Wearable gadget

Identity and Anonymity

In the coming years most of us will be carrying or wearing smart technology. How to manage the digital trails we emit in everyday interactions? We need solutions that can protect both our identity and our right to anonymity  Read More

Unexpected social connections

In the past couple of weeks there have been a series of articles raising concerns about the amount of personal data being published to online social networks and the potential for it to be used for ill intent.

There are two different scenarios people should consider before sharing personal information:

  1. Would I mind if a complete stranger knew that information?
  2. Do I mind what any of my ‘friends’ do with the information?

If the answer is Yes to either question think twice before putting that personal information online at all. That’s not to say sharing is inherently good or bad. But once you have shared information with anyone, you have lost control of it. If you answered ‘No’ to question two above, you answered ‘No’ to both.

Social Network Connections

Here is a simple scenario using Facebook. In the image above, the green buddy is you. The blue buddies are your ‘friends’. The red buddies represent everyone else with Internet access.

You set up your privacy settings so that only friends can see your personal information. Anyone who is on Facebook but not a friend will only see your name, nothing else. That’s your decision.  Sounds sensible. Sounds under control.

But if one of your friends decides to share information with their friends or third party applications, they may handover your personal information as well. It can be done in complete innocence and for good intentions – ‘I want to send birthday cards to my friends’, ‘Are any of my friends nearby to meet up with?’, ‘I’m interested in this group, I’ll add my friends to it as well’, ‘Has anybody in my network bought this <insert name of any item>?’ In the right context, all great stuff. But information about you has now been handed over to and stored somewhere beyond your control. The same applies to every application or web site that you allow to connect to your Facebook profile. Do you read all the terms and conditions, the notes about agreeing to data being stored indefinitely or granting access to other third parties?

It is not just you who decides how secure your personal information is. If you decide to share it with them, all your friends get to decide too. As do all the apps and web sites you connect to. And if you’re one of Facebook’s social butterflies, everyone gets to decide.

This doesn’t mean you should head straight to Facebook and switch everything off (too late for existing content anyway) but if you are going to participate in online social networks and care about what happens to your personal data, it’s a good idea to keep track of privacy settings and changes to policies.

If you’re not paying for a product, you’re not the customer, you are the product being sold. – Andrew Lewis

For Facebook and every application/advertising tool that uses it, it is in their best interests to get you to share your personal information. They will make it as easy and seamless to do as possible. And many will make it difficult or inconvenient to change those default settings to be more private. So think long and hard about what you want to share with anyone. And question whether having different privacy policies for everyone versus ‘friends’ actually means anything. A simpler (and more reliable) approach is to either share something with nobody or share with everybody.

A hassle, yes. But massive online social networks are still a young concept on the Internet meaning lessons will be learned the hard way. And everyone with a Facebook account can count themselves as one of the testers.

References

Lessons from Facebook’s experiments

[Update] Adding links and references as they bubble up on this topic…

There has been a range of news recently about Facebook’s latest approach to users’ privacy.

Wired has an article – Facebook’s Gone Rogue; It’s Time for an Open Alternative – explaining the concern being raised by many. By default, Facebook is now connecting and publishing every piece of data you choose to share on the platform. You may think you are only sharing your photos with your friends and family, but you are granting permission for Facebook to share your content with everyone and anyone on the Internet.

Robert Scoble has an article – Much ado about privacy on Facebook – with the counter argument. That we’re kidding ourselves if we ever thought anything we share on a computer, especially one connected to a network, is private. Facebook is just exploiting that which others have exploited less visibly (or easily – and that’s the key difference) in the past, and in the process helping people find what they need in ways Google never can.

Robert has a point. However the picture is a little more complicated. Not everyone wants to share their entire life online with everyone else and every organisation on the planet. Some people have very good and legitimate reasons not to. You could argue that such people simply shouldn’t be on Facebook. But in the past, it wasn’t a problem – the default behaviour in Facebook’s privacy policy was that information would only be shared amongst your network, which could be as large or small as you choose it to be. And your content stayed within the walls of Facebook unless you chose to opt-in to third party applications. That has now all changed and Facebook does not make deleting anything easy. Even if you choose to leave, if your ‘friends’ have already shared your content or tagged their own content with your name then your identity will continue to persist without you. And if you choose to stay, for certain content it is now all or nothing – if you try to opt-out of sharing with everyone then it will be removed from your profile and friends will no longer see it either.

Facebook is transitioning from a site for building social networks between friends to being one giant social network. A new mesh of connected personalised data is being created that has never before been possible. And that mesh is being shared with whatever organisations Facebook chooses to do business with. At the same time as we are seeing new tools arise that can mine massive amounts of data for patterns and profiling… We don’t yet know what all the implications – good and bad – will be. And whilst Robert highlights the good, history tells us there will also be bad. This is a live experiment that over 400 million people (and that’s just the active users) unknowingly volunteered to participate in.

Related Blog Posts

References

Other posts of interest on this topic:

March News and Links

Here’s a selection of links shared during February via Google Reader, Delicious and Twitter. Organised into the usual overlapping categories: Systems and the bits and pieces that make them work.Hot topic this month- games and reputation starting to be examined seriously as social media rumbles on into the workplace. Enjoy!

Systems

People

Information

Technology

…and finally, finishing with the usual bit of fun. Well two bits this month as couldn’t decide between them:

1. Dilbert highlights a painful reality for too many projects

Dilbert.com

2. Why companies needn’t worry too much about how people blog – stuff usually catches up with you and lessons are often best remembered when learned the hard way…

I know what you bought last summer

The rumblings over Facebook banning Robert Scoble have opened up all sorts of conversations about who owns or controls your data – see also: Data as currency. One issue that has been highlighted is how easy it is for people to scrape enough information about you to form an identity. Scoble was running an automated script to pull out contact details by the thousand.

Yesterday, another related article cropped up on Techmeme – Sears Exposes Customer Purchase History. It appears that Sears added a feature on their web site where you could look up your purchase history. All you had to do was enter your name, address and telephone number. Trouble is, whilst you had to have an account and login to the site, you could then enter anybody’s name, address and telephone number to view their purchases. Somebody forgot to restrict access to only purchases associated with the authenticated user. Since the news became public, Sears have disabled the feature to sort it out.

But it does raise yet another warning about how easy it is for companies to accidentally make too much information public, be it downloading database records to a CD or making those records available online. Mash-up poor (or missing) security controls with automated scripts to gather contact details and our criminal friends won’t need to go phishing for dinner.

Data as currency

During the past 24 hours, there has been a flurry of discussion about Facebook banning Robert Scoble. Robert was running an automated script to scrape his ‘friends’ contact information (5,000 of them) out of Facebook. The script was being tested on behalf of Plaxo, an online address book that can automatically update contact details.

I think Facebook was correct in having a process that detected suspect behaviour and automatically disabled it. If only the HMRC could have implemented something similar, 25 million people in the UK wouldn’t be wondering if they are going to be the victims of identity fraud…

But the debate that is really kicking off is who owns the data that was being scraped – the service that stores it, the individual who posted it, or the ‘friend’ who has been given access to view it. This will be an ongoing argument for 2008 and Facebook will not have a monopoly on headlines. The Financial Times ran an article just before Christmas – The devil in the details – that explored the effects and cost of privacy breaches as more and more personal data is stored online. One particularly interesting scenario highlighted how government agencies are using data as currency:

¨While you can obtain [Transport for London’s Oyster Card] over the counter without providing personal de­tails, you can get a refund on a lost card only if you have given your name and address. So to get full economic value from an essential service, you must hand over your data. Is this informed consent, or de facto coercion?¨

It’s an interesting development. In the past, you would have just needed to produce a valid receipt to get a refund.

Related links: