Looking beyond the Privacy Mirror

Over the last two weeks, I have been using my homegrown Facebook application, Privacy Mirror, as a means of experimenting with Facebook’s privacy settings. Although Facebook provides a nice interface to view your profile through your friends’ eyes, it does not do the same for applications. I built Privacy Mirror with the hopes of learning what 3rd party application developers can see of my profile by way of my friends’ use of applications. I have yet to speak with representatives of Facebook to confirm my findings, but I am confident in the following findings.

Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imagine that Bob has only allowed 3rd party applications to see his profile picture and profile status.

Further findings from the Privacy Mirror experiment

I find that I rely on my debugging skills in almost every aspect of my life: cooking, writing, martial arts, photography… And it helps when you’ve got friends who are good debuggers as well. In this case, my friends lent a hand helping me figure out what I was seeing in my Privacy Mirror.

The following is a snapshot of the Application Privacy settings I have set in Facebook:

[Image: Facebook Application Privacy Settings]

Given these settings, I would expect that the Facebook APIs would report the following to a 3rd party application developer:

  • My name
  • My networks
  • My friends ids
  • My profile status

Privacy Mirror: A privacy experiment in Facebook

As I previously blogged, I read Canada’s Assistant Privacy Commissioner Elizabeth Denham’s findings on Facebook and it got me thinking about 3rd party applications. I wondered what 3rd party app developers could see in my profile. In my estimation, the easiest way to find out what a 3rd party application developer could see, was to become a 3rd party application developer.
Enter Privacy Mirror

I built a basic Facebook application called Privacy Mirror. The goal of Privacy Mirror was to see, as a 3rd party developer, just what information I could glean from my profile via Facebook’s APIs. At first, I used two Facebook API calls:

I wanted to call these APIs, see what data they returned, and that’s that. I had and have no interest in storing any of the data, and, in fact, Facebook deems most of the data I retrieved as unstorable according to their terms and conditions. For those of you who use Privacy Mirror I want to repeat, I do not store any of the information that is retrieved by the API calls.

Laplace’s Demon, Santa Claus and TSA’s Secure Flight

No doubt you frequent fliers out there have received emails from your airline of choice talking about TSA’s Secure Flight. As you make air travel reservations in the future, your airline will communicate with TSA to get, essentially, a fly/no-fly decision from the Secure Flight system. As the TSA explains in the “How it works” section of their website dedicated to Secure Flight:

Secure Flight matches the name, date of birth and gender information for each passenger against government watch lists to:

  • Identify known and suspected terrorists
  • Prevent individuals on the No Fly List from boarding an aircraft
  • Identify individuals on the Selectee List for enhanced screening
  • Facilitate passenger air travel
  • Protect individuals’ privacy

After matching passenger information against government watch lists, Secure Flight transmits the matching results back to aircraft operators.

Did you notice the extreme use of irony there? Secure Flight is used to “facilitate passenger air travel” and yet Secure Flight’s sole purpose is to keep people off of planes. (I think someone at the TSA doesn’t know what facilitate means.) Irony aside, Secure Flight is ignorant of (or at least tone-deaf to) the US’ strong social and legal tradition of freedom of movement. Secure Flight can act as a preemptive refusal of air travel in the absence of due process, which contravenes citizens’ freedom of movement.

Personal Privacy Impact Assessments for Facebook

I’m reading Canada’s Assistant Privacy Commissioner Elizabeth Denham’s recently released findings into complaints levied against Facebook. (Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act.) My first reaction to this is, frankly, one of jealousy. I wish we had a similar commissioner/czar/wonk here in the US. I suppose elements of the FTC work in this regard but without the same charter, which is too bad.

Section 4 of the report is, for me, where the action is at. Section 4 is concerned with 3rd party applications in Facebook and the use of personal data by those applications. As the Facebook platform grows with new additions like Facebook Connect, issues of third-party access to user information will continue to be a concern to those who pay attention to such things. There’s a challenge here, as the ways in which 3rd party applications use user information are hard to decipher; from an end-user perspective it is a fairly black-box operation.

I wonder if Facebook could build a personal privacy impact assessment (PPIA) app. The PPIA would analyze the action you are about to take on Facebook, your privacy settings, the 3rd party apps you’ve allowed access to your profile, and the privacy settings you have set for those apps. The PPIA could give you a quick read on which applications would be privy to the action you are about to take. It could indicate which groups of friends (based on your privacy settings) would see what you are about to do. Essentially, it would let you see across how much of your social graph a certain action (like posting a link or photo) will travel.
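As an added illustration (my own toy model, not Privacy Mirror’s code and not a Facebook API), the script below puts the Alice/Bob/App X visibility rule from the first post and the PPIA idea from this one into one place: an app sees the full profile of whoever added it, sees only the Application-Privacy-allowed fields of that person’s friends, and nothing of anyone else. The social graph, field names and allowlists are constructed sample data.

```python
# Constructed sample data: a tiny social graph, not real Facebook accounts.
PROFILES = {
    "alice": {"name": "Alice", "networks": ["Toronto"], "status": "at work",
              "picture": "alice.jpg", "birthday": "1980-01-01"},
    "bob":   {"name": "Bob", "networks": ["Ottawa"], "status": "hiking",
              "picture": "bob.jpg", "birthday": "1979-05-05"},
    "carol": {"name": "Carol", "networks": ["Vancouver"], "status": "reading",
              "picture": "carol.jpg", "birthday": "1985-09-09"},
}
FRIENDS = {"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}}
# Apps each user has added, i.e. authorized to read their own profile.
INSTALLED = {"alice": {"app_x"}, "carol": {"app_y"}}
# Application Privacy settings: fields a user lets friends' apps see.
APP_PRIVACY = {
    "alice": {"name", "networks", "status", "picture", "birthday"},  # left at default
    "bob":   {"picture", "status"},  # Bob's choice from the post
    "carol": {"name", "networks"},
}


def fields_visible_to_app(app: str, target: str) -> set[str]:
    """Profile fields of `target` that `app` can read under the assumed model:
    everything if target added the app; the Application Privacy allowlist if
    a friend of target added it; nothing otherwise."""
    if app in INSTALLED.get(target, set()):
        return set(PROFILES[target])
    friends_with_app = {f for f in FRIENDS.get(target, set())
                        if app in INSTALLED.get(f, set())}
    if friends_with_app:
        return set(PROFILES[target]) & APP_PRIVACY[target]
    return set()


def ppia(user: str, action_field: str) -> dict[str, list[str]]:
    """Personal privacy impact assessment: before `user` changes `action_field`,
    list every app that could read the new value and through whose install."""
    report: dict[str, list[str]] = {}
    all_apps = {a for apps in INSTALLED.values() for a in apps}
    for app in sorted(all_apps):
        if action_field not in fields_visible_to_app(app, user):
            continue
        if app in INSTALLED.get(user, set()):
            report[app] = [user]  # the user added it themselves
        else:
            report[app] = sorted(f for f in FRIENDS[user]
                                 if app in INSTALLED.get(f, set()))
    return report


if __name__ == "__main__":
    print(ppia("bob", "status"))    # apps that would see Bob's new status
    print(ppia("bob", "birthday"))  # nothing: Bob's allowlist excludes it
```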