Facebook: Conform or else

Robert Scoble, discussing Facebook founder Mark Zuckerberg:

He also said that his system looks for “outlying” behavior. He said if you behave like an average user you should never trigger the algorithms that will get you kicked off.

Let’s be specific here: if you behave like the system’s Harvard undergraduate founders and primarily-male engineering staff have programmed the software to think like “an average user” behaves you should never trigger the algorithms that will get you kicked off. Except in reality, most people don’t behave that way. Robert is surprisingly sympathetic to arbitrary undocumented limits on speech:

Of course, that irks me a bit because my usage of social media sites is totally outlier behavior. But, I can see his point. One thing that’s nice about Facebook is that I see very little spam or other nasty behavior.

That’s Jon Pincus discussing “Zuckerberg: Facebook to ratchet up exploitation, only bans “outliers”.”

I think this is a real concern. Facebook exists as a means of connecting with others. As I discuss in “Identities are Created Through Relationships,” we create and evolve our identities through such interaction. If Facebook imposes conformity through secret rules whose violation results in suspension, then it acts as a censor on our social interaction and our willingness to explore and excel.

It’s unsurprising that Scoble sees little spam or other nasty behavior, but free communities have some level of that, or they have a constant level of looking over one’s shoulder for the camera or the plainclothesman. Scoble shouldn’t be ok with that, and neither should we.

They’re trying to dress up giving users the ability to up/down vote on their rules as “democracy,” and giving users a voice, but as Michael Zimmer documents, it’s a vote. They haven’t (say) Wikified their Terms of Service and given users real input. They certainly aren’t offering minorities any protection against the wishes of the majority.

What if the entire userbase votes to make everything from a member of the Screen Actors Guild fully public?

It is fascinating to watch the autocracy of Facebook forced to take tentative steps towards democracy. Here’s hoping that their community also pushes for liberty.

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote:

We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum!

In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve added an “issue type” at the bug tracking system level) and updated the template format. You can read more about the tool at the Microsoft SDL Threat Modeling Tool page, or just download 3.1.4.

Unfortunately, we have no effective mitigation for the threat of bad π jokes.

I’m really excited about this release. This is solid software that you can use to analyze all sorts of designs.

Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:”

A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what the solutions should be. Questions remain concerning the scope of security breach laws, their effectiveness, and cost. Critics argue that notification laws are wasteful and that most breaches aren’t connected to identity theft. Supporters say the laws create vital incentives to safeguard information and reveal hidden cracks in security.

The symposium begins with a session on California’s security breach law and continues with a look at current research and proposed reforms by the state’s top policy makers and scholars.

Conference information and agenda are online at: http://www.law.berkeley.edu/institutes/bclt/security/schedule.htm.

DETAILS: The program is free for public interest groups and media. Registration is required for the general public. For more info, go to http://www.law.berkeley.edu/institutes/bclt/security/about.html

Space is still available, please join us!

[Update: the linked site had permission issues, now fixed. Thanks Chris!]

More on Privacy Contracts

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality:

Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach of confidentiality. The tort is recognized in most states, and it provides for liability whenever one owes a duty of confidentiality and breaches that duty. We observed, however, that the tort has remained “relatively obscure and frequently overlooked” in American law. In contrast, in England, the tort is robust and applies quite broadly. We suggested in our article that the American tort could develop more along the lines of the English tort, and it is, in fact, already beginning to head in that direction. See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).

Lots more very interesting analysis. Check it out!

Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger.

I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was blogging about taxonomies a lot. It was really cool to engage with him, and helped me see the potential for where this might go.

So thanks, Justin, and congratulations on a well-deserved award!

Don’t put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at an IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common.

He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with Down Syndrome. See law firm Proskauer Rose’s “Google Execs Face Privacy Related and Other Criminal Charges for Taunting Video” or Dan Solove’s “Criminalizing Google’s YouTube in Italy” for background.

A small part of me is happy to see enforcement of privacy laws. This is clearly a sit up and take notice moment for many executives around privacy, and that might be for the good.

I think much more, it’s to the detriment of much of what’s good about the internet, and not even good for privacy. On the scale of privacy invasions, this one isn’t like publishing someone’s medical records, their financial records, or their diary. It’s three minutes of bullying. I’m not trying to universalize my values, but it’s hard to understand 191 seconds of bullying as justifying three years in jail. The executive ‘takeaway’ from this is likely to be “we need to get those laws fixed.”

Google claims that 200,000 videos are uploaded to Google Video daily. There’s all sorts of good–people are enthralled, and choose to spend a tremendous amount of time watching that crap. No, really, 99% of it’s crap, but 1% is great, and we all differ on which video is which. It’s chaotic. The value of Google Video emerges from hundreds of thousands of people providing video, and Google making it available to others.

If Peter Fleischer goes to jail, that will stop. Not just at Google, but at other companies (not speaking for my employer–I have no knowledge of plans.) No executive will say this is worth jail time. The chilling effect would be massive, and also ineffective.

Video on the internet will move to a peer to peer system, just like music has. The ability to remove content will fall away, as will searchability. What’s more, we won’t gain much in privacy (except, perhaps, with regards to how much Google can observe). New business will be hesitant to step into these areas, and we’ll give up all the good which might emerge.

Ironically, Google’s aggressive tracking (with 3 domains worth of cookies and 2 Flash LSOs) offers up a perfect “more speech” opportunity. There are logs of who viewed the original video. It would be easy (if an apology video existed) to show it to each person who viewed the original video, and to measure what fraction had seen it.

None of this is aided by a threat of jail time for Peter Fleischer.

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column.

Brenner watches the FUD as he spreads it. He moans histrionically,

When security is your company’s business, even the smallest breach is worthy of scorn. If you can’t keep the bad guys out of your own database, how can customers reasonably expect that you’ll keep theirs safe?

Oh, please. Spare us the gotcha. Let me toss something back at Brenner. In the quote above, he says, “theirs” but probably meant to say “them.” The antecedent of “theirs” is database, and Kaspersky isn’t strictly a database security company, but an anti-virus company. “Them” is a much better turn of phrase, and I hope what he meant to say. How can we possibly trust CSO Online as a supplier of security knowledge when they can’t even compose a simple paragraph? And how can we even trust your own tagline:

Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items.

Why is FUD Watch creating the very sort of FUD they claim to watch? Who watches the FUD watchers? I do, I suppose.

Is my criticism unfair and picayune? Yup.

People make mistakes, even Kaspersky and F-Secure. And heck, even CSO Online. I forgive you.

Brenner came very close to writing the article that should have been written. If even the likes of Kaspersky and F-Secure fall victim to stupid things like SQL injection, what does that say about the state of web programming tools? How can mere mortals be safe if they can’t?

The drama about these breaks is FUD. It shows that no one is immune. It shows that merely being good at what you do isn’t good enough. It means that people need to test, verify, buy Adam’s book, read it, and act on it.

The correct lesson is not schadenfreude, but humility. There but for the grace of God, go all of us.

Synthetic Identity “Theft” – The Mysterious Case of Prawo Jazdy

The BBC tells the tale of a Polish immigrant flouting traffic regulations across the Emerald Isle:

He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines.
However, each time the serial offender was stopped he managed to evade justice by giving a different address.

As it turns out, however, there was more (and less) to this dastardly villain’s wild ride than meets the eye.

“Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence,” read a letter from June 2007 from an officer working within the Garda’s traffic division.
“Having noticed this, I decided to check and see how many times officers have made this mistake.
“It is quite embarrassing to see that the system has created Prawo Jazdy as a person with over 50 identities.”

BBC News

And thus, the mystery was solved.

Public domain image via pl.wikipedia.org