Looking beyond the Privacy Mirror

Over the last two weeks, I have been using my homegrown Facebook application, Privacy Mirror, as a means of experimenting with Facebook’s privacy settings. Although Facebook provides a nice interface to view your profile through your friends’ eyes, it does not do the same for applications. I built Privacy Mirror with the hopes of learning what 3rd party application developers can see of my profile by way of my friends’ use of applications. I have yet to speak with representatives of Facebook to confirm my findings, but I am confident in the following findings.

Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imaging that Bob has only allowed 3rd party applications to see his profile picture and profile status.

After a while, Alice tells Bob about App X. He thinks it sounds cool and adds it to his profile. At this point if App X, via Alice’s profile, looks at Bob’s profile it will see not only his profile picture and status but also his education history, hometown info, activities and movies. That is significantly more than what he authorized in his Application privacy settings. What is going here?

It appears what’s going on is that if Alice and Bob both have authorized the same application, that application no longer respects either user’s Application Privacy settings. Instead, it respects the Profile Privacy settings of each person. In essence, App X acts (from a privacy settings point of view) as if it were a friend of Alice and Bob and not a third-party application.

Putting my privacy commissioner hat for a moment, I’d want to analyze this situation from a consent and disclosure perspective. When Bob confirms his friendship with Alice he is, in a sense, opting in to a relationship with her. This opt-in indicates that he is willing to disclose certain information to Alice. Bob can control what information is disclosed to Alice through his Profile Privacy settings and this allows him to mitigate privacy concerns he has in terms of his relationship with Alice.

What Bob isn’t consenting to (and is not opting in to) is a relationship with Alice’s applications. Bob is completely unaware of which applications Alice currently has or will have in the future. This is an asymmetry of relationship. It is entirely possible that Alice and Bob will have applications in common and once they do the amount of profile information disclosed (by both of them) to an application can radically change and change without notice to either Alice or Bob. Furthermore, it is unclear which Facebook privacy settings Bob needs to manipulate to control what Alice’s applications can learn about him.

This lack of clarity is harmful. It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.

This experiment started after I read the Canadian Privacy Commissioner’s report of findings on privacy complaints brought against Facebook. This report raised significant concerns about third-party applications and their access to profile information.

As of the beginning of Catalyst (today!), Facebook has about 15 days remaining to respond to the Canadian Privacy Commissioner’s office, I hope that this issue about third party applications and privacy controls is meaningfully addressed in Facebook’s response.

(Cross-posted with Burton Group’s Identity Blog.)

Further findings from the Privacy Mirror experiment

I find that I rely on my debugging skills in almost every aspect of my life: cooking, writing, martial arts, photography… And it helps when you’ve got friends who a good debuggers as well. In this case, my friends lent a hand helping me figure out what I was seeing in my Privacy Mirror.

The following is a snapshot of the Application Privacy settings I have set in Facebook:

Facebook Application Privacy Settings

Given these settings, I would expect that the Facebook APIs would report the following to a 3rd party application developer:

  • My name
  • My networks
  • My friends ids
  • My profile status

Continue reading Further findings from the Privacy Mirror experiment

Privacy Mirror: A privacy experiment in Facebook

As I previously blogged, I read Canada’s Assistant Privacy Commissioner Elizabeth Denham’s findings on Facebook and it got me thinking about 3rd party applications. I wondered what 3rd party app developers could see in my profile. In my estimation, the easiest way to find out what a 3rd party application developer could see, was to become a 3rd party application developer.
Enter Privacy Mirror

I built a basic Facebook application called Privacy Mirror. The goal of Privacy Mirror was to see, as a 3rd party developer, just what information I could glean from my profile via Facebook’s APIs. At first, I used two Facebook API calls:

I wanted to call these APIs, see what data they returned, and that’s that. I had and have no interest in storing any of the data, and, in fact, Facebook deems most of the data I retrieved as unstorable according to their terms and conditions. For those of you who use Privacy Mirror I want to repeat, I do not store any of the information that is retrieved by the API calls.

Continue reading Privacy Mirror: A privacy experiment in Facebook

Laplace’s Demon, Santa Claus and TSA’s Secure Flight

No doubt you frequent fliers out there have received emails from your airline of choice talking about TSA’s Secure Flight. As you make air travel reservations in the future, your airline will communicate with TSA to get, essentially, a fly/no-fly decision from the Secure Flight system. As the TSA explains in the “How it works” section of their website dedicated to Secure Flight:

Secure Flight matches the name, date of birth and gender information for each passenger against government watch lists to:

  • Identify known and suspected terrorists
  • Prevent individuals on the No Fly List from boarding an aircraft
  • Identify individuals on the Selectee List for enhanced screening
  • Facilitate passenger air travel
  • Protect individuals’ privacy

After matching passenger information against government watch lists, Secure Flight transmits the matching results back to aircraft operators.

Did you notice the extreme use of irony there? Secure Flight is used to “facilitate passenger air travel” and yet Secure Flight’s sole purpose is to keep people off of planes. (I think someone at the TSA doesn’t know what facilitate means.) Irony aside, Secure Flight is ignorant of (or at least tone-deaf to) the US’ strong social and legal tradition of freedom of movement.  Secure Flight can act as a preemptive refusal of air travel in the absence of due process, which contravenes citizens’ freedom of movement.

Let’s talk about Pierre-Simon Laplace for a second. The French mathematician and astronomer described “an intellect” so vast that it knew the location and momentum of every atom in the universe. With this knowledge, this intellect (latter dubbed Laplace’s Demon by biographers) could know the future. As he wrote:

We may regard the present state of the universe as the effect of its past and the cause of its future. An intellect which at a certain moment would know all forces that set nature in motion, and all positions of all items of which nature is composed, if this intellect were also vast enough to submit these data to analysis, it would embrace in a single formula the movements of the greatest bodies of the universe and those of the tiniest atom; for such an intellect nothing would be uncertain and the future just like the past would be present before its eyes.

So with two attributes, location and momentum, Laplace’s Demon can know the future. With gender and birthday (along with name), Secure Flight can know bad guys from good guys and keep them off a plane.

The problem is that neither work. Laplace’s Demon has been slain multiple times. Secure Flight and the No-Fly List have and will continue to suffer the same fate.

Nations (UK, Israel, the US) and Agencies (DHS), like malevolent Santa Clauses, are building multiple mother-of-all naughty-and-nice lists. Their slavish devotion to Laplace’s Demon fuels their hopes that by knowing everyone’s name (and other attributes) they somehow can predict (and in some cases, prevent) the future. Hubris and ignorance are the twin attributes of such plans and neither ought to have a place in the programs of civil societies.