Facebook “Simplistic” Privacy Settings Coming Soon

I’d be nothing but a jerk if I didn’t post this considering I’ve spent a fair amount of time criticizing Facebook’s privacy policies. Facebook head of public policy Tim Sparapani as quoted in Wired:

“Now we’ve heard from our users that we have gotten a little bit complex,” Sparapani said in a radio interview Tuesday. “I think we are going to work on that. We are going to be providing options for users who want simplistic bands of privacy that they can choose from and I think we will see that in the next couple of weeks.”

I can deal with public defaults provided it’s clear in the UI that the defaults are public and the user has an easy way to adjust privacy. What isn’t addressed is this policy of resetting things when changes are made. No comments on that as far as I can tell.

Victoria Secret – You Like This

[Image: Victoria Secret "Like" Limited Edition]

I couldn’t resist posting this one. Apparently Victoria Secret has a free “limited edition” (with store purchase of course) panty with “you like this” printed on the back with a thumbs up, an obvious homage to Facebook.

Countdown to sexual harassment for unwanted “clicking” or “liking”? I’m sure some genius will get into trouble for that.

We could of course get into a debate over whether it’s objectifying women, or just make jokes about how it’s “social” and “viral”, the parallels to the privacy debate, etc. But as Sigmund Freud allegedly said, “sometimes a cigar is just a cigar”[1].

Before someone emails me: yes, I posted the image and yes you can click for a full-sized one (you’re welcome). For the person who questions my judgment: It’s really no more mature than anything you’d see at a pool or beach. Grow up. For the person who is guaranteed to email asking where the original coupon is: you can find it here or here. Lastly, no, this isn’t the first time a butt has graced this blog, it’s the second time just this year.

[Hat Tip: Center Networks]

1. It’s attributed to him, but there’s no evidence he actually said it as far as I’m aware.

Why “The Geeks” Are Upset About Privacy

Pete Warden on why everyone should pay attention to “the geeks”:

So why are the geeks so upset? They’re looking down the road and imagining all the things that the bad guys will be able to do once they figure out what a bonanza of information is being released. Do you remember in the 90’s when techies were hating on Windows for its poor security model? That seemed pretty esoteric for ordinary people because it didn’t cause many problems in their day-to-day usage. The next decade was when those bad decisions about the security architecture became important, as viruses and malware became far more common, and the measures to prevent them became a lot more burdensome.

I’d recommend reading the entire article.

That might be the best argument I’ve seen in a while for people who just don’t get it. When you spend enough time dealing with data you’re forced to understand the threat models that can impact your work. You become very tuned into what the potential exploits are and how they can be used to everyone’s advantage, and disadvantage. Despite surveys that show people are “concerned” about their privacy, and that some “use privacy settings”, I’d venture very few, likely less than 10%, actually understand what harm any piece of data can do, and how exactly it’s being handled and shared.

There’s a reason the industry is so focused on this lately. There’s a reason why I’ve now dedicated a majority of recent blog posts to it.

Google Should Use Google Wave Against Facebook

[Image: Help me Google; you're my only hope]

Google should use Google Wave against Facebook.

It’s not as crazy as it sounds. I will be the first to say I was unimpressed by Google Wave from a user point of view. I should note Google Wave was pitched as an email alternative, and it’s not great at that job. The technical perspective was pretty impressive. It is however a potentially killer distributed social media network. It will take slight retooling to adjust it for the task, but it is already better suited to compete against Facebook than against email.

It’s actually a pretty good alternative if the UI were better tuned to the task. Allow me to explain:

It’s close feature wise

I won’t go into point after point, but Google Wave can carry out many of the same things that Facebook can. It’s a good way to communicate in an open or closed fashion and each wave can already be granular in terms of privacy. It can be used to share much more than text. It can be used for the purposes of photos or video. It can be extended by third parties utilizing its API. It already has chat support. It’s built on XMPP. It can easily parody Facebook in almost every way already. It can be extended to do what it can’t today. Profiles are the biggest thing it lacks. I suspect that wouldn’t take much to add in. I’m thinking an extendable XMPP vCard from the technical side.

It’s distributed

Google Wave is hosted by Google, but it’s also an open protocol and Google’s releasing chunks of their implementation. That means they can partner with other large companies (AOL, Yahoo, Microsoft, Apple etc.) who can federate and let their users all instantly be part of one huge social network. Users already have “friends” via their address books for email. Importing from other sources is easy, just look how Facebook did it. If Google got AOL, Yahoo, or Microsoft to partner with them they would overnight reach a huge chunk of the Internet population via their e-mail users.

For those who are going to try and argue that Facebook users don’t have email addresses, yes they do. It’s a primary method of notifying users of things other than SMS and is required to sign up for an account.

This also means you can host yourself, or use the provider of your choice. You’re not subject to Facebook deciding your fate, or any one company.

It would be more private

One of the primary gripes against Facebook is its privacy measures are inadequate. Facebook has motives to force people to be more public. There’s little incentive to help you stay private, since the alternatives are slim. With Google Wave being hosted by several providers they will need to give you more control, or you will just move to a provider that will give you the controls you want. Just like with email. By using your own domain to point to a provider you would have portability of your identity. Once again Google Wave by design is more granular than Facebook. It’s based already around the concept of sharing data. What Google Wave really needs is a robust profile implementation with granular permissions and the ability to bucket contacts to make permissions more manageable.

Despite its UI and marketing pitch, it’s a surprisingly close Facebook competitor.

It would be a healthier ecosystem

Like I mentioned before, Google Wave has a fairly decent API already. What is great about it is that providers would be pressured to provide a robust enough API so that the killer apps exist on their platform. Again, no more reliance on a single source. By standardizing at least a subset of the API, developers can target multiple providers and implementors. It also means providers will need to allow for more granular controls over privacy settings for third-party apps or once again, people will be switching.

Google wins too – keeps them in the center of the universe

Google likes to be the center of things, especially information. By doing this Google would still be able to organize a user’s information in meaningful ways for them, which is really what Google Wave’s main goal for Google is. Google has a major win. Anyone a user trusts to index their information can do so. If the user is paranoid, they can keep totally private. If you really want to be private you could run it on your own private server. If you don’t trust Google, you can avoid them but still join the party.

It would be more permanent

Facebook is still not guaranteed to be around in 10 years. Email however is overwhelmingly likely to still be around. Just like newsgroups and IRC still have their place, even if they aren’t as mainstream anymore. Why? Because they are all open standards and not tied to one company’s profitability. I can still find and read old newsgroup posts from over 20 years ago. Feel that confident about Twitter? Facebook? foursquare? How much time do you invest in them?

What about diaspora or _______?

diaspora is a clever effort and a noble one getting a lot of press today. It really is. But I think it’s too complex for real widespread adoption, especially in the era of easy to use web apps. It’s true that users flocked to P2P apps despite complexity but that’s because there were no alternatives with less overhead. I’d give most of these efforts a 5% chance of any real success.

StarWars is copyright Lucasfilm

What Facebook Apps Know About You

The ACLU put together a clever quiz on Facebook that lets you see what a Facebook application knows about you.

I doubt most people realize how much they are giving an application, and how unnecessary the information is to the application. There is no legitimate need for something as simple as a quiz to require that much information. And yes, if your friend takes a quiz, your information is shared too.

I mentioned the other day that Facebook changed the data retention policy. So this gives a little more context regarding what is actually at stake here.

I’ve been unable to confirm if Facebook gives applications the same data for minors (those under 18) as they do for adults. I know they restrict information shared via the website, but not sure if that extends to the API level. If anyone has a minor child and can shed some light on that, I’d be interested to see how they treat privacy of children in Facebook applications. I’m also not sure if they adjust what data is shared for users, in particular children in other countries where laws may be different. If you know, please share. If you can share a few screenshots of what’s revealed contact me (I won’t share unless you explicitly say so).

Yes, I know this is my third Facebook related blog post in a week. I promise to go back to ignoring them soon enough, but the privacy implications of their applications are pretty interesting to say the least. This is especially true if online privacy and security have long been interests of yours.

On Facebook Permitting Longer Storage Of User Data

Previously the rules only permitted storage of some data for 24 hours. Notice I said “rules”. The truth is that there is no technical means of enforcement that I can find. This is done on the honor system. Facebook in theory could look at usage and wonder “how are they doing this without refetching data?”, but monitoring all the apps in that way seems highly impractical. You’d need good knowledge of how every app actually functions to make that decision. That still doesn’t cover the case of not deleting data when a user removes the application or changes privacy settings.

I’m sure there are some shady application vendors who have forever ignored this requirement. I’m sure some have also captured data they weren’t supposed to store. It seems naïve to think otherwise. That’s not to say everyone does it, or even a sizable number. I suspect most companies are honest and follow the rules. The change to remove the limit is actually more honest and straightforward. It is a step closer to reflecting reality.

Facebook should really have some sort of audit policy for apps over X number of users, or make it clear that there’s no real technical means limiting what an application can store once you share data with it. They don’t know for certain that just because a user deleted an application that the application has purged the data. There’s no technical means behind it, and that’s not something that’s easy to fix.

This is an important thing to clarify. Just because they had a policy of a time limit, that doesn’t equate to a technical solution. This is akin to passing a law that says “no identity theft”. It’s a novel thing to do, but it doesn’t prevent theft. It simply clarifies the official position on the activity. If this method worked, we wouldn’t need law enforcement or a legal system, just a few clever people with pens to write laws.

Facebook can obviously shut down anyone who it feels violated their policies, and can likely take legal action against such parties. I’m pretty sure they shut down applications, I’m not sure about legal action.

Bottom line: only share data if you’re willing to accept this risk. Their clarification of warning dialogs before you authorize an application is a good step in this direction.

Another Brick In The Facebook Wall

I ran across the problem recently trying to write to a user’s wall using the Facebook API. The Facebook documentation is hardly sane as it’s a mix of languages, not entirely up to date, and lacks good examples. The error messages are hardly ideal either. “A session key is required” at least leads me in the right direction. “Invalid parameter” is just unacceptable and makes me stabby.

So here’s some cleaned up pseudocode I pulled together that will hopefully be of use to others who bang their heads against the wall. This “works for me” in my limited testing over several days:

require_once('./facebook-platform/php/facebook.php');

// $apiKey and $appSecret are your application's own credentials
$facebook = new Facebook($apiKey, $appSecret);

// This gets us the uid
$canvasUser = $facebook->get_canvas_user();

// And the session key
$sessionKey = $facebook->api_client->session_key;

// You need both of these permission bits
$user = $facebook->require_login($required_permissions = 'publish_stream,offline_access');

// You'll likely have an application sitting here and at
// some point in your application be doing the following

// Here's where we actually set the status
$facebook->api_client->call_method("facebook.status.set", array(
    'uid' => $canvasUser,
    'status' => "All in all it's just another brick in the wall.",
    'session_key' => $sessionKey
));

Getting the right permissions is key.

The thing that ends up being the most confusing is the session_key. After reading the docs, I was inclined to do:

$token = $facebook->api_client->auth_createToken();
$sessionKey = $facebook->api_client->auth_getSession($token);

What you really want is:

$sessionKey = $facebook->api_client->session_key;

You can also adapt this to use stream.publish if you’d like.

Facebook’s HipHop For PHP

I mentioned the other day that Facebook was about to open source a method for speeding up PHP. Today they announced HipHop, a code transformation tool that converts PHP into C++ and compiles using g++. There is apparently a server component to this strategy as well.

I’m slightly skeptical that this approach will have much more success than the other attempts in the past. This approach may make sense for Facebook, but I don’t think it will pay off for most smaller (relatively speaking) sites.

I think for most users, something similar to Unladen Swallow, an effort for Python which is trying to build a custom virtual machine with a JIT built on top of LLVM, would be best. Perhaps even Nanojit could be a potential option.

I suspect HipHop will be a fork more than anything else. Regardless it’s a pretty cool project and some really interesting technology.

Facebook’s New PHP “Runtime”

According to SDTimes Facebook is about to release a new open source project where it has either re-written the PHP Runtime (unlikely) or built a PHP compiler (more likely).

There is another possibility. It could be a Zend extension acting as an opcode cache (APC, XCache, etc.) and a FastCGI replacement.

It’s also possible they used Quercus as either a starting point or inspiration and it’s actually Java based, but that sounds unlikely.

Regardless, it will be interesting to see what comes of this.

Embedded JavaScript For Web 3.0

John Resig has an interesting blog post on embedded JavaScript. It’s something I’ve been thinking about for a little while.

It would be awesome to see a PHP extension to embed SpiderMonkey into PHP. As far as I’m aware Facebook is the only one that’s taken a step in that direction with FBJS, which uses Mozilla source code. Perhaps that could be a starting point.

Considering the ubiquity of JavaScript, using SpiderMonkey, which is already available for Perl and Python, or Rhino (for Java) would make sense. It would allow for JavaScript to be for logic what XML is for data. In my mind that is nirvana for the web.

XML made our data portable. JavaScript can make our logic portable. Seems practical enough right?

For those who question security, it’s really up to the client to decide if it should parse JS, and what subset it should allow (perhaps no eval()). Having an API based on JS is really no less secure than any other language including one that’s home made. Its advantage is that it’s used everywhere else and makes your API easier to work with.

This could be a cornerstone of Web 3.0. Web 2.0 was largely about shared data and isolated small services. Web 3.0 could be about shared data and shared services.
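A sketch of a client deciding what subset to allow, using Node.js's built-in vm module. This is an added example, not code from the original post. The runEmbedded helper, the main(input) convention and the sample scripts are assumptions made for illustration. Node documents vm as not being a security mechanism on its own, so this shows the subset restriction rather than full isolation.

```javascript
const vm = require('node:vm');

// Hypothetical host-side runner: executes an embedded script that defines
// main(input) and returns its JSON-serialisable result.
function runEmbedded(source, input, timeoutMs = 100) {
  // Null-prototype global holding only a string: host objects would carry
  // the host realm's prototypes and constructors into the script's reach.
  const globals = Object.create(null);
  globals.__inputJson = JSON.stringify(input);

  const context = vm.createContext(globals, {
    // The "no eval()" subset: eval(), new Function() and WebAssembly
    // compilation all fail inside this context.
    codeGeneration: { strings: false, wasm: false },
  });

  try {
    vm.runInContext(source, context, { timeout: timeoutMs });
    // Serialise inside the context so only a string crosses back.
    const out = vm.runInContext(
      'JSON.stringify(main(JSON.parse(__inputJson)))',
      context,
      { timeout: timeoutMs }
    );
    if (typeof out !== 'string') return { ok: false, reason: 'no-result' };
    return { ok: true, value: JSON.parse(out) };
  } catch (err) {
    if (err && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') {
      return { ok: false, reason: 'timeout' };
    }
    return { ok: false, reason: String(err && err.name) };
  }
}

// Constructed sample scripts, as a remote service might ship its "logic".
const SAMPLES = {
  plain: 'function main(i) { return { total: i.prices.reduce((a, b) => a + b, 0) }; }',
  usesEval: 'function main(i) { return eval("1 + 1"); }',
  usesFunction: 'function main(i) { return new Function("return 1")(); }',
  wantsHost: 'function main(i) { return typeof process + typeof require; }',
  spins: 'function main(i) { while (true) {} }',
};
```

The script sees no host globals such as process or require, and a production host would still put this behind a separate process or isolate with memory limits.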