Facebook Privacy Redux

Thursday, July 15th, 2010

DeObfuscate’s been away for about a month as we worked on other projects (and got married). But we’re back! Before we get to a new post, here’s a note on our post on Facebook’s Anti-Privacy Monopoly.

In that post we described the anti-competitive nature of Facebook’s policy against the sharing of your FB username and password, and FB’s defense of the policy as promoting a pro-security and pro-privacy internet norm. Well, looks like FB isn’t so concerned when it’s other companies’ usernames and passwords at stake:

That’s right, you can’t share your FB password with others because that’s a bad way for internet businesses to behave… but they’ll gladly ask you for passwords to other services in order to grow their network.

We’ll be back on a more regular schedule, and possibly talking about the “Nullification” movement next week.

Follow Up: Facebook & Privacy

Thursday, May 6th, 2010

My post a few days ago, Facebook’s Anti-Privacy Monopoly, has gotten a lot of attention and I’ve received a lot of valuable feedback, including from some employees over at Facebook.

To reiterate, I really do like Facebook. It’s a good product and an efficient platform for communication. And to me, personally, the privacy “issues” aren’t so bad as to outweigh the value I get from the site (though I’d still prefer more easily-used privacy settings and more control over certain things). Even the recent instant personalization is a feature I can see liking. I’ve turned it off mostly because of the all-or-nothing approach to the privacy settings (I can see liking instant personalization with Yelp since I use both, but don’t really want to have to turn off instant personalization on all the other sites where I don’t want it).

What I’m really trying to do is get people to recognize the commercial nature of the relationship users have with Facebook, and to see the competitive consequences (and thus privacy consequences) of the way Facebook allows (or doesn’t allow) interaction with other websites.

A few people have pointed out that allowing FB users to share usernames and passwords is a BAD idea for Security (and thus also bad for Privacy). The idea is that if you get people too used to sharing their passwords with other sites, then they’ll be more likely to fall prey to phishing scams. That makes sense. Though it’d be interesting to look at some data to determine if that’s actually the case in practice. Login-sharing has been practiced across many websites for a while, and just because a site prohibits sharing of usernames and passwords, that doesn’t mean scammers will just stop trying to solicit them.

Regardless, the anti-competitive concerns I talked about in the earlier post don’t HAVE to be addressed via password sharing, as long as some authentication system allows for interacting and exporting user content much in the same way a third party could with a simple login. This could include some solutions such as xAuth or OpenID, or even a version of the Facebook API where FB doesn’t block Google’s Friend Connect or MySpace.

Spamming and Phishing

I’m also not in love with spammers. I referred to in my prior post. They tried to develop a platform for easily porting SN content from one site to another. There are also some accusations against them for spamming on FB. They’ve been blocked by FB (and to this day you can’t say “” on a FB wall post or comment, presumably that’s a pre-emptive attack against SPAM). I don’t know if is an evil spammer or a legitimate competitor, but I do know that when Twitter first got off the ground a couple of my friends signed up and accidentally spammed everyone in their GMail contact list with invites to join. It’s not impossible that something similar happened with’s initial roll out. Regardless, even without the spamming component, a legitimate service like what tries to do isn’t allowed to interact with FB under the current rules of use.

Privacy as Control

Some people have also pointed out that reducing the transaction costs associated with switching from FB to another service actually reduces privacy by spreading information around to more places. I’m actually less interested in promoting switching to other services completely and more interested in the promotion of “niche” services (such as the photo-sharing example in my original post). I do think FB is here to stay as the dominant Social Network. But to the privacy point: My conceptualization of privacy on the Internet, and I think that of most others, is one of control. Some friends share more than I do, others feel comfortable sharing less. Just because information is more widely dissipated, that doesn’t necessarily mean it’s less private if I’m sharing it with a service provider that I trust and that I choose.

I’ve also been told that I was pretty unbalanced against Facebook in my initial post. To that I’d say that I was trying to argue a point: that there are anti-competitive consequences to the way Facebook’s been operating. When advocating a position one tends to be more forceful than not with their language. The book chapter I referenced in the post takes a much more academic-toned look at the economic/privacy issues. On that note though, I do apologize for perpetuating a misquote of Mark Zuckerberg on my graphic; I’ve changed it to reflect what he really said. I encourage anyone who re-posted the graphic to link to the updated copy.

Facebook’s Anti-Privacy Monopoly

Monday, May 3rd, 2010

Many people have been complaining about the changes Facebook’s made to its privacy practices over the past few months, including U.S. Senators. So I thought it was about time to write a post about it. I’ve actually written a chapter on Facebook and Privacy in the forthcoming book “The Offensive Internet”. Alas, it’s been in editing for so long that I fear much of it is going to be dated by the time it comes out in November. So here’s a blog post.

First off, let me just say that I’m a huge fan of Facebook. Let me also say that I think there’s probably only room for one dominant player in the “general” social networking space, and that in the United States, Facebook is likely going to be it. That said, I’m also a huge fan of privacy and of free-market competition. The real reason Facebook’s been clawing back user control over private information, and exposing more and more user info to third parties, isn’t because of some grand shift in social norms or the conceptualization of online privacy. Rather, it’s simply the result of what happens when a company develops a natural monopoly due to network effects: all of a sudden they can charge more without offering additional benefits. In this case, that “charging” occurs by extracting more value (your private info) from users without offering additional desired benefits or services.

What does that mean? Well, let’s take a look at the graph below that I threw together. A few years ago Facebook and Myspace were engaged in heated competition over users, and Facebook only controlled about 30% of the Market. As the Graph shows, things have changed, with Facebook in control of about 84% of the market for “general” social networking today. As Facebook has grown, and as users have become more entrenched, much of the Privacy-friendly functionality used to initially attract users has disappeared, replaced instead with many public-by-default (if not public-with-no-other-choice) options.

What gets me the most isn’t so much that Facebook’s developed a monopoly in this market. As I said, that’s pretty much a given, and user privacy issues aside Facebook’s got a good product to offer. What irks me is the way Facebook’s gone about establishing itself through what I see as anticompetitive practices, specifically, prohibiting users from using their username and password to log in to other websites or services. I’m sure you’ve noticed this. If you want to load or export contacts from G-Mail to most other online services, like Meebo, LinkedIn, etc., you simply share your username and password and the service imports what you want. Various aggregators for content from multiple sites also use this model. But you can’t do this with Facebook; they prohibit it.

Facebook’s long claimed the reasoning behind its no-password-sharing policy is user privacy, and to prohibit sharing of user information to third parties without the consent of your friends (i.e. your friends haven’t consented to you sharing the fact that they’re friends with others). Well that’s clearly hogwash since now who you’re friends with is public information according to Facebook. But the no-sharing password policy lives on. Sites and services that desire to interact with Facebook must use “Facebook Connect”, which means you interact with Facebook on Facebook’s terms and using it requires logging in to Facebook FIRST. The effect is to further leverage Facebook’s market power.

Let me put my concerns into a real-world example. Let’s say a user no longer feels comfortable with having their photos on Facebook because of its recent privacy-degrading trend. (After all, most of my friends are shocked when I point out that all their photos are now publicly viewable by default.) There’s an incentive there for some other photo-sharing site to develop a tool to help people export photos, but interacting with Facebook through its approved channels won’t allow for this. Sharing your username and password with a trusted competitor on the photo-sharing front, however, would. The effect is to create an incentive for Facebook to remain privacy friendly, but Facebook’s basically neutralized the threat of any such competition. They’re also preventing any service that might help you port content from one social network to another (thereby reducing the transaction costs of switching entrenched users from one site to another), and has sued for trying.

The biggest response I get from people when I point out these arguments is that “you can just delete your account”.  But really, no, I can’t.  Nor do I want to.  I like using Facebook too much, and not having an account would feel like being a hermit. Facebook use is becoming a somewhat integral part of our society.  But that doesn’t mean I can’t argue and fight against what I see as harmful anticompetitive conduct that destroys the bargaining relationship between Facebook users and Facebook, Inc.

If this post interests you, I recommend checking out “The Offensive Internet”, edited by Martha Nussbaum and Saul Levmore, when it comes out this November, published by The Harvard University Press.

UPDATE: It was brought to my attention that the graph formerly mis-quoted Zuckerberg. (I actually pulled the quote after checking two sites with a similar mis-quote, which was actually initially someone paraphrasing… not quoting… Zuckerberg).