Last Updated: 2006-03-05 04:46:30 UTC
by Lenny Zeltser (Version: 1)
The new generation of portal sites, such as Netvibes and Google Personal Homepage, offers rich functionality that allows users to include interactive modules in the start page. Before embedding your email or del.icio.us accounts in one of these pages, be mindful of the potential risks of using such sites to process sensitive data.
I'd like to bring up two such risks for your consideration:
- Providing such portal sites with login credentials to your other accounts threatens confidentiality of your username and password.
- Using portlet modules created by a third party may allow unauthorized access to the web session and other information.
How Does the Site Store Your Information?
Netvibes is a popular new-generation start page site, offering a clean interface and a nice set of features. In addition to allowing its users to embed a range of data sources on the personalized start page, Netvibes includes several interactive modules. One of them lets a Netvibes user keep an eye on his or her Gmail mailbox:
It's neat. How can Netvibes connect to the user's Gmail mailbox? The person has to supply his or her username and password to Netvibes:
Other Netvibes modules that might threaten your data's confidentiality allow logging in to Yahoo! Mail, POP accounts, del.icio.us, and Blogmarks.
Who Has Access to Your Information?
Another issue with using such portal sites to process sensitive data is illustrated by portlet modules that users can add to their Google Personal Homepage. It is relatively easy to write custom modules for this site. Google offers numerous such portlets, created by third-party developers for adding to Google Personal Homepage.
When a user attempts to add a third-party module to the personal home page, Google thoughtfully presents the person with the following warning pop-up:
In this message, Google reminds the user that the module, written by a third-party developer, has the ability to access any information the user supplies to this module. If the module you are adding asks for sensitive information, be sure you trust the module's developer before supplying the data.
What Other Information Can the Module Access?
Another concern related to the use of personalized start pages is that one portlet module might gain access to sensitive session information or to another module. Google warns its users when it notices that a module carries this risk. For instance, when a user attempts to set up a Bloglines notifier module for Google Personalized Homepage, he is presented with the following warning:
In this message, Google alerts the user that the module could give its author access to sensitive information associated with his google.com session, and implies that data from other portlet modules will be accessible, too.
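As an added illustration (not part of the original diary, and not Google's or Netvibes' code), the sketch below models the browser rules behind this kind of warning. It assumes a portal can embed a module either inline in its own page or in a frame served from another host; the hostnames, the cookie and the module list are constructed sample data.

```javascript
// Added illustration, not code from Google or Netvibes. Hostnames, the cookie
// and the module descriptors are constructed sample data.
const PORTAL = "https://www.portal.example/home";
const SESSION_COOKIE = { domain: "portal.example", httpOnly: false };
const MODULES = [
  { name: "weather", embed: "iframe", frameSrc: "https://weather.widgets.example/w.html" },
  { name: "notifier", embed: "inline" },
  { name: "mail", embed: "iframe", frameSrc: "https://gadgets.portal.example/mail.html" },
];

// RFC 6265 domain-match: the host is the cookie domain or a subdomain of it.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// What a module's script can reach, given how the portal embeds it.
function moduleReach(portalUrl, cookie, mod) {
  const portal = new URL(portalUrl);
  // Inline markup and script execute with the portal page's own origin,
  // whoever wrote them; a framed module runs with the origin of its frame.
  const runsAs = mod.embed === "inline" ? portal : new URL(mod.frameSrc);
  return {
    name: mod.name,
    runsAs: runsAs.origin,
    // DOM access (the page and the sibling modules in it) requires the same origin.
    portalDom: runsAs.origin === portal.origin,
    // Cookies are scoped by domain, not origin: a frame on a sibling subdomain
    // can still read a script-visible cookie set for the parent domain.
    sessionCookie: !cookie.httpOnly && domainMatches(runsAs.hostname, cookie.domain),
    // Regardless of embedding, a module receives whatever is typed into it.
    ownInput: true,
  };
}

function audit(portalUrl, cookie, modules) {
  return modules.map((m) => moduleReach(portalUrl, cookie, m));
}

for (const r of audit(PORTAL, SESSION_COOKIE, MODULES)) {
  console.log(`${r.name.padEnd(9)} runs as ${r.runsAs}  DOM=${r.portalDom}  cookie=${r.sessionCookie}`);
}
```

In this model only the framed module on an unrelated host is segregated from both the page and the session cookie; marking the cookie HttpOnly hides it from script but does not stop an inline module from reading the page and its sibling modules.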
I like the idea of personalized start pages that improve upon the concept that a portlet module should only contain static data. At the same time, I am wary of using these sites for processing data that I consider sensitive. I think you should be careful, too. There are many new web sites springing up in attempts to offer modern versions of start-up page sites. I hope some of them decide to differentiate themselves from their competitors by implementing a solid data segregation model and a reliable way of protecting their users' data.
For a long list of new-generation personalized start pages take a look at the AJAX Homepages Market Review article on the Web 2.0 Explorer blog.
ISC Handler on Duty