Facebook’s latest privacy debacle was driven by their failure to properly manage user IDs. This is not a new problem area and as the EFF points out, Facebook has done this before. So while I don’t know if Facebook will be interested in this post, those who care about protecting their user’s privacy in an age of data sharing may want to have a look at the threats and defenses needed to share user IDs across sites. Securing user IDs isn’t easy.

[Update 10/22/2010: Changed the title and intro and added three new sections at the end.]

It's voting time again. I still don't know why I bother. But here I am. Scroll down to see details about why I am voting the way I list.

• Initiative Measure No. 1053 - No

• Initiative Measure No. 1082 - No

• Initiative Measure No. 1098 - No

• Initiative Measure No. 1100 - No

• Initiative Measure No. 1105 - No

• Initiative Measure No. 1107 - No

• Referendum Bill No. 52 - No

• Amendment to the State Constitution Senate Joint Resolution No. 8225 - Yes

• Amendment to the State Constitution Engrossed Substitute House Joint Resolution No. 4220 - No

• Charter Amendment No. 1 Amendments to the Preamble - No

• Charter Amendment No. 2 Amendment of Section 690 - Campaign Finance - Yes

• Charter Amendment No. 3 Amendment of Section 890 and New Section 897 - Collective Bargaining - No

• Proposition No. 1 Sales and Use Tax for Criminal Justice, Fire Protection, and Other Government Purposes - No

• Seattle School District No. 1 Proposition No. 1 Supplemental Operations Levy - No

• United States Senator - Patty Murray

• United States Representative Congressional District No. 7 - Jim McDermott

• State Representative Legislative District No. 46 - Position 2 - Phyllis G. Kenney

• Seattle Municipal Court Judge Position No. 1 - Edsonya Charles

• Seattle Municipal Court Judge Position No. 6 - Karen Donohue

• State Supreme Court Justice Position No. 6 - Richard B. Sanders

Eran’s latest article raises a number of specific security threats by way of arguing that bearer tokens are irredeemably insecure. In this article I examine the attacks Eran calls out and demonstrate that they are already addressed by OAuth 2.0. Eran’s article does bring up the interesting question of - do we need defense in depth for the tamper resistance and confidentiality provided by SSL/TLS?