Distribution Scope, Security, and Useful Tools
While working on the Facebook Privacy Informer App, I had to tackle the issue of “Scope of Distribution” of your personal information. Actually, this should be more properly named as “Scope of (Intended) Distribution”. Facebook privacy controls allow you to set the distribution of various aspects of your Facebook profile. In general, the controls allow you to set distribution to:
- (The inappropriately named) “Only Me”
- A subset of your friends,
- Your friends
- Groups that you belong to
- The general public
Why does Facebook say “Only Me” when you share information with Facebook? Shouldn’t the setting be labeled, “Only Facebook (and whoever they decide to share it with)?”. Even when you spend the time to tune those controls, there will certainly be leakage of your information beyond your intended settings.
Facebook has enough money that you would think your biggest issues would be their intended privacy violations (sales of tracking ads) and your own privacy control lapses (friending people you don’t personally know). Unfortunately that’s not really true. There is a 1 in 4 chance that your account will be hacked this year. Given the information that Facebook acknowledges it holds about you, and other information it won’t tell you about, that’s somewhat alarming. With all that information, and many examples of leaky security, what happens when the almost inevitable major breach occurs?
Still… Facebook is a very useful and entertaining service for many of us. So the issue is not how fast we run away from it, but how we control our risk to value ratio. The Privacy Informer Apps is intended to provide feedback on your risk and strategies for reducing that risk.
The Privacy Informer for Facebook app is currently in development and has had limited demos. One of the issues I had to incorporate into the risk scoring strategy was Facebook’s distribution scope controls. Once I added that factor to the scoring model, I saw that it could also be used to incorporate security and reputation risks into the scoring. An example of a security issue is when Facebook says that it will only share information with your friends, but then one of your friend’s account gets hacked. A reputation issue is when Facebook gives you control over some information, but then hides other information about you that it intends to monetize. In both cases, there is an expansion of scope beyond the limit your settings indicated. In this model, if you set that level to be “Friends”, I adjust the risk value calculation to include some leakage to the public.
That adjustment begs the question, how does one know how much to tweak the value? That’s where some interesting tools and data sources can provide value.
Web of Trust takes the problem of creating reputation scores and crowd-sources it. It provides a browser add-on that in real time shows what others think of the website you viewing, and allows you to contribute your own rating.
Taken together, these tools and the databases behind them inform algorithms that apply both mathematically derived and experiential data to the problem of assigning a reputation score to a website. I then use that reputation score to adjust the intended distribution scope variable. In the end, I provide a simple numeric value that relates to your privacy risk, along with information on those factors that stand out as being riskiest.