Posted July 27th, 2009
Over the last two weeks, I have been using my homegrown Facebook application, Privacy Mirror, as a means of experimenting with Facebook’s privacy settings. Although Facebook provides a nice interface to view your profile through your friends’ eyes, it does not do the same for applications. I built Privacy Mirror with the hopes of learning what 3rd party application developers can see of my profile by way of my friends’ use of applications. I have yet to speak with representatives of Facebook to confirm my findings, but I am confident in the following findings.
Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imaging that Bob has only allowed 3rd party applications to see his profile picture and profile status. Continue reading "Looking beyond the Privacy Mirror"...
Posted July 25th, 2009
I find that I rely on my debugging skills in almost every aspect of my life: cooking, writing, martial arts, photography… And it helps when you’ve got friends who a good debuggers as well. In this case, my friends lent a hand helping me figure out what I was seeing in my Privacy Mirror.
The following is a snapshot of the Application Privacy settings I have set in Facebook:
Given these settings, I would expect that the Facebook APIs would report the following to a 3rd party application developer: Continue reading "Further findings from the Privacy Mirror experiment"...
- My name
- My networks
- My friends ids
- My profile status
I find that I rely on my debugging skills in almost every aspect of my life: cooking, writing, martial arts, photography… And it helps when you’ve got friends who a good debuggers as well. In this case, my friends lent a hand helping me figure out what I was seeing in my Privacy Mirror.
The following is a snapshot of the Application Privacy settings I have set in Facebook:
Given these settings, I would expect that the Facebook APIs would report the following to a 3rd party application developer: Continue reading "Further findings from the Privacy Mirror experiment"...
- My name
- My networks
- My friends ids
- My profile status
Posted July 17th, 2009
I’m reading Canada’s Assistant Privacy Commissioner Elizabeth Denham’s recently released findings into complaints levied against Facebook. (Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC)against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act.) My first reaction to this is, frankly, one of jealousy. I wish we had a similar commissioner/czar/wonk here in the US. I suppose elements of the FTC work in this regard but without the same charter, which is too bad.
Section 4 of the report is, for me, where the action is at. Section 4 is concerned with 3rd party application in Facebook and use of personal data by those applications. As the Facebook platform grows with new additions like Facebook Connect, issues of third-party access to user information will continue to be a concern to those who pay attention to such things. There’s a challenge here as the ways in which 3rd party applications use user information is hard to decipher, as it is, from an end-user perspective, a fairly black-box operation.
I wonder if Facebook could build a personal privacy impact assessment (PPIA) app. The PPIA would analyze the action you are about to take on Facebook, your privacy settings, the 3rd party apps you’ve allows access to your profile, and the privacy settings you have set for those apps. The PPIA could give you a quick read on which applications would be privy to the action you are about to do. It could indicate which groups of friends (based on your privacy settings) would see what you are about to do. Essentially, it would let you see across how much of your social graph a certain action (like posting a link or photo) will travel. Continue reading "Personal Privacy Impact Assessments for Facebook"...
Posted June 29th, 2009
Last week I was at the recent Department of Homeland Security’s Government 2.0 Privacy and Best Practices conference. Not surprisingly the subject of transparency came up again and again. One thing that definitely caught my attention was a comment by one of the panelists that efforts towards government transparency are too often focused on data transparency rather than process transparency. While we have Data.gov as one of the current administration’s steps towards furthering government transparency, we do not have an analogous Process.gov. Said another way – we get the sausage but don’t get to see how it is made. This isn’t transparent government but translucent government.
From what I’ve seen I’d say that enterprises have achieved the opposite kind of translucency with their identity management programs. Though enterprises have achieved some degree of process transparency by suffering through the pains of documenting, engineering, and re-engineering process, they haven’t been able to achieve data transparency. Identity information has yet to become readily available throughout the enterprise in ways that the business can take advantage of. Identity information (such as entitlements) has yet to achieve enterprise master-data status. Worse yet, the quality of identity data still lags behind the quality of identity-related processes in the enterprise.
For those of you attending the Advanced Role Management workshop at Catalyst this year, you’ll hear me and Kevin present the findings from our recent roles research. Throughout our interviews we heard identity teams discuss their struggles with data management and data quality. Finding authoritative sources of information, relying on self-certified entitlement information, and decoding arcane resource codes were just some of the struggles we heard. No one said that identity data transparency was easy, but without it enterprises can only achieve identity translucency and not true transparency. Continue reading "Transparent or Translucent?"...
Posted May 15th, 2009
No organization wants to be the first to be fined because of a new regulation. Unfortunately, that’s exactly where Kaiser Permanente finds itself. After some high profile cases of unauthorized access to celebrities’ medical records, the California legislature adopted two new privacy laws (SB 541 and AB 211); these regulations were so swiftly enacted that they contained spelling errors. Both regulations went into effect on January 1 of this year. Five months later, Kaiser Permanente has become the first enterprise to be fined under this new regime.
Regulators have levied the maximum fine, $250,000, for the recent incident involving Nadya “Octomom” Suleman. (Kevin commented on this previously.) All in all, 23 individuals looked at Ms. Suleman’s records without authorization. Of these, 15 have either been fired or resigned. And although the state regulators have fined Kaiser, they have yet to penalize any of these 23 individuals – which they can do under state law.
As reported in the LA Times, Suleman’s lawyer said:
“I think Kaiser handled it professionally. They found out, they terminated the employees, they brought it to our attention. They certainly didn’t try to hide it.“
It’s important to note that even though Kaiser acted appropriately, laws like SB 541 are clear cut: unauthorized access to medical information = fine. Do not pass Go; do not collect $200.
As we’ve said before privacy risks are real. The fines are increasing. The number of regulations is increasing. Now more than ever is the time to register for this year’s Catalyst conference so you can attend our Privacy Risks Get Real track and learn how to reduce the chance your organization will become the next “first.” Continue reading "Privacy Risks Get Real – California Privacy Laws, Octomom, and Kaiser Permanente"...
|
|
what others say