Creators of Trust Me, It’s Art ask users to sacrifice their own internet security to make a statement about internet security.
Don’t ask Taulant Ramabaja for one of his passwords.
“Nobody who’s technical would ever ask anybody for their passwords,” the 21-year-old startup CEO told me at recent tech community gathering he organized in Kosovo’s capital, Pristina. “I know technical people who broke up with their girlfriends because they asked for their Facebook passwords.”
I was chatting with Ramabaja about passwords because I was about to reveal one of my own in a very public way — which anyone who cares about internet security should never do. Not long after, I accessed the Slovenian website Trust Me, It’s Art and submitted an old password of mine, one I haven’t used in ages. It instantly appeared on an online gallery of 600 submissions.
Now, you might be wondering, why on earth would anyone do this? It’s a question I posed to the website creators.
It’s “the rush that you get when you enter your password. You find it in the gallery. It’s always staring at you. You feel vulnerable,” said Jure Martinec, who created the Trust Me It’s Art site with fellow graphic design students Klemen Ilovar and Nejc Prah in Slovenia’s capital, Ljubljana.
The site launched in June, born out of the students’ curiosity about what kinds of things people would submit. For now, there’s clearly a Slovenian bias, with entries like klobasa, which means “sausage.” Eventually, they hope to turn the passwords into a physical installation.
Ilovar said the idea is to make users aware that their private information isn’t all that private.
“Like Facebook and other applications, you give some information about yourself, and this is like, basically, you’re giving much more than you know,” he said. “We’re just more honest. We don’t want to use it. But this is the biggest information you can give to some other person on the internet.”
The three insist they’re not doing anything nefarious with the information, and they warn that users should not feel secure about anything submitted to the site. When I spoke them over Skype recently, they all laughed, declaring over one another, that “It’s not really safe — that was not the point. Maybe not it’s not so smart to tell that.”
All submissions are anonymous, and they’re continuously shuffled. But there aren’t any special security precautions. Ilovar says he wouldn’t mind if a hacker did exploit the passwords.
“That would be a positive reaction for us, for the page, for the project, so if anybody does that, well, we don’t support it but it would be positive thing for the project,” he said, because it would underscore just how insecure the internet is.
In fact, the website creators say wouldn’t shut down Trust Me It’s Art if a hacker were to find a way to use the passwords.
Dan Goodin, the security editor of the US tech website Ars Technica, the approach of Trust Me It’s Art’s creators is wrong-headed.
“It reminds me of somebody saying that to demonstrate and raise awareness about street crime you should take a taxi, (have it) drop you off in the middle of the most dangerous neighborhood at 3 a.m. in the morning and see if you can leave. And, you know, if you get beat up, it’ll show you how dangerous street crime can be,” Goodin said.
Any password that’s submitted to the site can be exploited by hackers easily, Goodin said.
“Hackers will cut and paste every single password that is displayed by these artists in this project and they will be trying those passwords in the future.”
In other words, submitting a real password to Trust Me It’s Art is offering hackers another tool in their arsenal for future raids.
Ramabaja, who runs the startup in Pristina, said submitting a fake password is also risky.
“Even if it’s not your password, it’s still probably, mentally, psychologically connected to what you do or to your actual password or something,” Ramabaja said. “So if someone really wanted to get your password. They could probably use that as a starting point.