Protecting your privacy on these forums
Posted , 5 users are following.
For those here who wish to protect their privacy, I would like suggest you take action and change the little icon associated with your account. Just click on the icon, select edit, and choose a random image not connected to you. If you don't believe this will help you think of it this way, it can't hurt.
Site moderators:
I've sent a private message explaining why this is a concern, but have had no reply. Glad to discuss technical details within private email or private messaging.
Since any link included in a post seems to trigger moderator review, I'll leave this wikipedia link to the U.K. data protection directive in hopes of catching your attention regarding the issue:
https://en.wikipedia.org/wiki/Data_Protection_Directive
Regards -
1 like, 9 replies
Patient_Mod unforgiven
Posted
Hi unforgiven. As I'm sure you're aware, the default avatars given to users are Gravatars.
For everyone else, Gravatar is a service that creates a random image based on your email - so if you were to create another account on another forum that also uses Gravatars for their default image using the same email address, then your image would be the same.
However, for someone to breach your privacy via this method, they would have to know your email address (and your identity) already, generate the gravatar themselves, then manually scour the forums until they found a random avatar that matches the image. Even if they managed to do this, they would only be able to see what you had posted.
We take data privacy very seriously at Patient, and regularly get the site tested to make sure it's secure. We've investigated any possible data breach associated with using Gravatars and have decided that they do not present any credible risk to our user's privacy.
That said - we recommend that users DO change their avatars, if only to personalise their account.
unforgiven Patient_Mod
Posted
>they would have to know your email address...
No, given only someone's gravatar, it's possible to determine their e-mail address:
>and [would have to know] your identity...
No, e-mail addresses are considered PII so this is already a legal issue.
>[an attacker would be required to] manually scour the forums until they found a random avatar that matches the image
No, it could be trivially automated. Since the gravatar is equivalent to an MD5 hash, it's just a number. No manual scouring required.
This problem really boils down to computers being orders of magnitude faster at cracking hashes now due to GPUs and specialized software.
The net of it is Patient's default use of gravatar is a security risk. It must be mitigated, there are many ways to go about this and it shouldn't be an undue burden.
Moderator comment: I have removed the link(s) directing to site(s) unsuitable for inclusion in the forums. If users want this information please use the Private Message service to request the details.
http://patient.uservoice.com/knowledgebase/articles/398316-adding-links-to-posts
http://patient.uservoice.com/knowledgebase/articles/398331-private-messages
Patient_Mod unforgiven
Posted
We had got plans to address the existing avatars, because of their inefficency due to them not being cached properly, however now we will move this work item forward.
unforgiven Patient_Mod
Posted
Best regards -
Patient_Mod unforgiven
Posted
Hi Unforgiven, as you will now be able to see, we've replaced the gravatars with generic blank ones now.
Hope that satisfies your concerns!
Ashley025 unforgiven
Posted
I didn't choose my icon though. I think the image won't do anything. I think they moderate everything. We are online. There's no privacy. Just be cautious of what you write and comment ect. Dont trust anyone or give out any kind of personal information. Be aware.👍
shaz6098 unforgiven
Posted
I believe that all external links go to a moderator, if you are sharing a link to forum or info within the site, it doesn't.
You should also be aware that other users also can flag/report to a moderator, so if you read something that isn't right or you have concerns, you can flag it.
It one sense it is good, as it saves us getting lots of information that is not helpful, or not tried and tested, you know the type thing that your friends share or you see on the internet, take this magic pill from mars, and magically you will lose a stone over night (type of stuff).
I am not sure, how EU legislation will be enforced when we come out of the EU. For us in the U.K., the Data Protection Act is probably more relevant. It is also, worth checking your terms & conditions for any services you use, and how they will manage and store your information. That also goes for email accounts and mobile phones.
Regardless of any legislation, if somebody's life is in danger, i.e. Immediate risk of self harm, then service providers then have a duty to do something about it.
And even if you look at the Articles with the ECHR, there are lawful and legimate reasons when and why the can be breached.
If privacy is an issue, then a public forum is probably not the best place to discuss problems.
shaz6098 unforgiven
Posted
You might find it helpful to read the "terms of use" for the website and the forums.
unforgiven
Posted
@ashley73934 - Im sorry but it doesn't help much that you have not yet chosen an icon, there's still a risk. Also it's not a privacy issue about the content of your posts. Yes we can see them. It's an identity issue.
I can explain it better after the mods fix the vulnerability. Until then it's just a suggestion, I am obviously not in charge here.
It's also possible I'm just mistaken. These things need moderator discussions before it can be confirmed a problem exists. I can tell you that before posting, I did get feedback from a few information security specialists who advised that this is something to investigate.
@shaz6908 - Yes, of course it best discussed privately. It's only here because the official channel received no response. No details will be given out how to exploit.
Regarding the site terms and conditions I'm not sure how that's relevant. I have read them, but regardless of any disclaimers there is a ethical and legal obligation to protect identity of forum users and terms and conditions can not be crafted in anyway that removes these obligations.
@moderators, I request that you contact via PM or email for further discussion.
Thank you -