Shostack + Friends Blog Archive

 

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic:

Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there was no risk to users, and the experiment went drastically wrong. “Within five minutes, users had got hold of his telephone number, home address, photographs of him and a ton of other information,” said Mr Brand.

The customers apparently really liked their privacy, and “Blizzard backs off real-name forum mandate.” Which, you’d think, would end the uproar. But no. This morning, “Gamers Who Complained About Blizzard’s Forum Privacy See Email Addresses Leaked,” with the leak coming from the Entertainment Software Rating Board. Interestingly, the ESRB Online Privacy Policy is one of the few that does not start “your privacy is important to us.” Who knew that line was important?

The key lesson is that your customers think about identity differently than you do, and trying to add it to a system is fraught with risk. (Don’t even get me started on the jargon “identity provider.”)