This is a personal tumbleblog, intended for random musings and snippets. I have a somewhat more structured travel and photo blog at disoriented.net, and a neglected vanity site at raingod.com.

Posts Tagged: bugs

Text

We live in the future. More specifically, we live in William Gibson’s cyberpunk future.

Microsoft has acknowledged the existence of a bug affecting ‘all versions of Windows’ that allows attackers to trigger execution of malicious software via a shortcut link. It’s a serious bug, and one that’s apparently ripe for exploitation.

The flaw is already being exploited, and experts predict more attacks will follow. What’s interesting, however, is that the first observed attacks using the exploit have an unusual goal. Instead of trying to turn the hijacked home or office PCs into spam relays, pestering their unlucky owners with ads, or trying to steal passwords and credit card numbers - the standard repertoire - the attack targeted systems used as controllers for industrial machinery. Moreover, according to information put out by Siemens, the goal of the malware wasn’t to disrupt the connected systems (a recurrent nightmare scenario in a world where heavy machinery and essential utilities are increasingly controlled by computers running mass-market OS’s), but to “steal secrets from manufacturing plants and other industrial facilities”.

Computer hackers using sophisticated malware to conduct corporate espionage? This is the stuff of cyberpunk fiction. The future’s so bright, we gotta wear mirrorshades.

Text

Over the past few days, I’ve been loosely following some of the discussion of Facebook’s Open Graph API and the Like button, as well as their ever-eroding privacy policy. I’ve started to think about alternatives not just to Facebook, but also to the rather anaemic and underwhelming OpenLike proposal. And I’ve gone through the usual ritual of revisiting my Facebook page, trimming down my personal data still more, and setting any privacy options I can find on Facebook’s maze of twisty little settings pages to their most restrictive settings.

That last exercise seems particularly pointless. Facebook has finally identified their business model, and it appears to be to leak your personal data as widely and as often as possible. It’s reached the point where trying to limit who can view your information looks like an exercise in comic futility. Don’t run Facebook apps because you don’t want the developers of MafiaFishFarmVille to have access to all your personal information? Nice try, but all it takes is for one of your friends to sign up - and they will - and you’re busted. Unless, of course, you can find the magical checkbox that says not to share your information, in which case you’re safe … until Facebook changes their policy again.

Even when Facebook isn’t trying to be evil, there are the bugs. One recently-disclosed Facebook bug secretly added apps to your profile when you visited certain websites. Another bug exposed private chat sessions. And these are just the tip of the iceberg (icebug?). I don’t think Facebook are in control any more. The platform is too big and too complex, with too many interacting permissions and features. The constantly changing policies and the management’s drive to build a business around selectively allowing access to personal data must add up to a nightmare for the engineers who have to try to keep things consistent. When the pressure from higher up is to constantly open loopholes in what might once have been a simple and solid privacy architecture, something has to give. I expect to see at least one truly spectacular exposure before the end of the year.

All this was brought to the forefront of my consciousness this morning by three things that happened almost simultaneously. The first was a message from one friend saying that he was leaving Facebook for more or less the reasons outlined above. The second was the following tweet from my friend and colleague Nathan. And the third was going to CNN’s website and seeing a sidebar that said “Chan _____ recommends this story”. I blinked at that one for a moment, and thought “How the fuck? Oh, right. Facebook.”

I didn’t pick the page apart to see how that one was engineered. I didn’t need to. The mere fact that I could see a friend’s name on a CNN web page meant that someone now knew more about me than they needed to. It doesn’t matter if it’s done on the back end or the front. If a web page can greet you in the name of a friend, it means that it knows who you are and a good deal more besides.

So I’m seriously considering leaving Facebook as well. I don’t even like Facebook, or use it very much. It’s not just that I find the interface clunky and hard to navigate. It’s that I don’t want to give worthless (but costly) imaginary presents, I don’t want to nurture lonely brown cows in Farmville, and I’m not even particularly inclined to wallow in the stream of distractabilia poured out by all my friends. I like my friends, I really do, but I don’t need to know every fleeting thought that passes through their minds or keep up with the latest in funny kitten videos.

What Facebook does offer - aside from a place to spam links to my own non-Facebook Internet projects - is a way to keep in touch with a network of friends scattered across the globe. I like the fact that I can count on finding a reasonably-current contact address for folks with whom I’d like to stay in touch. I like the serendipitous rediscovery of old friends. That is the part of Facebook’s value proposition that makes me reluctant to cut the cord. But that may not be all.

I’ve long been a fan of Roger Zelazny’s book “My Name is Legion”, whose hero enjoys the privileged position of being the only person on Earth whose identity is not indexed in the central computer. In reality, however, his power comes not from his anonymity but from his ability to create new identities at will. As Facebook and its imitators increasingly insert themselves into the structure of the Web, those who opt out of the network may find themselves not liberated but limited. That’s certainly Facebook’s goal: to make their offering so compelling, so ubiquitous, so essential that un-citizens - legionnaires? - without a Facebook identity will be cut off from important slices of functionality.

So we need alternatives. I’d like to do an end run around all that. I’m starting to think increasingly about how to build open systems that offer all the social features that we enjoy from Facebook, from Twitter, from Tumblr, and all the rest of them, but do so in a way that is distributed and removed from central control. It’s pretty clear that companies like Facebook can’t be trusted to store and manage our personal information. The obvious conclusion is that we should do it ourselves.