Privacy, Security, and the New Digital Social Contract

With the advancements that came out of Facebook’s ominously named “F8” conference last month, there is a lot of buzz about privacy and security. What it all revolves around is essentially a new digital social contract between you and the services you use to socialize on.  A lot of people are talking about leaving Facebook right now, but few people I know have actually done it, because fear is mounting around the steps that are being taken to write, and rewrite, that contract.  I’m going to try to sum this up so my Grandma can understand the real-world implications of these changes.  Unfortunately, it won’t be brief.  The two Facebook features I’ll focus on are the “Instant Personalization” feature and the “Like” button. The “Like” button is part of a suite of tools that Facebook calls “social plugins,” but many people see them as the central point in Satan’s pitch fork.


Privacy

Forget it.  Nothing you do on Facebook is private.  Treat everything on Facebook as if you are doing it in public.  Even when you “message” a person, Facebook is filtering that message.  They say that they only do it to save kittens and promote world peace, but there is nothing stopping them from updating their TOS to expand the scope of the program.  Then they might start handing that data off to the government for some kind of McCarthy-esque round up, sending all of the Farmville addicts to concentration camps.  Or, heaven forbid, they could start data mining those messages for the delivery of targeted advertising.  Who are we kidding?  Those things, except the Farmville camps, are probably already happening.  The bottom line is that Facebook’s recent actions have proven that information being treated as private today doesn’t mean it will continue to be private tomorrow, or that you will even receive real notice when your information jumps that fence.


Instant Personalization and Privacy

I’m not sure if you realize it, but the “Instant Personalization” feature reversed existing Facebook privacy policies.  What you may have thought was private, or only shared with your friends, became public.  It’s a clever name, really.  By “personalization” they apparently mean shipping your “personalized” information off to third parties of their choice and, by “instant,” they mean that they did it “instantly”; the information was shipped off before anyone had a chance to opt out.  The less cynical perspective on it is, why not let the information I put into my Facebook profile be used by other hand-picked sites to try to serve me in a more effective way?  Pandora can look at my favorite music on Facebook and start playing what I really want to hear right now.  Yelp can give me restaurant suggestions in my area that are highly rated by my peers and serve the food I like.  That’s pretty awesome.  Microsoft knowing my likes and dislikes, however, is kinda like finding out that your Grandma just did the laundry and had to fold your underwear.  It’s just not right.  The only thing I see wrong with that is the likelihood that the sites who get my info may not be so “hand-picked” in the very near future.  The information that Facebook is selling (I assume there’s a hefty price tag on it) for Instant Personalization is the information that appears in the “info” tab on your Facebook profile.  I’m sure it will extend to other information, and potentially everything you do on Facebook as they test the boundaries of what is public and what is private, but for now that’s all they’ve sent to Microsoft, Pandora, and Yelp.  If you want to opt out, Facebook makes it easy-ish:

When logged in to Facebook:

  1. Click “Account” in the upper right corner

  2. Choose “Privacy Settings”

  3. Click “Applications and Websites”

  4. Click “Edit Setting” next to Instant Personalization

  5. Uncheck the “Allow select partners to instantly personalize their features with my public information when I first arrive on their websites.”

While you’re in there, explore every single setting or just stop using Facebook.  Seriously.  Then check it every few months to see what has changed.


The “Like” Button and Privacy

Another feature that is drawing some criticism is the new suite of “social plugins.”  Facebook has made them available to the millions of sites across the internet, like LightMedium.com, that want an easy way to tie into the conversation on Facebook.  The plugin that seems to have drawn the most attention is the “Like” button.  On my site, and please feel free to use it, the button is called “Recommend.”  If you click the button, you will see your picture appear on this article below the button.  GASP!!! PRIVACY ALERT!  PRIVACY ALERT!  I don’t want my picture on this web site!!  The truth is that a web site like this one doesn’t have access to the information in your Facebook profile, and your use of the “Like” button doesn’t allow your data to be used by this site in any other way.  Sites that ask you to log in to Facebook are a different story, but the “Like” button is merely a window into Facebook, and only your friends who are currently logged into Facebook will know that you liked it.  So, if you don’t want your Facebook friends to see that you like the article, then don’t click the “Like” button!


Security

These new features have raised the mumbling din of internet security Chicken Littles as well.  Are there security risks?  Yes, but they are the same general risks of doing anything on the internet, and aren’t necessarily new or exacerbated by these new features.


Instant Personalization and Security

The security risk with Instant Personalization would most likely result from the partner site exploiting a security vulnerability to gain greater access to your information than is needed.  Unless the Facebook engineers are complete idiots, there is probably a 0% chance of that vulnerability existing in the first place, let alone being exploited.  There is no reason, for example, that your username and login should be part of the exchange between Facebook and the third party sites.  The other security risk would involve misuse of the information gained by the partner site.  It may seem like your favorite books, music, and recent events you’ve attended are pretty innocuous information, but from a social engineering perspective, that is far from the case.  Still, the information isn’t nearly as potentially damaging as the sharing of your credit card and social security number can be.  There are sites right now (fandango.com, buy.com, 1800flowers.com, travelocity.com, and many others last I checked) who have partnered with a company called Reservation Rewards to, in a very shady way, transfer your credit card info to them so they can start charging you $5.99 a month to be a member of their discount club.  They started charging me two years and I had to go to war to get our money back.  Google it, it’s crazy.  The potential for abuse of an information sharing arrangement like Reservation Rewards is far more scary than Facebook’s Instant Personalization feature, and it’s been going on for years without much outcry from the general population.


The “Like” Button and Security

A lot of people have seen the “Like” button and thought, “How does CNN.com know about my friends on Facebook?  Wait, how does CNN.com even know who I am?  I didn’t give them permission to access my Facebook account!”  The truth is, when you see those little Facebook social plugins on third party sites, you are really looking at a tiny window into Facebook.com called an “iframe.”  The browsers create what is called a “security sandbox” around the content in that iframe.  That sandbox prevents information sharing between the page (CNN.com in this example) and the iframe (Facebook.com in this example).  So, if you see your friends smiling back at you on CNN.com, it is only because you are currently logged into Facebook, and they clicked the “Like” button.  Log out of Facebook and go back to CNN.com to prove it to yourself.  This arrangement is no less secure than Facebook.com itself, and you already trust Facebook, right?
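The sandbox described above rests on an origin comparison: script in one document may reach into another only when scheme, host and port all match. The following sketch is an added example, not code from Facebook or from this site; the URLs are constructed samples and the function names are hypothetical.

```javascript
// Added illustration of the browser's same-origin comparison.
// All URLs are constructed samples; function names are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple of a URL.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // The URL parser leaves port empty when it is the scheme's default.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// What each side of an embedded iframe may do to the other.
function frameAccess(pageUrl, frameUrl) {
  const same = sameOrigin(pageUrl, frameUrl);
  return {
    pageCanReadFrame: same,      // e.g. the friends' names and photos shown in the frame
    frameCanReadPage: same,      // the plugin cannot inspect the news site's page either
    pageControlsPlacement: true, // the page always owns the <iframe> element itself
  };
}

const newsPage = "http://www.cnn.com/2010/TECH/story.html";       // constructed
const likeFrame = "http://www.facebook.com/plugins/like.php?x=1"; // constructed

console.log(frameAccess(newsPage, likeFrame));
// Edge cases: an explicit default port is the same origin; a different
// scheme or a different subdomain is not.
console.log(sameOrigin("http://www.cnn.com/a", "http://www.cnn.com:80/b"));
console.log(sameOrigin("http://www.cnn.com/", "https://www.cnn.com/"));
console.log(sameOrigin("http://www.cnn.com/", "http://edition.cnn.com/"));
```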


The New Digital Social Contract

A lot of people argue that America is not a Democracy, but is in fact a Plutocracy where, in essence, the nation is ruled by “the people with the money” instead of just “the people.”  If the mafia-infested concrete jungles, cartoon-chicken-littered farmlands, and libraries of mundane chatter in the land of Facebook actually made up a real country, it would definitely be a Plutocracy. That’s not some kind of profound revelation, it’s just recognition of the fact that Facebook is a corporation with a bottom line and a lot of overhead.  There isn’t much regulatory oversight in social media (yet).  It’s the wild west and cash is king.  The lines between which bits of information are private and which bits are public, which bits belong to you and which bits belong to the sites, are being drawn as you read this (did I mention the Facebook “recommend” button below?).  They aren’t being drawn by geeky, spiky-haired attendees at some kind of Silicon Valley constitutional convention.  They’re being drawn line by line, feature by feature, by companies like Facebook who own the sites we happily socialize on *for free*.  From an engineering perspective, the more information you can gather and use, the more robust your set of offerings will be to the third parties who want to target your user base.  From a business perspective, the more robust your set of offerings to third parties is, the more money you can make to pay the bills, keep the lights on, keep the service free to the 500 million people who use it, and buy islands in the Caribbean.  The goal of the company isn’t to protect your privacy, the goal is to buy islands in the Caribbean.  So, when it comes to the privacy lines being drawn, the company is going to continually push the limits until the screaming of the peasants gets too loud.  If you don’t like the direction a particular service is going, you better start screaming because they’ll keep on pushing.  
Keep in mind, though, that if we want to be able to use services like Google and Facebook, Facebook and Google have to be able to use us.  If that makes you feel dirty, then the only thing you can do is log out, cancel your accounts and go take a shower.

The part that has fascinated me lately is that, as Facebook expands its reach with their new social plugins and the Open Graph Protocol, they inch closer and closer to reaching a point of “customer lock-in.”  Each partner in Facebook’s social graph is another anchor that the SMS Facebook drops in your harbor.  There are two aspects to customer lock-in in our relationship with Facebook.  First, we are becoming locked in by becoming data-bound to the system.  That means that all of our mobile picture uploads that don’t exist anywhere else but on Facebook, all of the pictures our friends have uploaded that we can only access through Facebook, all of those priceless conversations about nights of debauchery, all of those witty status updates that you hoped to get a book deal with someday… they’re all in Facebook.  Sure, you can get them out, but it would be such an enormous pain in the butt that you’d rather just stick around and deal with whatever gripes you have against the service than spend the days it would take to round up all of your data and store it somewhere else.  People are, however, writing software tools that promise to scrape that data out of Facebook for you, but you can bet that Facebook will be working overtime to shut them down one-by-one.  Second, we are inching closer to lock-in by becoming culture-bound to the system.  If I leave Facebook, what will I miss?  Where will I go?  Everyone is there!  Who will come with me?  Will the new service have Farmville?  Several of my friends, who I admire and respect very much, disagree with me on the strength of cultural bonds to software.  They name several also-rans, like Friendster, that were simply abandoned and then atrophied.  If a project like Diaspora succeeds in creating a massive “geek exodus” from Facebook like the one that foretold the decline of AOL, then maybe Facebook will atrophy and die, but otherwise I think we’re about 18-24 months from a very powerful lock-in.
