Today, a tweet rehashed an annoyance regarding a tactic on websites to alter copy/paste and put a link with tracking code in your clipboard. I could opt out, but that doesn’t fix when websites roll their own. It’s a fairly simple thing to implement. In my mind there’s little (read: no) legitimate justification for oncopy, oncut or onpaste events.

So I did an hg pull while working on some other stuff. I came back and wrote a quick patch, started compiling and went back to working on other stuff.

Then came back to a shiny new Firefox build with a shiny new preference that disabled the offending functionality. A quick test against a few websites shows it works as I intended by simply killing that event. You can’t do these things with closed source.

Of course I found the relevant bug and added a patch for anyone interested.

A 15 minute diversion and my web browsing experience got a little better. Sometimes I forget I’ve got experience on that side of the wire too .

What really matters is a company’s DNA. For Facebook that’s the willingness to be agile, the willingness to push things, and the willingness to change. That may occasionally backfire, however it’s proven to generally work out quite well. Especially when Facebook is willing to back down and revise as it has in the past. Mark Zuckerberg’s goal is pretty lofty, especially given the world and it’s people are struggling to figure out privacy in a connected world.

To quote him in 2010: “we’ve made great progress over the last year towards making the world more open and connected”. Balancing this mission and not crossing the line will be the challenge Facebook will face for years to come. I’ve criticized them several times in the past for either not doing enough, or not giving enough priority to the right to control privacy. Lately I’ve got less to complain about. I think that’s good for everyone.

Firefox has two basic abilities, you can clear cookies, or you can browse and delete cookies. That’s great but not terribly clear that there’s more than cookies.

Chrome as far as I know has no cookie browser like Firefox has, but (edit: Erunno notes in the comments you can via chrome://settings/cookies) explicitly lets you “Delete cookies and other site and plug-in data”. That’s pretty good.

Today, I think Safari’s UI is the closest to perfect. Each hostname shows exactly what it has. My only gripe is that Safari doesn’t let you see what’s there. That’s a “power-user” feature however and I think it does an adequate job regardless.

Websites use more than just cookies these days. I discussed this a little over a year ago. The reason evercookie is controversial is that browsers don’t quite give users the level of control (real or perceived) that they expect for objects other than cookies.

Here is another use case for why this is needed. Google Analytics is used on perhaps half the internet’s websites. It sets a cookie every time. That means 230 bytes added to every http request for a lot of websites. Google could switch to localStorage and free up that 230 bytes. While they technically could do this, in practice, this could create a firestorm of attacks against them. The problem is it would be spun as Google trying to evade cookie deletion and and a privacy violation. The same storm that evercookie created. I suspect that’s why it hasn’t been done to date. The truth is the Google Analytics team has done a lot for improving performance including making it entirely async. But this move would be controversial.

It’s no longer about “cookies”, but “user data”.

Here’s the dream: one lock-screen, two PINs. One for me, one for anyone else who might use my phone but doesn’t necessarily need to see everything.

Not only is it a good idea for there to be a guest mode, the implementation is quite nice and simple. Maps, Phone, Clock, Calculator, Safari. Perhaps the ability to granularity add/remove from that default set. Everything is stateless and rest when guest mode ends.

This could potentially even lower the divorce rate in the US.

Apple notably failed in a few key ways which should serve as a lesson to others:

1. Always disclose what you’re doing. – Never just assume what you’re doing with someone’s information is cool. Apple could have mitigated a lot of this had they disclosed what the phone was actually doing from day 1. Never transmit anonymous or personal information without letting the user know first.
2. Never store more than you need – I can’t believe how many companies mess this up. Storing user information is a liability. A good business limits it’s liabilities to only what’s necessary to conduct business. Storing so much data, and not expunging was a very bad move and amplified the situation. On top of not letting users know what was going on, there was no way to purge information. This just made things much worse. Apple went as far as backing up what should be an expendable cache.
3. Always be paranoid with information – Apple states “The local cache is protected with iOS security features, but it is not encrypted. Beginning with the next major release of iOS, the operating system will encrypt any local cache of the hotspot and cell tower location information.” in the response to Edward J. Markey. This should have been encrypted since day 1. Various tools existed for a few years that could read this data in the surveillance community. Apple undoubtedly knew people were using this data sometimes for illicit purposes. No company has gotten in trouble for being to secure with customer information with anyone other than the NSA or FBI.

It’s worth noting that their software update in response to this controversy is actually pretty good and pretty thorough. I’m surprised they couldn’t quickly shim some encryption around it. The iOS is loaded with enough DRM and crypto.

On another note, I fully expect some court cases to be reopened now that “cell phone records” are not quite as accurate as they were falsely billed to be. Also companies who marketed software are capable of showing a users location history may be liable as this wasn’t accurately vetted. If they did good testing they would have seen the extent of it’s “tracking”. It seems inevitable.

Lastly, I wonder how much battery life, and how much bandwidth this was utilizing. Some customers are on metered WiFi (especially some hotspots). To geo-tag one must turn on GPS, meaning battery life was being drained behind the scenes.

Apple’s full response can be found on Congressman Ed Markey’s website (copied here for perpetuity).

The Real Deal

Persistent cookies are nothing new. Essentially the strategy works like this: Store data everywhere you can on the users footprint, and if data it deleted in a few locations, you copy it back from another location the next time you can. It’s regenerative by design. A popular example is evercookie which uses:

• Standard HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in and reading out Web History
• Storing cookies in HTTP ETags
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite

Note that several of these aren’t HTML5 specific. More than one of which isn’t cleared by just “erasing cookies”.

HTML5 does add a few new possibilities, but they are also by design as easy to control, monitor and restrict as your browser (or third-party add-on) will allow. HTML5 storage mechanisms are bound to the host that created them making them easy to search/sift/manage as HTTP cookies. Much worse are some of the more obscure cookie methods (Flash Cookies, various history hacks). They don’t really provide any more of a privacy risk than what the browser already has been offering for the past decade.

To Shut Up The Geolocaiton Conspiracy Theorists

Before someone even attempts the “Geolocation API lets advertisers know my location” myth, lets get this out of the way. The specification explicitly states:

User agents must not send location information to Web sites without the express permission of the user. User agents must acquire permission through a user interface, unless they have prearranged trust relationships with users, as described below. The user interface must include the URI of the document origin [DOCUMENTORIGIN]. Those permissions that are acquired through the user interface and that are preserved beyond the current browsing session (i.e. beyond the time when the browsing context [BROWSINGCONTEXT] is navigated to another URL) must be revocable and user agents must respect revoked permissions.

Some user agents will have prearranged trust relationships that do not require such user interfaces. For example, while a Web browser will present a user interface when a Web site performs a geolocation request, a VOIP telephone may not present any user interface when using location information to perform an E911 function.

To my knowledge no user agent implements Geolocation without complying with these specifications. None.

No HTML5 Needed For Fingerprinting

Even if you do manage to wipe all the above storage locations, you’re still not untraceable. Browser fingerprinting is the idea that just your system configuration makes you unique enough to be traceable. This includes things like your browser version, platform, flash version, and various other bits of data plugins may additionally leak. The EFF recently did a rather impressive study to learn about the accuracy of this technique. Computers with Flash and Java installed sport 18.8 bits of entropy and result in 94.2% of browsers being unique in the EFF study [cite, pdf]. Of course their data was likely skewing towards more experienced web users who are more likely to have an assortment of customizations to their computer (specific plugins, more variety in web browsers, operating systems, fonts) than the average internet user. I’d wager that their data downplays the effectiveness of this technique.

The idea that HTML5 is a privacy risk is FUD. It doesn’t provide any worse security than anything else already out there. It’s actually easier to counteract than what’s already being used since it’s handled by the browser.

The Future

I still believe all browsers out there can do a much better job of protecting privacy when it comes to local data storage for the purpose of tracking. What I believe what needs to happen is web browsers need to start moving away from the “cookie manager” interfaces that are now a decade+ old and move towards a “my data management” interface that lets users view and delete more than just cookies. It needs to encompass all the storage methods listed above as supported by the browser. Hooks should also exist so that plug-ins that have data storage (like Flash) can also be dealt with using the same UI.

Additionally it needs to be possible to control retention policies per website. For example I should be able to let Google storage persist indefinitely, Facebook for 2 weeks, and Yahoo for the length of my browser session should I wish.

My personal preference would be for a website to denote the longest storage time for any object on a webpage in the UI. Clicking on it would give a breakdown of all hostnames that makeup the page, what they are storing and let the user select their own policy. With 2 clicks I could then control my privacy on a granular level. For example visiting SafePasswd.com would give me a [6] in the UI. Clicking would show me a panel this:

+------------------------------------------------------------------------------+
| My Data Settings for SafePasswd.com:                                         |
|                                                                              |
|  Host                        Longest Requested Lifespan    Your Choice       |
|                                                                              |
| *safepasswd.com              2 years                       [site default]    |
| googleads.g.doubleclick.net  6 years                       [browser session] |
|                                                                              |
|                                                                              |
|                                                       (Done)  (Cancel)       |
+------------------------------------------------------------------------------+

I could then override googleads.g.doubleclick.net to be for the browser session via the drop down if that’s what I wanted. I could optionally forbid it from saving anything if that’s what I wanted. I could optionally click-through for more detail or view the data to help me make my decision. Perhaps this would also be a good place for P3P like data to be available. One of the notable failures of P3P that impeded usage was it was never easy to view so it never caught on.

The browser would then remember I forbid googleads.g.doubleclick.net from storing data beyond my browser session. This would apply to googleads.g.doubleclick.net regardless of what website it was used on.

This model works better than the “click to confirm cookie” model that only a handful of people on earth ever had the patience for. It provides easy access to control and view information with minimal click-throughs.

It also makes a web page much more transparent to an end-user who could then easily see who they are interacting with when they visit one webpage with several ads, widgets, social media integration points etc.

One click to view data policies, two clicks to customize, three to save.

HTML5 is not a risk here. The web moving to HTML5 is like going from the lawless land to a civilized society where structure and order rule.

“I like Foursquare because I can actually pick who sees where I actually am, compared to Facebook, where I have 1,200 friends,” she said. “I don’t want 1,200 people knowing where I am.” Facebook does let users pick a smaller subgroup of friends who can see location updates, but Ms. Lovelidge said it would be too much trouble to set that up.

Emphasis mine. This isn’t lost on Facebook. Zuckerberg himself said: “But guess what? Nobody wants to make lists”.

The problem is that for every Ms. Lovelidge who at least acknowledges the risk and avoids it, there will be 10 others completely oblivious to the risks.

One great lesson here is that you can’t change the paradigm and assume an old security model, in this case the “friends” network will continue to work. This is the equivalent to turning a store into a private residence without bothering to replace the open store front with a more traditional door.

…more than half of the children surveyed (54%) don’t personally know all of the friends…

54% of teens surveyed don’t know all their “friends”. Facebook defaults the privacy settings on places to “friends”. 54% of children surveyed will likely be sharing their current location with people they don’t personally know. Places will catch on, especially once the check-in games start coming up and it becomes more fun and competitive. Half will likely share their location with people they don’t know.

Think about this for a second. Just a few years ago society would have found the idea of teenagers revealing their current location to people they don’t even personally know to be insanity.

It’s easy to fix, just setup a group and include/exclude as desired. The problem is awareness of the problem is low. Also problematic is the desire and patience to sort through several hundred “friends” and bucket people.

It would also be easy for Facebook to fix by forcing users to either select specific groups or individuals rather than just defaulting to the overly broad “friends”. They have the UI, and it’s actually pretty good (I’ve got some gripes, but they don’t apply to 99.9% of the population) they just don’t make users go through it for the sake of simplicity.

I don’t really like this.

Decisions on who qualifies as a friend may have been made a few years ago when the risks were different and content being exposed was much less harmful. Letting a stranger see your obnoxious status update is different than letting them know where you are.

MG Siegler at TechCrunch just realized this himself and cut the number of friends he had in half. To quote:

Facebook is mutating. The problem is that the original social graph isn’t built for this mutation. And we’re going to see that very clearly with things like this new location element.

I’d argue MG Siegler is brighter and more in tune to this sort of thing than 90%+ of Facebook users. Perhaps 99%. If he just realized this now, it’s going to take a long time for the more casual user to catch on.

As I wrote last week, the term “friend” has been grossly distorted over the past few years. I strongly suspect the most at risk users are the ones who distorted it the most. Defaulting things like Places to “friends” isn’t good enough.

You’ll be seeing more about this in the press over the coming several months. This is going to get messy as people leak information they didn’t intend to.

It’s worth noting that Facebook restricts check-ins to friends only. This is different from almost anything they have done in the past where they opted for more public views. Clearly they knew location was pushing the envelope and choose a more restricted view.

One of the more peculiar features, the ability for friends to “tag your location”. This essentially lets your friends check you in. From the FAQ:

The first time you use Places, or the first time a friend tries to tag you in to a Place with him or her, you will receive a notification asking you to share your location and allow friends to check you in to Places.

At any time, you can also adjust this setting by navigating to the main Privacy Settings page and clicking the “Customize settings” link at the bottom of the page. Then, simply choose the Enabled in the dropdown box next to “Friends can check me into Places.”

There are two things at play here. The first is the default of “friends”, the second is the ability for a friend to tag you. Lets start with the default of “friends”.

Default “Friends”

Because of this notice Facebook feels the product is opt-in and not opt-out. Defaulting this to “friends” and not forcing users to select a group or groups isn’t a great idea. This is especially true for minors. Thanks to Facebook being a popularity contest, things like serial friending are too common. Exposing this type of information to that many people in real-time is reckless. Decisions on who qualifies as a friend may have been made a few years ago when the risks were different and content being exposed was much less harmful. Letting a stranger see your obnoxious status update is different than letting them know where you are.

For those not familiar with sociology, Dunbar’s number is the theoretical cognitive limit to the amount people with whom one can maintain stable social relationships. It lies between 100 and 230, commonly set at 150. The *average* user has 130 friends according to Facebook’s statistics when this blog post was published. Keep in mind this is the average of all users including those who rarely and never use it and abandoned accounts. If I had to guesstimate the average for a High School or College student is likely in the low 200′s. I suspect I may actually be (intentionally) overly conservative. I don’t think anyone has real data broken down by age group (though if you do, pass it along).

We can reasonably deduce that the average teenager has more “friends” than friends. At least in some cases perhaps more than even acquaintances. Odds are they don’t even recall approving some.

Facebook should have instead made users select individual friends or groups that can view places rather than make it accessible to anyone who is a “friend”. At a minimum that should have applied to minors and those with inordinate number of friends for their demographic. Because of friending behaviors in the past the concept of a “friend” doesn’t secure this feature adequately. It may be the users fault, but “the customer is always right”.

Tagging Friends

Letting friends tag you is a whole other set of risks. I’ll quote The Consumerist since they were quite whimsical at giving examples:

This could lead to friends tagging you as being inside a peepshow, or an ex-girlfriend tagging you as being with another girl so your new girlfriend gets pissed off. The sitcom storyline possibilities are endless!

Obviously there are times most people don’t want others to know about what they are doing both innocent and nefarious. In extreme cases this could even become a safety issue. Of course crimes committed through Facebook already existed (exhibit A, exhibit B, exhibit C), this just makes it easier especially in the case of serial friending. No longer does someone need to solicit location information, it’s now being broadcasted.

It’s worth noting it’s possible to remove a place you were tagged:

If a friend has tagged you in a Place and you would like to remove your name, simply go to the Place story (you can find it on your profile, your friend’s profile, or the Place page) and select “Remove Tag.” You will no longer be connected to that Place through that story.

Remember that only your confirmed friends on Facebook are able to tag you in a Place if you have enabled them to do so in the “Customize settings” section of the main Privacy Settings page.

Of course that’s in retrospect.

People Here Now

Described by Facebook:

In the “People Here Now” section, you can see others who are checked in with you at that place. This section is visible for a limited amount of time and only to people who are checked in there. That way you can meet other people who might share your interests. If you prefer not to appear in this section, you can control whether you show up by unchecking the “Include me in ‘People Here Now’ after I check in” privacy control.

This has some obvious sore points. At a stadium or concert with hundreds or thousands of people it’s relatively anonymous with random faces and names. In a more intimate setting such as a restaurant or store it would relatively easy to match faces and full names. Given some basic info like a full name, network, current location a lot can be learned by using Google and public information databases. I suspect this has not so obvious implications for many who will not uncheck this preference.

Facebook should have used just first names to ensure some privacy.

Other Risks

There are other risks as well. Any serial use of such a feature will reveal patterns about your daily life such as when you leave and get home, visit the gym, etc. Timing attacks become easier when an attacker can plan without having to actually stake out a victim.

Then there’s the question of what will be done with all the data collected over time by millions of users. This isn’t 100% clear just yet. That’s a privacy issue, but not so much safety issue.

Bottom Line

Proceed with caution. Facebook did prepare for privacy implications better this time than any other release they have done in the past. This however is a whole new ballgame. Facebook could still improve by making some changes as I discussed above. Even with the defaults there are clear and present dangers. Unlike FourSquare or Gowalla where users subscribed with location sharing in mind, this was dropped on Facebook users who likely didn’t intend to share that much with that many people.