Neat Facebook App Named “Privacy”

I ran into a Facebook App named “privacy.” The operation is rather simple:

Privacy, the application, is a utility that provides insight into what information applications can access just by you or your friends using them.

I’ve previously blogged about the civil liberties implications of law enforcement applications.  Applications see your Facebook Site information, including:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

The “privacy” application is another way to communicate to people just how much these thousands of third-party developers have access to.

Posted: June 9, 2008

As the Web Goes Social, Where Is Privacy?

Google, MySpace, and Facebook have recently announced initiatives to share social networking information with third party sites. Google’s announcement describes Google Friend Connect:

This new service, announced as a preview release tonight at Campfire One, lets non-technical site owners sprinkle social features throughout their websites, so visitors will easily be able to join with their AOL, Google, OpenID, and Yahoo! credentials. You’ll be able to see, invite, and interact with new friends or, using secure authorization APIs, with existing friends from social sites on the web like Facebook, Google Talk, hi5, LinkedIn, orkut, Plaxo, and others.

Facebook similarly describes its initiative:

Facebook Connect is the next iteration of Facebook Platform that allows users to “connect” their Facebook identity, friends and privacy to any site. This will now enable third party websites to implement and offer even more features of Facebook Platform off of Facebook – similar to features available to third party applications today on Facebook.

It adds that key features will be: “Trusted authentication; Real Identity; Friends Access; and Dynamic Privacy.” Myspace’s launch includes some partner sites already:

LOS ANGELES—May 8, 2008—MySpace, the world’s most popular social network, alongside Yahoo!, eBay, Photobucket, and Twitter, today announced the launch of the MySpace ‘Data Availability’ initiative, a ground-breaking offering to empower the global MySpace community to share their public profile data to websites of their choice throughout the Internet. Today’s announcement throws open the doors to traditionally closed networks by putting users in the driver’s seat of their data and Web identit

Data Portability

These are being referred to as advances in “data portability” (see here, and here, for example). Data portability is the name given to the idea that data a user has generated with one vendor can easily be moved to or manipulated by another vendor, without the need for any pre-existing relationships.

There was some promise that data portability might improve privacy. Timothy Lee at Techdirt blogged on how data portability could mitigate privacy issues. I previously blogged about a position paper from ENISA on social networking security recommendations. They noted (pdf):

Many of the threats . . . in particular those relating to data privacy, have arisen because SNSs [Social Network Sites] are extremely centralized (i.e., high numbers of users with few providers). Where users were previously protected by spreading their data over many mutually inaccessible repositories, it's now collected in a single place. It is currently very difficult to transfer your social network from one provider to another, or to interact between providers. . . . While there are clear commercial reasons behind these trends, the security and usability implications of a centralized and closed data storage model should not be ignored. A possible solution to this problem is portable social networks, which allows users to control and syndicate their own ‘social graph’. . . . At a minimum, it should be possible to export the social graph and its preferences from one provider to another and, ideally, users would have the possibility of complete control over their own social data, syndicating it to providers which created added-value ‘mashup’ applications.

The Promise of Privacy?

So portability holds great promise — users are able to easily move between providers; no one provider is a central point of tracking; and users control where their data goes and presumably who has access to it.

But what is now being billed as “portability” looks quite far from that promise. These systems look like they will allow the networks to track you as you use several sites, rather than allow you to leave existing social networks with your data. That’s not really allowing data to move around — that’s just SNSs giving you a long leash. It looks like more, not less, centralization. Instead of having the security and privacy of different accounts and different personas, you’ll instead have one single logon for several web services. In fact Facebook seems to tout as an advantage that people will no longer be anonymous, that they’ll be coming in with their entire social graph to new ventures. When privacy activists are telling users to use pseudonyms and different logins, this new development is going in a different direction.

I suspect these companies want your entire web experience to be “social.” But more importantly, they want you logged into them, a captive audience for their ads, all while they build up their profiles of personal information so that they can market to you.

Posted: May 20, 2008

BBC Creates Data-Mining Facebook Application

I earlier blogged about the civil liberties dangers that law enforcement Facebook applications pose. The problem: by default, applications have access to much of your and your friends’ data.

The BBC has written an application that shows how easy data collection can be.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?

Facebook responded:

Users are strongly encouraged to report any suspected misuse of information to Facebook. Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

We have sophisticated technology and a dedicated team to address inappropriate activity by applications. Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

I hope this means that Facebook has some automated processes for detecting when applications are accessing too much data, and that this causes them to be reviewed. But overall I don’t see how users can be careful when adding an application. They have no way of knowing what it does.

Posted: May 2, 2008

Sources for Social Networking Privacy

It sometimes seems unclear what privacy interests one has when using social networking sites. There is a recurring idea, which has been referred to as the “secrecy paradigm,” that things which are “posted on a public website” cannot be the subject of “privacy.” That’s not really all there is to privacy. For example, Alan Westin defined it as:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

So how does this get expressed in the world of social networking? Two recent publications give a good, though I suspect not exhaustive, overview. The European Network and Information Security Agency (ENISA) prepared a position paper on “Security Issues and Recommendations for Online Social Networks” (pdf). The International Working Group on Data Protection in Telecommunications, composed mainly of European privacy officials, has issued a “Report and Guidance on Privacy in Social Network Services” (pdf). A few examples from these highlight the idea that privacy is more than just secrecy.

ENISA

ENISA identifies the problem of “Digital Dossier Aggregation.” Data can easily be taken from social networks and placed in a different context — it can be easy to build a profile of a person that is not controlled by that person. Further, social networks collect your browsing information — who you click on, who you interact with — and often don’t discuss what uses they put this information to. These are both common privacy issues: that users may lose control of their data and that data is being collected and put to secondary uses.

ENISA also identifies two risks which I had not considered previously. Facial recognition algorithms will be able to be deployed on social networks, and allow automatic identification of individuals and linking of several profiles. Semi anonymous online dating profiles will be able to be automatically matched with non-anonymous images elsewhere online. Extracting other information from images will allow algorithms to determine what people are doing (such as drinking) and maybe even where.

Lastly, ENISA also identifies the difficulty of account deletion as a privacy risk. Facebook users have complained about how difficult deletion can be. This is another way in which controlling your data is important. ENISA even goes one step further, proposing that social networks make profiles “portable” so that users can easily move from one network to another — promoting competition and user control, and alleviating the other threats which come from the centralization of data.

The report contains other issues, such as stalking, spam, and even corporate espionage. Read the whole thing.

Working Group on Data Protection in Telecoms

The Working Group notes some of the security concerns that ENISA focuses on, but also mentions other privacy issues. The first is that online data is usually permanent — it is hard to erase. Even once the data subject deletes the data they control, cached copies may exist, or other services may have duplicated the data. Secondly, the intimacy of the relationships online may be illusory — and sometimes exclude key players. One’s “friends” on social networking sites are not necessarily real friends. I’ll add that the social nature of the site, as well as its communications (talking about your friends, your networks, and who can see your data) covers up the fact that the service operates as a Big Brother, watching and collecting all your activity online.

This data collection — of your browsing history and other activity — raises other issues, as this data may be accessible to law enforcement and intelligence services. The data will also be used for marketing and other secondary uses that may not be clearly specified by the social networking service. Further uses may be employers or others interested in researching the reputation of individuals.

Lastly, a new development is the creation of application programming interfaces, or APIs. These allow even more third party access to data, often in a way that is hidden. I’ve previously blogged about the privacy and civil liberties issues with law enforcement created applications. You can read there for the specific problems on the Facebook platform. But the general problem is that third party access is being increased in ways which are not transparent to users.

Guidelines and Recommendations

The discussion above should clarify what people mean when they talk about social networking privacy. It is not just a matter of “keep things secret.” For some steps on how to deal with these issues, I again recommend you check out the two publications.

“Report and Guidance on Privacy in Social Network Services” (pdf).

“Security Issues and Recommendations for Online Social Networks” (pdf).

Posted: April 24, 2008

Facebook Applications: Back Doors for Law Enforcement?

Via Google News I hear of a new Facebook Application: GMP Updates. The application, also known as “The Greater Manchester Police Updates,” gives you a feed of crime updates and links to a form for reporting crimes, according to the article. It’s the first time I’ve seen a law enforcement based Facebook application.

[Image: GMP Updates]

There have been several articles about law enforcement using its normal user-level access to Facebook for criminal prosecutions (for example: “Facebook Helps Law Enforcement,” “Site Used to Aid Investigations,” “Student Arrested After Police Facebook Him”). In these cases, law enforcement or their tipsters browse Facebook like a normal user, looking at the information made available to that user.

Expanded Viewing Powers

Law enforcement use of applications will significantly expand the reach of what law enforcement can see, and also provide a more surreptitious viewing ability. It’s been noted that some 90% of popular applications have access to more information than they need, but this seems like a significant first — giving law enforcement more access than it needs. Why the expansion? Because application providers get access to just about all of your Facebook information, as described in the “Platform Application Terms of Use”:

In order to allow you to use and participate in Platform Applications created by Developers (“Developer Applications”), Facebook may from time to time provide Developers access to the following information (collectively, the “Facebook Site Information”):

(i) any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information, and

(ii) the user ID associated with your Facebook Site profile.

Facebook provides some examples of what this means. Like:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

[I've highlighted some of my favorites]

Note that applications can access your data even if you’ve marked it as not viewable by the police in your geographic network or school. Even if you’ve used a “friend list” to restrict who sees a photo, it’s still available to the third party application providers. So it’s not enough to carefully tune your privacy vis-a-vis other Facebook users. You also have to avoid adding applications like the GMP Updater — avoid getting updates from your local law enforcement.

Inadvertent Snitching

That’s not all that is happening. When you add an application, by default it can see what you can see on Facebook. So you’re also sharing your friends’ information with law enforcement. Your friends may opt-out of this sharing, but until they do you’ll be the eyes and ears of law enforcement by adding a law enforcement-based Facebook app. The defaults include quite a bit of information:

[Image: API Defaults]

When you add applications, you’re told they get to see your information:

[Image: Add GMP Updates]

But you’re not told you’re also sharing your friends’ info.
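The two access rules the post has just described — an added application receives whatever the installing user can see, contact information excepted, and it therefore also receives friends’ data unless a friend has opted out — can be written down as a small model. The following is an added illustration, not Facebook’s API or any code from the post: the profile fields, the opt-out flag, the application name “gmp_updates” and the sample users are all constructed here, and the least-privilege check at the end simply compares what the model grants against the fields an application would plausibly need for its stated function.

```python
"""Model of what a third-party application receives when a user installs it,
following the two rules described in the post: the installer's own profile
minus contact information (plus the user ID and friend list), and each
friend's profile minus contact information unless that friend has opted out
of sharing with friends' applications. Constructed illustration only; the
field names, flags and sample users are not a real API."""

from dataclasses import dataclass, field

# Fields the quoted terms carve out ("excluding any of your Contact Information").
# The labels are constructed for this model.
CONTACT_FIELDS = {"email", "phone"}


@dataclass
class Profile:
    uid: str
    fields: dict                                   # field name -> value
    friends: set = field(default_factory=set)      # uids of friends
    shares_with_friends_apps: bool = True          # default: shares; the opt-out flips it
    blocked_apps: set = field(default_factory=set)  # apps this user blocked outright


def visible_to_apps(profile: Profile) -> dict:
    """What an application gets from one profile: everything except contact
    information, plus the user ID (rule (ii) in the quoted terms)."""
    data = {k: v for k, v in profile.fields.items() if k not in CONTACT_FIELDS}
    data["uid"] = profile.uid
    return data


def exposure_on_install(installer: Profile, app: str, directory: dict) -> dict:
    """Everything `app` can read once `installer` adds it, keyed by uid:
    the installer's non-contact profile and friend-ID list, and each friend's
    non-contact profile unless that friend opted out or blocked this app.
    `directory` maps uid -> Profile for every user in the model."""
    seen = {installer.uid: visible_to_apps(installer)}
    seen[installer.uid]["friend_ids"] = sorted(installer.friends)
    for fid in installer.friends:
        friend = directory[fid]
        if not friend.shares_with_friends_apps or app in friend.blocked_apps:
            continue                                # the friend's opt-out holds
        seen[fid] = visible_to_apps(friend)         # otherwise the installer "snitches"
    return seen


def over_privilege(exposed: dict, needed: set) -> set:
    """Least-privilege check: field names the application receives but does
    not need for its stated function."""
    granted = set()
    for data in exposed.values():
        granted |= set(data)
    return granted - needed


def sample_exposure() -> dict:
    """Constructed scenario: alice installs 'gmp_updates'; bob keeps the default
    sharing setting, carol has opted out of sharing with friends' applications."""
    alice = Profile("alice", {"name": "Alice", "current_location": "Manchester",
                              "political_view": "Liberal", "email": "a@example.invalid"},
                    friends={"bob", "carol"})
    bob = Profile("bob", {"name": "Bob", "photos": ["holiday.jpg"],
                          "email": "b@example.invalid"})
    carol = Profile("carol", {"name": "Carol", "phone": "000"},
                    shares_with_friends_apps=False)
    directory = {p.uid: p for p in (alice, bob, carol)}
    return exposure_on_install(alice, "gmp_updates", directory)


if __name__ == "__main__":
    exposed = sample_exposure()
    for uid, data in exposed.items():
        print(uid, "->", sorted(data))
    # A crime-updates feed plausibly needs only a user ID and a location.
    print("over-privileged fields:", sorted(over_privilege(exposed, {"uid", "current_location"})))
```

Running it shows that bob’s profile (minus his e-mail) is handed over by alice’s installation alone, that carol’s opt-out keeps her out of the result, and that a feed needing only a location still receives names, political views, photos and the friend list. The model is deliberately pessimistic in one respect: it treats the installer as able to see every non-contact field of a friend, which is the default the post describes, not a guaranteed fact about any particular pair of users.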

Content Too?

One thing that is unclear to me is whether applications can see the content of my Facebook messages and other communications I make within the site. Content fits the definition (“any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information”) of information available to third party providers, but it would be quite shocking if this was being made available to third parties. In the US, intercepting a communication requires a warrant — pursuant to the 4th Amendment as well as ECPA, and accessing a stored communication requires court orders or warrants, depending on the age of the information. This is why I’m skeptical that content is being shared with law enforcement via the API. It would be quite a scandal.

Posted: April 16, 2008

DHS Privacy: When Pigs Fly?

Ryan Singel at Wired’s THREAT LEVEL blog is having a contest to name the DHS privacy office mascot/gift they’ve received. A toy pig.

But there’s something else that’s funny here. Check out the picture of the pig:

[Image: DHS pig]

So what’s the message here? “Privacy at Homeland Security. When Pigs Fly?” Am I missing something?

Posted: March 20, 2008

Complaint Against Amateur Spyware Purveyors Filed

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

Click on this thumbnail for a view of what the marketing looks like:

[Image: Remote Spy]

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished and in general unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic and we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Let’s hope the FTC moves and nips it in the bud.

Posted: March 6, 2008

Connecticut Takes Some Protection Order Info off the Web

Via PI Buzz I hear that the Connecticut court is removing some protection / restraining order information from its website.

Effective Monday, Dec. 3, 2007, and in accordance with federal law, information identifying a party protected by a restraining order will no longer be available through the civil/family look-up section of the Judicial Branch’s website. This federal prohibition does not extend to disclosable information in a file at a court clerk’s office.

Under a 2006 amendment to the Violence Against Women Reauthorization Act of 2005, no state, Indian tribe or territory “shall make available publicly on the Internet any information regarding the registration or filing of a protection order, restraining order, or injunction in either the issuing or enforcing State, tribal, or territorial jurisdiction, if such publication would be likely to publicly reveal the identity or location of the party protected under such order.”

EPIC and several domestic violence advocates in DC filed comments against a proposal by the DC courts to place information like this online. We highlighted this VAWA prohibition. In those comments we pointed out that DC law requires an intrafamily relationship before a protection order is issued. That means that information like the restrained party’s name might identify the protected party. We also pointed out that information about addresses that the restrained party cannot approach has a likelihood of disclosing the protected party’s location. We also pointed to other privacy problems with other court records, including divorces and civil cases.

It looks like the Connecticut court will still keep a lot of things online. For more on the risks of that, see our comments (pdf).

Posted: November 23, 2007

Pro-Privacy Anti-Cyberbullying Public Service Announcement

People my age remember the anti-drug public service announcements from the 1980s. Classic lines like “I learned it by watching you” and “this is your brain on drugs.” Besides, of course, the vast socio-economic effects of the war on drugs, these are probably some of the most memorable icons of the ridiculousness of that era. At least for white middle class me.

But it seems that nowadays, kids are being warned against Cyberbullying. The slogan is “Delete cyberbullying. Don’t write it. Don’t forward it.”

I like how they do more than just discourage the creation of offending content. They point out that it also propagates via user action. Forwarding, linking, and adding to newsfeeds help to move the information around. And that helps to propagate the privacy violation. Forwarding not only increases the audience, it also may move the content from a non-indexed medium, like text messages, to one that search engines pick up, like blogs or social networking sites.

Like a good PSA, they’re tough to watch and pretty intense:

I like that the overbearing medium of the public service announcement is being used to promote a privacy aware generation. Better than stoking simplistic prohibitionist hysteria.

Posted: November 18, 2007