Posts Tagged: identity

Noticed3 Comments
8
Nov 07

Digital Identity Talk Tonight

Via Dave Johnson, news that Pat Patterson, federation architect for Sun Microsystems will be speaking at tonight’s TriLug. I’m going to make every effort to attend. Dave’s note follows:

Tri-LUG announcement: Pat Patterson from Sun Microsystems will provide us with a developer perspective on digital identity, starting from the emergence of LDAP in the 90s, through single sign-on, SAML and the Liberty Alliance protocols to recent developments such as OpenID, Cardspace and OAuth. The emphasis will be on understanding the protocols and how they are implemented in the real world, with a particular focus on deciding which (if any!) approach to select for a given project.

Pat Patterson is a federation architect at Sun Microsystems, focusing on federation, identity-enabled Web services and OpenSSO, Sun’s open-source implementation of those technologies. Pat’s blog centers on identity-related topics.

Speaker:   Pat PattersonTitle:     Digital Identity from LDAP to SAML and beyondDate/time: 7PM Thursday Nov. 8, 2007Location:  Red Hat HQ (map)          1801 Varsity Drive          Raleigh, North Carolina 27606          Tel: +1-919-754-3700
Noticed5 Comments
5
Sep 07

Facebook Public Search, New?

The blogosphere is abuzz with news of public Facebook profiles, but what gives? This is old news. In June I wrote about the topic:

Sometime in the past few weeks, Facebook began exposing profiles to be indexed by Google (A search today returns over 350,000 profiles). Granted, profiles are still private, but how will people feel about their profile being indexed in Google? At the same time, there seems to be no way to turn this functionality off, and Facebook help documents have no mention of this new “feature.”

These types of context-leaps have caused problems for Facebook in the past. When newsfeeds were turned on with no privacy, Facebook failed to understand that privacy was both quantitative and qualitative. A context jump from “searchable within Facebook” to “searchable in Google” is a big deal. The fact Facebook was not upfront with its users in saying “we’re going to be letting Google in to index our userbase” is troubling. Even more troubling is the seeming inability to opt in or out of this service. I’d rethink this approach.

Granted, Facebook did rethink the approach (my 350k indexed search string now returns 50 results), and kudos to them for doing so. But let’s be clear, this isn’t new. The A-list just wasn’t paying attention. ;)

Hacks / Noticed / Software / Thoughts1 Comment
30
Aug 07

Outing fakesters with an address book

If you’ve tried to add new contacts on Facebook, Flickr or LinkedIn, you’ve likely been prompted to provide your Gmail/Hotmail/AOL email credentials. Using these credentials, these sites will cross-check your contact lists with known users on their site, in an attempt to hook you up with people you already know.


While the notion of sharing your authentication credentials with a third-party sort of blows my mind (too many years as an Admin, I suppose), as 80% of us use the same password across all sites (I just made up the 80%), it probably wouldn’t be too hard for Mr. Twitter to guess your Hotmail password if he really wanted to.


No, actually what interests me is how one could use this information leak to out fakesters. The approach is pretty simple – add a couple hundred email addresses to your contact networks in Gmail/Ymail/Hmail etc, upload to a site, and see just who pretends to be who.


This raises a question: Just when did it become fair play to share my email address? When I created a Twitter account, I provided my email for verification – but I didn’t assume that a third-party would be able to correlate my email to my Twitter identity simply by uploading an address book. What’s the big deal, you say? Let’s take the case of Fake Steve Jobs. What if Fake Steve were to create a Twitter or Facebook profile and use his “real” email address for account verification – his gig would have been up a long time ago.

Why does this matter? If you’re going to be a fakester, use Mailinator, right? Valid point, there will always been advanced technical countermeasures. What troubles me is how we trade the functionality of this handy “feature” for a reduction in privacy – and I’ve yet to see anyone really question it. If I provide a service with my email address, it has generally been my right to control who sees or does not see that email address. With these new “contact” functions, I lose control. My identity information is in the public, ready for anyone with an address book to discover.

So what if you are a fakester on Twitter or any of the other sites that employ these address book searches? Unless you’ve bulletproofed your identity by using a completely throw-away email address that you’ve never used anywhere else, it’s likely your identity could be compromised.

As Web 2 is ego-centric, anonymity/pseudonymity in consistently painted in a negative light. By embracing – and not questioning – these information leakages, we’re reinforcing this mode while perpetuating the fallacy that “there’s nothng to hide if we’re not doing anything wrong.” This is an erosion a privacy, and a new form of surveillance.

Thoughts7 Comments
22
Jul 07

Facebook’s new Friendster moment

This evening, I went to approve a friend request on Facebook, only to find that I was now forced to fill out the details of my friendship with this individual. Had we lived together or worked togther? Had we met randomly, or through Facebook? Apparently, no longer do we have the option of keeping this information to ourselves – all of the details of our friendships must now be public.

Yes, I know I was a little hard on Facebook in my last post, but unannounced, unexplained changes like these can wreak havoc on the already turbulent ecosystem of FB. Furthermore, this top-down mandate is going to leave a lot of users unhappy; people like having the ability to choose how much information they make public. Facebook may not know this, but forcing people to publicly describe friendships is going to make a lot of people uncomfortable – they like having the flexibility to keep parts of their life private. It’s essentially silly to boil down something as complicated as all of your friendships into 12 pithy categories. What about the people you grew up with? Where’s the “met them at age 5 on my block” category?

Facebook has likely instituted this change for two reasons. The first is part of the overall “radical transparency” movement espoused by the techno-libertarian leadership of the company. They feel that all information should be public, if you’re not doing anything wrong, why worry, etc. So this is likely part of an overall strategy. The reason it happened now, i.e. the second part, is to stem the rampant “non-friend friending” that is going on amongst new joiners. Look at this blog post, the author brags about how many thousands of friends he has, and how elite they are. I have to imagine that even FB employees have to be a little mortified in seeing their system become nothing more than a rolodex – I’ve heard it called “the next Plaxo.”

Of course, instituting changes to control behavior at one edge of the ecosystem will affect other parts, and the longtime users are the ones who will be most displaced by this change. And it is a significant change – “friendship” is at the core of Facebook, and to now have to fit every friendship into Facebook thin lens will make many uncomfortable. Just as with the newsfeeds, in which the nature of friendship was instantly changed, now every friendship must make the uncomfortable dance of description. It’s really too bad – this feels like such a Friendster moment.

Update – Blake Ross responds: “This is a bug that will be fixed shortly. Note that even now, you need not enter any information.” I respond to Blake in the comments.

Thoughts10 Comments
29
May 07

Facebook Public Profiles

Sometime in the past few weeks, Facebook began exposing profiles to be indexed by Google (A search today returns over 350,000 profiles). Granted, profiles are still private, but how will people feel about their profile being indexed in Google? At the same time, there seems to be no way to turn this functionality off, and Facebook help documents have no mention of this new “feature.”

These types of context-leaps have caused problems for Facebook in the past. When newsfeeds were turned on with no privacy, Facebook failed to understand that privacy was both quantitative and qualitative. A context jump from “searchable within Facebook” to “searchable in Google” is a big deal. The fact Facebook was not upfront with its users in saying “we’re going to be letting Google in to index our userbase” is troubling. Even more troubling is the seeming inability to opt in or out of this service. I’d rethink this approach.

Update: French reader provides advice on how to turn public profiles off. To do so, deselect “everyone” in search privacy. This turns off the public profile. You can then re-enable the rest of the options to make yourself widely searchable in Facebook. Thanks to French reader for this important bit of information.

Update 2: Anonymous commenter writes: Facebook listened. Go to the search privacy page and there’s an option to shut this off now. Great news!

Noticed4 Comments
2
Mar 07

Facebook and (the non-salability of) your data

This morning, I came across an interesting video about privacy concerns in Facebook (via). Of course, none of the information is particularly new – but Vishal Agarwala’s presentation is compelling. View the video here.

Agarwala’s deadpan narration really makes the video, but I’m left conflicted. The Facebook seems to be sending very mixed messages about our private data. As Agarwala rightly points out, the Terms of Service allow Facebook to do whatever they want with your data. And seeing as contextual ads are being served, it seems like Facebook is taking steps to monetize the data.

However, as I was reading about the Facebook developer platform, I came across this interesting segment:

Only your friends and people in your network can see your information, and everything is subject to the privacy settings that you select; the same rules apply to outside applications as well. Outside applications are not allowed to store or collect your data, and we certainly aren’t selling your information to ANYONE. That’s yours

This is extremely interesting – Facebook, on a Facebook-owned property, has made a (legally binding?) claim that they are not selling our data. Obviously, this conflicts with the some of the rights granted in the TOS, but that’s not a problem. What is the problem is the absolute nature of the claim. If I parse it correctly, it is to state that Facebook is not monetizing our personal data at all. I’ll be interested to see if they stand by this claim, though I have to imagine any public copy has been vetted by teams of lawyers at Facebook HQ. Frankly, I’m very surprised by this claim. I’m interested to hear what you may think.

Noticed2 Comments
17
Jan 07

The panopticon in the SNS: Zephyr

In the upcoming months, Mypsace plans to release a product named Zephyr that will enable parental tracking of teenagers in Myspace. The Wall Street Journal, the Register, CBS News and Mashable have coverage.

From what I’ve pieced together, Zephyr will work like spyware. Parents will install Zephyr on their home computer, which will then capture the Myspace identities of those who use the computer to log into Myspace. It will then remotely track those identities, notifying parents of access, changes to some profile information, or movement of account names. For example, a teenager who signs on to a Zephyr-enabled computer will have their profile tracked if they later log in from a school computer via a proxy.

In some respects, a system like Zephyr sounds useful – parents have a notoriously hard time finding the profiles of their children, and this could aid them in this process. However, when the ability to spy on and track each other becomes a fundamental part of the system, what prevents abuses? For example, what prevents someone from installing Zephyr on a public computer, capturing and subsequently tracking the profiles that appeal to him/her? I see no safeguard in this process, unless Zephyr limits the amount of profiles someone can track.

Zephyr walks a fine line with regards to privacy, as it does not record all elements of the teenager’s profile. However, the tracking of “actions” such as log in/out, location of access, changes to profile information is a substantial privacy challenge. I see this type of surveillance as similar in nature to the government’s illegal surveillance of our cell phone networks – while they were not recording our calls, they were recording all accesses, dials, etc. This is very valuable information, especially in the hands of those who wish to do harm.

Is Zephyr a bottom-line-pleasing, media-friendly “solution” for parents, or does it simply introduce new privacy concerns into the system? Do we really need to track our children, monitoring their logins on computers around the world? And what does it really get us? In a sense, this is just an escalation in the Myspace arms race. The question becomes: What will the young people do to get around Zephyr?

Also interesting is that 33 state attorneys general are pressuring Myspace to integrate its account system with identity verification databases. From the WSJ article:

But a group of 33 state attorneys general led by Connecticut’s Richard Blumenthal are investigating taking legal action against MySpace if it doesn’t raise the age limit to join the site to 16 (from 14 currently) and begin verifying MySpace members’ ages against public databases.

Unfortunately, they’ve got it backwards. Myspace is the public database.

← Older Entries
Newer Entries →