Security, privacy ideas emerge at Demo Spring conference

Amid the companies presenting are startups doing two-factor authentication, Facebook profile-cleaning and clearer terms of service

The cool new Internet ideas of yesteryear often create the headaches of today, and some startups at the Demo conference are starting to try to solve those problems.

Young companies at this week's edition of Demo will be pitching a service to secure online transactions, a way to wipe objectionable entries from Facebook profiles, and a tool to simplify terms of service for both developers and consumers.

Toopher

One of the most common ways to supplement password protection for access to enterprise resources or online services is two-factor authentication. Typically, this involves a constantly changing code that is delivered through a dedicated card, a numeric display on a credit card, or a mobile app. Users have to enter both a password they know and the current code from the device they're carrying in order to get onto a corporate VPN or a banking website.

When Toopher CEO Josh Alexander looked at this system, he saw high cost and inconvenience. The worst of it is, it forces users to take something out of their pockets in order to prove their identity to a website, he said. So, in place of a real-time code, Toopher uses the customer's current location, continuously transmitted by their mobile phone. The company's slogan is "Keep it in your pants."

Eliminating the need for tokens will make Toopher a more viable option for consumer services, which have largely rejected two-factor authentication, Alexander said. "Amazon's not going to pay $40 per year for each user to have a secure token," he said.

With Toopher, users download a smartphone app and register one or more locations as places where they typically do online transactions. The PCs or tablets they regularly use to access the online service also are identified, through cookies or other mechanisms. (Developers of smartphone apps can also set up Toopher to provide two-factor authentication right on their users' phones.) The assumption behind Toopher is that most consumers carry their phones with them everywhere, and criminals are unlikely to try an unauthorized login from the consumer's own computer while near their phone, in their home or office.

If a user registers her home as an authorized location, for example, then the website's authentication system will check the location of her phone after she enters her password. The location data never leaves the phone. If the phone isn't in her home at that time, she will get a prompt on her phone to manually grant or deny the login request, Alexander said. If the phone says it's in one of the authorized locations, the authentication works without the phone even being turned on.

The key to Toopher is that this doesn't require much effort. Though two-factor authentication with changing codes is fairly secure, no one likes to take out another device and copy a number from it, he said.

But Toopher can even be more secure than a real-time password in some cases, according to Alexander. For example, Toopher can re-authenticate users after login, every time they try to take an important action. This prevents hackers from taking over the session right after the user logs in, he said. Also, by setting a virtual boundary around authorized locations, the user can prevent improper transactions just by walking away from the computer. Rather than waiting for a predefined time before automatically logging the user off, Toopher does it when they leave.

The service can also be gated by time of day. For periods when a user normally wouldn't carry out a transaction, such as at night, he can make it impossible to authorize logins except by responding to a prompt on the phone to grant or deny the login request.

Alexander, who is a financial manager and a risk management professor, and his three partners in the venture have funded Toopher entirely by themselves. Toopher is available now in private beta. It will be offered on a SAAS (software-as-a-service) model, using licenses based on the number of authentications a customer needs to carry out peak hours. For small organizations with fewer than 500 customers, Toopher is free.

The software is available for Android now and will be out for Apple iOS soon, Alexander said. Toopher is also looking at other smartphone OSes for future deployments, he said.

NetworkClean

If the eyes are the window to the soul, the Facebook profile sometimes looks like the doggy door. In the heat of status updates and comments, what appears on your profile doesn't always present your best side. NetworkClean says it can spruce up your image through a network-based service that searches text and flags potentially offensive or embarrassing words and phrases.

Even if employers requesting job applicants' Facebook logins is not as common as it seemed during a recent controversy, individuals' profiles on the site can affect their professional prospects if they're visible to the public. And companies, celebrities and just about anyone else with a brand now uses Facebook fan page to support it. NetworkClean CEO Kishore Mamillapalli co-founded the self-funded company with COO Doug Haustein to make it easier to know and control what's in your profile.

After signing up for NetworkClean, a user can log in to Facebook through the service and then use one click to scan their entire Facebook history or just all the entries from a recent period. When it scans the customer's profile, NetworkClean looks for offensive language and for thousands of other terms, such as "attack," that might be part of a comment that would cause a reader concern. The user can customize the list of searched terms.

Once the user can see those words flagged, they can delete or ignore one or all of the entries that use a given term. Scanning can also be set to take place automatically while the user is away and not even logged in to Facebook, Mamillapalli said. For companies and organizations with Facebook fan pages, NetworkClean can save having to hire extra staff to monitor those pages for criticism and potentially offensive material, Mamillapalli said. All deleted items will remain available in NetworkClean for future reference.

The service checks anything that's linked to the customer's profile, including personal information, status updates and content they've posted, comments that friends made on those posts, and tags on other people's photos. Facebook provides tools to remove any of those things, but NetworkClean makes them easier to find and manage.

Another potentially useful feature of NetworkClean is constant monitoring of the user's privacy settings. The company promises to make the consumer's view of the myriad of Facebook security options simpler and easier to understand, and to flag settings the user might want to change. For example, it might warn a customer that they have disclosed both their birthdate and their hometown, a combination that could be used for identity theft. This tool will keep up with and remind users of changes in Facebook's privacy options.

NetworkClean is scheduled to launch on Thursday in beta test form, as a free service for individuals. Fan pages will be added soon after, Mamillapalli said. The Los Angeles-based company plans eventually to charge companies to use it, while keeping the consumer version free with targeted ads, COO Haustein said. After tackling Facebook, the company plans to take on other social-networking sites, such as Twitter and LinkedIn, he added.

Tosigram

No one, except perhaps lawyers, likes the lengthy terms of service and privacy policies for websites. Yet they're probably with us to stay, and both the number of online services consumers use and their privacy concerns about them continue to grow. That's the problem Andrew Chen wanted to solve with Tosigram, a service that can create customized terms of service and translate them into a few easy-to-understand bullet points for users.

"As someone who's really focused on the user experience, it's always been a pretty big pain point, in my opinion, to see all those terms of service and not be able to read them, but you still have to agree to them," Chen said. "So I always thought that's going to be an issue that's going to blow up sooner or later."

Terms of service dictate both what customers can do on a site and what that site can do with its customers' information. Well-funded websites can afford a legal team or law firm to write up terms of service just for them, while smaller ventures often just download generic documents and post them on their pages, Chen said. The former is expensive and time-consuming, and the latter isn't the best solution for startups, he said.

Tosigram is designed to automate the creation of custom terms of service. Web developers answer questions about what they want users to be able to do on their sites and what they plan to do with the visitors' data, and Tosigram puts together the chunks of legal language that cover those points into a document. Then it translates that document into a concise list of advisories that can appear when users sign up to use the site, Chen said.

For example, bullet points on the summarized terms of service might say that personally identifiable information will only be used for that service and it won't be stored or sold, but anonymous usage data may be collected. Other points could note the minimum age for users and give guidelines for participation on the site, such as not posting offensive material and not linking directly to hosted files.

The full terms of service document would still be a hefty piece of text, which any prospective user could click to open up. But few Web users read those full terms, which is why Tosigram is providing the bullet summary.

Chen, a high school senior from Naperville, Illinois, formed Tosigram with two partners who attend universities in the Chicago area. Chen designed the user interface, while one partner wrote the code and the other, a law student, wrote the terms-of-service content. To finish the final product, Tosigram plans to enlist a law firm to act as an advisory board.

The company plans to use a "freemium" business model, offering the service free of charge to small startups, with Tosigram's brand appearing on the summary terms of service as a form of advertising to build up its brand. Fee-based services might include a white-label version that sites can use under their own brands. After getting the Web version out in the market, Tosigram plans to create a similar service for mobile apps.

Tosigram will be showing a prototype of the product at Demo but is nearly ready to go into private beta testing, with a public beta possibly next month -- when Chen also will graduate high school.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies