Who decides what you see on the Internet?
The short answer: not you.
Who decides what you see on the Internet?
The short answer: not you.
Whenever a government wants to justify its latest intrusion into people’s electronic privacy, it usually does so by appeal to one of the Four Horsemen of the Infocalypse. Membership of this prestigious group is a little ill-defined, but the usual formulation is that it is made up of terrorists, pedophiles, drug dealers and organized criminals. As no one could possibly be in favor of any of these groups - so the logic goes - the government is justified in proposing whatever measures it wants to deal with them.
In recent years, the four have been joined by a fifth, copyright pirates. This is a harder sell because while most people aren’t pedophiles or terrorists, you have to look quite hard before finding someone who has never downloaded music or movies. People who might not blink when you tell them that you need to read everyone’s email to protect us all against Osama bin Laden and the international pedophile conspiracy are not quite so ready to believe that extreme measures are needed to deal with everyone who downloaded an illegal copy of “Born this Way”.
Now the five have been joined by a sixth and it is … wait for it … Internet trolls.
Randi Zuckerberg, sister of Mark, has recently declared that online anonymity “has to go away”. The reason? Antisocial behavior on line. If everyone were forced to use their real name, there’d be no more cyber-bullying and no more trolls. Apparently, Internet trolling is now a threat of the same order of magnitude as terrorism and child molesting, which is either very bad or very good news, depending on how you interpret it.
Facebook isn’t alone in calling for anonymity to be stripped away. Eric Schmidt of Google has also proposed an end to anonymity as a cure for the ills of the Internet. Schmidt actually goes further than Zuckerberg, predicting that a ‘verified name service’ will eventually be required to protect against ‘asynchronous threats’ (the Horsemen, presumably) and calling for ‘true transparency and no anonymity’. And Google’s newly-launched Plus service has recently lost some of its shine after a ham-fisted attempt to enforce a ‘real names’ policy.
While I would be the last person to question the truth of John Gabriel’s Greater Internet Fuckwad Theory, I have some doubts about these proposals. For one thing, as any child can tell you, lack of anonymity has never been an obstacle to real world bullies. For another, short of the Orwellian ‘verified name service’ proposed by Mr Schmidt, it will always be possible to circumvent attempts to force users to use their ‘real names’. For still another, it’s pretty much certain that all this transparency is only going to flow one way. It will be individuals who are required to live by Mr Schmidt’s rules of ‘true transparency and no anonymity’. Governments and corporations, as ever, will be exempt.
Defenders of privacy have pointed out that while trolls and bullies may shelter behind anonymity, so too do opponents of repressive governments, political activists, corporate whistleblowers and battered wives. And so do ‘ordinary’ users: in a world of ‘total transparency’ where every utterance can be tied to a name and a real-world identity, how many people would dare to post so much as a bad restaurant review or a dissenting opinion? There’s no shortage of people, on the Internet or off it, who are willing to lash out against anyone who disagrees with them or calls them out on their own bad behavior. Anonymity might indeed facilitate misbehavior online, but to a still greater extent it protects us against the thugs and the bullies. (A friend of mine recently told me that she wants to create a Facebook account for her young daughter, using a fake name and an untraceable email address. Why? Because she sees a fake identity as the only effective way to protect the girl from cyber-bullying).
So why do the Zuckerbergs and the Schmidts of this world want to strip it away? It’s not that they’re unaware of the value, even the necessity of anonymity online. It’s not that they really believe that ‘real names’ or ‘total transparency’ are useful or that they could be enforced without state control over the Internet so pervasive and intrusive that it would make the RFP for the Total Information Awareness project look like an EFF ‘best-practices’ document. They’re too smart to drink that particular Kool-Aid.
The various interested parties who have decided that online anonymity and privacy must die always claim that such measures are necessary to ‘protect’ us (as far as I can remember, none of them have ever taken the time to ask us if we want to be protected). But that isn’t really what’s at stake. For companies like Google and Facebook, your real identity is a salable commodity: clinching that would put the capstone on the vast information-gathering exercise that has been sold to us as ‘social networking’. Simply put, the end to anonymity serves their interests.
Not ours.
Going back over my post about Google Social Search, which I wrote in haste last night after the new feature was pointed out to me by a somewhat agitated friend, it looks to me as if I may have been wrong about some of the pitfalls of the new system.
The potential privacy killer is the exposure of private second-order contacts. But re-reading Google’s documentation more closely today, it turns out that Google already has a notion of ‘public’ and ‘private’ contacts. ‘Private’ contacts include your Google chat list and Google contacts, and according to the documentation, these are not shared, and will not be used to “expand your social circle”. So it looks as if the sky may not be falling after all.
I apologize for misleading you all, and for maligning Google. It seems that they have learned something since Buzz.
But systems such as Social Search are not risk-free. Google’s position is that they don’t make anything public that wasn’t already public. That’s as it should be, but it’s worth bearing in mind that what Google is doing is to make obvious what’s already public. Yes, all the individual links that make up your implicit social graph may be ‘out there’, but most people won’t necessarily connect all the dots. Tools like Social Search take the complete picture and dump it in your lap.
It’s easy enough to dream up scenarios in which that can still turn around and bite you. Your strait-laced Aunt Hettie may enjoy visiting your personal website full of kitten pictures, unaware that you’re also an active member of a flourishing bondage’n’spanking online community. The day that you inadvertently create a graph link that spans your separate personae, Google Social Search is going to make all the connections and give Aunt Hettie something to think about over her breakfast coffee.
You did it to yourself, says Google. All the information was there. We just put it all together. They’re right, but that doesn’t mean that it isn’t a problem. In general, people aren’t good at thinking about what you might call the calculus of privacy: what connects to what, who has permission to see what, and how they interact. Part of it is that we just don’t think that way yet. But part of it is that the rules keep changing. Just when you think you’ve got it figured out, Google (or whoever) will add a new way of inferring connections and suddenly the whole shape of the graph has changed in ways you never imagined.
There’s another problem. Tools for managing this new ball of wax are either non-existent or ill-adapted. Google says proudly “You control who is part of your circle”, and goes on to list ways that you can do that. But the suggestions seem to amount to changing the social graph itself by removing a person (or a network). If you detect a potential exposure, the recommended fix is to take a machete to your social network.
This seems unsatisfactory. Tools designed for one purpose - such as managing your social network - are usually inadequate for another - such as protecting your privacy or controlling your online persona. If your connection to your friend Joe reveals something about you that you don’t like, Google’s answer is that you should break that connection. But when you do that, you lose whatever functionality comes from the connection.
Let’s make that more concrete with an example (not a privacy example this time, but analogous problems exist in that space as well). Suppose Joe tends to write embarrassing drunken rants on every subject under the sun. Each time you do a search, Google’s Social Search feature brings up a couple of Joe’s inebriated screeds, which may not be what you want even when the boss isn’t looking over your shoulder. But Joe’s in your social graph, and the only way to get him out of there is to remove him from your chat contact list and your Gmail address book. To manage one feature - Social Search - you’re forced to reduce the utility of two others - chat and email. Surely that’s not the way it’s supposed to be.
Connections in the social graph are overloaded. Applications built on social networking such as Google Social Search assign a ‘meaning’ to those connections that may be quite different from the ‘meaning’ intended by the user. The connections that the user creates end up being used in ways that he or she did not anticipate or intend, yet there are no tools available to let the user correct or control the way that the graph is used or interpreted. The only tools provided are tools for editing the graph itself.
It’s unrealistic to think that we can stop Google or Facebook or anyone else from adding new whizzbang features that stitch together what people reveal about themselves online and use it in ways that we never anticipated. It’s also unrealistic to think that we can ever predict the ramifications of putting any single piece of information out there (or, equally often, having it put out there by someone else). But there ought to be a middle-ground between withdrawing from online life entirely or accepting that our online persona - the sum total of information that can be learned about us online - is completely out of our control.
If someone like Google wants to think about how to build tools to give users real, flexible control over their personal information, that will impress me a great deal more than their questionably-useful Social Search.
[CORRECTION: This post contains a significant error, which I explain in this post. But while the issues with Social Search aren’t as bad as I claim here, it’s still not problem-free.]
Remember the Google Buzz fiasco? In their eagerness to roll out their latest whizz-bang new killer feature (by the way, does anyone still use Buzz?), Google didn’t bother to think about - or deliberately chose to ignore - the potential privacy implications of their model and ended up exposing everyone’s contacts. A predictable outcry followed, and Google was forced to walk it all back and put in the protections that should have been in there from the start.
But that’s all in the past now, and Google have learned their lesson, haven’t they? Well, no. Because now they’ve launched Google Social Search, another exciting innovation we didn’t need that … leaks all your contact information all over again.
How does it do that? If you’re logged in when you search for something, Google will show results that are somehow related to your ‘social circle’. Google assembles your social circle by the usual connectivity voodoo - digging through your Gmail contacts, your Google reader subscriptions and so forth. So far, there’s no great cause for alarm. But Google also includes second-order contacts - friends of your friends - in the results. And that’s where the trouble starts.
To illustrate the problem, suppose you are a married man who has been secretly carrying on with the local femme fatale. Your wife does a search for that charming little restaurant where you celebrate your wedding anniversary, and uncovers a glowing review written by that shameless hussy, accompanied by a helpful note from Google explaining that she shows up in the results because she’s a friend of yours. Marital ructions ensue.
Or you’re considering leaving your job at WidgetCo and have been sending out copies of your resume. When your boss searches for something, his social search results suddenly include half a dozen recruiters and the CEO of rival GadgetCorp, all tagged as contacts of yours. Problematic, no?
The possible scenarios go on and on. Subscribe to a mailing list for wombat fetishists? One lucky search hit and the whole world can know about your fondness for those winsome marsupials. And so on. And so on.
Friend-of-a-friend (FOAF) leaks are one of those nasty social networking gotchas that most users don’t think about. Apparently Google didn’t think about this one either because - even after the Buzz mess - they went ahead and engineered it straight into their new baby. What they didn’t do, of course, is provide any way for you to opt-out. There’s no mechanism for saying “No, dammit, don’t expose my list of private contacts to all my friends.” And unlike Buzz, which at least you had to start using before it could out all your contacts, Google Social Search will go ahead and expose your friends without you lifting a finger. I guess they call that progress.
So here we go again. Once again, we need to make a noise and get Google to undo their latest piece of thoughtlessness before it starts messing up people’s lives.
I’ve just been looking at some of the coverage of Google’s ChromeOS, and it leaves me slightly bewildered.
The first thing that I looked at was a video demo by the Chrome project manager. In it, he stresses is that “all your data is in the cloud”. Does that mean that your ChromeOS netbook will be essentially unusable if you don’t have a net connection? If so, that’s a dealbreaker right there. Internet access is by no means as ubiquitous as Google might like to pretend, even within the United States. You could pay for an EVDO card, of course, but with plans starting at $40/month, the price of your handy-dandy netbook just doubled. Moreover, as anyone who owns a mobile phone knows, even paying $40/month doesn’t guarantee you a signal. How happy would you be with your present computer if the hard disk was simply inaccessible from time to time?
If using ChromeOS means that from time to time your netbook will become a lightweight, highly-portable brick, they aren’t going to have a lot of takers.
While I’m nitpicking, let’s take a shot at the aesthetics. ChromeOS looks like the Chrome browser, which is to say it looks like ass. I actually used the Chrome browser for a while as my main browser but I never loved the way it looked. They’ve gone in for the kind of pointless reinvented look-and-feel that you get when people who don’t normally write software have to roll their own. If you’ve ever used the bundled software that ships with a piece of hardware - a hard drive, for example, or a digital camera - you’ll know what I mean. Google has time to fix that, of course, but I wonder if they will.
A more serious objection has to do with the fact that the UI is essentially modeled on a web browser (for the very good reason that that’s what it is). Unfortunately, anyone who has tried to use a web browser to do real work for any length of time will have noticed that as user experiences go, it’s definitely second-rate. There’s a reason why modern GUI’s don’t look and behave like web browsers. Extending the web browser metaphor to the entire UI is a recipe for suck.
One thing that did intrigue me was a throwaway remark in the ChromeOS GUI concept video. The developer says that “when you log in to any ChromeOS device, you resume your previous session”. What’s not clear from the demo is whether the session is stored in the cloud, or on the local device. If it’s the former - and it might as well be, given that the whole OS has a cloud-dependency built-in - that could go some way to reconciling me to the cloud-centric nature of the OS. The idea of having a ‘virtual workspace’ that you can access from any machine actually has some appeal. (When I worked at Sony, I did some proof-of-concept work on an agent-based virtual desktop as a kind of personal skunkworks project: I still think it’s an idea whose time might yet come). I travel from time to time; I like the idea that I could sit down in a cybercafe, log in and have my private environment instantly there, just the way I left it. Currently, of course, that’s not such a great idea. Developing-world cybercafes all run Windows, which means that their machines tend to be a soup of viruses and spyware. Ten seconds after you logged in, the keyloggers would own your workspace. But one of the pitch points for ChromeOS is supposedly security. If Google could deliver on that, a ChromeOS-equipped cybercafe might actually be a place where you wouldn’t fear to log in.
One final cause for concern is that Google’s ChromeOS may be aimed at tying you ever more closely to the mothership: your ‘applications’ are, of course, GMail, and Google Docs, and whatever else Google comes up with between now and then. That’s an approach that has never made me comfortable, and not just for the reasons hinted at in this cartoon. I don’t like the increasing trend towards engineered-in dependencies on a particular corporation (Apple, I’m looking at you too). I want a computer to be a tool that I use, not a way for a large company to sneak a mini-mall into my home.
There’s an opportunity here for open-source. If ChromeOS does prove to be tied uncomfortably closely to Google, how hard would it be to build a similar lightweight web-OS based on a Linux kernel and WebKit? Make it truly open, so that the user would have free choice of which web applications they use. Some users would want to use it with open-source web-apps running on their own server, just to make sure that they really own their own data. Others might be satisfied with something run on a third-party service or even on Google. It doesn’t matter. But if we have to have web-based OS’s, let’s make them open the same way that the web is open, rather than having them tied to a single huge and increasingly pervasive provider.
