The continuing story of Privacy Mirror

I had let Privacy Mirror languish for a bit, and having found a free few hours, I decided to update Privacy Mirror to take advantage of Facebook’s Graph API. (For those of you not familiar with my Privacy Mirror experiment, it is a very basic app that explores what personal data apps can see via your friends.) Since I last updated Privacy Mirror, Facebook rolled out two major features. The first was the previously mentioned Graph API, which is a RESTful API that results Facebook data as JSON.

The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use.  It is these extended permissions at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job over covering this, and here is Facebook’s current response.)

Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.

An example of extended permissions

It is crucial important to notice that you as an app user can only agree to the use of all the requested information (as opposed to individual pieces.) Also, the app user cannot say that the app can have permission to her own data but not that of her friends. (See my series “I ‘like’ you, but I hate you apps” for the implications of this coarse-grained control.) Third, once the app has your permission, it goes off and does what it doe

I have to say, I like the spirit of the extended permissions. I like the fact that developers must ask for permission and I like that users must grant that permission. But I am very troubled by the lack of granular control afforded to the user.

Also, Facebook has not addressed what I feel to be a much bigger privacy issue: the mistreatment of relationship between people and their apps. If I have an app and you don’t use the same app, then that app can only see the elements of your profile that you have allowed applications to see. (This is controlled via the Account > Privacy Settings > Apps, Games and Websites > Info accessible through your friends settings.) But if you and I both have the same app on our profile, then the app can see the elements of your profile that you can granted me access to see. In this sense, the app executes with my permissions based on our relationship. But you have a relationship with me, not my apps. This is subtle and remains an critical unsolved problem.

Opting-in to a relationship

My series of posts related to Facebook and The Washington Post has become very interesting today. Luke provided some insightful feedback on WaPo’s use of an iframe served up to provide a socially-connected experience, and in doing so he raised an interesting point. He said:

The opt-in question is interesting. Since no information is being transferred, it’s not clear that there’s anything to opt into. I think the social plugins work the same as myriad other plugins and ad networks around the internet, with the exception that it’s more obvious to the user what’s happening. If users needed to click a button in order to see personalized stories, then the vast majority wouldn’t get to experience the value that’s created.

For a little clarity here, the opt-in refers to The Washington Post’s Network News feature. If you opt-in (which was the default) you get the Facebook iframe which shows you friend activity with respect to the Post. If you opt-out, your version of doesn’t include the iframe.

Two points. First, the Washington Post’s decision to opt all of their users in by default is an awful one because it presents an asymmetry of relationship to people not prepared to deal with it. I have a relationship with WaPo. I have a relationship with Facebook. By opting me in, I suddenly see that WaPo and Facebook have a relationship and it seems to center around me. (Now in reality, it isn’t all about me, but from a user’s perspective it is.) This sudden presentation of relationship, even though no data is being passed, lacks a context and explanation that would make it more palatable, if not more desirous, to users.

Second, even though there is no data transfer, there very clearly is something to opt-in to: an N-way relationship. Me, the Washington Post, Facebook, and my friends who also read the Washington Post are all connected in the social graph once I opt-in. I’ll give Luke that no data is transferred, but by forming edges between between up-until-then disconnected nodes something new is created (a relationship) and users ought to have control over that. This is very similar to my Privacy Mirror findings. I have a relationship with my friends. I do not have a relationship with my friends apps, and likely I don’t want one. And yet, it seems that the social graph doesn’t make that distinction: an edge is an edge is an edge.

By revealing asymmetrical relationship and by opting me into a ready-baked relationship without providing choice leads to uncomfortable users to say the least.

In the end, this thread is more an illustration of how the transition to a social web cannot, should not, and must not be made in one bound. Websites like The Washington Post have to better educate their users about the richness of experience connecting to the social graph can bring while respecting user choice.

Follow-up on Facebook and The Washington Post

I’ve been getting a lot of comments on my post about Facebook and The Washington Post. I wanted to just write a brief follow-up on it. I had Luke Shepard of Facebook present at the Gartner Catalyst conference last week and through a bit of serendipity he found Tuesdaynight and my recent post. He kindly provided this clarification on what was going on:

The Washington Post still has no idea what your Facebook account is – the blue box is an iframe onto, and it’s served entirely by Facebook. No information is transferred to the Wapo, and none of the rest of your activity on Wapo is linked back to Facebook, unless you explicitly choose to (by clicking the “Like” plugin, for example).

As I mentioned in my comment back to him, there were two things that threw me off. First, I didn’t realize how Facebook’s session management worked. FB sessions live on after you close the browser unless you explicitly log-off. This is no different than any other website. However, what is a bit different is that  sites with Facebook’s embedded iframe can take advantage of you departed-but-not-logged-out session and this is exactly what was happening on WaPo. Second, I have a problem with WaPo giving me a choice about Network News but not informing me about it. Furthermore, the default opt-in on the part of WaPo I think disrespects people’s desire for meaningful choice and control.

Thanks to Luke for providing a bit of insight and thanks to all of you how have commented on the previous post.

Waiter – there’s no (more) identity in my blog

Sorry to interrupt you attempting to set you Facebook privacy settings, but I have to tell you something. I’ve got me a new blog over at Gartner. You can get all my rambling goodness on identity management related stuff over there. As for the rants about privacy, they are likely going to stay here, but you never can tell.

Also, I am thinking of building a new version of Privacy Mirror to use the graph API. Any one have feature requests?