This is a personal tumbleblog, intended for random musings and snippets. I have a somewhat more structured travel and photo blog at disoriented.net, and a neglected vanity site at raingod.com.

Posts Tagged: privacy

EFF Gets Straight Privacy Answers From Amazon About New "Silk" Tablet Browser

The Electronic Frontier Foundation has got some answers from Amazon about possible risks associated with the Silk browser technology. The responses are fairly encouraging: it sounds as if Amazon has thought about the issues and tried quite hard to respect user privacy.

Text

Whenever a government wants to justify its latest intrusion into people’s electronic privacy, it usually does so by appeal to one of the Four Horsemen of the Infocalypse. Membership of this prestigious group is a little ill-defined, but the usual formulation is that it is made up of terrorists, pedophiles, drug dealers and organized criminals. As no one could possibly be in favor of any of these groups - so the logic goes - the government is justified in proposing whatever measures it wants to deal with them.

In recent years, the four have been joined by a fifth, copyright pirates. This is a harder sell because while most people aren’t pedophiles or terrorists, you have to look quite hard before finding someone who has never downloaded music or movies. People who might not blink when you tell them that you need to read everyone’s email to protect us all against Osama bin Laden and the international pedophile conspiracy are not quite so ready to believe that extreme measures are needed to deal with everyone who downloaded an illegal copy of “Born this Way”.

Now the five have been joined by a sixth and it is … wait for it … Internet trolls.

Randi Zuckerberg, sister of Mark, has recently declared that online anonymity “has to go away”. The reason? Antisocial behavior on line. If everyone were forced to use their real name, there’d be no more cyber-bullying and no more trolls. Apparently, Internet trolling is now a threat of the same order of magnitude as terrorism and child molesting, which is either very bad or very good news, depending on how you interpret it.

Facebook isn’t alone in calling for anonymity to be stripped away. Eric Schmidt of Google has also proposed an end to anonymity as a cure for the ills of the Internet. Schmidt actually goes further than Zuckerberg, predicting that a ‘verified name service’ will eventually be required to protect against ‘asynchronous threats’ (the Horsemen, presumably) and calling for ‘true transparency and no anonymity’. And Google’s newly-launched Plus service has recently lost some of its shine after a ham-fisted attempt to enforce a ‘real names’ policy.

While I would be the last person to question the truth of John Gabriel’s Greater Internet Fuckwad Theory, I have some doubts about these proposals. For one thing, as any child can tell you, lack of anonymity has never been an obstacle to real world bullies. For another, short of the Orwellian ‘verified name service’ proposed by Mr Schmidt, it will always be possible to circumvent attempts to force users to use their ‘real names’. For still another, it’s pretty much certain that all this transparency is only going to flow one way. It will be individuals who are required to live by Mr Schmidt’s rules of ‘true transparency and no anonymity’. Governments and corporations, as ever, will be exempt.

Defenders of privacy have pointed out that while trolls and bullies may shelter behind anonymity, so too do opponents of repressive governments, political activists, corporate whistleblowers and battered wives. And so do ‘ordinary’ users: in a world of ‘total transparency’ where every utterance can be tied to a name and a real-world identity, how many people would dare to post so much as a bad restaurant review or a dissenting opinion? There’s no shortage of people, on the Internet or off it, who are willing to lash out against anyone who disagrees with them or calls them out on their own bad behavior. Anonymity might indeed facilitate misbehavior online, but to a still greater extent it protects us against the thugs and the bullies. (A friend of mine recently told me that she wants to create a Facebook account for her young daughter, using a fake name and an untraceable email address. Why? Because she sees a fake identity as the only effective way to protect the girl from cyber-bullying).

So why do the Zuckerbergs and the Schmidts of this world want to strip it away? It’s not that they’re unaware of the value, even the necessity of anonymity online. It’s not that they really believe that ‘real names’ or ‘total transparency’ are useful or that they could be enforced without state control over the Internet so pervasive and intrusive that it would make the RFP for the Total Information Awareness project look like an EFF ‘best-practices’ document. They’re too smart to drink that particular Kool-Aid. 

The various interested parties who have decided that online anonymity and privacy must die always claim that such measures are necessary to ‘protect’ us (as far as I can remember, none of them have ever taken the time to ask us if we want to be protected). But that isn’t really what’s at stake. For companies like Google and Facebook, your real identity is a salable commodity: clinching that would put the capstone on the vast information-gathering exercise that has been sold to us as ‘social networking’. Simply put, the end to anonymity serves their interests.

Not ours.

Text

Back in 2002, riding the tide of post-9/11 paranoia, the Bush administration briefly flirted with a project to harvest and analyze vast amounts of personal information about American citizens, culled from databases and electronic communications. The project, usually referred to as ‘Total Information Awareness’, but officially known as the Information Awareness Office, was headed up by former Iran-Contra conspirator Admiral John Poindexter, a man so creepily-uncharismatic that you had to wonder if they’d only picked him because Cthulhu couldn’t get the necessary security clearances. Just to make sure that no one could fail to get the message, they then apparently launched an internal competition to see who could come up with the most horrifying logo for the project. The winning entry, depicting a menacing eye-in-a-pyramid turning its baleful gaze on the world over the Latin phrase “Knowledge is Power”, was so repellent that even Congress finally woke from its perpetual slumber and voted to defund the whole vile enterprise.

The cynics among us - myself included - simply commented that TIA would be back, and that next time it would surface in the private sector, where it wouldn’t be subject to the same kind of control or oversight as a government project.

And so, gentle reader, it came to pass. TIA’s new incarnation is called Project Vigilant, and its self-declared mission is to ‘Attribute Actions to Actors’. In case that seems a little vague to you (do they also attribute thoughts to thinkers and speech to speakers, to say nothing of vision to seers, or is that outside their remit?), Glenn Greenwald over at Salon does a fine job of summarizing what we know about Project Vigilant.

Project Vigilant (which should really be written with a final ‘e’) has been in the news recently because it turns out that ex-hacker Adrian Lamo is one of their ‘volunteer members’. And Lamo has been in the news because he was the person who turned in Specialist Bradley Manning, the soldier who (allegedly) provided Wikileaks with large quantities of classified information. Quite how Manning came to be in contact with a man who, in hindsight, was probably one of the worst people in the world that he could have chosen to confide in is probably an interesting story. Greenwald drops some hints, but declines to speculate.

Instead, he focuses on Project Vigilant itself, a ‘volunteer organization’ that “collects vast amount of private data about the Internet activities of millions of citizens, processes that data into usable form, and then … turns it over to the U.S. Government”. You’d think that violating everyone’s privacy on that scale would be a time-consuming and expensive activity, but evidently the patriots of the Project count not the cost. Moreover, according to Greenwald, they enjoy some remarkably privileged access: no less than a dozen US Internet providers are reportedly sharing data with Project Vigilant, data that the Project then massages and supplies in an easily-digestible form to the government. The Project claims to be able to track a quarter of a trillion IP addresses a day, and “develop portfolios on any name, screen name or IP address.”

So we have an ostensibly private organization - wholly immune to any scrutiny or control - with privileged access to data from ISPs, engaged in packaging up information about American citizens and turning it over to the government. I say ‘ostensibly’ because this kind of activity sounds like it would require fairly deep pockets, even if only for the infrastructure needed to process the data. And that’s assuming that the workforce are indeed all ‘volunteers’, and that the ISPs are handing over all their data for free just out of the goodness of their patriotic souls. Call me a cynic, but I can’t help wondering if the relation between Project Vigilant and Poindexter’s old total awareness infowarriors (or their successors) is really quite so hands-off as we are being led to believe. What are the odds, say, that some of that useful ISP data is actually flowing out of those secret wiretap rooms at the telcos and that at least some of Vigilant’s costs are being met, directly or indirectly, by way of a line item in a black budget somewhere? 

We may never know. What’s interesting is that, if the Examiner is to be believed, Project Vigilant has been operating for more than a decade, which would mean that it was actually launched before America woke up and smelled the post-9/11 paranoia, and long before Congress ordered that Admiral Poindexter’s unlovely child should be taken out back and quietly suffocated. This is enough to make you wonder if Poindexter’s Information Awareness Office was no more than a distraction, a built-to-fail red herring whose demise would simply accelerate the transfer of state surveillance to the private sector.

If you didn’t like the idea of the government peering into every nook and cranny of your electronic life, you probably won’t feel any more comfortable with the knowledge that the work is being done by a still less accountable private organization. If the idea of government spooks rummaging through your personal data and compiling secret dossiers on you makes you a little queasy, you’re really not going to like the idea of the work being done by anonymous and unsupervised ‘volunteers’ - volunteers such as convicted hacker Adrian Lamo. And while the government almost certainly ‘facilitated’ access to some of the data being scanned by Vigilant - it’s a safe bet that when the Project knocked on the doors of the ISPs and suggested that they might like to hand over their traffic records, they had at least a letter of introduction from someone in Washington - there’s probably nothing in Vigilant’s charter that says that the results of their research have to be shared only with the government.

In many other countries, something like Project Vigilant probably couldn’t (officially) exist, because it would instantly fall foul of strong data protection laws. But US data protection laws are remarkably weak, and there are strong interests that would like to keep them that way. Don’t look for any help from that quarter. 

Of course, according to Greenwald, Vigilant isn’t the only private-sector entity in a cosy data-sharing arrangement with the government. There’s also Infragard, a ‘partnership’ between some 23,000 businesses and the FBI that gives the Bureau access to all the data those businesses happen to have collected on you. Among its founding members, Infragard counts Chet Uber, executive director of … Project Vigilant. Take a moment now to get over your surprise.

Even allowing for the possibility that Vigilant is exaggerating its capabilities, it’s clear that private sector organizations are now engaged in a data gathering exercise that has no historical precedent. The interested parties, of course, trot out the usual “If you’re not doing anything wrong, you have nothing to fear” line, a phrase that is now recognized as the surveillance state’s formal way of saying “Ha ha, fuck you”.

Because — as experience has shown — even if you aren’t doing anything wrong, there are a great many things to fear. And somewhere close to the top of that list are secretive corporate cyber-Stasis like Project Vigilant and Infragard, operating in a comfortable gray area outside the law and subject to absolutely no oversight or control.

Text

Going back over my post about Google Social Search, which I wrote in haste last night after the new feature was pointed out to me by a somewhat agitated friend, it looks to me as if I may have been wrong about some of the pitfalls of the new system.

The potential privacy killer is the exposure of private second-order contacts. But re-reading Google’s documentation more closely today, it turns out that Google already has a notion of ‘public’ and ‘private’ contacts. ‘Private’ contacts include your Google chat list and Google contacts, and according to the documentation, these are not shared, and will not be used to “expand your social circle”. So it looks as if the sky may not be falling after all.

I apologize for misleading you all, and for maligning Google. It seems that they have learned something since Buzz.

But systems such as Social Search are not risk-free. Google’s position is that they don’t make anything public that wasn’t already public. That’s as it should be, but it’s worth bearing in mind that what Google is doing is to make obvious what’s already public. Yes, all the individual links that make up your implicit social graph may be ‘out there’, but most people won’t necessarily connect all the dots. Tools like Social Search take the complete picture and dump it in your lap.

It’s easy enough to dream up scenarios in which that can still turn around and bite you. Your strait-laced Aunt Hettie may enjoy visiting your personal website full of kitten pictures, unaware that you’re also an active member of a flourishing bondage’n’spanking online community. The day that you inadvertently create a graph link that spans your separate personae, Google Social Search is going to make all the connections and give Aunt Hettie something to think about over her breakfast coffee.

You did it to yourself, says Google. All the information was there. We just put it all together. They’re right, but that doesn’t mean that it isn’t a problem. In general, people aren’t good at thinking about what you might call the calculus of privacy: what connects to what, who has permission to see what, and how they interact. Part of it is that we just don’t think that way yet. But part of it is that the rules keep changing. Just when you think you’ve got it figured out, Google (or whoever) will add a new way of inferring connections and suddenly the whole shape of the graph has changed in ways you never imagined.

There’s another problem. Tools for managing this new ball of wax are either non-existent or ill-adapted. Google says proudly “You control who is part of your circle”, and goes on to list ways that you can do that. But the suggestions seem to amount to changing the social graph itself by removing a person (or a network). If you detect a potential exposure, the recommended fix is to take a machete to your social network.

This seems unsatisfactory. Tools designed for one purpose - such as managing your social network - are usually inadequate for another - such as protecting your privacy or controlling your online persona. If your connection to your friend Joe reveals something about you that you don’t like, Google’s answer is that you should break that connection. But when you do that, you lose whatever functionality comes from the connection.

Let’s make that more concrete with an example (not a privacy example this time, but analogous problems exist in that space as well). Suppose Joe tends to write embarrassing drunken rants on every subject under the sun. Each time you do a search, Google’s Social Search feature brings up a couple of Joe’s inebriated screeds, which may not be what you want even when the boss isn’t looking over your shoulder. But Joe’s in your social graph, and the only way to get him out of there is to remove him from your chat contact list and your Gmail address book. To manage one feature - Social Search - you’re forced to reduce the utility of two others - chat and email. Surely that’s not the way it’s supposed to be.

Connections in the social graph are overloaded. Applications built on social networking such as Google Social Search assign a ‘meaning’ to those connections that may be quite different from the ‘meaning’ intended by the user. The connections that the user creates end up being used in ways that he or she did not anticipate or intend, yet there are no tools available to let the user correct or control the way that the graph is used or interpreted. The only tools provided are tools for editing the graph itself.

It’s unrealistic to think that we can stop Google or Facebook or anyone else from adding new whizzbang features that stitch together what people reveal about themselves online and use it in ways that we never anticipated. It’s also unrealistic to think that we can ever predict the ramifications of putting any single piece of information out there (or, equally often, having it put out there by someone else). But there ought to be a middle-ground between withdrawing from online life entirely or accepting that our online persona - the sum total of information that can be learned about us online - is completely out of our control.

If someone like Google wants to think about how to build tools to give users real, flexible control over their personal information, that will impress me a great deal more than their questionably-useful Social Search.

Text

[CORRECTION: This post contains a significant error, which I explain in this post. But while the issues with Social Search aren’t as bad as I claim here, it’s still not problem-free.] 

Remember the Google Buzz fiasco? In their eagerness to roll out their latest whizz-bang new killer feature (by the way, does anyone still use Buzz?), Google didn’t bother to think about - or deliberately chose to ignore - the potential privacy implications of their model and ended up exposing everyone’s contacts. A predictable outcry followed, and Google was forced to walk it all back and put in the protections that should have been in there from the start.

But that’s all in the past now, and Google have learned their lesson, haven’t they? Well, no. Because now they’ve launched Google Social Search, another exciting innovation we didn’t need that … leaks all your contact information all over again.

How does it do that? If you’re logged in when you search for something, Google will show results that are somehow related to your ‘social circle’. Google assembles your social circle by the usual connectivity voodoo - digging through your Gmail contacts, your Google reader subscriptions and so forth. So far, there’s no great cause for alarm. But Google also includes second-order contacts - friends of your friends - in the results. And that’s where the trouble starts.

To illustrate the problem, suppose you are a married man who has been secretly carrying on with the local femme fatale. Your wife does a search for that charming little restaurant where you celebrate your wedding anniversary, and uncovers a glowing review written by that shameless hussy, accompanied by a helpful note from Google explaining that she shows up in the results because she’s a friend of yours. Marital ructions ensue.

Or you’re considering leaving your job at WidgetCo and have been sending out copies of your resume. When your boss searches for something, his social search results suddenly include half a dozen recruiters and the CEO of rival GadgetCorp, all tagged as contacts of yours. Problematic, no?

The possible scenarios go on and on. Subscribe to a mailing list for wombat fetishists? One lucky search hit and the whole world can know about your fondness for those winsome marsupials. And so on. And so on.

Friend-of-a-friend (FOAF) leaks are one of those nasty social networking gotchas that most users don’t think about. Apparently Google didn’t think about this one either because - even after the Buzz mess - they went ahead and engineered it straight into their new baby. What they didn’t do, of course, is provide any way for you to opt-out. There’s no mechanism for saying “No, dammit, don’t expose my list of private contacts to all my friends.” And unlike Buzz, which at least you had to start using before it could out all your contacts, Google Social Search will go ahead and expose your friends without you lifting a finger. I guess they call that progress.
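To make the friend-of-a-friend exposure concrete, here is an added example (not Google’s code, and not the blog’s own): a toy social graph with ‘public’ and ‘private’ edges, where a viewer’s circle is expanded two hops out either through every edge (the behaviour this post feared) or only through public edges (the rule the later correction quotes from Google’s documentation). The names and edges are constructed.

```python
"""Friend-of-a-friend (FOAF) exposure in a social-search model.

Added illustration, not Google's code: a tiny graph with 'public' and
'private' edges, plus a circle-expansion rule that optionally follows
private edges out to second-order contacts. Names and edges are constructed.
"""
from collections import deque

# Constructed graph: each edge is (a, b, kind), kind in {"public", "private"}.
# 'private' stands for chat lists / address-book contacts, which the
# corrected post says are NOT used to expand anyone else's circle.
EDGES = [
    ("wife", "husband", "public"),            # both list each other publicly
    ("husband", "femme_fatale", "private"),   # only in his Gmail contacts
    ("husband", "restaurant_blogger", "public"),
    ("boss", "employee", "public"),
    ("employee", "recruiter", "private"),     # only in the employee's address book
]


def build_graph(edges):
    """Undirected adjacency map: node -> {neighbour: kind}."""
    graph = {}
    for a, b, kind in edges:
        graph.setdefault(a, {})[b] = kind
        graph.setdefault(b, {})[a] = kind
    return graph


def social_circle(graph, viewer, depth=2, expand_private=False):
    """Return {contact: hops} for everyone within `depth` hops of `viewer`.

    The viewer's own first-order contacts are always included, public or
    private: they are the viewer's own relationships. Expanding *past* a
    contact to that contact's contacts follows private edges only when
    expand_private is True, which is the leaky behaviour the post feared.
    """
    seen = {viewer: 0}
    queue = deque([viewer])
    while queue:
        node = queue.popleft()
        hops = seen[node]
        if hops >= depth:
            continue
        for nbr, kind in graph.get(node, {}).items():
            if nbr in seen:
                continue
            # Beyond the viewer's own edges, respect the private flag.
            if hops > 0 and kind == "private" and not expand_private:
                continue
            seen[nbr] = hops + 1
            queue.append(nbr)
    del seen[viewer]
    return seen


def leaked_by_private_edges(graph, viewer):
    """Contacts the viewer sees only because someone else's private edge was followed."""
    leaky = social_circle(graph, viewer, expand_private=True)
    strict = social_circle(graph, viewer, expand_private=False)
    return sorted(set(leaky) - set(strict))


def who_learns_about(graph, contact, expand_private):
    """Viewers who get `contact` in their results purely as a friend-of-a-friend."""
    return sorted(
        v for v in graph
        if v != contact
        and social_circle(graph, v, expand_private=expand_private).get(contact) == 2
    )


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for viewer in ("wife", "boss"):
        print(viewer, "sees via private edges:", leaked_by_private_edges(GRAPH, viewer))
    print("learn about femme_fatale (leaky):", who_learns_about(GRAPH, "femme_fatale", True))
    print("learn about femme_fatale (strict):", who_learns_about(GRAPH, "femme_fatale", False))
```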

So here we go again. Once again, we need to make a noise and get Google to undo their latest piece of thoughtlessness before it starts messing up people’s lives.

mikehudack:

soupsoup:

You wanna freak out over Facebook? OK, here’s one for you.

Anyone using the Xobni plug-in for Outlook, which these days, many Fortune 500 companies do, will see your main Facebook profile photo pop up when you email them.

I’ve seen some pretty hilarious ones from clients I work with, and it really might be one of the biggest cautionary tales of why you shouldn’t be on Facebook, or at least be a little more careful about what you put on it.

The other day I went through my Facebook account and stripped out all the email addresses that Facebook had somehow deduced for me, leaving just the address that I used when I signed up for Facebook. That’s a ‘tagged’ address that has only been used for Facebook. I certainly won’t be using it when I send out any business email.

Of course, using an address that isn’t used anywhere else means that people won’t be able to search for me on Facebook by my email address, but that’s probably also a win. And at least future business contacts won’t be startled by a picture of me swinging an axe (actually, it’s a splitting maul).

Tagged disposable email addresses make more sense than ever. If you don’t want to use a commercial service, drop $10 on a domain name from a registrar that throws in email forwarding as part of the service. Or, if you want to get fancy and you have your own server, use Mail::Audit and roll your own custom mail-handler.

Source: soupsoup
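The tagged-address approach mentioned above, as an added example that is not the blog’s own Mail::Audit handler: a standard-library Python router that delivers mail for an active tag only when it comes from the service the tag was given to, quarantines mail that reaches a tag from anyone else (a sign the address has leaked or been shared), and drops mail to burned or unknown tags. The domain, the tags and the sample messages are constructed.

```python
"""Routing for per-service ('tagged') disposable addresses.

Added example, not the blog's Mail::Audit handler: the same idea in Python
using only the standard library. The domain, tags and messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.invalid"  # constructed; a domain with mail forwarding

# Registry of tags, each handed out to exactly one service. 'expect' is the
# domain that service mails from; once a tag is retired its status becomes
# 'burned' and anything sent to it is dropped.
TAGS = {
    "fb-2010": {"service": "facebook", "expect": "facebookmail.com", "status": "active"},
    "shop-x":  {"service": "shopx",    "expect": "shopx.example",    "status": "burned"},
}


def recipient_tags(msg):
    """Local parts of our own domain found in To/Cc; the local part is the tag."""
    tags = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == MY_DOMAIN:
            tags.append(local.lower())
    return tags


def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def route(raw, registry=TAGS):
    """Decide what to do with one raw RFC 822 message.

    Returns (action, detail):
      ('deliver', folder)   tag active and sender is the expected service
      ('quarantine', note)  tag active but mail came from somewhere else:
                            the address has leaked or been passed on
      ('drop', reason)      burned or unknown tag, or none of our addresses
    """
    msg = message_from_string(raw)
    tags = recipient_tags(msg)
    if not tags:
        return ("drop", "no address of ours in To/Cc")
    tag = tags[0]
    entry = registry.get(tag)
    if entry is None:
        return ("drop", f"unknown tag {tag}")
    if entry["status"] == "burned":
        return ("drop", f"burned tag {tag}")
    sdom = sender_domain(msg)
    if sdom == entry["expect"] or sdom.endswith("." + entry["expect"]):
        return ("deliver", entry["service"])
    return ("quarantine", f"tag {tag} for {entry['service']} used by {sdom or '<none>'}")


# Constructed sample messages.
LEGIT = ("From: Facebook <notification@facebookmail.com>\n"
         "To: fb-2010@example.invalid\nSubject: hi\n\nbody\n")
LEAKED = ("From: Deals <promo@spammer.example>\n"
          "To: <fb-2010@example.invalid>\nSubject: offer\n\nbody\n")
RETIRED = ("From: ShopX <news@shopx.example>\n"
           "To: shop-x@example.invalid\nSubject: sale\n\nbody\n")
UNKNOWN = ("From: Someone <x@somewhere.example>\n"
           "To: guess@example.invalid\nSubject: ?\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("LEAKED", LEAKED),
                      ("RETIRED", RETIRED), ("UNKNOWN", UNKNOWN)):
        print(name, "->", route(raw))
```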

Text

Over the past few days, I’ve been loosely following some of the discussion of Facebook’s Open Graph API and the Like button, as well as their ever-eroding privacy policy. I’ve started to think about alternatives not just to Facebook, but also to the rather anaemic and underwhelming OpenLike proposal. And I’ve gone through the usual ritual of revisiting my Facebook page, trimming down my personal data still more, and setting any privacy options I can find on Facebook’s maze of twisty little settings pages to their most restrictive settings.

That last exercise seems particularly pointless. Facebook has finally identified their business model, and it appears to be to leak your personal data as widely and as often as possible. It’s reached the point where trying to limit who can view your information looks like an exercise in comic futility. Don’t run Facebook apps because you don’t want the developers of MafiaFishFarmVille to have access to all your personal information? Nice try, but all it takes is for one of your friends to sign up - and they will - and you’re busted. Unless, of course, you can find the magical checkbox that says not to share your information, in which case you’re safe … until Facebook changes their policy again.

Even when Facebook isn’t trying to be evil, there are the bugs. One recently-disclosed Facebook bug secretly added apps to your profile when you visited certain websites. Another bug exposed private chat sessions. And these are just the tip of the iceberg (icebug?). I don’t think Facebook are in control any more. The platform is too big and too complex, with too many interacting permissions and features. The constantly changing policies and the management’s drive to build a business around selectively allowing access to personal data must add up to a nightmare for the engineers who have to try to keep things consistent. When the pressure from higher up is to constantly open loopholes in what might once have been a simple and solid privacy architecture, something has to give. I expect to see at least one truly spectacular exposure before the end of the year.

All this was brought to the forefront of my consciousness this morning by three things that happened almost simultaneously. The first was a message from one friend saying that he was leaving Facebook for more or less the reasons outlined above. The second was the following tweet from my friend and colleague Nathan. And the third was going to CNN’s website and seeing a sidebar that said “Chan _____ recommends this story”. I blinked at that one for a moment, and thought “How the fuck? Oh, right. Facebook.”

I didn’t pick the page apart to see how that one was engineered. I didn’t need to. The mere fact that I could see a friend’s name on a CNN web page meant that someone now knew more about me than they needed to. It doesn’t matter if it’s done on the back end or the front. If a web page can greet you in the name of a friend, it means that it knows who you are and a good deal more besides.

So I’m seriously considering leaving Facebook as well. I don’t even like Facebook, or use it very much. It’s not just that I find the interface clunky and hard to navigate. It’s that I don’t want to give worthless (but costly) imaginary presents, I don’t want to nurture lonely brown cows in Farmville, and I’m not even particularly inclined to wallow in the stream of distractabilia poured out by all my friends. I like my friends, I really do, but I don’t need to know every fleeting thought that passes through their minds or keep up with the latest in funny kitten videos.

What Facebook does offer - aside from a place to spam links to my own non-Facebook Internet projects - is a way to keep in touch with a network of friends scattered across the globe. I like the fact that I can count on finding a reasonably-current contact address for folks with whom I’d like to stay in touch. I like the serendipitous rediscovery of old friends. That is the part of Facebook’s value proposition that makes me reluctant to cut the cord. But that may not be all.

I’ve long been a fan of Roger Zelazny’s book “My Name is Legion”, whose hero enjoys the privileged position of being the only person on Earth whose identity is not indexed in the central computer. In reality, however, his power comes not from his anonymity but from his ability to create new identities at will. As Facebook and its imitators increasingly insert themselves into the structure of the Web, those who opt out of the network may find themselves not liberated but limited. That’s certainly Facebook’s goal: to make their offering so compelling, so ubiquitous, so essential that un-citizens - legionnaires? - without a Facebook identity will be cut off from important slices of functionality.

So we need alternatives. I’d like to do an end run around all that. I’m starting to think increasingly about how to build open systems that offer all the social features that we enjoy from Facebook, from Twitter, from Tumblr, and all the rest of them, but do so in a way that is distributed and removed from central control. It’s pretty clear that companies like Facebook can’t be trusted to store and manage our personal information. The obvious conclusion is that we should do it ourselves.