Boing Boing 

Facebook "flaw" lets anyone see your private photos

From CNET's Zack Whittaker: "features in Facebook give users access to personal, private and hidden photos that would normally be hidden from view. The flaw, spotted by members of a body building forum, no less, allows Facebook users to access photos revealed by the report abuse tool."

Anil Dash: Facebook attacks the open Web, becomes a badware site


Anil Dash examines Facebook's latest navigational practices, which go beyond making a walled garden of its own content and begin to attack the open Web, including websites that incorporate Facebook's technology. Dash concludes that Facebook now meets the formal definition of a "badware" site -- the sites that generate those "Warning! This site may harm your computer" interstitial pages when you visit them -- and calls on browser vendors and Google to start displaying these warnings when users visit Facebook.

Now, we've shown that Facebook promotes captive content on its network ahead of content on the web, prohibits users from bringing open content into their network, warns users not to visit web content, and places obstacles in front of visits to web sites even if they've embraced Facebook's technologies and registered in Facebook's centralized database of sites on the web...

I believe [StopBadware's malware definition] description clearly describes Facebook's behavior, and strongly urge Stop Badware partners such as Google (whose Safe Browsing service is also used by Mozilla and Apple), as well as Microsoft's similar SmartScreen filter, to warn web users when visiting Facebook. Given that Facebook is consistently misleading users about the nature of web links that they visit and placing barriers to web sites being able to be visited through ordinary web links on their network, this seems an appropriate and necessary remedy for their behavior.

Facebook is gaslighting the web. We can fix it. (via O'Reilly Radar)

danah boyd on a nuanced understanding of privacy in the networked age

Sociologist danah boyd has posted her responses to a Wall Street Journal debate on privacy that included Stewart Baker, Jeff Jarvis, and Chris Soghoian. Boyd's responses are nuanced, evidence-based, and humane, and get well past the "privacy is dead" and "kids don't care about privacy, or they wouldn't be using Facebook" simplifications. As ever, she is required reading for anyone who wants to know what's going on beyond the superficial debate.

People should – and do – care deeply about privacy. But privacy is not simply the control of information. Rather, privacy is the ability to assert control over a social situation. This requires that people have agency in their environment and that they are able to understand any given social situation so as to adjust how they present themselves and determine what information they share. Privacy violations occur when people have their agency undermined or lack relevant information in a social setting that’s needed to act or adjust accordingly. Privacy is not protected by complex privacy settings that create what Alessandro Acquisti calls “the illusion of control.” Rather, it’s protected when people are able to fully understand the social environment in which they are operating and have the protections necessary to maintain agency...

I think that positioning privacy and public-ness in opposition is a false dichotomy. People want privacy *and* they want to be able to participate in public. This is why I think it’s important to emphasize that privacy is not about controlling information, but about having agency and the ability to control a social situation. People want to share and they gain a lot from sharing. But that’s different than saying that people want to be exposed by others. Agency matters.

From my perspective, protecting privacy is about making certain that people have the agency they need to make informed decisions about how they engage in public. I do not think that we’ve done enough here. That said, I am opposed to approaches that protect people by disempowering them or by taking away their agency. I want to see approaches that force powerful entities to be transparent about their data practices. And I want to see approaches that put restrictions on how data can be used to harm people. For example, people should have the ability to share their medical experiences without being afraid of losing their health insurance. The answer is not to silence consumers from sharing their experiences, but rather to limit what insurers can do with information that they can access.

Debating Privacy in a Networked World for the WSJ

Scathing critique of "social" sites: "The Social Graph is Neither"


Maciej Ceglowski's "The Social Graph is Neither" is a scathing, spot-on critique of the deceptive and seductive simplicity of "social graphs" which purport to represent human interaction and relations through mathematical modelling. As with many "semantic web" projects, social networks can only achieve any kind of usable scale and coherence by simplifying the relationships they model to the point of triviality.

One big sticking point is privacy. Do I really want to find out that my pastor and I share the same dominatrix? If not, then who is going to be in charge of maintaining all the access control lists for every node and edge so that some information is not shared? You can either have a decentralized, communally owned social graph (like Fitzpatrick envisioned) or good privacy controls, but not the two together.

There's another fundamental problem in that a graph is a static thing, with no concept of time. Real life relationships are a shared history, but in the social graph they're just a single connection. My friend from ten years ago has the same relationship to me as the friend I dined with yesterday. You're left with forcing people (or their software) to maintain lists like 'Recent Contacts' because there is no place in the model to fit this information.

"No problem," says Poindexter. "We'll add a time series of state transitions and exponentially decaying edge weights, model group dynamics as directional flows, and pass a context object in with each query..." and around we go.

This obsession with modeling has led us into a social version of the Uncanny Valley, that weird phenomenon from computer graphics where the more faithfully you try to represent something human, the creepier it becomes. As the model becomes more expressive, we really start to notice the places where it fails.

Personally, I think finding an adequate data model for the totality of interpersonal connections is an AI-hard problem. But even if you disagree, it's clear that a plain old graph is not going to cut it.

Pinboard Blog (via O'Reilly Radar)

(Image: Map of top 50 UK PR twitter people and their followers, a Creative Commons Attribution Share-Alike (2.0) image from porternovelli's photostream)

Tunisia recognizes the American Transitional National Council

Tunisian Facebook users have plastered Obama's Facebook page with thousands of messages in support of the Occupy movement:

Among the comments, Tunisian Facebook users circulated “Arab Spring” jokes, such as: “Tunisia is the first country to recognize the American Transitional National Council,” referring to the revolutionary upheaval in Libya and the global recognition of the Libyan transitional council.

The Facebook users described it as a “virtual surprise attack” on. Many of the recent entries on his 2012 presidential campaign page were bombarded with as many as 20,000 comments each.

“Tunisian people are calling the U.S. authorities to respect freedom of expression and not to resort repression and assault on the rights of American citizens,” read one comment, which was reposted by several users.

Another comment read: “Tunisian people denounce violations against the American people by the security forces, which affect the freedom of expression.”

Tunisians poke fun at Obama in assault on his Facebook page

(Image: Occupy Philadelphia || Oct 6, 2011, a Creative Commons Attribution (2.0) image from janeanger's photostream)

EU vs Facebook: Facebook's dossiers on Europeans breach EU privacy laws

An Austrian student has kicked off a movement that pits EU privacy rules against Facebook's data collection practices. Max Schrems requested a copy of the data Facebook had collected on him (which Facebook is required to provide under EU law) and found himself with more than 1,000 pages of data that demonstrated several clear breaches of EU privacy laws. Kim Cameron has a good writeup on the ensuing complaints that Schrems filed:

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That’s how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection. He argues that the record Facebook provided him finds them to be in flagrante delicto.

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary). This was followed by another perfectly executed move: setting up a web site called Europe versus Facebook that does everything right in terms of using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD. Somehow this recipe found its way to reddit where it ended up on a couple of top ten lists. So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

Facebook's misleading "log out" button and the future of privacy legislation

The Electronic Frontier Foundation's Activism Director Rainey Reitman has an in-depth analysis of how Facebook continues to track its users even after they've taken several affirmative steps to log out of the service, and how this may interact with eventual privacy legislation.

This newest privacy snafu could prod legislators into moving on one of the many online privacy bills that have been introduced this year. Users’ unease with the quickly-evolving technical capabilities of companies to track users, combined with the abstruse ways in which that data can be collected (from social widgets to super cookies to fingerprinting), has resulted in a growing user demand to have Congress provide legal safeguards for individual privacy when using the Internet.

Unsurprisingly, Facebook hopes that its brand of data collection through ‘like’ buttons won’t be subject to federal regulation. According to AdAge, Facebook sent an “army of lawyers” to Washington to convince Senators McCain and Kerry to carve out exceptions to their recently introduced privacy bill so that Facebook could track their users via social widgets on other sites (dubbed the "Facebook loophole"). But while Kerry and McCain may have acquiesced to Facebook's requests, Senator Rockefeller did not. He introduced legislation that would empower the FTC to create rules around how best to protect users online from pervasive online tracking by third parties.

Facebook seems keen to influence future legislation on these issues. They recently filed paperwork to form a political action committee that will be "supporting candidates who share our goals of promoting the value of innovation to our economy while giving people the power to share and make the world more open and connected."

Who killed videogames? Beautifully written account of behavioral economics and social games

Tim Rogers's essay "Who killed videogames? (a ghost story)" is one of the most interesting pieces of technology reporting I've ever read. It's a long (long!) account of the mechanics of "social games" where psychomathematicians or behavioral economists or engagement designers (all variations on the same theme) create systems to make games compelling without being enjoyable. The sinister science of addictive game design is practiced -- in Rogers's account -- by people who don't like games or gamers, who actually hold them in contempt, and see no reason not to entrap them in awful, life-sucking systems designed to separate them from their money without giving any pleasure or service in return. I've always suspected this to be true, and Rogers's account is awfully well-written and convincing:

The larger man spoke. He gestured while doing so. “You teach the player how to play the game in one minute. Within that one minute, you give them in-game money. You make them spend all of that money to buy an investment that will begin to earn them profit. They build a thing. It says: this thing will be finished in five minutes. Spend one premium currency unit to have it now. You happen to have one free premium currency unit. The game makes you use it now. Now you have a thing. Now it says to wait three minutes to collect from that thing. So they have a reason to stick around for three minutes. When those three minutes are up, you tell them to come back in a half an hour. You say, ‘You’re done for now. Come back in a half an hour.’ The phone sends them a push notification in a half an hour. Right here, you’re telling them to wait. You’re expressing to them the importance of patience. They’re never going to forget the way it feels to wait a half an hour after playing a game for one minute. They’re going to forget the second time they wait for a half an hour, and the third time, and they’ll then not forget the first time they have to wait for four hours, then twenty-four hours. This is why they’ll start to pay to Have Things Right Now.

“So after the first half hour, they get a push notification. Their phone vibrates. It tells them their such-and-such is ready for collection.” The Other Men don’t make any sound. They have collectively folded their hands alongside their Alpine Crystal Spring Superclear Water bottles atop the glass table, collective face intent and weirdly worried, like that of a man hearing the beginning of a joke involving a rabbi, a toddler, and a lizard.

“They open the app. They collect from their such-and-such.

“Now the game tells them they’ve leveled up. It gives them some bonus coins. It tells them they’ve unlocked a new thing — a fancier thing.

As Alice notes, this is long, but the epilog is the best part, and it loses its impact if you haven't read the rest. Keep reading.

(via Wonderland)

Talk on the privacy bargain, big data, and human sensors versus human barcodes

Here's the video from the talk I gave last week at the O'Reilly Strata conference on "big data" in NYC. The talk is called "Designing for Human Sensors, Not Human Barcodes," and it talks about the philosophy underpinning the "privacy bargain" we strike online when we trade personal information for access to services.

Facebook recovers "original" Ceglia contract

Facebook entered into evidence what it says is the original contract between founder Mark Zuckerberg and Paul Ceglia, who is suing the company for part-ownership. Unlike the version produced by Ceglia, identifying him as part-owner of "The Face Book", this version has no mention of the company at all. The "original" coding contract was recovered from Ceglia's own computer by forensic specialists; Facebook says he tried to keep it out of the lawsuit by claiming attorney-client privilege. [Wired]

Google Plus's "Real Name" policy is abusive; Facebook is not a "Real Name" success story

Here's danah boyd in very good form, explaining why "Real Name" policies like the one Google has rammed down Google Plus users' throats (and like the insanely naive one that Randi Zuckerberg would like to foist on the entire Internet) are an abuse of power:

Over and over again, people keep pointing to Facebook as an example where “real names” policies work. This makes me laugh hysterically. One of the things that became patently clear to me in my fieldwork is that countless teens who signed up to Facebook late into the game chose to use pseudonyms or nicknames. What’s even more noticeable in my data is that an extremely high percentage of people of color used pseudonyms as compared to the white teens that I interviewed. Of course, this would make sense…

The people who most heavily rely on pseudonyms in online spaces are those who are most marginalized by systems of power. “Real names” policies aren’t empowering; they’re an authoritarian assertion of power over vulnerable people. These ideas and issues aren’t new (and I’ve even talked about this before), but what is new is that marginalized people are banding together and speaking out loudly. And thank goodness.

What’s funny to me is that people also don’t seem to understand the history of Facebook’s “real names” culture. When early adopters (first the elite college students…) embraced Facebook, it was a trusted community. They gave the name that they used in the context of college or high school or the corporation that they were a part of. They used the name that fit into the network that they joined Facebook with. The names they used weren’t necessarily their legal names; plenty of people chose Bill instead of William. But they were, for all intents and purposes, “real.” As the site grew larger, people had to grapple with new crowds being present and discomfort emerged over the norms. But the norms were set and people kept signing up and giving the name that they were most commonly known by. By the time celebrities kicked in, Facebook wasn’t demanding that Lady Gaga call herself Stefani Germanotta, but of course, she had a “fan page” and was separate in the eyes of the crowd. Meanwhile, what many folks failed to notice is that countless black and Latino youth signed up to Facebook using handles. Most people don’t notice what black and Latino youth do online. Likewise, people from outside of the US started signing up to Facebook and using alternate names. Again, no one noticed because names transliterated from Arabic or Malaysian or containing phrases in Portuguese weren’t particularly visible to the real name enforcers. Real names are by no means universal on Facebook, but the importance of real names is a myth that Facebook likes to shill out. And, for the most part, privileged white Americans use their real name on Facebook. So it “looks” right.

“Real Names” Policies Are an Abuse of Power