On the one hand, I wasn’t entirely surprised by this news – it was only a matter of time before someone started building up such a dataset. I’ve previously mentioned that developer Pete Warden had planned on releasing public profile information for 210 million Facebook users until the company’s legal team stepped in. But nothing technical prevented someone else from attempting the task and posting data without notice. I imagine Facebook may not be too happy with Bowes’ data, but I’m not going to delve into the legal issues surrounding page scraping.

However, the event did remind me of a related issue I’ve pondered over the last few months: the notion of “security through obscurity” as it relates to privacy issues.

I’ve often referenced the work of danah boyd, a social media researcher that I highly respect. In a talk earlier this year at WWW2010 entitled, ”Privacy and Publicity in the Context of Big Data,” she outlines several excellent considerations on handling massive collections of data about people. One in particular that’s worth remembering in the context of public Facebook information: “Just because data is accessible doesn’t mean that using it is ethical.” Michael Zimmer at the University of Wisconsin-Milwaukee has made similar arguments, noting that mass harvesting of Facebook data goes against the expectations of users who maintain a public profile for discovery by friends, among other issues. Knowing some of the historical issues with academic research involving human subjects, I tend to agree with these positions.

But a related point from boyd’s talk concerns me from a security perspective: “Security Through Obscurity Is a Reasonable Strategy.” As an example, she notes that people talking in public settings may still discuss personal matters, but they rely on being one conversation among hundreds to maintain privacy. If people knew other people were specifically listening to their conversation, they would adjust the topic accordingly.

In this “offline” example, taking advantage of obscurity makes sense. But boyd applies the same idea online: “You may think that they shouldn’t rely on being obscure, but asking everyone to be paranoid about everyone else in the world is a very very very unhealthy thing…. You may be able to stare at everyone who walks by but you don’t. And in doing so, you allow people to maintain obscurity. What makes the Internet so different? Why is it OK to demand the social right to stare at everyone just because you can?”

I would respond that at least three aspects make the Internet different. First, you rarely have anyway of knowing if someone is “staring at you” online. Public content on Facebook gets transferred to search engines, application developers, and individual web surfers every day without any notification to the creators of that content. Proxies and anonymizers can spoof or remove information that might otherwise help identify the source of a request. And as computing power increases each day, tracking down publicly accessible resources becomes ever easier.

Second, the nature of online data means that recording, parsing, and redistributing it tends to be far simpler than in the offline world. If I want to record someone’s in-person conversations, it’s theoretically possible that I could acquire a small recording device, place it in a convenient location, save the audio from it, type up a transcript of the person’s words, then send it to another person to read. But if I want to record someone’s conversations on Twitter (as an example), I can have all them in a format understandable to various computer-based analysis tools in just a few clicks. In fact, I could setup an automated system which monitors the person’s Twitter account and updates me whenever certain words of interest appear. Add the fact that this is true of any public Twitter account, and the capabilities for online monitoring grow enormously.

Finally, while digital content is in some ways more ephemeral than other media, web data tends to persist well beyond a creator’s ability to control. Search engine caches, archival sites, and user redistribution all contribute to keeping content alive. If someone records a spoken conversation on a tape, the tape can be destroyed before copies are made. But if you (or a friend of yours) post a sentence or photo on a social networking site, you may never be able to erase it fully from the Internet. Several celebrities have learned this the hard way lately.

From a privacy perspective, I wholeheartedly agree with boyd that we can’t expect users to become paranoid sysadmins. The final point of my own guide to Facebook privacy admonished, “You Have to Live Your Life.” But from a security perspective, I know that there will always be people and automated systems which are “staring at you” on the Internet. I’ve seen time and again that if data is placed where others can access it online, someone will access it – perhaps even unintentionally (Google indexes many pages that were obviously not meant for public consumption).

In my opinion, the only way to offer any setup online which resembles the sort of “private in public” context boyd described requires some sort of a walled garden, such as limiting your Facebook profile to logged in users. That alone still doesn’t provide the same degree of privacy, since many fake profiles exist and applications may still have access to your data. But while “security through obscurity” (or perhaps more accurately, privacy through obscurity) may be a decent strategy in many “offline” social situations, it simply can’t be relied on to protect users and data online.

Facebook users are starting to discover this firsthand. I’ve seen several reactions to Bowes’ release that characterize it as a security issue or privacy issue, and people have seemed quite surprised that building such a dataset was even possible. Yet it really shouldn’t come as a surprise to someone familiar with current technology and ways of accessing Facebook data. And it won’t be the last time we see someone make use of “public” data in surprising ways. Some of these uses may be unfortunate or unethical (see above), but we’ve often seen technology steam ahead in pursuit of fortune, and the web has many users with differing ideas on ethics. Reversing the effects of such actions may prove impossible, which is why I would argue we need to prevent them by not trusting obscurity for protection. And how do we balance this perspective to avoid unhealthy paranoia? I’m honestly not sure – but if content is publicly accessible online without any technical limitations, we can hardly consider it immune to publicizing.

I first created this blog in 2007 after finding basic CSRF issues in the first publicly available OpenSocial application. At the time, I admittedly knew very little about application security (not that I know much now!), but I was interested in many aspects of building online social networking systems, and that led me to research security issues more and more. Over time, this blog grew and several other projects hosted on the same server fell by the wayside. As my understanding of security also grew, I found some of my sites hacked a few times, and I undertook a number of steps to secure this WordPress installation.

That maintenance contributed to the confidence I had in my warning on Twitter – malicious scripts kept popping up in my site’s footer, and the only apparent problem were some suspicious requests to a particular WordPress interface. I had looked gone through all my plug-ins (the apparent source of previous attacks), double-checked my permissions, changed passwords, etc. I finally did a thorough sweep of every single folder on my site, and lurking in an upload folder, I found a sophisticated PHP backdoor.

I’m guessing that file originally been placed during a much older attack and I’d simply missed it until now. Since deleting it and taking even more steps to protect my blog, I’ve not had any more trouble. I wouldn’t presume to think this site is 100% secure and I’ve never claimed to be an expert on application security, much less WordPress or PHP security, but I’m now quite confident that I’ve taken enough precautions to avoid most attacks.

That leads me to the following list of steps I’ve performed to harden this particular WordPress site. If you’ve not taken the time to ensure your blog is secure, this may be a good guide for you to start with. I’m indebted to many websites on WordPress security, and while I would want to link to all of them, I’m honestly not sure of all the specific ones I’ve drawn from and it would take a while to piece them together. A quick search will bring up many helpful recommendations, and I encourage you to check them out in addition to these tips.

• Stay updated. Running the most current version of WordPress is probably the most important step. My host offers automatic updating for my installations. Also, be sure to keep your plug-ins updated as well.
• Protect other sites. If you have more than one website running on the same server, make sure all of them are secure. One vulnerable application can compromise others. If you have sites that you don’t maintain, consider deleting them or locking them down to avoid future problems.
• Scan through all of your folders. If you haven’t done this in a while, now would be a good time. Look through what files are present and keep an eye out for anything suspicious. Check your WordPress files against a fresh download to make sure they line up.
• Scan through all of your permissions. This should be fairly easy with an FTP program that displays permissions settings. With rare exception, I keep files at chmod 644 and folders at chmod 755.
• Periodically change passwords. Definitely modify your passwords if you’ve recovered from an attack. Remember to change your database password (and corresponding line in wp-config.php) as well as account passwords.
• Use modified passphrases. This is one tip I don’t see often, but it’s one of my favorite tricks. Rather than simply jumbling characters into a password you have trouble remembering, start with a sentence. Not something terribly common, but something familiar to you. Pick one with at least six words in it. Take the whole sentence, with capitalization and punctuation, and add some complexity – append some numbers and punctuation at the beginning or end, and maybe change a few letters to numbers (such as “3″ for “e”). You should then have a very strong “password” that’s much easier to remember. Many websites and applications will let you use spaces and hundreds of characters in your password. But once again: avoid common phrases, include at least six words, and don’t just use a sentence without adding some numbers and special characters.
• Check your users table in the database. I’ve seen attacks before that lead to the creation of an administrative account which is then hidden from the list of users in the web-based control panel. I’ve never quite understood why hidden users should be allowed, but that could be part of the attack to begin with. Anyway, just to be careful, I like to look at the actual table in the database and see if any other accounts have administrative privileges.
• Double-check and clean up all plug-ins. I’ve deleted every plug-in I don’t use, and I try to keep all of my active plug-ins current. If you have a plug-in that’s no longer maintained or hasn’t been updated in a long time, you should probably check and see if a newer replacement is available. In my experience, plug-ins can be one of the weakest points in your WordPress installation. It’s kind of like a certain other site I know well – Facebook itself tends to be pretty secure, but you can often access data through vulnerable Facebook applications.
• Add HTTP authentication to your wp-admin folder. This is covered in many places online so I’ll not recap specific steps here. And I’ll add that I realize this is not a silver bullet – basic authentication sends passwords in cleartext (so don’t use the same credentials as your WordPress account), and the traffic is not encrypted if you’re not using SSL/TLS. But adding another login prompt for the admin panel adds friction and may repel less-determined attackers. (This tip is obviously geared towards those who don’t have user accounts for non-admins.)
• Move wp-config.php to a folder not as easily accessible. You can place wp-config.php one folder above your WordPress install; under my hosting setup, this location does not correspond to any public website folder. I also set mine to chmod 644 after changing it.
• Rename your admin account. Several means exist to do this; I simply edited the record in the database.
• Change your table prefix. This can be a bit of a hassle, but plug-ins exist (see below) to help. I’ll admit that I still need to check this one off my own list; long story.
• Disable interfaces such as XML-RPC if you don’t use them. I don’t doubt that the programmers behind WordPress have worked hard to secure these interfaces, but I simply don’t like having another avenue of accessing administrative functions. And I think it’s not a bad idea to disable features you don’t actually need.
• Use security tools. I installed the WP Security Scan plug-in after reading about it on WordPress’ own hardening guide.
• Keep monitoring your site. I make a habit of loading up my homepage ever so often, hitting “View Source,” and scanning through the HTML. If I ever see an unfamiliar script or iframe element, I look closer.

That’s my personal list of WordPress security tips, based on many helpful resources and my own experiences of getting hacked. These certainly don’t apply to everyone, more could be added, and your mileage may vary, but hopefully this will help others avoid some of the problems I encountered. Be sure to look at other people’s advice as well and watch out for any WordPress security news.

Why the Change?

And why did Facebook make those changes? There’s no technological reason for many of them. Nothing about liking pages or using social plug-ins forced the company to remove old access controls or make “instant personalization” an opt-out feature. Facebook’s executives made a policy and business decision to push users into more public sharing. In many ways, we’re having this debate because Facebook chose to make it an issue.

That’s not a criticism, simply an observation. In fact, many would probably say that Facebook was right to challenge ideas on privacy. Popular tech blogger Robert Scoble has repeatedly argued that Facebook’s changes bring many benefits to users. One writer at Fortune questioned any backlash and gave this response to Pandora’s new social setup: “My first reaction? Creepy! My second reaction: Cool!” Is it wrong to force users into a new situation that’s uncomfortable at first if it ultimately brings significant value?

In this case, however, the ultimate value to users remains unclear. Many users will certainly find advantages to a freer flow of information. But does Facebook really have the right to decide whether content people had previously restricted should now be available publicly? How can any of us judge whether the benefits outweigh the downsides for each user? Many users chose to put information in their profiles that they did not want shared beyond certain limits. If exposing that information seems trivial, are you certain you understand why the profile owner thought limits so important to begin with?

I would argue that by pushing the envelope on our understanding of privacy, Facebook’s leadership made changes that benefit the company, partly by also benefiting developers and partners. That’s not necessarily a bad thing – Facebook is a business and has to make money. But while those changes do benefit some users, perhaps even a majority of users, they also harm the trust of many other users who had shared private content on Facebook.

Where’s the Backlash?

In the short term, the benefits outweighed the downsides for Facebook. Several high-profile users have deleted their accounts, and others are following suit. But keep in mind that even if 10 million people stopped using the site, that would only be a 2% reduction in user base.

As the company faces widespread criticism and possible regulatory changes, you might expect Facebook to back down on some of their changes. I doubt it. Facebook’s executives know the company enjoys a very strong position in the market right now. They can afford losing 2% of users without breaking a sweat. And if people do leave, where will they go?

Given that level of security, why bother talking about Facebook privacy? Why does it matter if techie types bail on the service? Should we simply get used to having less control and move on?

To put it another way, should we let Facebook dictate our understanding of online privacy?

I realize Facebook will probably never go back to the way it once was and that there’s essentially no hope of meaningful competition in the short term. Yet Facebook didn’t reach this place overnight. Industry shifts take time. And many influential people in technology are often on the bleeding edge of such shifts.

Is Privacy Dead?

For the time being, though, Facebook users will likely react in one of three ways. First, they may not understand the implications of updates and keep using the site as before. Second, they might embrace the new capabilities and voluntarily unleash more content. Third, they will decide that they derive too much value from Facebook to let it go, and thus will, perhaps begrudgingly, keep their account – but they’ll be far more careful about what they post in the future.

I suspect that as awareness grows of how much data Facebook now distributes, many people will take more precautions in using the site. That’s not necessarily a bad thing – I’ve long argued for increased education of online dangers. People need to be careful online, regardless of how “private” a service seems. But care is not the same as paranoia or having to manage your identity the way a celebrity might. If Facebook wanted to increase intimacy and authenticity among online friends, they may find they’ve actually done the opposite.

Some people, such as Scoble or perhaps Mark Zuckerberg, have chosen to live their lives with “radical transparency.” Most of us probably still want to keep certain information private, and yet we routinely share that information with parties we trust – even online. I use my credit card number when shopping at Amazon, but I’d prefer they keep it to themselves. When I filled out web-based job applications last year, I often had to disclose my social security number – a small bit of data I would not want passed around. In a more offline example, I’ve often shared personal struggles with close friends in other states by talking with them on my mobile phone.

I realize that a determined hacker could possibly steal my payment info or even my SSN when I send that data to websites. I also know that my phone can be tapped or that my friends could repeat our conversations to others. But based on a wealth of factors, I make a decision to take those risks, since I judge the likelihood of these scenarios (especially given certain precautions I take) to be minimal.

The idea that any data you transmit to another computer should be considered public has significant merit. In practice, though, much of our offline lives face the same technical threat of publicity, and channels have long existed to share electronic data with only a limited audience. Most of us would not want the entire world to see all of our e-mails, and a range of businesses let only certain people access certain servers.

Which brings me back to one of my original points: nothing forced Facebook in a direction away from privacy. They chose it. I doubt whether they would have around 500 million users today if they had chosen that direction years ago. But even if Facebook now thinks I should share all of my content with everyone, I still find value in keeping some information limited. For me, that’s the essence of online privacy. And while one website with a very large audience may have reduced privacy by keeping me from using their features in a limited way, I will continue to exercise control over my data in other ways.

What Now?

The current debate about Facebook and privacy may seem confusing, futile, or even pointless. But it’s important to evaluate the background and ramifications of Facebook changes, especially given the company’s influence on industry trends. It’s important to realize that visible competition and meaningful alternatives to Facebook will require months or even years of development. And it’s important to understand how much privacy still plays a role in the way people manage and share information, whether online or offline.

Perhaps Facebook will end up right, and most people will move away from old ideas about privacy. But I’d rather see companies educate users on new features and empower them to choose more public sharing rather than expose previously private content and encumber such a change with illusory settings. Facebook may try to say most people don’t mind their new take on privacy, but I think they’ll find this debate is far from over.

Frustration with Facebook has appeared to reach a tipping point recently. Changes to the service have always drawn criticism and even outrage from various users, but after the latest updates, I’m seeing more people talk seriously about leaving the site. Consequently, some people have begun looking for alternatives, and a few have even started trying to build their own.

I’m among those looking for alternatives. I’ve held back from closing my account several times in the past due to a large network of friends, but my concerns continue to rise. Few other options exist, though, and any service looking to compete directly with Facebook faces an uphill battle.

Consider this post my advice to anyone who wants to tackle that challenge.

1. Avoid Pitfalls in Planning

When I’ve observed people discussing Facebook competition thus far, they invariably seem to fall prey to what I see as two mistakes. First, they focus almost entirely on the development side: what back-end technologies to support, what formats to use for data exchange, protocols for such interactions, etc. All of these aspects are important to consider, but I contend that you need to start by looking at the user side of the equation: mapping out the features you will sell to average people, designing interfaces with usability and simplicity in mind, creating processes and workflows that anyone can understand.

Second, many critics of Facebook focus on how the company fails to be “open,” a term that has long since entered buzzword territory. Ask a developer about their Facebook replacement, and they’ll probably start by telling you how it uses the Open Stack, with tools such as OpenID, OAuth, and Activity Streams. I have no problem with using these formats in a new site, but once again, you ultimately have to focus on your users. If you want your product to find mainstream adoption, you’ll have to convince average consumers that using it is worth any difficulty involved in leaving Facebook. Most people don’t care so much about whether technology is “open” or “closed” so long as it works. (Case in point: iPhone.) Rather than starting your plans by picking which “open” standards you’ll use, start by designing a better social networking service and then determine how “open” specs will help you build that service.

2. Think Through Your Setup

While I don’t recommending starting with too many technical details in planning, you still need to think through how the general structure of your application will work. Social networking services tend to involve a number of interlocking components, and the nature of the content involved can invoke problems other services don’t normally face.

For instance, nearly every Facebook alternative I’ve heard about thus far is built to be a distributed system, connecting multiple servers or platforms together into an aggregated network. This offers a number of advantages over Facebook’s centrally controlled setup.

But it also brings a number of disadvantages and hurdles that ought to be addressed. Say your social graph on a distributed service includes 500 friends, with profiles spread across 100 different servers. What sort of performance will you get when you need to pull data from 100 sources to build a news feed? If you use caching, how will you handle data retention and expiration to respect others’ privacy? What sort of fail-safe measures will be in place if a few servers are down? How will you establish trust relationships or handle malicious users? How will security vulnerabilities in one server affect others on the network? How will you ensure every server stays updated with the latest patches or features? All these questions and more come into play with distributed social networking, and I’ve yet to see many of them satisfactorily addressed by current offerings.

3. Learn from Academic Researchers

Many people in the academic community are producing research that addresses how people interact both offline and online, as well as how people understand concepts of privacy and social networking. As websites continue to reshape the fabric of our society and Facebook in particular affects notions of privacy, you simply can’t afford to ignore these studies.

While I wouldn’t want to neglect the work of anyone in this field of academics, I particularly respect and recommend works by danah boyd. For example, her talks on “Making Sense of Privacy and Publicity” and “Privacy and Publicity in the Context of Big Data” are must-read material for anyone looking to enter the world of social networking development. I’d also advise learning about the Helen Nissenbaum‘s concept of “contextual integrity,” explained well in a series of articles by Michael Zimmer. Fred Stutzman and Kaliya Hamlin (though she’s strictly not in academia) are just a few more of the many people I’ve come across who are contributing to our understanding of social media. Get familiar with more than just the technical implications of social networking: understand the social side.

4. Relationships are Not Digital

I understand that the Internet has created new possibilities and methods for people to relate to one another, and I’m not arguing there’s anything inherently wrong with those developments. But I do think some online applications generally employ constructs that fail to resemble many offline relationships. For example, many online connections with other people are essentially binary – friend or not, follower or not. Making such a connection often involves a subscription to the other person’s entire stream generated updates, regardless of type or content. Control over those updates can be limited or confusing.

I recognize that providing effective communication channels that avoid being cumbersome but also reflect social norms is a daunting prospect. It’s no wonder most of the sites we’ve seen thus far have followed previous online models of communication, such as the simple dichotomy of public discussions and private messaging. But I think it’s time we reevaluate some of our ideas about how sharing content should look and seek out new methods for staying in touch.

Of course, with this point I’m really advocating for a Facebook alternative that addresses a certain market: an online service that helps people leverage technology to stay better connected with their offline friends and associates. Remember, my overall message here is to build a better Facebook. It’s not enough to make things more open, or offer more privacy controls, or integrate with more sites. You need to provide more value. And personally, I see a great opportunity to provide more value in finding better ways for people to stay in touch. As someone who lives in a different state than the majority of my friends and family, I have enough trouble keeping up with people even with Facebook, but getting rid of my account would make that task more difficult. I would love to see a service that improves on Facebook in this area, and I imagine many others would as well.

One other note on this point: I would love to see a service try and tackle the issue of multiple identities with a more elegant solution than letting users create multiple accounts.

5. Don’t Overdo Privacy Settings

Given the uproar over Facebook’s lack of certain privacy controls and the amount of time I’ve spent talking about privacy controls, this point may seem a bit strange. But “privacy” is not simply about having granular, detailed settings for every bit of content or feature on a site. Too many choices will easily overwhelm users, and while powerful controls may help enterprises manage permissions on resources, most people don’t have the time to manage a plethora of menus and check boxes.

This ties back into previous advice on understanding the social side of social networking. Don’t simply rely on the sort of controls that you as a developer or systems administrator use for managing data. In some cases, you may even need to simplify things by eliminating layers. For instance, Facebook provides separate settings for both the photos application as a whole and the photo albums within the application. I would argue getting rid of the former and displaying available albums based on the current context.

From a high level, I think privacy controls need to clearly but concisely communicate two things to a user: who can access the data and where (or how) may the data be publicized. Whatever settings you include need to be simple enough to maintain usability but clear enough to avoid any unpleasant surprises.

6. Reduce the Noise

Facebook and other services thrive on people sharing content. These sites push people to produce more content and increase the flow of information. However, I would contend that while access to increased information can bring many benefits, we have to balance that notion with the understanding that more knowledge is not always better and that increased information does not always need to broadcast. Many online users are suffering from severe information overload, and better filters alone are not going to solve the problem. It’s time we dialed back some on the production of content to begin with.

Please don’t misunderstand my position here: I’m not trying to put an end to Wikipedia or become some sort of content police. What I am saying is that our obsession with streams and the real-time web may be driving us to lose sight of other priorities. Just because your service can track and broadcast every activity your users perform doesn’t mean that it should.

7. Integrate with Facebook

This is one bit of advice I’ve not seen anywhere else thus far: If you want to beat Facebook, use Facebook’s features against it. Over the last several years, Facebook has provided more and more access to information for third-party developers. I’ve not seen any provisions that would prevent another social networking service from taking advantage of these methods.

I’ve often heard people talk about the idea of “taking your social graph with you,” but that’s not really the problem right now. It may be a bit complicated, but you can pretty much export your entire social graph from Facebook. The real problem is this: where do you take it to? The only “import” function for most sites involves scanning a list of e-mail addresses to find other users.

With Facebook’s APIs, though, you can simply connect your other social networking profile with your Facebook profile. Be warned that you should not simply assume people who do this will want any Facebook friends who sign up for your site to know about their profile or be their friend on your site. But you at least have options to make the transition much smoother.

Also, since people criticize Facebook for taking in more information than they give out, you can simply make sure data originates outside of Facebook. Your application can push status updates, messages, and content to Facebook, and then you already have a copy on your service. Besides, nowadays you can pull a user’s inbox, updates, notifications, and so on from Facebook as well.

8. Value What Your Users Value

Building a Facebook alternative includes many details to worry about, such as monetization, advertising, and privacy. But never forget what makes any service valuable: the people that use it. If your product becomes popular, that means people will be using it to share content they deem valuable and trusting you to store content they deem valuable. You will have to earn that trust and work hard to maintain it.

Communicate with your users in a helpful, honest way. Give them meaningful support options. Provide them with default privacy settings that protect them rather than surprise them. It can be fine to let users share everything with everyone if they want, but let the users decide and empower them to choose the path they want rather than push them towards one approach.

And above all, keep providing a service that people find useful. The real reason so many people still use Facebook is that the benefits outweigh any difficulties or privacy concerns. If you’re going to compete with Facebook, you’ll have to top that.

(Oh and one last bit of advice: come up with a good, professional name for your start-up. Please.)

Privacy is not simply about confidentiality. Privacy is about control – you having control over the nature, disclosure, dissemination, and usage of your information. Privacy is about ensuring data exchanges happen under certain norms and in appropriate contexts.

Many Silicon Valley executives, however, seem to think users should embrace sharing most of their data with the entire web. This attitude is typified in a comment by blogger Robert Scoble: “We are all going to have to learn new ways to deal with privacy. Personally I think privacy is dead. Get over it. If you want it to be private don’t put it on a computer and don’t put it on the Internet. My entire life is public. If you want, you can search for naked photos of me (there are three out there).”

But can we really extrapolate the experiences of certain social media personalities and apply them to web users in general? Would we be as comfortable with a thirteen-year-old girl commenting that you could find three naked photos of her online?

In fact, the incongruence between Scoble’s public living and the worlds that even other US bloggers navigate became apparent in a post by Michelle Greer on geolocation. Greer does not oppose geolocation services, but she does note how they can increase risks for a person dealing with stalkers. And such risks are not eliminated by the person simply avoiding these tools – if trusted friends start using them without careful thought, an attacker can exploit data beyond their target’s control.

Robert Scoble may be able to have his entire life public, and in an ideal world, perhaps everyone else could too. The difficult reality, however, is that people in a broad range of circumstances require a greater degree of privacy to thrive socially – and at times, even to survive.

Of course, Scoble is far from alone in his outlook. I often see reactions to various stories that include sentiments I can describe at best as oversimplifications or misunderstandings. In some cases, these ideas seem to carry an appalling amount of arrogance as well. I’ll give four examples with short rebuttals:

• “No one cares about what you ate for breakfast.” What if you died of poisoning one morning? Suddenly your family, the police, and many other people would care very much about your breakfast. But while I could offer dozens of other similar scenarios, they can distract from a more important point: Who are you to decide whether anyone cares about my breakfast? Why should I or others rely on your judgment in determining the value of the information that I choose to share? We all know people who care about details as mundane as our meal choices simply because of their relationship with us, even if that knowledge seemingly provides them no tangible benefit (unlike the poison investigation).
• “What use would basic profile data be to a malicious third party? Disclosing it would not really matter.” This perspective includes an informal logical fallacy familiar to many in the scientific community: an argument from incredulity. In other words, since the questioner cannot imagine a certain scenario happening, it must be impossible. As before, I could easily frame a few situations where simple information disclosure could cause serious consequences for a given user (and the Google Buzz roll-out provided real-life examples) but doing so would fail to address the real issue: Only a profile’s owner has the knowledge and background required to outline all possible implications of disclosing their particular bits of information to various other parties.
• “If you don’t want everyone to see certain content, you shouldn’t post it online to begin with.” Nearly everyone who routinely interacts with websites sends them content that carries expectations of confidentiality. Would you be comfortable with sites publicly sharing your credit card information? After all, you’re not liable for unauthorized charges, a point Blippy noted after a few of its customers’ credit card numbers leaked out on Google. The flexible nature of the Internet has always allowed people to share content in a way that limits the audience. Nothing technological has to prevent users from enjoying degrees of disclosure between encrypted e-mail transfer and publicly indexed web pages.
• “Participating in social media is a choice. If you don’t like Facebook/Twitter/etc., don’t use it.” This advice assumes that personal choice is the only determining factor for using a social media service. Under the same assumption, I could argue that driving a car, using a mobile phone, having indoor plumbing, and buying groceries instead of farming are also choices no one is forced to make. Many Facebook users could leave the service in the sense that doing so would not affect their physical survival, but many of them cannot leave Facebook without significant negative effects on social, relational, and perhaps even economic aspects of their lives. Once again, few of us are in any position to evaluate such situations for other individuals.

In essence, no social media executive can assume that he or she understands the ramifications of reducing user control over information. No algorithm can make the same social judgments a human being can. And yet, what sort of trends do we see in the market? As an example, Facebook has gradually widened the definition of “publicly available information” while also adding features that aggregate and publicize data unexpectedly.

As Bruce Schneier notes in an excellent video presentation, however, you and I are not Facebook and Google’s customers. We are their products. They sell information about us, and hence they have a business interest in us sharing more information with more people. Yet for us, this approach tends to increase the amount of noise we deal with. I would submit that the market for online social networking needs to shift towards a model where business interests somehow align with users’ best interests. Obviously such a proposal is easy to state but difficult to implement and monetize, but it’s time we started rethinking how we approach these services.

For instance, many social networking sites have been structured more around technological paradigms than social ones. Most sites include a private messaging feature generally intended for confidential, one-on-one communication, then a method for sharing information that’s generally public, but perhaps includes features for limiting the audience. Perhaps we should design a more fluid communications system that reflects the sort of individual and group interactions we make offline or shoehorn into existing online services.

Another practical step towards ensuring user privacy would be to implement restrictive default settings. Which would be worse for the user: posting content privately that was intended to be public, or posting content publicly that was intended to be private? Rather than require a user to complete long lists of privacy settings prior to engaging with a service, keep content locked down by default and make it simple for a user to then open up their content more broadly.

Privacy is not dead, but many of today’s web applications seem intent on killing it. We desperately need alternatives that empower users with intuitive, defensive privacy controls. Note that by calling for better privacy models, I’m not saying we should avoid public sharing. If users want to live as Robert Scoble, a social media service need not stand in their way. (While Facebook once had more restrictive privacy defaults, it also used to prevent most content from ever leaving the site.) But rather than assume most people are Scobles, we need to find value in also enabling less-public sharing and protect the information that users themselves value.

I do agree with Scoble on one point: “We are all going to have to learn new ways to deal with privacy.” I also see a grand opportunity for entrepeneurs to help shape those “new ways” while keeping privacy very much alive.

However, I must issue an apology regarding what I view as a significant error that I discovered today while researching a new idea. In at least two recent posts, I misrepresented how much information Facebook applications are able to access without explicit authorization. My apologies to Facebook for overstating such access.

Previously, I’d stated that Facebook applications have access to your “publicly available information” and content marked accessible to “Everyone” prior to authorizing the application. In one case, I stated this could be used by a fan page tab to identify users without explicit authorization.

As it turns out, applications only have this automatic access in certain circumstances. According to Facebook’s documentation, such access only occurs when users arrive at an application page from certain Facebook channels and can be affected by strong privacy settings. I misunderstood this process and consequently applied in situations where it would not actually come into play.

As for fan pages, a tab apparently does not have automatic means of identifying a user and would need to request authentication to access such information.

It bothers no one more than me that I misled my readers on this point, and I will certainly strive all the more to avoid such an error in the future.

Given the way Facebook has repeatedly described “publicly available information” (PAI) since last fall’s privacy changes, this update is actually a logical next step for the company. Under a strict interpretation of Facebook’s policies, nothing would prevent a site from making use of such information already. Only technological barriers currently block the information flow – specifically, a site doesn’t automatically know who you are on Facebook when you visit.

At least, so it would seem. Researchers have already outlined ways that sites can infer a visitor’s social networking profile from other tracking mechanisms. In some ways, the new Facebook auto-connect simply builds on cookies and inline frames, the sources of earlier online privacy controversies. Furthermore, several security researchers have demonstrated exploits that led to data leakage. Nitesh Dhanjani demonstrated earlier this year that an authentication issue could give sites automatic access to the PAI of visitors, and just this week I reported to Facebook a vulnerability in their Platform that would allow sites to silently harvest all of a user’s profile information (details pending a patch).

Given the amount of data already flowing to Facebook applications and Facebook Connect sites (as well as their advertisers), the company’s moves towards more and more public sharing, and the history of privacy/security problems on the Facebook Platform, I’ve long argued that Facebook users should treat all of their content on the site as public. But Facebook has worked hard to maintain user trust, even making some content appear to be more private than it actually is. When I first discussed accessing public but hidden photo albums last December, I commented, “Making the albums hard to find gives an illusion of privacy and only delays any rude awakenings that may come from users who have inadvertently shared private photos.”

Now it may seem that Facebook users will finally understand the ramifications of default privacy settings. But the new system will probably be fairly subtle at first. Some users will find it creepy to be greeted on other sites by name, but such information will probably appear in a distinct, Facebook-labeled box (i.e., a Facebook Widget) to let a user know where the content comes from and make it still seem somewhat separate from the rest of the site. On the backend, though, the site will have access to the user’s public data.

What users may not realize is how much data they’re already sharing. This new style of Facebook Connect actually mirrors the behavior of Facebook itself. When you visit a Facebook application for the first time, it automatically knows who you are and can access your public data. (Correction: This only occurs in certain circumstances; more information here.) When you then click “Allow” to authorize the app, you give it access to all of your private data. Currently, an external web site knows nothing about you until you click “Connect.” If you do click, it has the same access to your private data as an authorized application. Now, Facebook is letting sites initially act like new applications by giving them access to your public data prior to full authorization.

In discussing the Facebook Platform, Anil Dash gave this analogy: “Think of the web, of the Internet itself, as water. Proprietary platforms based on the web are ice cubes. They can, for a time, suspend themselves above the web at large. But over time, they only ever melt into the water.” Depending on your perspective, either Facebook is finally melting into the water or the Web turned out to be the ice cube. With an automatic Connect system and the Open Graph API, Facebook is expanding its Platform to the rest of the Web. The only major difference between a Facebook-enabled web site and an actual Facebook application may soon be the URI.

You can start to get a sense of how this expansion may look by reading proposed changes to the service’s governing documents (see Inside Facebook’s excellent analysis):

We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content.

Currently, many sites hosting pornographic content will ask visitors to click a link verifying they are at least 18 or 21 before loading the material. With Facebook, the site could simply check your profile information first. Media companies worry about visitors accessing content outside of a given country; perhaps soon they can use your Facebook information to check your location.

Granted, providing fake details on your Facebook could easily foil some of these checks, but in many cases, that’s hardly different from lying about your age when you click or using a routing service to mask your location. Also, since if interact with friends on Facebook, you have a greater incentive to keep some information accurate. Facebook also reserves the right to terminate your account if you provide false profile information (despite also suggesting this strategy as a protection against identity theft).

My point is not to suggest that porn sites will soon be on Facebook’s “pre-approved” list or that Hulu would trust your profile over geographic IP data. I simply give these hypothetical scenarios to illustrate a larger trend: for better or for worse, your Facebook profile is becoming a virtual ID card.

Adding an identity layer to the Internet is not a new idea, but this may be the first time a system finds widespread adoption. Yet the Facebook identity model conflicts with many visions of how online identity should operate. “Open Stack” technologies, such as OpenID and OAuth, allow for federated setups. One of the first “Laws of Identity” by Kim Cameron states, “Digital identity systems must only reveal information identifying a user with the user’s consent.” Much of the consent in Facebook’s system comes from accepting the site’s terms at sign-up; many users will likely think that an opt-out Connect model violates Cameron’s principle.

And ultimately, user perception will be key to Facebook finding acceptance of its new endeavor. As social media researcher danah boyd discussed in her SXSW keynote, services with nothing technologically wrong can still disrupt social expectations (e.g. Google Buzz). (I rank the entire talk as must-read material for anyone working in the social networking space, but I’m only focusing on a few points here.) She also made a noteworthy distinction that I think will come up often as Facebook evolves:

Keep in mind that people don’t always make material publicly accessible because they want the world to see it….

Just because something is publicly accessible does not mean that people want it to be publicized. Making something that is public more public is a violation of privacy.

I think this distinction will be severely tested as the availability of Facebook data increases. I don’t dispute boyd’s evaluation, but coming from the perspective of security research, I know that when data becomes publicly available, it’s only a matter of time before it gets publicized in some way. With the wealth of information stored on Facebook’s servers, the site is becoming a favorite of both advertisers and attackers. Already we’ve seen hacks and tricks that make public Facebook data more public (see above), and each new site that integrates with Facebook is a new attack surface.

I’ve been cussed out by visitors to my site who think that by publishing weaknesses in the Facebook Platform or exposing seemingly hidden content I’m assisting those who maliciously hack people’s profiles. But much of what I post attempts to raise awareness of potential privacy and security issues before they get exploited by black hats. I can guarantee you I’m not the only one looking for Facebook weaknesses.

And that’s part of what concerns me about boyd’s distinction. The same technology that makes content “public” makes it easy to aggregate and publicize. For example, Pete Warden recently announced that he had built a dataset of 215 million Facebook profiles that he planned to publish for research purposes. Facebook eventually threatened to sue, prompting him to destroy the data, but no technology stands in the way of someone else recreating the dataset for their own purposes. In fact, with Facebook’s auto-connect system and the possibility of lighter rules for data storage, web sites may soon inadvertently recreate the dataset.

I honestly don’t think that Facebook is evil or that they care nothing about user privacy. Their new identity layer will likely bring benefits to many users and provide sites with valuable features. But just as Facebook became successful through providing users with a more private experience, the Internet became successful in large part because of its anonymity. While many users are happy with their personal Facebook account being a place “where everyone knows your name,” many users also value the rest of the Internet not knowing if they’re a dog. And as danah boyd put it so well, “No matter how many times a privileged straight white male technology executive pronounces the death of privacy, Privacy Is Not Dead.”

Second, I’d like to introduce myself. I’m known to many online as “theharmonyguy,” a screen name that goes back many years for me. Using it as my moniker for writing about security research was a split-second decision when TechCrunch covered my first major “hack” in 2007. Part of my decision came from wanting to keep my hacking endeavors separate from other development projects I had in mind back then. More recently, though, security research has become more than a small hobby, and I think it’s time to shed the anonymity. While I’ll continue to use “theharmonyguy” as an online identity, my real name is Joey Tyson. I graduated from Wake Forest University last year with a masters degree in mathematics, but I’ve spent several years working in IT consulting and web development prior to my career as a hacker.

And that brings me to my third announcement. I’ve officially joined the team at Gemini Security Solutions in Chantilly, Virginia, and look forward to starting work with them in March. A big shout-out to the Liquidmatrix Security Digest for the job posting that led me to Gemini. I’m excited about serving Gemini as they provide quality information security consulting to other companies. Also, I’ve been graciously allowed to continue this blog and my personal Twitter feed with the caveat that they don’t interfere with my work duties. Please note, however, that everything I post here is my own perspective and does not in any way reflect on my employer.

Over the next few weeks I’ll be moving to a new state, adjusting to a new area, and getting settled in a new job, so I may not be posting as frequently during the transition. But I still plan on maintaining (and perhaps expanding) both this blog and my Twitter feed for the near future. Thank you so much to all my readers for your help and support!

I hope you spotted the problem right away, as it’s a classic example of a cross-site scripting hole. The page mentions that the report will reference a particular URI, and that address also appears as a parameter in the page’s URI. As you might guess, the parameter is not being filtered, allowing one to insert any HTML code.

I found it rather ironic that I came across this problem as I was looking for a means to contact ESPN about two other XSS holes. All three issues were reported to ESPN back in late November, then reported again via different means earlier this month. After receiving no response to either report, I decided to go ahead and release this hole publicly.

By the way, I realize some of my posts about XSS issues aren’t directly related to social networking sites and thus diverge from the usual fare on this blog. However, I think they can serve as important lessons for all developers, including those building social networking applications. This sort of vulnerability is exactly the type that leads to FAXX hacks in Facebook applications. And perhaps it will serve as some comfort to smaller developers that even large sites are susceptible to such problems. Anyway, I also think it’s important to record these finds for future reference, and this blog is about the only place I have to do so.

Facebook has often faced this criticism, particularly after unveiling the Facebook Platform in 2007. Several bloggers compared Facebook unfavorably to AOL of yesteryear, eschewing Facebook’s “proprietary” (gasp!) FBML and FQL interfaces. Some even portrayed Facebook as a competitor to the Web itself. While the definition of “walled garden” was not always particularly clear, observers were unhappy with so much data flowing into Facebook and so little flowing out.

One would think that now, with the Facebook API able to expose your wall, News Feed, inbox, and just about every bit of profile data (even e-mail addresses to some degree) Facebook would be allowed in the open club. Indeed, some writers have noted changes since 2007 that justify dropping the dreaded horticultural moniker. But others continue to speak worriedly of Facebook’s dominance, even still drawing comparisons to AOL.

I, for one, not only have full confidence in the Web outlasting any supposed competition but also see Facebook as very much a part of that resilient network. In fact, I’d like to propose a bit of Internet heresy by according walled gardens a place among the open fields of the online realm.

First, let’s establish one fact: Facebook has always been part of, not opposed to, the Web. Disregard ridiculous arguments over FBML and FQL, which were no more of a threat to HTML and SQL than Smarty and WordPress template functions. Open any Facebook application, choose to “view source,” and all you’ll see is good ol’ HTML, CSS, and JavaScript. The Facebook Platform allowed developers to build on top of Facebook, just as Movable Type and Joomla allowed developers to write plug-ins using Perl and PHP. (Differences: you could not roll your own Facebook, Facebook essentially installed every plug-in, and you have to host the code.) That Facebook disallowed certain HTML security risks and added a few convenient tags for interfacing with their content in one approach to development (one could always write full-blown HTML using canvas iframes instead of FBML) hardly meant they were reinventing Web standards.

Technical considerations aside, some writers argued that Facebook opposed the Web in spirit – more specifically, the spirit of openness. Even though Facebook applications (and inverting Facebook’s criticized original setup, other web sites via Facebook Connect) have wide access to Facebook data now, average users still face hurdles if they wish to view posts and information from other Facebook users. At minimum, one has to create an account and login to Facebook to see beyond bare basics. Prior to recent privacy changes, access to content from non-friends was highly limited even after logging in. And while some of Facebook’s data should start appearing in search engines this year, very little has been indexed by Google so far. As I said before, users generate much content within the context of Facebook, but that context usually remains locked away from public access.

Before I respond directly to such charges, I’d note that Facebook (or any social networking utility) serves a limited purpose. Did you catch that? Facebook serves a limited purpose. Facebook was never meant to duplicate the Internet. If I need reference material on world history, I might turn to Google or (as a starting point) Wikipedia. If I want to know the latest technology news, I can bring up Techmeme. If I want to catch up on a favorite TV show, I’ll probably load Hulu. None of these tasks have any inherent social component that would cause me to first open Facebook when fulfilling them.

Last summer, however, I wrote a series of articles on particular doctrinal issues that affected certain people in churches and organizations I’ve been a part of. I’m not ashamed of my opinions, but they involve points that would not make sense to someone who did not have the background and context of the limited audience I had in mind when writing. Consequently, I would prefer such musings did not appear in the Google search results of an acquaintance unfamiliar with my topics. I shared my thoughts with certain friends via Facebook Notes.

I have friends who live several states away that wish to keep me and others posted on life in their growing family. They want to share what adventures their children are having with extended family across the country. Friends desire to see how they’ve decorated their new home and exchange tips on managing it. Rather than open themselves to potential hazards of their house and kids being featured in an image search, my friends can use Facebook’s photo albums to control who can observe their daily life.

These are but two use cases out of a hundred or more that (1) inherently involve a user’s social graph and (2) inherently involve content not intended for public consumption. To argue that Web-based services other than Facebook could provide similar functionality in an open context misses the point. Yes, I could have published my articles with Blogger, my friends could post their photos on Flickr. But these particular examples are not simply about sharing ideas and pictures – they involve sharing ideas and pictures with certain people.

Are you dissatisfied with Facebook limiting access to content? That’s where the rest of the Web (again, Facebook is one part of the Web) comes in handy. If you’re a blogger who wants the world to hear your thoughts, forget Facebook and start a blog. If you’re a photographer who wants to advertise your portfolio, forget Facebook and use a more open service. If you’re looking to interact with a small subset of the world, however, a walled garden may be just the thing for you.

Of course, these days Facebook’s leadership may cringe at my last paragraph, as they seem to be taking a new angle on their service’s purpose. But a few years ago, privacy and control (in essence, the very things that made it a “walled garden”) are what distinguished Facebook from competitors. Personally, I have trouble buying Mark Zuckerberg’s story that “if he were to create Facebook again today, user information would by default be public” (ReadWriteWeb), as such a site really wouldn’t have been much on an innovation. Recall that prior to Facebook’s rise, MySpace dominated social networking sites, and many (if not most) MySpace profiles were publicly accessible. Limitations are what made Facebook novel – originally, only college students were even allowed to create profiles on the site, and all profiles followed a strict layout.

In my experience, friends flocked to Facebook because it let them participate in new technologies (sharing digital photos, for instance) but in a controlled environment where they could enjoy a level of privacy. The garden walls were selling points – college students didn’t want just anyone seeing their photos and messages; later on, parents didn’t want their teenagers communicating with just anyone. I think that’s partly why Facebook’s recent moves encouraging users to share more openly generated such controversy. Users felt they had fallen victim to a “bait and switch” scheme: they invited their friends to use Facebook so they could share privately, now suddenly Facebook has forced them to share certain information and is pushing them to share the rest.

It’s also worth noting that in its early days, Facebook offered little functionality that couldn’t be found elsewhere. The notion of a profile, the ability to send private messages, the exchange of ideas centered around certain topics – all of these features were hallmarks of forum sites for years. But while the members of a forum formed a particular social graph centered around a certain niche community, Zuckerberg portrayed a user’s social graph on Facebook as a mirror of their everyday, real-life connections. Facebook (and other sites, such as MySpace) took the features of forums and adapted them for a general purpose audience, where you essentially chose the members of your forum based on who you already communicated with offline.

This brings us back to Facebook’s limited purpose and why some of the hand-wringing over its “proprietary” nature strikes me as overreacting. For instance, back in 2007, Gervase Markham of the Mozilla Foundation expressed concern that the messaging system in Facebook or LinkedIn might turn e-mail into a closed system incompatible with outside domains – in short, a walled garden. But Facebook messages could never replace SMTP e-mail. If I want to interact with close friends, Facebook messages provide a convenient, hassle-free means of doing so. Yet if I need to exchange notes or documents with acquaintances, large groups, or even businesses, Facebook messages are hardly up to the task. Once again, such use cases do not involve my social graph. I think Facebook recognized this as they expanded and started trying to juggle multiple social graphs beyond a user’s closer friends, since messages from fan pages (essentially, communications for a business) are filed away in a folder quite separate from a user’s main inbox of messages.

All this being said, please don’t think I’m opposed to more “open” approaches to handling my social graph, such as distributed social networking – far from it. I think Facebook is still an early player in online social networking, and that we’ll see many more platforms and ideas develop in years to come. But I think we’re still a long way from a time where the open alternatives provide end users with more value than walled gardens in the types of use cases I’ve already outlined. As much as I’d like to see federated social networking platforms thrive, I foresee many hurdles that have yet to be overcome. Distributed networks will have to deal with issues relating to performance (imagine generating a news feed when your friends’ data comes from hundreds of different servers), retention (is data cached, how long, etc.), reliability (what happens when a few of your friends’ servers are down?), privacy (how will access be controlled and monitored), and security (avoiding injection attacks, ensuring all hosts stay up-to-date, etc.), not to mention monetization (a problem that still plagues closed systems). And when it comes to user value, remember that walled gardens have a few inherent advantages – in a security example, if Facebook detects a worm spreading malicious links via messages, they can block all messages with a certain signature or strip out links to a known rogue site.

I suppose my main point is that we need not be concerned if Internet users (even 350 million of them) find use for a service that strikes many technology-minded people as a walled garden. While the Internet was built on open, equal access, that very setup enables some services to provide certain features in a more limited context while still taking advantage of Web technologies. And for many people, these gated communities provide real value that would actually diminish if Google began indexing it all. While certain circles seem to think any notion of online privacy is at best naïve (and granted, some users need to exercise more caution in what they post online, regardless of what service they use), I tend to think that the only people saying privacy is dead are those named in its will. And when privacy does become a factor in sharing online, at times, a garden might need walls.

P.S.: Lest you think I’ve changed my opinion in light of recent privacy controversies, I’d note that I stated very similar thoughts back in 2007 when some of these debates over Facebook first developed.