
Are Aggregation Services Security Risks?

Do you like social aggregation and tracking services like FriendFeed, Google Buzz and Cliqset? If so, there’s another startup launching today that wants your attention: Strings. This service is focused less on social content sites like flickr and YouTube (although supported) and more on traditional online activity like clothing purchases from JCrew or Saks, groceries from Amazon Fresh, beauty products from Sephora and a slew of other purchases from web-based shopping sites.

But before you rush to sign up with yet another activity aggregation service, it may be time to pause and think. Do the benefits of seeing your friends’ purchases on sites like Strings and the online shopping tracker Blippy outweigh the risks of handing over login credentials to these third parties?

Social Tracking and Beyond

There are more than a few services out there today that allow you to share your activity with the world at large. FriendFeed and Google’s new Buzz service, for example, are popular playgrounds for social sharing. Their aggregation capabilities offer combined activity streams from sites like Twitter, YouTube, flickr, Google Reader and much more. These social activity trackers aren’t too risky except for the fact that they make you more of a public persona than you may have intended – something not everyone is comfortable with, as was apparent from the recent Google Buzz privacy backlash.

However, some tracking services go beyond simple social activity aggregation. One of the more puzzling launches of late is Blippy, a service that tracks your “favorite purchases” made with any credit card used at a selection of online stores. Similarly, the web activity tracker Glue lets you share the results of your day’s web surfing when visiting both social and non-social sites including Wikipedia, Amazon, NewEgg, eBay, BestBuy, Zagat and dozens of others.

The concept for the newly launched Strings fits in nicely with the others of this genre. At this time, the service tracks 25 web sites, from the more social Hulu and YouTube to more traditional sites like Nordstrom and Tiger Direct. And like its competitors, it lets you follow others on the service to see what they’ve been doing, where they’ve been shopping and what they’ve bought.

Strings: Let’s See Where You Shop

Unfortunately, in Strings’ case, the execution is somewhat lacking. The design leaves a lot to be desired with small, light-colored text and a slightly confusing flow. Should I add trackers first? Do I need the Firefox extension? Is the desktop app a necessary component? All these options are thrown at you on the front page with little explanation as to why they’re needed.

More importantly, for every site you add, you’re asked to provide your username and password. Obviously, for online shops like JCrew, this makes some sense – there isn’t exactly a public stream of your purchases there. However, for social apps like YouTube and flickr, there’s simply no need to request a password. Your account activity can be imported into your stream simply by providing your username. That’s how FriendFeed and Buzz do it and that’s how Strings should too.

In fact, tracking services should make every attempt not to request your credentials unless absolutely necessary. Every time you provide this information to a third-party service, you’re taking a risk. If their servers were compromised and their database of account information was accessed, the attackers would have your login information to a number of online sites – sites where you’ve often stored credit card information, phone numbers and addresses, too.

“But is this risk acceptable?” you may ask.

Is Aggregating Your Credentials Too Risky?

Before we pick on Strings alone, though, it’s worth noting that their request for your online shopping sites’ login isn’t unique to them. Blippy, too, requests your login credentials for the sites you want to add to their service. They also want your credit card information so they can track other purchases.

Now, one can argue that the fear of sharing your credit card info online is unfounded. After all, if you do any online shopping, then you’ve already shared this info with a number of companies, some of whom may operate servers with far less security than Blippy’s.

That’s definitely a valid argument. But there is something to be said for the increased risk due to the aggregation of your online accounts. While you may only store one or two credit cards at Amazon.com, Blippy lets you track all your cards. If their infrastructure was compromised, not only would the potential hacker gain access to this information, they would also have your username and password to quite a few online web sites too. And if you’re like 99% of the world, that’s probably the same username and password you use elsewhere…like on your webmail account, your computer sign-on and maybe even your bank account or corporate VPN, assuming the password is complex enough to meet their security requirements.

Also, the risk in using these services doesn’t necessarily have to come from an outside malicious attack – the services themselves may not have your best interests at heart either. Take for example, this text from Blippy’s Privacy Policy:

Blippy may sell, transfer or otherwise share some or all of its assets, including your personally identifiable information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity’s planned processing of your information differs materially from that set forth in this Privacy Policy.

Most people would prefer their personally identifiable information to remain private. But if Blippy crashes and burns, it’s up for sale unless you take action to opt out.

Strings’ privacy policy is different than Blippy’s, but not much better. In their case, your personal information may be collected so you can be marketed to from other parties:

…we may invite you to participate in surveys, questionnaires or contests, contact us with questions or comments or request information, provide us with feedback, participate in chat or message boards, or complete a profile or registration form. Due to the nature of these Services, we may collect personally identifiable information such as your name, address, email address, phone number, age or date of birth, gender, and other contact information that you voluntarily transmit with your communication to us…

And they may use that information to contact you about:

software and/or Services that you may wish to contact and for targeted advertising.

Do the Benefits Outweigh the Risks?

For some people though, this new openness is the future of online sharing. By allowing others to peer into our lives this deeply, we’re becoming, as a society and a culture, more transparent. And that’s a good thing. Notes pro-openness blogger Louis Gray, “instead of keeping all my data internal to me, it opens it to the world for discussion.” He also notes Wall Street Journal’s review on Blippy which concludes that the biggest risk for people in using Blippy is that “their purchases are totally mundane and you’re really super boring.”

We would argue there are a few more risks than “boringness” to be considered here, but for some, those risks may be worth it. So whether you believe that aggregation sites are hacker goldmines, marketers’ dreams or simply new stores of data that will enhance our understanding of the web and its users, these services are likely to stick around for a little while. The only question now is: will you be using them?

Update: After this article was published, Strings updated their privacy policy.
