{"id":107261,"date":"2009-12-28T02:13:14","date_gmt":"2009-12-28T07:13:14","guid":{"rendered":"http:\/\/www.stoth.com\/2009\/12\/28\/privacy-theater-why-social-networks-only-pretend-to-protect-you\/"},"modified":"2009-12-28T02:13:14","modified_gmt":"2009-12-28T07:13:14","slug":"privacy-theater-why-social-networks-only-pretend-to-protect-you","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/107261","title":{"rendered":"Privacy Theater: Why Social Networks Only Pretend To Protect You"},"content":{"rendered":"<p><\/p>\n<p><img decoding=\"async\" class=\"shot2\" src=\"http:\/\/www.stoth.com\/wp-content\/plugins\/wp-o-matic\/cache\/94fa9_Theatershadows.jpg\" alt=\"\" \/><\/p>\n<p><em><strong>Editor&#8217;s note<\/strong>: The following guest post was written by <a href=\"http:\/\/www.crunchbase.com\/person\/rohit-khare\">Rohit Khare<\/a>, the co-founder of <a href=\"http:\/\/www.angstro.com\/\">Angstro<\/a>.  Building his latest project, <a href=\"http:\/\/www.techcrunch.com\/2009\/11\/20\/knx-to-is-your-social-graph-and-address-book-rolled-into-one\/\">social address book Knx.to<\/a>, gives him a deep familiarity with the privacy policies of all the major social networks.<\/em><\/p>\n<p>I\u2019d be wishing everyone a happier New Year if it were easier to mail out greeting cards to friends on Facebook and colleagues on LinkedIn. I\u2019d like to use <a href=\"http:\/\/knx.to\/\">knx.to<\/a>, our free, real-time social address book, but their \u2018privacy\u2019 policies prevent us from downloading contact information, even for my own friends.<\/p>\n<p>At least those Terms of Service (<a href=\"http:\/\/www.foxnews.com\/story\/0,2933,496766,00.html\">ToS<\/a>) that force us to copy addresses and phone numbers one-by-one also prevent scoundrels from stealing our identity; reselling our friends to marketers; and linking our life online to the real world. Right?<\/p>\n<p><em>Wrong<\/em>. 
When RockYou can stash <a href=\"http:\/\/www.techcrunch.com\/2009\/12\/14\/rockyou-hack-security-myspace-facebook-passwords\/\">32 million passwords<\/a> in the clear; when RapLeaf can index <a href=\"http:\/\/blog.rapleaf.com\/database-milestones\/\">600 million<\/a> email accounts; and when Intelius can <a href=\"http:\/\/www.ft.com\/cms\/s\/0\/79f55d18-d862-11de-b63a-00144feabdc0.html\">go public<\/a> by <a href=\"http:\/\/www.techcrunch.com\/2009\/04\/29\/spock-and-intelius-uh-oh\/\">buying<\/a> <a href=\"http:\/\/venturebeat.com\/2006\/10\/31\/spock-offers-an-ambitious-people-search-engine\/\">100 million<\/a> profile pages; then our social networks have traded away our privacy for mere <a href=\"http:\/\/www.techdirt.com\/blog.php?tag=privacy+theater\">\u201cprivacy theater.\u201d<\/a><\/p>\n<p>With apologies to <a href=\"http:\/\/en.wikipedia.org\/wiki\/Bruce_Schneier\">Bruce Schneier\u2019s<\/a> brilliant coinage, \u201c<a href=\"http:\/\/en.wikipedia.org\/wiki\/Security_theater\">security theater\u201d<\/a> (e.g. 
the <a href=\"http:\/\/jeffreygoldberg.theatlantic.com\/archives\/2009\/12\/more_magical_thinking_from_the.php\">magical thinking<\/a> behind forcing passengers to sit down and shut up for the last hour of international flights), social networks have been dogged by <a href=\"http:\/\/www.time.com\/time\/business\/article\/0,8599,1880376,00.html\">one disaster<\/a> after <a href=\"http:\/\/www.techcrunch.com\/2009\/07\/01\/the-looming-facebook-privacy-fiasco\/\">another<\/a> in 2009 because they pursue policies that provide the \u201cfeeling of improved privacy while doing little or nothing to actually improve privacy.\u201d<\/p>\n<p>As long as the same information that social networks piously prohibit their own customers from using is being bought and sold on the open market by giant marketing companies, social networks are only <em>pretending<\/em> to <a href=\"http:\/\/battellemedia.com\/archives\/005076.php\">protect your privacy<\/a>.<\/p>\n<h2>Industrial-Scale Identity Theft<\/h2>\n<p>Last week\u2019s <a href=\"http:\/\/www.techcrunch.com\/2009\/12\/14\/rockyou-hacked\/\">headlines<\/a> brought <a href=\"http:\/\/digital.venturebeat.com\/2009\/12\/15\/rockyou-explains-how-a-hacker-stole-32-million-passwords-and-what-its-doing-about-it\/\">news<\/a> that RockYou had accumulated 32,603,388 identities over the past few years \u2014 and <a href=\"http:\/\/www.theemailadmin.com\/2009\/01\/social-media-company-cant-stop-making-email-blunders\/\">negligently<\/a> stored them in <a href=\"http:\/\/www.techcrunch.com\/2009\/12\/14\/rockyou-hack-security-myspace-facebook-passwords\/\">plaintext<\/a> in an <a href=\"http:\/\/www.net-security.org\/secworld.php?id=8612\">incompetently<\/a> protected database.<\/p>\n<p>RockYou\u2019s <a href=\"http:\/\/www.rockyou.com\/help\/securityMessage.php\">official bluster<\/a> about \u201cillegal intrusion\u201d should fool no one: blaming Imperva, the firm who <a 
href=\"http:\/\/blog.imperva.com\/2009\/12\/have-a-rockyou-account-better-change-your-password.html\">exposed the flaw<\/a>, or accusing the hacker(s) of being the identity thieves is misdirection: it was actually RockYou who <em>stole<\/em> those credentials, and RockYou should be held to account.<\/p>\n<p>I realize that I\u2019m using the incendiary terms \u201cidentity theft\u201d and \u201cstole,\u201d even though I would agree that users voluntarily consented to type their passwords into RockYou\u2019s forms. I assume that both users and RockYou\u2019s developers actually only intended to share some particular bits of information: a contact list, a user photo, a friend\u2019s gender; but the bottom line is that instead of sharing that specific data, RockYou retained enough secrets to impersonate those users at will.<\/p>\n<ul>\n<li>Don\u2019t blame the victims. Bemoaning the absence of open standards for users to share their own data; or complaining about the weaknesses of users\u2019 password choices is merely changing the subject.<\/li>\n<li>Don\u2019t blame \u201csecurity\u201d technology. More encryption, better encryption, or stronger firewalls would not help, since the default RockYou username in this case was a user\u2019s primary email address. For anyone who chose to use a <a href=\"http:\/\/www.theregister.co.uk\/2009\/12\/17\/rockyou_security_snafu\/\">popular Webmail service<\/a>, that granted access to every other online service they\u2019ve ever used \u2014 because of those ubiquitous \u201cForgot your password?\u201d buttons to email it back to you (just <a href=\"http:\/\/www.techcrunch.com\/2009\/07\/14\/twitters-ev-confirms-hacker-targeted-personal-accounts-attack-was-highly-distressing\/\">ask Twitter<\/a> how much <a href=\"http:\/\/www.techcrunch.com\/2009\/07\/19\/the-anatomy-of-the-twitter-attack\/\">fun<\/a> that is).<\/li>\n<li>Don\u2019t blame RockYou\u2019s partners, who hosted their widgets. 
They just wanted to give their users some fancy new slideshows and scoreboards and other features to put on their pages; that shouldn\u2019t have required an all-out war for viral growth that demanded that users log in and advertise their new widgets to all of their friends.<\/li>\n<\/ul>\n<p>The fault, dear Reader, is not in <a href=\"http:\/\/www.enotes.com\/shakespeare-quotes\/fault-dear-brutus-our-stars\">our stars<\/a>; it lies with sites that <a href=\"http:\/\/forbrukerportalen.no\/Artikler\/2009\/social_network-sites_grossly_undermines_users_privacy\">pretend<\/a> to <a href=\"http:\/\/www.facebook.com\/terms.php#Section_4.5\">waive<\/a> <a href=\"http:\/\/www.google.com\/accounts\/TOS#Section_6\">all<\/a> care and duty by idly warning their users <a href=\"http:\/\/www.linkedin.com\/static?key=user_agreement\">not to share<\/a> their account passwords with anyone else.<\/p>\n<p>In the absence of vigorous enforcement of those ToS agreements, any RockYou developer who passed up the opportunity to, say, <a href=\"http:\/\/www.mywot.com\/en\/scorecard\/rockyou.com\/comment-1068361#comment-1068361\">phish<\/a> MySpace passwords was putting their own employer at a disadvantage to any other startup that was willing to race them to the bottom.<\/p>\n<h2>APIs: Automating Privacy Intrusions?<\/h2>\n<p>RockYou minimized the scope of this breach by maintaining that it only affected their \u201clegacy platform\u201d for widgets rather than its larger \u201cpartner applications platforms\u201d that use \u201cindustry standard security protocols.\u201d After all, the advent of social networks\u2019 partner APIs was supposed to make impersonation and scraping obsolete.<\/p>\n<p>Those APIs came with their own new ToS agreements that added new, overlapping, and sometimes-contradictory restrictions as they worked through all of the implications of letting third parties in on the fun. 
The ACLU released a fun quiz that makes quite clear how much information is at stake, from your hometown to your friends\u2019 sexual orientation.<\/p>\n<p>For example, if you upload a photo of me that I find embarrassing, I could prevent you from tagging me in it, but I can\u2019t forbid you from keeping your own photo online (or keeping it private, <a href=\"http:\/\/www.techcrunch.com\/2009\/03\/20\/facebook-bug-reveals-private-photos-wall-posts\/\">bugs aside<\/a>). I can\u2019t even forbid another friend of ours from caching a copy in his or her browser.<\/p>\n<p>However, the Facebook API ToS can (and does) prevent a third-party application from caching a link to the photo for more than a day (a week on Orkut). Unfortunately, direct links to the photo server didn\u2019t double-check the privacy policy, so a third-party app would be at risk of leaking images users <a href=\"http:\/\/www.itwire.com\/content\/view\/23975\/1231\/1\/1\/\">thought were private<\/a>, unless the developer remembered to make a separate API call every time to re-verify every photo on a page.<\/p>\n<h2>He (or She) Who Must Not Be Named<\/h2>\n<p>In an ideal world, a third party developer shouldn\u2019t have to store any personally-identifiable information (PII). In many jurisdictions, PII is akin to toxic waste, because of the regulatory burdens and civil, even <a href=\"http:\/\/www.sgrlaw.com\/resources\/trust_the_leaders\/leaders_issues\/ttl2\/600\/\">criminal<\/a>, liability for acquiring and disposing of it.<\/p>\n<p>Here again, Facebook is the pacesetter: it\u2019s possible to display \u201cShe liked 7 photos uploaded by Mr. Smith two weeks ago\u201d using little more than a numeric user id. 
The developer writes a sentence in Facebook Markup Language (FBML), and Facebook\u2019s servers will dynamically substitute the name, gender, item count, and ensure grammatical agreement of pronouns, singular\/plural choices, and time intervals.<\/p>\n<p>OpenSocial gadgets have to copy PII into the browser to format a sentence like that. LinkedIn\u2019s partners even have to copy PII to their own servers, since their Open API is currently incompatible with AJAX authentication.<\/p>\n<p>Even though copying PII is the root of all privacy risks, there are three reasons it can be necessary: latency, history, and agility. Without caches, slow API calls can make an app\u2019s performance suffer. Without archives, analyzing only the most recent events can mislead an app\u2019s trend detection or recommendation services. Without \u201coffline\u201d access, waiting for a user to log in again delays an app\u2019s reaction to events in real-time.<\/p>\n<p>There aren\u2019t many technical countermeasures once data has been copied. LinkedIn spent more than a year tinkering with their public API, but the only substantial difference is that it now encrypts every member id with the identity of the developer and application to trace the source of a breach. I applaud them as an industry pioneer \u2014 though they\u2019re so dependent on search-engine optimization that they still include the public numeric ids in the profile page URLs anyway.<\/p>\n<p>Exporting PII with legal strings attached is the best policy we can hope for. 
While Amazon\u2019s ToS requires its associates to display accurate, <a href=\"https:\/\/affiliate-program.amazon.com\/gp\/advertising\/api\/detail\/agreement.html#Section_n\">up-to-date prices<\/a>, Twitter has only recently realized the implications of <a href=\"http:\/\/www.techcrunch.com\/2009\/10\/24\/twitter-finally-removing-deleted-tweets-from-search-results\/\">searching deleted tweets<\/a> and doesn\u2019t yet <a href=\"https:\/\/twitter.com\/privacy\">oblige<\/a> its <a href=\"https:\/\/twitter.com\/apirules\">API partners<\/a> to update their copies when tweets are deleted or protected.<\/p>\n<h2>Buying Back Your Own Data? Priceless.<\/h2>\n<p>If PII is so hard to protect, then the only way for social networks to protect their users\u2019 privacy must be to prohibit partners from accessing contact information in the first place. I might not be able to export my holiday card mailing list from my favorite social network\u2014 a <a href=\"http:\/\/www.readwriteweb.com\/archives\/linkedin_hits_50_million_users_still_a_roach_motel.php\">roach motel<\/a> for our data \u2014 but giant marketing corporations can buy and sell our private information with impunity.<\/p>\n<p>I could go to Rapleaf right now to buy an analysis of any list of email addresses to learn its makeup by gender, income, residence, and all manner of other demographic data. Who\u2019s to say how short that list could be\u2014it\u2019s a slippery slope from aggregate info to personal info. Or I could shop at one of Intelius\u2019 many <a href=\"http:\/\/forum.abestweb.com\/showthread.php?t=123271\">fronts<\/a> and affiliates who are selling PII explicitly (<a href=\"http:\/\/www.prnewswire.com\/news-releases\/intelius-earns-prestigious-truste-web-privacy-seal-of-approval-69279587.html\">TRUSTe-certified!<\/a>). Or I could barter some of the stray business cards on my desk on Jigsaw to fill in the rest of the puzzle. 
All of these businesses depend on PII data harvested from social networks.<\/p>\n<p>How is that possible? None of the social networks that we\u2019ve integrated with has an API for reading email addresses \u2014 but all of them have no problem asking you to \u201cInvite your friends!\u201d \u00a0After all, most social networks remain hypocritical enough to phish passwords to other social networks themselves as soon as they ask you to \u201cInvite your friends\u201d for their own viral growth!<\/p>\n<p>Putting aside the hypocrisy of phishing passwords to scrape those friends\u2019 email addresses in the first place, the subtler flaw is that social networks are more than happy to search their member database for those addresses to share a list of suggested friends. That\u2019s how a Rapleaf could take a mailing list, pretend that those are all friends of theirs, and slowly accumulate a \u201creverse phonebook\u201d that maps emails to social network profiles.<\/p>\n<p>Or you could just crawl their websites. Social networks depend on search engines for traffic, so they almost universally have public pages for every member with well-known URLs and directory listings by name for crawlers to index. 
A <a href=\"http:\/\/www.time.com\/time\/business\/article\/0,8599,1649121,00.html\">mini-boomlet<\/a> in funding &#8220;<a href=\"http:\/\/searchenginewatch.com\/3626678\">people search<\/a>&#8221;\u00a0startups underwrote this massive exercise, but they sold their archives to <a href=\"http:\/\/www.crunchgear.com\/2008\/01\/31\/privacy-alert-intelius-database-could-have-your-cellphone-number\/\">less<\/a>&#8211;<a href=\"http:\/\/www.techflash.com\/seattle\/2009\/11\/intelius_classmates_under_scrutiny_as_marketing_tactics_investigated.html\">than<\/a>&#8211;<a href=\"http:\/\/blogs.seattleweekly.com\/dailyweekly\/2009\/11\/despite_intelius_denial_former.php\">savory<\/a> marketers.<\/p>\n<p>Now, merely indexing public web pages can\u2019t be evil\u2014but reconciling online identities and <a href=\"http:\/\/www.informationweek.com\/news\/internet\/social_network\/showArticle.jhtml?articleID=219401268\">3rd-party advertising<\/a> cookies with real-world credit reports, government records, and other databases can be. Adding in all that information doesn\u2019t increase Mr. Smith\u2019s anonymity; Jeff Jonas has made a small fortune proving that semantic reconciliation dramatically <a href=\"http:\/\/jeffjonas.typepad.com\/jeff_jonas\/2007\/07\/how-to-use-a-gl.html\">collapses uncertainty<\/a>. Just think about combining Spock\u2019s 100M profiles with Intelius\u2019 20B other data points; or Wink\u2019s <a href=\"http:\/\/blog.wink.com\/2007\/wink-people-search-200-million-profiles\/\">200M profiles<\/a> with Reunion MyLife\u2019s <a href=\"http:\/\/www.sfgate.com\/cgi-bin\/article.cgi?f=\/c\/a\/2006\/01\/10\/BAGC5GKONE1.DTL\">34M<\/a> members and 700M records\u2026<\/p>\n<h2>Whose Data Is It, Anyway?<\/h2>\n<p>The philosophical question at hand is what rights do I have in my friends\u2019 information. 
When I accept a business card from someone I\u2019ve just met, I don\u2019t believe I have the right to re-sell it on <a href=\"http:\/\/www.techcrunch.com\/2009\/12\/20\/the-world-has-changed-is-jigsaw-still-evil\/\">Jigsaw in good conscience<\/a> (they\u2019d disagree <a href=\"http:\/\/about.jigsaw.com\/\">18M<\/a> times). If it\u2019s a colleague\u2019s card, on the other hand, I might take the initiative to forward a new lead, or even buy a gift subscription to a magazine. Does that constitute a violation of their privacy, or spam?<\/p>\n<p>Social networks haven\u2019t let their users make their own decisions on this issue. Through selective enforcement of their policies, some startups get <a href=\"http:\/\/gigaom.com\/2008\/02\/12\/notchup-linkedin-and-the-walled-garden-dilemma\/\">locked out<\/a> while big partners get exemptions. Power.com ended up <a href=\"http:\/\/www.insidefacebook.com\/2009\/01\/02\/facebook-files-suit-against-social-network-aggregator-powercom\/\">in<\/a> (and <a href=\"http:\/\/www.techcrunch.com\/2009\/10\/23\/judge-throws-out-power-coms-countersuit-against-facebook\/\">out<\/a> of) court. Plaxo found out the hard way that they couldn\u2019t <a href=\"http:\/\/scobleizer.com\/2008\/01\/03\/what-i-was-using-to-hit-facebook\/\">assist<\/a> their paying customers to <a href=\"http:\/\/blogs.zdnet.com\/BTL\/?p=7474\">OCR<\/a> Facebook email addresses; or to synchronize with LinkedIn. It says a lot about LinkedIn\u2019s draconian ToS that even with paying customers demanding it, Comcast hasn\u2019t signed up for their API. Even if users manually download their own LinkedIn address books, it won\u2019t even include links back to folks\u2019 <em>public<\/em> profile pages.<\/p>\n<h2>Don\u2019t Accept Incompetence<\/h2>\n<p>I also claim that social networks are engaging in Privacy Theater because there\u2019s no shortage of examples of organizations on the Web that process vast quantities of PII while providing real privacy protection. 
Do you think that the \u201cbad guys\u201d haven\u2019t gone after Webmail services to phish passwords and harvest contact information? Aren\u2019t e-commerce sites sharing product information and reviews out to legions of affiliates without leaking your purchase history? How long do you think RockYou would have gotten away with it if they were asking for your online banking username instead of your email address?<\/p>\n<p>Social network sites have <a href=\"http:\/\/pocketseo.com\/web-20\/130\">not<\/a> (<a href=\"http:\/\/www.insidefacebook.com\/2008\/09\/12\/facebook-responds-to-recent-wall-post-spam\/\">yet<\/a>) demonstrated the high degree of proactive surveillance and enforcement characteristic of other organizations that deal with PII on the Internet. Users see <a href=\"http:\/\/en.wikipedia.org\/wiki\/Samy_(XSS)\">worms on MySpace<\/a> and <a href=\"http:\/\/www.nytimes.com\/2009\/12\/14\/technology\/internet\/14virus.html\">viruses<\/a> on <a href=\"http:\/\/voices.washingtonpost.com\/securityfix\/2009\/03\/koobface_worm_resurfaces_on_fa.html\">Facebook<\/a>, but not on Hotmail \u2014 because they defend against <a href=\"http:\/\/www.reddit.com\/r\/xss\/comments\/affkd\/rockyoucom_xss\/\">cross-site-scripting attacks<\/a>. Users find <a href=\"http:\/\/securitylabs.websense.com\/content\/Blogs\/3051.aspx\">malware distributed on Slide<\/a>, but not on Wikipedia \u2014 because they filter content aggressively. Users are blocked by <a href=\"http:\/\/www.techcrunch.com\/2009\/08\/07\/geopolitical-attacks-on-twitter-intensified-almost-tenfold-last-night\/\">DDoS attacks<\/a> and <a href=\"http:\/\/www.theregister.co.uk\/2009\/12\/21\/twitter_dns_hack_follow_up\/\">DNS attacks<\/a> on Twitter \u2014 but Amazon stays up because they can react in real-time (<a href=\"http:\/\/www.pcworld.com\/businesscenter\/article\/185458\/ddos_attack_on_dns_hits_amazon_and_others_briefly.html\">mostly<\/a>). 
How much more quickly do Cease &amp; Desist letters for putting up a fake PayPal logo go out than for impersonating a Facebook Page?<\/p>\n<p>From personal conversations, I\u2019m beginning to wonder if the recent rise of Hadoop is part of the problem, surprisingly. Trying to detect patterns of abusive crawling and suspicious bursts of activity from partner apps by analyzing yesterday\u2019s log files alerts you too late to react. The culture of many social networking websites seems to emphasize page load times (especially after the great Friendster meltdown), which isn\u2019t quite the same as the enterprise IT, networking, and transactional database backgrounds of other leading Web architects. And unlike the formal (and informal) networks of security officials at online financial institutions to track distributed threats, I fear we have little evidence of coordinated responses to privacy threats that correlate identities across social networks.<\/p>\n<p>I have first-hand experience that it takes more time (and more money) to ship applications that comply with social networks\u2019 privacy policies. If we weren\u2019t living with Privacy Theater, that might not have been a wasted investment. 
Inevitably, Gresham\u2019s Law kicked in, and the good guys are being driven out by the bad guys (<a href=\"http:\/\/librarianbyday.net\/tag\/socialminder\/\">spammy<\/a> apps, <a href=\"http:\/\/www.insidefacebook.com\/2009\/12\/18\/policy-watch-facebook-targets-dubious-subscription-and-download-ads-with-updated-guidelines\/\">scammy<\/a> apps, <a href=\"http:\/\/www.insidefacebook.com\/2007\/08\/12\/platform-updates-facebook-app-co-regs-cracking-down-on-notification-spam\/\">sneaky<\/a> apps, <a href=\"http:\/\/www.insidefacebook.com\/2007\/08\/01\/the-race-to-build-a-platform-within-the-platform-is-on\/\">conniving<\/a> apps).<\/p>\n<h2>Privacy Theater: The Show Must Go On\u2026<\/h2>\n<p>Naturally, I prefer to think of myself as one of the \u2018good guys.\u2019 I prefer to believe that privacy protection is a competitive advantage that users (citizens!) really value. Until this outrageous RockYou breach, I didn\u2019t fully realize how irrelevant that is.<\/p>\n<p>I\u2019d argue that the hapless state of ToS enforcement by the major social network platforms only provides the feeling of improved privacy while doing little or nothing to actually improve privacy: that\u2019s privacy theater.<\/p>\n<p>Unfortunately, that analogy is still unfair: TSA may screen children at the airport, but at least their security theater doesn\u2019t obscure the fact we haven\u2019t had a catastrophic security failure in the US air transportation system (<a href=\"http:\/\/www.nytimes.com\/2009\/12\/26\/us\/26plane.html\">yet<\/a>). Our major social networks\u2019 privacy theater is distracting us from ongoing, large-scale identity theft and misuse of private and personally-identifiable information.<\/p>\n<p>If the industry expects self-regulation to forestall government regulation, well, here\u2019s what I think it would take: An immediate ban on all of RockYou\u2019s applications by all of their partners, pending a public audit of all of their apps. 
That\u2019s taking a page from the audit provisions of LinkedIn\u2019s ToS and adding sunlight by publishing the results.<\/p>\n<p>Sounds harsh? I thought the market was supposed to provide swifter, surer justice than some pesky regulator with its clunky old notions of due process and presumptions of innocence. API agreements are a private matter between ruthless corporations. Heck, if they really wanted to put the rest of the ecosystem on notice, they ought to audit every application funded by Sequoia, Partech, DCM, and Softbank, all lead investors in RockYou.<\/p>\n<p>It\u2019s not like <a href=\"http:\/\/news.cnet.com\/8301-27080_3-10416265-245.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20\">lawsuits<\/a> are being filed, as Marissa Mayer announced by going after work-from-home scam artists in an <a href=\"http:\/\/digital.venturebeat.com\/2009\/12\/09\/le-web-q-a-with-google-vp-marissa-mayer-on-the-future-of-search\/\">interview<\/a> with Mike Arrington at LeWeb. It\u2019s not like this is Scamville 2.0, since this isn\u2019t stealing users\u2019 cash, only their dignity. It\u2019s not like there\u2019s a <a href=\"http:\/\/news.cnet.com\/8301-13577_3-10417934-36.html?tag=mncol;mlt_related\">legal spotlight<\/a> on the issue, since there\u2019s only $9M set aside for a hazy new privacy foundation in the latest Facebook class-action settlement. It\u2019s not like it\u2019s a political issue in the headlines, since a Facebook Chief Privacy Officer is <a href=\"http:\/\/www.kelly2010.com\/\">running for Attorney General<\/a>, the top law-enforcement office in California. 
It\u2019s not like it\u2019s as complicated as \u201cdon\u2019t be evil,\u201d since I can give you one simple tip to eliminate privacy theater: enforce your ToS and obey others\u2019 ToS \u2014 or else stop setting unrealistic expectations and just let users have their data back!<\/p>\n<p><em>(Photo credit: Flickr\/<a href=\"http:\/\/www.flickr.com\/photos\/faceme\/1669091688\/\">FaceMePLS<\/a>).<\/em><\/p>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/Techcrunch\/~3\/STOswiGeL0o\/\" >Read Original Article<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor&#8217;s note: The following guest post was written by Rohit Khare, the co-founder of Angstro. Building his latest project, social address book Knx.to, gives him a deep familiarity with the privacy policies of all the major social networks. 
I\u2019d be wishing everyone a happier New Year if it were easier to mail out greeting cards [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-107261","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/107261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=107261"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/107261\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=107261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=107261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=107261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}