May 21, 2010

Herre we go again...

Sigh, this is classic for anyone who's worried about data privacy when developing web-based apps. The WSJ reports today that:

The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.

Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person's real name, age, hometown and occupation.

So if you click on an ad from your profile page, the referring URL is sent to the advertiser without being scrubbed. Looks like steps are being/have been taken by at least Facebook, but this is a rookie mistake. To ameliorate the sting of yet another Facebook privacy smack-down, other social networks are doing the same:

In addition to Facebook and MySpace, LiveJournal, Hi5, Xanga and Digg also sent advertising companies the user name or ID number of the page being visited. (MySpace is owned by News Corp., which also owns The Wall Street Journal.) Twitter—which doesn't have ads on profile pages—also was found to pass Web addresses including user names of profiles being visited on when users clicked other links on the profiles.

And don' tell me advertisers armed with URL referrers back to user profile pages are making sure they are getting user's consent before looking at the profiles.

Facebook said its practices are now consistent with how advertising works across the Web. The company passes the "user ID of the page but not the person who clicked on the ad," the company spokesman said. "We don't consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user's consent."

A URL referrer (i.e., user ID of the page) is a technicality; if it goes back to the user's profile page then it is a breach of a policy not to divulge personally identifiable information to 3rd parties.

I repeat myself, I'm glad all of this is happening. The social media is growing up and it's the consumers that are ensuring that things are getting safer out there. Apparently when experts expose security issues the fixes languish:

The sharing of users' personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.

I know it's hip to buck the established/academic technology world in social media tech circles, but sometimes these smarty-pants can actually help to prevent some embarrassing moments.

Facebook, MySpace Confront Privacy Loophole -

May 19, 2010

Privacy in the news

Its been an interesting couple weeks for raising privacy awareness. As Facebook gets hammered by its users and the media on privacy concerns (see my earlier post), Google is finding itself in hotter water with German officials and potentially the US FTC with investigations over collecting private data.

I've been watching this story unfold for the last few weeks. German prosecutors are investigating Google's apparent 3 year practice of collecting unsecured WiFi data with its Street View cars. On Friday May 14th Google admitted and apologized on its blog for the "mistaken" collection of private network data. This was after they denied the allegations in an earlier blog post. In the May 14th post Google explains how they inadvertently left experimental WiFi network data collection code in the Street View car code and sent it on the road. An honest mistake, says Google, with no bad or nefarious intentions. Google also made sure to say that it is taking steps to cooperate with officials and remove any offended data. Good.

True this can happen with code, but I'm particularly concerned about the lack of adult supervision that would allow Google to end up in this position. Yes, it is the maverick frontier of Web X.0 and stuff like this happens. But, there are lots of technologist who could have told Google this could happen and helped to protect itself from something like this. They would have also checked the code before posting a denial, to make sure there wasn't any mistake to correct.

Thing is, Google has a lot to lose today, with its foray into enterprise and the fact that is starting to charge for business grade services. It's one thing when you offer your services for free and then muck around with privacy settings (like Facebook). It can really annoy users but hey, they aren't paying for consistency. Its another thing, however, when you're trying to break into the skittish business market, get them to change their thinking about the Web, and trust that you have robust respect and technology for data protection and privacy.

Personally, I'm glad to see all this kerfuffle about privacy. Social networks the size of Facebook and data hoarders like Google are good things but there are risks. As consumers become more educated about those risks the more pressure can be placed on technology providers to mitigate those risks. I remember when cars didn't have to have seat belts or children didn't need to ride in car seats. These are good things that consumers demanded. As more and more people get connected to the Internet, safety should be a leading concern for all Internet providers.

Which company is more social?

Nice graphics and details on the use of social media at top firms. I find the IBM numbers low, probably because IBM has so many private social networks which would not be reflected in these charts. So does that mean that Microsoft personnel use public social networks more because the company hasn't establish strong private social networks? Or is IBMs lower use of public networks a sign of weaker ties to external connections?

Click here to full chart.

May 14, 2010

The Evolution of Privacy on Facebook

Seems that Facebook is the latest privacy poster-child highlighting the strains that come between a service provider seeking a way to cash-in on our desire to socialize and the responsibility the provider assumes to protect its users.

Recent blog posts and articles have recently come out on the (de)evolution of privacy on Facebook since 2005. Kurt Opsahl of the EFF provides an handy timeline of changes to Facebook's Terms of Service through the years. This posting prompted Matt McKeon at IBM Research's Center for Social Software to create a more specific timeline and interactive chart (click on image below for link to interactive chart and blog post).

Matt points out on his blog:
However, Facebook hasn't always managed its users' data well. In the beginning, it restricted the visibility of a user's personal information to just their friends and their "network" (college or school). Over the past couple of years, the default privacy settings for a Facebook user's personal information have become more and more permissive. They've also changed how your personal information is classified several times, sometimes in a manner that has been confusing for their users. This has largely been part of Facebook's effort to correlate, publish, and monetize their social graph: a massive database of entities and links that covers everything from where you live to the movies you like and the people you trust.

In a May 13th blog post, Ken Opsahl continues his coverage and urges Facebook to "follow its own Principles." According to Opsahl, Facebook's current privacy practices coupled with Elliot Scrage's (Facebook's VP for Public Policy) flippant responses in a recent NYT readers' question and answer piece, amount to a boatload of double-speak coming out of Palo Alto when it comes to user data privacy.

Social software wants to be open by nature. Which is crux of the current Facebook privacy kerfuffle. Without openness connections can't be made. However, with any social group there are implied rules for who can participate, what gets shared, and how. From a user's point of view, social wants to be open, but not that open.

A third party, who's purpose it is to facilitate, moderate, and monetize social activity, can be at odds to the purpose of the user. It is the third purpose of the service provider, making money, that creates the tailspin. Today Facebook takes the point of view that the act of registering for a Facebook account is implicit permission for Facebook to use any information a user posts for Facebooks own purposes (we're talking about making money here). Facebook is not just there to facilitate the connections that users want to make. After all, Facebook isn't free for Facebook.

If you look at Matt's interactive chart big changes happened between 2007 and 2009. Yea, I know a whole year, but I suspect 2008 would show some other interesting data, like jumps in numbers of users, increased numbers of applications, and even increased investment into Facebook. In other words Facebook's business changed and the opening up of user data provided the means for creating monetary value in Facebook.

Social networking has reached a tipping point where the "trust" levels are diminishing as usage rises. As more people and applications use the information we post in social networks, the more skittish we become. Not without reason, the rise in spam/malware attacks, bullying, "checking-up on" by employers/neighbors/creditors, and identity theft on social media is an indication of how valuable the social media dirt is to others. Of course users want more protections with consistent policies and experiences. But maybe we're gonna have to pay for that luxury.