November, 2007


30
Nov 07

Facebook rethinks Beacon

As reported in various blog and print sources, Facebook has announced changes to Beacon, the controversial ad program. According to the reports, there will be a change to the story posting flow, requiring users to approve a story before it is sent to the Newsfeed. This does address some of the concerns regarding information leaks through Beacon.

In a nutshell, when a user on a third-party site sets off a Beacon action, they will be presented with the popup. If the user does nothing, the story will be sent to a queue, rather than to Facebook. The next time a user sets off a Beacon action, they will be presented with a list of stories to send to Facebook, and can select or reject stories as they deem appropriate. Facebook will also make the posting flow clearer, promising prominent notifications when one logs in and is presented stories to approve.

Notably, there is no mention of a global opt-out, which I believe is a mistake. One of the critical problems with Beacon is it breaks boundaries of privacy between sites, and Facebook provides no apparatus for restoring the privacy. As a result, cookie-based pageview tracking will also continue to occur.

While the response to MoveOn’s call has been tepid – 50,000 signees, the response to Facebook Beacon is still coming. Beacon isn’t evenly distributed around the web; one may not use Fandango or Epicurious or read Techcrunch, meaning there are a lot of Facebook users out there still waiting to step on these Beacon privacy landmines. This is a distinctly different situation from Newsfeed, which was extremely direct. This story will evolve; it will be more of a rolling problem.

In other quick news, tomorrow’s Virtual Citizenship and New Technologies Symposium will be broadcast into Second Life. My talk is at 9:30AM (Eastern) if you’re interested, but I’d really recommend checking out the talks of my very esteemed fellow presenters. If the excellent conversation we had at dinner is any indication of what to expect tomorrow, it will be worth your while. Full instructions for the Second Life simulcast are on the Symposium website.


28
Nov 07

Upcoming Conferences: Detroit, Boston, New Haven

This Friday, I’ll be in Detroit, MI speaking at the Wayne State University Virtual Citizenship Symposium. I’m really honored to be part of this symposium; my fellow speakers are Russell Dalton, Wendy Chun and Vernor Vinge. I’ll be talking about collective action and participation in social networks, and I’m trying to figure out how to work some of this new Beacon stuff into my talk. If you’re interested in attending, the symposium is free, and you can find all the necessary information at the symposium’s website.

Via the Complexity and Social Networks Blog, news of a December 7 Conference on Computational Social Science. Speakers include Albert-Laszlo Barabasi, Nosh Contractor, Lada Adamic and a host of other luminaries. This conference is in Cambridge, MA, and is free to attend. The next day, Yale hosts the Symposium on Reputation Economies in Cyberspace. The student fee for this great conference has been dropped to $45, and I highly recommend making the effort to attend. If I wasn’t previously scheduled for travel on these days, I’d be trying to figure out a way to attend both. If you’re in the NY/Boston corridor, this could make for a very nerdy and fun road/train trip.


26
Nov 07

We’re not sheep, you’re just not paying attention

Following MoveOn’s new Facebook membership-drive/petition, a number of important Web 2.0 bloggers have, on cue, posted about privacy apathy. These bloggers argue that we’re sheep, that we don’t care about privacy, and that like Newsfeed, we don’t care about Beacon and our cross-site privacy. These bloggers look at Facebook’s growing numbers, see the impressive trends, and conclude we don’t care about privacy or anything else Facebook does. This logic is flawed, of course – it’s sort of like saying any American who doesn’t renounce their citizenship and move to Canada agrees with President Bush.

Facebook’s brand represents a place, that place being a virtual community made up of our friends, family and contacts. To put it more bluntly, at the macro level, we’re brand agnostic when it comes to social network sites – we go where our friends are. Over the years, we’ve reified the commodity nature of these networks, migrating every few years.

If we think of the space as a commodity, it becomes apparent that the real value of the site is in connection and communication among ties. Therefore, an optimal design strategy for the site is pure transparency, where the site simply acts as the vector for useful connections. A flawless, perfectly efficient flow of information between individuals should be the goal of any social network site.

So if we really imagine Facebook as a collection of our friends, what does the brand entity of Facebook represent? The brand entity of Facebook is governmental; the only time one interacts with Facebook as entity is when they are being controlled or punished. Facebook as brand represents surveillance and domination.

You might be wondering what the point is, so I’ll get to it. For many users, Facebook does represent a community, with friends, strangers, police and government, and an economy running on social and economic capital. While this community is far from democratic, the users and their government have worked out a balance of power, negotiating and re-negotiating this balance as Facebook and new entrants introduce change.

Of course, Facebook users have little individual agency when it comes to political action. Yes, they can join groups, or add a protest application, but short of committing Facebook suicide, what can they do? The protest action comes in the form of privacy. Over the past three years, privacy has skyrocketed inside of Facebook, with millions of users making the profiles friends-only. If you’re a Web 2.0 blogger who only uses Facebook as a rolodex, this doesn’t appear strange. But to the millions of early adopters who used Facebook as a nexus for social information, this seriously devalues the network.

Think of it this way. A few years ago, Facebook was a city where no one felt the need to put locks on their front doors. Nowadays, we’ve got strangers, a police force that will kill us if we don’t use our “real names”, and surveillance bots that track us across the web and report what we do to our friends. Of course we’re going to deadbolt the house.

But here’s where things get tricky. As we’ve discussed, a social network should be transparent, connecting friends and sharing useful information. Friends should be the main feature, not the network (Facebook) itself. As people shutter themselves and share less information, Facebook is using Beacons, Applications, etc to create a pseudo-information market, hoping that I won’t notice this information is useless.

When I joined Facebook, I cared that I could find my friend’s address and see his or her pictures. However, I don’t care when my friend buys something or superpokes someone else. Since I’m getting less of that good information, Facebook is trying to stave off the what’s next problem by flooding me with “constructed” information. In making Facebook’s useless-information-production apparatus central, the real value of the network decreases.

The Web 2.0 bloggers look at Facebook’s adoption numbers and conclude that we’re not responding to the service’s continued intrusions. We’re just sheep, they say. But when you stand back a bit, things get a little bit more clear. Among mature users, privacy is skyrocketing as users shut themselves off to the world around them. And as millions of individuals join Facebook, and the useless-information-production apparatus of Beacon and Applications floods us, the site becomes less about one’s friends, and more about Facebook itself.

As Facebook becomes more about Facebook and less about our friends, we should consider what prompted these changes. We should also consider where these changes will take us. If Facebook becomes less about our friends and more about the brands we support, can we rationally make an argument that the site will stay relevant? Of course not. We’re not sheep. In fact, the users who have reacted to Facebook’s transgressions are shaping the site in powerful ways. Next time you log into Facebook, ask yourself just how much of the information spam you encounter is actually useful. The proof, as they say, is in the pudding.


20
Nov 07

New SNS Publications

Quickly, two noteworthy new publications in the SNS space:

Finally, an interesting paper in JOIS, entitled “A comparison of academics’ attitudes towards the rights protection of their research and teaching materials.” This study found significant differences in desired rights protection between teachers and researchers. Unlike the two studies I linked above, you can’t read this one because it’s behind a paywall.


15
Nov 07

Weinberger on Facebook Privacy

Berkman Fellow David Weinberger has posted some thoughts on Facebook’s Beacon, and he feels that Facebook has got the defaults wrong.

When Blockbuster gives you the popup asking if you want to let your Facebook friends know about your rental, if you do not respond in fifteen seconds, the popup goes away … and a “yes” is sent to Facebook. Wow, is that not what should happen! Not responding far more likely indicates confusion or dismissal-through-inaction than someone thinking “I’ll save myself the click.”

Further, we are not allowed to opt out of the system. At your Facebook profile, you can review a list of all the sites you’ve been to that have presented you with the Facebook spam-your-friends option, and you can opt out of the sites one at a time. But you cannot press a big red button that will take you out of the system entirely.

Weinberger is right on both points; Facebook is giving us the tools to “opt out” but is banking that the technical hurdle will be high enough that many of us won’t. And of course, even if you do opt-out of Beacon, that doesn’t prevent your data from flowing to Facebook (good discussion in the comments on that post). Of course, if you do fully opt-out at the browser level, Facebook won’t get your data – but then your experience will be broken on Beacon-ized sites (Epicurious just hangs and becomes useless if you do anything that requires a Beacon call).


12
Nov 07

News and Notes

A few quick items that I’ve been meaning to link:

  • The ENISA Position Paper “Security Issues and Recommendations for Online Social Networks” has been released. Co-authors include Nicole Ellison, Scott Golder, Alessandro Acquisti and myself; while there are varied opinions about the state of security in SNS, I think we all found the discursive process interesting.
  • An archived edition of a Social Networks webinar I presented has just been posted. The webinar was organized through Higher Ed Experts, and actually comes as part of a 5-presentation series on online Social Networks. This webinar is targeted towards Higher Ed administrators; I discuss the role of social networks on campus.
  • OCLC has released a comprehensive report on online social networks and their use in libraries. While I was at OCLC I was able to sit down with the team who worked on this report and I was very impressed. This should be a valuable resource for information professionals.

On another note, congratulations to Andy Baio as he moves on to new projects. Andy’s blog is required reading, and I look forward to his new focus on writing and analysis.

Update: Right after I posted this, the JCMC special issue on SNS went live. Some great stuff here – congrats to co-editors danah boyd and Nicole Ellison.


10
Nov 07

Data Sharing with Facebook’s Beacon

In my last post, I linked to a site that explains how to block Facebook Beacon. I recommend that post if you’re interested in preventing Facebook from knowing what you are doing on third-party sites. At the same time, GigaOM has been asking some important privacy questions; he wants to know what data third-party sites are sharing with Facebook.

Using a packet sniffer and the wonderful Firefox extension TamperData, I’ve got the answer – at least in one case. I looked at how Epicurious has integrated Facebook Beacon, and what I’ve found is rather troubling.

The actual implementation on Epicurious’ side is pretty simple; they make a script inclusion call to Facebook on recipe page loads. With the call, the javascript file http://facebook.com/beacon/beacon.js is loaded. This call happens regardless of your Epicurious login state (even if you don’t have an Epicurious account) – Epicurious loads this javascript for both cases.

Here’s where things get interesting. When a browser loads a “page” or file, standard information is sent back to the web server. In this case, when you load an Epicurious page, you’re also loading a Facebook page. Among the standard information sent back to Facebook is your IP, your referer location, and a cookie. Your IP is the address of your home computer, your referer location is the URL you are viewing, and your cookie includes a little value called “c_user” – your Facebook ID. Here’s what the call looks like (sanitized with [] to remove private and superfluous info):

    Host=www.facebook.com
    User-Agent=Mozilla/5.0 []
    Accept=text/xml,application/xml
    Accept-Language=en-us,en;q=0.5
    Accept-Encoding=gzip,deflate
    Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive=300
    Connection=keep-alive
    Referer=http://www.epicurious.com/recipes/food/views/1247213
    Cookie=c_user=[Facebook ID]; login_x=[Your FB login];
    Cache-Control=max-age=0

Therefore, regardless of your login state to Epicurious, any time you load (not just review) a recipe or any other Beacon-enabled page, Facebook knows exactly what you are looking at. In essence, this setup is sending your clickstream and path data to Facebook, precisely correlated to your Facebook identity. On Beacon-enabled pages, Facebook knows everything you do in Epicurious.
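The check described above, as an added example that is not part of the original post: it reads a TamperData-style header dump and reports whether the request hands a third-party host both the page being viewed and an identity cookie. The function names, the two-label `site()` heuristic and the cookie values are assumptions made for illustration; only the header layout, the Referer URL and the `c_user` cookie name come from the capture above.

```python
from urllib.parse import urlsplit

# Constructed sample in TamperData's Name=Value layout, modelled on the
# sanitized capture above; the cookie values are made-up placeholders.
SAMPLE = """\
Host=www.facebook.com
User-Agent=Mozilla/5.0
Referer=http://www.epicurious.com/recipes/food/views/1247213
Cookie=c_user=1234567; login_x=placeholder
"""

# Cookie names treated as identity-bearing; c_user is the one the post names.
IDENTITY_COOKIES = {"c_user"}

def parse_headers(dump):
    """Turn Name=Value lines into a dict, splitting on the first '=' only."""
    headers = {}
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_cookie(value):
    """Split a Cookie header into {name: value}; skip segments without '='."""
    pairs = (p.strip().partition("=") for p in value.split(";"))
    return {name: val for name, sep, val in pairs if sep and name}

def site(host):
    """Crude site key: last two DNS labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def audit(dump):
    """Report what a third-party include reveals to the host serving it."""
    h = parse_headers(dump)
    ref = urlsplit(h.get("referer", ""))
    cookies = parse_cookie(h.get("cookie", ""))
    # Cross-site when the page in Referer belongs to a different site than Host.
    cross_site = bool(ref.hostname) and site(ref.hostname) != site(h.get("host", ""))
    ids = sorted(IDENTITY_COOKIES & cookies.keys())
    return {
        "receiver": h.get("host"),
        "page_viewed": ref.geturl() if cross_site else None,
        "identity_cookies": ids,
        "linkable": cross_site and bool(ids),  # URL and identity arrive together
    }
```

Running `audit(SAMPLE)` marks the request as linkable; the same dump with the Cookie line removed still exposes the page URL to the receiver, only without the account identifier attached.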

Caveats: I doubt that Facebook had much say in how Epicurious integrated, so it’s possible that this privacy leak is the fault of Epicurious, not Facebook. However, if Facebook’s integration plan is to have all its partners making Javascript include calls, this “information sharing” will be widespread. As a final note of caution, this is not much different from DoubleClick’s model; of course, with the public’s eye on Facebook, one can expect higher degrees of scrutiny for Facebook.