users want this information please use the Private Message service to request the details.

      http://patient.uservoice.com/knowledgebase/articles/398316-adding-links-to-posts

      http://patient.uservoice.com/knowledgebase/articles/398331-private-messages

      Report / Delete Reply
    • Posted

      Thanks for your reply unforgiven - the link you provided does present a case that it may be possible to reverse engineer an email address from a Gravatar. I stand corrected.

      We had got plans to address the existing avatars, because of their inefficency due to them not being cached properly, however now we will move this work item forward.

       

      Report / Delete Reply
  • Posted

    I didn't choose my icon though. I think the image won't do anything. I think they moderate everything. We are online. There's no privacy. Just be cautious of what you write and comment ect. Dont trust anyone or give out any kind of personal information. Be aware.👍

    Report / Delete Reply
  • Posted

    I believe that all external links go to a moderator, if you are sharing a link to forum or info within the site, it doesn't.

    You should also be aware that other users also can flag/report to a moderator, so if you read something that isn't right or you have concerns, you can flag it.

    It one sense it is good, as it saves us getting lots of information that is not helpful, or not tried and tested, you know the type thing that your friends share or you see on the internet, take this magic pill from mars, and magically you will lose a stone over night (type of stuff).

    I am not sure, how EU legislation will be enforced when we come out of the EU. For us in the U.K., the Data Protection Act is probably more relevant. It is also, worth checking your terms & conditions for any services you use, and how they will manage and store your information. That also goes for email accounts and mobile phones.

    Regardless of any legislation, if somebody's life is in danger, i.e. Immediate risk of self harm, then service providers then have a duty to do something about it.

    And even if you look at the Articles with the ECHR, there are lawful and legimate reasons when and why the can be breached.

    If privacy is an issue, then a public forum is probably not the best place to discuss problems.

    Report / Delete Reply
  • Posted

    You might find it helpful to read the "terms of use" for the website and the forums.

    Report / Delete Reply
  • Posted

    @ashley73934 - Im sorry but it doesn't help much that you have not yet chosen an icon, there's still a risk.  Also it's not a privacy issue about the content of your posts.  Yes we can see them.  It's an identity issue.

    I can explain it better after the mods fix the vulnerability.  Until then it's just a suggestion, I am obviously not in charge here.

    It's also possible I'm just mistaken. These things need moderator discussions before it can be confirmed a problem exists.  I can tell you that before posting, I did get feedback from a few information security specialists who advised that this is something to investigate.

    @shaz6908 - Yes, of course it best discussed privately. It's only here because the official channel received no response.  No details will be given out how to exploit.

    Regarding the site terms and conditions I'm not sure how that's relevant.  I have read them, but regardless of any disclaimers there is a ethical and legal obligation to protect identity of forum users and terms and conditions can not be crafted in anyway that removes these obligations.

    @moderators, I request that you contact via PM or email for further discussion.

    Thank you -

     

    Report / Delete Reply

Join this discussion or start a new one?

New discussion Reply

Report or request deletion

Thanks for your help!

We want the forums to be a useful resource for our users but it is important to remember that the forums are not moderated or reviewed by doctors and so you should not rely on opinions or advice given by other users in respect of any healthcare matters. Always speak to your doctor before acting and in cases of emergency seek appropriate medical assistance immediately. Use of the forums is subject to our Terms of Use and Privacy Policy and steps will be taken to remove posts identified as being in breach of those terms.

newnav-down newnav-up