With all the supposed changes in Facebook’s privacy system, I decided to revisit my work with Privacy Mirror (you can catch the backstory: here and then here). Having retested PM with both friends and strangers, here’s what I’ve learned: Plus ça change, plus c’est la même chose.

The more things change, the more they stay the same.

Facebook’s inconsistent treatment of privacy still remains. In a nutshell, what a 3rd party developer can see in your profile, having been granted access to you via your friends, directly depends on whether you have the same application they do. If you and your friends use the same Facebook app, then the 3rd party developer will see your profile (and photos and posts, etc.) as if that developer was your friend. If you do not use the same Facebook app that your friend does, then the 3rd party application is subject to a different set of constraints.

I question whether the recent changes Facebook has instituted have even remotely satisfied Commissioner Stoddart’s concerns with Facebook, specifically 3rd party access to user information. Although users can control the scope of disclosure of their posts a bit better, defaulting settings to “Everyone” access as well as potentially making user’s social graphs public undermines any attempt to cast Facebook in a pro-user control light.

There’s also a nit I’d like to pick with the privacy settings system in Facebook – inconsistent save behavior. In some cases, Facebook automatically saves changed to privacy settings. In some cases, you have to press Save. This is a small point but it points to a larger issue. If service providers do not provide their users with meaningful, usable choices when it comes to controlling privacy and disclosure controls, but instead heap more controls in hard to find places, then these service providers have not aided their customers in the least. More user choices only equals more user control if those choices are clear, consumable, and centralized.

If you want to conduct some of your own testing of Facebook’s privacy system, feel free to play with Privacy Mirror. The following are new features I’ve added:

• PM tests to see if the person your are pointing the Mirror at is a Privacy Mirror user. If they are you’ll get results based on their privacy settings with respect to you as a person. If they aren’t you’ll get results based on their privacy settings with respect to Privacy Mirror being a 3rd party application. This behavior is core Facebook Platform behavior which I feel is inconsistent and puts people at a disadvantage.
• PM tries to find some photo albums that the person may have added
• PM tried to find some photos that are tagged with the person in question
• Added the ability to point the Mirror at a specific person better using their username

I happen to be in Ottawa a few weeks back and had some kick ass meals. First up, Murray Street – a charcuterie and wine bar. They bring much respect to meats – all of them. Anywhere that has an offal of the day as well as a whole pig head on the menu gets my vote any day of the week. It is a small place with a great feel. Highly recommend.

Next up – The Whalesbone Oyster House. Go. There. Now. Imagine a tiny restaurant embedded into an old bike shop. Forget open kitchen, the hot stations are actually in the seating area and the night we were there the a/c wasn’t working – forcing the staff into tank tops and shorts. Whalesbone is, as the name implies, an oyster and fish joint and it takes its ingredients seriously. If the amazing fish, oysters, and drinks doesn’t do it for you, then try this – when was the last time you went to a bar or restaurant where the music was provided by records? Two huge stacks of records behind the bar, from which Ray Charles, Abba, and Sam & Dave were pulled when we were there. The staff has been friends since high school and you can feel their love for the place in everything they do. Again – go there now!

Ottawa may be a somewhat sleepy capital but there are definitely some pockets of serious yum and fun to be had – I’ll be waiting until the spring to head back for oysters and offal.

On the whole, people have no problem using social networking tools. Whether for personal or for work reasons more and more people are using a variety of tools to share and connect. And in this regard, we can think of social tools as engines for disclosure. Although people are relatively comfortable making disclosures such as “had a great meal in Ottawa” or “have to burn the midnight oil to get this blog post done,” people feel uncomfortable when these disclosures appear in other places. This feeling is akin to reaching into your computer bag and finding a long lost banana: a little foreign, a little gross, and a little strange. People often want to keep their social structures separates and, using a highly technical word, people feel oogy when they discover that something they have disclosed (an activity, a group they may have joined, a relationship they formed, a trip they have taken, etc) is known by other people in other networks.

There are three axes to this problem:
* Audience
* Content
* Time

Oogy factor #1 – Audience – People often underestimate the size of the audience to whom their are disclosing information. What they think they are sharing with their team at work, is in fact shared with the enterprise. Furthermore, there are cases where the true size of the audience is not known because linkages between different social networking sites and the social graphs defined therein.

Oogy factor #2 -Content – Some disclosures are not obviously under people’s control. It’s obvious when I update my status in Yammer. It isn’t so obvious when I join a group and that fact appears in my work activity stream.  This is unsettling as information is being disclosed about me and yet I didn’t actively disclose that information. (I fell prey to this one… ask me sometime – funny story.)

Oogy factor #3 – Time – Closely tied to Content, people don’t necessarily have control of when things are disclosed about them. Where social tools are reporting on activity, it isn’t entirely obvious how a person controls such disclosures and when they happen.

People build mental models for their believed behavior of social tools along these three axis. If any one axis is shifted and the tool behave in a manner contrary to those mental models people feel uncomfortable. Although people are just establishing a comfort level with social tools from a consumer perspective, the enterprise is just taking its first teetering steps with social tools. There is definitely enterprise-grade ooginess ahead as enterprise grapples with the data breach and privacy implications of these tools. To that end, social tools have to provide meaningful ways for people, in the consumer setting, to adjust tool-behavior to meet their own mental models, and enterprises to accommodate wider regulatory and data protection concerns.

I’m going to be giving a longer version of this as a presentation to an OWASP and Tivoli users group meeting in December. If you are in the Hartford area, join us. You can register here.

(Cross-posted from Burton Group’s Identity Blog.)

First up – Tuesdaynight’s very own Josh Nanberg has launched his eponymous blog. Josh is one of the few people I know who can

• breakdown political messaging techniques in to something I can understand
• cook a four course meal in a 1 course kitchen
• reference deeply obscure music lyrics

all at the same time.

Next up – my friend and mentor, Rob Ciampa has decided to divert his seemingly boundless energies into a bit of blogging. Besides having an encyclopedic knowledge French wine, a photographic memory for menus, and a typical Boston potty-mouth, Rob is one of the best corporate marketers and channel managers I have ever met.

Admittedly neither blog has much content but I know these guys, and I know what’s to come. You’ll want to know it to.

Questions that I’d like to see answered are:

• How many crimes were not committed because of the presence of a CCTV camera?
• How many crimes were committed in a different location because of the presence of a CCTV camera?

The first question is impossible to answer. The second can be answered and a UC Berkeley study of the city San Francisco’s CCTV camera efficacy has been released. You can ready about the results here and here. The San Francisco study shows the cameras move crime from areas near cameras to areas away from cameras – no big surprise there.

As I have mentioned previously on Tuesdaynight, trading the feeling of safety (without an actual increase in safety) for an invasive, always-on, 3rd-party-accessible video monitoring presence is a choice that leads to a far more paranoid society, less willing to engage in social behavior and less like the kinds of societies in which we want to participate.

The second hack is of a far more interesting class. Ronen Zilberman, a security researcher, harnessed features of the Facebook platform to unwittingly perform a man-in-the-middle attack on itself. Zilberman documents how the attack works in very clear language. You can even see a video of the attack in action. Why is this a more interesting class of attack on Facebook? First, it doesn’t require an application to be added to the victim’s Facebook profile. Second and more importantly, this attack fundamentally turns Facebook’s goals against itself.

Facebook’s mission is to “give people the power to share and make the world more open and connected.” Its business is to accomplish this mission before someone else does. This requires that Facebook provide a means to connect as many people, websites and services as possible and as fast as possible. And in the course of this social networking land-grab, it is not surprising that we have seen both Facebook malware and the Facebook’s platform being used to support anti-social behavior. The Facebook platform is optimized to provide frictionless connections and sharing of information. But as exploits for ill-purposes increase, Facebook has to act and act in a manner counter to their mission.

Facebook is currently trying to tackle some of its privacy issues with new privacy settings. The changes to the Privacy Settings are in beta, expected to rollout system-wide shortly. I sincerely hope that Facebook simplifies the privacy settings interface while adding more granular controls – though I am not too hopeful this will happen. Furthermore, I am very curious to see if changes in privacy settings will improve the situation I discovered with Privacy Mirror – again, not too hopeful. But changes in privacy settings are just patches on the underlying problem: increased privacy controls and platform restrictiveness are antithetical to Facebook’s mission. Until Facebook institutes more control within its platform, we will continue to see more malware and more “interesting” attacks.

In order to achieve its mission, Facebook has to prove that it is a safe space in which its customers can engage in social behaviors. To accomplish this, Facebook must recognize the fact that its users have relationships with each other and that Facebook itself has a relationship with each of its users. These relationships are governed by social norms and are not dictated but negotiated through countless social interactions. These relationships and the rules governing them must be respected in order for Facebook to prove that it is a safe place to make shared information public and keep private information private.

(Cross-posted from Burton Group’s Identity Blog.)

Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imaging that Bob has only allowed 3rd party applications to see his profile picture and profile status.

After a while, Alice tells Bob about App X. He thinks it sounds cool and adds it to his profile. At this point if App X, via Alice’s profile, looks at Bob’s profile it will see not only his profile picture and status but also his education history, hometown info, activities and movies. That is significantly more than what he authorized in his Application privacy settings. What is going here?

It appears what’s going on is that if Alice and Bob both have authorized the same application, that application no longer respects either user’s Application Privacy settings. Instead, it respects the Profile Privacy settings of each person. In essence, App X acts (from a privacy settings point of view) as if it were a friend of Alice and Bob and not a third-party application.

Putting my privacy commissioner hat for a moment, I’d want to analyze this situation from a consent and disclosure perspective. When Bob confirms his friendship with Alice he is, in a sense, opting in to a relationship with her. This opt-in indicates that he is willing to disclose certain information to Alice. Bob can control what information is disclosed to Alice through his Profile Privacy settings and this allows him to mitigate privacy concerns he has in terms of his relationship with Alice.

What Bob isn’t consenting to (and is not opting in to) is a relationship with Alice’s applications. Bob is completely unaware of which applications Alice currently has or will have in the future. This is an asymmetry of relationship. It is entirely possible that Alice and Bob will have applications in common and once they do the amount of profile information disclosed (by both of them) to an application can radically change and change without notice to either Alice or Bob. Furthermore, it is unclear which Facebook privacy settings Bob needs to manipulate to control what Alice’s applications can learn about him.

This lack of clarity is harmful. It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.

This experiment started after I read the Canadian Privacy Commissioner’s report of findings on privacy complaints brought against Facebook. This report raised significant concerns about third-party applications and their access to profile information.

As of the beginning of Catalyst (today!), Facebook has about 15 days remaining to respond to the Canadian Privacy Commissioner’s office, I hope that this issue about third party applications and privacy controls is meaningfully addressed in Facebook’s response.

(Cross-posted with Burton Group’s Identity Blog.)