Distribution Scope, Security, and Useful Tools

While working on the Facebook Privacy Informer App, I had to tackle the issue of “Scope of Distribution” of your personal information. Actually, this should be more properly named “Scope of (Intended) Distribution”. Facebook privacy controls allow you to set the distribution of various aspects of your Facebook profile. In general, the controls allow you to set distribution to:

- (The inappropriately named) “Only Me”
- A subset of your friends
- Your friends
- Groups that you belong to
- The general public

Why does Facebook say “Only Me” when you share information with Facebook? Shouldn’t the setting be labeled “Only Facebook (and whoever they decide to share it with)”? Even when you spend the time to tune those controls, there will certainly be leakage of your information beyond your intended settings.

Facebook has enough money that you would think your biggest issues would be their intended privacy violations (sales of tracking ads) and your own privacy control lapses (friending people you don’t personally know). Unfortunately, that’s not really true. There is a 1 in 4 chance that your account will be hacked this year. Given the information that Facebook acknowledges it holds about you, and other information it won’t tell you about, that’s somewhat alarming. With all that information, and many examples of leaky security, what happens when the almost inevitable major breach occurs?

Still… Facebook is a very useful and entertaining service for many of us. So the issue is not how fast we run away from it, but how we control our risk-to-value ratio. The Privacy Informer App is intended to provide feedback on your risk and strategies for reducing that risk. The Privacy Informer for Facebook app is currently in development and has had limited demos. One of the issues I had to incorporate into the risk scoring strategy was Facebook’s distribution scope controls.
Once I added that factor to the scoring model, I saw that it could also be used to incorporate security and reputation risks into the scoring. An example of a security issue is when Facebook says that it will only share information with your friends, but then one of your friends’ accounts gets hacked. A reputation issue is when Facebook gives you control over some information, but then hides other information about you that it intends to monetize. In both cases, there is an expansion of scope beyond the limit your settings indicated. In this model, if you set that level to be “Friends”, I adjust the risk value calculation to include some leakage to the public. That adjustment begs the question, how does one know how much to tweak the value? That’s where some interesting tools and data sources can provide...


Facebook Privacy Settings

I’m working through Facebook’s Privacy settings this morning as part of a new design and engineering project. Jonny Lang in the background singing “Good Morning Schoolgirl” seems very apropos. Have you taken the time to look through your Facebook settings lately? While I expected most of what I saw, what really struck me as weird were the permissions that may be allowed for friends-of-friends, and for the apps that friends install. Like many others, I personally know all of my Facebook friends. Like most others who use Facebook, I have friended some who are only brief acquaintances. Even of those friends that I know well, I don’t have a lot of trust in their ability to identify online scams and data harvesters. And given what little trust I have for my friends in that area, none of it transfers to friends-of-friends or the apps my friends use. Why would anyone give friend-of-friend access to their detailed profile and social network information? Why would Facebook, by default, allow friends-of-friends to view my birthday, wall posts (and my friends’ wall posts), political and religious views, and photos? Why should the apps that my friends install have access to my profile by default? If you don’t already have a good understanding of Facebook privacy settings, I suggest that you read this [updated 1/14/2016]. If you also want to see all the permissions that Facebook apps may request, check out...
