Distribution Scope, Security, and Useful Tools

While working on the Facebook Privacy Informer App, I had to tackle the issue of “Scope of Distribution” of your personal information. Actually, this should more properly be named “Scope of (Intended) Distribution”. Facebook privacy controls allow you to set the distribution of various aspects of your Facebook profile. In general, the controls allow you to set distribution to:

- (The inappropriately named) “Only Me”
- A subset of your friends
- Your friends
- Groups that you belong to
- The general public

Why does Facebook say “Only Me” when you share information with Facebook? Shouldn’t the setting be labeled “Only Facebook (and whoever they decide to share it with)”? Even when you spend the time to tune those controls, there will certainly be leakage of your information beyond your intended settings.

Facebook has enough money that you would think your biggest issues would be their intended privacy violations (sales of tracking ads) and your own privacy control lapses (friending people you don’t personally know). Unfortunately, that’s not really true. There is a 1 in 4 chance that your account will be hacked this year. Given the information that Facebook acknowledges it holds about you, and other information it won’t tell you about, that’s somewhat alarming. With all that information, and many examples of leaky security, what happens when the almost inevitable major breach occurs?

Still… Facebook is a very useful and entertaining service for many of us. So the issue is not how fast we run away from it, but how we control our risk-to-value ratio. The Privacy Informer App is intended to provide feedback on your risk and strategies for reducing that risk. The Privacy Informer for Facebook app is currently in development and has had limited demos.

One of the issues I had to incorporate into the risk scoring strategy was Facebook’s distribution scope controls. Once I added that factor to the scoring model, I saw that it could also be used to incorporate security and reputation risks into the scoring. An example of a security issue is when Facebook says that it will only share information with your friends, but then one of your friends’ accounts gets hacked. A reputation issue is when Facebook gives you control over some information, but then hides other information about you that it intends to monetize. In both cases, there is an expansion of scope beyond the limit your settings indicated. In this model, if you set that level to be “Friends”, I adjust the risk value calculation to include some leakage to the public. That adjustment raises the question: how does one know how much to tweak the value? That’s where some interesting tools and data sources can provide...


What is Privacy?

Like others involved in the emerging privacy marketplace, I think a lot about what “Privacy” means. There are many ways to approach this question, and this post is just one of the ways that I have been thinking about answering it. When people talk about online privacy, what do they mean? Most “Privacy” concerns seem to fall into the general buckets of:

- Will I be bothered by people trying to sell me stuff?
- Will others think badly of me?
- Will my property be damaged or taken?
- Will I be harmed?

The evolution of our concern for privacy is certainly a thought-provoking topic (get started here and here). Back when humans built their homes in whatever cave they could evict the current resident from, a failure to keep private had immediate health concerns. If someone, or something, knew about my daily business, they could steal my food supply, my mate, my home, or my life simply by waiting for me to sleep in my usual place. It was a competition for survival, and the more you knew of your competitor, the likelier you were to live.

Concerns about harm to person or property are the ones that your primitive self, your atavistic side, still recognizes. Have you ever felt someone’s eyes on you even though you couldn’t see them? Has a co-worker tracked your actions so that they could gain advantage at the next meeting? Have the hairs on the back of your neck raised as you entered your credit card number into an online store? That’s your old lizard brain, Freud’s “id,” speaking to you.

That old lizard shouldn’t be brushed aside. In today’s online world there are stalkers waiting to do you harm. One could be sitting next to you at the coffee house watching your WiFi packets pass by as you log in to your bank account. Another could be hacking the travel website you’re using to plan next month’s 4-week safari in Kenya. That info could be sold to someone who will have a leisurely time emptying your house.

We’re lucky that most predators are simple opportunists who don’t make a business out of such things. Most methods for evading opportunists involve common-sense precautions. Still, there are the few shadowy stalkers who greatly profit by invading our privacy. Evading all of their techniques is much more difficult, and could require one to go completely off the grid. As one old punch line puts it, “You call that living?” Given that the planning predator is rare, if you practice the simple personal security techniques aimed at circumventing the opportunists, you likely won’t come to the attention of the more cunning ones. The Electronic Privacy Information Center...
