Social Networking Spyware in Washington Post

Today’s Washington Post has an A1 story about Facebook Application privacy:

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information — home town, schools attended, employment history — and can use the data in ways that could harm or annoy users.

I’ve previously blogged on the privacy issues of Facebook Apps such as the civil liberties problems when law enforcement agencies create Facebook apps.

It’s good to see this issue gaining mainstream attention, because it means that people will start thinking differently about threats to privacy online. EPIC recently testified at a hearing on spyware. The testimony included social networking applications as a possible vector for spyware.

People at the hearing talked about the need for any legislation in this area to be technology-neutral. The bill being discussed, S. 1625, included language focused on PCs but ignored other threats. The bill had sections making certain behavior unlawful, using language like “caus[ing] the installation on [a] computer of software that” did several prohibited things, such as improperly collecting information or displaying too many popups. But that language is built on the idea that people keep their data on their own computers. With social networking, people keep their data online, with the social networking service. That data should also be protected from new types of spyware, and we should think of improper data collection from social network services the same way we think about improper data collection from our home computers.

Posted: June 12, 2008

Neat Facebook App Named “Privacy”

I ran into a Facebook App named “privacy.” The operation is rather simple:

Privacy, the application, is a utility that provides insight into what information applications can access just by you or your friends using them.

I’ve previously blogged about the civil liberties implications of law enforcement applications. Applications see your Facebook Site information, including:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

The “privacy” application is another way to communicate to people just how much these thousands of third-party developers have access to.

Posted: June 9, 2008

Social Networks as Regulated Utilities?

At CFP’s panel on “Privacy, Reputation, and the Management of Online Communities,” professor Frank Pasquale mentioned the idea of treating social networking service providers as regulated utilities. He may or may not have read about the Facebook VP who described Facebook as akin to a cable company, one carrying social data:

We view ourselves as a technology company at our core. We’re the cable company creating the pipes, and what they carry is social information and engagement information about people.

So they carry your social information: your social relationships and identity, contextualized and with their social meaning, not just Internet packets. Unlike your telecommunications company, Facebook knows the meaning of what it is carrying. They think of themselves as a carrier that builds the structure which understands that meaning and allows it to be communicated.

CPNI and Content?

This sort of thinking opens up lots of neat new analogies. Let’s think about privacy. Under the Telecommunications Act, telephone companies have to protect the privacy of your “Customer Proprietary Network Information,” or CPNI. This is basically the information the company needs to provide the service: the numbers you dial, the location you dial from, and so on. Importantly, it is not the content of your communication, which already has intense protection. The legal definition includes:

information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship

Telephone companies have a duty to protect this information but can use it in advertising, or sell it to joint venture partners with consent. EPIC has more information on protection for CPNI.

So what is the equivalent in the social networking space? The people you send messages to are going to be protected. So should your browsing, and just about all of your social actions. But there’s an important leap here. If Facebook thinks of itself as a pipe for social information, then your connections, your social graph, would be more like the content. That’s the change: your connections are your social messages, rather than being the recipients of your messages. That would give your social graph quite a bit of protection, and disallow Facebook from reading it.

Common Carriers

Utilities are also sometimes viewed as common carriers. Common carriers can’t discriminate in what they carry, and further are absolutely liable. I analogize the first to the idea that Facebook won’t judge my social graph, and thus can’t discriminate based on how I am socially relating. This means I can be free to move data around, and even download my social graph from Facebook. I previously blogged about the potential for privacy enhancement from so-called “data portability.” It would be discriminatory, and a violation of common carrier principles, for Facebook to prohibit certain uses of the social graph.

Posted: May 27, 2008

As the Web Goes Social, Where Is Privacy?

Google, MySpace, and Facebook have recently announced initiatives to share social networking information with third party sites. Google’s announcement describes Google Friend Connect:

This new service, announced as a preview release tonight at Campfire One, lets non-technical site owners sprinkle social features throughout their websites, so visitors will easily be able to join with their AOL, Google, OpenID, and Yahoo! credentials. You’ll be able to see, invite, and interact with new friends or, using secure authorization APIs, with existing friends from social sites on the web like Facebook, Google Talk, hi5, LinkedIn, orkut, Plaxo, and others.

Facebook similarly describes its initiative:

Facebook Connect is the next iteration of Facebook Platform that allows users to “connect” their Facebook identity, friends and privacy to any site. This will now enable third party websites to implement and offer even more features of Facebook Platform off of Facebook – similar to features available to third party applications today on Facebook.

It adds that key features will be: “Trusted authentication; Real Identity; Friends Access; and Dynamic Privacy.” Myspace’s launch includes some partner sites already:

LOS ANGELES—May 8, 2008—MySpace, the world’s most popular social network, alongside Yahoo!, eBay, Photobucket, and Twitter, today announced the launch of the MySpace ‘Data Availability’ initiative, a ground-breaking offering to empower the global MySpace community to share their public profile data to websites of their choice throughout the Internet. Today’s announcement throws open the doors to traditionally closed networks by putting users in the driver’s seat of their data and Web identit

Data Portability

These are being referred to as advances in “data portability” (see here and here, for example). Data portability is the name given to the idea that data a user has generated with one vendor can easily be moved to, or manipulated by, another vendor without the need for any pre-existing relationship between them.

There was some promise that data portability might improve privacy. Timothy Lee at Techdirt blogged on how data portability could mitigate privacy issues. I previously blogged about a position paper from ENISA on social networking security recommendations. They noted (pdf):

Many of the threats . . . in particular those relating to data privacy, have arisen because SNSs [Social Network Sites] are extremely centralized (i.e., high numbers of users with few providers). Where users were previously protected by spreading their data over many mutually inaccessible repositories, it’s now collected in a single place. It is currently very difficult to transfer your social network from one provider to another, or to interact between providers. . . . While there are clear commercial reasons behind these trends, the security and usability implications of a centralized and closed data storage model should not be ignored. A possible solution to this problem is portable social networks, which allow users to control and syndicate their own ‘social graph’. . . . At a minimum, it should be possible to export the social graph and its preferences from one provider to another and, ideally, users would have the possibility of complete control over their own social data, syndicating it to providers which created added-value ‘mashup’ applications.

The Promise of Privacy?

So portability holds great promise — users are able to easily move between providers; no one provider is a central point of tracking; and users control where their data goes and presumably who has access to it.

But what is now being billed as “portability” looks quite far from that promise. These systems look like they will allow the social networks to track you as you use several sites, rather than allow you to leave an existing social network with your data. That’s not really allowing data to move around; that’s just SNSs giving you a long leash. It looks like more centralization, not less. Instead of having the security and privacy of different accounts and different personas, you’ll have one single logon for several web services. In fact, Facebook seems to tout as an advantage that people will no longer be anonymous, that they’ll be coming into new ventures with their entire social graph. When privacy activists are telling users to use pseudonyms and different logins, this new development is going in a different direction.

I suspect these companies want your entire web experience to be “social.” But more importantly, they want you logged into them, a captive audience for their ads, all while they build up profiles of personal information so that they can market to you.

Posted: May 20, 2008

BBC Creates Data-Mining Facebook Application

I earlier blogged about the civil liberties dangers that law enforcement Facebook applications pose. The problem: by default, applications have access to much of your and your friends’ data.

The BBC has written an application that shows how easy data collection can be.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?

Facebook responded:

Users are strongly encouraged to report any suspected misuse of information to Facebook. Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

We have sophisticated technology and a dedicated team to address inappropriate activity by applications. Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

I hope this means that Facebook has some automated processes for detecting when applications are accessing too much data, and that this causes them to be reviewed. But overall I don’t see how users can be careful when adding an application. They have no way of knowing what it does.

Posted: May 2, 2008

Facebook Applications: Back Doors for Law Enforcement?

Via Google News I hear of a new Facebook Application: GMP Updates. The application, also known as “The Greater Manchester Police Updates,” gives you a feed of crime updates and links to a form for reporting crimes, according to the article. It’s the first time I’ve seen a law enforcement based Facebook application.

GMP Updates

There have been several articles about law enforcement using its normal user-level access to Facebook for criminal prosecutions (for example: “Facebook Helps Law Enforcement,” “Site Used to Aid Investigations,” “Student Arrested After Police Facebook Him”). In these cases, law enforcement or their tipsters browse Facebook like a normal user, looking at the information made available to that user.

Expanded Viewing Powers

Law enforcement use of applications will significantly expand the reach of what law enforcement can see, and also provide a more surreptitious viewing ability. It’s been noted that some 90% of popular applications have access to more information than they need, but this seems like a significant first — giving law enforcement more access than it needs. Why the expansion? Because application providers get access to just about all of your Facebook information, as described in the “Platform Application Terms of Use“:

In order to allow you to use and participate in Platform Applications created by Developers (“Developer Applications”), Facebook may from time to time provide Developers access to the following information (collectively, the “Facebook Site Information”):

(i) any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information, and

(ii) the user ID associated with your Facebook Site profile.

Facebook provides some examples of what this means. Like:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

[I've highlighted some of my favorites]

Note that applications can access your data even if you’ve marked it as not viewable by the police in your geographic network or school. Even if you’ve used a “friend list” to restrict who sees a photo, it’s still available to the third-party application providers. So it’s not enough to carefully tune your privacy vis-a-vis other Facebook users. You also have to avoid adding applications like GMP Updates; that is, avoid getting updates from your local law enforcement.

Inadvertent Snitching

That’s not all that is happening. When you add an application, by default it can see what you can see on Facebook. So you’re also sharing your friends’ information with law enforcement. Your friends may opt out of this sharing, but until they do, you’ll be the eyes and ears of law enforcement by adding a law enforcement-based Facebook app. The defaults include quite a bit of information:

API Defaults

When you add applications, you’re told they get to see your information:

Add GMP Updates

But you’re not told you’re also sharing your friends’ info.
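To make the default concrete, here is a small model of the access rule the post describes, with a consent-based alternative beside it. This is an added illustration written for this post, not Facebook’s platform code: the user records, field names, audience labels and the hypothetical app id `gmp_updates` are all constructed, and the “consented” rule is an assumption about how a safer design could work, not something the Platform Terms describe.

```python
from dataclasses import dataclass, field

# Per-field audience settings a user can choose (constructed for this model).
EVERYONE, FRIENDS, ONLY_ME = "everyone", "friends", "only_me"


@dataclass
class User:
    uid: str
    fields: dict                                    # profile field -> value
    visibility: dict                                # profile field -> audience
    friends: set = field(default_factory=set)
    blocks_apps: bool = False                       # the "block all applications" opt-out
    app_grants: dict = field(default_factory=dict)  # app id -> fields granted (assumed design)


def user_can_see(viewer: User, owner: User, fname: str) -> bool:
    """Ordinary profile view between two users, honouring the owner's audience setting."""
    if viewer.uid == owner.uid:
        return True
    audience = owner.visibility.get(fname, ONLY_ME)
    if audience == EVERYONE:
        return True
    return audience == FRIENDS and viewer.uid in owner.friends


def app_view_default(installer: User, directory: dict) -> dict:
    """The rule the post describes: the application inherits the installer's view.

    It gets every field of the installer's own profile (audience settings never
    hide a field from its owner, so friend-list restrictions do not help) plus
    whatever the installer can see of each friend, unless that friend has
    blocked applications. Returns {uid: {field: value}}.
    """
    result = {}
    profiles = [installer] + [directory[f] for f in sorted(installer.friends)]
    for owner in profiles:
        if owner is not installer and owner.blocks_apps:
            continue
        visible = {k: v for k, v in owner.fields.items()
                   if user_can_see(installer, owner, k)}
        result[owner.uid] = visible
    return result


def app_view_consented(app_id: str, installer: User, directory: dict) -> dict:
    """Hypothetical hardened rule: data flows to an application only from people who granted it.

    Each profile owner, including the installer, decides which fields app_id may
    read; a friend who never heard of the app contributes nothing.
    """
    result = {}
    profiles = [installer] + [directory[f] for f in sorted(installer.friends)]
    for owner in profiles:
        granted = owner.app_grants.get(app_id, set())
        visible = {k: owner.fields[k] for k in sorted(granted) if k in owner.fields}
        if visible:
            result[owner.uid] = visible
    return result


# Constructed sample data: alice installs an app; bob and carol are her friends.
ALICE = User("alice",
             fields={"name": "Alice", "hometown": "Manchester", "phone": "0161 555 0100"},
             visibility={"name": EVERYONE, "hometown": FRIENDS, "phone": ONLY_ME},
             friends={"bob", "carol"},
             app_grants={"gmp_updates": {"name"}})
BOB = User("bob",
           fields={"name": "Bob", "hometown": "Salford", "phone": "0161 555 0200"},
           visibility={"name": EVERYONE, "hometown": FRIENDS, "phone": ONLY_ME},
           friends={"alice"})
CAROL = User("carol",
             fields={"name": "Carol", "hometown": "Bolton"},
             visibility={"name": EVERYONE, "hometown": FRIENDS},
             friends={"alice"},
             blocks_apps=True)
DIRECTORY = {u.uid: u for u in (ALICE, BOB, CAROL)}

if __name__ == "__main__":
    print("default:  ", app_view_default(ALICE, DIRECTORY))
    print("consented:", app_view_consented("gmp_updates", ALICE, DIRECTORY))
```

Under the default rule the app installed by alice receives her “only me” phone number and bob’s friends-only hometown, even though bob never installed anything; only carol, who blocked applications, stays out. Under the consented rule the same app gets exactly the one field alice granted it and nothing about her friends, which is the difference between the installer’s privileges and each person’s own consent.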

Content Too?

One thing that is unclear to me is whether applications can see the content of my Facebook messages and other communications I make within the site. Content fits the definition (“any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information”) of information available to third party providers, but it would be quite shocking if this was being made available to third parties. In the US, intercepting a communication requires a warrant — pursuant to the 4th Amendment as well as ECPA, and accessing a stored communication requires court orders or warrants, depending on the age of the information. This is why I’m skeptical that content is being shared with law enforcement via the API. It would be quite a scandal.

Posted: April 16, 2008

Facebook Takes More Steps to Spread Your Data

Social networking website Facebook recently announced that it would be sharing some of its users’ information with the world:

Starting today, we are making limited public search listings available to people who are not logged in to Facebook. We’re expanding search so that people can see which of their friends are on Facebook more easily.

However, it is not just your friends who will be able to find you:

In a few weeks, we will allow these Public Search listings (depending on users’ individual privacy settings) to be found by search engines like Google, MSN Live, Yahoo, etc.

If you object to these steps, Facebook will allow you to avoid this:

As always, if you do not want your public search listing to be visible to people searching from outside of Facebook, you can control that from the Search Privacy page.

So Facebook has decided to share data without asking for permission; instead it posted this fact on its blog and gave people about 30 days’ notice to go and change the setting. They’ve done this before: when they set up their applications to share data with third parties, and when they set up their news feed to spread a user’s actions to that user’s network.

In privacy, this is known as an opt-out system: the holder of the data has decided to use your data in a certain way, and lets you stand up and object. This is in contrast to an opt-in system, under which the holder of the data asks for your permission before going off and sharing it further.

The major difference? Think about who has the incentives and bears the costs. Under opt-out, a person has to continuously monitor what Facebook is doing; they can never assume that what is happening is something they previously okayed. Under opt-in, a person can rest easy knowing that no surprises will come along. Under opt-in, Facebook has the incentive to describe the benefits of sharing the information in order to get users’ permission. Under opt-out, Facebook’s incentive is to give as little notice as possible: the more notice they give, the more people will choose not to follow Facebook’s plan for sharing the data. Thus individuals are more informed under opt-in.

Facebook offers a lot of choice in privacy settings. Which is a good feature. But they should stop taking liberties with data, and start asking for permission before spreading it.

UPDATE
This article shows exactly how Facebook is getting away with avoiding the “opt-in/opt-out” distinction:

“The only data that will be available is your profile picture and your name – and then only if you agree that your profile should be searchable,” said [Facebook privacy chief] Chris Kelly.

But the problem is they’re not asking if you agree: they’re assuming you do. Now 40 million people have to find out about this and edit their privacy settings. This instead of Facebook simply selling the program on its merits to users.

Posted: September 9, 2007