Identity / Profiles / Trust

For those who even now still think Facebook is a benign thing, comes this article:

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information -- home town, schools attended, employment history -- and can use the data in ways that could harm or annoy users.

"Everything requires you to give access to personal information or it forces you to ask your friends to do the same -- it becomes a real nuisance," said David Dixon, 40, an information technology consultant in Columbia who recently deleted most of the applications he had downloaded to his Facebook profile after reading on a blog that developers may have access to his information. "Why does a Sudoku puzzle have to know I have two kids? Why does a postcard need to know where I went to college?"

Not that its just Facebook of course - datamining is the raison d'etre of many a Net business and nearly every social net, especially now that its clear straightforward advertising isn't the route to riches.

But its June 2008 and these sort of articles still hit the front page of Techmeme. This is hardly new news, but it seems we forget things so quickly. Still, its now hitting the Washington Post rather than the Tech Blogosphere. so that must be getting the news out to a wider audience.

A group of law students went through the Facebook system and found that it broke the Canadian privacy code in many places, notes Ars Tech:

Facebook's policies and practices were analyzed by a "team of law students" over the winter, resulting in their discovery of what they believe to be numerous violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Some of the issues raised in the complaint are a little benign: for example, CIPPIC takes issue with the fact that all of a user's friends can see Wall posts (comments) left by other friends, and that it's not easy to simply delete all Wall posts with a single click. Other issues, however, are more serious, like a user's inability to easily delete his or her account and all the data associated with it.

We don't know of any study thats been done in the UK or EU but we suspect a similar situation would occur, from the working knowledge of UK data protection law we have. Any student legal teams fancy doing this as a project?

Maybe a Facebook group could be set up to co-ordinate it

It never ceases to amaze me how little people know about how much their privacy is being abused in closed worlds online - today CNet notes that many US companies spy on their own employees communication.

A new survey finds that 41 percent of large companies (those with 20,000 or more employees) are paying staffers to read or otherwise analyze the contents of employees' outbound e-mail.

In the study, which was commissioned by e-mail security provider Proofpoint and conducted by Forrester Research, 44 percent of the companies surveyed said they investigated an e-mail leak of confidential data in the past year and 26 percent said they fired an employee for violating e-mail policies, according to security portal Help Net Security.

Its an open story in the industry fer crying out loud - there are social network analysis companies making a living selling packages to analyse emails, draw up social graphs, define behaviours etc. What makes people think for a second that its only Facebook up to these stunts? And this just joins the ranks of surveillance tools like CCTV etc.

In Europe, because of our data protection laws it is (theoretically) illegal to analyse our emails etc, but if I were employed by a US outfit I'd make sure they are aware, just in case.

I read two interesting articles today, both on companies adjudicating the content of messaging:

Firstly, this story on Search Engine Land about Google maybe interdicting false linkbait stories, Matt Cutts saying:

My quick take is that Google's webmaster guidelines allow for cases such as this: "Google may respond negatively to other misleading practices not listed here (e.g. tricking users by registering misspellings of well-known websites). It's not safe to assume that just because a specific deceptive technique isn't included on this page, Google approves of it."

There's not much more deceptive or misleading than a fake story without any disclosure that the story is hoax.

Secondly, Facebook looking at censoring user messaging:

If you ever get the itch to use the word "yuwie" or perhaps make reference to "wadja.com" - don't bother. "Some of the content you included in this message is not allowed by Facebook," is the message you'll get in response. Both of the above are small social networks, but you can't even send a message about how something disgusting (like yuwie.com's site design) made you say "yuwie, that smells bad!" On principle, the whole thing stinks.

Obscenity isn't blocked by Facebook, I was able to send a message that said "John McCain is a f*cking Nazi" (asterisk free) with no problem.

(Wadja etc are Facebook competitors - f*cking Nazis are not)

Google is trying to be helpful, though it may be in real danger of getting the law of unintended consequences applying. Facebook is just being Facebook - Umair Haque would argue their DNA just started evil, no doubt.

The thing that interests me more about these happy groovy "Web 2.0" players is that they are even considering message interdiction - the "Web 0" usenet, and Web 1.0 tools (email, IM) by and large did not. Clearly though, there is something now in the Zeitgeist and that is concerning to anyone interested in user privacy and other rights

Update - here is another interdiction call - a woman who has been called nasty names and had identity details "outed" on Twitter wants to get her "stalker" banned from the service. Twitter had a look at the person's behaviour and its terms of service, and decided this was not its problem.

I think Twitter are right - this is another case where doing the politically correct / expedient / nice thing - interdicting the nasty-person - is probably the wrong thing to do big picture as it sets a dangerous precedent for the rights of all users. There have always been a**holes on the internet, and the "social net" means that most people - inadvisably in our view - have put more data about themselves on it than they should. I suspect we will see more and more of this on Social Networks as opponents, jilted lovers etc trawl the archives to expose your digital detritus. (Incidentally I see that the complainant also works for a Twitter competitor - hmmmmm )

A friend asked me which was the best system for posting from Twitter to blogs, I hadn't tried out any so initially set up the Twitter one, that posted friends' feeds to the RH side of this blog. It works very well.

But I've taken it down.

I didn't like 2 things about it:

(i) It posted people's real names, not their Twitter handles

(ii) It posted stuff from people who had asked that their posts be kept private and visible only to their friends.

Its an interesting lesson in privacy - just because you set certain privacy rules in one social network it does not mean that those rules will be kept once data is exported.

When we looked at how to avoid Phorm phishing our digital footprint, we thought the obvious way was to generate "white noise" - ie a whole lot of spurious behaviour that masked our real behaviour - we looked at using the Dogpile live search feed to throw back into the system for example.

(FYI - Dogpile is my default search engine, has been for 8 years - it searches all the others and You Know Who knows less about me that way)

It looks like others have had a similar idea, notes El Reg:

Coding activists have developed an application designed to confound Phorm's controversial behaviour-tracking software by simulating random web-browsing.

The folks behind AntiPhormLite says this means actual browsing habits are buried in noise. The app, which is available free of charge, is designed to poison the anonymised click stream Phorm collects with meaningless junk, thereby (at least in theory) undermining its business model.

Like with killing popups, the Web will find a way - I expect it to be automatic in browsers within months. How that will impact Phorm's "interesting" public valuation I don't know, but I guess we will find out in fairly short order......

The Register points to the "makeover" Phorm has been giving itself on Wikipedia:

Phorm has admitted that it deleted key factual parts of the Wikipedia article about the huge controversy fired by its advertising profiling deals with BT, Virgin Media and Carphone Warehouse.

The tracking and ad targeting firm said in an email: "We wanted to clarify a number of inaccuracies in the Wikipedia entry on Phorm."

As El Reg notes, this desperate want has led to practices which are actually violations of Wikipedia practice, never mind telling porkies....

The spokesman said Phorm's PR team had not been aware of Wikipedia's policy on conflicts of interest. Among many other rules they violated, it states: "Producing promotional articles for Wikipedia on behalf of clients is strictly prohibited."

A BT representative meanwhile wrote in an email: "I don't see anything wrong with correcting Wikipedia articles about your own company or services."

However, the edits made by Phorm included silencing factual primary information, that has been acknowledged as correct by the parties involved.

I thought Wikipaedia was also violated if you wrote about yourself on it - clearly Corporates think they run on different rules?

This was fairly high profile, given Phorms' prior form, but one wonders how Wikipedia will deal with the daily drip drip drip of PR attacks. In the great fight between enthusiastic amateurs vs paid professionals, at some point amateurs usually run out of time, money or energy. One can only hope Clay Shirky is right, and enough Everybody's continue to come along to put things right.

Update - friend pointed me to this article with video debates on Wikipedia, including arch chatterati hate figure Andrew Keen Addresses some of the issues covered above.

If imitation is the sincerest form of flattery, then cutting someone else's work and pasting it on your own blog is downright adulation - this is a fascinating piece of analysis by Louis Gray, shows what is possible with crunching Social Network data.

The new company profiles on LinkedIn are a gold mine for reporters who want to get data beyond what the PR guys may want to dish out. (See: LinkedIn Is a Paradise for Smart Reporters)

Want the average age of an employee? A good estimate is on LinkedIn. Want to know if there is a high level of turnover, and people don't stay long? LinkedIn has that too. It also can provide hints as to whether a company is so strong that folks aren't leaving at all, or if they are leaving in exodus. And if you peer closely enough, you can see the Silicon Valley carousel, as employees move from company to company in search for the next big thing.

You can see employees move from PayPal to Google, Yahoo! or LinkedIn. You can see Friendster employees went to Yahoo! and Zazzle, or from Napster to Apple, Yahoo!, Microsoft and Google. And if you think Google is getting all the good employees out there, there's no question they get their share, but so far, it looks like Facebook is getting a lot of new hires, and nobody's leaving - a boomtime for the social networking giant.

Interestingly, due to Apple's tenure, and the company's rising from the ashes with the return of Steve Jobs, you can see employees that once left the company have returned, having never lost the Mac religion.

Check out the diagrams on Louis' blog. The thoughts Pandora and Box come to mind................

Data portability has been climbing the Tech Buzztrends for awhile, but this BBC note from Sir Tim Berners Lee implies to me that we need to get the privacy horses sorted out before the portability coach is harnessed up:

Sir Tim said he did not want his ISP to track which websites he visited.

"I want to know if I look up a whole lot of books about some form of cancer that that's not going to get to my insurance company and I'm going to find my insurance premium is going to go up by 5% because they've figured I'm looking at those books," he said.

Sir Tim said his data and web history belonged to him.

He said: "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return."

This is probably my main interest area in the development of VRM - my data has a value, and I'm damned if the Internet is going to be a system that extracts it from me without some benefit. And long before I am worried about its portability, I want some guarantees as to its privacy. In particular, Sir Tim was worried about Phorm, a company which tracks web activity to create personalised adverts - the BBC says that its:

...system offers security benefits which will warn users about potential phishing sites - websites which attempt to con users into handing over personal data.

The advertising system created by Phorm highlights a growing trend for online advertising tools - using personal data and web habits to target advertising.

In our view the best way for the ISP-level Web to go is as a neutral supplier of service, as Sir Tim notes:

"I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn't control which websites I go to, it doesn't monitor which websites I go to."

More worryingly for us, it looks like our ISP, BT, has signed up for Phorm. The thing is, I am already paying for my ISP connection, I really, really don't want advertising models on a paid-for service.

Well, we objected strenuously to Facebook Beacon, and are now no longer on that site. Rest assured we shall evacuate any provider that tries to foist Beacon, or Phorm, or whatever comes next, on us.

Update - I've just found out that there is an e-petition against Phorm, over here.

Update II - I am seriously enjoying the Slashdot discussion on this

Update III - the FIPR have written a letter to the Information Commissioner alleging this is illegal.

The reason we got interested in VRM initially was a project we were working on awhile ago which we called "white label Identity" - we were getting increasingly worried about just how much the search engines and consumer sites were able to glean from your digital footprint.

The idea was to have a service that knew who you were, so it could authenticate you, and it then represented you - and many others - in your cruisn round the web. So Google et al don't see you, Jo/e Sixpack, with your surfing history and credit card number, but instead see an aggregated identity doing many different things, and when you want to spend money the White Label just says "yup, I'm up for that - charge it"

Anyway, I was reminded of that when I read this paper on "Identity Escrow" - its a much catchier term for what we were looking at (the skill with many of these "old wine" ideas is the correct labelling of the new bottle methinks

Now, at the time, when we tested the idea the two things that came back instantly were:

(i) A lot of people would immediately want to be very certain it wasn't being used for money laundering etc, so the entity running it would probably have to be fairly well regulated to be trusted (or set up in the Cayman Islands - hmmmm...). In Europe anyway, national Telcos emerged as trusted parties for this service, banks at a push, HM Gov (before the disks fiasco), but certainly not dodgy startups.

(ii) At the time (c 3 years ago) the rank and file out there couldn't give a toss about security anyway and wouldn't pay tuppence ha'penny for it - and to be honest, looking at the collective "So?" that has greeted the revelations about Facebook Beacon etc, I'm not sure its much better now

Anyway, we wrote the report, took the money, and went off to fields anew - However, I do note that towards the end of last year and since, there have been increasing rumblings, and the emergence of stuff like VRM makes me think this is an area whose time is coming.