The continuing story of Privacy Mirror

Posted January 21st, 2011 - 2 comments

I had let Privacy Mirror languish for a bit, and having found a free few hours, I decided to update Privacy Mirror to take advantage of Facebook’s Graph API. (For those of you not familiar with my Privacy Mirror experiment, it is a very basic app that explores what personal data apps can see via your friends.) Since I last updated Privacy Mirror, Facebook rolled out two major features. The first was the previously mentioned Graph API, which is a RESTful API that results Facebook data as JSON.

The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use.  It is these extended permissions at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job over covering this, and here is Facebook’s current response.)

Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.

January 21st, 2011 | Tags: , | Category: Privacy | 2 comments

I “like” you, but I hate your apps – Part 2: Desires & Expectations

Posted January 20th, 2011

I’ve posted the second part of my ‘I “like” you, but I hate your apps’ series over on my Gartner blog.

January 20th, 2011 | Category: Privacy | Leave a comment

I “like” you, but I hate your apps

Posted January 14th, 2011

I’ve been doing a lot of thinking lately about how the apps on our smartphones and Facebook profiles introduce strangers into our interactions. I’ve broken my thoughts up into a three-part post over on my Gartner blog. Check out part 1 and give me your thoughts on it.

January 14th, 2011 | Tags: , , , | Category: Privacy | Leave a comment

Notes from the “Government as Identity Oracle” session at IIW East

Posted September 10th, 2010

These are my raw notes put here for reference purposes.

Attendees

  • Peter A
  • Mary R
  • Ian G
  • Gerry B
  • others

What is mean by identity oracle?

* An oracle provides an answer to a question but not a specific attribute

** If you ask an Oracle, is Peter over 21 it says yes. It does not hand back an attribute – birthdate

Peter: The Federal Govt is authoritative for very few attributes – State Dept – passport #, citizenship. State govt are authoritative for driver’s license number. SSA for SSN.

eVerfify is an example of an oracle, says Gerry.

Peter – what will drive this is the requirement for LOA3 credentials needed to access to medical records.

P – “We do not have an attribute infrastructure.” A lot of attributes are simply issued via IdP’

I – our examples so far have shown organizations that are authoritative for identifiers but not attributes

P – raises need for back end attribute exchange

Gerry – Problem with authoritative attribute provides is that the PDP makes a decision as to what is truly authoritative for a given context. Authoritative data source must provide SLA or MOU so that relying party can establish trust.

P – BAE is 1/2 of the equation and attribute provider (market?) is the other half

A – is there a business model for attribute providers?  Continue reading "Notes from the “Government as Identity Oracle” session at IIW East"...

September 10th, 2010 | Tags: | Category: Identity Management | Leave a comment

Opting-in to a relationship

Posted August 3rd, 2010 - 7 comments

My series of posts related to Facebook and The Washington Post has become very interesting today. Luke provided some insightful feedback on WaPo’s use of an iframe served up to provide a socially-connected experience, and in doing so he raised an interesting point. He said:

The opt-in question is interesting. Since no information is being transferred, it’s not clear that there’s anything to opt into. I think the social plugins work the same as myriad other plugins and ad networks around the internet, with the exception that it’s more obvious to the user what’s happening. If users needed to click a button in order to see personalized stories, then the vast majority wouldn’t get to experience the value that’s created.

For a little clarity here, the opt-in refers to The Washington Post’s Network News feature. If you opt-in (which was the default) you get the Facebook iframe which shows you friend activity with respect to the Post. If you opt-out, your version of www.washingtonpost.com doesn’t include the iframe.

Two points. First, the Washington Post’s decision to opt all of their users in by default is an awful one because it presents an asymmetry of relationship to people not prepared to deal with it. I have a relationship with WaPo. I have a relationship with Facebook. By opting me in, I suddenly see that WaPo and Facebook have a relationship and it seems to center around me. (Now in reality, it isn’t all about me, but from a user’s perspective it is.) This sudden presentation of relationship, even though no data is being passed, lacks a context and explanation that would make it more palatable, if not more desirous, to users.  Continue reading "Opting-in to a relationship"...

August 3rd, 2010 | Tags: , , | Category: Privacy | 7 comments
Older Entries »  
Home
  « Newer Entries