May. 4, 2010

Posted by in Facebook | 65 comments

The Social Hacking Guide to Understanding Facebook Privacy

After Facebook’s sweeping announcements at the 2010 f8 conference, many people have been reexamining the content they’ve posted on Facebook and who can access that content. This process has helped raise awareness of new behaviors that affect privacy expectations, but has also caused some users to discover old issues for the first time. As with many Facebook updates, the ensuing responses have at times led to confusion and misunderstandings. In this guide, I hope to provide some clarity in understanding how privacy works on Facebook.

This guide is intended for a general audience, so I will try hard to explain ideas clearly and not get bogged down by technical details. However, I will be focusing on the concepts behind various privacy controls rather than stepping through all available settings. If you want more on the latter, along with recommendations for those settings, I would point you to the Facebook Privacy & Security Guide maintained by Tom Eston at Social Media Security, a site where I’m also a contributor.

Apr. 26, 2010

Posted by in General | 22 comments

Why I Care if Others Care About What They Ate for Breakfast

I find that the only people saying privacy is dead seem to be those named in its will. Social media researcher danah boyd highlighted some of these conflicts of interest when she admonished, “No matter how many times a privileged straight white male technology executive pronounces the death of privacy, Privacy Is Not Dead.”

Privacy is not simply about confidentiality. Privacy is about control – you having control over the nature, disclosure, dissemination, and usage of your information. Privacy is about ensuring data exchanges happen under certain norms and in appropriate contexts.

Many Silicon Valley executives, however, seem to think users should embrace sharing most of their data with the entire web. This attitude is typified in a comment by blogger Robert Scoble: “We are all going to have to learn new ways to deal with privacy. Personally I think privacy is dead. Get over it. If you want it to be private don’t put it on a computer and don’t put it on the Internet. My entire life is public. If you want, you can search for naked photos of me (there are three out there).”

But can we really extrapolate the experiences of certain social media personalities and apply them to web users in general? Would we be as comfortable with a thirteen-year-old girl commenting that you could find three naked photos of her online?

Apr. 26, 2010

Posted by in Facebook | 26 comments

Facebook’s Open Graph Still Faces Semantic Web Hurdles

Geek level: Fairly technical. Aimed at web developers and security researchers.

In the wake of last week’s Facebook announcements, people have begun dissecting more of the technical details involved and adding various critiques. One point of discussion has been Facebook’s use of the buzzword “open,” with some observers feeling the description masks certain negative aspects of the new Open Graph.

But amid all the debate about openness, critics and supporters alike seem at times to inadvertently conflate three different (albeit related) technologies. First, the Open Graph Protocol defines a structure for website authors to provide certain bits of metadata (such as title, type, description, location, etc.) about their pages. Second, Facebook is expanding their “social graph” concept by building a database of connections among people, brands, groups, etc. The label “Open Graph” has been variously applied to this new map. Finally, the social networking site has introduced new methods for accessing these stored connections as part of their Graph API.

From a technical perspective, each of these offers great potential. But as they are currently being implemented, they still face difficulties that may hinder Facebook’s vision of the Semantic Web. In fact, while Facebook may have brought certain Semantic Web ideas to a more mainstream audience, they have not addressed some of the issues that have stymied advocates of similar technologies – including criticisms found in Cory Doctorow’s famous “Metacrap” essay from 2001. But first, I think it worthwhile to explore some of the details of Facebook’s three new components.
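Open Graph Protocol metadata is supplied by the page author, so a consumer has to decide how far to trust it. As an added example (not code from the original post or from Facebook), this Python code parses a page's `og:` meta tags and flags a claimed `og:url` whose host differs from the host that actually served the page. The function names, sample pages and `.example` hosts are constructed; the required-property list follows the public Open Graph Protocol specification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The four properties the Open Graph Protocol spec marks as required.
REQUIRED = ("og:title", "og:type", "og:url", "og:image")

class OGParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from a page."""
    def __init__(self):
        super().__init__()
        self.props = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop, content = a.get("property") or "", a.get("content")
        if prop.startswith("og:") and content is not None:
            # Keep every value: a repeated property is itself a signal.
            self.props.setdefault(prop, []).append(content.strip())

def audit_open_graph(html, fetched_url):
    """Return (metadata, findings) for a page fetched from fetched_url."""
    parser = OGParser()
    parser.feed(html)
    props = parser.props
    findings = [f"missing {name}" for name in REQUIRED if name not in props]
    for name, values in props.items():
        if len(set(values)) > 1:
            findings.append(f"conflicting values for {name}")
    served_by = (urlsplit(fetched_url).hostname or "").lower()
    for claimed in props.get("og:url", []):
        parts = urlsplit(claimed)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            findings.append(f"og:url is not a web URL: {claimed}")
        elif host != served_by:
            # The page describes itself as an object on someone else's site.
            findings.append(f"og:url claims {host}, page served by {served_by}")
    return {k: v[0] for k, v in props.items()}, findings

# Constructed sample pages (not real sites).
HONEST_PAGE = """<html><head>
<meta property="og:title" content="The Lord of the Rings" />
<meta property="og:type" content="movie" />
<meta property="og:url" content="https://movies.example/lotr" />
<meta property="og:image" content="https://movies.example/lotr.jpg" />
</head></html>"""

MISLABELED_PAGE = """<html><head>
<meta property="og:title" content="The Lord of the Rings">
<meta property="og:title" content="Free prizes">
<meta property="og:type" content="movie">
<meta property="og:url" content="https://movies.example/lotr">
</head></html>"""

if __name__ == "__main__":
    for url, page in (("https://movies.example/lotr", HONEST_PAGE),
                      ("https://fan-site.example/post/1", MISLABELED_PAGE)):
        meta, findings = audit_open_graph(page, url)
        print(url, meta.get("og:title"), findings or "ok")
```

A host mismatch is not proof of abuse, since sites legitimately canonicalize URLs across their own hosts, but it is a cheap signal for deciding which self-described pages need review before their metadata is stored as a graph connection.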

Apr. 21, 2010

Posted by in Facebook | 7 comments

Pros and Cons of Today’s Facebook Announcements

Earlier today, Facebook held a developer conference called f8 and took the opportunity to announce a number of new features that impact both developers and average users. I’ve assembled a non-exhaustive list of several important changes the company described, along with a summary of each change and a quick pro/con evaluation from my perspective. I’ll be looking at these and other new features in-depth over the next several days.

The Open Graph

While Facebook has often talked about how its users’ friend relationships form a “social graph,” the company is now focused on creating a broader “open graph.” This is essentially a map of connections between people, companies, products, websites, and so on. When you list your interests and tastes on your profile, you’re helping build this structured database of links.

Pros

  • In many ways, this idea echoes the vision of a “Semantic Web” that others have outlined in the past. In fact, World Wide Web creator Tim Berners-Lee has long called for building a similar structure.
  • Facebook’s implementation includes simple ways for sites to add usable information about them, and they’ve built a simple interface for accessing data on pieces in the graph.

Cons

  • While this graph may be “open” for contribution and access, it’s definitely controlled by Facebook alone. That setup has obvious business, political, and philosophical implications, but centralized administration of such a graph has technical trade-offs as well, such as dependence on a single point of failure.
  • Facebook’s new version of the Semantic Web still carries many of the same issues as older versions, such as major privacy concerns, data poisoning, and data inconsistencies.

Universal Social Experience

In today’s keynote, Facebook CEO Mark Zuckerberg often talked about the high-level goal of enabling social experiences for users across the entire web. By combining the latest features Facebook offers, any site can bring identity and relationships into its own ecosystem.

Pros

  • Much of the information that you encounter on sites today is generic and requires that you spend time sorting or searching to make the site more relevant. With data from your part of the open graph, sites could customize and optimize in a way that’s tailor made for you, providing more relevant content right away.
  • This approach greatly reduces friction on other sites as well, since you won’t have to go through the tiresome process of setting up a new account, remembering another password, and trying to find people to connect with or useful content.

Cons

  • One person’s feature is another person’s privacy violation. However well-intentioned other sites may be, their “social experiences” can fail to recognize the value of anonymity or take into account a rightful degree of user control.
  • As others have pointed out previously, since this type of optimization often centers around your established relationships, it can create an echo chamber effect and further isolate socioeconomic or ideological groups from each other.

Instant Personalization

This is the marketing term for a feature Facebook first introduced earlier this year. The company has partnered with certain “pre-approved” websites that can now automatically identify a Facebook user at their first visit. The sites can also access what Facebook classifies as publicly available information.

Pros

  • This is a more specific example of Facebook’s vision for social experiences reducing friction. The feature is aptly named “instant,” as it basically sets up a user’s account on another site without any interaction, a behavior some may find very convenient.
  • From a privacy standpoint, Facebook has included a global opt-out under users’ application privacy settings, and clearly indicates when this sort of automatic authentication takes place with a banner at the top of the site.

Cons

  • The feature still raises a number of privacy concerns, and essentially repeats several of Google’s well-documented mistakes with the launch of Buzz. And while a full opt-out does exist, users are opted in by default. This personalization will likely be the source of many surprises and violated expectations.
  • Facebook controls who has access to the setup, and currently it’s not entirely clear how sites can become pre-approved or how much the program will expand in the future. The privacy controls also lack some clarity, as the opt-out does not cover information shared by friends who use instantly personalized sites.

Social Plugins

Any web site now has access to a range of simple tools that add Facebook features, such as “liking” a page and publishing approved stories to a user’s news feed. These widgets also replace some of the options previously offered to developers under Facebook Connect.

Pros

  • Facebook has built these plugins with ease of deployment in mind, and they drastically reduce the complexity of integrating with the service. Many developers will be pleased with the simplicity of these functions.
  • From a security perspective, Facebook’s approach also sets up a barrier between the external site and Facebook content the user sees. While the like buttons and friend pictures may seem to be simply part of the page, they actually reside in a separate data space from the rest of the page’s content until you choose to authorize access for the other site. This helps protect both the developer and you as a Facebook user.

Cons

  • In practice, the deceptive appearance just described may mislead many users into thinking that Facebook is exchanging far more data with other websites than they actually are. This will likely lead to some unwarranted panic.
  • These plugins do rely in many ways on developers providing accurate data, and it’s likely we’ll see these features abused by scam artists and distributors of malware. Currently, the plugins seem to lack certain authentications that may lead to unintended consequences.

OAuth 2.0

As part of a more streamlined development experience, Facebook has launched a technology called OAuth 2.0 for authenticating applications and websites. This replaces the proprietary model the site had been using and should once again simplify building Facebook-enhanced services.

Pros

  • This is a major validation for an open standard many companies have helped put together. Many developers will be encouraged to see Facebook choosing OAuth over a proprietary system.
  • As already mentioned, this is another way that Facebook has simplified application development. OAuth should reduce confusion over how other sites can access Facebook information.

Cons

  • While perhaps not a completely fair point, I’ll note that the use of OAuth does not diminish the threat of application-based attacks through vulnerabilities known as XSS and CSRF.
  • A number of other sites, such as Twitter, have used OAuth for some time, but this is a major roll-out of a very new version. We may see new security issues related to Facebook’s implementation.

Facebook Credits

At f8, Facebook expanded on their plans to offer a virtual currency system for application payments. Several applications are already using Facebook Credits, but we’ll likely see far more implementations in the near future.

Pros

  • Yet again, this system helps reduce friction. For developers, Facebook offers a simple way to include payments without having to worry about a number of implementation details.
  • Also, for users, virtual currency can reduce the hassle of worrying about issues such as international currency conversion.

Cons

  • Since Facebook is already facing widespread criticism over privacy issues, some users may hesitate to add credit card information to their Facebook profiles, even if it can only be accessed by Facebook.
  • This service makes Facebook a middleman in potentially millions of dollars of transactions, and could raise liability issues.

Granular Data Access

Though perhaps overlooked, Facebook made good on their promise to include more granular permissions when applications request user information. This feature comes in response to concerns raised by Canada’s Privacy Commissioner last fall. With the new setup, applications will have to individually request private profile fields when a user chooses to authorize.

Pros

  • This change will immediately provide more transparency and accountability, since users will see listed out exactly what fields an application will want access to when they authorize.
  • Many users may simply click through anyway, but the new system may raise awareness for many users who did not previously understand the range of information applications could access. Seeing a greedy list of data fields may give users pause.

Cons

  • Since announcing granular access last fall, Facebook has radically changed the definition of what constitutes “private” information. Consequently, many of the fields that might have been included in this setup are now considered “public” and thus generally outside access controls.
  • While commendable, this change may not lead to any substantial changes in practice. The model relies on developers limiting their requests, and many users will probably still want access to applications that ask for all information.

Persistent Data Storage

Until this week, applications and Facebook-enabled websites could not store most information accessed via the Facebook API beyond 24 hours. Now, Facebook has removed this time limit, meaning developers can save user data for as long as they want.

Pros

  • This change will significantly reduce overhead for both developers and Facebook, since applications will no longer have to exchange data with the service each day a user connects.
  • Users will likely see some performance gains from applications, since they can cache data locally rather than constantly checking with Facebook before rendering content.

Cons

  • Facebook applications will now be far more valuable targets for attackers. If a popular application suffers a database compromise, millions of users’ private information could be put at risk. Hacking Facebook directly tends to be difficult, but many applications lack the same level of security.
  • This increases opportunities for behavioral targeting and visitor tracking, since third-party developers will now be able to maintain complete archives of profile information.
Apr. 20, 2010

Posted by in Facebook | 1 comment

More Changes to Facebook Privacy, and More to Come

Yesterday, Facebook announced two new features: Community Pages and “connections” for certain profile information. The first combines some of the generic fan pages that have become popular over the last few months with Wikipedia articles to create a sort of social encyclopedia. I’m not entirely clear on what Facebook envisions with this feature, but it will be interesting to watch it develop.

The second feature, however, has attracted much more attention, and rightfully so. I’m again still sorting through details and have not yet seen the new connections in action, but certain parts are pretty clear. Facebook is replacing the manual lists in parts of the “info” tab on your profile with lists of fan pages you connect with. Along with the new setup, Facebook is changing the “Become a Fan” buttons to “Like” buttons. If you want to connect with a page for something you’re interested in, you now will simply “like” the page.

In a blog post, Facebook spun the connections as an exciting improvement: “Instead of just boring text, these connections are actually Pages, so your profile will become immediately more connected to the places, things and experiences that matter to you.” I can see three main reasons why Facebook would make this change, and none of them involve text being boring.

First, this helps software more easily process your interests. With textual lists, you may find titles such as these under a user’s favorite movies: “LOTR,” “Lord of the Rings,” “Lord.Of.The.Rings,” “***Lord of the Rings!***”, “i just LOVE lord of the rings so much,” etc. It’s obvious to a human that these all refer to the same trilogy of movies, but not to a computer. By essentially turning sections of your profile into database relationships, Facebook can take all of these disparate descriptions and replace them all with a link to an official Lord of the Rings page.

Second, the shift to “liking” reduces friction. The semantics may be subtle, but I’m sure Facebook has done research on this. “Liking” implies a simple, casual gesture (represented by the thumbs up icon), while “becoming a fan” or “subscribing” carries more of a commitment and desire for further interaction. I’m guessing users are far more likely to say they “like” something than “become a fan” of it, and Facebook wants users to connect and share as much as possible.

Third, this increases the useful data Facebook can offer to others. It’s likely that a large majority of Facebook’s users currently have privacy settings that only allow friends to see the “boring text” in their profiles. But since last fall’s privacy changes, connections to fan pages are now considered publicly available information. By taking the simple step of “liking” a page, users will add an easily processed connection that certain sites and applications will be able to access when visited.

Since the new setup has obvious privacy implications, Facebook added privacy controls, but unfortunately, they seem to also add further confusion. As Facebook notes, the new settings relate only to profile visibility: “You can control which friends are able to see connections listed on your profile, but you may still show up on Pages you’re connected to.” This is yet another example of Facebook making information appear to be private without actually making it private. As TechCrunch writer Jason Kincaid put it well, “In short, this section is about the data on Facebook that you can’t actually control. You can make it harder to find, and even hide it from your profile, but you can’t remove it entirely.”

Facebook stands to gain enormously from users embracing these new profile connections, and fan pages within Facebook are only the beginning. Tomorrow is f8, a developer conference hosted by Facebook, and the company will likely be introducing several new features and plans, such as adding location information to wall posts. Inside Facebook has an excellent round-up of what to expect. Several of these changes will likely have a significant impact on user privacy; I expect we’ll hear more detail about pre-approved Facebook Connect sites gaining automatic access to user data. Another item of interest will be the Open Graph API, which takes the “liking” behavior described above and extends it to any website.

That means that rather than simply say you’re a fan of Social Hacking, for instance, you could potentially “like” theharmonyguy.com. In other words, you could create a connection between your profile and a given URI (website address). That opens up many new possibilities, but once again adds significant information to your public profile.

As I said, certain details are still not clear to me; for instance, Facebook seems to have backtracked on whether your list of friends is publicly available information, and says that fan page connections will not be public for minors. I’ll certainly be watching to see what Facebook announces tomorrow, and will likely have much more to say about it in the next week or so. (In fact, I’ve been holding off on a few posts until I see how the f8 announcements will impact the issues they deal with.) I should also have shorter, quicker updates throughout the day tomorrow on my Twitter feed.
