I have been thinking about Web 2.0 Security and Privacy and sketched some things (see www.cu-0xff.de/web20sec/). I used the Windows Journal to Silverlight exporter.
First I tried to develop a model for the information gathering in the Next Web usage scenario (sketch at the top). I think one should see the plugins on the machine as a valid part of this model (whether this is a plugin in Firefox, a search bar or a part of the operating system). It is of interest as soon as it collects usage information and communicates it back to a service provider to improve service or quality.
Any kind of service provider gets additional user information from the sheer usage of the service (e.g. a shop collecting information on what you browsed or bought).
Most service providers share information with Ad Distributors in the sense that they host ads on their sites. By combining a context-aware Ad service (which needs some information about the context it is displayed in) with cookies used to track users across different sites, the Ad service itself can collect user information.
Regarding privacy it is necessary to build a model (which is not complete yet; for example, the underlying ISP can collect user information by tracking via its proxies). I will try to fit this into the Microsoft Privacy Model (see www.microsoft.com/privacy).
In the lower sketch I tried to develop a layered model of the parts and pieces involved. Each part and piece can be attacked in its own manner. The question is how to ensure security in this layered world.
I am thinking of doing some kind of workshop on this topic at XTOPIA (see www.xtopia.de). What do you think?