Why are you still at Facebook?


why do you affect me? why do you affect me still?
why do you hinder me? why do you hinder me still?
why do you unnerve? why do you unnerve me still?
why do you trigger me? why do you trigger me still?
From Can’t Not by Alanis Morissette

This week was the occasion for yet another Facebook attack on their users sufficiently egregious to stir me out of my summer hiatus. Or was that my extended spring hiatus? Regardless of my obvious neglect of this weblog, I just couldn’t let this one pass. Basically the facts, as reported by Graham Cluley at the nakedsecurity blog, are these.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users’ profile pages).

However, the social network didn’t make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Well that was just the beginning of this debacle. Turns out we didn’t have to wait for criminals to start abusing those dandy new (and mostly unwanted) email addresses because Facebook’s unbridled lust for every scrap of personal information they could steal from their users caused a really nasty side effect. The facts surrounding this (presumably) unintended consequence, as reported by Help Net Security, are these.

If you thought that Facebook’s recent unannounced change of its users’ email address tied with their account to Facebook ones was bad, you’ll be livid if you check your mobile phone contacts and discover that the change has deleted the email addresses of many of your friends and acquaintances.

According to Facebook, the glitch was due to a bug in its application-programming interface, which causes the last added email address to be pulled and added to the user’s phone Contacts.

The company says they are working hard at fixing the problem, but in the meantime, a lot of users have effectively lost some of the information stored on their devices.

And Violet Blue over at CNet News wrote this.

An alarming number of people are reporting that the new e-mail address Facebook forced on users this week is changing their address books while intercepting and losing unknown amounts of e-mail.

Facebook users say contacts’ e-mail addresses on phones and personal devices have been altered without their consent — and their e-mail communication is being redirected elsewhere, and lost.

One very angry user is Adobe employee Rachel Luxemburg.

On her personal blog she writes,

Today, a co-worker discovered that his contact info for me had been silently updated to overwrite my work e-mail address with my Facebook e-mail address. He discovered this only after sending work e-mails to the wrong address.

And even worse, the e-mails are not actually in my Facebook messages. I checked.

They’ve vanished into the ether.

For all I know, I could be missing a lot more e-mails from friends, colleagues, or family members, and never even know it.
As Luxemburg explains, this disaster is happening despite the fact that, like many others, she rushed to replace the @Facebook e-mail with their correct e-mail address once they’d found out about Facebook’s change.

When Facebook forced its hundreds of millions of users into an @facebook account, commenters across the Internet talked about alterations that had begun in their contacts and address books outside Facebook — valid e-mail addresses were being changed for @Facebook without people’s awareness or consent on their phones and computers.

So if I’m a lawyer (which I’m not, but let’s pretend) right about now I’m thinking Class Action Lawsuit, Booyah! If I’m a corporate IT guy (which I’m not – but I know quite a few of them) right now I’m thinking Holy BYOD [Bring Your Own Device] Batman! I think I’ll re-route the help-desk to those frickin’ brain donors at Facebook! And if I’m a security guy and recovering Facebookie (which I am), right about now I’m thinking Why in the name of all that is sacred is anyone putting up with this crap?

Seriously folks, things were bad enough at Facebook when I dumped them last year and wrote about it, and I’ve been kept busy by the rascals since then with this piece about Facebook’s way-too-cozy relationship with law enforcement and this post about a micro-lending start-up using Facebook “friends” as credit references. Look, I get it – Facebook gives you the illusion of being connected with long lost friends and family. And that’s not altogether terrible. But don’t kid yourself, it’s still an illusion and if you really cared to “be connected” with those people you would call them or send personal emails to them. For goodness sake, think about what you are giving up to have this virtual (read phony) social life: not only your personal information but now your personal correspondence too. What’s next? A webcam feed to Facebook from your bedroom? Or better yet, try explaining to your boss how you missed that big order because it went to your @facebook.com account which you didn’t even know you had. But Facebook did and I’ll bet they’ll be happy to sell it back to you.

Facebook will throw you under the bus

Tryin to ruin my name
Threw me under the bus
Riding all over the town
Spreading rumors around
Threw me under the bus
From Under the Bus by Lolene

In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another blog entry, so it’s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with Casey Anthony (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.

In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?

According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.

What interested me most is that these warrants demand a user’s “Neoprint” and “Photoprint” – terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook’s claim that the “Download Your Account” button gives you everything that Facebook itself possesses.

Facebook doesn’t tell users about the warrants to give them a chance to challenge those warrants legally.

Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.

And then there is this post by fellow Security Blogger Carole Theriault in the nakedsecurity blog that asks Does using Facebook put you at more risk elsewhere on the internet?

The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.

Not just on social networks, but everywhere – both online and in real life.

With 30% of the world estimated to be online – about 80% of North America and 60% of Europe – and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.

Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.

I shouldn’t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let’s be honest here – I find them really scary.

Many users of social networks seem completely addicted – they are on there all the time, recording every event of their lives. It just seems so intrusive to me…and compulsive.

So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.

It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.

Maybe research like this proves that social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online.

One could argue that they should proactively protect their community against commonly encountered threats.

I agree that it would be swell if Facebook showed a greater interest in educating their users about being safe online but from where I sit I’ve only seen an interest in exploiting their users. But it is a great interest.

To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.

Why I left Facebook

Speak my friend, you look surprised
I thought you knew I’d come disguised
On angel wings, dressed in white
From Descent of the Archangel by Kamelot

Last week I finally had enough. The cumulative effect of every sleazy privacy invading stunt that Mssrs. Zuckerberg et al have pulled was definitely part of the motivation. Also the recent departure of several of my security blogger “friends”, including Richard Stiennon, was another part. That, and the reality that I’m already following all of my blogger “friends’” blogs, so Facebook was like a cheesy notification service of new blog entries which is not only redundant, as news aggregators do a much better job, but includes tons of advertising which I was compelled to filter.

Then there was the simple fact that Facebook is an incredible time sink [read waste of time]. When I realized that the last two entries in this blog were Captain X-Ploit sagas – and the good captain doesn’t appear that often – it became clear that some priorities were seriously amiss. There were some mitigating factors of course, not the least of which is that I work for a company that builds actual products for actual customers, and the particular actual product that I’m working on is getting close to release [disclaimer: this is not a product announcement since I have nothing to do with that kind of stuff and is not meant to imply or represent anything about Ricoh products], which means plenty of work and deadlines. And the fact that I spent any time on Facebook is hard to justify.

And then there was a post that was forwarding and reposting its way among my less technically savvy (or possibly delusional) “friends” that went like this.

Who says Facebook friends aren’t real friends?.. They enjoy seeing you on line everyday. Miss you when you’re not there. Send condolences when you lose a loved one. Send you wishes on your birthday. Enjoy the photos you post. Put a smile on your face when you’re down. Make you laugh when you feel like crying. Repost if you are grateful for your Facebook friends. I know I am.

Seriously? Come on folks – a Facebook “friend” is an online persona. They are NOT REAL PEOPLE. You may buy into the abstraction that your “friends” represent real people, but I for one have always been very open about the fact that my Facebook profile was completely fraudulent. This was to help mitigate the privacy infringing business model of Facebook. If you really don’t mind letting Facebook have its way “monetizing” your personal information with no compensation to you, I guess that’s your choice. Sucker.

And then there’s the legal exposure. Yeah that’s right. Legal exposure. Here’s an example from the Electronic Discovery Law blog.

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information contained within Plaintiff’s accounts is properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.”

But the thing that finally caused me to bail from Facebook was the realization that the Facebook – and nearly all social networking sites’ – business model is fundamentally flawed. This is articulated quite nicely in this article by Bob Garfield in IEEE Spectrum entitled The Revolution Will Not Be Monetized.

1. If you build it and they come, does that guarantee that there’s money to be made? (Hint: No.)

2. Which of Facebook, YouTube, and Twitter will amass the millennium’s first megafortune and a borderless virtual state, with a vast population, political influence, economic clout, and a lair in a hollowed-out volcano from which to control the world’s weather? (Well, you can probably eliminate Twitter.)

3. The Wall Street valuations of companies like Facebook, which is worth US $85 billion on the secondary market, are stratospheric. Should we stockpile ammo and canned goods for when the bubble bursts? (Not a bad idea; remember Pets.com.)

According to the Interactive Advertising Bureau, U.S. advertisers spent $25 billion online in 2010—representing about 15 percent of the $164 billion U.S. ad market and, for the first time, a bit more than their spending on print newspapers. That was no small milestone. But here’s the thing: According to eMarketer, 31 percent of Americans’ media-consuming time in 2010 was spent online. Which means, speaking broadly, marketers valued new-media time only half as much as old-media time. And that’s the rose-colored view. Chris Anderson, curator of the TED Conferences, recently crunched numbers from Nielsen, Forrester Research, the Yankee Group, and other modelers to synthesize the value, medium by medium, of an individual’s time. Globally, print publications fetched $1 per hour of reader attention. TV got a quarter for a viewer hour. Online fetched “less than a dime.”

Why is online advertising such a poor stepchild? Well, extremely delightful and informative books with pale-blue and white covers have been written on this subject, but let’s reduce the problem to its essence: The endless supply of online content means an endless supply of places where ads could go, which by definition depresses demand and, with it, price. Period.

The second problem is more basic still. Ever click on a banner ad? Have you? Ever? Of course not, because why would you leave what you’re doing—especially socializing—to go listen to a sales pitch? The click-through rate, industry-wide, is less than 1 percent—and chalk some of that up to mouse error and click fraud. Some advertisers deal with this problem by popping ads into your face, blaring audio, or subjecting you to “preroll” video messages before the video you actually wish to see. As Anderson sagely observed to a Madison Avenue audience, that was an acceptable quid pro quo in the days of passive TV viewing. Online, though, users are active and in control. “If you take control away from them,” he said, “they will hate you.” Or, put another way: Online, all advertising is spam. These two structural problems leave two possibilities: Either advertising will never be the force in new media that it was in the five predigital centuries (a theory to which I personally subscribe), or someone will crack the code.

Yep. That pretty much covers it. When you are a Facebook “member” [read product] you are essentially trading your privacy for Facebook to convince advertisers that they can target you with spam better than their competitors. It’s not even as clever as Google’s for-fee search engine poisoning (er… Search Engine Optimization) and a whole lot more intrusive.

So there you have it. I really doubt that I will be missed on Facebook. Certainly not by Facebook themselves since I never provided them with any private information and probably not by any “friends” [read online personae that I found amusing] since those who matter in any real way can either call me or find me at this blog. All the others will probably find it refreshing to not be mocked with snarky comments when they post silly nonsense on their walls. And fear not, this blog is still represented on Facebook through the intrepid David Nicholas Stone, AKA Captain X-Ploit. Feel free to become a fan.

Oh – and to my “friend” Mark Zuckerberg - Take the money and run dude! It will get ugly when the investors sober up.

Helping your online shadow rest in peace

Give me my freedom, for as long as I be
All I ask of livin’ is to have no chains on me
All I ask of livin’ is to have no chains on me
And all I ask of dyin’ is to go naturally
I only wanna go naturally
From And When I Die by Blood, Sweat and Tears

Recently I’ve been hammering on you, dear readers, to be aware of the utter lack of privacy on social networks. So now in the interest of being fair, balanced and keeping you completely confused, let’s take a look at the opposite problem: how to make all that important private online stuff available to those who need it after you are deceased. “Oh my,” I hear you thinking (recall my telepathic abilities), “Is Security for All not long for this world? Is the author suffering from some terrible terminal disease? Has this blog suddenly taken a morbid turn?” Okay, enough questions already! The answers are: “Not that I know of” and, in the immortal words of David Stone (aka Captain X-Ploit), “We’ve been over this. I still have at least 45 years left” and “This blog was always weird, so not much of a turn”. The point is that you have a very real online shadow that, like your metaphysical ghost, will not rest in peace when there is unfinished business. Seriously though, have you ever considered what happens to all of that online information you keep adding to so prodigiously when you die? And how will your grief-stricken loved ones be able to access your valuable online resources? In this article by Jack Cola on makeuseof.com entitled What Happens To Your Email and Social Networking Accounts When You Die? there is some great information about how different online services handle an account when a user dies. And in this recent Lifehacker piece by Jason Fitzpatrick entitled What Should I Do About My Virtual Life After Death? there’s great practical information on planning for the inevitable with respect to your online shadow. Here is my four step condensation of this valuable information.

1. Make a list of all your virtual accounts.

List everything from your email accounts to your social networking profiles to one-off accounts for posting on individual forums. Once you have a complete list go through the list and cross off accounts that you want to be lost and unknown to your family and friends. If you have an account that you use [only] for blowing off steam with snarky comments, consider letting [it] go dark upon your death. If [an] account is part of the social networking profile for your business make sure that information is available.

This is a great exercise to go through regardless of your imminent or otherwise demise. I’m willing to bet that your list will be considerably longer than you ever imagined. And once you start culling that list, you might as well be proactive and close those accounts of dubious value right now.

2. Create a secure database of logins for the account list.

This secure database could be a physical one, locked in a home safe or bank’s safety deposit box or it could take the form of a digital keyring. If the executors of your estate are unskilled at computers consider the physical option. A keyring is much safer, however, and there are many excellent solutions. We’d recommend a portable version of KeePass on a flash drive. You can read our guide to KeePass here.

For the record, I live by KeePass and use a portable version. So if you’re a regular reader of this blog, or just happened to take my advice on this excellent password safe idea, you might be thinking “Done! I’ll just pass on my KeePass USB key and I’m golden”. Sorry, please refer to step #1. While it’s likely that you already have an exhaustive list of online accounts in your password safe, which is a dandy starting point, there is still the matter of culling and trimming those to relevant and active accounts. If you are like me, you probably have several dozen entries in your password safe of accounts that are no longer valid or you just never use anymore. There also is the matter of your loved ones’ access to the secure database. If that is a password safe on a USB key, they will need to know the password to the password safe. If you put the list in your safe at home or a bank safety deposit box, they will need to know the combination or have the key. And in every case your loved ones will need to know that this secure database exists, where it is and how to access it.

3. Include detailed instructions for how you want the plug pulled on your virtual life.

Do you want your executors to make an announcement? Post your obituary? Activate a guestbook on your web site, photo blog, or other virtual outpost and turn it into a virtual memorial?

This is very important since, in the absence of detailed instructions, the default behavior will be either to unceremoniously close the account or to let it live on as a virtual zombie. They need to be made aware that should they opt for the latter (zombie) then they will be haunted by your online shadow if not your actual ghost. A swell place for these instructions is as part of the secure database of logins described in #2. Just attach a note to each entry explaining what to do with the account. In case you were wondering, KeePass, and every other password safe I’m aware of, supports notes or comments for entries.

4. Include information about each website’s specific terms of service regarding user death.

While many websites don’t have a policy for unsubscribing/deregistering, let alone for closing down accounts after someone has died, most of the more popular sites do. Here are some of the most prominent. Note that most of these extraordinary measures and policies are for executors who do not have access to the login credentials for the account. In other words these policies are primarily procedures to allow next of kin to obtain access to accounts where the inconsiderate deceased failed to follow the previous 3 steps. If you leave behind passwords and detailed instructions then all they have to do is log in as you and do what you wanted. With the website none the wiser.

Gmail

If you have a Gmail account and you pass away, your next of kin will be allowed to access your emails. The account will stay open forever, but as the next of kin, you are able to request it to be deleted. To get access to the email account, you will need to supply the following information by fax or mail to Google to be granted account access of the deceased user account.

  • Your full name (next of kin), your contact information and a verifiable email address
  • The Gmail email address of the deceased person
  • An email containing the full headers of an email message that the deceased person has emailed you with the entire contents of the email
  • Proof of death
  • Documentation to prove that you are lawfully allowed to access their email (if the deceased is over 18). If the deceased person is under 18 years of age, you must provide a birth certificate

After you’ve compiled the information, Google will verify it and grant you access to the user account.

Hotmail

If Hotmail accounts are left inactive for a period of time, the email account along with all the information will be eventually deleted (within the year) and therefore, you will not be able to access it. If you die, your next of kin will be granted access to your account provided they supply supporting documents such as a death certificate (similar to what Google needs). Hotmail will not reset the password for the deceased person, but you have to fax or mail information to gain access to the account such as:

  • Your email address
  • Your shipping address (as they send you a package in the mail)
  • Documents to state you are the benefactor or you have power of attorney
  • Your photocopied driver’s license
  • A photocopy of the death certificate
  • Information about the account holder such as first and last name, date of birth, city, state, zip, approximate date of the account creation and the approximate date of last sign in.

If you require more information, you can get it at Windows Live Help.

Yahoo

Yahoo has a much stricter policy over who can get access to your account. And that is no one. If you want to ensure no one has access to your emails when you die, you would want to choose Yahoo. Yahoo will not grant permission to anyone to access a deceased user’s account. The only permission Yahoo grants is for the account to be deleted. Therefore, Yahoo does not allow anyone to access your emails. The only way someone can do this is if they reset your account password.

Facebook

Facebook will not grant anyone access to a deceased user account, but if the user of the account is deceased, their page will be turned into a memorial page once requested. By filling out the form to turn a deceased user’s page into a memorial page, Facebook will remove sensitive information on the account like status updates and will only allow current friends to access the page. Family members will then be allowed to customise the page of the deceased user.

MySpace

MySpace’s deceased user policy is a bit vague, but they state that if you are the next of kin, they will not grant you access to edit or delete any of the content or settings on the account yourself, but you can request it to be removed if you deem appropriate. You can simply email accountcare@support.myspace.com and attach appropriate documentation such as a death certificate. However, if you have access to their email account, MySpace recommends that you reset the user password.

The point here is that unless you want your loved ones to have to jump through all kinds of nasty hoops in the event of your untimely passing, follow steps #1 through #3 so as to avoid step #4.

So the main points to take away from this admittedly morbid but hopefully informative post are as follows.

  • A huge amount of money can be saved in executor costs if you make it easier for your executors to sort out your affairs
  • Nobody has the slightest idea how much money you have in PayPal, gold you have in World of Warcraft or dividends with other websites. That is unless you tell them.
  • Nobody wants their online shadow to become a zombie.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that,” I hear you thinking (it’s a gift, my telepathy). “But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private.” Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings. The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.”

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

Facebook Carnac and Other Horrors

I believe I can see the future
Cause I repeat the same routine
I think I used to have a purpose
But then again
That might have been a dream
From Every Day Is Exactly The Same by Nine Inch Nails

In case you were feeling safer, more secure and comfortable these days with social networking, allow me [with apologies to Stephen Colbert] to Keep the Fear Alive. Just about the time you start feeling more complacent because crack programmers are slowly but surely plugging the holes in the privacy sieve that is Facebook, stories like these rear their ugly heads.

Exhibit A comes to us from Mike Elgan on the IT Management blog. In this entry entitled ‘Pre-crime’ Comes to the HR Dept. he writes about a new service for Human Resources [Memo to HR: While I'm mostly human, if you refer to me as a resource, I will slap you so hard that your unborn resources will be well behaved] that pushes the privacy violation envelope.

A Santa Barbara, Calif., startup called Social Intelligence data-mines the social networks to help companies decide if they really want to hire you.

While background checks, which mainly look for a criminal record, and even credit checks have become more common, Social Intelligence is the first company that I’m aware of that systematically trolls social networks for evidence of bad character.

Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and “thousands of other sources,” the company develops a report on the “real you” — not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around.

Because it’s illegal to consider race, religion, age, sexual orientation and other factors, the company doesn’t include that information in its reports. Humans review the reports to eliminate false positives. And the company uses only publicly shared data — it doesn’t “friend” targets to get private posts, for example.

The reports feature a visual snapshot of what kind of person you are, evaluating you in categories like “Poor Judgment,” “Gangs,” “Drugs and Drug Lingo” and “Demonstrating Potentially Violent Behavior.” The company mines for rich nuggets of raw sewage in the form of racy photos, unguarded commentary about drugs and alcohol and much more.

That’s right, sports fans, just like Carnac the Magnificent, Social Intelligence claims predictive abilities. Although unlike Johnny Carson’s well known character, who could psychically divine unseen answers to unknown questions, these clever entrepreneurs glean their predictions by a systematic dredging of the social networking cesspool. About now you might be going all Church Lady on me and thinking “Well, isn’t that special? Isn’t it a good thing that companies avoid hiring drunken, crackheaded, violent gang bangers exhibiting bad judgement? And besides, I’m comfortably employed so why should I care?” Well, quite simply, there’s an app for that too.

The company also offers a separate Social Intelligence Monitoring service to watch the personal activity of existing employees on an ongoing basis. The service is advertised as a way to enforce company social media policies, but given that criteria are company-defined, it’s not clear whether it’s possible to monitor personal activity.

The service provides real-time notification alerts, so presumably the moment your old college buddy tags an old photo of you naked, drunk and armed on Facebook, the boss gets a text message with a link.

Two aspects of this are worth noting. First, company spokespeople emphasize liability. What happens if one of your employees freaks out, comes to work and starts threatening coworkers with a samurai sword? You’ll be held responsible because all of the signs of such behavior were clear for all to see on public Facebook pages. That’s why you should scan every prospective hire and run continued scans on every existing employee.

In other words, they make the case that now that people use social networks, companies will be expected (by shareholders, etc.) to monitor those services and protect the company from lawsuits, damage to reputation, and other harm. And they’re probably right.

That’s right, even if you are gainfully employed and your sinful, poor judgement days are long past, you are not immune. Not if you ever had unsavory friends. Or have friends now on Facebook. To paraphrase Queen guitarist Brian May, when asked about bandmate Freddie Mercury‘s infamously decadent parties, you’ve been there, so you’re definitely going to hell.

But how is this legal? I mean this is the United States of America after all, state of martial law imposed after 9-11 notwithstanding. Surely the judicial branch of our government will put an end to this. Actually, no. As Exhibit B, this entry in the Electronic Discovery Law blog illustrates.

Defendant sought to discover plaintiff’s “current and historical Facebook and MySpace pages and accounts”, including deleted information, on the belief that information posted there was inconsistent with her injury claims. The court granted the motion, despite plaintiff’s privacy concerns, upon finding the information was material and relevant and that plaintiff had no reasonable expectation of privacy, and because the defendant’s need for access outweighed plaintiff’s privacy concerns.

Regarding plaintiff’s privacy concerns, the court found that production of plaintiff’s MySpace and Facebook entries would not violate her right to privacy, and “that any such concerns were outweighed by Defendant’s need for the information.” Specifically, the court found that “as neither Facebook nor MySpace guarantee complete privacy, Plaintiff has no legitimate reasonable expectation of privacy.” The court supported this finding by noting that both MySpace and Facebook warned users against an expectation of privacy. MySpace, for example, warned users “not to forget that their profiles and MySpace forums are public spaces.” The court concluded:

Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist. Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy. As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

So see, not only does the court not recognize a reasonable expectation of privacy with respect to social networks, it actually gives that idea a name: a “theoretical protocol better known as wishful thinking”. So next time you post anything on Facebook you need to get a bit stricter than “don’t post anything you wouldn’t want your mother to see”. Your mom knows about your failings and loves you anyway. Your boss and the courts, not so much.

Can you be social and private simultaneously?

You keep on stalking me
Invading my privacy
Won’t you just let me be?
From Privacy by Michael Jackson

So now that everyone and their mother are on Facebook it’s just swell how social we are. Keeping track of family and friends has never been easier. And how about those cute games? And that nice Mr. Zuckerberg is there to watch out for your privacy. He said so here and here. Or not. Okay – that last little foray into social networking fantasy land was cute, but unfortunately the facts are somewhat more pedestrian and commercial [note to self: avoid writing blog entries while drinking brandy and listening to Porcupine Tree - coherency suffers]. So let’s start this over. Here’s the fundamental reality of social networking: You are not Facebook’s customer. You are the product they offer to their real customers – advertisers. [to paraphrase a tweet by @gollmann]. So what exactly are we supposed to do to protect our privacy? Because hey, social networking really IS cool. I mean you don’t want to throw the baby out with the bath water. It turns out there are some things you can do to help preserve what little privacy you have left online. This entry in LifeHacker has some great ideas. Here is an abbreviated version of their list.

10. Run a Background Check on Yourself to Know What’s Out There
It takes only a few seconds to know what Google knows about you, but there are many, many other avenues into your past and present on the web. Want to know more about what a potential employer can know? Consumer action blog Consumerist has a nicely comprehensive list of background check tools to try out.

This one is a must. Not only is it informative it will scare the bejeezus out of you the first time you go to some of these sites. Who knows it might scare you enough to actually take some action. In this case fear is your friend.

9. Skip Incognito/Private Browsing and Really Leave No Trace
Private browsing modes might prevent your coworkers or roommates from seeing where you wander on the web, but you still leave plenty of traces for someone who knows where to look. Take the How-To Geek’s advice and really browse without leaving a trace.

That’s right, the vaunted “porn mode” of Google Chrome – and now pretty much every other browser out there – might fool your spouse but it certainly won’t fool your teenager. Or those pesky e-Discovery folks. Sandbox it, portable-ize it and lose it forever. I’m not saying, I’m just saying…

8. Pick Better Security Questions
Some security questions and password recovery schemes offered by webapps are so bad, anyone with your casual acquaintance and a small amount of Google savvy could poke into your email whenever they felt like it. To get around weak security questions, use blogger danah boyd’s security question algorithm.

I prefer an easier solution here. I’ve mentioned many times before that I use a password manager program. I just keep track of the “security questions” and answers I provide – which are completely irrelevant nonsense. Example – Q: “Mother’s maiden name” A: “Chevrolet Belair”.
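The nonsense-answer approach above works best when the nonsense is actually unguessable, so here is an added example (mine, not from the original post or from Lifehacker) of generating random answers with a CSPRNG, accounting for their entropy, and packaging them as a record to paste into a password manager's notes field. The wordlist and the site name are constructed for the example; a real deployment would use a large published list so each word carries more entropy.

```python
import json
import math
import secrets

# Constructed wordlist for this example. With only 20 words each word
# contributes about 4.3 bits; the EFF long diceware list (7776 words)
# gives about 12.9 bits per word.
WORDLIST = [
    "chevrolet", "belair", "tangerine", "glacier", "saxophone", "pumpkin",
    "harbor", "velvet", "cactus", "lantern", "meteor", "walnut", "copper",
    "origami", "thistle", "volcano", "zephyr", "quartz", "marble", "falcon",
]


def random_answer(words=WORDLIST, n=4, sep="-"):
    """Return n words chosen uniformly with the OS CSPRNG, joined by sep.

    secrets.choice, not random.choice: the answer is a credential and must
    not be reproducible from a seedable PRNG state.
    """
    if n < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(secrets.choice(words) for _ in range(n))


def entropy_bits(n_words, list_size):
    """Entropy of an n_words answer drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def record_answers(site, questions, words=WORDLIST, n=4):
    """Build the record stored alongside the site's password.

    The question text is kept verbatim so the answer can be matched to the
    prompt later; the answer has nothing to do with the question.
    """
    return {
        "site": site,
        "answers": [
            {"question": q, "answer": random_answer(words, n)} for q in questions
        ],
        "entropy_bits_per_answer": round(entropy_bits(n, len(words)), 1),
    }


if __name__ == "__main__":
    # Hypothetical site name and prompts, constructed for the example.
    rec = record_answers(
        "example-bank (hypothetical)",
        ["Mother's maiden name?", "Name of your first pet?"],
    )
    print(json.dumps(rec, indent=2))
```

The point of the entropy figure is to keep you honest: a human-chosen "nonsense" answer such as a car model is still drawn from a small, guessable space, while four words from a 7776-word list give roughly 52 bits, comparable to a decent password.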

7. Set Up BitTorrent for Private Downloading
BitTorrent is a public commons of file sharing, and that means that all kinds of folks interested in, say, what your home IP address is, and what you’re downloading, can dig into it. With both a proxy and settings in your favorite torrent app, you can protect your privacy when downloading.

Yeah – I know you use it. Just be aware that you are most exposed when seeding. Sure, if you don’t seed you’re just a freeloading leech. You can live with that.

6. Know Your Google Settings
If you’re anything like us, or most of our readers, you’ve got a lot of your life floating around in Google’s cloud-based apps. It pays, then, to know how to set what Google shares publicly about you, how much of your search history is being saved, and how to back up your data so you’ve always got your own copy. These are among the 10 Google settings you should know about that center on privacy and data retention, though it’s always a good idea to know the parameters of the spaces you share your data in.

Google is almost as bad as Facebook about “knowing what’s best for you”. Just ask yourself how Google makes so much money when you don’t pay them anything for those nifty free services. Then go change your settings. Now.

5. Know How to Travel Without Being Spied On
Just because some countries have widespread net access doesn’t mean it’s an open and private web. It’s often meant to deter dissidents in strong-handed regimes, but why take the chance of letting your web data fall into the wrong hands? One Lifehacker reader, wishing to remain anonymous and in a non-specific region, crafted a survival guide for traveling where privacy isn’t respected.

Lately the good old USA has been the most fascist place with respect to travelers’ privacy that I’ve been to. Full disk encryption – don’t leave home without it. Period. Most businesses, my employer included, mandate this nowadays.

4. Know Where You Stand With Facebook at a Glance
Facebook has promised “simplistic” privacy settings coming soon, but in the meantime, knowing exactly what you’ve offered to share or keep private is far from transparent. One very crafty hacker at ReclaimPrivacy has put together a settings-scanning bookmarklet that shows what you’re sharing beyond your social circle, and offers links and automatic fixes for those settings. Another coder, Ka-Ping Yee, offers a site that shows what the public web can see on Facebook, some of which you can then remove.

If you let things default then you are standing right where they want you. That’s probably not where you want to be.

3. Run Your Browser Through a Proxy
It’s not something you’ll want to do all the time, but once in a while, you might want to hide your online tracks. To do so, you can use the go-to web randomization tool, Tor, which has tools available for nearly every OS and browser.

I use Tor regularly when I need to check out unsavory or questionable corners of the web. For research purposes. Just remember that Tor is a double-edged sword – you are anonymized but you will also draw some very unhealthy attention from folks who realize that Tor users are doing something interesting.

2. Better Protect Your Mint.com or Other Financial Accounts
The thing that makes Mint.com such a convenient one-stop shop for financial data and budgeting also makes it a gold mine for anyone looking to learn more about you, or know which accounts they could try to jump into. Security professional Jason Owens provides some smart tips on better protecting your Mint.com account that can apply to any site where you manage your financials.

I’m not a big fan of online financial services. Call me old fashioned, but I just don’t trust those guys. Of course I don’t trust my bank either. And I hate my credit card companies. I find it’s safer to treat them like the enemy. More fun too. As a result my wife handles our finances.

1. Stay Available on Facebook Without Really Being In It
You might have considered quitting Facebook, but stopped short because it’s how a few far-flung friends and relatives stay in touch, or a place those without your email address can ping you. We can understand, and, luckily, have a halfway solution to recommend. Quit Facebook without really quitting.

This one is near and dear to my heart. Not only is Facebook a spectacular time sink, I really don’t like them pimping my info to their customers. So I decided to get creative. If you go to my Facebook profile you will see that I work for “The Universe at Large” as a “Transdimensional Protocol Facilitator” and that I’m a lot older than I seem, being born on 29-Feb-1904 [not bad for 106!] but then again time is a slippery thing when you’re in my line of work. Consider that I got my doctorate from the Ramses II Institute of Science when I was only 9 years old and went to high school at San Dimas High some 71 years later.

So here’s a shout out to all my classmates from Egypt in 1913 – it’s time to become who you really are on the internet. Then privacy isn’t such a big deal.