Social Networking Spyware in Washington Post

Today’s Washington Post has an A1 story about Facebook application privacy:

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information — home town, schools attended, employment history — and can use the data in ways that could harm or annoy users.

I’ve previously blogged on the privacy issues of Facebook Apps such as the civil liberties problems when law enforcement agencies create Facebook apps.

It’s good to see this issue gaining mainstream attention, because it means that people will start thinking differently about threats to privacy online. EPIC recently testified at a hearing on spyware. The testimony included social networking applications as a possible vector for spyware.

People at the hearing talked about the need for any legislation in this area to be technology neutral. The bill being discussed, S. 1625, included some language that was focused on PCs but ignored other threats. The bill had sections making certain behavior unlawful, using language like “caus[ing] the installation on [a] computer of software that” does various prohibited things, such as improperly collecting information or displaying too many popups. But that language assumes people keep their data on their own computers. With social networking, people keep their data online, with the social networking services. That data should also be protected from new types of spyware, and we should think about improper data collection from social networking services the same way we think about improper data collection from our home computers.

Posted: June 12, 2008

Neat Facebook App Named “Privacy”

I ran into a Facebook App named “privacy.” The operation is rather simple:

Privacy, the application, is a utility that provides insight into what information applications can access just by you or your friends using them.

I’ve previously blogged about the civil liberties implications of law enforcement applications.  Applications see your Facebook Site information, including:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

The “privacy” application is another way to communicate to people just how much these thousands of third-party developers have access to.

Posted: June 9, 2008

Social Networks as Regulated Utilities?

At CFP’s panel on “Privacy, Reputation, and the Management of Online Communities,” Professor Frank Pasquale mentioned the idea of treating social networking service providers as regulated utilities. He may or may not have read about the Facebook VP who described Facebook as akin to a cable company, one carrying social data:

We view ourselves as a technology company at our core. We’re the cable company creating the pipes, and what they carry is social information and engagement information about people.

So they carry your social information — your social relationships and identity, contextualized and with that social meaning, not just at the level of Internet packets. Facebook knows the meaning of what it is carrying, unlike your telecommunications company. They think of themselves as carriers that set up the structure that knows that meaning and allows it to be communicated.

CPNI and Content?

This sort of thinking opens up lots of neat new analogies. Let’s think about privacy. Under the Telecommunications Act, telephone companies have to protect the privacy of your “Customer Proprietary Network Information,” or CPNI. This is basically the information the company needs to provide the service — the numbers you dial, the location you dial from, and so on. Importantly, it does not include the content of your communication — that already has intense protection. The legal definition includes:

information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship

Telephone companies have a duty to protect this information but can use it in advertising, or sell it to joint venture partners with consent. EPIC has more information on protection for CPNI.

So what is the equivalent in the social networking space? The people you send messages to are going to be protected. So should your browsing, and just about all of your social actions. But there’s an important leap here. If Facebook thinks of itself as a pipe of social information, then your connections — your social graph — would be more like the content. That’s the change: your connections are your social messages, rather than your connections being who receives your messages. That would give your social graph quite a bit of protection, and disallow Facebook from reading it.
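One way to make the analogy concrete is to sketch how a social network’s data might be sorted into CPNI-like service metadata versus carried content under this framing. The classification below is only my reading of the analogy; the field names are hypothetical and nothing here reflects an actual legal category. A minimal sketch in Python:

```python
# Hypothetical illustration of the CPNI analogy for a social networking
# service.  The field names and buckets are invented for this post's
# argument; they are not a legal classification.

CPNI_LIKE = {
    # Information the "social pipe" needs to deliver the service: who you
    # address, when, and from where -- roughly analogous to dialed numbers
    # and call location under the Telecommunications Act.
    "message_recipients",
    "login_timestamps",
    "access_location",
    "pages_browsed",
}

CONTENT_LIKE = {
    # Under the pipe analogy, the social graph itself is the payload being
    # carried, so it would get the stronger, content-level protection.
    "friend_list",
    "relationship_labels",
    "message_bodies",
}

def protection_for(field: str) -> str:
    """Return the kind of protection the analogy would suggest for a field."""
    if field in CONTENT_LIKE:
        return "content-level protection (the carrier should not read it)"
    if field in CPNI_LIKE:
        return "CPNI-style duty of confidentiality"
    return "unclassified"

if __name__ == "__main__":
    for field in ("friend_list", "message_recipients"):
        print(field, "->", protection_for(field))
```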

Common Carriers

Utilities are also sometimes viewed as common carriers. Common carriers can’t discriminate in what they carry, and further are absolutely liable. I analogize the first to the idea that Facebook won’t judge my social graph, and thus can’t discriminate based on how I am socially relating. This means I can be free to move data around, and even download my social graph from Facebook. I previously blogged about the potential for privacy enhancement from so-called “data portability.” It would be discriminatory, and a violation of common carrier principles, for Facebook to prohibit certain uses of the social graph.

Posted: May 27, 2008

As the Web Goes Social, Where Is Privacy?

Google, MySpace, and Facebook have recently announced initiatives to share social networking information with third party sites. Google’s announcement describes Google Friend Connect:

This new service, announced as a preview release tonight at Campfire One, lets non-technical site owners sprinkle social features throughout their websites, so visitors will easily be able to join with their AOL, Google, OpenID, and Yahoo! credentials. You’ll be able to see, invite, and interact with new friends or, using secure authorization APIs, with existing friends from social sites on the web like Facebook, Google Talk, hi5, LinkedIn, orkut, Plaxo, and others.

Facebook similarly describes its initiative:

Facebook Connect is the next iteration of Facebook Platform that allows users to “connect” their Facebook identity, friends and privacy to any site. This will now enable third party websites to implement and offer even more features of Facebook Platform off of Facebook – similar to features available to third party applications today on Facebook.

It adds that key features will be: “Trusted authentication; Real Identity; Friends Access; and Dynamic Privacy.” MySpace’s launch includes some partner sites already:

LOS ANGELES—May 8, 2008—MySpace, the world’s most popular social network, alongside Yahoo!, eBay, Photobucket, and Twitter, today announced the launch of the MySpace ‘Data Availability’ initiative, a ground-breaking offering to empower the global MySpace community to share their public profile data to websites of their choice throughout the Internet. Today’s announcement throws open the doors to traditionally closed networks by putting users in the driver’s seat of their data and Web identity.

Data Portability

These are being referred to as advances in “data portability” (see here, and here, for example). Data portability is the name given to the idea that data a user has generated with one vendor can easily be moved to or manipulated by another vendor, without the need for any pre-existing relationships.

There was some promise that data portability might improve privacy. Timothy Lee at Techdirt blogged on how data portability could mitigate privacy issues. I previously blogged about a position paper from ENISA on social networking security recommendations. They noted (pdf):

Many of the threats . . . in particular those relating to data privacy, have arisen because SNSs [Social Network Sites] are extremely centralized (i.e., high numbers of users with few providers). Where users were previously protected by spreading their data over many mutually inaccessible repositories, it is now collected in a single place. It is currently very difficult to transfer your social network from one provider to another, or to interact between providers. . . . While there are clear commercial reasons behind these trends, the security and usability implications of a centralized and closed data storage model should not be ignored. A possible solution to this problem is portable social networks, which allows users to control and syndicate their own ‘social graph’. . . . At a minimum, it should be possible to export the social graph and its preferences from one provider to another and, ideally, users would have the possibility of complete control over their own social data, syndicating it to providers which created added-value ‘mashup’ applications.
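As a rough illustration of the “export the social graph and its preferences” step ENISA describes, here is a minimal sketch that serializes a user’s connections and preferences into a portable JSON document another provider could import. The schema and field names are invented for illustration; no provider’s actual export format is implied.

```python
import json
from datetime import datetime, timezone

def export_social_graph(user_id, friends, preferences):
    """Serialize a user's social graph to a provider-neutral JSON document.

    `friends` is a list of (friend_id, relationship_label) pairs and
    `preferences` is a dict of profile/privacy settings.  Both the schema
    name and the field names are hypothetical.
    """
    document = {
        "schema": "portable-social-graph/0.1",  # invented schema identifier
        "exported_at": datetime.now(timezone.utc).isoformat(),
        "subject": user_id,
        "connections": [
            {"id": friend_id, "relationship": label}
            for friend_id, label in friends
        ],
        "preferences": preferences,
    }
    return json.dumps(document, indent=2)

if __name__ == "__main__":
    print(export_social_graph(
        "alice@example.net",
        [("bob@example.org", "friend"), ("carol@example.com", "colleague")],
        {"profile_visibility": "friends-only"},
    ))
```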

The Promise of Privacy?

So portability holds great promise — users are able to easily move between providers; no one provider is a central point of tracking; and users control where their data goes and presumably who has access to it.

But what is now being billed as “portability” looks quite far from that promise. These systems look like they will let these companies track you as you use several sites, rather than let you leave an existing social network with your data. That’s not really allowing data to move around — that’s just SNSs giving you a long leash. It looks like more centralization, not less. Instead of the security and privacy of having different accounts and different personas, you’ll have one single login for several web services. In fact, Facebook seems to tout it as an advantage that people will no longer be anonymous, that they’ll bring their entire social graph with them to new ventures. At a time when privacy activists are telling users to use pseudonyms and different logins, this new development is going in the opposite direction.

I suspect these companies want your entire web experience to be “social.” More importantly, they want it to happen while you are logged into their services and a captive audience for their ads, all while they build up profiles of personal information so that they can market to you.

Posted: May 20, 2008

BBC Creates Data-Mining Facebook Application

I earlier blogged about the civil liberties dangers that law enforcement Facebook applications pose. The problem: by default, applications have access to much of your and your friends’ data.

The BBC has written an application that shows how easy data collection can be.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?

Facebook responded:

Users are strongly encouraged to report any suspected misuse of information to Facebook. Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

We have sophisticated technology and a dedicated team to address inappropriate activity by applications. Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

I hope this means that Facebook has some automated processes for detecting when applications are accessing too much data, and that this causes them to be reviewed. But overall I don’t see how users can be careful when adding an application. They have no way of knowing what it does.
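To make the pattern the BBC describes more concrete, here is a rough sketch of the shape such a “miner” takes: read profile fields for the installing user and for each friend, collect them in one place, and ship them off-platform. The fetch_profile helper is a hypothetical placeholder for whatever platform API an application would call; nothing here corresponds to an actual Facebook endpoint.

```python
# Sketch of the "miner" pattern described above: an app that could look like
# a quiz but quietly aggregates profile data.  fetch_profile() is a
# hypothetical stand-in for a platform API call; it returns dummy values so
# the sketch runs without touching any real service.

FIELDS = ["name", "birthday", "hometown", "employer", "relationship_status"]

def fetch_profile(user_id, fields):
    """Hypothetical placeholder for a platform profile lookup."""
    return {field: f"<{field} of {user_id}>" for field in fields}

def mine(installing_user_id, friend_ids):
    """Collect the installing user's data plus each friend's data."""
    harvest = {installing_user_id: fetch_profile(installing_user_id, FIELDS)}
    for friend_id in friend_ids:
        # Under the default 2008-era platform settings, an app could read
        # much of a friend's profile even though the friend installed nothing.
        harvest[friend_id] = fetch_profile(friend_id, FIELDS)
    # A malicious app would now transmit `harvest` off-platform (the BBC's
    # version e-mailed it out), invisibly to everyone whose data it holds.
    return harvest

if __name__ == "__main__":
    print(mine("user-123", ["friend-456", "friend-789"]))
```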

Posted: May 2, 2008

Sources for Social Networking Privacy

The privacy interests one has when using social networking sites are sometimes not well understood. There is a recurring idea, which has been referred to as the “secrecy paradigm,” that things “posted on a public website” cannot be the subject of “privacy.” But that is not all there is to privacy. For example, Alan Westin defined it this way:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

So how does this get expressed in the world of social networking? Two recent publications give a good, though I suspect not exhaustive, overview. The European Network and Information Security Agency (ENISA) prepared a position paper on “Security Issues and Recommendations for Online Social Networks” (pdf). The International Working Group on Data Protection in Telecommunications, composed mainly of European privacy officials, has issued a “Report and Guidance on Privacy in Social Network Services” (pdf). A few examples from these highlight the idea that privacy is more than just secrecy.

ENISA

ENISA identifies the problem of “Digital Dossier Aggregation.” Data can easily be taken from social networks and placed in a different context — it can be easy to build a profile of a person that is not controlled by that person. Further, social networks collect your browsing information — who you click on, who you interact with — and often don’t discuss what uses they put this information to. These are both common privacy issues: that users may lose control of their data and that data is being collected and put to secondary uses.

ENISA also identifies two risks I had not considered previously. Facial recognition algorithms can be deployed on social networks, allowing automatic identification of individuals and the linking of several profiles. Semi-anonymous online dating profiles could be automatically matched with non-anonymous images elsewhere online. Extracting other information from images will allow algorithms to determine what people are doing (such as drinking) and maybe even where.

Lastly, ENISA identifies the difficulty of account deletion as a privacy risk. Facebook users have complained about how difficult deletion can be. This is another way in which controlling your data is important. ENISA even goes one step further, proposing that social networks make profiles “portable” so that users can easily move from one network to another — promoting competition and user control, and alleviating the other threats which come from the centralization of data.

The report contains other issues, such as stalking, spam, and even corporate espionage. Read the whole thing.

Working Group on Data Protection in Telecoms

The Working Group notes some of the security concerns that ENISA focuses on, but also mentions other privacy issues. The first is that online data is usually permanent — it is hard to erase. Even once the data subject deletes the data they control, cached copies may exist, or other services may have duplicated the data. Secondly, the intimacy of the relationships online may be illusory — and sometimes exclude key players. One’s “friends” on social networking sites are not necessarily real friends. I’ll add that the social nature of the site, as well as its communications (talking about your friends, your networks, and who can see your data) covers up the fact that the service operates as a Big Brother, watching and collecting all your activity online.

This data collection — of your browsing history and other activity — raises other issues, as this data may be accessible to law enforcement and intelligence services. The data will also be used for marketing and other secondary uses that may not be clearly specified by the social networking service. Further users of the data may be employers or others interested in researching the reputation of individuals.

Lastly, a new development is the creation of application programming interfaces, or APIs. These allow even more third party access to data, often in a way that is hidden. I’ve previously blogged about the privacy and civil liberties issues with law enforcement created applications. You can read there for the specific problems on the Facebook platform. But the general problem is that third party access is being increased in ways which are not transparent to users.

Guidelines and Recommendations

The discussion above should clarify what people mean when they talk about social networking privacy. It is not just a matter of “keep things secret.” For some steps on how to deal with these issues, I again recommend you check out the two publications.

“Report and Guidance on Privacy in Social Network Services” (pdf).

“Security Issues and Recommendations for Online Social Networks” (pdf).

Posted: April 24, 2008

Social Identity Theft

In the web 2.0 world of repurposing content, this seems to take things way too far:

The Cut-and-Paste Personality
Lacking inspiration and a moral compass, some online daters
are borrowing other people’s witty Web profiles.

These identity thieves don’t want your money. They want your quirky sense of humor and your cool taste in music.

Among the 125 million people in the U.S. who visit online dating and social-networking sites are a growing number of dullards who steal personal profiles, life philosophies, even signature poems. “Dude u like copied my whole myspace,” posts one aggrieved victim.

Now, it would be interesting if someone claimed a copyright on their online profile — there does seem to be a modicum of creativity there — and then sent a takedown request, like Comedy Central does when people post Daily Show videos to YouTube.

Would there be a fair use to copying online dating and social networking profiles?

Posted: February 17, 2008

NY Proposes Sex Offender Email Registry, MySpace, Facebook Support

The NY attorney general has proposed to create a registry where sex offenders list their emails and online profiles. The idea is to use this registry to prohibit the sex offenders from signing up for social networking services. Much of it seems to ride on the sanctions — you must register as a condition of parole — rather than on the technical ability of the system.

It’ll be possible to check whether these emails are actually being used, instead of being throwaway email addresses. Sending them regular questions, even using CAPTCHAs, can check whether someone is using the address. But this might not verify that the offender is the person using the address. Further, it won’t catch an offender who simply sets up a separate address just for social networking use. In fact, that’s a good practice for all of us: have more than one email address, each used for different purposes. It helps protect against spam and keeps our important addresses — the ones we give to friends — from being crowded with other communications.
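As an aside, here is a minimal sketch of the kind of liveness check described above: mail the registered address a one-time token and treat a correct reply as evidence that someone still reads the mailbox. The sender address and SMTP host are placeholders, and, as noted above, a correct answer proves only that somebody controls the address, not that the somebody is the registered offender or that it is their only address.

```python
import secrets
import smtplib
from email.message import EmailMessage

def send_liveness_challenge(registered_address, smtp_host="localhost"):
    """Email a one-time token to a registered address.

    Returns the token so the caller can later compare it with whatever reply
    comes back.  A matching reply shows the mailbox is read by someone; it
    says nothing about who that someone is.
    """
    token = secrets.token_hex(8)
    message = EmailMessage()
    message["From"] = "registry-check@example.gov"  # placeholder sender
    message["To"] = registered_address
    message["Subject"] = "Periodic address verification"
    message.set_content(
        "Please reply with this verification code to confirm this "
        f"address is still in use: {token}"
    )
    with smtplib.SMTP(smtp_host) as server:
        server.send_message(message)
    return token
```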

It looks like the effectiveness of this program will depend on offenders fearing, or otherwise being ignorant of, the rather simple ways to avoid it. Then again, some offenders were on social networking sites under their actual names and addresses.

Posted: January 30, 2008

Will the FTC Enforce MySpace’s Security Promises?

Recently, Wired revealed a bug in MySpace’s user account security:

A backdoor in MySpace’s architecture allows anyone who’s interested to see the photographs of some users with private profiles — including those under 16 — despite assurances from MySpace that those pictures can only be seen by people on a user’s friends list. Info about the backdoor has been circulating on message boards for months.

The flaw exposes MySpace users who set their profiles to “private” — the default setting for users under 16 — even though MySpace’s account settings page tells users, “Only the people you select will be able to view your full profile and photos.”

A specially constructed URL will display the images, even to those not logged in to MySpace.
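This is the classic missing-authorization-check bug: possession of the photo URL was treated as sufficient proof of access. A sketch of the kind of server-side check that should gate a private photo might look like the following; the function and field names are invented for illustration, and MySpace’s actual code is of course not public.

```python
# Sketch of the access check whose absence produces this class of bug.
# All names are illustrative; this is not MySpace's code.

def can_view_photo(viewer_id, owner, photo):
    """Decide whether `viewer_id` may see `photo` belonging to `owner`.

    `owner` is assumed to have `user_id`, `profile_is_private`, and
    `friend_ids` attributes; `photo` has an `is_private` flag.
    """
    if viewer_id == owner.user_id:
        return True                        # owners always see their own photos
    if not owner.profile_is_private and not photo.is_private:
        return True                        # public profile, public photo
    if viewer_id is None:
        return False                       # not logged in: no private content
    return viewer_id in owner.friend_ids   # private content: friends only

def serve_photo(viewer_id, owner, photo):
    # The bug described above amounts to skipping this check and serving the
    # image bytes to anyone who constructs the right URL.
    if not can_view_photo(viewer_id, owner, photo):
        raise PermissionError("viewer may not see this photo")
    return photo  # a real server would return the image bytes here
```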

In a followup article, it is noted that “MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos“:

Barely 24 hours after my story hit the front door of Wired.com, MySpace has, without comment, closed the backdoor, and the websites that were exploiting it are no longer delivering private photos. That seems to leave just two possibilities:

1. MySpace didn’t know this was going on before.

2. MySpace knew about it, but didn’t take action until the press noticed.

From a privacy activist’s perspective though, the question is: what will the Federal Trade Commission do about it? What can they do?

The FTC has the power to prosecute “unfair and deceptive trade practices.” This doctrine has developed to mean they have a role in enforcing privacy promises:

Enforcing Privacy Promises: Section 5 of the FTC Act

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

It looks like MySpace was promising privacy. And it looks like that promise wasn’t being kept. The FTC has gone after poor security promises before. A listing of their privacy cases includes a few examples:

  • Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
  • Agency Says Company Failed to Protect Sensitive Customer Data
  • Tens of Millions of Consumer Credit and Debit Card Numbers Compromised
  • Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
  • Security Flaws Allowed Hackers to Access Consumers’ Credit Card Information

But those cases all involved harms to credit card numbers or other personal information of a financial type. MySpace involved pictures. Will the FTC recognize MySpace’s breach of image security as a harm?

FTC action in this case would send a clear message to social networking operators to respect security and protect the privacy of the data which users are entrusting to them. That data may not be “sensitive” in the financial sense. But it is “sensitive” in that it is deeply personal.

Posted: January 20, 2008

Online Dating, Sex Offenders and Background Checks: The Hype and The Problem

Via PogoWasRight, I hear of this NJ online dating bill:

The bill as introduced requires online dating services to disclose to any user from New Jersey whether it has performed background checks on members of the site.

The flawed part of the bill comes in the fact that to satisfy the bill’s “Criminal Background screening” all a site has to do is a simple name search via a regularly updated government public records database or a database maintained by a private vendor.

The actual text of the bill is available in PDF.

The article calls the bill “flawed,” and I agree. These sorts of simple name-matching background checks are unreliable. They are prone to errors, easy to fool, and likely to produce mismatches, and they promote a false sense of security. The underlying records may not be complete: an arrest may never be updated to show that charges were dropped or that the person was otherwise shown to be innocent. Expungements and pardons may fail to clear the record, or may not show up in the results at all. On top of all that, criminal records are genuinely hard to read: it’s difficult for a lay person to tell from a court printout what someone’s exact criminal history is.

I want to add a note on what sorts of things help promote not only the hype, but also the background-check solution.

As the article notes, Wired editor Kevin Poulsen wrote a Perl script to compare sex offender lists with names on MySpace. That effort led to the arrest of one individual, and Wired wrote it up under the headline MySpace Predator Caught By Code.

At the time, I blogged about this on my previous blog:

Wired wrote some code to match the information in the national sex offender database — first and last name, and zip code (within 5 miles) — with profiles on MySpace. This gave them “vast numbers of false or unverifiable matches.” It took months of part time work, looking at each profile, to figure out which were actual predators still using the site for their predation. Some profiles were dormant. Some were innocent. One lead to an arrest.

But here was the problem. Not just with the process, but with the entire pitch:

The predator was not caught by code. “Vast numbers of false or unverifiable” matches were caught by code.

It was the human work of tracking down all the false matches and doing investigations that actually caught the bad guy. I predicted at the time that this exercise would incorrectly portray the “magic” of data matching. Not only does it promote the hype of sex predators on social network sites, but it also promotes the idea that there is an easy “search” that one can make to check this threat.
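To see why the matching step alone produces mostly noise, here is a toy sketch of the kind of name-plus-zip-code comparison described above. The records are made up, and the “within 5 miles” test is replaced with a crude numeric zip comparison; the point is just that agreement on a common name and a nearby zip code is weak evidence of identity, which is why the human investigation did the real work.

```python
# Toy illustration of name + zip-code matching and why it over-matches.
# All records below are fabricated.

OFFENDER_LIST = [
    {"first": "John", "last": "Smith", "zip": "90210"},
]

PROFILES = [
    {"name": "John Smith", "zip": "90211"},  # common name, nearby zip
    {"name": "John Smith", "zip": "90212"},  # another, equally plausible
    {"name": "Jane Doe", "zip": "90210"},
]

def zips_nearby(zip_a, zip_b, tolerance=5):
    """Crude stand-in for 'within 5 miles': compare zip codes numerically."""
    return abs(int(zip_a) - int(zip_b)) <= tolerance

def candidate_matches(offenders, profiles):
    """Return every profile that merely shares a name and a nearby zip code."""
    hits = []
    for offender in offenders:
        full_name = f"{offender['first']} {offender['last']}"
        for profile in profiles:
            if profile["name"] == full_name and zips_nearby(
                profile["zip"], offender["zip"]
            ):
                hits.append((full_name, profile))
    return hits

if __name__ == "__main__":
    for name, profile in candidate_matches(OFFENDER_LIST, PROFILES):
        # Every "hit" still needs human verification; most will be different
        # people who happen to share a common name.
        print("possible match:", name, profile)
```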

Posted: November 27, 2007