Why are you still at Facebook?


why do you affect me? why do you affect me still?
why do you hinder me? why do you hinder me still?
why do you unnerve? why do you unnerve me still?
why do you trigger me? why do you trigger me still?
From Can’t Not by Alanis Morissette

This week was the occasion for yet another Facebook attack on their users sufficiently egregious to stir me out of my summer hiatus. Or was that my extended spring hiatus? Regardless of my obvious neglect of this weblog, I just couldn’t let this one pass. Basically the facts, as reported by Graham Cluley at the nakedsecurity blog, are these.

Back in April, Facebook quietly announced that it would be giving users @facebook.com email addresses so that they matched their public username (used as the URL for users’ profile pages).

However, the social network didn’t make clear that it would also be making the @facebook.com email addresses the default address displayed to your online friends.

Clearly this is all part of the site’s plan to get more people using the @facebook.com email addresses, thus making the social network even harder to extricate yourself from.

As we described extensively in our examination of the Facebook messaging system, the @facebook.com email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing @facebook.com email addresses for their own nefarious reasons.

Well that was just the beginning of this debacle. Turns out we didn’t have to wait for criminals to start abusing those dandy new (and mostly unwanted) email addresses because Facebook’s unbridled lust for every scrap of personal information they could steal from their users caused a really nasty side effect. The facts surrounding this (presumably) unintended consequence, as reported by Help Net Security, are these.

If you thought that Facebook’s recent unannounced change of its users’ email address tied with their account to Facebook ones was bad, you’ll be livid if you check your mobile phone contacts and discover that the change has deleted the email addresses of many of your friends and acquaintances.

According to Facebook, the glitch was due to a bug in its application-programming interface, and makes the last added email address be pulled and added to the user’s phone Contacts.

The company says they are working hard at fixing the problem, but in the meantime, a lot of users have effectively lost some of the information stored on their devices.

And Violet Blue over at CNet News wrote this.

An alarming number of people are reporting that the new e-mail address Facebook forced on users this week is changing their address books while intercepting and losing unknown amounts of e-mail.

Facebook users say contacts’ e-mail addresses on phones and personal devices have been altered without their consent — and their e-mail communication is being redirected elsewhere, and lost.

One very angry user is Adobe employee Rachel Luxemburg.

On her personal blog she writes,

 Today, a co-worker discovered that his contact info for me had been silently updated to overwrite my work e-mail address with my Facebook e-mail address. He discovered this only after sending work e-mails to the wrong address.

And even worse, the e-mails are not actually in my Facebook messages. I checked.

They’ve vanished into the ether.

For all I know, I could be missing a lot more e-mails from friends, colleagues, or family members, and never even know it.

As Luxemburg explains, this disaster is happening despite the fact that, like many others, she rushed to replace the @Facebook e-mail with their correct e-mail address once they’d found out about Facebook’s change.

When Facebook forced its hundreds of millions of users into an @facebook account, commenters across the Internet talked about alterations that had begun in their contacts and address books outside Facebook — valid e-mail addresses were being changed for @Facebook without people’s awareness or consent on their phones and computers.

So if I’m a lawyer (which I’m not, but let’s pretend) right about now I’m thinking Class Action Lawsuit, Booyah! If I’m a corporate IT guy (which I’m not – but I know quite a few of them) right now I’m thinking Holy BYOD [Bring Your Own Device] Batman! I think I’ll re-route the help-desk to those frickin’ brain donors at Facebook! And if I’m a security guy and recovering Facebookie (which I am), right about now I’m thinking Why in the name of all that is sacred is anyone putting up with this crap?

Seriously folks, things were bad enough at Facebook when I dumped them last year and wrote about it, and I’ve been kept busy by the rascals since then with this piece about Facebook’s way-too-cozy relationship with law enforcement and this post about a micro-lending start-up using Facebook “friends” as credit references. Look, I get it – Facebook gives you the illusion of being connected with long lost friends and family. And that’s not altogether terrible. But don’t kid yourself, it’s still an illusion and if you really cared to “be connected” with those people you would call them or send personal emails to them. For goodness sake, think about what you are giving up to have this virtual (read phony) social life: not only your personal information but now your personal correspondence too. What’s next? A webcam feed to Facebook from your bedroom? Or better yet, try explaining to your boss how you missed that big order because it went to your @facebook.com account which you didn’t even know you had. But Facebook did and I’ll bet they’ll be happy to sell it back to you.

Facebook will throw you under the bus

Tryin to ruin my name
Threw me under the bus
Riding all over the town
Spreading rumors around
Threw me under the bus
From Under the Bus by Lolene

In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another bl0g entry so it’s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with Casey Anthony (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.

In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?

According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.

What interested me most is that these warrants demand a user’s “Neoprint” and “Photoprint” – terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook’s claim that the “Download Your Account” button gives you everything that Facebook itself possesses.

Facebook doesn’t tell users about the warrants to give them a chance to challenge those warrants legally.

Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.

And then there is this post by fellow Security Blogger Carole Theriault in the nakedsecurity blog that asks Does using Facebook put you at more risk elsewhere on the internet?

The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.

Not just on social networks, but everywhere – both online and in real life.

With 30% of the world estimated to be online – about 80% of North America and 60% of Europe – and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.

Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.

I shouldn’t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let’s be honest here – I find them really scary.

Many users of social networks seem completely addicted – they are on there all the time, recording every event of their lives. It just seems so intrusive to me…and compulsive.

So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.

It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.

Maybe research like this proves that social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online.

One could argue that they should proactively protect their community against commonly encountered threats.

I agree that it would be swell if Facebook showed a greater interest in educating their users about being safe online but from where I sit I’ve only seen an interest in exploiting their users. But it is a great interest.

To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.

Why I left Facebook

Speak my friend, you look surprised
I thought you knew I’d come disguised
On angel wings, dressed in white
From Descent of the Archangel by Kamelot

Last week I finally had enough. The cumulative effect of every sleazy privacy invading stunt that Messrs. Zuckerberg et al have pulled was definitely part of the motivation. Also the recent departure of several of my security blogger “friends” including Richard Stiennon was another part. That, and the reality that I’m already following all of my blogger “friends’” blogs so Facebook was like a cheesy notification service of new blog entries which is not only redundant, as news aggregators do a much better job, but includes tons of advertising which I was compelled to filter.

Then there was the simple fact that Facebook is an incredible time sink [read waste of time]. When I realized that the last two entries in this blog were Captain X-Ploit sagas – and the good captain doesn’t appear that often – it became clear that some priorities were seriously amiss. There were some mitigating factors of course not the least of which is that I work for a company that builds actual products for actual customers and the particular actual product that I’m working on is getting close to release [disclaimer: this is not a product announcement since I have nothing to do with that kind of stuff and is not meant to imply or represent anything about Ricoh products] which means plenty of work and deadlines. And the fact that I spent any time on Facebook is hard to justify.

And then there was a post that was forwarding and reposting its way among my less technically savvy (or possibly delusional) “friends” that went like this.

Who says Facebook friends aren’t real friends?.. They enjoy seeing you on line everyday. Miss you when you’re not there. Send condolences when you lose a loved one. Send you wishes on your birthday. Enjoy the photos you post. Put a smile on your face when you’re down. Make you laugh when you feel like crying. Repost if you are grateful for your Facebook friends. I know I am.

Seriously? Come on folks – a Facebook “friend” is an online persona. They are NOT REAL PEOPLE. You may buy into the abstraction that your “friends” represent real people, but I for one have always been very open about the fact that my Facebook profile was completely fraudulent. This was to help mitigate the privacy infringing business model of Facebook. If you really don’t mind letting Facebook have its way “monetizing” your personal information with no compensation to you I guess that’s your choice. Sucker.

And then there’s the legal exposure. Yeah that’s right. Legal exposure. Here’s an example from the Electronic Discovery Law blog.

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information contained within Plaintiff’s accounts is properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.”

But the thing that finally caused me to bail from Facebook was the realization that the Facebook – and nearly all social networking sites’ – business model is fundamentally flawed. This is articulated quite nicely in this article by Bob Garfield in IEEE Spectrum entitled The Revolution Will Not Be Monetized.

1. If you build it and they come, does that guarantee that there’s money to be made? (Hint: No.)

2. Which of Facebook, YouTube, and Twitter will amass the millennium’s first megafortune and a borderless virtual state, with a vast population, political influence, economic clout, and a lair in a hollowed-out volcano from which to control the world’s weather? (Well, you can probably eliminate Twitter.)

3. The Wall Street valuations of companies like Facebook, which is worth US $85 billion on the secondary market, are stratospheric. Should we stockpile ammo and canned goods for when the bubble bursts? (Not a bad idea; remember Pets.com.)

According to the Interactive Advertising Bureau, U.S. advertisers spent $25 billion online in 2010—representing about 15 percent of the $164 billion U.S. ad market and, for the first time, a bit more than their spending on print newspapers. That was no small milestone. But here’s the thing: According to eMarketer, 31 percent of Americans’ media-consuming time in 2010 was spent online. Which means, speaking broadly, marketers valued new-media time only half as much as old-media time. And that’s the rose-colored view. Chris Anderson, curator of the TED Conferences, recently crunched numbers from Nielsen, Forrester Research, the Yankee Group, and other modelers to synthesize the value, medium by medium, of an individual’s time. Globally, print publications fetched $1 per hour of reader attention. TV got a quarter for a viewer hour. Online fetched “less than a dime.”

Why is online advertising such a poor stepchild? Well, extremely delightful and informative books with pale-blue and white covers have been written on this subject, but let’s reduce the problem to its essence: The endless supply of online content means an endless supply of places where ads could go, which by definition depresses demand and, with it, price. Period.

The second problem is more basic still. Ever click on a banner ad? Have you? Ever? Of course not, because why would you leave what you’re doing—especially socializing—to go listen to a sales pitch? The click-through rate, industry-wide, is less than 1 percent—and chalk some of that up to mouse error and click fraud. Some advertisers deal with this problem by popping ads into your face, blaring audio, or subjecting you to “preroll” video messages before the video you actually wish to see. As Anderson sagely observed to a Madison Avenue audience, that was an acceptable quid pro quo in the days of passive TV viewing. Online, though, users are active and in control. “If you take control away from them,” he said, “they will hate you.” Or, put another way: Online, all advertising is spam. These two structural problems leave two possibilities: Either advertising will never be the force in new media that it was in the five predigital centuries (a theory to which I personally subscribe), or someone will crack the code.

Yep. That pretty much covers it. When you are a Facebook “member” [read product] you are essentially trading your privacy for Facebook to convince advertisers that they can target you with spam better than their competitors. It’s not even as clever as Google’s for-fee search engine poisoning (er… Search Engine Optimization) and a whole lot more intrusive.

So there you have it. I really doubt that I will be missed on Facebook. Certainly not by Facebook themselves since I never provided them with any private information and probably not by any “friends” [read online personae that I found amusing] since those who matter in any real way can either call me or find me at this blog. All the others will probably find it refreshing to not be mocked with snarky comments when they post silly nonsense on their walls. And fear not, this blog is still represented on Facebook through the intrepid David Nicholas Stone, AKA Captain X-Ploit. Feel free to become a fan.

Oh – and to my “friend” Mark Zuckerberg - Take the money and run dude! It will get ugly when the investors sober up.

Helping your online shadow rest in peace

Give me my freedom, for as long as I be
All I ask of livin’ is to have no chains on me
All I ask I of livin’ is to have no chains on me
And all I ask of dyin’ is to go naturally
I only wanna go naturally
From And When I Die by Blood, Sweat and Tears

Recently I’ve been hammering on you, dear readers, to be aware of the utter lack of privacy on social networks. So now in the interest of being fair, balanced and keeping you completely confused let’s take a look at the opposite problem: how to make all that important private online stuff available to those who need it after you are deceased. “Oh my,” I hear you thinking (recall my telepathic abilities), “Is Security for All not long for this world? Is the author suffering from some terrible terminal disease? Has this blog suddenly taken a morbid turn?” Okay, enough questions already! The answers are: “Not that I know of” and in the immortal words of David Stone (aka Captain X-Ploit), “We’ve been over this. I still have at least 45 years left” and “This blog was always weird, so not much of a turn”. The point is that you have a very real online shadow, that like your metaphysical ghost will not rest in peace when there is unfinished business. Seriously though, have you ever considered what happens to all of that online information you keep adding to so prodigiously when you die? And how will your grief stricken loved ones be able to access your valuable online resources? In this article by Jack Cola on makeuseof.com entitled What Happens To Your Email and Social Networking Accounts When You Die? there is some great information about how different online services handle an account when a user dies. And in this recent Lifehacker piece by Jason Fitzpatrick entitled What Should I Do About My Virtual Life After Death? there’s great practical information on planning for the inevitable with respect to your online shadow. Here is my four step condensation of this valuable information.

1. Make a list of all your virtual accounts.

List everything from your email accounts to your social networking profiles to one-off accounts for posting on individual forums. Once you have a complete list go through the list and cross off accounts that you want to be lost and unknown to your family and friends. If you have an account that you use [only] for blowing off steam with snarky comments, consider letting [it] go dark upon your death. If [an] account is part of the social networking profile for your business make sure that information is available.

This is a great exercise to go through regardless of your imminent or otherwise demise. I’m willing to bet that your list will be considerably longer than you ever imagined. And once you start culling that list, you might as well be proactive and close those accounts of dubious value right now.

2. Create a secure database of logins for the account list.

This secure database could be a physical one, locked in a home safe or bank’s safety deposit box or it could take the form of a digital keyring. If the executors of your estate are unskilled at computers consider the physical option. A keyring is much safer, however, and there are many excellent solutions. We’d recommend a portable version of KeePass on a flash drive. You can read our guide to KeePass here.

For the record, I live by KeePass and use a portable version. So if you’re a regular reader of this blog, or just happened to take my advice on this excellent password safe idea, you might be thinking “Done! I’ll just pass on my KeePass USB key and I’m golden”. Sorry, please refer to step #1. While it’s likely that you already have an exhaustive list of online accounts in your password safe, which is a dandy starting point, there is still the matter of culling and trimming those to relevant and active accounts. If you are like me, you probably have several dozen entries in your password safe of accounts that are no longer valid or you just never use anymore. There also is the matter of your loved ones’ access to the secure database. If that is a password safe on a USB key, they will need to know the password to the password safe. If you put the list in your safe at home or a bank safety deposit box, they will need to know the combination or have the key. And in every case your loved ones will need to know that this secure database exists, where it is and how to access it.

3. Include detailed instructions for how you want the plug pulled on your virtual life.

Do you want your executors to make an announcement? Post your obituary? Activate a guestbook on your web site, photo blog, or other virtual outpost and turn it into a virtual memorial?

This is very important since in the absence of detailed instructions the default behavior will be to either unceremoniously close the account or let it live on as a virtual zombie. They need to be made aware that should they opt for the latter (zombie) then they will be haunted by your online shadow if not your actual ghost. A swell place for these instructions is as part of the secure database of logins described in #2. Just attach a note to each entry explaining what to do with the account. In case you were wondering KeePass, and every other password safe I’m aware of, supports notes or comments for entries.

4. Include information about each website’s specific terms of service regarding user death.

While many websites don’t have a policy for unsubscribing/deregistering, let alone for closing down accounts after someone has died, most of the more popular sites do. Here are some of the most prominent. Note that most of these extraordinary measures and policies are for executors who do not have access to the login credentials for the account. In other words these policies are primarily procedures to allow next of kin to obtain access to accounts where the inconsiderate deceased failed to follow the previous 3 steps. If you leave behind passwords and detailed instructions then all they have to do is log in as you and do what you wanted. With the website none the wiser.

Gmail

If you have a Gmail account and you pass away, your next of kin will be allowed to access your emails. The account will stay open forever, but as the next of kin, you are able to request it to be deleted. To get access to the email account, you will need to supply the following information by fax or mail to Google to be granted account access of the deceased user account.

  • Your full name (next of kin), your contact information and a verifiable email address
  • The Gmail email address of the deceased person
  • An email containing the full headers of an email message that the deceased person has emailed you with the entire contents of the email
  • Proof of death
  • Documentation to prove that you are lawfully allowed to access their email (if the deceased is over 18). If the deceased person is under 18 years of age, you must provide a birth certificate

After you’ve compiled the information, Google will verify it and grant you access to the user account.

Hotmail

If Hotmail accounts are left inactive for a period of time, the email account along with all the information will be eventually deleted (within the year) and therefore, you will not be able to access it. If you die, your next of kin will be granted access to your account provided they supply supporting documents such as a death certificate (similar to what Google needs). Hotmail will not reset the password for the deceased person, but you have to fax or mail information to gain access to the account such as:

  • Your email address
  • Your shipping address (as they send you a package in the mail)
  • Documents to state you are the benefactor or you have power of attorney
  • Your photocopied driver’s license
  • A photocopy of the death certificate
  • Information about the account holder such as first and last name, date of birth, city, state, zip, approximate date of the account creation and the approximate date of last sign in.

If you require more information, you can get it at Windows Live Help.

Yahoo

Yahoo has a much stricter policy over who can get access to your account. And that is no one. If you want to ensure no one has access to your emails when you die, you would want to choose Yahoo. Yahoo will not grant permission to anyone to access a deceased user’s account. The only permission Yahoo grants is for the account to be deleted. Therefore, Yahoo does not allow anyone to access your emails. The only way someone can do this is if they reset your account password.

Facebook

Facebook will not grant anyone access to a deceased user account, but if the user of the account is deceased, their page will be turned into a memorial page once requested. By filling out the form to turn a deceased user’s page into a memorial page, Facebook will remove sensitive information on the account like status updates and will only allow current friends to access the page. Family members will then be allowed to customise the page of the deceased user.

MySpace

MySpace deceased user policy is a bit vague, but they state that if you are the next of kin, they will not grant you access to edit, or delete any of the content or settings on the account yourself, but you can request it to be removed if you deem appropriate. You can simply email accountcare@support.myspace.com and attach appropriate documentation such as a death certificate. However, if you have access to their email account, MySpace recommends that you reset the user password.

The point here is that unless you want your loved ones to have to jump through all kinds of nasty hoops in the event of your untimely passing, follow steps #1 through #3 so as to avoid step #4.

So the main points to take away from this admittedly morbid but hopefully informative post are as follows.

  • A huge amount of money can be saved in executor costs if you make it easier for your executors to sort out your affairs
  • Nobody has the slightest idea how much money you have in PayPal, gold you have in World of Warcraft or dividends with other websites. That is unless you tell them.
  • Nobody wants their online shadow to become a zombie.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that.” I hear you thinking (it’s a gift, my telepathy). “But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private”. Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings. The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.”

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

Facebook Carnac and Other Horrors

I believe I can see the future
Cause I repeat the same routine
I think I used to have a purpose
But then again
That might have been a dream
From Every Day Is Exactly The Same by Nine Inch Nails

In case you were feeling safer, more secure and comfortable these days with social networking allow me [with apologies to Stephen Colbert] to Keep the Fear Alive. Just about the time you start feeling more complacent because crack programmers are slowly but surely plugging the holes in the privacy sieve that is Facebook, stories like these rear their ugly heads.

Exhibit A comes to us from Mike Elgan on the IT Management blog. In this entry entitled ‘Pre-crime’ Comes to the HR Dept. he writes about a new service for Human Resources [Memo to HR: While I'm mostly human if you refer to me as a resource, I will slap you so hard that your unborn resources will be well behaved] that pushes the privacy violation envelope.

A Santa Barbara, Calif., startup called Social Intelligence data-mines the social networks to help companies decide if they really want to hire you.

While background checks, which mainly look for a criminal record, and even credit checks have become more common, Social Intelligence is the first company that I’m aware of that systematically trolls social networks for evidence of bad character.

Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and “thousands of other sources,” the company develops a report on the “real you” — not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around.

Because it’s illegal to consider race, religion, age, sexual orientation and other factors, the company doesn’t include that information in its reports. Humans review the reports to eliminate false positives. And the company uses only publicly shared data — it doesn’t “friend” targets to get private posts, for example.

The reports feature a visual snapshot of what kind of person you are, evaluating you in categories like “Poor Judgment,” “Gangs,” “Drugs and Drug Lingo” and “Demonstrating Potentially Violent Behavior.” The company mines for rich nuggets of raw sewage in the form of racy photos, unguarded commentary about drugs and alcohol and much more.

That’s right sports fans, just like Carnac the Magnificent, Social Intelligence claims predictive abilities. Although unlike Johnny Carson’s well known character who could psychically divine unseen answers to unknown questions, these clever entrepreneurs glean their predictions by a systematic dredging of the social networking cesspool. About now you might be going all Church Lady on me and thinking “Well, isn’t that special? Isn’t it a good thing that companies avoid hiring drunken, crackheaded, violent gang bangers exhibiting bad judgement? And besides, I’m comfortably employed so why should I care?” Well, quite simply, there’s an app for that too.

The company also offers a separate Social Intelligence Monitoring service to watch the personal activity of existing employees on an ongoing basis. The service is advertised as a way to enforce company social media policies, but given that criteria are company-defined, it’s not clear whether it’s possible to monitor personal activity.

The service provides real-time notification alerts, so presumably the moment your old college buddy tags an old photo of you naked, drunk and armed on Facebook, the boss gets a text message with a link.

Two aspects of this are worth noting. First, company spokespeople emphasize liability. What happens if one of your employees freaks out, comes to work and starts threatening coworkers with a samurai sword? You’ll be held responsible because all of the signs of such behavior were clear for all to see on public Facebook pages. That’s why you should scan every prospective hire and run continued scans on every existing employee.

In other words, they make the case that now that people use social networks, companies will be expected (by shareholders, etc.) to monitor those services and protect the company from lawsuits, damage to reputation, and other harm. And they’re probably right.

That’s right, even if you are gainfully employed and your sinful, poor judgement days are long past, you are not immune. Not if you ever had unsavory friends. Or have friends now on Facebook. To paraphrase Queen guitarist Brian May, when asked about bandmate Freddie Mercury’s infamously decadent parties, you’ve been there, so you’re definitely going to hell.

But how is this legal? I mean this is the United States of America after all, state of martial law imposed after 9-11 notwithstanding. Surely the judicial branch of our government will put an end to this. Actually, no. As Exhibit B, this entry in the Electronic Discovery Law blog illustrates.

Defendant sought to discover plaintiff’s “current and historical Facebook and MySpace pages and accounts”, including deleted information, on the belief that information posted there was inconsistent with her injury claims.  The court granted the motion, despite plaintiff’s privacy concerns, upon finding the information was material and relevant and that plaintiff had no reasonable expectation of privacy, and because the defendant’s need for access outweighed plaintiff’s privacy concerns.

Regarding plaintiff’s privacy concerns, the court found that production of plaintiff’s MySpace and Facebook entries would not violate her right to privacy, and “that any such concerns were outweighed by Defendant’s need for the information.”  Specifically, the court found that “as neither Facebook nor MySpace guarantee complete privacy, Plaintiff has no legitimate reasonable expectation of privacy.”  The court supported this finding by noting that both MySpace and Facebook warned users against an expectation of privacy.  My Space, for example, warned users “not to forget that their profiles and MySpace forums are public spaces.”  The court concluded:

Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings.  Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist.  Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy.  As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

So see, not only does the court not recognize a reasonable expectation of privacy with respect to social networks, it actually gives that idea a name: theoretical protocol better known as wishful thinking. So next time you post anything on Facebook you need to get a bit stricter than don’t post anything you wouldn’t want your mother to see. Your mom knows about your failings and loves you anyway. Your boss and the courts, not so much.

Can you be social and private simultaneously?

You keep on stalking me
Invading my privacy
Won’t you just let me be?
From Privacy by Michael Jackson

So now that everyone and their mother are on FaceBook it’s just swell how social we are. Keeping track of family and friends has never been easier. And how about those cute games? And that nice Mr. Zuckerberg is there to watch out for your privacy. He said so here and here. Or not. Okay – that last little foray into social networking fantasy land was cute, but unfortunately the facts are somewhat more pedestrian and commercial [note to self: avoid writing blog entries while drinking brandy and listening to Porcupine Tree - coherency suffers]. So let’s start this over. Here’s the fundamental reality of social networking: You are not Facebook’s customer. You are the product they offer to their real customers – advertisers. [to paraphrase a tweet by @gollmann]. So what exactly are we supposed to do to protect our privacy? Because hey, social networking really IS cool. I mean you don’t want to throw the baby out with the bath water. It turns out there are some things you can do to help preserve what little privacy you have left online. This entry in LifeHacker has some great ideas. Here is an abbreviated version of their list.

10. Run a Background Check on Yourself to Know What’s Out There
It takes only a few seconds to know what Google knows about you, but there are many, many other avenues into your past and present on the web. Want to know more about what a potential employer can know? Consumer action blog Consumerist has a nicely comprehensive list of background check tools to try out.

This one is a must. Not only is it informative it will scare the bejeezus out of you the first time you go to some of these sites. Who knows it might scare you enough to actually take some action. In this case fear is your friend.

9. Skip Incognito/Private Browsing and Really Leave No Trace
Private browsing modes might prevent your coworkers or roommates from seeing where you wander on the web, but you still leave plenty of traces for someone who knows where to look. Take the How-To Geek’s advice and really browse without leaving a trace.

That’s right, the vaunted “porn mode” of Google Chrome  - and now pretty much every other browser out there – might fool your spouse but it certainly won’t fool your teenager. Or those pesky e-Discovery folks. Sandbox it, portable-ize it and lose it forever. I’m not saying, I’m just saying…

8. Pick Better Security Questions
Some security questions and password recovery schemes offered by webapps are so bad, anyone with your casual acquaintance and a small amount of Google savvy could poke into your email whenever they felt like it. To get around weak security questions, use blogger danah boyd’s security question algorithm.

I prefer an easier solution here. I’ve mentioned many times before that I use a password manager program. I just keep track of the “security questions” and answers I provide – which are completely irrelevant nonsense. Example – Q: “Mother’s maiden name” A: “Chevrolet Belair”.

7. Set Up BitTorrent for Private Downloading
BitTorrent is a public commons of file sharing, and that means that all kinds of folks interested in, say, what your home IP address is, and what you’re downloading, can dig into it. With both a proxy and settings in your favorite torrent app, you can protect your privacy when downloading.

Yeah – I know you use it. Just be aware that you are most exposed when seeding. Sure if you don’t seed you’re just a freeloading leech. You can live with that.

6. Know Your Google Settings
If you’re anything like us, or most of our readers, you’ve got a lot of your life floating around in Google’s cloud-based apps. It pays, then, to know how to set what Google shares publicly about you, how much of your search history is being saved, and how to back up your data so you’ve always got your own copy. These are among the 10 Google settings you should know about that center on privacy and data retention, though it’s always a good idea to know the parameters of the spaces you share your data in.

Google is almost as bad as Facebook about “knowing what’s best for you”. Just ask yourself how Google makes so much money when you don’t pay them anything for those nifty free services. Then go change your settings. Now.

5. Know How to Travel Without Being Spied On
Just because some countries have widespread net access doesn’t mean it’s an open and private web. It’s often meant to deter dissidents in strong-handed regimes, but why take the chance of letting your web data fall into the wrong hands? One Lifehacker reader, wishing to remain anonymous and in a non-specific region, crafted a survival guide for traveling where privacy isn’t respected.

Lately the good old USA has been the most fascist place with respect to traveler’s privacy that I’ve been to. Full disk encryption – don’t leave home without it. Period. Most businesses, my employer included, mandate this nowadays.

4. Know Where You Stand With Facebook at a Glance
Facebook has promised “simplistic” privacy settings coming soon, but in the meantime, knowing exactly what you’ve offered to share or keep private is far from transparent. One very crafty hacker at ReclaimPrivacy has put together a settings-scanning bookmarklet that shows what you’re sharing beyond your social circle, and offers links and automatic fixes for those settings. Another coder, Ka-Ping Yee, offers a site that shows what the public web can see on Facebook, some of which you can then remove.

If you let things default then you are standing right where they want you. That’s probably not where you want to be.

3. Run Your Browser Through a Proxy
It’s not something you’ll want to do all the time, but once in a while, you might want to hide your online tracks. To do so, you can use the go-to web randomization tool, TOR, which has tools available for nearly every OS and browser.

I use TOR regularly when I need to check out unsavory or questionable corners of the web. For research purposes. Just remember that TOR is a double-edged sword – you are anonymized but you will also draw some very unhealthy attention from folks who realize that TOR users are doing something interesting.

2. Better Protect Your Mint.com or Other Financial Accounts
The thing that makes Mint.com such a convenient one-stop shop for financial data and budgeting also makes it a gold mine for anyone looking to learn more about you, or know which accounts they could try to jump into. Security professional Jason Owens provides some smart tips on better protecting your Mint.com account that can apply to any site where you manage your financials.

I’m not a big fan of online financial services. Call me old fashioned, but I just don’t trust those guys. Of course I don’t trust my bank either. And I hate my credit card companies. I find it’s safer to treat them like the enemy. More fun too. As a result my wife handles our finances.

1. Stay Available on Facebook Without Really Being In It
You might have considered quitting Facebook, but stopped short because it’s how a few far-flung friends and relatives stay in touch, or a place those without your email address can ping you. We can understand, and, luckily, have a halfway solution to recommend. Quit Facebook without really quitting.

This one is near and dear to my heart. Not only is Facebook a spectacular time sink, I really don’t like them pimping my info to their customers. So I decided to get creative. If you go to my Facebook profile you will see that I work for “The Universe at Large” as a “Transdimensional Protocol Facilitator” and that I’m a lot older than I seem, being born on 29-Feb-1904 [not bad for 106!] but then again time is a slippery thing when you’re in my line of work. Consider that I got my doctorate from the Ramses II Institute of Science when I was only 9 years old and went to high school at San Dimas High some 71 years later.

So here’s a shout out to all my classmates from Egypt in 1913 – it’s time to become who you really are on the internet. Then privacy isn’t such a big deal.

Left naked in the rain by social networking

I must have been out cold
But the way the story’s told
They found me lying naked in the rain
From Bible Black by Heaven and Hell

Any number of times in the past I’ve warned about the inherent lack of privacy with social networking in posts like this, this, this and even this. But this week Sharon Nelson of the {ride the lightning} Electronic Evidence blog had a very interesting post wherein she points out that employees who engage in social networking at work expose their employers as well as themselves.

So you have a policy against social networking on work computers? Who cares? Probably not your Millennial generation employees. 45% of them use social networking at work whether or not their employers have imposed policy restraints. Of course, you can use technology to block them from visiting these sites on their computers. And then they reach for their cell phones chanting the Millennial mantra, “There’s an app for that.”

That’s right Mr. CIO, pretty much leaves you naked in the rain. But it’s not all bad though, e-discovery folks like Sharon love these miscreants for the bounty they allow them to harvest. Well okay, maybe it is all bad for you. The post references this report from Accenture titled Jumping the Boundaries of Corporate IT which examines the Millennials’ use of technology. Some of the highlights include:

29% of those surveyed say that they don’t know if their company has a social networking policy.
17% say a policy has never been published.
11% say that what the company has published is too complex to understand.
11% say – in essence – screw the policy, I’ll do as I see fit.

If these little tidbits don’t have your IT security folks hyperventilating then you’re not paying attention. I’m thinking that it might be a really good idea to check out that Accenture report and try to understand how Millennials think and their proclivity for defying company policy and look for things that policy tells you shouldn’t exist. It’s not much but it’s better than being completely naked in the rain.

Web 2.0 Miranda

don’t say a word or we’ll surely expose
that it’s you who are wicked and vile
anything you say will be used against you
and now it is you here on trial
from Don’t Say a Word by Cici Porter

For a long time now I’ve tried to get folks to realize that there is nothing private or protected about social networking. To wit, these posts here and here. In case you think I’m overreacting you should check out this post by Sharon Nelson in the {ride the lightning} blog.

Recently, Facebook spokesman Andrew Noyes said that the company has created a team led by a former FBI employee to manage requests for information in criminal cases. According to Noyes, a big part of the job is explaining the applicable laws and the limitations on access to Facebook user information. He said that Facebook strives to respect the balance between law enforcement’s need for information and the privacy rights of citizens.

To be fair to Sharon’s point in the post, judges are increasingly ruling on the side of individual privacy in cases with requests to make social network content discoverable or admissible. But the fact that the number of such cases has increased to the point that FaceBook needs a team to “manage requests for information in criminal cases” is my concern. It almost seems like this has progressed to the point that every social networking site should display your Miranda rights prominently. In actual fact FaceBook does display, albeit not terribly prominently, something like that in their Privacy Policy.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Twitter has a similar statement in their privacy policy.

We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property.

So what’s the big deal? These Web 2.0 sites have to comply with the law just like everybody else. Exactly. So think about that the next time you want to post a photo of that truly epic party. You know, the one with the funny pictures of you and your peeps totally hammered and passing the bong. Or maybe that post where you really let everyone know how you feel about your sleazy ex. Just remember that you have been “Mirandized”. Sort of. And to the extent you have any rights you didn’t waive by using the social network.

Gray haired computing

Recently I did an article for a seniors newsletter about phishing. Specifically the perennial “limited time to add your cell phone to the national do not call list before bad stuff happens” scam. While this particular instance is more hoax than phishing, since the number to call was, in fact, the real number for the do not call list, the opportunity for a phishing variation is definitely there. This got me to thinking again about why computing in general and social networking in particular are so senior-unfriendly. I’ve written about this issue in the past here and here but it’s always seemed a little bizarre to me that no major personal computer manufacturer has thought about tapping this enormous and growing market. There are some minor players starting to get into this market according to this article on the BBC.

A new computer aimed at people aged over 60 who are unfamiliar with PCs and the internet has been unveiled.

The simplified desktop – called SimplicITy – has just six buttons directing users to basic tasks such as e-mail and chat.

The computer comes pre-loaded with 17 video tutorials from television presenter Valerie Singleton.

The SimplicITy computer has no log-in screen when started up, and contains no drop-down menus. It opens straight to a front page called “square one” containing separate clickable buttons for e-mail, browsing the web, files (for storing word documents and photos etc), online chat and a user profile.

The e-mail system is a modified version of an Italian design called Eldy. All SimplicITy users with an eldy.org address will be able to chat to each other via the “chat” button.

The computer is built using Linux operating system, a free operating system that can be customised by users.
If people decide they no longer need the SimplicITy desktop, they can replace it with a standard Linux desktop.

Unfortunately these are also a one-off kind of deal and therefore carry a relatively hefty price tag.

Each made-to-order computer takes two weeks from request to delivery and can be ordered by post.

It’s not all that cheap – systems range from £299 [~$500] without screen or keyboard to £525 [~$880] for a complete system.

From what I can tell reaction to this computer system has been lukewarm to negative and almost universally snarky. Of course those reactions have been from younger people like BBC Technology correspondent Rory Cellan-Jones who quips:

There are some people who will undoubtedly feel patronised by the very idea of a computer for older users  and others will ask why they shouldn’t be taught to use Windows like just about everybody else.

But he also points out a very valid issue when it comes to selecting computing equipment for elders in this entry on the BBC News dot.life blog.

Simplicity is swimming against the tide, and may find some resistance, not from older customers, but from sons and daughters who’d rather see their parents learn the same system as themselves.

Yep – nailed it in one. Being primary technical support for a truly frightening number of older folks I know this to be absolutely true. But exhaustive yet completely unscientific polling and anecdotal evidence have led me to believe that the following statements are common to all older computer users:

My computer sucks.

My [son|daughter|younger friend]’s computer works great.

That’s why I got mine.

But my computer sucks.

Okay I’ll admit that I paraphrased a bit but I think it reliably captured the essence. So why does grandma want a computer? As opposed to why do the grandkids think grandma wants a computer. Here’s what I think based on that exhaustive yet unscientific research.

  1. Medicare, Social Security and insurers are increasingly moving online. If you want to interact with them you need a computer.
  2. Staying in contact with the family. All the grandkids are on FaceBook and use Twitter. Everybody puts photos on Flickr and sends invitations through email.
  3. Staying abreast of current news. Hey, the local newspaper is either going, gone or online and TV news is for losers.

While there are probably a few other reasons that drive grandma’s desire for a computer, please note that “making videos” or “digitizing music” are not among them. The biggie is the first reason which is why it was cleverly positioned at #1. Grandma has no choice. As much as you would like to believe that the others are more important, the bottom line is that it’s just not practical to be an analog senior any longer. So why exactly aren’t HP and Dell marketing the heck out of computers for seniors? Maybe they aren’t aware of the market [doubtful] or maybe they haven’t been talking to the right people and think they already have such a unit among their existing offerings [most likely].

So let’s help them out, shall we? Feel free to chime in with comments here. What would be the attributes of the perfect computing device for seniors? Well how about we start with some physical basics:

  1. It’s got to have a full size keyboard and a decent size display. Small form factor keyboards and screens are non-starters. Netbooks are out. Smart phones are out.
  2. It should be portable. In every respect, including WiFi. This thing will be traveling to every family get together from now on. And who wants to wire their house for ethernet?
  3. It has to have the right pointing device for the user. Some folks like trackballs, some like tablets, some even like joysticks. Not everyone likes, or can use, a mouse. And almost nobody can use a laptop touchpad without a great deal of angst. And who needs that aggravation?
  4. It doesn’t need a very powerful processor. An older low-power processor would be fine since [pay attention here younger helpers] nobody is going to do any video editing on this machine. Ever. But increased battery life would really be swell.
  5. It doesn’t need huge amounts of memory. Yeah, I know that most popular operating systems tend to expand to fill the available resources but that just proves that modern operating systems bite wind. And have [again pay attention here younger helpers] stupid amounts of cool features that nobody will ever use. Ever.
  6. It doesn’t need a killer 3-D video subsystem. As much as you might hope, grandma is not going to play Halo 3 or Call of Duty: Modern Warfare. Ever. If she really wants to play games she should get a Wii. Not a PC.
  7. It needs a fast internet connection. Essentially everything that grandma wants to use her new computer for is online. Slow internet = bad user experience.

So that’s a reasonable start on hardware, how about software? What does grandma really need to do the stuff she wants? Well, first we should forget all that ancillary stuff to protect the system from bad engineering (err… malware. I meant malware. My bad) and select an operating environment that is fast, safe and easy to use. Yep, that pretty much leaves Windows out. But we’re getting ahead of ourselves. Here’s the critical software list.

  1. A web browser. Pretty much everything that grandma wants to do is online and accessible via a browser. Email, banking, insurance, FaceBook, and Twitter. There are web sites that mashup or aggregate multiple social networking sites. Even text editors and other applications. Pretty much everything out there in the cloud.
  2. A password safe. Anything that’s done in the cloud requires some kind of authentication, usually user name (or email) and a password. And lame authentication is useless. Just ask Sarah Palin. Everybody, not just grandma, but everybody should use a password safe. That way you only have to remember one password (the safe password) and let the password safe generate unique industrial strength passwords for everything else.
  3. A good bi-directional firewall. Don’t worry – grandma will never see this and any decent operating environment will ship with a good one installed and enabled by default.

Well this is interesting. It’s looking like Google Chrome OS might be just the ticket for seniors. When it comes out next year. Except that Google is targeting Netbooks as their initial platform and we’ve already determined that Netbooks are a non-starter for seniors. Actually a MacBook might be a good choice, except for the high price and wealth of useless (for grandma) software that comes with a Mac. So maybe the SimplicITy folks have it right. Maybe a lightweight Linux distro is a good place to start. I mean that’s really what Chrome OS is under the covers, the covers being Google’s Chrome browser.

So how about it Dell or HP? How about building an inexpensive, full size, low power, portable PC with a choice of input devices [test drives available!], loaded with Google Chrome OS or maybe a minimal version of Ubuntu or OpenSUSE with Firefox or Chromium [Chrome for Linux]. Or maybe Apple could release a senior-friendly MacBook without all the spiffy iLife stuff and make it affordable. But whoever steps up be sure and forget the crapware from your partners and instead throw in some slick training demos on things like “how to get online” and decent [non-advertising] setup wizards for networking. Or maybe you could just partner with SimplicITy and use those video tutorials with Valerie Singleton. It would be wise to ask yourselves if in this economy you can afford to alienate a growing market by ignoring their needs.