Peeple, Security and why hiding reviews doesn't matter

There’s been a lot of discussion about the Peeple app, which lets random individuals provide reviews of other people. The founders of the company seem to believe that no one is ever mean on the Internet and that all reviews are accurate. They’ve tried to assure us that no negative reviews will be published for unregistered users. They’re almost charming in their naivety, and it might be funny if this wasn’t so serious.
The app is an invitation to online abuse and harassment. And based on the public comments I’ve seen from the founders, they have no idea what kind of pain their app is going to cause. They just don’t seem to have any idea of the amount of abuse that happens on the Internet. We work with and provide tools to abuse and security desks. The amount of stuff that happens as just background online is pretty bad. Even worse are the attacks that end up driving people, usually women, into hiding.
The Peeple solution to negative reviews is twofold.

  1. Prompting individuals to discuss negative reviews before they go live.
  2. Hiding any negative reviews when the user is unregistered.

Both of these solutions have major problems and will minimize the chances of this product being widely adopted.
First off, if someone is creating a negative review maliciously, then talking to them isn’t going to result in anything more than frustration for the person being reviewed. There will be malicious users on the site; nothing has been invented that’s bully-proof. Even curated online spaces deal with malicious folks. There’s nothing in any of the press releases that makes me think this is going to be even remotely curated.
Even if the negative review isn’t done maliciously, people can occasionally have bad days, or bad weeks. Sometimes that accumulated stress is enough to cause individuals to lash out. It’s bad behavior, it’s wrong, but it happens. That person lashing out could be the person writing the review, or the person the review is about. I’m sure all of us have had experiences where we acted badly or wanted to point out someone acting badly.
The reality, though, is that bullying culture is alive and well on the Internet. We have countless examples of very public campaigns to harass people. Even among my friend group, most of us have some story where we’ve been targeted by people. My own experience was almost 20 years ago now, but did involve the police and spilled over into harassment of my boss at her home and both of us at work.
Hiding reviews for unregistered users will encourage people NOT to sign up. I expect this policy to last until they start running out of VC and are struggling to raise a second round. If you can’t show widespread adoption, and make no mistake, this policy will discourage signups, then you can’t get the next round of cash.
The big issue that I’m not seeing anyone else mention is that just hiding negative reviews doesn’t make them secret. Why? Because no company is secure. Ashley Madison. Experian. The US Government. Epsilon. Anthem Healthcare. Target. CareFirst. The University of Delaware. LastPass. Staples. And those are just the ones I remember well enough to plug “CompanyName hack” into Google. Peeple is going to be compromised and that negative data will leak.
Of course, we now know that there is another product called Peeple, a very slick-looking camera that lets you see who is at your door without having to go to the door. A much better use of the name and a better product all around.

Related Posts

Organizational security and doxxing

The security risks of organizational doxxing. 
These are risks every email marketer needs to understand. As collectors of data they are a major target for hackers and other bad people. Even worse, many marketers don’t collect valid data and risk implicating the wrong people if their data is ever stolen. I have repeatedly talked about incidents where people get mail not intended for them. I’ve talked about this before, in a number of posts talking about misdirected email. Consumerist, as well, has documented many incidents of companies mailing the wrong person with PII. Many of these stories end with the company not allowing the recipient to remove the address on the account because the user can’t prove they own the account.
I generally focus on the benefits to the company of verifying addresses. There are definite deliverability advantages to making sure an email address belongs to the account owner. But there are also the PR benefits of not revealing PII attached to the wrong email address. With Ashley Madison, nearly every article mentioned that the email address was never confirmed. But how many other companies don’t verify email addresses and risk losing personally damaging data belonging to non-customers?
Data verification is so important. So very, very important. We’ve gone beyond the point where any big sender should just believe that the addresses users give them are accurate. They need to do it for their own business reasons and they need to do it to prevent incorrect PII from being leaked and shared.

A series of tubes

The Internet and pundits had a field day with Senator Stevens, when he explained the Internet was a series of tubes.
I always interpreted his statement as coming from someone who demanded an engineer tell him why his mail was delayed. The engineer used the “tube” metaphor to explain network congestion and packets and TCP, and when the Senator tried to forward on the information he got it a little wrong. I do credit the Senator with trying to understand how the Internet works, even if he got it somewhat wrong. This knowledge, or lack thereof, drove his policy positions on the issue of Net Neutrality.
In the coming years, I believe we’re going to be seeing more regulations around the net, both for individuals and for corporations. These regulations can make things better, or they can make things worse. I believe it’s extremely important that our elected officials have a working understanding of the Internet in order to make sensible policy. This understanding doesn’t have to be in their own head, they can hire smart people to answer their questions and explain the implications of policy.
Apparently I’m not the only one who thinks it is important for our elected officials to have a working knowledge of technology. Paul Schreiber put up a blog post comparing the website technology used by the current Presidential candidates. Do I really expect the candidate to be involved in decisions like what domain registrar or SSL certificate provider to use? No. But I do expect them to hire people who can create and build technology that is within current best practices.

Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single-use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.
