What really matters is a company’s DNA. For Facebook that’s the willingness to be agile, the willingness to push things, and the willingness to change. That may occasionally backfire, however it’s proven to generally work out quite well. Especially when Facebook is willing to back down and revise as it has in the past. Mark Zuckerberg’s goal is pretty lofty, especially given the world and it’s people are struggling to figure out privacy in a connected world.

To quote him in 2010: “we’ve made great progress over the last year towards making the world more open and connected”. Balancing this mission and not crossing the line will be the challenge Facebook will face for years to come. I’ve criticized them several times in the past for either not doing enough, or not giving enough priority to the right to control privacy. Lately I’ve got less to complain about. I think that’s good for everyone.

The reason I say this is that Facebook and Twitter have become identity gatekeepers on the net. Already you can login to many sites via accounts with one of the two sites. Creating the API’s to handle purchase/subscriptions and transparently handling the billing to effectively turning a HTML5 site into an “app” is the next logical step. They could undercut Apple and still walk away with a handsome profit for not doing terribly much more than leveraging their size and reach. These apps would work on any device with a web browser. Desktop or mobile.

Given both sites need to diversify revenue streams (something Google never figured out), it seems only logical to make this step. $0.99 for Angry Birds seems more than plausible.

And yes, there are offline abilities in a browser.

The first thing I found was the hostname where the request originated was out-sw251.tfbnw.net which is obviously owned by Facebook. That’s not terribly interesting and supports my theory up above.

Then I found these two curious bits in the request:

X-FB-USER-REMOTE-ADDR: 66.249.67.211
USER-AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

That IP address is crawl-66-249-67-211.googlebot.com. That UserAgent is very telling and needs no introduction.

The request is otherwise pretty unremarkable other than no query string which a normal person would generate when hitting that canvas URL. However fb_sig_request_method is set to GET which suggests to me it’s actually using POST despite that what it claims. There’s no fb_sig_user or anything else that would suggest an actual user, which makes sense because fb_sig_logged_out_facebook is set to 1.

It appears as of March 20, 2011 Google has started crawling Facebook Apps. I’ve got no idea what it’s intent, abilities or relationship is. I can tell you that I’ve monitored since at least April 2010 and this only started a few days ago.

“I like Foursquare because I can actually pick who sees where I actually am, compared to Facebook, where I have 1,200 friends,” she said. “I don’t want 1,200 people knowing where I am.” Facebook does let users pick a smaller subgroup of friends who can see location updates, but Ms. Lovelidge said it would be too much trouble to set that up.

Emphasis mine. This isn’t lost on Facebook. Zuckerberg himself said: “But guess what? Nobody wants to make lists”.

The problem is that for every Ms. Lovelidge who at least acknowledges the risk and avoids it, there will be 10 others completely oblivious to the risks.

One great lesson here is that you can’t change the paradigm and assume an old security model, in this case the “friends” network will continue to work. This is the equivalent to turning a store into a private residence without bothering to replace the open store front with a more traditional door.

…more than half of the children surveyed (54%) don’t personally know all of the friends…

54% of teens surveyed don’t know all their “friends”. Facebook defaults the privacy settings on places to “friends”. 54% of children surveyed will likely be sharing their current location with people they don’t personally know. Places will catch on, especially once the check-in games start coming up and it becomes more fun and competitive. Half will likely share their location with people they don’t know.

Think about this for a second. Just a few years ago society would have found the idea of teenagers revealing their current location to people they don’t even personally know to be insanity.

It’s easy to fix, just setup a group and include/exclude as desired. The problem is awareness of the problem is low. Also problematic is the desire and patience to sort through several hundred “friends” and bucket people.

It would also be easy for Facebook to fix by forcing users to either select specific groups or individuals rather than just defaulting to the overly broad “friends”. They have the UI, and it’s actually pretty good (I’ve got some gripes, but they don’t apply to 99.9% of the population) they just don’t make users go through it for the sake of simplicity.

I don’t really like this.

Decisions on who qualifies as a friend may have been made a few years ago when the risks were different and content being exposed was much less harmful. Letting a stranger see your obnoxious status update is different than letting them know where you are.

MG Siegler at TechCrunch just realized this himself and cut the number of friends he had in half. To quote:

Facebook is mutating. The problem is that the original social graph isn’t built for this mutation. And we’re going to see that very clearly with things like this new location element.

I’d argue MG Siegler is brighter and more in tune to this sort of thing than 90%+ of Facebook users. Perhaps 99%. If he just realized this now, it’s going to take a long time for the more casual user to catch on.

As I wrote last week, the term “friend” has been grossly distorted over the past few years. I strongly suspect the most at risk users are the ones who distorted it the most. Defaulting things like Places to “friends” isn’t good enough.

You’ll be seeing more about this in the press over the coming several months. This is going to get messy as people leak information they didn’t intend to.

It’s worth noting that Facebook restricts check-ins to friends only. This is different from almost anything they have done in the past where they opted for more public views. Clearly they knew location was pushing the envelope and choose a more restricted view.

One of the more peculiar features, the ability for friends to “tag your location”. This essentially lets your friends check you in. From the FAQ:

The first time you use Places, or the first time a friend tries to tag you in to a Place with him or her, you will receive a notification asking you to share your location and allow friends to check you in to Places.

At any time, you can also adjust this setting by navigating to the main Privacy Settings page and clicking the “Customize settings” link at the bottom of the page. Then, simply choose the Enabled in the dropdown box next to “Friends can check me into Places.”

There are two things at play here. The first is the default of “friends”, the second is the ability for a friend to tag you. Lets start with the default of “friends”.

Default “Friends”

Because of this notice Facebook feels the product is opt-in and not opt-out. Defaulting this to “friends” and not forcing users to select a group or groups isn’t a great idea. This is especially true for minors. Thanks to Facebook being a popularity contest, things like serial friending are too common. Exposing this type of information to that many people in real-time is reckless. Decisions on who qualifies as a friend may have been made a few years ago when the risks were different and content being exposed was much less harmful. Letting a stranger see your obnoxious status update is different than letting them know where you are.

For those not familiar with sociology, Dunbar’s number is the theoretical cognitive limit to the amount people with whom one can maintain stable social relationships. It lies between 100 and 230, commonly set at 150. The *average* user has 130 friends according to Facebook’s statistics when this blog post was published. Keep in mind this is the average of all users including those who rarely and never use it and abandoned accounts. If I had to guesstimate the average for a High School or College student is likely in the low 200′s. I suspect I may actually be (intentionally) overly conservative. I don’t think anyone has real data broken down by age group (though if you do, pass it along).

We can reasonably deduce that the average teenager has more “friends” than friends. At least in some cases perhaps more than even acquaintances. Odds are they don’t even recall approving some.

Facebook should have instead made users select individual friends or groups that can view places rather than make it accessible to anyone who is a “friend”. At a minimum that should have applied to minors and those with inordinate number of friends for their demographic. Because of friending behaviors in the past the concept of a “friend” doesn’t secure this feature adequately. It may be the users fault, but “the customer is always right”.

Tagging Friends

Letting friends tag you is a whole other set of risks. I’ll quote The Consumerist since they were quite whimsical at giving examples:

This could lead to friends tagging you as being inside a peepshow, or an ex-girlfriend tagging you as being with another girl so your new girlfriend gets pissed off. The sitcom storyline possibilities are endless!

Obviously there are times most people don’t want others to know about what they are doing both innocent and nefarious. In extreme cases this could even become a safety issue. Of course crimes committed through Facebook already existed (exhibit A, exhibit B, exhibit C), this just makes it easier especially in the case of serial friending. No longer does someone need to solicit location information, it’s now being broadcasted.

It’s worth noting it’s possible to remove a place you were tagged:

If a friend has tagged you in a Place and you would like to remove your name, simply go to the Place story (you can find it on your profile, your friend’s profile, or the Place page) and select “Remove Tag.” You will no longer be connected to that Place through that story.

Remember that only your confirmed friends on Facebook are able to tag you in a Place if you have enabled them to do so in the “Customize settings” section of the main Privacy Settings page.

Of course that’s in retrospect.

People Here Now

Described by Facebook:

In the “People Here Now” section, you can see others who are checked in with you at that place. This section is visible for a limited amount of time and only to people who are checked in there. That way you can meet other people who might share your interests. If you prefer not to appear in this section, you can control whether you show up by unchecking the “Include me in ‘People Here Now’ after I check in” privacy control.

This has some obvious sore points. At a stadium or concert with hundreds or thousands of people it’s relatively anonymous with random faces and names. In a more intimate setting such as a restaurant or store it would relatively easy to match faces and full names. Given some basic info like a full name, network, current location a lot can be learned by using Google and public information databases. I suspect this has not so obvious implications for many who will not uncheck this preference.

Facebook should have used just first names to ensure some privacy.

Other Risks

There are other risks as well. Any serial use of such a feature will reveal patterns about your daily life such as when you leave and get home, visit the gym, etc. Timing attacks become easier when an attacker can plan without having to actually stake out a victim.

Then there’s the question of what will be done with all the data collected over time by millions of users. This isn’t 100% clear just yet. That’s a privacy issue, but not so much safety issue.

Bottom Line

Proceed with caution. Facebook did prepare for privacy implications better this time than any other release they have done in the past. This however is a whole new ballgame. Facebook could still improve by making some changes as I discussed above. Even with the defaults there are clear and present dangers. Unlike FourSquare or Gowalla where users subscribed with location sharing in mind, this was dropped on Facebook users who likely didn’t intend to share that much with that many people.

“Now we’ve heard from our users that we have gotten a little bit complex,” Sparapani said in a radio interview Tuesday. “I think we are going to work on that. We are going to be providing options for users who want simplistic bands of privacy that they can choose from and I think we will see that in the next couple of weeks.”

I can deal with public defaults provided it’s clear in the UI that the defaults are public and the user has an easy way to adjust privacy. What isn’t addressed is this policy of resetting things when changes are made. No comments on that as far as I can tell.

Countdown to sexual harassment for unwanted “clicking” or “liking”? I’m sure some genius will get into trouble for that.

We could of course get into a debate over if it’s objectifying women, or just make jokes about how it’s “social” and “viral”. The parallels to privacy debate, etc. But as Sigmund Freud allegedly said “sometimes a cigar is just a cigar”¹.

Before someone email’s me: yes, I posted the image and yes you can click for a full-sized one (you’re welcome). For the person who questions my judgment: It’s really no more mature than anything you’d see at a pool or beach. Grow up. For the person who is guaranteed to email asking where the original coupon is: you can find it here or here. Lastly, no, this isn’t the first time a butt has graced this blog, it’s the second time just this year.

[Hat Tip: Center Networks]

1. It’s attributed to him, but there’s no evidence he actually said it as far as I’m aware.

So why are the geeks so upset? They’re looking down the road and imagining all the things that the bad guys will be able to do once they figure out what a bonanza of information is being released. Do you remember in the 90’s when techies were hating on Windows for its poor security model? That seemed pretty esoteric for ordinary people because it didn’t cause many problems in their day-to-day usage. The next decade was when those bad decisions about the security architecture became important, as viruses and malware became far more common, and the measures to prevent them became a lot more burdensome.

I’d recommend reading the entire article.

That might be the best argument I’ve seen in a while for people who just don’t get it. When you spend enough time dealing with data you’re forced to understand the threat models that can impact your work. You become very tuned into what the potential exploits are and how it can be used to everyone’s advantage, and disadvantage. Despite surveys that show people are “concerned” about their privacy, and some “use privacy settings” I’d venture very few, likely less than 10% actually understand what harm any piece of data can have, and how exactly it’s being handled and shared.

There’s a reason the industry is so focused on this lately. There’s a reason why I’ve now dedicated a majority of recent blog posts to it.