Another privacy spat has erupted in relation to Facebook, the social networking site. It all began when the site began actively advertising everything you did you all of your friends: every time a photo was updated or a relationship status changed, everyone could see it by default, rather than having to go looking. After that, it emerged that Facebook was selling information to third parties. Now, it seems that the applications people can install are getting access to more of their information than is required for them to operate, allowing the writers of such applications to collect and sell information such as the stated hometown and sexual orientation of anyone using them.
Normally, I am in favour of mechanisms to protect privacy and sympathetic to the fact that technology makes that harder to achieve. Facebook, I think, is different. As with a personal site, everything being posted is being intentionally put into the public domain. Those who think they have privacy on Facebook are being deluded and those who act as though information posted there is private are being foolish. The company should be more open about both facts, but I think they are within their rights to sell the information they are collecting.
The best advice for Facebook users is to keep the information posted trivial, and maintain the awareness that whatever finds its way online is likely to remain in someone’s records forever.
[Update: 12 February 2008] Canada’s Privacy Comissioner has a blog. It might be interesting reading for people concerned with such matters.
I agree that people don’t have a reasonable expectation of privacy in relation to what they put on Facebook, but the company should warn them better. Something like this should be added to the registration process:
Warning: all information provided to Facebook (including photos) is willfully released into the public domain, for unlimited use by all individuals with no expectation of privacy. Information available on Facebook may be accessed by parents, teachers and administrators (including for disciplinary purposes), police, and present and future employers. Users are advised to keep this under consideration.
Of course, they may end up with a few fewer subscribers, as well as less dramatic party photos being uploaded.
How Sticky Is Membership on Facebook? Just Try Breaking Free
Some members discover it’s tough to erase all their information from the site.
Are you worried about your information staying on the Internet forever?
The technological hurdles set by Facebook have a business rationale: they allow ex-Facebookers who choose to return the ability to resurrect their accounts effortlessly. According to an e-mail message from Amy Sezak, a spokeswoman for Facebook, “Deactivated accounts mean that a user can reactivate at any time and their information will be available again just as they left it.”
But it also means that disenchanted users cannot disappear from the site without leaving footprints. Facebook’s terms of use state that “you may remove your user content from the site at any time,” but also that “you acknowledge that the company may retain archived copies of your user content.”
Its privacy policy says that after someone deactivates an account, “removed information may persist in backup copies for a reasonable period of time.”
Facebook’s Web site does not inform departing users that they must delete information from their account in order to close it fully — meaning that they may unwittingly leave anything from e-mail addresses to credit card numbers sitting on Facebook servers.
Steven Mansour, 28, a Canadian online community developer, spent two weeks in July trying to fully delete his account from Facebook. He later wrote a blog entry — including e-mail messages, diagrams and many exclamations of frustration — in a post entitled “2504 Steps to closing your Facebook account” (www.stevenmansour.com).
Social Networking and Privacy
* Never expect absolute privacy. Know what you’re getting into by reading the privacy statement and policies. Many sites allow all registered users to view all the information you post on your site with no exceptions.
* Before you join a site and post your profile, find out if you can join a closed network, where only those with an email address from your school can register, for example. Find out if the site allows others to see your profile without your consent.
* Choose the highest and most restrictive security setting available and do not give out information like your birthday, full name, phone number, Social Insurance Number or address.
* Take a second to think about what you’re posting about yourself and your friends. Is it something you would post if your professor, boss, kid sister or arch rival was standing right behind you? Even though we tend to think about our personal sites as private, in reality, many can be seen by just about anyone. Is there information about you that is embarrassing or that fraudsters could use? Remember that what you post could be online forever.
* Keep in mind that even sites with extensive privacy options may be required to make your personal information available to certain authorized persons, including law enforcement agencies. Actually, you might want to remember to call your parents regularly before they resort to checking your Facebook page for updates.
Court Demands Private Facebook Data
By kdawson on judge-is-your-new-friend
Defeat Globalism writes in with a Canadian court decision that has ordered a man suing over injuries from a car accident to answer questions about content on his private “friends only” Facebook page. “Lawyers for Janice Roman, the defendant in the lawsuit, believe information posted on John Leduc’s private Facebook site — normally accessible only to his approved ‘friends’ — may be relevant to his claim an accident in Lindsay in 2004 lessened his enjoyment of life. As a result of the ruling by Justice David Brown of Ontario’s Superior Court of Justice, Leduc must now submit to cross-examination by Roman’s lawyers about what his Facebook page contains. Brown’s Feb. 20 ruling also makes clear that lawyers must now explain to their clients ‘in appropriate cases’ that postings on Facebook or other networking sites — such as MySpace, LinkedIn and even blogs — may be relevant to allegations in a lawsuit, said Tariq Remtulla, a Toronto lawyer who has been following the issue.”
Websites ‘keeping deleted photos’
User photographs can still be found on many social networking sites even after people have deleted them, Cambridge University researchers have said.
They put photos on 16 popular websites – noting the web addresses where the images were stored – and deleted them.
School newspaper archives go online, embarrassing student writing and shenanigans become permanent record
By Cory Doctorow
Here’s the latest privacy rupture: old school newspaper archives are showing up online, getting indexed, and becoming part of the permanent googlable record for the people who wrote for them and the people who appeared in them. This is the latest installment in an ongoing story — for example, when DejaNews (now Google Groups) put Usenet’s archives online, the material we thought we’d written in a no-archive medium became part of our googlable past. Soon, face-recognition will put names on every photo on the web, and then, look out!
Rape Fantasies and Hygiene By State
June 25th, 2009
For OkCupid’s inaugural blog post, I’ve picked a few match questions and will be showing you some cool graphs. Graphs you’ll never find elsewhere.
But first, a reminder: OkCupid match questions are written by OkCupid users, not by staff. The community writes the questions, and our software simply asks them. Good questions climb to the top, and new users are asked to answer these first. By “good” I mean people (1) disagree over them and (2) feel strongly about them. God and sex are hot topics, as you’d expect. So are dating expectations, personal politics, and habits.
And a word about statistical validity: the best questions on OkCupid have been answered over a million times. Therefore we have unique insights into the American mindset.
Technology: Facebook App Exposes Abject Insecurity
“Back in June, the American Civil Liberties Union published an article describing Facebook’s complete lack of meaningful security on your and your friends’ information. The article went virtually unnoticed. Now, a developer has written a Facebook ‘Quiz’ based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What’s more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they’re running can see, too. It is unclear whether the developer of the Facebook app did so ‘officially’ for the ACLU.”
Facebook agrees to privacy changes
‘We’re satisfied that, with these changes, Facebook is on the way to meeting the requirements of Canada’s privacy law,’ Privacy Commissioner says
Karim Bardeesy and Bill Curry
Last updated on Thursday, Aug. 27, 2009 10:22AM EDT
Privacy Commissioner Jennifer Stoddart says Facebook has agreed to changes that will bring the social networking site into compliance with Canadian law.
In a press conference, Ms. Stoddart said Facebook, among other pledges, has agreed to new features that will prevent software developers who create games and quizzes from accessiong person information.
“This is an extremely important change,” said Ms. Stoddart.
“I would like to thank Facebook for its co-operation throughout this investigation.”
Facebook will provide new notifications for users, additions to its privacy policy, and technical changes in response to concerns flagged by the privacy commissioner.
“We’re satisfied that, with these changes, Facebook is on the way to meeting the requirements of Canada’s privacy law,” Ms. Stoddart said.
Facebook will make the changes over the next 12 months, and work on them will begin immediately.
Privacy and Facebook
By Colin McKay on Private Organizations
As you may have noticed, we held a news conference this morning to announce further progress in our investigation into the privacy practices at Facebook. Our news release is now available, as is Facebook’s.
The changes proposed by Facebook will make it easier for users to make clear and informed decisions about how to share their personal information within the popular social networking site – and with whom.
Importantly, Facebook has announced that it will be making changes to its API. These changes will, effectively, force developers to acknowledge what pieces of information they would like to access in your profile, and why. The changes will also give each user the opportunity to deny an application access to that piece of information.
PallTech churns through hundreds of databases — collections of private and public records — and spits out up to 300 pages of investigative fodder like addresses, relatives’ names, and aliases. It also enables elaborate combinations of searches, based on, say, a first name and month of birth. All of which helps investigators exploit the most common error made by people starting over: using details from their old lives in their new lives as a way to help keep things straight. “Whether it’s transposing your social security number, your date of birth, or the letters of your name — that’s the quickest way you’re going to get found,” says Robert Kowalkowski, a Michigan-based investigator.
People trying to outrun their old identities have to reckon not just with the data collected about them but also with whatever facts they’ve revealed about themselves. Facebook, MySpace, and Twitter are an investigator’s gold mine, containing everything from your address books and photos (and, for a tech-savvy investigator like Rambam, what camera they were taken with) to your hobbies and favorite bars. A social profile that once would’ve taken an investigator weeks of on-the-ground work to build is a few clicks away. Minimal search-engine acumen — or an undercover account on a social networking site — can turn up a collection of friends for investigators to target, even if an online account is marked “private.”
Generally, investigators work by building a profile of the person they are hunting and then waiting to capitalize on typical human frailties — poor memory, vanity, a craving for social contact. A few years ago, an investigator named Philip Klein was hired by Dateline NBC to locate Patrick McDermott, a onetime Hollywood cameraman who also happened to be Olivia Newton-John’s former partner. McDermott had disappeared from a fishing boat in the Pacific, and the authorities presumed him dead. Early on, Klein likewise turned up only the vaguest hints that McDermott could be alive. “This was the ultimate walk-away,” Klein says.
Smokescreen privacy game uses fun missions to show kids how data on social services can be used against them
By Cory Doctorow on privacy
Smokescreen is a privacy game for kids, it runs them through a series of clever online missions that serve to explain how information disclosed on social sites like Facebook can come back and bite you in the ass
MIT Project “Gaydar” Shakes Privacy Assumptions
“At MIT, an experiment that identifies which students are gay is raising new questions about online privacy. Using data from Facebook, two students in an MIT class on ethics and law on the electronic frontier made a striking discovery: just by looking at a person’s online friends, they could predict whether the person was gay. The project, given the name ‘Gaydar’ by the students, is part of the fast-moving field of social network analysis, which examines what the connections between people can tell us, from predicting who might be a terrorist to the likelihood a person is happy, fat, liberal, or conservative.” MIT professor Hal Abelson, who co-taught the course, is quoted: “That pulls the rug out from a whole policy and technology perspective that the point is to give you control over your information — because you don’t have control over your information.”
Private lives of public servants becoming an issue: Public Service Commission
By Kathryn May, Ottawa Citizen
October 8, 2009
OTTAWA — The case of a young Privy Council Office bureaucrat who admitted on Facebook to be being a Liberal supporter shows how the blurring lines between private and professional lives are testing the century-old convention of a non-partisan public service, says the government’s staffing watchdog.
Maria Barbados, president of the Public Service Commission concluded the young Privy Council Office analyst who posted his support for the Liberal party had crossed the line with “improper political activity,” but found no evidence that this affected the ability to do his job.
How To Spam Facebook Like A Pro: An Insider’s Confession
In June 2007, Facebook opened up their application developer platform so that anyone could build games on top of the social network. By having access to user data, game developers could instantly make engaging, viral games. Rate who is hottest among your friends, share quizzes, race cars, grow vegetables, and so forth – all with a click of a button. Users in one click gave the game permission to access their profile data and they didn’t think twice about it.
Facebook hadn’t consider what was possible when the game developer passed on user name, profile picture, and personal details on to an advertiser – and the kind of deceptive ads that were possible.
…
But the perfect storm being able to dynamically insert user data into an ad, disguising the ad to seem like part of the application, lack of enforcement by the social networks, and billing the parents’ cell phone – well, it’s no secret what happens next.
…
I finally came to this realization: People on Facebook won’t pay for anything. They don’t have credit cards, they don’t want credit cards, and they are not interested in shopping. But you can trick them into doing one of three things:
* Download a toolbar: It could be spyware (such as Zango) or something more legitimate, such as Webfetti or Zwinkys.
* Give up their email address: You’ve won a “free” camera or perhaps you’ve been selected as a tester for a new Macbook Pro (which you get to keep at the end of the test). Just tell us where you want us to ship it.
* Give up their phone number: You took the IQ Quiz, so give us your phone number and we’ll tell you your score. Never mind that you’ll get billed $20 a month or perhaps be tricked into inviting 10 other friends to beat your score.
Privacy Violations by Facebook Employees
By Bruce Schneier
Employee: See, the thing is — and I don’t know how much you know about it — it’s all stored in a database on the backend. Literally everything. Your messages are stored in a database, whether deleted or not. So we can just query the database, and easily look at it without every logging into your account. That’s what most people don’t understand.
The decision to share contact lists automatically through Google Buzz strikes me as a huge mistake, from the perspective of privacy. There are all sorts of valid reasons for which we might not want all of our friends knowing everybody else who we communicate with. We need to be able to sub-divide our lives, and it was inappropriate of Google to smash down barriers without warning.
That said, it is a reminder that whatever you put online is at risk of being made public without you having any say in it. Email is, for me at least, my inner sanctum online, so it is frightening to see how easily it can be opened up.
Anger Leads to Apology From Google About Buzz
By MIGUEL HELFT
Published: February 14, 2010
Google moved quickly over the weekend to try to contain mounting criticism of Buzz, its social network, apologizing to users for features that were widely seen as endangering privacy and announcing product changes to address those concerns.
Todd Jackson, product manager for Gmail and Google Buzz, wrote in a blog post on Saturday that Google had decided to alter one of the most-criticized features in Buzz: the ready-made circle of friends the service provided to new users based on their most frequent e-mail and chat contacts in Gmail. Instead of automatically connecting people, Buzz will in the future merely suggest to new users a group of people they may want to follow or be followed by, he said.
Mr. Jackson, who said that the auto-follow feature had been intended to make it easy for people to get started on Buzz, acknowledged the criticism that was heaped on Google in the last few days.
“We’re very sorry for the concern we’ve caused and have been working hard ever since to improve things based on your feedback,” Mr. Jackson wrote. “We’ll continue to do so.”
Website exposes embarrassing Facebook posts
TORONTO — Some Facebook users are learning a tough lesson about the importance of privacy settings.
A new website is exposing embarrassing Facebook messages posted by users, who probably don’t realize their privacy settings are turned off.
The website FacebookSearch http://youropenbook.org/ includes posts with people brazenly admitting to playing hooky from work.
Others pull no punches in making fun of their bosses. And some are of a very personal nature, falling into the category of too much information.
The founders of the site say they have no malicious intentions. They simply hope to show naive Facebook users that there are very real consequences to not guarding their privacy online.
Facebook warned it’s not in compliance
Canadian Privacy Commissioner says new settings still require disclosure of names, profile information, pictures, gender and networks
Jacquie McNish and Omar El Akkad
Globe and Mail Update Published on Wednesday, May. 26, 2010 7:04PM EDT Last updated on Thursday, May. 27, 2010 8:34AM EDT
Canada’s Office of the Privacy Commissioner warned that Facebook is not complying with federal privacy laws despite major fixes unveiled Wednesday that give users more control over how their data is shared on the sprawling social media network.
“They have dialed it back a bit in terms of openness, but we don’t think they have gone far enough … we don’t think users are comfortable,” said Elizabeth Denham, Assistant Commissioner. Ms. Denham oversaw an investigation into Facebook’s privacy practices that led to a ground breaking settlement with the Palo Alta, Calif.-based company last year.
Under terms of the settlement, Facebook agreed to comply with Canada’s privacy laws by giving Canadian users full control over how their data is shared and used by outside companies. The social media giant fine-tuned its privacy settings last year in response to the Canadian probe and the regulator gave the social media giant until August to introduce other protections.
“I make $100,000 a year.”
REALITY: People are 20% poorer than they say they are.
Apparently, an online dater’s imagination is the best performing mutual fund of the last 10 years.
…
We did a little investigating as to whether a person’s stated income had any real effect on his or her online dating experience. Unsurprisingly, we found that it matters a lot, particularly for men.
…
These bold colors contain a subtle message: if you’re a young guy and don’t make much money, cool. If you’re 23 or older and don’t make much money, go die in a fire. It’s not hard to see where the incentive to exaggerate comes from.
Your Rights Online: Facebook Adds Delete Account Option
“Facebook have quietly added the ability to delete you account. ‘Deactivate Account’, under Account Setting, has become ‘Deactivate or Delete Account’, and when checked it purports to permanently delete your account and all information you have shared. Facebook is actually willing to erase your data permanently? They must be counting on very few people doing so.”
100 Million Facebook Pages Leaked On Torrent Site
“A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site. The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook’s open access directory, which lists all users who haven’t bothered to change their privacy settings to make their pages unavailable to search engines.”
“Below is my taxonomy of social networking data, which I first presented at the Internet Governance Forum meeting last November, and again — revised — at an OECD workshop on the role of Internet intermediaries in June.
* Service data is the data you give to a social networking site in order to use it. Such data might include your legal name, your age, and your credit-card number.
* Disclosed data is what you post on your own pages: blog entries, photographs, messages, comments, and so on.
* Entrusted data is what you post on other people’s pages. It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data once you post it — another user does.
* Incidental data is what other people post about you: a paragraph about you that someone else writes, a picture of you that someone else takes and posts. Again, it’s basically the same stuff as disclosed data, but the difference is that you don’t have control over it, and you didn’t create it in the first place.
* Behavioral data is data the site collects about your habits by recording what you do and who you do it with. It might include games you play, topics you write about, news articles you access (and what that says about your political leanings), and so on.
* Derived data is data about you that is derived from all the other data. For example, if 80 percent of your friends self-identify as gay, you’re likely gay yourself.
There are other ways to look at user data. Some of it you give to the social networking site in confidence, expecting the site to safeguard the data. Some of it you publish openly and others use it to find you. And some of it you share only within an enumerated circle of other users. At the receiving end, social networking sites can monetize all of it: generally by selling targeted advertising.”
Monitoring Employees’ Online Behavior
By Bruce Schneier
Not their online behavior at work, but their online behavior in life.
“Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and “thousands of other sources,” the company develops a report on the “real you” — not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around.
[…]
The reports feature a visual snapshot of what kind of person you are, evaluating you in categories like “Poor Judgment,” “Gangs,” “Drugs and Drug Lingo” and “Demonstrating Potentially Violent Behavior.” The company mines for rich nuggets of raw sewage in the form of racy photos, unguarded commentary about drugs and alcohol and much more.
The company also offers a separate Social Intelligence Monitoring service to watch the personal activity of existing employees on an ongoing basis…. The service provides real-time notification alerts, so presumably the moment your old college buddy tags an old photo of you naked, drunk and armed on Facebook, the boss gets a text message with a link.”
This is being sold using fear:
“…company spokespeople emphasize liability. What happens if one of your employees freaks out, comes to work and starts threatening coworkers with a samurai sword? You’ll be held responsible because all of the signs of such behavior were clear for all to see on public Facebook pages. That’s why you should scan every prospective hire and run continued scans on every existing employee.
In other words, they make the case that now that people use social networks, companies will be expected (by shareholders, etc.) to monitor those services and protect the company from lawsuits, damage to reputation, and other harm.”
“Facebook founder Mark Zuckerberg famously said that the age of privacy is over. And the government wants to ensure that, it seems. The Electronic Frontier Foundation’s FOIA request has revealed government memos encouraging agents to befriend people on a variety of social networks, to take advantage of their readiness to share — and to spy on them. Thanks to this request, the government released a handful of documents, including a May 2008 memo detailing how social-networking sites are exploited by the Office of Fraud Detection and National Security (FDNS), and one revealing how the DHS monitored social media during the Obama inauguration.”
Via John Scalzi
Cisco this week unveiled software designed to let companies track customers and prospects on social media networks like Twitter, Facebook, blogs and other public forums and sites. Cisco SocialMiner allows users to monitor status updates, forum posts and blogs of customers so they can be alerted of conversations related to their brand. The software is designed to not only enable enterprises to monitor the conversations of their customers but to engage those that require service, Cisco says.
Data protectionism
Serfing the web
A small spat highlights a big issue: who owns your online identity?
Nov 11th 2010 | SAN FRANCISCO | from PRINT EDITION
SUCH is Facebook’s attraction these days that even Britain’s monarch has finally joined the 500m-plus users of the online social network. On November 8th Queen Elizabeth II launched a Facebook page to publicise the royal family’s doings. Within a day, it had attracted almost 200,000 “likes” from around the world plus messages such as “Hello Liz xxx”. But it had also turned into a forum for an acrimonious slanging match between supporters of the monarchy and its critics.
Buckingham Palace says that the Queen’s e-mail address, if she has one, is secret. But it will not end in gmail.com. That will spare her from another wrangle—a kind of digital trade war. On November 5th Google introduced a technical change that blocks its e-mail users from automatically transferring their electronic address book in one lump when they set up a Facebook account. It is part of Google’s efforts to defend its dominance of the internet from Facebook’s growing challenge (as is Google’s announcement this week giving all its 23,000 employees a 10% pay rise and a $1,000 bonus, which is an attempt to halt defections to Facebook).
Both Google and Facebook are run like absolute monarchies in which hundreds of millions of users (digital serfs, some might say) have created identities. Rather like mercantilist countries in the offline realm, both companies operate policies to protect this asset.
“A researcher from a Dutch university is warning that Facebook’s ‘Like This’ button is watching your every move. Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not. Roosendaal says that Facebook’s tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the ‘Like This’ button and Facebook Connect.”
Privacy laws
Private data, public rules
The world’s biggest internet markets are planning laws to protect personal data. But their approaches differ wildly
FIRST came the yodelling, then the pain. The online entrepreneurs and venture capitalists at DLD, a geeks’ shindig this month in Munich, barely had time to recover from their traditional Bavarian entertainment before Viviane Reding, the European Union’s justice commissioner, introduced a new privacy regulation. Ms Reding termed personal data the “currency” of the digital economy. “And like any currency it needs stability and trust,” Ms Reding told the assembled digerati.
The EU’s effort (formally published on January 25th) is part of a global government crackdown on the commercial use of personal information. A White House report, out soon, is expected to advocate a consumer-privacy law. China has issued several draft guidelines on the issue and India has a privacy bill in the works. But their approaches differ dramatically. As data whizz across borders, creating workable rules for business out of varying national standards will be hard.