Blown To Bits

Archive for the ‘Privacy’ Category

Facebook sort of apologizes, and fixes one problem

Wednesday, May 26th, 2010 by Harry Lewis

A couple of days ago Mark Zuckerberg had an opinion piece in the Washington Post explaining that Facebook would be doing another rev on its privacy policies. Here are some key sentences:

The biggest message we have heard recently is that people want easier control over their information. Simply put, many of you thought our controls were too complex. Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark.

We have heard the feedback. There needs to be a simpler way to control your information. In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services. We are working hard to make these changes available as soon as possible. We hope you’ll be pleased with the result of our work and, as always, we’ll be eager to get your feedback.

We have also heard that some people don’t understand how their personal information is used and worry that it is shared in ways they don’t want. I’d like to clear that up now. Many people choose to make some of their information visible to everyone so people they know can find them on Facebook. We already offer controls to limit the visibility of that information and we intend to make them even stronger.

There are two threads here. The first is that the privacy controls were too granular and too complex. Certainly true, as the NYT graphic beautifully illustrated. Second is that not everyone wants lots of stuff public. Certainly true also. Glad they are addressing both problems. Or are they?

The tonal problem remains, I am afraid. The implication is that we geniuses at Facebook thought everything was cool, the problem was with the users. “Many of  you thought our controls were too complex.” Well, no; they were too complex. The point of privacy settings is so people, ordinary people, can keep stuff private. It shouldn’t take hundreds of clicks to do that. You are a consumer oriented company now, and the customer is always right. Imagine if a washing machine had a hundred knobs on it and had to be retrofitted. Would Whirlpool say “Many of you thought our controls were too complex”? Why didn’t Facebook run some user tests first?

And then there is the problem of defaults. Zucerberg’s post contains no hint that the defaults are wrong. In fact, there is deceptive language that suggests that the defaults are other than they are. “Many people choose to make some of their information visible to everyone.” No; “choose” suggests opt-in; the fact is opt-out. You, MZ, chose, on behalf of all of us, that some of our information will be visible to everyone, unless we do something to hide it. Big difference.

At least the programmers got cracking and fixed the data leakage Ben Edelman pointed out. But this was a kind of design bug that never should have happened in the first place. It wasn’t a coding error; they just failed to have some smart person looking over the engineers’ shoulders for privacy issues with their implementation. Again, some process failure is evident here.

Finally, the character-of-the-leader issue isn’t helped by the report that came out a couple of months ago that Zuckerberg, while still at Harvard, had used failed Facebook login attempts to guess email passwords of student journalists. Now there is a place where you really can only trust your web site. How would you ever know that when you type the password for one site into another, that the second isn’t grabbing the key you typed to see what it might unlock?

So the question will remain in the minds of lots of people: Can Facebook be trusted with personal information? I am betting there will be increasing Congressional interest in that question.

Mark Z: Grow Up

Sunday, May 23rd, 2010 by Harry Lewis

The more I learn about Facebook’s privacy problems, the more I am confirmed in my original guess about the root cause. It just looks like the company is being run by adolescents, or twenty-somethings whose idea of profitable fun and games is more appropriate for badly behaved teens.

So Mark, here is some unsolicited advice from your old college professor. It’s amazing what you’ve accomplished. A social network with 400 million people, how cool is that? But now you’ve got to grow up. There is a flesh and blood human being behind every profile. Those are real guns you are playing with now, loaded with ammo.

I had to read Ben Edelman’s post twice to be sure what it described was as simple as it seemed to be. Facebook claims — and has claimed repeatedly, including on occasions when its claim has been challenged — that when you click on an ad that appears on a Facebook page, the advertiser does not learn your Facebook identity, and all the profile information that lies behind it. Of course, the advertiser will know something about you, because it will have given Facebook some demographic parameters to limit who is shown the ads. So if the advertiser bought advertising space on Facebook and said it wants its ads shown only to people under 30 in the Boston area, when somebody clicks on an ad, Facebook will know that the person is under 30 and in the Boston area. But it shouldn’t know that the person is samjones478 or whatever; that would reveal a great deal more about the person who clicked, especially if samjones478 had accepted Facebook’s new default publicity settings (what Facebook misleadingly calls its “privacy settings”).

As recently as six weeks ago, Facebook was declaring flatly that it doesn’t share your identity with advertisers. “We don’t share your information with advertisers unless you tell us to (e.g. to get a sample, hear more, or enter a contest).” said Facebook’s Barry Schnitt. “Any assertion to the contrary is false. Period.” And that is a consistent line, not a Blumenthalian momentary lapse of precise language.

Turns out, it just isn’t true. When you click on an ad while you are viewing your own profile, or a page linked to from your profile, your username is part of the URL. The advertiser, before taking action on your click, can check your profile and customize its offer based on the personal information it finds there.

How useful is that information to an advertiser?

Well, consider the study Jeremy Bailenson did at Stanford at the time of the 2004 presidential election. Voters were shown pictures of the candidates, but only one of the candidates was actually shown accurately. The other candidate’s picture was morphed with a small amount of the subject’s own face (the subjects were on camera during the experiment). Voters’ preferences shifted significantly toward the candidate with whom the voters’ face had been morphed — and not one subject noticed the deception.

Since Bailenson talked about this at the Berkman Center last year, I have been thinking that images of our faces are a gold mine for advertisers. Now we have a too-good-to-be-true source of high quality facial images. Before serving an ad, the advertiser could just grab our profile photo and morph a little bit into a face appearing in the ad, to make it more effective.

Back to the main point. Facebook’s data on us is very valuable commercially. The changes to the privacy policies are not about creating a better social experience for us. They are about monetizing what Facebook knows about us. Fair enough; they are a business. But Facebook needs to be open about what it is doing. It needs to stop baiting and switching. And it absolutely needs to stop lying, which seems to be the appropriate term given that Facebook has continued to claim that it is not sharing user information even though it was put on notice months ago that it was doing exactly that.

Postscript: A friend pointed me to this account of IM’s from Zuckerberg back in his college days:

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How’d you manage that one?

Zuck: People just submitted it.

Zuck: I don’t know why.

Zuck: They “trust me”

Zuck: Dumb fucks.

A fabrication? Possibly. But it sounds right. The company issued a reassuring statement but would neither confirm nor deny the authenticity of the instant messages. But there is sweet irony in the idea that Mark’s own age-19 misjudgment about openness would come back to bite him as his company struggles to persuade its 400 million users that it truly does deserve to be trusted with their private information.

All the news on the privacy front

Thursday, May 20th, 2010 by Harry Lewis

Lots of news items today on the privacy front.

The new Conservative-Liberal Democrat coalition government in England has launched a remarkably aggressive campaign to unwind the ubiquitous surveillance that was put in place through the years of the Labour government. The deputy prime minister refers to a “culture of spying on its citizens” and says “It is outrageous that decent, law-abiding citizens get treated as if they have got something to hide.” In the U.S. the politics of surveillance seem to be the reverse of the attitudes in England. Here it is the left that complains about the violations of individual liberty occasioned by surveillance, either governmental or commercial, and it is the right that defends surveillance, either as an aid to law enforcement and national defense, or as a free exercise of unrestrained capitalism.

Here, thanks to Larry Denenberg, is a terrific CBS News segment on the privacy risks due to copy machines, which in the modern era are nothing more than scanners attached to computers — with hard drives. Those hard drives hold huge amounts of data, which doesn’t get deleted between jobs. Just as in the case we report in Blown to Bits about the data that can be recovered from the hard drives of used personal computers, a LOT can be recovered from the disk drives of used copiers. I feel rather foolish that this never occurred to me. What happens to your office copier when it breaks down and is replaced, or worse, is traded in for a newer model? Do years of office documents go with it, unencrypted? Among the more interesting things about this video is the revelation that there actually is a proper auto-delete feature available on Sharp copiers — a few extra lines of code for an extra $500, which is about the price of an entire PC today, with Windows installed.

Thanks to Hanspeter Pfister for pointing me to this terrific graphic on how Facebook’s privacy policies have become weaker over the years, and this site that helps you check and modify your own Facebook privacy settings. The New York Times graphic from a few days ago on Facebook privacy also is worth a thousand words (or 5,830, which is actually how long Facebook’s privacy policy now is).

Finally — I was on Emily Rooney’s Greater Boston show last night with Tim Wong, until recently of the Berkman Center, talking about the backlash against Facebook’s new privacy model.

Facebook Privacy: An Oxymoron, again

Wednesday, May 5th, 2010 by Harry Lewis

A bug allowed private chats to be publicly viewable.

People who wonder whether Facebook takes their privacy concerns seriously should be forgiven for wondering.

The (North Carolina) Government Wants to Know What You Bought

Tuesday, April 20th, 2010 by Harry Lewis

Massachusetts has started to get a bit more insistent about collecting MA sales taxes on goods purchased out of state–including over the Internet. This year’s return invited me either to list the actual amount paid and pay the Massachusetts rate on the total, or to pay a “safe harbor” tax on my income. Pay the safe harbor rate and I am exempt from harassment for my out of state purchases, even if I get audited and it turns out I would have owed the state much more based on my actual purchases.

I found this annoying. But actually it seems to me correct. I don’t imagine people were paying those taxes until the safe harbor was introduced, and if I don’t like the safe harbor, I can keep track of all my Amazon purchases and whatnot and pay the 6.25% on those. I can object to the whole notion that stuff I buy out of state and bring or have shipped in state should be taxed, but until somebody changes the rules, that is the way the rules read.

Now the state of North Carolina has done Massachusetts one better and has handed its comparable tax collection problem to Big Brother. The state has demanded that Amazon turn over to its tax authorities detailed, itemized records of everything shipped to anybody in the state. (Amazon has no business address in North Carolina. Only customers are there.)

That’s a lot of data, but of course that’s not the problem. Amazon has it, not just for billing purposes but so it can pitch you different suggestions on rainy Tuesday nights if it notices that you particularly like ordering steamy romances on evenings like that. The granularity of the data is extremely fine, and the state wants it all. Amazon provided some anonymized information — not sure I am happy even with that, given how easily apparently anonymized data can be re-identified — but it doesn’t matter, because the state was not content with that. It wants names and addresses.

Amazon is resisting, thank goodness, on First Amendment grounds–citing individuals’ right to read anonymously. But aren’t there Fourth Amendment issues, too? Given constitutional guarantees of security against unreasonable searches, what possible justification could the government have for demanding to know the shoppings lists of ordinary citizens, not under suspicion of anything?

The Forces Align Against Anonymity

Saturday, April 17th, 2010 by Harry Lewis

Stories on successive days in the New York Times make me wonder if there is any hope of preserving anonymity on the Internet. The forces of security and commerce are lining up to end it, and I am not feeling a lot of pushback.

On Friday, there was some apparently happy news: At Internet Conference, Signs of Agreement Appear Between U.S. and Russia. It takes awhile to learn the nature of the common ground between American and Russian cybersecurity experts.

“Anonymity is an invitation to criminals,” General Miroshnikov said.

Mr. Baker agreed, saying, “Anonymity is the fundamental problem we face in cyberspace.”

And then today, there is a stunning report on refinements in the business of discount coupons. The coupons you print off the Internet look generic, but the bar code may have everything but your social security number in it — even including your IP# and the search terms you used to get to the site where you printed the coupon. This information enables aggregation of extremely fine-grained information about your shopping habits — and adjustment of what offers get extended to which customers.

“When someone joins a fan club, the user’s Facebook ID becomes visible to the merchandiser,” Jonathan Treiber, RevTrax’s co-founder, said. “We take that and embed it in a bar code or promotion code.”

“When the consumer redeems the offer in store, we can track it back, in this case, not to the Google search term but to the actual Facebook user ID that was signing up,” he said. Although Facebook does not signal that Amy Smith responded to a given ad, Filene’s could look up the user ID connected to the coupon and “do some more manual-type research — you could easily see your sex, your location and what you’re interested in,” Mr. Treiber said. (Mr. O’Neil said Filene’s did not do this at the moment.) …

“Over time,” Mr. Treiber said, “we’ll be able to do much better profiling around certain I.P. addresses, to say, hey, this I.P. address is showing a proclivity for printing clothing apparel coupons and is really only responding to coupons greater than 20 percent off.”

Is this the Internet we want?

The Camera App that Identifies your Subjects

Tuesday, March 2nd, 2010 by Harry Lewis

I recently noticed that the latest digital cameras have a feature that not only tags people the camera can identify because you have tagged them before, but stops you to ask if you’d like to identify them if the camera notices that they keep turning up in your photos. Facial recognition is in the camera software. (Here is a Panasoic page describing this feature.)

That didn’t surprise me much, but somehow the Recognizr Android-phone app impresses me more. Point the camera at someone and the phone goes to the Web to identify the person and look up his or her profiles on Facebook and other social networks. Bingo, the phone reports back to you whatever the profiles disclose about them.

Nothing very complicated going on here, if you think about it, once you accept that facial recognition is a solved problem. The rest is just web search and retrieval. Underlying face recognition is by Polar Rose.

But think of it. Just miniaturize a bit more and we can all put these in our eyeglasses. Meet someone for the first time, and greet them by name. It will feel weird at first, but I suppose we will get used to it, in the same way that it no longer startles us to see pulled-together businesspeople striding confidently down the sidewalk talking to no one visible.

Point and Buy

Saturday, February 27th, 2010 by Harry Lewis

In B2B we briefly noted a couple of coming technologies in the advertising and marketing field—stores that would welcome you when they “saw” you coming in the door, perhaps suggesting things you might like to buy based on what they knew about what you had bought, etc. The New York Times reports today that it’s all here. It’s a good story, describing multiple technologies. It leads with the idea of pointing a cell phone camera at a window display after hours and having the item recognized from its image, so the shopper can buy it literally right out of the window. Here is another technology that I find particularly interesting:

Other retailers have begun testing a product from I.B.M. called Presence. Shoppers who sign up can be detected as soon as they set foot in a store. That enables Presence to offer real-time mobile coupons. And tracking shoppers’ spending habits and browsing time in various departments can help the system figure out who might be moved to suddenly buy a discounted item.

Presence can also make product recommendations. If a shopper was buying cake mix, Presence might suggest buying the store’s private-label frosting and sprinkles, too.

“We’re also able to do predictive analytics — predict what we think you might want based on what we already know about you,” said Craig W. Stevenson, an I.B.M. executive who oversees Presence.

We were imagining RFID chips in clothing as the identifiers. We should have expected that GPS phones would be ubiquitous and that people would happily tell merchants their whereabouts in exchange for small perceived rewards.

Privacy and Knowledge

Tuesday, February 23rd, 2010 by Harry Lewis

I am giving a talk with that title at Cornell on Thursday. It will be livestreamed at 4:15pm—details here. Thursday morning I am giving a talk on an earlier book, Excellence Without a Soul—that too will be livestreamed if anyone is interested. Same link.

Judge of Google Books Settlement Seems Skeptical

Friday, February 19th, 2010 by Harry Lewis

Yesterday was the “Fairness Hearing” in the Google Books Settlement case. The New York Times has a good report on it. Judge Chin’s questions suggest he is worried that the settlement goes way beyond what was needed to settle the issues between the parties—which is true, of course. A class action lawsuit over copyright infringement should not be a platform for a world-changing business partnership, with the biggest rewards going to the infringer.

Alas, so far I see nothing to suggest that the privacy issues with the settlement have caught the judge’s attention. I found this paragraph from the ACLU particularly interesting:

Because the settlement does not contain any privacy protections for users, Google’s system will be able to monitor which books users search for, which pages of the books they read and how long they spend on each page. Google could then combine information about readers’ habits and interests with additional information it collects from other Google services, creating a massive “digital dossier” that would be highly tempting and possibly vulnerable to fishing expeditions by law enforcement or civil litigants.

Among the reasons Google will rue the day it decided to roll out Buzz as an opt-out product with your social network harvested from your Gmail address book is that it renders worries like the ACLU’s far more credible. With all that useful data about reader behavior, Google itself will be highly  tempted to repurpose it. After all, it has shown itself willing to do that with your address book, which many of us consider confidential information—why not do it with the information about which books, and which pages of which books, you spend your time reading?