A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets.

Some recent stories that I think come together to tell a meta-story of privacy:

  • Steven Levy tweeted: “What surprised me most in my Zuck interview: he says the thing most on rise is ‘sharing with smaller groups.'” (Tweet edited from 140-speak). I think that sharing with smaller groups is a pretty clear expression that privacy matters to Facebook users, and that as Facebook becomes more a part of people’s lives, the way they use it will continue to mature. For example, it turns out:
  • 71% of Facebook Users Engage in ‘Self-Censorship’” did a study of people typing into the Facebook status box, and not hitting post. In part this may be because people are ‘internalizing the policeman’ that Facebook imposes:
  • Facebook’s Online Speech Rules Keep Users On A Tight Leash.” This isn’t directly a privacy story, but one important facet of privacy is our ability to explore unpopular ideas. If our ability to do so in the forum in which people talk to each other is inhibited by private contract and opaque rules, then our ability to explore and grow in the privacy which Facebook affords to conversations is inhibited.
  • Om Malik: “Why Facebook Home bothers me: It destroys any notion of privacy” An interesting perspective, but Facebook users still care about privacy, but will have trouble articulating how or taking action to preserve the values of privacy they care about.

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and checking your settings regularly is a drain.

Enter PrivacyFix.

PrivacyFix is a Firefox & Chrome plugin that you might want to check out. It looks at your Facebook and G+ settings, and helps you fix things. It also helps you send opt-out email to web site privacy addresses, which is awesome.

Not having a Facebook or G+ account, I can’t really test it. I do find the model of a plugin that works when you’re on their site (versus local UI) to be confusing. But maybe I’m not their target audience. Anyway, I did want to refer back to my Lessons from Facebook’s Stock Slide, in which I talked about intent versus identity.

Facebook tracks
Google tracks

I don’t know if PrivacyFix’s estimates of revenue are accurate. But unless they’re off by 2 orders of magnitude for each of Facebook (under-estimating) and Google (over-estimating), then wow.

Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.)

At the same time, I’m curious to see how the advertising system works. I’d like to understand it and blog about it, but Twitter would like to maintain confidentiality around the program. They’re engaged in white-hot competition with Facebook and Google to be the new advertising platform of the future. At the same time, it’s less transparency than the exceptionally high bar that Twitter has generally aspired to.

That said with the launch of Control-Alt-Hack, my collaborators have stuff to sell and give away. (Not to mention maybe a sales bump for The New School of Information Security?) Or maybe I could promote other books that I think people should read, like “Thinking, Fast and Slow“). Does the nature of what I’m advertising change the calculus? Would advertising the giveaway make it different?

Then again, I do lots of “advertising” on Twitter already–I advertise the book, the game, blog posts, ideas I like. Does paying to bring them to more people dramatically change the equation?

Interestingly (and I think this is something that can be discussed, because it’s visible), I’m offered the chance to promote both tweets and myself.

I’d be really interested in hearing from readers about how I should take advantage of this, and if I should take advantage of it at all.

Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:”

It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).

The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer’s date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer’s details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker – the service is completely anonymous.

So first, I’m excited to see this. I think single-purpose credentials are important.

Second, I have a couple of technical questions.

  • Why a fingerprint versus a photo? People are good at recognizing photos, and a photo is a less intrusive mechanism than a fingerprint. Is the security gain sufficient to justify that? What’s the quantified improvement in accuracy?
  • Is NFC actually anonymous? It seems to me that NFC likely has a chip ID or something similar, meaning that the system is pseudonymous

I don’t mean to try to allow the best to be the enemy of the good. Not requiring ID for drinking is an excellent way to secure the ID system. See for example, my BlackHat 2003 talk. But I think that support can be both rah-rah and a careful critique of what we’re building.

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports:

There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. (“Study: 13 Million People Haven’t Touched Facebook Privacy Settings“, Consumerist)

Consumerist’s headline focused on the small portion who haven’t touched their privacy settings. I think much more interesting is that based on the Consumer Report numbers, 91% of Americans have taken the time to dig into Facebook’s privacy controls. Also, 72% lock down their wall posts. Those are privacy protective actions, and we regularly hear how those privacy controls are hard to use, and how frequently Facebook changes them.

We often hear privacy-invaders making claims that Americans don’t care about privacy, or won’t do anything about it. Those claims are demonstrated to be false, and false amongst even those least likely to be privacy-concerned (young, willing to be on Facebook).

So next time you hear someone make one of those claims, ask them why 91% of Americans change their privacy settings.

As an aside, the article has a really clear summary of the many privacy problems around Facebook.

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path:

  • Google+ and The Trouble With Tribbles

    The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by it’s socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

  • For Ceorl Onlyone, thanks…

    “As I’ve said previously, I left Facebook and Google+ because I could see the direction and I discerned the narrowing that indicates both subtle and direct attacks upon choice and privacy. I left because my presence was a reason for my family, friends, and peers to remain.

  • The Social Graph is Neither.”
    There’s no clear pull quote, but boy is this a great de-construction of the phrase (and product name) “the social graph”. Read it carefully, and you’ll never hear those words the same way.

  • In a number of places, including “Take back the comments: stop online harassment” and comment on “Why it Matters: Google+ and Diversity, part 2,” Kathy Sierra says:

    Keep the pseudonyms and lose the assholes.

Previously: “Google+ Failed Because of Real Names” and “Yes, Google+ Is a Failure

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician.

Some folks might advise me to stop digging a hole, put down the shovel and walk away. But
I’m going to pick up that shovel, and try to convince you that I’m not exaggerating. Google+ may not be a New Coke level failure, it may be a successful failure, but it’s a failure nonetheless.

The goal of Google+ is to dominate the social network space, replacing Facebook, LinkedIn and Twitter, and building a moat around Google’s core business of advertising. That moat ought to consist of Google having more information about you than the CIA does (ok, that’s hyperbole. The CIA can’t store that much info). The moat ought to be that Google can show your wallet-name ads that tug at your wallet-strings.

Do you really think that Google wanted to enter this market to play second-fiddle to Facebook? Do you think that Google is happy that Facebook is going to pop out in the biggest IPO in history real soon now, giving them a massive war chest?

I think that the answer is fairly obviously a no. Now, you could argue that Google+ is en route to topple Facebook. That Google will take three tries to get it right or something, like they did with Search and Mail and Maps. (Oh, wait, they didn’t take three tries on any of those.)

What’s more, I don’t think that no was pre-ordained because of Facebook’s massive user-base. People were willing to show up at Google+ and explore. And that exploration rapidly foundered on the nymwars.

I think the system could and should have done better, if Google wasn’t so hell-bent on controlling what name people could display for themselves.

Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the physical world that matter to its paying customers: advertisers. To me, the most interesting part is how the real name issue acted as a lens, focusing attention on Google’s plans for the service, the horse-trade Google is asking people to make, and Google’s weighting of a communications platform versus having an online Disneyland where nothing offensive is allowed.

There’s a lot that Google gets right in Google+, most notably the idea of circles. Circles could be a great way for Google to mirror how people interact, and let them present different things to different sets of people, under their control. It’s a simple, understandable metaphor.

But Google hasn’t derailed Facebook, because Google shot themselves in the foot at launch. That’s why TechCrunch has articles like “Raise Your Hand If You’re Still Using Google+.” Let’s be clear, this was an own-goal, and it was avoidable. I know of at least two Googlers who left because they felt Google wasn’t living up to its own values in the internal debate. Google has put their desire to have a real-name driven internet ahead of their user’s desires. Maybe a free name change would make that ok? But it’s not ok, and name changes won’t make it ok.

Within days of Google+ being launched, the positive press was being driven out by stories about the “Nymwars.” A lot of it revolved around Google having claims that your displayed name could be what people called you, but as Skud clearly documented, that was a bizarre and bureaucratic lie. But documenting up your “government name” isn’t enough, as people like 3ric have documented. (It’s pronounced “Three-Rick,” and that’s how I’ve always known him.)

As bad as it is to tell people what they can write on the “Hello, My Name is” badges, it’s worse to be inconsistent and upsetting around something as personal as a name, or to tell someone that a Capulet they’ll no longer be. The very worst part is that Google managed to do it at the wrong time.

What Google did by focusing attention on “real names” when they did was to take attention from the really cool aspects of Google+, and draw it to an emotionally laden set of battles that they can’t win. They managed to calm the waters a bit by declaring that they’d “support” other names, leading to this awesome bit of politically-incorrect-calling-bullshit: “EFF declares premature victory in Nymwars.”

Another way to see this is Google knowingly burned an awful lot of goodwill with one of their key communities, techies. The way that they did it hampered Google+ during its launch, preventing it from getting the momentum it probably deserved.

They did all that in order to get one unique name for everyone. Oops, wait, there’s lots of people named Mike Jones. They did it to get name that links to “the real world you.” They wanted to get a commercial advantage for Google, at the expense of people’s ability to choose how they present themselves.

It hasn’t worked out, and yesterday, Google announced the next set of changes. (EFF has some comments in “Google+ and Pseudonyms: A Step in the Right Direction, Not the End of the Road.”)

Most interesting to me, Yonatan Zunger, Chief Architect of Google+ says:

We thought this was going to be a huge deal: that people would behave very differently when they were and weren’t going by their real names. After watching the system for a while, we realized that this was not, in fact, the case. (And in particular, bastards are still bastards under their own names.) We’re focusing right now on identifying bad behaviors themselves, rather than on using names as a proxy for behavior.

That’s gotta hurt.

The key takeaway: Google spent a huge amount of goodwill on an attractive, but untested idea, which Yonatan summarizes as “Bastards won’t be bastards under their real name.” (As an aside, there’s a lean startup lesson there, but Google has yet to pivot.) You shouldn’t make the same mistake.

Names are personal. They shouldn’t be subject to policies for vague, untested reasons. They shouldn’t be subject to policies at all unless your idea is even better than Google can do. Don’t make your new thing fail by sacrificing it on the altar of real names.

Some follow-on posts: “Yes, Google+ Is a Failure” and “More on Real Name Policies.”

Google+ is not a space for free expression

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope.

It turns out, Google — without telling me — went into my account and deleted my profile picture.

See “Dear Google+” for the details of why MG Siegler’s picture looks like this:
Gmg3
Yet another reason that we, retro-style, run our own blogs.

“Can copyright help privacy?”

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.”

Key quote:

One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two demerits: it is unconstitutional, and it is insane. Otherwise, it seems fine.

As an aside, Bambauer is incorrect. The idea has a third important problem, which he also points out in his post: “It’s also stupid.”

Read the whole thing here.