NetIDme privacy and security problems put children at risk
The Daily Mail and Sky News have been hyping the launch of Net-ID-me, which is claimed by the NetIDme Limited company's founder Alex Hewitt to somehow be:"
Net-ID-me.com is the world’s first Internet Age and Identity Verification System that enables Internet users to exchange real-time electronic ID cards before chatting online. The system helps to significantly reduce the risk of teenagers being groomed online
Is this really the very first such system in the world ?
We are reminded of our criticisms of the launch of the ChildLocate mobile phone Location Based Service, back in October 2003.
NetIDme seem to have launched Yet Another Commercial Service Aimed At Exploiting Fear For Children's Safety, without bothering to take some cheap and simple precautions to
protect the privacy and security of their customers, and to instill a measure of Public Trust in their no doubt well intentioned service.
At the moment, until the following criticisms are sorted out, we would advise any parents or children to boycott this new service / product - it has the potential to put your children more at risk than by not signing up for it at all !
Why was the service launched in public, without the following points having been addressed ?
- Where is there any assurance that all of the staff at NetIDme have been subjected to at least the same level of checks on the Criminal Records Bureau , as if they were employed at a school ?
There is no such assurance.
Why should any parent trust a commercial organisation which aims to build a database of "hundreds of thousands" of Children's online identities within a year, without even this level of assurance against "insider" attacks ?
- Why is there no use of Secure Sockets Layer version 3 (SSL) or Transport Layer Security version 1.0 session encryption either when filling in the sensitive personal details such as Nickname and Password during registration, or to protect the online credit card details, or for a child to actually log on to the service via the website ?
There is no SSL Digital Certificate installed on httpS://www.netidme.com webserver [62.232.97.26] !
Similarly there is no SSL Digital Certificate in operation on the corporate www.netidme.net [194.154.164.66] webserver either.
Given the sensitive personal information which is collected, and the usernames ("nicknames") and passwords which are transmitted in the clear over the internet, where they can be harvested and intercepted by malicious people or software on, for example , a school's local area network, or at the level of child's internet service provider, why has this simple, and realtively inexpensive, bog standard e-commerce precaution not been taken ?
SSL/TLS encryption, especially without a client side certificate installed in your web browser is not infaqllible, but it would go a long way to prevent the genuine NetIDme credentials from being stolen by anyone with physical access to, say, a school's local area network or to an unsecured home wireless LAN etc.
See the next blog posting for the continuation of this article