His follow-up post describes Facebook’s response, but the ‘tracking’ cookie to which I was referring has not been removed. According to Nik’s post, Facebook admit this will remain after logout to track the browser, but for ‘safety and spam purposes’.

According to this WSJ article, ‘not all of the data is logged’. That’s good.

The bottom line for me is that Facebook are so powerful that they need to be as answerable to their populous as a government. That means a certain level of transparency and being clear about their intentions. If they go back on their word, who holds them accountable? Are our laws even adequate? Should Facebook be audited, or should we just trust them?

I don’t expect I’d be too happy about having my servers audited, but I’m not Facebook. When nearly half a billion people log into your site each day to give you their data, you have a serious amount of responsibility on your shoulders.

Appendix

As it happens, I couldn’t replicate Nik’s findings. He found that the user ID cookie was not deleted at log out and continued to be sent to Facebook. I can’t explain that; but regardless, my issue was with an anonymous tracking cookie that remains today.

Here’s a quick technical explanation of how this tracking would be possible.

The cookie I refer to is an anonymous identifier with the name datr. This is set when you visit facebook.com, regardless of logging in. Once you do log in, its value does not change. Crucially, when you log out the value does not change either. This means that subsequent Like button impressions could be associated with your account despite your user ID no longer being sent along with it. If the full dataset was stored it would be trivial to associate this anonymous browsing data with your account.

Wow.

This adds a “Health and Wellness” Life Event to your Timeline.
(Timeline is new Zuckspeak for Wall, and Wellness is American for, erm.. Health)

Why would you tell a company that sells data that you were ill? … seriously, why?

I’ve already written my theories about what markets Facebook could enter with this kind of data at their disposal. I wrote about it on my own blog, and later a much shorter piece for NMA.

Previously I wrote about the problem of extrapolating this data from ‘noise’ and how the technology to do that doesn’t seem to have arrived yet. A nearer-term solution would be to get people to voluntarily participate in medical history form-filling in order to to structure that data. The Timeline seems like the perfect vehicle.

I’m staggered to see this so quickly. It seems like a very bold addition and I’m wondering whether the appearance of Google+ has caused Facebook to act more hastily than usual. They’ve been nudging us for years, but they seem to have suddenly given us a rather big push. Some will revolt, but will it put a dent in their 800 million? Unlikely, but never say ‘never’.

Well, no. Nobody seems particularly outraged; possibly because the site I’m alluding to is for sharing photographs of men without their consent. Tubecrush.net.

I don’t feel I need to list everything that’s hideous about this service. I hope that any intelligent person can see why the concept is morally broken, and legally questionable.

[Update]

Upon reflection, it isn’t the photographs which I find most alarming. As my commenters point out, the photographs are intended to be complimentary, and as they point out themselves: you have no right to privacy in public places. Plus, there are exceptions in data protection where photography is for artistic purposes.  (So that just leaves morals then).

I think the time and location is possibly more creepy as it implies you might be able to find this person again if you wished to do so. This is essentially surveillance data. Their legal disclaimers make no mention of time and location data. They do however indemnify themselves from any ‘damage’ arising from someone featured on the site being ‘communicated’ with. A clear acknowledgement that posting this kind of data is potentially dangerous.

One comment usually brings the issue home quite nicely though. I ask:

“How often to you mention being drunk, or being hungover on your Facebook wall?”

- the answer is invariably “often”

“What if in five years you can’t get life insurance because you’ve been profiled as a high risk for alcohol-related illness?”

Should I be paranoid?

Long version coming up

I got a Debenhams store card the other week. I was asked the usual credit-check questions, but after the first dozen I got suspicious. I asked the lady if these questions were ‘optional’; she confirmed that they were, so I opted out.

We’ve become more-or-less comfortable with the concept of credit checks – they’re a necessity of our financial lives. But these optional questions were pushing the boundary a bit, they seemed like more general demographic profiling questions. I suspect that my card was approved as soon as they had my name and address.

Most people are aware (I hope) of how our purchasing habits (through things like Nectar) can be used to build up a profile of us as consumers. It all seems pretty harmless when you get a voucher for tiramisu through your door, but what if marketing data affected more important things in your life than free cake?

Insurance profiling

A recent article in Wired led me to an experiment by Deloitte Consulting. The experiment was a predictive modelling approach to the usual methods of Aviva’s life insurance underwriting. 37% of the model’s predictive ability came from consumer-marketing data. Think about that for a moment — not just facts in your medical history, but what you like to do at weekends. What we’re talking about here is extrapolation of the probability of your death.

Not only does this concept scare the crap out of me, but I immediately think about all the data I’ve pumped into Facebook and Twitter over the years. Extracting value from this kind of noisy data is clearly a hot area for startups too. Some firms (like Google-acquired Fflick) are using machine learning to turn status updates into discernible data. Once this technology is more reliable, the face of consumer profiling will take a serious leap.

The direct marketing division of Equifax was acquired last year by Alliance Data Systems for $117 million. (that’s 0.2% of Facebook’s valuation). We already know the value Facebook can bring to targeted advertising. Just imagine if Facebook entered the profiling market at this level. The ubiquitous Like button even gives Facebook the potential ability to know what other sites you visit. You may not even need to tell them you prefer the FT to the Daily Mail – they may already know.

An obvious caveat to Facebook’s profiling ability is that your Facebook isn’t necessarily tied directly to your legal identity, or exact postal address. I am merely “Tim W” and they don’t have my mobile number. However, I imagine I’m in the minority here – Facebook are very aggressive in farming this data. They even use an irritating Captcha to coerce you into ‘verifying’ your account.

How long before you can enter a person’s name and address into a system and get back a quantified likelihood of that person crashing a car, getting arrested, dying of liver failure, or skiing off a cliff?

I love this. The simple idea that yesterday’s wall posts are yesterday’s news. Not only may they be irrelevant, but once forgotten who knows how they may come back to bite you? They’re still there, discoverable by other users and of course by the API.

These insights challenge my assumption that the next generation of adults won’t care about privacy. Teenagers may not have quite the same concerns as I do about these issues, but it’s fascinating to see how a website (designed by adults) leaves them to solve their own problems their own way.

The paranoid bit

Whitewalling in particular got me thinking about the notion of digital permanence. That the data we pump into the Internet is quite possibly going to live forever, or at least as long as we do. That raises questions about what it could be used for in a future we don’t yet know.

Fast forward to some advances in artificial intelligence and changes in the law: suppose ten years of Facebook wall posts could psychologically profile you such that your credit rating is affected, or an insurance company won’t insure you. Worse still, suppose you got into trouble with the law – even accidentally. How might this profile affect your chances of a fair trial? I know I sound paranoid, but if this data serves you no purpose then you may as well delete it while you can.

The personal bit

I was at a dinner party last week discussing my personal life. The previous two months had been a disaster – I wanted them erased. What was standing in the way of that? A permanent record of everywhere I’d been, what I was thinking/saying, and to whom – all nicely supported with photographic documentation.

“.. his Myspace page still says “Status: Horny”
30 Rock – 3.13

It wasn’t just the social corpus either. It was how status updates and comments between people were used to exemplify a situation – to infer what people might be doing, or thinking. The number of times Facebook came up in conversation was sickeningly profound. Despite being in our 30s, we sounded like a bunch of teenagers.

“.. she just changed her status from ‘working on it’ to ‘weirdsies’.”
30 Rock – 4.8

The bit where I try Whitewalling

Four years of verbal diarrhoea is a lot of data to delete by hand. As a developer I figured there must be a quick way to do this. First of all I tried to build a Facebook app to wipe my wall back to the day I joined Facebook, but it turned out to be technically impossible. So, I started deleting posts by hand, one at a time; sometimes requiring up to three clicks. I conquered a year in about two hours and gave up for fear of RSI. I’ll do the rest later… probably.

It was quite a trip down memory lane. And along the way I found examples of exactly why it was a good idea. Comments about people who at the time weren’t on Facebook; who became friends later on. Comments from ex-girlfriends that could jeopardise future relationships.

It wasn’t just posts to my own wall either; it was comments on other people’s content which was most time-consuming. Deleting these would mean not just deleting the post, but clicking through first and deleting the comment. What a nightmare.

The bit at the end

If there was any point to this post at all, it was to say: This data will live forever. You don’t know how technology, law and privacy will change in the future. So whether you welcome or fear your Zuckerbergian future, just remember that this data is yours, and you still have power to delete it if you choose to do so.

]]> http://timwhitlock.info/blog/2011/01/20/whitewalling-and-digital-permanence/feed/ 1 http://timwhitlock.info/blog/2011/01/07/is-facebook-tracking-your-web-browsing-history/ http://timwhitlock.info/blog/2011/01/07/is-facebook-tracking-your-web-browsing-history/#comments Fri, 07 Jan 2011 19:24:43 +0000 tim http://timwhitlock.info/?p=1016 I recently saw this paper: “Facebook Tracks and Traces Everyone: Like This!”
(download the PDF)

Short version

Zuckerberg's 'open' and 'connected' world

Every time you merely visit a site that displays a Like button, data is sent to Facebook which includes the address of the site you are visiting. Assuming you’ve also logged into Facebook, they have all the information they would need to associate these external page views with your Facebook identity.

What are they actually doing with this data? Possibly nothing, but I don’t see any statement saying “Don’t worry, we don’t store web page URLs you view, even though we could“. The usual guff about ‘anonymized’ data and cookies being required for functionality doesn’t quite cut it with me. This is Big Brother stuff, and they need to be crystal clear about what they could do and what they are doing.

Long version

I can’t say I’ve thought about this until now, and it’s nothing particularly new on the surface anyway. Banner ads have historically been able to track your browsing history. Each advert sets a cookie in your browser, (just a simple identifier). When you visit another site with ads served by the same provider, this cookie will be sent back with the referring URL.

Bingo! The ad provider knows a portion of your browsing history. Of course the ad serving company may have no idea who you are – you’re just a number. But the same can’t be said of Facebook.

This privacy leak with display advertising is easily plugged by your browser refusing third party cookies. It knows that the ads aren’t what you’re really visiting for – these cookies probably don’t enable any useful functionality, so they may as well be blocked – no harm done.

So all good then, just block third party cookies and Facebook can’t track you? Not quite!

The Like button is different to dumb display advertising because the ‘third party’ is a site you’re actually going to visit. As a Facebook user, even if you’re blocking third party cookies, you’re still going to be sending back this data.

Here’s a bit of techie explanation of how Facebook gets around third party cookie blocking -

The third party cookie loophole

If you visit facebook.com directly (nevermind logging in – just visit) the tracking cookie will be set in your browser, because it isn’t [in this instance] third party. To avoid this, you’d have to set your browser to completely reject all persistent cookies. This is problematic and most browsers don’t provide very good options for this.

The upshot of this is that after visiting Facebook, the tracking cookie will still be sent to Facebook when any Like buttons are loaded on other sites, regardless of third party cookie blocking settings. This actually makes sense, because this is exactly what cookies are designed to do.

I tested this in Chrome, Safari and Internet Explorer and they all render third party cookie blocking useless once you’ve visited facebook.com. Interestingly, my version of Firefox seems to be extra strict – it recognises that this cookie was originally third party and refuses to send it. (This actually breaks the like button, because it doesn’t know when you’re logged in to Facebook).

Even if you log out of Facebook, the tracking cookie is still sent, because the cookie has a two year expiry. The only way to avoid this is to delete all Facebook cookies from your browser, or surf in your browser’s incognito/anonymous mode.

What next?

First of all, I wouldn’t be surprised if we started seeing Facebook-served advertising outside of Facebook.com. This would give Google AdWords some serious competition. (I’d welcome that in itself). They just got a nice bit of pocket money to get cracking on a project like that.

But there’s still this invasion of privacy to deal with. We can debate the small print all day, but I don’t see any clear statement from Facebook that they aren’t associating passive browsing data with specific Facebook accounts, and I doubt very much that the average Facebook user is aware they have this power.

In descending order of interestingness and importance, here are a few things you may not know about Twitter DMs.

1. All third party applications you authorize can read your DMs *
2. Deleting a DM you’ve sent or received also deletes it from the other person’s account;
3. Deleting DMs sends some Twitter clients into a confused frenzy;
4. DMs don’t have a ‘reply to’ ID, so they can’t be threaded properly;
5. The new Twitter interface only loads your most recent 100 messages;
6. I’ve written a tool for backing up and deleting all your DMs – imaginatively titled DM Cleaner.

1. All third party applications you authorize can read your DMs

* Think about it – if you can read your DMs on your iPhone, what do you think is happening? That’s an external application [that you've authorized] accessing your Twitter account. Twitter don’t offer the kind of fine-grained permissions that Facebook do – access is access – so any developer you authorize can read your DMs any time they like until you revoke that app’s privileges.

I have over 40,000 authentication keys for TwitBlock, with a revoke rate of a mere 3%. By authorizing a third party, you are trusting them not to do anything irresponsible with your data, and that includes messages you may consider private. Think about that the next time you DM your private email address, or worse. It’s called direct messaging, not private messaging

2. Deleting a DM you’ve sent or received also deletes it from the other person’s account

DMs are basically just tweets – despite being shared between two people, you are both looking at the same copy. If you delete a received messaged it is removed from your friend’s sent items. If you delete a sent message it disappears from your friend’s inbox. However, some Twitter clients (like Twitter for iPhone) cache messages on the device, so you may not notice a message is missing for some time.

3. Deleting DMs sends some Twitter clients into a confused frenzy

Have you ever suddenly received an old message you’ve seen before out of the blue? I have (especially using Twhirl) and I’ve only just worked out why it happens. It’s other people deleting your DMs at their end.

Direct messages are requested from the Twitter API by either specifying the newest one you’ve already got (checking for new messages), or by specifying the oldest one you’ve already got (paging back through history). If a Twitter client specifies one of these with a DM that has been deleted you don’t get back what you expect.

4. DMs don’t have a ‘reply to’ ID, so they can’t be threaded properly

Not very interesting, but true nonetheless. When you reply to a DM, you are just sending a new message. This means while they can be ordered chronologically (i.e. linearly) there is no way to see exactly which message is a reply to which. Fine for light usage, but I’ve had frantic conversations that have resulted in overlaps, such that the chronological ordering isn’t accurate and it becomes a mess.

5. The new Twitter interface only loads your most recent 100 messages

This may be temporary, but the new site only provides access to the most recent 50 messages you’ve sent, and the most recent 50 messages you’ve received. These are stitched together into their individual conversation threads.

The new Twitter site has no “more” button to load older messages. There are non-trivial problems with a load more mechanic when the messages are displayed as conversation threads. Loading more doesn’t mean cascading more messages downwards as it used to; the new messages have to be loaded into the message threads already visible. This is more of a UI problem than a programming problem.

I fully expect to see API method changes to get around this problem.

6. I’ve written a tool for backing up and deleting all your DMs

I built DM Cleaner this week – it lets you back up full DM conversations to your email, and then trash them from Twitter permanently. New Twitter may have improved the direct messaging experience, but backing up and deleting is not really a feature that’s in Twitter’s interests to provide, so there you go – I’ve provided it.

This app is only hosted on my tiny demo site, and it uses quite a lot of juice, so don’t be surprised if it goes down. Also, it’s hungry and might use up your rate limit. Please feed back to me if something is broken, or if you’d like to see any new features.

Please hold for media storm on privacy ..

This will be the topic of most discussion around Facebook Places and I think that’s a good thing. At least it will be if the discourse is informed, focussed, rational and avoids sensationalism – fat chance!

The US have already seen reports of burglars using Facebook – as it happens this turned out not to be anything to with Places specifically, as if that’s going to stop it being news. This is tabloid gold, but it’s not new to location based services. I particularly like the guy who stole a mobile phone, photographed himself and posted it to the phone-owner’s Facebook page! (can’t find link right now, sorry).

Don’t get me wrong, the privacy implications of Places are important, but the genie’s out of the bottle if you ask me.  Zuckerberg’s more open and connected world is real, and [particularly for younger generations] if you choose not to share, you’ll find yourself out in the cold. This is just going to be day-to-day living from now on, and we’re still adjusting to it. Maybe we’ll be forever adjusting; maybe this is Future Shock.

I’m not going to analyse the privacy implications of Places any further. There will always be complacency; there will always be ignorant people, there will always be irresponsible tabloids, and there will always be corporations pushing you features you didn’t know you needed. If you’re smart you’ll look after your digital life the same way you look after any aspect of your life. The best we can hope for is that people are educated as well as possible by the media and by the companies that offer these features. Facebook have learned their privacy lesson the hard way, but they will always be prodding – they will always walk right up to the line and try not to cross it. Every now and then though, they will take a leap – Places is one of those leaps.

There is so much to discuss around this and it’s not even out of the lab yet. In a rare display of focus, I’ll devote my first post on the topic to one of the more obvious questions – Can they (or do they need to) get 400 million people to migrate away from Facebook?

The idea of a decentralized, open source social network where you truly own your data appeals to many a privacy-concerned geek, but I think perhaps the announcement of Diaspora and their rapid public funding is timely more than anything. After the F8 conference Facebook are predictably under the spotlight again – this time there’s even infoporn - See: Mat McKeon and the New York Times.

So we’re all ‘concerned’ about our privacy, and maybe even what Facebook are up to in general, but as Fernando Rizo muses on his blog today, are you going to quit? No, of course not. Well, not without a decent alternative, because you don’t want to miss out. (See FOMO). Well let’s assume for a moment that Diaspora becomes that alternative – what then?

Tipping the other way

In theory I don’t see a reason the Network Effect can’t work in reverse. It takes early adopters to populate a site like Facebook in the first place – perhaps a trend in rejection could result in a tipping point in the opposite direction. If you joined Facebook because your friends did, and they went somewhere else – you’d eventually go too. Somebody has to go first of course.

I grumble about Facebook all the time, but I use it as much as the next guy – in fact more than most of my friends. I don’t want to shut my account down. Going cold turkey would be a serious commitment. I think for this to happen for me there would have to be some kind of transitional phase.

If Diaspora allowed me to view and publish content to and from Facebook, that would surely defeat its primary function. You could argue that it depends what the content was, but it would still mean keeping my Facebook account active. It might however be a way to soften the blow, and at the same time entice my peers into migrating too.

I don’t have the solution, (and I probably don’t understand the problem), but many of us are far too attached to our digital homes for this to be a clean break. As Fernando points out we’ve seen mass migration before (away from MySpace) but I’d say it’s a bigger deal this time. I remember quitting MySpace (~2007) and I really didn’t miss it. I had a handful of photos and about 30 friends. It was also incredibly annoying. Despite my moaning, I really like Facebook, it’s a very usable site and there’s vastly more content than I had access to three years ago.

Would an exodus be necessary?

Diaspora are proposing a hosted, turn-key option for their software (a la WordPress) and perhaps, as is common with open source products, providers will be permitted to package up and sell the product themselves in a healthy, competitive fashion. To move 400 million people over to Diaspora, this would surely be essential – how many Facebook users know what a GPG key is?

I joked earlier (complete with typo) that if Diaspora took off, perhaps Facebook could move to a hosted-Diaspora revenue model. Perhaps this wasn’t such a joke. Facebook need your data to profit, if you’re going to abscond and not give them any more data and not look at any more ads, then a premium service where you can interact with your friends without getting ‘graphed’ seems reasonable to me. The privacy concerned few could pay, while the complacent masses continue to trade their personal lives for a free ticket.

I’m thinking out loud and probably sound like an idiot, but I’m hungry and need to go home…. just gotta check my Facebook.

Here’s one: the ‘like’ button. This has become more than just a casual way to show your friends you think something is cool. It’s become more powerful for advertisers, more useful for Facebook, and for you … ? You’re going to start seeing ‘like’ buttons all over other websites, including this one; What you probably won’t realise straight away is what it means to click this. Clicking a ‘like’ button on anything, anywhere instantly creates a Facebook ‘page’ for that ‘thing‘ and makes you a ‘fan’. Being a fan of a page (as you probably know) means the owner of that page can publish content into your news feed. So, essentially, by clicking my ‘like’ button on this page is the same as you saying you want to be a fan of this article and you want to allow me to deliver content to you about it any time I like. All at the casual click of a button.

There, that’s it. I just thought you should know. Make up your own mind about whether you think this is sneaky or not. Personally, I think it is. Here’s a good article on the topic by Channel 4′s technology correspondent.

–
I’ll be writing more about the announcements from F8 and Chirp later on. This was just a quickie, because I think the ~400 million Facebook users that aren’t Internet professionals need to be kept in the loop.