Facebook Knows Your Thoughts Even When You Don’t Share

A fascinating post on Slate explains how your unfinished thoughts on Facebook may be monitored by Facebook’s algorithms. Have you ever composed a status update, only decided to not click on publish? Gmail and other email clients do store your drafts, but it is unexpected (and not wholly beneficial) why Facebook would do that too.  The two people behind the “self-censorship” study are Sauvik Das, a Ph.D. student at Carnegie Mellon and summer software engineer intern at Facebook, and Adam Kramer, a Facebook data scientist. Slate summarizes:

It is not clear to the average reader how this data collection is covered by Facebook’s privacy policy. In Facebook’s Data Use Policy, under a section called “Information we receive and how it is used,” it’s made clear that the company collects information you choose to share or when you “view or otherwise interact with things.” But nothing suggests that it collects content you explicitly don’t share. Typing and deleting text in a box could be considered a type of interaction, but I suspect very few of us would expect that data to be saved. When I reached out to Facebook, a representative told me that the company believes this self-censorship is a type of interaction covered by the policy.

In their article, Das and Kramer claim to only send back information to Facebook that indicates whether you self-censored, not what you typed. The Facebook rep I spoke with agreed that the company isn’t collecting the text of self-censored posts. But it’s certainly technologically possible, and it’s clear that Facebook is interested in the content of your self-censored posts. Das and Kramer’s article closes with the following: “we have arrived at a better understanding of how and where self-censorship manifests on social media; next, we will need to better understand what and why.” This implies that Facebook wants to know what you are typing in order to understand it. The same code Facebook uses to check for self-censorship can tell the company what you typed, so the technology exists to collect that data it wants right now.

Revealing and very troubling, especially how prevalent the behavior is. From the paper:

We found that 71% of the 3.9 million users in our sample self-censored at least one post or comment over the course of 17 days, confirming that self-censorship is common. Posts are censored more than comments (33% vs. 13%).

On the Internet of Things, Privacy, and Surveillance

Bruce Schneier paints a world where “The Internet of Things” prevails. It is reminiscent of science fiction. Sadly, this world is not too far away:

In the longer term, the Internet of Things means ubiquitous surveillance. If an object “knows” you have purchased it, and communicates via either Wi-Fi or the mobile network, then whoever or whatever it is communicating with will know where you are. Your car will know who is in it, who is driving, and what traffic laws that driver is following or ignoring. No need to show ID; your identity will already be known. Store clerks could know your name, address, and income level as soon as you walk through the door. Billboards will tailor ads to you, and record how you respond to them. Fast food restaurants will know what you usually order, and exactly how to entice you to order more. Lots of companies will know whom you spend your days –and night — with. Facebook will know about any new relationship status before you bother to change it on your profile. And all of this information will all be saved, correlated, and studied. Even now, it feels a lot like science fiction.

Will you know any of this? Will your friends? It depends. Lots of these devices have, and will have, privacy settings. But these settings are remarkable not in how much privacy they afford, but in how much they deny. Access will likely be similar to your browsing habits, your files stored on Dropbox, your searches on Google, and your text messages from your phone. All of your data is saved by those companies — and many others — correlated, and then bought and sold without your knowledge or consent. You’d think that your privacy settings would keep random strangers from learning everything about you, but it only keeps random strangers who don’t pay for the privilege — or don’t work for the government and have the ability to demand the data. Power is what matters here: you’ll be able to keep the powerless from invading your privacy, but you’ll have no ability to prevent the powerful from doing it again and again.

Is it strange that I am re-reading 1984 at this very moment?

The Hoodie Phenomenon

Tim Maly, in a thoughtful essay titled “Mark Zuckerberg’s Hoodie,” ponders the role of privacy and social behavior as the hoodie has gone mainstream:

People who know they’re being watched change their behaviour. In a world awash in surveillance devices, hoodies are an element of fashion driven by an architectural condition. They are a response to the constant presence of cameras overhead. People who don’t want to be watched wear them. People who want to be the kind of people who don’t want to be watched wear them. People who want to look like the kind of people who don’t want to be watched wear them.

Through a series of vignettes, Maly brings us from 2005 to present day:

It is January 13, 2013 and Mark Zuckerberg is promising a revolution. He’s on stage, wearing his hoodie. He seems comfortable. His colleague Tom Stocky is trying to help a hypothetical girl find a date. He runs a query and gets a list of men who are friends of friends and single. It’s a veritable cornucopia of potential men. He narrows them down to people in San Francisco. Then down to people in San Francisco who are from India. His hypothetical woman is sure to be pleased.

Just don’t wear that hoodie to a first date, you know?

Sneaky Orbitz

The online travel site Orbitz has found that people who use Macs spend as much as 30% more a night on hotels, so the site shows more expensive travel options to those using Macs vs. those using Windows machines. The Wall Street Journal reports:

Orbitz found Mac users on average spend $20 to $30 more a night on hotels than their PC counterparts, a significant margin given the site’s average nightly hotel booking is around $100, chief scientist Wai Gen Yee said. Mac users are 40% more likely to book a four- or five-star hotel than PC users, Mr. Yee said, and when Mac and PC users book the same hotel, Mac users tend to stay in more expensive rooms.

A Mac search for a hotel in Miami Beach for two nights in July displayed costlier boutique hotels on the first page of results, such as Sagamore, the Art Hotel and the Boulan South Beach, that weren’t displayed on the PC’s first page. Among hotels appearing in both searches, some pricier options (such as the $212 Eden Roc Renaissance and the $397 Fontainebleau) were listed higher on the Mac. Overall, hotels on the first page of the Mac search were about 11% more expensive than they were on the PC…

Two questions: 1) Is this legal? 2) How does it make you feel to pay more with the site tracking you in such an intrusive fashion?

I feel that this kind of targeting, however, is going to become more and more common.

World War 3.0

Michael Joseph Gross, in Vanity Fair, writes on the inevitable war for the internet:

The War for the Internet was inevitable—a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off­-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded. The system is now approaching a state of crisis on four main fronts.

The first is sovereignty: by definition, a boundary-less system flouts geography and challenges the power of nation-states. The second is piracy and intellectual property: information wants to be free, as the hoary saying goes, but rights-holders want to be paid and protected. The third is privacy: online anonymity allows for creativity and political dissent, but it also gives cover to disruptive and criminal behavior—and much of what Internet users believe they do anonymously online can be tracked and tied to people’s real-world identities. The fourth is security: free access to an open Internet makes users vulnerable to various kinds of hacking, including corporate and government espionage, personal surveillance, the hijacking of Web traffic, and remote manipulation of computer-controlled military and industrial processes.

On boundaries on the internet:

Freedom in human society, by definition, includes some concept of bound­a­ries. Freedom on the Internet has, thus far, lacked any real concept of boundaries. But boundaries are being invented. It seems certain that nations, corporations, or both will create more zones on the Internet where all who enter will have to prove their real-world identities. Google and Facebook are already moving in this direction. The most heavy-handed suggestions entail a virtual passport or ID, which could include biometric data.

Some see stringent, universal, and mandatory authentication of identity as a commonsense solution to a number of the Internet’s biggest problems. If all of our alter egos were brought into line with our analog selves, wouldn’t we all behave better? Wouldn’t online criminals stop using the cloak of anonymity to steal from and spy on people? Wouldn’t people pay for the books, music, movies, and newspapers that many now take for free?

A thought provoking read.

On Facebook Passwords and Employment

There’s been a lot of talk these days about employers asking potential employees for their social media credentials. Facebook, in particular, has issued strong resistance against this trend, going so far as publicly explaining their stance in a blog post:

The most alarming of these practices is the reported incidents of employers asking prospective or actual employees to reveal their passwords.  If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends.  We have worked really hard at Facebook to give you the tools to control who sees your information. 

As a user, you shouldn’t be forced to share your private information and communications just to get a job.  And as the friend of a user, you shouldn’t have to worry that your private information or communications will be revealed to someone you don’t know and didn’t intend to share with just because that user is looking for a job.  That’s why we’ve made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.

We don’t think employers should be asking prospective employees to provide their passwords because we don’t think it’s the right thing to do.  But it also may cause problems for the employers that they are not anticipating.  For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person. 

Today, The House of Representatives shut down a bill that would have prevented employers from demanding your Facebook password. So, what’s the worst that could happen?

Reginald Braithwaite has a fictional post on the matter titled “I Hereby Resign”. Just imagine if this scenario played out for real (if it hasn’t already somewhere around the world):

One of the new terms is that every prospective new hire allow their manager to “shoulder surf” as they browse their Facebook or better still, to voluntarily log their manager into their Facebook account. If I recall correctly, she claims that we have the obligation to do a “background check” on prospective hires. I’m extremely vague on the correlation between faux-promiscuous sex or drinking and employee performance, but as she is a seasoned veteran, I have to trust her when she says that things like this overrule my judgment as to who is and who isn’t fit to be a programmer in our employ.

I was willing to go along with things and see how they panned out. But today something went seriously wrong. I have been interviewing senior hires for the crucial tech lead position on the Fizz Buzz team, and while several walked out in a huff when I asked them to let me look at their Facebook, one young lady smiled and said I could help myself. She logged into her Facebook as I requested, and as I followed the COO’s instructions to scan her timeline and friends list looking for evidence of moral turpitude, I became aware she was writing something on her iPad.

 “Taking notes?” I asked politely.

 “No,” she smiled, “Emailing a human rights lawyer I know.” To say that the tension in the room could be cut with a knife would be understatement of the highest order. “Oh?” I asked. I waited, and as I am an expert in out-waiting people, she eventually cracked and explained herself.

“If you are surfing my Facebook, you could reasonably be expected to discover that I am a Lesbian. Since discrimination against me on this basis is illegal in Ontario, I am just preparing myself for the possibility that you might refuse to hire me and instead hire someone who is a heterosexual but less qualified in any way. Likewise, if you do hire me, I might need to have your employment contracts disclosed to ensure you aren’t paying me less than any male and/or heterosexual colleagues with equivalent responsibilities and experience.”
I got her out of the room as quickly as possible. The next few interviews were a blur, I was shaken. And then it happened again. This time, I found myself talking to a young man fresh out of University about a development position. After allowing me to surf his Facebook, he asked me how I felt about parenting. As a parent, it was easy to say I liked the idea. Then he dropped the bombshell.
His partner was expecting, and shortly after being hired he would be taking six months of parental leave as required by Ontario law. I told him that he should not have discussed this matter with me. “Oh normally I wouldn’t, but since you’re looking through my Facebook, you know that already. Now of course, you would never refuse to hire someone because they plan to exercise their legal right to parental leave, would you?”
Worth reading in its entirety. Think your stance on this issue doesn’t matter? Think again.

On Reading Privacy Policies

Why don’t you ever read the privacy policies associated with your browser, apps, and new software? Alexis Madrigal digs in:

One simple answer to our privacy problems would be if everyone became maximally informed about how much data was being kept and sold about them. Logically, to do so, you’d have to read all the privacy policies on the websites you visit. A few years ago, two researchers, both then at Carnegie Mellon, decided to calculate how much time it would take to actually read every privacy policy you should. 

First, Lorrie Faith Cranor and Aleecia McDonald needed a solid estimate for the average length of a privacy policy. The median length of a privacy policy from the top 75 websites turned out to be 2,514 words. A standard reading rate in the academic literature is about 250 words a minute, so each and every privacy policy costs each person 10 minutes to read.

Next, they had to figure out how many websites, each of which has a different privacy policy, the average American visits. Surprisingly, there was no really good estimate, but working from several sources including their own monthly tallies and other survey research, they came up with a range of between 1,354 and 1,518 with their best estimate sitting at 1,462. 

So, each and every Internet user, were they to read every privacy policy on every website they visit would spend 25 days out of the year just reading privacy policies! If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task. Nationalized, that’s 53.8 BILLION HOURS of time required to read privacy policies.

Alexis concludes: “The collective weight of the web’s data collection practices is so great that no one can maintain a responsible relationship with his or her own data.”

I couldn’t agree more. No wonder no one is reading those darn things.