[[!meta title="Orkut - dangerous Big Brother database or fun place?"]]
[[!meta date="2004-08-25"]]

[[!toc]]

This is my personal diary about using Orkut (www.orkut.com).

## 27-Feb-2004

I got invited to orkut.

## 29-Feb-2004

Getting first impressions. What is this "orkut"?

Looks like a secure thing: Only people who are invited may join. So you most likely know that those are really the people you know and not fake ones. Well, you can even trust the communication, as 'dangerous people' keep outside, can't you? But why are they using HTTP and not HTTPS? Just keep that in mind..

OK, let's register. What's that? In affiliation with google? Does that mean one can google through orkut? Or does that mean google will sell their database to others?

Wow what the hell do they want to know? And why should it be sensible to tell them all of my mail addresses? Don't I remember getting spam on all addresses I use on the web? Let's create a Pseudo Email, only used for Orkut, so we can track back the spam.

After only telling the needed information I see that the one who invited me is my friend. And that he's got other friends. And they have friends again. Wow. What a fucking big network.

Let's go to bed, continue tomorrow.

## 01-Mar-2004

Currently I am browsing through the friends network. Seeing what information I get, so I can conclude on what I will present to others, when participating in orkut. There is the nice thing "communities", so I can see what the person's interests are. Currently orkut looks like a big database of many friends linked together. Perhaps I can profit from it?

Wow, there are many interesting communities. Everything I like is around me. Logical, as my friends like the same things I do.

Wait..as I am always logged in while viewing, they'll have a full view for what is interesting for me. They (=the ones who brought up orkut) know who invited me. They know his/her interests. Think about this in a chain.
So they can see who (with what attributes) is interested in which communities and what you do. Do you surf on in the "Bi & Lesbian"-section or are you enjoying the "Internet" community? Every click is one point more for data collection. Every move you make is recorded. That sounds for me like "1984". What a horrible vision (or reality?).

Oh, let's have a look at whois, who owns orkut:

    Domain Name: ORKUT.COM
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com
    Name Server: NS11.WORLDNIC.COM
    Name Server: NS12.WORLDNIC.COM
    Status: ACTIVE
    Updated Date: 11-nov-2003
    Creation Date: 08-dec-2002
    Expiration Date: 08-dec-2006

    BUYUKKOKTEN, ORKUT (UHGFNCTSOD)
    2400 W El Camino Real, Apt 419
    MOUNTAIN VIEW, CA 94040-1680
    US

    Domain Name: ORKUT.COM

    Administrative Contact:
    BUYUKKOKTEN, ORKUT (OBD36) orkut@cs.stanford.edu
    2400 W El Camino Real, Apt 419
    MOUNTAIN VIEW, CA 94040-1680
    US
    650 888 5822 fax: 123 123 1234

    Technical Contact:
    Network Solutions, Inc. (HOST-ORG) customerservice@networksolutions.
    13200 Woodland Park Drive
    Herndon, VA 20171-3025
    US
    1-888-642-9675 fax: 571-434-4620

    Record expires on 08-Dec-2006.
    Record created on 08-Dec-2002.
    Database last updated on 1-Mar-2004 10:57:20 EST.

    Domain servers in listed order:
    NS11.WORLDNIC.COM 216.168.225.141
    NS12.WORLDNIC.COM 216.168.225.142

Well, this company does not tell me anything at all... If you know something about them, please tell me.

## 02-Mar-2004

After some researching I know that Orkut is being developed by someone working at Google, BUYUKKOKTEN, ORKUT. (As seen in the whois, but before I didn't know whether this is a person or a company.)

While phoning with some people yesterday I developed some questions and structures:

- orkut knows who invited which persons
- they know which communities somebody is interested in
- they see in whom or what you are interested, because every visit is tracked with a username.
- if you enter wrong data (e.g. wrong surname) people will/may check the "Bogus"-Button to tell that you are faking somebody
- the information provided in orkut are

## 22-Mar-2004

I haven't used my orkut account since 02-Mar-2004 and will now write an email to 'them', requesting to delete my account.

Some people argue "But my data can also be found through google, why should I not tell them Orkut?"

My answer: With google you cannot track what people do, what they like and this together with country information, your hobbies, etc.

In my opinion Orkut is a BigBrother version in the web and I don't like to participate and show 'them' every step I make.

## 24-Mar-2004

Just got again the statement "You should stop using IRC, delete all your mail accounts and stop surfing.", after I said "I wrote a message to orkut, that I would like to have them remove my account. Look at http://nico.schotteli.us/papers/net/orkut-diary, why.".

I'll try to explain the difference for you:

IRC:

- it's easy to track "my" behaviour in IRC
- you cannot verify the identity of me very well
- when trying to track you, 'they' must normally join every channel you are in (*see mark:1*)
- Queries cannot get tracked (*see mark:1*)

Mail:

- mails are sent to different people on different hosts
- to read all my incoming mail, you got to have access to the mail server hosting my email
- to read my outgoing mail, you need
  a) to be my ISP and get all data while sending out (*see mark:1*)
  b) to control _all_ mail servers of people I write to
- mails can easily be encrypted with PGP/GPG (http://www.gnupg.org)

WWW:

- normally if you visit two different websites (e.g. www.google.com and www.astalavista.com), they don't know from each other
- if you visit one website _from_ another site, the second one knows where you come from (if not explicitly disabled in your browser)
  E.g.: http://linux.schottelius.org/gpm/ links to http://lists.linux.it/pipermail/gpm/.
  When you click on the link at http://linux.schottelius.org/gpm/, the host lists.linux.it registers that you come from http://linux.schottelius.org/gpm/. As said above, this can easily be disabled in (good) browsers.
- if you visit many links within one page (e.g. looking at http://www.userfriendly.org cartoon archive), it may be possible to track you, while you are keeping the same ip
- if sites set and read cookies, they may assign you a unique id.
  E.g.: You visit www.microsoft.com. This site sets the cookie "customer_nr=3434oeuntoheu45ouonethaonehp". After that you visit www.sco.com (not from a link from microsoft). Your browser allows www.sco.com to read out the cookie "customer_nr" and can exchange access logs with Microsoft (this should generally not be possible to do cross-site-reading, but can easily be done with a 'middle'-host like an adserver). Most browsers allow disabling cookies or at least to show a popup box, asking you whether to use it or not.

mark 1: Actually IRC, SMTP or HTTP are plain text protocols. Every person sitting at a router at your ISP can see what you are doing and the contents of every packet you send and receive. You should consider using SILC, TLS/SMTP, HTTPS or PGP encrypted mails instead for better security.

Orkut:

- you have to login before you can visit anything
- every click (changing profile, reading other profiles, joining and leaving communities, ..., just everything) is logged
- everything you do can easily be added to statistics
- 'they' can track user behaviours, user paths

An example of path-tracking:

1. I (person_b) get invited by person_a
2. person_a is in community_a and community_b
3. I join community_a, too.
   --> Now 'they' may know from which scene/interest area we come.
4. I click through the friends path of person_a and see that there are some friends I know, too.
5. I click on a friend of person_a, whose name is person_h and ask him to be 'my friend'.
6. There can be some reasons why I want to be his friend, the most obvious one is because I know person_a and person_h.
7. Now 'they' know about some relationship...

This information could be sold or transferred to the FBI for instance...

## 30-Mar-2004

Today I received information about what companies pay for filtered user information, it's between $1 per address up to $10 per (snail-mail-)address.

## 08-Apr-2004

Just want to re-read their terms of Service. (http://www.orkut.com/terms.html)

Here are some interesting parts:

'We also reserve the right to modify these Terms of Service from time to time without notice.'

--> nice, I don't hear or see anything, but will agree and use new Terms of Service.

'In addition, you must provide true, accurate and complete registration information to be an orkut.com member ("Member").'

--> complete..very nice..if I would really completely fill out the form, they would know everything about me.

'Other examples of illegal or unauthorized uses include, but are not limited to:' ...'using any robot, spider, site search/retrieval application, or other device to retrieve or index any portion or the orkut.com service;'

--> well, 'they' may do it, we not...

'By submitting, posting or displaying any Materials on or through the orkut.com service, you automatically grant to us a worldwide, non-exclusive, sublicenseable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, publicly perform and display such Materials. '

Sure, there are more, these are just examples. There are more interesting things in 'http://www.orkut.com/privacy.html'.

Looks like this story will end soon...

## 17-May-2004

Looks like I got to reinvest time in my "Orkut-Diary". It seems people sometimes don't see how they are confronted with Orkut, although they are NOT part of it.

Did you ever think about what happens if you receive an invitation message? No?
Well, someone (perhaps a "friend") of you thought it would be nice to invite you to Orkut. He/She entered your

- First name
- Last name
- your Email
- and the level of which he/she knows you (haven't met, acquaintance, friend, good friend, best friend)

Perhaps you decline the invitation Email, but what happens with this data is unknown to you, to her/him. Perhaps the data will get sold to other companies, perhaps Google uses it for their internal statistics, perhaps they won't even have a look at them.. We don't know.
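
The cookie tracking through a 'middle' host described in the 24-Mar-2004 entry, shown as an added example that is not part of the original diary. It assumes a hypothetical ad server embedded on both sites that logs the `Cookie` and `Referer` headers it receives; the log lines are constructed and only the cookie name and first value come from that entry. `as_sent_by_browser` simulates the two browser settings the entry mentions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: requests as seen by a hypothetical ad server whose banner
# is embedded on both sites. Each tuple is (Cookie header, Referer header).
ADSERVER_LOG = [
    ("customer_nr=3434oeuntoheu45ouonethaonehp", "http://www.microsoft.com/"),
    ("customer_nr=3434oeuntoheu45ouonethaonehp", "http://www.sco.com/"),
    ("customer_nr=constructed-second-visitor", "http://www.sco.com/"),
]


def parse_cookie(header, name="customer_nr"):
    """Return the value of `name` from a Cookie header, or None if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def sites_per_visitor(log):
    """Map each cookie id to the set of embedding sites named in the Referer."""
    seen = defaultdict(set)
    for cookie_header, referer in log:
        visitor = parse_cookie(cookie_header or "")
        host = urlsplit(referer or "").hostname
        if visitor and host:
            seen[visitor].add(host)
    return dict(seen)


def cross_site_profiles(log):
    """Visitors the ad server can place on more than one site."""
    return {v: s for v, s in sites_per_visitor(log).items() if len(s) > 1}


def as_sent_by_browser(log, send_third_party_cookies=True, send_referer=True):
    """Simulate the browser settings from the diary: drop what is disabled."""
    return [
        (cookie if send_third_party_cookies else "",
         referer if send_referer else "")
        for cookie, referer in log
    ]


if __name__ == "__main__":
    print("default browser:", cross_site_profiles(ADSERVER_LOG))
    no_cookies = as_sent_by_browser(ADSERVER_LOG, send_third_party_cookies=False)
    print("cookies disabled:", cross_site_profiles(no_cookies))
```

With either header withheld, this log no longer links the two visits; the same-IP case from the entry is a separate signal that neither setting removes.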