Those of you who follow the news posts on LiveJournal saw a reference to “a service issue that sprung up a couple days ago and was quickly resolved”. If you followed the link and read the comments, you discovered it was more than a “minor service issue”: it was a major LJ kerfluffle™. What happened, in short, was that there was an error with their page serving cache, and for some period of time (LJ says it was under three minutes; others say it was longer), people were served random pages from other people that were in the cache. This included, naturally, pages that included friends-locked and private entries. LJ classifies it as minor because no one could change any page; others are much more concerned because their private information was exposed to some other party—and they are not going to be happy until LJ does something unspecified, including recognizing it was major.
My assessment: It’s not as minor as LJ classified it, but it also isn’t a major privacy problem or security risk (such as the flaw just discovered in Facebook that allows someone to attach an executable to a message). Yes, private information was exposed, but first, it was exposed in a random manner, meaning that the user that saw the private data was likely someone who didn’t know the individual whose data it was—and thus the exposure risk was likely lower than exposing it to someone who knows the individual. Second, there was no ability to navigate in that person’s account purposefully, and so specific locked entries could not be seen. This is not to downplay the risk—it was a breach—but the exposure risk and the exploitation risk were low.
I’m sure a lot of people who are upset about this are operating on the naive assumption that security mechanisms on websites work, and that their computers are secure. Of course, we know that to be false, but we like to believe the artifice so we can sleep at night. People should always work on the philosophy that you shouldn’t post something on a website that you don’t want the world to see. Breaches will occur; it is the nature of the beast. Protections fail; databases are sold. You can only have a level of confidence in someone that has a fiduciary interest (meaning a legal obligation) to protect your data… and this is distinctly not true for social networking sites, no matter what we might believe.
Will this prompt me to leave LJ? I thought about it. I could easily set up a WordPress blog on cahighways.org (they have version 3.1—does anyone know if that version can interact with LJ?). But I likely won’t do it, for the same reason I don’t leave FB: the people I want to interact with are on LJ (or FB). They are not commenting on random WordPress blogs; they are not present with sufficient mass on Dreamwidth. The people I care about reaching are on LJ. Further, *I* do not have the privacy concern, because my LJ posts are (99.9%) public, and I don’t talk about things I don’t want to be public. At worst, people discover a party I was planning 3 years ago, or a fight I had with my wife 4 years ago. Big deal. But I do know that for others, even the slightest risk is a big concern. Everyone has their own risk tolerance level.
I’d like to know your thoughts on the exposure kerfluffle. Is it making you leave LJ? If so, where are you going: DW, your own blog, G+, FB, or somewhere else? When do you think that LJ will lose enough critical mass in the English-speaking world that it effectively becomes a true niche player?