Tag Archives: Facebook

Who’s the rube?

There is an old saying that when you sit down to a poker game if you can’t spot the rube, you’re the rube.

Given the recent news that Instagram has announced that they now have the rights to sell your photos, perhaps that should be good advice for online services. Here is a good hint: if you aren’t paying for a service, then at a minimum you aren’t a “customer”. Oh, the service has customers all right; you’re just not in their number.

Update: of course XKCD nails this one better than I ever could.

Living and dying in reputation time

Microsoft has done an interesting study that finds 70% of HR professionals surveyed had rejected applicants due to online reputation. Clearly people need to be more careful about not putting things out there that will hurt their reputation.

But why stop with just hiding the bad? How about accentuating the good? How about inventing the good?

Perhaps there is a great opportunity for a startup that would “puff” people’s online reputations for a small fee. If your prospective employer is browsing your Facebook page, wouldn’t it be great if Reverend Smith was thanking you for the great work you did at the homeless shelter last weekend, or there were kudos from your kids’ school for getting their library book fair organized? How about posts from one of your friends about how you helped him move into his new house? A reputation buffing service could plant this kind of reputation to really make you look like the kind of person that employers would want on their team.

Or you could go out and actually do those things… nah, that’s just crazy.

School bullies

Here is a story about a school district that is being sued for punishing students based on information gleaned from Facebook after demanding the students’ login credentials:

In what may be the latest example, a suit was filed in Mississippi that alleges a school official—more specifically a teacher acting in her capacity as a cheerleading coach—demanded that members of her squad hand over their Facebook login information. According to the suit, the teacher used it to access a student’s account, which included a heated discussion of some of the cheerleading squad’s internal politics. That information was then shared widely among school administrators, which resulted in the student receiving various sanctions.

As we noted when Bozeman, Montana attempted to obtain login credentials from anyone applying for a municipal job, it’s easy for anyone to view pictures and text that a Facebook user has chosen to make public simply by signing up for an account with the service. By demanding login credentials, authorities gain access to materials that users have chosen to keep private. Whether this is done because people intend to get access to private data or because they are simply unfamiliar with how Facebook operates isn’t always obvious, and probably varies from case to case.

Here is a hint to school officials everywhere: anytime you undertake a course of action that involves demanding login credentials for a service unrelated to school activities, it will ultimately end badly for you. Although you have been granted the power by the Supreme Court to regularly violate students’ privacy (unwisely in my opinion), there are limits. Even if the school ultimately wins this case, the damage to its relationship with the students and parents is not worth whatever you think you are accomplishing. Which in this case seems to be punishing a student for gossiping.

Students are going to insult you behind your back. Get over it. Grow up or find another profession.

Vigilante privacy audits

Ian Glazer of the Burton Group has created a Facebook app called Privacy Mirror that explores Facebook app privacy behavior. His results are quite interesting:

Imagine that Alice and Bob are friends in Facebook. Alice decides to add a new application, called App X, to her profile in Facebook. (For clarity’s sake, by “add”, I mean that she authorizes the application to see her profile. Examples of Facebook applications include Polls, Friend Wheel, Movies, etc.) At this point, App X can see information in Alice’s profile. App X can also see that Alice is friends with Bob; in fact, App X can see information in Bob’s profile. Bob can limit how much information about him is available to applications that his friends add to their profiles through the Application Privacy settings. In this case, let’s imagine that Bob has only allowed 3rd party applications to see his profile picture and profile status.

After a while, Alice tells Bob about App X. He thinks it sounds cool and adds it to his profile. At this point if App X, via Alice’s profile, looks at Bob’s profile it will see not only his profile picture and status but also his education history, hometown info, activities and movies. That is significantly more than what he authorized in his Application privacy settings. What is going on here?

It’s well worth reading the whole thing. In summary, Ian makes the point that there is no way a normal user of Facebook would understand what privacy policy is being applied to applications in this scenario.

Facebook needs to clarify their privacy policies. Or fix them.

An OpenID game changer

One theme I have harped on over the last year or so is that it means little for the big content providers to become OpenID providers if they don’t also become relying parties. You can’t build a highway with nothing but on-ramps.

So far the vast majority of OpenID announcements by the big players have been to be yet another OP, or just signing up for the OpenID Foundation. It looks like the game is finally changing. Apparently Facebook is getting ready to become an OpenID Relying Party. From Inside Facebook:

Less than three months after joining the OpenID Foundation’s board as a sustaining corporate member (i.e. putting its weight and financial support behind OpenID), Facebook has just announced at the “technology tasting” event this afternoon at its Palo Alto headquarters that users will soon be able to log in to Facebook with their OpenID.

This could be huge for OpenID adoption, if it really happens.

A different view on OpenID branding

Nico Popp has his new year’s wishes for OpenID here. There are a lot of good suggestions, but there is one I would beg to differ with:

Everyone agrees that OpenID needs to emerge as a brand that consumers can recognize.

Clearly Nico’s definition of “Everyone” is slightly different from mine. At the very minimum it doesn’t include me. But putting semantics aside Nico continues:

Similarly to Visa for payment, Dolby for music and Gore-Tex for rainwear, OpenID ought to become the “ingredient brand” for identity. The reason the OpenID brand needs to emerge is that we need a “network mark” that transcends all the identity silos. Very much like consumers know that their bank card will work when they see the Cirrus network logo on an ATM machine, consumers need to know that their identity will work on a Web site that carries the OpenID network logo. A network mark has a simple yet powerful meaning. It does not matter whether the card is from Bank of America, Wells Fargo or WAMU, it just works with this ATM machine. It does not matter whether the identity is from Google, Yahoo! or MySpace, it just works with this Web site.

In the OpenID brand lies the one big problem. Although a strong OpenID brand will prove to be good for everyone in the long run (by creating ubiquitous interoperability, Visa helped card issuing banks make more money than they would have made on their own), at this time, none of the large consumer companies involved in the OpenID foundation have any incentive to promote another brand than their own. Therefore, the foundation needs to create a forcing function. My recommendation would be to leverage its ownership of the OpenID intellectual property to enforce the network mark. Let us keep OpenID free to all, but let us require everyone who uses the technology and benefits from the free IP to display the OpenID logo.

I don’t think this is a very promising strategy. Rather than OpenID being branded, I believe the important branding is that of the identity providers that would enable OpenID. In other words, the brand should be Yahoo, Google, and other big identity providers, not OpenID. In the same way, the brand that Facebook users care about is Facebook, not Facebook Connect.

Trying to push the OpenID branding above the identity provider branding will inhibit OpenID adoption, not enhance it. You are then asking identity providers to do something not in their own best interest.

The average user doesn’t care about OpenID. What they care about (if they care about such things at all) is that by using OpenID they can use the identity provider they already have a relationship with to explore new and interesting services that would automatically know who they are, without them having to register at every page.

The comparison to Visa is a bit off the mark. People care about Visa because it is an enabling service. OpenID is not. It is a means by which an identity provider becomes an enabling service.

Just my two cents.

The next episode of the “Oh Really?” files

According to this article (hat tip to Eric Norlin) federated identity will supposedly be the end of anonymity:

To address the needs of sites wanting to weed out fake personas, users will have to be authenticated in new ways. Here, companies like Facebook, Google, and others are already in position to offer a solution for making sure people are who they say they are. Facebook Connect, Google Friend Connect, and Yahoo’s Open Strategy, have all been busy trying to grab land on the new frontier of identity management. All of them want to be your de facto online identity provider.

No matter who wins, though, it’s anonymity that loses. For the sites that move to these types of authentication methods, no longer will their users be able to create disposable usernames and passwords so they can troll around harassing others and leaving juvenile comments. Instead, all participants are themselves online – and subject to the same standards for behavior that you would expect to see if you encountered them in a real-life public situation.

Oh really?

True, these disparate federated identity systems do all link different accounts back to a central identity silo, but what is preventing the anonymity from originating there? In other words, if I wanted to use Facebook Connect to anonymously access a service, couldn’t I start with a fake Facebook account? Facebook doesn’t validate that I am who I say I am any more than any other site.

Users will adapt quite well to the new paradigm. The rapscallions and mischief makers will create fake Facebook, Google, and Yahoo accounts (as they already do) and then go from there. To think the troublemakers won’t figure that out is naive.

And as far as the legality is concerned, this is a moot point in reality. Law enforcement is simply not going to troll the internet looking for fake accounts. You would only need to be concerned if you used a fake account for serious criminal activity.