In the coming years most of us will be carrying or wearing smart technology. How to manage the digital trails we emit in everyday interactions? We need solutions that can protect both our identity and our right to anonymity Read More
In the past couple of weeks there have been a series of articles raising concerns about the amount of personal data being published to online social networks and the potential for it to be used for ill intent.
There are two different scenarios people should consider before sharing personal information:
- Would I mind if a complete stranger knew that information?
- Do I mind what any of my ‘friends’ do with the information?
If the answer is Yes to either question think twice before putting that personal information online at all. That’s not to say sharing is inherently good or bad. But once you have shared information with anyone, you have lost control of it. If you answered ‘No’ to question two above, you answered ‘No’ to both.
Here is a simple scenario using Facebook. In the image above, the green buddy is you. The blue buddies are your ‘friends’. The red buddies represent everyone else with Internet access.
You set up your privacy settings so that only friends can see your personal information. Anyone who is on Facebook but not a friend will only see your name, nothing else. That’s your decision. Sounds sensible. Sounds under control.
But if one of your friends decides to share information with their friends or third party applications, they may handover your personal information as well. It can be done in complete innocence and for good intentions – ‘I want to send birthday cards to my friends’, ‘Are any of my friends nearby to meet up with?’, ‘I’m interested in this group, I’ll add my friends to it as well’, ‘Has anybody in my network bought this <insert name of any item>?’ In the right context, all great stuff. But information about you has now been handed over to and stored somewhere beyond your control. The same applies to every application or web site that you allow to connect to your Facebook profile. Do you read all the terms and conditions, the notes about agreeing to data being stored indefinitely or granting access to other third parties?
It is not just you who decides how secure your personal information is. If you decide to share it with them, all your friends get to decide too. As do all the apps and web sites you connect to. And if you’re one of Facebook’s social butterflies, everyone gets to decide.
This doesn’t mean you should head straight to Facebook and switch everything off (too late for existing content anyway) but if you are going to participate in online social networks and care about what happens to your personal data, it’s a good idea to keep track of privacy settings and changes to policies.
If you’re not paying for a product, you’re not the customer, you are the product being sold. – Andrew Lewis
For Facebook and every application/advertising tool that uses it, it is in their best interests to get you to share your personal information. They will make it as easy and seamless to do as possible. And many will make it difficult or inconvenient to change those default settings to be more private. So think long and hard about what you want to share with anyone. And question whether having different privacy policies for everyone versus ‘friends’ actually means anything. A simpler (and more reliable) approach is to either share something with nobody or share with everybody.
A hassle, yes. But massive online social networks are still a young concept on the Internet meaning lessons will be learned the hard way. And everyone with a Facebook account can count themselves as one of the testers.
- Selling you on Facebook – Wall Street Journal, Apr 2012
- Selling digital fear – TechCrunch, Apr 2012 (response to WSJ article)
- This creepy app is a wakeup call for Facebook privacy – Cult of Mac, Apr 2012
- Facebook: Tracking your web activity even after you log out? – PCMag, Sep 2011
[Update] Adding links and references as they bubble up on this topic…
There has been a range of news recently about Facebook’s latest approach to users’ privacy.
Wired has an article – Facebook’s Gone Rogue; It’s Time for an Open Alternative – explaining the concern being raised by many. By default, Facebook is now connecting and publishing every piece of data you choose to share on the platform. You may think you are only sharing your photos with your friends and family, but you are granting permission for Facebook to share your content with everyone and anyone on the Internet.
Robert Scoble has an article – Much ado about privacy on Facebook – with the counter argument. That we’re kidding ourselves if we ever thought anything we share on a computer, especially one connected to a network, is private. Facebook is just exploiting that which others have exploited less visibly (or easily – and that’s the key difference) in the past, and in the process helping people find what they need in ways Google never can.
Facebook is transitioning from a site for building social networks between friends to being one giant social network. A new mesh of connected personalised data is being created that has never before been possible. And that mesh is being shared with whatever organisations Facebook chooses to do business with. At the same time as we are seeing new tools arise that can mine massive amounts of data for patterns and profiling… We don’t yet know what all the implications – good and bad – will be. And whilst Robert highlights the good, history tells us there will also be bad. This is a live experiment that over 400 million people (and that’s just the active users) unknowingly volunteered to participate in.
Related Blog Posts
- Do search and social networks mix? – March 2010
- Facebook’s Gone Rogue; It’s Time for an Open Alternative – Wired
- Much ado about privacy on Facebook – Robert Scoble
- Facebook’s “Evil Interfaces” – Electronic Frontier Foundation
- Top 10 reasons you should quit Facebook – rocket.ly
- Facebook Statistics – Facebook Pressroom (as published on 9th May 2010)
- Infographic: Facebook privacy options – New York Times
Other posts of interest on this topic:
- The Facebook Alienation: Pleasing the Wrong Stakeholders – Strategyist, May 2010
- Why I am using Google Buzz as an alternative to Facebook – Louis Gray, May 2010
- Publicly searching Facebook status updates – TechCrunch, May 2010
- Facebook as a utility, utilities get regulated – Danah Boyd, May 2010
- Goodbye Facebook – Neville Hobson, May 2010
Here’s a selection of links shared during February via Google Reader, Delicious and Twitter. Organised into the usual overlapping categories: Systems and the bits and pieces that make them work.Hot topic this month- games and reputation starting to be examined seriously as social media rumbles on into the workplace. Enjoy!
- Rwanda’s laptop revolution – the ‘one laptop per child’ programme in practice and enabling change
- Lessons from Chile – better building codes work and the importance of architecture
- Social media protest against Nestle may have long standing ramifications – other brands, take note
- Social Media cheat sheet – nice guide for any looking to use social media to enhance their business
- On unintended consequences – three unrelated examples remind of the unforeseen
- Keep Moving Forward vs Defend & Extend – Opposing strategies: how Apple and RIM took mobile market share from Microsoft and Palm
- Planning is very important … it doesn’t work – the plan is not the goal, it is the current best picture
- Blog post: Did the clouds just get darker – global cloud services get entangled in local borders
- Blog post: Social Media judges the Olympics – trending topics on Twitter show real-time analytics
- Blog post: You cannot walk in another’s shoes – how our perception trumps reality
- Blog post: How to lower productivity – monitor what everyone is doing
- The Performance Paradox – focus on movement rather than timing
- 10 principles for leading and managing in the networked knowledge workplace
- Cognitive learning theories and e-learning – how cognitive learning abilities are acquired
- Before they were titans: putting rejection letters in perspective – nice reminder of priorities in life
- Will Twitter Spam Ruin Your Reputation – the challenge facing social media and the systems depending on it
- Should Doctors Google Their Patients – revenge of the professional? 🙂 but a serious question… changes diagnosis?
- Games entering the workplace as a topic is hotting up – and not before time
- Gaming can make a better world – TED Talk
- Thinking the unthinkable – 12 months ago, who would have thought Toyota would be in the position its in today?
- Unifying probabilistic and rules-based approaches to artificial intelligence – human and machine-based approaches to learning and decisions
- Analysis of the UK budget on a human scale – puts deficit in perspective (FT.com – subscription may be required)
- Blog post: Do Search and Social Networks mix? – Does all information want to be found? Google Buzz thoughts
- Blog post: Blogging mistakes help improve policy – sometimes you need to learn the hard way
- On risk – defining the boundaries between good policy and excessive application gets harder
- Pew Internet on how we get our news – latest statistics: Of those who get news online, 75% forwarded through email or posted on social nets and 52% then share onwards – suggests participation is increasing over pure consumption
- Stanford Uni Workshop on Algorithms for Modern Massive Date Sets – presentations
- Why privacy is a human right – an old post by Bruce Schneier worth dusting off once in a while as data goes public
- Blog post: SharePoint 2010 and Adobe PDF indexing (updated from SharePoint 2007)
- Blog post: Microsoft’s Productivity Hub (add-on site collection for SharePoint)
- Analysts review of SharePoint 2010 – Gartner, IDC, Forrester
- Blog post: Concerns with cloud computing – looking beyond the technical issues
- Blog post: Private Public Sector Clouds – how commerce is creating dedicated cloud services for government
- Microsoft on cloud computing – gallery of video talks
- Redesigning school from in-world out – how a UK school used SecondLife to 3D model plans and avoid costly mistakes
- Do experiments, not projects – IT is no longer simply automating existing manual processes, it is trying to change the way people think and behave. Nobody really knows what’s going to happen (the need to move away from the fixed delivery boundaries of IT projects)
…and finally, finishing with the usual bit of fun. Well two bits this month as couldn’t decide between them:
1. Dilbert highlights a painful reality for too many projects
2. Why companies needn’t worry too much about how people blog – stuff usually catches up with you and lessons are often best remembered when learned the hard way…
The rumblings over Facebook banning Robert Scoble have opened up all sorts of conversations about who owns or controls your data – see also: Data as currency. One issue that has been highlighted is how easy it is for people to scrape enough information about you to form an identity. Scoble was running an automated script to pull out contact details by the thousand.
Yesterday, another related article cropped up on Techmeme – Sears Exposes Customer Purchase History. It appears that Sears added a feature on their web site where you could look up your purchase history. All you had to do was enter your name, address and telephone number. Trouble is, whilst you had to have an account and login to the site, you could then enter anybody’s name, address and telephone number to view their purchases. Somebody forgot to restrict access to only purchases associated with the authenticated user. Since the news became public, Sears have disabled the feature to sort it out.
But it does raise yet another warning about how easy it is for companies to accidentally make too much information public, be it downloading database records to a CD or making those records available online. Mash-up poor (or missing) security controls with automated scripts to gather contact details and our criminal friends won’t need to go phishing for dinner.
During the past 24 hours, there has been a flurry of discussion about Facebook banning Robert Scoble. Robert was running an automated script to scrape his ‘friends’ contact information (5,000 of them) out of Facebook. The script was being tested on behalf of Plaxo, an online address book that can automatically update contact details.
I think Facebook was correct in having a process that detected suspect behaviour and automatically disabled it. If only the HMRC could have implemented something similar, 25 million people in the UK wouldn’t be wondering if they are going to be the victims of identity fraud…
But the debate that is really kicking off is who owns the data that was being scraped – the service that stores it, the individual who posted it, or the ‘friend’ who has been given access to view it. This will be an ongoing argument for 2008 and Facebook will not have a monopoly on headlines. The Financial Times ran an article just before Christmas – The devil in the details – that explored the effects and cost of privacy breaches as more and more personal data is stored online. One particularly interesting scenario highlighted how government agencies are using data as currency:
¨While you can obtain [Transport for London’s Oyster Card] over the counter without providing personal details, you can get a refund on a lost card only if you have given your name and address. So to get full economic value from an essential service, you must hand over your data. Is this informed consent, or de facto coercion?¨
It’s an interesting development. In the past, you would have just needed to produce a valid receipt to get a refund.
- Scoble: freedom fighter or data thief? (Rough Type, Jan 08)
- I’ve been kicked off Facebook; What I was using to hit Facebook; Facebook lets me back in (Robert Scoble, Jan 08)
- Devil in the details: Why personal data are ever more open to loss and abuse (FT, Dec 07)
- UK families put on fraud alert (BBC News, Nov 07)
[Update: 28th Dec] Link updated as the author has moved the post.
Google has been in the news over the past couple of days, introducing a feature that has upset a few people by opening up their ‘shared’ news items to everyone in their contacts list (as opposed to them notifying selected users to view their shared items). Check out the following link for a quick overview (bit of an extreme and inaccurate title, but hey ho) – Google Reader shares private data, ruins Christmas. One of the comments highlighted within the post is interesting from a different perspective:
¨Please fix this and let us OPT IN to who we want to share with… Don’t make me leave my Google apps¨
If you are using Google services, you get the same set of applications regardless of whether its for personal or business use. Chances are, you will use those applications in different ways depending on context. But it easy to forget what context you are in when everything looks the same. This has happened before…
Back in the early 90s, I was a local area networking (LAN) newbie, starting out with Novell NetWare 2.2. At the time, my lucky users had Windows 3.1 on their desktops. (If you remember GPFs, you’ll know just how lucky they were.) The network server sat in the office and nobody ever dared touch it. It was different. Physically, it looked the same (because it was, from a hardware perspective – aside from a whopping double the RAM at 8Mb). But the monitor displayed gobbledygook that looked nothing like the software on their desktop PCs.
After a couple of years, a mandate from above and beyond (ours was a small satellite office, HQ was in a land far far away) resulted in a network migration to Windows NT. When I first started to learn about NT, I hated it. For one simple reason. It looked just like Windows on the desktop. I could no longer risk leaving the server in the office. If someone was stuck with a GPF on their own computer, they might go and try using the network server, not realising it wasn’t just another desktop PC. If there was a problem with the network and I wasn’t around, the more ambitious users would have a go at fixing it. It looked similar to their desktop PC – the icons looked familiar – and they often figured the same trick of doing a reboot ought to sort it out… Thank goodness nobody had mobile phones back then, I could carry on at college blissfully unaware and sort out the mess the next morning. When the Finance Dept had enough of not being able to access accounts because somebody had crashed the network again, we converted a kitchen area over the weekend and, from that day forward, servers have been kept locked up in server rooms.
The Google-gate that has occurred over Christmas (and ditto for Beacon-gate that Facebook caused earlier this month) is history repeating itself. The challenge this time around is that business is being mixed with pleasure, providing plenty of opportunities for trouble and strife.
Google introduced a new feature to its Google Reader service – connecting Google Reader with Gmail. Anybody who had chosen to share items in Google Reader discovered that the items were now being shared with everyone in their Gmail contacts list. People have been upset because their Gmail contacts list contains a mix of contacts – friends, family, business, occasional communications etc. They are the same, but different. People didn’t consider ‘share’ to mean ‘share with everyone’.
Any software company that produces tools to be used in different contexts needs to be sensitive to the differences. And we. as users of those tools, need to be equally sensitive to the similarities. When you decide to ‘share’ something, it is no longer private. Yes, you ought to be able to opt in/out of new features when they are introduced. But web-based services make beta testers out of us all. Like it or not, you can’t choose to wait for service pack 3 to avoid unexpected outcomes. And if you use the same tool for both business and pleasure, be prepared for the two to mix…
*GPF = General Protection Fault, a regular occurrence in Windows 3.1 that would freeze the machine (this was back when there was no multi-tasking – if your computer was printing, you couldn’t even play Solitaire whilst you waited)
An interesting blog post has highlighted how Gmail accounts can be hacked – Google Email Hijack Technique. Aside from the issue that it appears quite easy for someone/thing who knows what they are doing to start snooping on your email (more than slightly worrying), the blog post highlights a new security challenge for anyone beginning to rely on hosting data in ‘the cloud’ – i.e. stored on remote data centres and accessed using online services. Think Gmail, Flickr, YouTube, Facebook, Office Live, MySpace, LiveJournal, SalesForce…
When viruses first appeared, the primary method of spread was through infected disks. People had a habit of leaving floppy disks in computers. When the computer was next switched on, a virus would copy across from the floppy disk (way back when, the floppy disk drive was the first item read when your computer started up and the most common form of network for file sharing). Your computer would start to behave oddly as files became corrupted and you lost all your data. People, through training, threats and learning the hard way through experience, began to get better at not leaving disks inserted in computers when they switched off. But it didn’t matter because the threat changed…
Along came email and networks. New ways of hacking accounts, crashing computers and corrupting data arose that no longer relied on a floppy disk to spread the havoc. And new challenges appeared – spam overwhelming inboxes, phishing scams persuading people to willingly hand over bank details. Whilst some attacks were purely web-based (fake sites pretending to be your friendly bank), the majority of attacks still focused on taking control of your computer and doing bad stuff with it. But having a computer crash has become less of a worry as more data is being uploaded onto the web. Our need to have our data available regardless of the device we happen to be using means our devices are more resistent to damage. If your computer gets hacked, wipe it and rebuild it, then re-sync with your online services. And so the threat changes again…
The Gmail exploit doesn’t care about your computer, or your mobile phone or whatever device you choose to use. It lives in ‘the cloud’, hacking directly into the online services that are hosting your data. If Gmail gets hacked, what do you do? You can’t just format and rebuild, as has worked in the past with computers. You don’t control the service or the computers where your data is stored. Instead, you have to trust Google (or whichever service provider you happen to be using) to fix the issue. It’s a different dynamic and one that will need to be considered by any organisation planning to switch from local servers to fully hosted services.
There is a bit of a furore going on over a piece of code being leaked to the web that enables you to crack HD-DVDs. However, one of the blog posts/news articles includes a snippet of information that I am more interested in, because it highlights a big flaw in the strategy for moving your data into the Internet cloud. Snippet from a blog on Wired, documenting a takedown notice from Google to someone using their Google Notebook application (bold highlighting is mine):
… Google has been notified, according to the terms of the Digital Millennium Copyright Act (DMCA), that content in your notebook Google Notebook Entry allegedly infringes upon the copyrights of others. The particular section of your notebook in question is the section covering www.digg.com/users/entangledstate/news/dugg …
…. If you do not do this within the next 3 days (by 4/30/07), we will be forced to remove your entire notebook. If we did not do so, we would be subject to aclaim of copyright infringement, regardless of its merits. We can reinstate this content into your blog upon receipt of a counter notification pursuant to sections 512(g)(2) and (3)of the DMCA…
Back in March, I wrote a post – Google and Microsoft looking alike – talking about Google’s strategy for getting us to use their online services for storing our data. If they are happy to act as big brother on behalf of people who use the DCMA as an easy form of censorship, will we be comfortable to hand over the keys to our information?
Take a simple scenario. I use Gmail for email. Someone sends me an email containing content that might infringe copyright. Google receives a notification from the copyright owner and issues notices similar to the one above with 3 days to comply. I happen to be on holiday and don’t check my email, so have not even read the allegeded offending email, let alone seen the takedown notice. When I return to work, my entire Gmail account has been deleted. What if I ran my entire business using Google services? Would they all be deleted too? Hmmm…
I last blogged about the DMCA in January 2006 – Post and be damned. The NewScientist magazine had published an article examining the use of the DMCA as a form of censorship. One study found that 47% of takedown notices concerned material that would likely have been deemed fair use. However, the DMCA enables content owners to issue takedown notices without having to go to court, placing the onus on the individual to legally challenge them. Targeting the Internet Service Providers (ISPs) has proven effective – they will simply remove the content unless the individual web site owner is prepared to finance a legal challenge to the notice. Picking on Google (and any other player in the web software/services playground) makes it even easier. Google can simply shrug and say ‘we have to do this or else we would be subject to a claim’. But the impact on the individual or organisation targeted is now even bigger. You don’t just lose your web site, you could lose your entire ability to do business if you rely on web-based services…