Thursday February 07, 2008
Facebook: do I get to say "I told you so?"
Just noticed that slashdot is running a story on Facebook applications and data privacy:
I'll merely point out that I already told you so :-)
Posted by alanbur ( Feb 07 2008, 08:26:17 PM GMT ) Permalink Comments [0]
Friday January 18, 2008
Facebook faces privacy questions
Just noticed this report on the BBC News website:
The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account. Currently, personal information remains on Facebook's servers even after a user deactivates an account.
Facebook has said it believes its policy is in "full compliance with UK data protection law".
"We take the concerns of the ICO [Information Commissioner's Office] and our user's privacy very seriously and are committed to working with the ICO to maintain a trusted environment for all Facebook users and ensure compliance with UK law," said a statement from the site.
That'll be me they are talking about...
Posted by alanbur ( Jan 18 2008, 11:27:21 PM GMT ) Permalink Comments [1]
Tuesday January 15, 2008
Number problems
I've just been looking at my son's maths homework, which is from the CGP Year Six Maths Workbook - Year Six in the UK is kids who are 10 to 11 years old. Here's the question:
I can think of four possible answers, depending on how you interpret the question:
- 6, i.e. the hundreds digit of 4695 is 6
- 600, i.e. the hundreds component of 4695 is 600
- 46, i.e. 100 goes into 4695 46 times, with 95 left over
- 46.95, i.e. 4695 ÷ 100
From previous experience with these books, it could be any of the first three possibilities, although the last one is an equally valid interpretation. No wonder the standard of maths in UK primary schools is so poor, if they have to use such frankly awful source material. Here's another example, from the next page:
17 × 6 + 98 ÷ 25 × 301 - 21 + 113 =
If you think the answer is 1376.92, i.e. (17 × 6) + (98 ÷ 25 × 301) - 21 + 113, you'd be wrong. The answer they seem to be expecting is 2500, i.e. ((((((17 × 6) + 98) ÷ 25) × 301) - 21) + 113). I know that's the case because the kids aren't allowed to use calculators, so the answer will be an integer value. So much for the rules of operator precedence...
p.s. Thanks to @kangcool for spotting the maths error in the original version ;-)
Posted by alanbur ( Jan 15 2008, 09:25:41 PM GMT ) Permalink Comments [3]
Friday January 04, 2008
Facebook: and so it begins...
I just came across this security advisory via The Register. A malicious Facebook application is using social engineering techniques to persuade people to install spyware/adware on their machines:
I'm absolutely certain that this is just the first swell of an approaching tidal wave of Facebook malware. It isn't even a particularly clever example - it would be far more effective to use a Facebook application to harvest personal information whilst apparently offering a useful service, and then use the data elsewhere and/or at some time after the application was harvested. That would make it far more difficult for people to draw the connection between the harvesting app and the subsequent misuse of their personal data.
Currently there are more than 12,000 Facebook applications registered in Facebook. All you need to add an application to Facebook is an API key, and you can get one of those in seconds from the Facebook site, with no checking whatsoever by Facebook. The only mechanism Facebook seems to provide to 'protect' its users from malicious applications is a requirement that developers click on a checkbox to agree to Facebook's Developer Terms of Service. There's no vetting of the person applying for the API key, or of any applications they write.
After my previous experience of fighting with Facebook to get my account closed I'm not in the least bit surprised at their cavalier attitude to Facebook application security. I'm also doubtful that they have the resources necessary to vet 12,000+ applications even if they wanted to, and even if they did there's nothing to stop someone registering a benign version of the application and then activating the malign part after the application has been accepted.
I wonder if there's a need for an application that shows people just how much information they are agreeing to hand over when they install a Facebook application?
Posted by alanbur ( Jan 04 2008, 12:12:44 PM GMT ) Permalink Comments [0]
Wednesday December 26, 2007
How to leave Facebook - followup 3
On the 14th December the UK Information Commissioner's Office set me an update on my complaint about Facebook's refusal to remove your data when you try to close your account. Here's what the ICO said:
I believe that by discussing your case with them in the context of their general approach to privacy and personal data, this will assist Facebook in the process of ensuring that all their policies are compliant with the Act and all their users are treated fairly rather than simply achieving compliance in response to individual complaints.
So the ICO clearly believe that Facebook don't comply with the Data Protection Act, and they want Facebook to have a reasonable policy for allowing account closures, rather than forcing people to have to fight to get their accounts closed on a case-by-case basis, as I had to do. Hopefully the process of closing your Facebook account will become much easier in the not-too-distant future.
Posted by alanbur ( Dec 26 2007, 11:39:12 AM GMT ) Permalink Comments [4]
Wednesday December 05, 2007
Here Comes Another Bubble
Someone posted this one one of the internal Sun email aliases. As someone who's 'virtual place of work' is the Bay Area, I found this absolutely hilarious!
Posted by alanbur ( Dec 05 2007, 12:31:03 PM GMT ) Permalink Comments [1]
Friday November 30, 2007
Facebook privacy roundup
Steven Mansour has written a nice roundup of various articles and blog entries about Facebook's stance on privacy. What is interesting to me is not so much the concentration on Facebook, it is that there seems to be a growing awareness of the importance and breadth of privacy issues amongst the general public, at least in the UK. Although I'm sure in the UK the cause of that interest is mainly because of our hapless government rather than Facebook, it is heartening to see people starting to think about the issues around online identity and data privacy.
Posted by alanbur ( Nov 30 2007, 10:16:42 AM GMT ) Permalink Comments [1]
Thursday November 29, 2007
A whiff of Garlik
Ages ago I signed up for a free trial of an "online identity protection" service provided by Garlik. They have an impressive list of managers and advisors , including the founders of online bank Egg, a CS professor at a UK university, and Tim Berners-Lee - whoever he is ;-)
Their website describes their service as follows:
- Give power back to you. We give you the tools to manage your personal information.
- Help you keep track. You can monitor your personal information online.
- Stop data abuse. With total visibility of your online data profile there's less chance of abuse.
- Keep you in the spotlight. Data security doesn't mean hiding yourself away. You decide how much or how little of your information is available online.
- Offer you comfort and assurance. With your personal data under control you can use the web without the worry.
I haven't used it very much, so I thought I'd close my account. I couldn't find any obvious way of doing this, but what I did find in their 'Help' pages is this:
Your information will be held on our database in the event that you wish to re-subscribe at a later date. But we will no longer search for or retrieve new data about you.
Which looks to me like it is in breach of UK Data Protection law - something I am mildly clued up on after my recent clash with Facebook. And it is all the more ironic that Garlik claim they are going to help you protect your online data.
Update
I emailed Garlik to point out the discrepancy between the above and the following statement in their Privacy policy:
I've just got the following reply from them:
Our actual policy is in line with the wording in our Privacy Policy and upon cancellation of your subscription your personal information will be removed from the Garlik service. We will therefore update our FAQ accordingly.
A quick, reasonable and totally satisfactory response, and a complete contrast to the attitude of Facebook. Well done Garlik!
Posted by alanbur ( Nov 29 2007, 10:44:28 PM GMT ) Permalink Comments [0]
Tuesday November 27, 2007
The Government of Wonderland - followup
Following on from my previous rant about the UK government "misplacing" the personal data of 25 million of the UK's citizens, it seems that I'm not alone in my dismay about their proposed "solution" - the National ID Card scheme. A group of six respected academics have written to a Parliamentary committee expressing their disquiet about the proposals:
The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.
The story has been picked up by both The Register and that bastion of liberal thinking (!) The Daily Mail.
Posted by alanbur ( Nov 27 2007, 11:40:29 AM GMT ) Permalink Comments [0]
Thursday November 22, 2007
The Government of Wonderland
"But I don't want to go among mad people," Alice remarked.
"Oh, you can't help that," said the Cat: "we're all mad here. I'm mad. You're mad."
"How do you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
Alice didn't think that proved it at all.
Lewis Carroll, Alice in Wonderland
Unless you've been living under a rock for the last few days, you must have heard that the UK Government has managed to lose the personal details of 25 million people. I've just been listening to Newsnight, and Jeremy Paxman was interviewing the hapless minister who was wheeled in to put his head under Paxo's axe. One of the questions asked was "Does this mean the end of the plans for a UK National Identity Card System?". The answer literally made my jaw drop. "No, because if we had everyone's biometric data, it would be much safer". WHAT??!! Unlike bank details, biometrics can't be changed - a point that was actually made by one of the other interviewees prior to the minister's imbecilic comments. How on earth would increasing the amount of sensitive (and in the case of biometrics, irreplaceable) data they collect make it "safer"?
The fact that the people responsible for losing the data actually believe that this tale of mind-boggling incompetence can actually be used to JUSTIFY collecting more of it is utterly, utterly astounding. It is quite frankly terrifying that a group of people who have decided they are going to force us to register on a National ID Database are so completely clueless about both the technology, its implications and the potential abuses of the data they are insisting we give them.
I think as a result of this cock-up of all cock-ups, the storm of protest against ID Cards is going to make the Poll Tax unrest of the 1990s look like a vicarage tea party.
Posted by alanbur ( Nov 22 2007, 12:05:37 AM GMT ) Permalink Comments [1]
Tuesday November 20, 2007
How to leave Facebook - followup 2
See here and here for the backstory to this post.
I've had a reply from the UK Information Commissioner's Office saying that they are looking at my complaint, so things are moving there too. It also seems that I've sparked some interest in this topic, and it has been picked up by a couple of other sites:
Posted by alanbur ( Nov 20 2007, 01:08:01 PM GMT ) Permalink Comments [0]
Monday November 19, 2007
How to leave Facebook - followup 1
The electrons were barely dry on my last post when I received an email from TRUSTe about the problems I'd had getting Facebook to close my account; the interesting bit is below:
So my advice to you if you are having problems getting Facebook to close your account is to submit a complaint to TRUSTe.
Posted by alanbur ( Nov 19 2007, 07:31:35 PM GMT ) Permalink Comments [1]How to leave Facebook
As I documented in my last post, it isn't actually possible to leave Facebook, all you can do is 'deactivate' your account. I got in touch with Facebook and asked them to delete my account, and here is the reply I got from them:
I wrote back to Facebook, saying that their response was unacceptable. I noted that their Privacy Policy page says that they are a licensee of the TRUSTe organisation, and that as such they are supposed to give users "choice and consent over how their information is used and shared". I also pointed out that as they are now registered in the UK, they are probably also subject to UK data protection legislation. Finally, I pointed out that Facebook had also been mentioned in a Channel 4 news report about identity theft, and that the media were obviously interested in Facebook's stance on data privacy and protection. I explained that if Facebook wasn't prepared to close my account I was prepared to take up the issue with the three avenues open to me, the TRUSTe complaints process, the UK Information Commissioner's Office (ICO) and the UK press.
In return I got exactly the same response as the one above. I wrote back to Facebook yet again, repeating that that their response was unacceptable, and that I was therefore going to take the three courses of action I outlined above. I registered complaints at both TRUSTe, the ICO and I also emailed Channel 4 News, explaining my story.
Last week Channel 4 came to interview me, and the item went out on Channel 4 News on Saturday 17th November. A video of the item can be found on the Channel 4 website. There's also details of the response from Facebook to C4's questions about their policy and process for account closures. Once the item had aired, I wrote again to Facebook, explaining that their response was still unacceptable, and that I'd taken the three options I'd identified in my earlier mail. Here's an excerpt from my mail to Facebook:
----------
Vanessa Barnett, an internet lawyer with Berwin Leighton Paisner, told Channel 4 News: "The Data Protection Act is designed to protect individuals like me from having our data used in ways that we don't want. We get to choose how data gets processed, what people can do with it, and if we don't like it, we can say, 'Please stop'"
"Ultimately it's a question for the information commissioner as to whether someone is in breach of the act. And he has to balance two different things. Yes certainly, I as an individual have the right to say, 'please don't have my data,' but he also has to balance the rights of the business not to have to expend lots of money trying to get rid of that data."
So could Facebook argue that it's just impossible for them to provide an easier way to delete data? Or that they don't have the money to implement one? They didn't make that claim to us. In fact, they didn't engage with the question of why they need to retain data at all - they just didn't answer it.
Vanessa Barnett again: "One of the very key things that the information commissioner will look at is the resources of the business. And if that business has lots of money and lots of IT infrastructure, has the capabilities for example to easily write scripts to delete it, that will certainly sway the information commissioner into whether that data should have been deleted."
----------
I also notice that Facebook make the following statement on their Privacy Policy page:
----------
In the event that we learn that we have collected personal information from a child under age 13 without verification of parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at XXXXXXXX.
----------
So it seems quite clear that Facebook *does* have the ability to delete accounts from the system, but for some reason chooses not to, other than for children of under 13. I will be pointing this out to the UK Information Commissioner.
Once again, I reiterate my case - Facebook has a duty to make it possible for users to delete their accounts in a reasonable and convenient manner, and from the statement on the Facebook Privacy page, Facebook clearly already has the mechanisms in place to make this possible.
I await your response with interest.
As well as sending my mail to the Facebook support person I had been dealing with, I also sent it to Chris Kelly, Facebook's Chief Privacy Officer, and Mark Zuckerberg, the Facebook CEO. Neither mail bounced, so I must have guessed their email addresses correctly. Earlier on today I received the following response from Facebook:
We have permanently deleted your account per your request. We do not retain any information about your account once it is deleted, and thus deletion is irreversible. Please let me know if you have any other questions or concerns.Hurrah! Although to be honest, this raises almost as many questions as it answers. If Facebook has the ability to delete accounts so easily, why don't they make it available to users? In their written response to C4 they say that "Facebook does not use any information from deactivated accounts for advertising purposes." If that is the case, why do they retain the information at all? And although they aren't using it for "advertising purposes", are they making other use of it, and if so, what?
I'm still waiting for responses from either TRUSTe or the ICO, I'll be sure to blog about them when I receive them. In the meantime, if you want to get Facebook to delete your account entirely, you can always try mailing them, quoting the clear precedent they have set by closing my account. I really can't understand why Facebook make the whole process so difficult, they are an extremely popular service and the amount of work involved in closing accounts properly is tiny in comparison to the volume of activity the site sees.
Posted by alanbur ( Nov 19 2007, 06:35:38 PM GMT ) Permalink Comments [13]