Why are you still at Facebook?


why do you affect me? why do you affect me still?
why do you hinder me? why do you hinder me still?
why do you unnerve? why do you unnerve me still?
why do you trigger me? why do you trigger me still?
From Can’t Not by Alanis Morissette

This week was the occasion for yet another Facebook attack on their users sufficiently egregious to stir me out of my summer hiatus. Or was that my extended spring hiatus? Regardless of my obvious neglect of this weblog, I just couldn’t let this one pass. Basically the facts, as reported by Graham Cluley at the nakedsecurity blog, are these.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users’ profile pages).

However, the social network didn’t make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Well that was just the beginning of this debacle. Turns out we didn’t have to wait for criminals to start abusing those dandy new (and mostly unwanted) email addresses because Facebook’s unbridled lust for every scrap of personal information they could steal from their users caused a really nasty side effect. The facts surrounding this (presumably) unintended consequence, as reported by Help Net Security, are these.

If you thought that Facebook’s recent unannounced change of its users’ email address tied with their account to Facebook ones was bad, you’ll be livid if you check your mobile phone contacts and discover that the change has deleted the email addresses of many of your friends and acquaintances.

According to Facebook, the glitch was due to a bug in its application-programming interface, which causes the last added email address to be pulled and added to the user’s phone Contacts.

The company says they are working hard at fixing the problem, but in the meantime, a lot of users have effectively lost some of the information stored on their devices.

And Violet Blue over at CNet News wrote this.

An alarming number of people are reporting that the new e-mail address Facebook forced on users this week is changing their address books while intercepting and losing unknown amounts of e-mail.

Facebook users say contacts’ e-mail addresses on phones and personal devices have been altered without their consent — and their e-mail communication is being redirected elsewhere, and lost.

One very angry user is Adobe employee Rachel Luxemburg.

On her personal blog she writes,

Today, a co-worker discovered that his contact info for me had been silently updated to overwrite my work e-mail address with my Facebook e-mail address. He discovered this only after sending work e-mails to the wrong address.

And even worse, the e-mails are not actually in my Facebook messages. I checked.

They’ve vanished into the ether.

For all I know, I could be missing a lot more e-mails from friends, colleagues, or family members, and never even know it.
As Luxemburg explains, this disaster is happening despite the fact that, like many others, she rushed to replace the @Facebook e-mail with her correct e-mail address once she’d found out about Facebook’s change.

When Facebook forced its hundreds of millions of users into an @facebook account, commenters across the Internet talked about alterations that had begun in their contacts and address books outside Facebook — valid e-mail addresses were being changed for @Facebook without people’s awareness or consent on their phones and computers.

So if I’m a lawyer (which I’m not, but let’s pretend) right about now I’m thinking Class Action Lawsuit, Booyah! If I’m a corporate IT guy (which I’m not – but I know quite a few of them) right now I’m thinking Holy BYOD [Bring Your Own Device] Batman! I think I’ll re-route the help-desk to those frickin’ brain donors at Facebook! And if I’m a security guy and recovering Facebookie (which I am), right about now I’m thinking Why in the name of all that is sacred is anyone putting up with this crap?

Seriously folks, things were bad enough at Facebook when I dumped them last year and wrote about it, and I’ve been kept busy by the rascals since then with this piece about Facebook’s way-too-cozy relationship with law enforcement and this post about a micro-lending start-up using Facebook “friends” as credit references. Look, I get it – Facebook gives you the illusion of being connected with long lost friends and family. And that’s not altogether terrible. But don’t kid yourself, it’s still an illusion and if you really cared to “be connected” with those people you would call them or send personal emails to them. For goodness sake, think about what you are giving up to have this virtual (read phony) social life: not only your personal information but now your personal correspondence too. What’s next? A webcam feed to Facebook from your bedroom? Or better yet, try explaining to your boss how you missed that big order because it went to your @facebook.com account which you didn’t even know you had. But Facebook did and I’ll bet they’ll be happy to sell it back to you.

Another nasty Christmas Present from Facebook

Whenever somebody comes up with a new business idea involving social media it’s usually time to cover your private parts. To the extent that you can. Take this idea from Hong Kong-based microlending startup Lenddo as described in this article in The Observer.

[Lenddo] calls itself “the first credit scoring service that uses your online social network to assess credit.” The first thing Lenddo asks for is a Facebook account; then it wants access to Gmail, Twitter, Yahoo, and Windows Live. The Observer was given a respectable score of 470. But when we tried to apply for a loan, we were told “you need at least 3 connections with scores above 400 in your Lenddo trusted network.”

The company’s algorithm is proprietary and secret, said CEO Jeff Stewart, but the primary metric is what Lenddo knows about the people you’re friends with. “We think that in the age of the internet you should be able to establish your reputation and your identity through your social graph, through your on- and offline community, and use that to get access to financial products and information,” he said.

If Lenddo sees one of your best Facebook buddies took out a loan and paid it back, there’s a good chance you will too. “Our backgrounds are in machine learning and pattern recognition,” Mr. Stewart said. “It’s some serious math.

“There’s no reason there shouldn’t be thousands of engineers working to assess creditworthiness.”

I should note here that I too have a background in machine learning and pattern recognition but would hardly summarize it as “some serious math” except maybe to US GOP Presidential nominee hopefuls to whom addition is apparently an arcane art, but I digress…

Marketing hype aside, this simply checks to see if your Facebook “friends” are creditworthy and makes the unwarranted leap that you are like them with respect to creditworthiness. The problem with that idea is that plenty of people have “friends” with completely fictional profiles on social media sites. Like, say, me (when I was on Facebook) or Nitrozac and Snaggy. If you had friended me on Facebook, services like Lenddo might conclude (not without basis) that you were a total wackjob. Seriously though, there is a very ugly side to this social credit rating business.

In another nifty but nefarious innovation, Lenddo reserves the right to broadcast your loan status if you fall into default. As the site warns: “Failure to repay will negatively impact your Lenddo score, as well as the score of your Lenddo friends. Lenddo MAINTAINS THE RIGHT TO NOTIFY YOUR FRIENDS, FAMILY AND COMMUNITY if the borrower fails to repay, however, this is only done after several notifications to the borrower and an attempt to work out a payment plan.”

“I think Mark Zuckerberg said it best,” Mr. Stewart said. “Every industry will be in fact impacted by social.”

Banks have been curious about using social media to gauge risk for at least a year, said Matt Thomson, VP of platform at Klout, which calculates “influence” based on a user’s social media activity. Determining creditworthiness is not a core product of Klout’s, he said, but banks have approached the startup to ask about it. He wouldn’t name names. “It’s really like the who’s who of banking,” he said.

(Mr. Stewart of Lenddo also said his startup is approached “regularly” by major banks curious about the algorithm.)

So let me get this straight: the same weasels who trashed the global economy with financial instruments that institutionalized fraudulent mortgages, unsecured except by other equally dodgy financial instruments like credit default swaps, are now using the fact that everyone knows – or is – someone who was victimized in this debacle to further victimize people?

This time I’m not even going through the pretense of some imaginary conversation about privacy being dead; I’ll just throw out this quote and leave it at that.

Media theorist Douglas Rushkoff dismissed the idea that social media credit scoring is a serious erosion of privacy, mostly because there’s nothing left to hide. “We’re already in the nightmare scenario,” he wrote in an email. “They already know everything about you—more than most of us realize. If anything, the addition of social networking information to this data mining will help us come to some understanding of how much more these companies know about us than we know about ourselves.”

And there you have it folks from the lips (or keyboard) of a bona fide Media theorist – social media credit scoring doesn’t invade your privacy because you have no privacy to invade. So if you are still on Facebook you might as well just bend over. Again. Or quit being a tool. I’m just saying.

Hiding in Glass Houses

You’re building glass houses on the sand
Then you stand around and shake your head
When they all fall down
From Glass Houses by Steel Magnolias

So the big tech and style news this month, in case you missed it, was Apple’s hyperbole-laden and new(ish) iPhone 4s and iOS5. This baby boasts everything better, faster and smarter (Siri notwithstanding) than the old school iPhone 4. Including this swell new(ish) app called Find My Friends which is described in Slashgear thusly [emphasis mine].

The free app, which uses GPS to locate your friends and family and, if the privacy settings mash correctly, display them on a map in real-time, can be found here.

But as Aahz the Pervect was wont to say, “Therein lies the story”. That deal about privacy settings should be a clue [hint - turn them all off]. There’s even an interesting thread on MacRumors making its way around the blogosphere with a tale to make divorce lawyers weep. In agony or ecstasy depending on which side they represent.

I got my wife a new 4s and loaded up find my friends without her knowing. She told me she was at her friends house in the east village. I’ve had suspicions about her meeting this guy who lives uptown. Lo and behold, Find my Friends has her right there.

Regardless of the veracity of the post, I posit the following question: Who really thinks it’s a good idea to have everyone know exactly (within 10 meters) where you are at all times? I can think of a number of folks, in addition to suspicious spouses, who love this idea including:

  1. Law Enforcement – rounding up the usual suspects has never been easier
  2. Burglars who prefer victims to be elsewhere than the location being burgled – saves all that unpleasantness associated with being surprised by irate property owners.
  3. Employers who want to verify that employees are actually working from home – or really at the dentist instead of interviewing for another job.

Now certainly there might be situations where this feature would have a non-nefarious or even beneficial usage, like say finding a missing child. I’m just doubtful that would work in a serious situation like say kidnapping. Unless the kidnapper was stupid enough to keep the phone, like say users of Find My Friends.

You see, here’s the deal – owning a smart phone or other GPS-enabled mobile device is like hiding in a glass house. Unless you take extraordinary measures anyone can find you. At any time. The problem is that most users of the aforementioned devices have no idea how exposed they are by default – not to mention what happens when they use an app like Find My Friends.

About now you may be thinking, “Yeah, well maybe that’s true, but everybody knows that privacy has been dead since 1999 so deal with it”, channeling Scott McNealy’s infamous comment. Or even “You shouldn’t be worried about privacy unless you have something to hide”.

And that, my friend, is what concerns me. When everyone accepts this truism and becomes willing to trade their privacy – and ultimately their liberty to disagree with whatever authority is currently watching – for slick but useless diversions there will be serious consequences.

We may not be able to do anything about our modern life in glass houses. But at least we can try to hide without constantly screaming our location.

Facebook will throw you under the bus

Tryin to ruin my name
Threw me under the bus
Riding all over the town
Spreading rumors around
Threw me under the bus
From Under the Bus by Lolene

In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another blog entry, so it’s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with Casey Anthony (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.

In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?

According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.

What interested me most is that these warrants demand a user’s “Neoprint” and “Photoprint” – terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook’s claim that the “Download Your Account” button gives you everything that Facebook itself possesses.

Facebook doesn’t tell users about the warrants to give them a chance to challenge those warrants legally.

Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out, even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.

And then there is this post by fellow Security Blogger Carole Theriault in the nakedsecurity blog that asks Does using Facebook put you at more risk elsewhere on the internet?

The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.

Not just on social networks, but everywhere – both online and in real life.

With 30% of the world estimated to be online – about 80% of North America and 60% of Europe – and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.

Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.

I shouldn’t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let’s be honest here – I find them really scary.

Many users of social networks seem completely addicted – they are on there all the time, recording every event of their lives. It just seems so intrusive to me…and compulsive.

So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.

It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.

Maybe research like this proves that social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online.

One could argue that they should proactively protect their community against commonly encountered threats.

I agree that it would be swell if Facebook showed a greater interest in educating their users about being safe online but from where I sit I’ve only seen an interest in exploiting their users. But it is a great interest.

To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.

Why I left Facebook

Speak my friend, you look surprised
I thought you knew I’d come disguised
On angel wings, dressed in white
From Descent of the Archangel by Kamelot

Last week I finally had enough. The cumulative effect of every sleazy privacy invading stunt that Messrs. Zuckerberg et al have pulled was definitely part of the motivation. Also the recent departure of several security blogger “friends” including Richard Stiennon was another part. That, and the reality that I’m already following all of my blogger “friends’” blogs, so Facebook was like a cheesy notification service of new blog entries which is not only redundant, as news aggregators do a much better job, but includes tons of advertising which I was compelled to filter.

Then there was the simple fact that Facebook is an incredible time sink [read waste of time]. When I realized that the last two entries in this blog were Captain X-Ploit sagas – and the good captain doesn’t appear that often – it became clear that some priorities were seriously amiss. There were some mitigating factors of course, not the least of which is that I work for a company that builds actual products for actual customers and the particular actual product that I’m working on is getting close to release [disclaimer: this is not a product announcement since I have nothing to do with that kind of stuff and is not meant to imply or represent anything about Ricoh products] which means plenty of work and deadlines. And the fact that I spent any time on Facebook is hard to justify.

And then there was a post that was forwarding and reposting its way among my less technically savvy (or possibly delusional) “friends” that went like this.

Who says Facebook friends aren’t real friends?.. They enjoy seeing you on line everyday. Miss you when you’re not there. Send condolences when you lose a loved one. Send you wishes on your birthday. Enjoy the photos you post. Put a smile on your face when you’re down. Make you laugh when you feel like crying. Repost if you are grateful for your Facebook friends. I know I am.

Seriously? Come on folks – a Facebook “friend” is an online persona. They are NOT REAL PEOPLE. You may buy into the abstraction that your “friends” represent real people, but I for one have always been very open about the fact that my Facebook profile was completely fraudulent. This was to help mitigate the privacy infringing business model of Facebook. If you really don’t mind letting Facebook have its way “monetizing” your personal information with no compensation to you I guess that’s your choice. Sucker.

And then there’s the legal exposure. Yeah that’s right. Legal exposure. Here’s an example from the Electronic Discovery Law blog.

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information contained within Plaintiff’s accounts is properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.”

But the thing that finally caused me to bail from Facebook was the realization that the Facebook – and nearly all social networking sites’ – business model is fundamentally flawed. This is articulated quite nicely in this article by Bob Garfield in IEEE Spectrum entitled The Revolution Will Not Be Monetized.

1. If you build it and they come, does that guarantee that there’s money to be made? (Hint: No.)

2. Which of Facebook, YouTube, and Twitter will amass the millennium’s first megafortune and a borderless virtual state, with a vast population, political influence, economic clout, and a lair in a hollowed-out volcano from which to control the world’s weather? (Well, you can probably eliminate Twitter.)

3. The Wall Street valuations of companies like Facebook, which is worth US $85 billion on the secondary market, are stratospheric. Should we stockpile ammo and canned goods for when the bubble bursts? (Not a bad idea; remember Pets.com.)

According to the Interactive Advertising Bureau, U.S. advertisers spent $25 billion online in 2010—representing about 15 percent of the $164 billion U.S. ad market and, for the first time, a bit more than their spending on print newspapers. That was no small milestone. But here’s the thing: According to eMarketer, 31 percent of Americans’ media-consuming time in 2010 was spent online. Which means, speaking broadly, marketers valued new-media time only half as much as old-media time. And that’s the rose-colored view. Chris Anderson, curator of the TED Conferences, recently crunched numbers from Nielsen, Forrester Research, the Yankee Group, and other modelers to synthesize the value, medium by medium, of an individual’s time. Globally, print publications fetched $1 per hour of reader attention. TV got a quarter for a viewer hour. Online fetched “less than a dime.”

Why is online advertising such a poor stepchild? Well, extremely delightful and informative books with pale-blue and white covers have been written on this subject, but let’s reduce the problem to its essence: The endless supply of online content means an endless supply of places where ads could go, which by definition depresses demand and, with it, price. Period.

The second problem is more basic still. Ever click on a banner ad? Have you? Ever? Of course not, because why would you leave what you’re doing—especially socializing—to go listen to a sales pitch? The click-through rate, industry-wide, is less than 1 percent—and chalk some of that up to mouse error and click fraud. Some advertisers deal with this problem by popping ads into your face, blaring audio, or subjecting you to “preroll” video messages before the video you actually wish to see. As Anderson sagely observed to a Madison Avenue audience, that was an acceptable quid pro quo in the days of passive TV viewing. Online, though, users are active and in control. “If you take control away from them,” he said, “they will hate you.” Or, put another way: Online, all advertising is spam. These two structural problems leave two possibilities: Either advertising will never be the force in new media that it was in the five predigital centuries (a theory to which I personally subscribe), or someone will crack the code.

Yep. That pretty much covers it. When you are a Facebook “member” [read product] you are essentially trading your privacy for Facebook to convince advertisers that they can target you with spam better than their competitors. It’s not even as clever as Google’s for-fee search engine poisoning (er… Search Engine Optimization) and a whole lot more intrusive.

So there you have it. I really doubt that I will be missed on Facebook. Certainly not by Facebook themselves since I never provided them with any private information and probably not by any “friends” [read online personae that I found amusing] since those who matter in any real way can either call me or find me at this blog. All the others will probably find it refreshing to not be mocked with snarky comments when they post silly nonsense on their walls. And fear not, this blog is still represented on Facebook through the intrepid David Nicholas Stone, AKA Captain X-Ploit. Feel free to become a fan.

Oh – and to my “friend” Mark Zuckerberg - Take the money and run dude! It will get ugly when the investors sober up.

The road to jail is paved with smart phones

Could you get me out of jail?
(Man I aint even done nothin’)
Could you get me out of jail?
(Aye look, aye somebody get my cell phone. Aye get my cell phone.)
Could you get me out of jail?
From Get Me Out Of Jail by Petey Pablo

Possibly the coolest innovation spawned by Apple’s now ubiquitous iPhone was the concept of “jailbreaking” whereby iPhone owners, myself included, could free their device from the Apple/AT&T apps/carrier monopoly by using hacked firmware. Well now, thanks in part to the Supreme Court of the State of California, your phone may require you to do some very literal jailbreaking. This article by Ryan Radia in Ars Technica explains the situation thusly.

[The] decision in People v. Diaz (PDF), [holds] that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

So if you live in or plan to visit California any time soon it would probably be a good idea to lock down your cell phone and plan on doing a little time for obstruction or contempt. “Now just hang on a gosh darn minute there, bucko!”, you’re thinking about now, “I’m a law abiding citizen with nothing to hide, so how can this possibly affect me?”. With all due respect and attendant snarkiness, you are probably a criminal whether you know it or not. Sorry, it’s sad but true. There is a disturbing phenomenon called overcriminalization, described by the Heritage Foundation as follows.

Federal criminal law has exploded in size and scope. Federal criminal law used to focus on inherently wrongful conduct: treason, murder, counterfeiting, and the like. Today, an unimaginably broad range of socially and economically beneficial conduct is criminalized. More and more Americans who are otherwise law-abiding are being trapped and unjustly punished.

Regular readers of this blog, other than you Captain X-Ploit fans who consider laws as challenges to be hacked and overcome, will recall that past entries like this and this detail egregious legal abuses in the name of copyright enforcement. So given the penchant of the entertainment industry and their trained stooges in congress [sorry, that's a bit harsh - the Three Stooges as well as Iggy and the Stooges were much smarter than congress - but I digress] to criminalize all sorts of behaviors that interfere with their unmitigated money grab (er… IP protection), I would ask you law abiding citizens this question: How certain are you that the music and videos on your smart phone are “legal” and not “pirated”? “Now that’s just ridiculous!”, you might respond, “Law enforcement does not enforce those kind of laws.” You think? Sorry to disabuse you of your delusions of freedom, but I’ve written about that very thing in this entry entitled Over the top copyright enforcement insanity.

Or how about those of you who engage in “sexting”? If your “sexts” sometimes include racy photos whose subject was under the legal age of adulthood at the time of the photo that’s child pornography. Or how about that clueless, tasteless friend you have – you know who I mean – that insists on sending you off-color jokes that are illustrated. If you get your email on your smart phone, and who doesn’t nowadays, guess what – potential pornography again. Law enforcement calls that “probable cause”, and no it doesn’t matter that you’ve deleted them. The point is this, again summed up by Ars Technica.

A May 2010 study from the conservative Heritage Foundation and the National Association of Criminal Defense Lawyers found that three out of every five new nonviolent criminal offenses don’t require criminal intent. The Congressional Research Service can’t even count the number of criminal offenses currently on the books in the United States, estimating the number to be in the “tens of thousands.”

So you are almost certainly a criminal whether you intend to be or not. And here is the rub: when I mentioned “locking down” your smart phone earlier, I failed to mention that it’s rarely possible to do so.

While police cannot force you to disclose your mobile phone password, once they’ve lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack). If police succeed in gaining access to your mobile phone, they may make a copy of all information contained on the device for subsequent examination and analysis.

A “brute force” attack on a 4-digit lock code such as the iPhone has is hardly a daunting task, since 80% of you will use “1234” or “1478”. Furthermore,

In many cases, extracting data from a mobile device is possible even if the device password is not known. Such extraction techniques take advantage of widely known vulnerabilities that make it disturbingly simple to access data stored on a smartphone by merely plugging the device into a computer and running specialized forensics software.
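The lock-code point above is easier to reason about with a small model of what a device can do on its side of the screen: refuse weak codes, slow down repeated attempts, and erase itself after too many failures. The following is an added example written for this post, not code from the blog, from Ars Technica, or from any phone vendor; the blocklist, the delay schedule and the wipe threshold are constructed values for illustration, not any vendor’s actual settings.

```python
"""Passcode policy model (added example, not part of the original post).

Three defender-side controls are modelled:
  * is_weak_pin        - reject codes an attacker would guess first
  * seconds_to_exhaust - how attempt throttling stretches a full search
  * guess_probability  - what a wipe-after-N-failures setting buys you
All numbers below are constructed for illustration.
"""

from typing import Sequence

# Constructed blocklist of commonly chosen codes (includes the two the post
# names).  A real policy would use a much larger list from published research.
WEAK_PINS = {"0000", "1111", "1234", "1478", "2580", "0852", "1212", "7777"}


def keyspace(length: int) -> int:
    """Number of possible all-numeric codes of the given length (10^length)."""
    return 10 ** length


def is_weak_pin(pin: str) -> bool:
    """True when a code is non-numeric, shorter than 4 digits, on the
    blocklist, a single repeated digit, or a straight ascending/descending
    run such as 1234, 4321 or 123456."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in WEAK_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def seconds_to_exhaust(length: int, delays: Sequence[float],
                       steady_delay: float) -> float:
    """Worst-case wall-clock time to try every code of `length` digits when the
    device waits delays[i] seconds before attempt i+1 for the first
    len(delays) attempts and steady_delay seconds before every later one.
    With an empty schedule and steady_delay=0 this is the unthrottled case."""
    n = keyspace(length)
    early = sum(delays[:n])
    late = max(0, n - len(delays)) * steady_delay
    return early + late


def guess_probability(length: int, attempts_before_wipe: int) -> float:
    """Chance that someone limited to `attempts_before_wipe` tries hits a
    uniformly random code before the device erases itself."""
    return min(1.0, attempts_before_wipe / keyspace(length))


if __name__ == "__main__":
    # Constructed escalating schedule: five free tries, then 1, 5, 15 minutes,
    # then an hour between attempts.
    schedule = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]
    for code in ("1234", "1478", "8402", "123456"):
        print(f"{code}: weak={is_weak_pin(code)}")
    unthrottled = seconds_to_exhaust(4, [], 0.5)
    throttled = seconds_to_exhaust(4, schedule, 3600.0)
    print(f"4 digits, 0.5 s per try, no lockout: {unthrottled / 60:.0f} min")
    print(f"4 digits, escalating delays: {throttled / 86400:.0f} days")
    print(f"wipe after 10 failures, 4 digits: p={guess_probability(4, 10)}")
    print(f"wipe after 10 failures, 6 digits: p={guess_probability(6, 10)}")
```

The model makes the post’s point concrete from the other direction: a 4-digit space is only 10,000 codes, so without throttling a half-second per try finishes in under an hour and a half, while an escalating delay schedule pushes the same search past a year, and a wipe-after-ten setting leaves a random guess a one-in-a-thousand chance. The blocklist matters because none of that helps when the code is one of the handful everyone picks.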

Ideally you would want full-disk encryption on your mobile device – just like you use on your laptop or netbook computer. But the news is grim in this area as well.

Unfortunately, few consumer-grade smartphones support full device encryption. While there are numerous smartphone apps available for encrypting particular types of files, such as emails (i.e. NitroDesk TouchDown), voice calls (i.e. RedPhone), and text messages (i.e. Cypher), these “selective” encryption tools offer insufficient protection unless you’re confident that no incriminating evidence exists anywhere on your smartphone outside of an encrypted container.

Despite the generally sorry state of mobile device security, a few options exist for privacy-conscious mobile phone owners. Research in Motion’s BlackBerry, when configured properly, is still widely considered to be the most secure smartphone platform. In fact, BlackBerry’s transport encryption is so robust that a few foreign governments have recently forced RIM to install backdoors for law enforcement purposes.

So basically if you want real protection, get a BlackBerry. In the meantime there are some steps we non-BlackBerry users can take to help shore up our eroding fourth amendment rights.

You should store your mobile phone in your luggage, footlocker, or in some other closed container that’s not on your person, particularly when driving an automobile. (For more on this subject, see our 2008 article summarizing the search incident to arrest exception in the context of mobile phones. Also see The iPhone Meets the Fourth Amendment, a 2008 UCLA Law Review article by law professor Adam Gershowitz.)

So always lock your phone and put it in a bag in the trunk when you drive. That’s a really good idea for a whole lot of reasons, not least your fellow travelers, who won’t be at risk of you causing an accident because you won’t be able to text and drive.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that,” I hear you thinking (it’s a gift, my telepathy). “But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private.” Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings. The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.”

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”. While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope, allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrasing and quoting abilities, here is the full opinion.

RIP Social Network Privacy. We only wish we’d known you.

Facebook Carnac and Other Horrors

I believe I can see the future
Cause I repeat the same routine
I think I used to have a purpose
But then again
That might have been a dream
From Every Day Is Exactly The Same by Nine Inch Nails

In case you were feeling safer, more secure and comfortable these days with social networking allow me [with apologies to Stephen Colbert] to Keep the Fear Alive. Just about the time you start feeling more complacent because crack programmers are slowly but surely plugging the holes in the privacy sieve that is Facebook, stories like these rear their ugly heads.

Exhibit A comes to us from Mike Elgan on the IT Management blog. In this entry entitled ‘Pre-crime’ Comes to the HR Dept. he writes about a new service for Human Resources [Memo to HR: While I’m mostly human, if you refer to me as a resource I will slap you so hard that your unborn resources will be well behaved] that pushes the privacy violation envelope.

A Santa Barbara, Calif., startup called Social Intelligence data-mines the social networks to help companies decide if they really want to hire you.

While background checks, which mainly look for a criminal record, and even credit checks have become more common, Social Intelligence is the first company that I’m aware of that systematically trolls social networks for evidence of bad character.

Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and “thousands of other sources,” the company develops a report on the “real you” — not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around.

Because it’s illegal to consider race, religion, age, sexual orientation and other factors, the company doesn’t include that information in its reports. Humans review the reports to eliminate false positives. And the company uses only publicly shared data — it doesn’t “friend” targets to get private posts, for example.

The reports feature a visual snapshot of what kind of person you are, evaluating you in categories like “Poor Judgment,” “Gangs,” “Drugs and Drug Lingo” and “Demonstrating Potentially Violent Behavior.” The company mines for rich nuggets of raw sewage in the form of racy photos, unguarded commentary about drugs and alcohol and much more.

That’s right sports fans, just like Carnac the Magnificent Social Intelligence claims predictive abilities. Although unlike Johnny Carson’s well known character who could psychically divine unseen answers to unknown questions, these clever entrepreneurs glean their predictions by a systematic dredging of the social networking cesspool. About now you might be going all Church Lady on me and thinking “Well, isn’t that special? Isn’t it a good thing that companies avoid hiring drunken, crackheaded, violent gang bangers exhibiting bad judgement? And besides, I’m comfortably employed so why should I care?” Well, quite simply, there’s an app for that too.

The company also offers a separate Social Intelligence Monitoring service to watch the personal activity of existing employees on an ongoing basis. The service is advertised as a way to enforce company social media policies, but given that criteria are company-defined, it’s not clear whether it’s possible to monitor personal activity.

The service provides real-time notification alerts, so presumably the moment your old college buddy tags an old photo of you naked, drunk and armed on Facebook, the boss gets a text message with a link.

Two aspects of this are worth noting. First, company spokespeople emphasize liability. What happens if one of your employees freaks out, comes to work and starts threatening coworkers with a samurai sword? You’ll be held responsible because all of the signs of such behavior were clear for all to see on public Facebook pages. That’s why you should scan every prospective hire and run continued scans on every existing employee.

In other words, they make the case that now that people use social networks, companies will be expected (by shareholders, etc.) to monitor those services and protect the company from lawsuits, damage to reputation, and other harm. And they’re probably right.

That’s right, even if you are gainfully employed and your sinful, poor judgement days are long past, you are not immune. Not if you ever had unsavory friends. Or have friends now on Facebook. To paraphrase Queen guitarist Brian May, when asked about bandmate Freddie Mercury’s infamously decadent parties, you’ve been there, so you’re definitely going to hell.

But how is this legal? I mean this is the United States of America after all, state of martial law imposed after 9-11 notwithstanding. Surely the judicial branch of our government will put an end to this. Actually, no. As Exhibit B, this entry in the Electronic Discovery Law blog illustrates.

Defendant sought to discover plaintiff’s “current and historical Facebook and MySpace pages and accounts”, including deleted information, on the belief that information posted there was inconsistent with her injury claims.  The court granted the motion, despite plaintiff’s privacy concerns, upon finding the information was material and relevant and that plaintiff had no reasonable expectation of privacy, and because the defendant’s need for access outweighed plaintiff’s privacy concerns.

Regarding plaintiff’s privacy concerns, the court found that production of plaintiff’s MySpace and Facebook entries would not violate her right to privacy, and “that any such concerns were outweighed by Defendant’s need for the information.”  Specifically, the court found that “as neither Facebook nor MySpace guarantee complete privacy, Plaintiff has no legitimate reasonable expectation of privacy.”  The court supported this finding by noting that both MySpace and Facebook warned users against an expectation of privacy.  My Space, for example, warned users “not to forget that their profiles and MySpace forums are public spaces.”  The court concluded:

Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings.  Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist.  Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy.  As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

So see, not only does the court not recognize a reasonable expectation of privacy with respect to social networks, it actually gives that idea a name: theoretical protocol better known as wishful thinking. So next time you post anything on Facebook you need to get a bit stricter than don’t post anything you wouldn’t want your mother to see. Your mom knows about your failings and loves you anyway. Your boss and the courts, not so much.

Is privilege transitive?

A little less than a year ago in a post called No privilege for you! a situation was discussed where communication that appears on the surface to be clearly privileged, that between a client and attorney, was not, due to the circumstances of the communication. Namely, it was an email thread that took place over a corporate email network, where the court deemed that there was no reasonable expectation of privacy due to the corporate policy. No expectation of privacy, no privilege. Well now we have yet another twist in the attorney-client privilege for email saga. In this entry in the Electronic Discovery Law blog the situation is described as follows.

The magistrate judge rejected the explanation of plaintiffs’ son that his “technical assistance was necessary for his parents to timely receive the email communications from counsel” because his parents were “not proficient in the use [of] electronic mail.” The magistrate judge reasoned that “[l]ack of technical competence … is not the equivalent of an inability to communicate.”

Now hang on just a darn minute! This magistrate is saying that if you need help getting your email then any correspondence with your attorney isn’t privileged? Apparently this is a really young judge with no older parents or grandparents. A millennial orphan perhaps. Or possibly a tech-savvy computer senior who just wants to punish his internet-illiterate peers. In any case I can assure you that if my mom’s lawyer sent her an email, her first call would be to me to make sure she got it with no problems. Fortunately the district court that reviewed the issue when the plaintiffs objected to the order took a more realistic view.

The district court identified an exception to the principle that communications involving third parties are generally not privileged where “the purpose of the communication [to a third party] is to assist the attorney in rendering advice to the client” and where the party asserting the privilege can establish that the client had a reasonable expectation of privacy with respect to the communication at issue and that disclosure to the third party was necessary for the client to obtain informed legal advice.  The court further established that disclosure to an agent of the attorney or the client does not result in waiver.

Actually New York State law is pretty clear on this matter.

New York State law addressing the “attorney-client privilege’s application in the context of electronic communications, including email.” Section 4548 of the New York Civil Practice Law and Rules states: “No communication … shall lose its privileged character for the sole reason that it is communication by electronic means or because persons necessary for the delivery or facilitation of such electronic communications may have access to the content of the communication.”

So this certainly brings up some interesting questions. With almost all communications happening electronically over the internet, and with more lawyers and doctors becoming aware of the need to protect correspondence with clients and patients as a result of regulatory compliance, the mechanisms that will be put in place to protect these communications are only going to make it more complex for a large portion of the recipients. This will necessitate ever more assistance from tech-savvy helpers. I mean seriously, there’s no way you can expect my mom to be able to decrypt email without assistance. So does that imply that if I help my mom (don’t worry, she loves it when I use her as an example – right mom?) communicate with her lawyer electronically, the privilege is transitive to me? I mean her privilege. I certainly wouldn’t expect privilege to extend to unrelated correspondence between her lawyer and me. But if so, how far does the transitive privilege extend? To children? Siblings? Cousins? Any relative? Friends? Nigerian princes? [just kidding]. In any case this is an important question that will no doubt be tested further in courts as technology continues to outstrip the ability of an ever larger portion of the population to comprehend it.

Can you be social and private simultaneously?

You keep on stalking me
Invading my privacy
Won’t you just let me be?
From Privacy by Michael Jackson

So now that everyone and their mother are on Facebook it’s just swell how social we are. Keeping track of family and friends has never been easier. And how about those cute games? And that nice Mr. Zuckerberg is there to watch out for your privacy. He said so here and here. Or not. Okay – that last little foray into social networking fantasy land was cute, but unfortunately the facts are somewhat more pedestrian and commercial [note to self: avoid writing blog entries while drinking brandy and listening to Porcupine Tree – coherency suffers]. So let’s start this over. Here’s the fundamental reality of social networking: You are not Facebook’s customer. You are the product they offer to their real customers – advertisers. [to paraphrase a tweet by @gollmann]. So what exactly are we supposed to do to protect our privacy? Because hey, social networking really IS cool. I mean you don’t want to throw the baby out with the bath water. It turns out there are some things you can do to help preserve what little privacy you have left online. This entry in LifeHacker has some great ideas. Here is an abbreviated version of their list.

10. Run a Background Check on Yourself to Know What’s Out There
It takes only a few seconds to know what Google knows about you, but there are many, many other avenues into your past and present on the web. Want to know more about what a potential employer can know? Consumer action blog Consumerist has a nicely comprehensive list of background check tools to try out.

This one is a must. Not only is it informative it will scare the bejeezus out of you the first time you go to some of these sites. Who knows it might scare you enough to actually take some action. In this case fear is your friend.

9. Skip Incognito/Private Browsing and Really Leave No Trace
Private browsing modes might prevent your coworkers or roommates from seeing where you wander on the web, but you still leave plenty of traces for someone who knows where to look. Take the How-To Geek’s advice and really browse without leaving a trace.

That’s right, the vaunted “porn mode” of Google Chrome – and now pretty much every other browser out there – might fool your spouse but it certainly won’t fool your teenager. Or those pesky e-Discovery folks. Sandbox it, portable-ize it and lose it forever. I’m not saying, I’m just saying…

8. Pick Better Security Questions
Some security questions and password recovery schemes offered by webapps are so bad, anyone with your casual acquaintance and a small amount of Google savvy could poke into your email whenever they felt like it. To get around weak security questions, use blogger danah boyd’s security question algorithm.

I prefer an easier solution here. I’ve mentioned many times before that I use a password manager program. I just keep track of the “security questions” and answers I provide – which are completely irrelevant nonsense. Example – Q: “Mother’s maiden name” A: “Chevrolet Belair”.

7. Set Up BitTorrent for Private Downloading
BitTorrent is a public commons of file sharing, and that means that all kinds of folks interested in, say, what your home IP address is, and what you’re downloading, can dig into it. With both a proxy and settings in your favorite torrent app, you can protect your privacy when downloading.

Yeah – I know you use it. Just be aware that you are most exposed when seeding. Sure, if you don’t seed you’re just a freeloading leech. You can live with that.

6. Know Your Google Settings
If you’re anything like us, or most of our readers, you’ve got a lot of your life floating around in Google’s cloud-based apps. It pays, then, to know how to set what Google shares publicly about you, how much of your search history is being saved, and how to back up your data so you’ve always got your own copy. These are among the 10 Google settings you should know about that center on privacy and data retention, though it’s always a good idea to know the parameters of the spaces you share your data in.

Google is almost as bad as Facebook about “knowing what’s best for you”. Just ask yourself how Google makes so much money when you don’t pay them anything for those nifty free services. Then go change your settings. Now.

5. Know How to Travel Without Being Spied On
Just because some countries have widespread net access doesn’t mean it’s an open and private web. It’s often meant to deter dissidents in strong-handed regimes, but why take the chance of letting your web data fall into the wrong hands? One Lifehacker reader, wishing to remain anonymous and in a non-specific region, crafted a survival guide for traveling where privacy isn’t respected.

Lately the good old USA has been the most fascist place with respect to travelers’ privacy that I’ve been to. Full disk encryption – don’t leave home without it. Period. Most businesses, my employer included, mandate this nowadays.

4. Know Where You Stand With Facebook at a Glance
Facebook has promised “simplistic” privacy settings coming soon, but in the meantime, knowing exactly what you’ve offered to share or keep private is far from transparent. One very crafty hacker at ReclaimPrivacy has put together a settings-scanning bookmarklet that shows what you’re sharing beyond your social circle, and offers links and automatic fixes for those settings. Another coder, Ka-Ping Yee, offers a site that shows what the public web can see on Facebook, some of which you can then remove.

If you let things default then you are standing right where they want you. That’s probably not where you want to be.

3. Run Your Browser Through a Proxy
It’s not something you’ll want to do all the time, but once in a while, you might want to hide your online tracks. To do so, you can use the go-to web randomization tool, TOR, which has tools available for nearly every OS and browser.

I use TOR regularly when I need to check out unsavory or questionable corners of the web. For research purposes. Just remember that TOR is a double-edged sword – you are anonymized but you will also draw some very unhealthy attention from folks who realize that TOR users are doing something interesting.

2. Better Protect Your Mint.com or Other Financial Accounts
The thing that makes Mint.com such a convenient one-stop shop for financial data and budgeting also makes it a gold mine for anyone looking to learn more about you, or know which accounts they could try to jump into. Security professional Jason Owens provides some smart tips on better protecting your Mint.com account that can apply to any site where you manage your financials.

I’m not a big fan of online financial services. Call me old fashioned, but I just don’t trust those guys. Of course I don’t trust my bank either. And I hate my credit card companies. I find it’s safer to treat them like the enemy. More fun too. As a result my wife handles our finances.

1. Stay Available on Facebook Without Really Being In It
You might have considered quitting Facebook, but stopped short because it’s how a few far-flung friends and relatives stay in touch, or a place those without your email address can ping you. We can understand, and, luckily, have a halfway solution to recommend. Quit Facebook without really quitting.

This one is near and dear to my heart. Not only is Facebook a spectacular time sink, I really don’t like them pimping my info to their customers. So I decided to get creative. If you go to my Facebook profile you will see that I work for “The Universe at Large” as a “Transdimensional Protocol Facilitator” and that I’m a lot older than I seem, being born on 29-Feb-1904 [not bad for 106!], but then again time is a slippery thing when you’re in my line of work. Consider that I got my doctorate from the Ramses II Institute of Science when I was only 9 years old and went to high school at San Dimas High some 71 years later.

So here’s a shout out to all my classmates from Egypt in 1913 – it’s time to become who you really are on the internet. Then privacy isn’t such a big deal.