Law in the Internet Society

View   r8  >  r7  ...
YuShiFirstPaper 8 - 18 Jul 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<
(Revised and Ready for Review)
>
>
(Second Revision, Ready for Review)
 
Changed:
<
<

Apathy, Vigilance, and an Amorphous Fear

>
>

Facebook, Google, and the Facade of Privacy

 -- By YuShi - 16 Nov 2009
Changed:
<
<
By now most people in my generation probably have some degree of awareness that they do not hide behind a veil of anonymity while online, nor are their activities forgotten once they go offline. After all, these days we are inundated not only with news articles that warn of privacy invasions, but also frequently hear of stories in which people land in embarrassing situations because of something that they placed or did on the web. While many of us are no longer oblivious to the idea of online privacy invasions, I find - at least among my peers - that many people’s responses to this threat tend to be either one of nonchalant apathy or extreme vigilance. In this paper, I first describe the two contrasting types of response and argue that neither is rational; I then explore a possible explanation for why my peers are handling this issue in very different but nonetheless irrational manners. The essay concludes with my ideas for what we can do to avoid creating and perpetuating an amorphous fear.
>
>
It is becoming increasingly difficult, if not impossible, to find people my age who do not use Facebook or Google. These two services have become such a part of young people's lives that they are now both nouns and verbs, and one who does not own a Facebook or Gmail account risks the stigma of being labeled a social anomaly. Despite the ubiquitous presence and widespread use of Facebook and Google, however, people still do not have an adequate understanding of privacy risks that such services pose. In this essay, I first discuss the average person's understanding of Facebook and Google privacy options, then explain the latent but grave threats that are not apparent to the average user.
 
Changed:
<
<

Group 1. Let’s Be Paranoid

>
>

The Facade of Privacy: What the Average User Knows

 
Changed:
<
<
One day this past August, I suddenly noticed that my number of Facebook friends dwindled by at least twenty. It did not take long to figure out that many of my peers here at Columbia have deactivated their Facebook accounts in preparation for Early Interview Program (EIP). This is an example of the kinds of extreme measures that some people take in response to threats of online privacy invasion.
>
>
The average person's understanding of Facebook and Google privacy is unfortunately influenced and undermined by what they hear from these companies. Facebook, for example, seeks to portray itself as privacy-conscious by appearing to give users a plethora of privacy control options: you can exclude categories of people from seeing your profile or you can exclude certain individuals, you can hide this part of your profile or that part of your profile. By inundating users with these "privacy" options, Facebook is attempting to convey the perception that they genuinely care are vigilant about every minute detail of your privacy.
 
Changed:
<
<
As a risk-averse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has more than its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their account already had their profiles set to “private” anyway, limiting their information to just their friends. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That is by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.
>
>
The average user sees the wide array of privacy options and feels like he is in control over his information. For the average user, it seems like he exercises total control over who sees what, and if that is the case, then what more is there to fear? He thinks that at worst a hacker might hack into Facebook's central database and pilfer data, but then he realizes a thief can also break into his house and steal personal information. One, of course, cannot plan for every single contingency. The average user, then, is complacent, and for the most part, feeling secure.
 
Changed:
<
<
Yes, perhaps. But because Facebook's business model, and its incredibly bad technology, means that there's only one kind of friend, people who have been building networks of "friends" in law firms by accepting or initiating contacts inside law firms have also put all their personal lives inside those law firms, even if only their "friends" can see it. (There's no architectural reason why social sharing has to be designed that way, but Facebook offers an outstandingly bad implementation.) So there's plenty of opportunity for informal diffusion of information into unintended locales even if people know how to manage what little residual control Facebook allows them.

Group 2. Privacy Views: Apathetic

In direct contrast to the previous group, the apathetic ones know that their information is probably not secure online, but they just do not care. They have public Facebook profiles, with links to their blogs (not privatized), and even their full dates of birth shown. All their photos are, of course, also open to public viewing. People in this group usually defend their nonchalance by saying that they only post innocuous content on their personal pages, or that they are too insignificant for anyone to want to “target” them in any way that might be threatening.

With the growing sophistication of identity theft, it is naïve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.

Identity theft is not a retail matter. Credit card numbers, SS#s, maiden names and all the other relevant data allowing fraudulent purchases or (until lately) the initiation of fraudulent loans are circulated in buckets of thousands or tens of thousands, not units, having been stolen from places where one breach yields the whole database, not photographs of someone using a beer bong. Retail intrusion such as you are imagining people could protect themselves against by changing privacy settings (which is puerile, because a real attempt against a person will involve simply hacking the Facebook account by stealing the target's almost certainly non-random Facebook password) has a direct motive behind it, and will not be deterred in the slightest by the sort of trivial "protection" Facebook affords. Putting things you wouldn't want your most motivated and most destructive enemy to know in someone else's commercially-managed, ill-secured database is a recipe for disaster unless your worst enemy is a technically-illiterate eight-year-old who spends all her time in church.

An Amorphous Fear

While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is.

Which is true because they are carefully not educated in what the threats are, which is in turn true because money and power don't want them to understand what the threats are because money means to make money, and power means to make power, out of their ignorance. Your essay, so far, does nothing whatever to disturb that process of embedding ignorance, because you haven't described for the reader what the threats actually are or what to do about them. That you can fancy you are writing seriously about privacy threats and responses while implying that Facebook-using is consonant with even minimal respect for privacy is demonstrative.

The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post,

It's much more tangible. The lamppost is visible only to people who happen to be close enough to read what's on it. The data you put carelessly on the net is visible to everyone on earth.

and it is certainly not as real as a thief breaking into one’s house and taking confidential files.

Burglary is hard and risky. Data-stealing is easy and almost entirely riskless.

Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.

So you should be providing a clear understanding of the actual threats and what to do about them. I explained both in class, and here you are obfuscating them again.

What Can We Do?

I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible.

But you're not informing anybody, are you?

Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from?

They get it from the one big ill-secured database run for the purpose of spying on you that you voluntarily decided to put all your social data in for no good reason. The right response is to move your social data out of that big unsecured centralized database.

By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.

But that would be ignorance, and you're recommending it.

My response to the first draft was that you needed a more ambitious theme, not a less informative and more obscurantist one. A naive reader facing this draft would know nothing helpful she didn't know before reading it. A knowledgeable reader could only conclude either that you are yourself ignorant or that you are deliberately white-washing Facebook. Either way, the knowledgeable reader, like the naive one, has gained nothing.

I still think what you need here is more ambition. If this is the topic, then the ambition should be to learn more facts and imagine fewer ones. In my own view, this "in the middle-ism" between what you think of as paranoia (and which isn't even moderate concern for privacy, just cluelessness) and utter heedlessness is a poorly-chosen vantage. You should be speaking from actual expertise about something you fully understand because you have learned about it in detail. I taught a course meant to enable such a vantage for you, but perhaps I did it poorly. If you want to talk more about the matter, let's make an appointment.

>
>

The Evil That Lurks Beneath

Unfortunately, the average user is missing the point and overlooking a real source of danger. Yes, one can block his neighbor from seeing his Facebook profile, and sure, one can hide his profile from people who are not his "friends." But who is there to prevent FACEBOOK (and that includes people associated with the company, people with whom Facebook does business, etc) from having access to your information? It is certainly not the average user who naively posts everything about himself on Facebook, thinking that he has painstakingly adjusted his privacy options so that his profile is off-limit to strangers. That is tantamount to guarding the front door when the thief is already inside, and leaving the backdoor open. The people at Facebook knows more about you than you can imagine. Want proof? Facebook can predict whom you will date. They probably also know if you are gay, even if you do not tell them. If one thinks these information will always and forever be kept confidential, then he must have forgotten that Facebook is a for-profit company.

Then there is Google. Try looking at the "Web History" section under "My Account." You will probably not like what you see. Are you really comfortable with this omnipresent spy tracking every step of your internet search activity? If you use Gmail, you must have noticed the advertisements on your Gmail page. How do you think these ads are chosen if not based on the text of your emails? Does the thought of having your emails perused by others trouble you? Well, all the emails you have on Gmail have been read by Google's computers. Maybe at this time you are comfortable with having your emails read by an insentient being, but understand that your email address is now associated with certain keywords. The potential for abuse is overwhelming: what if Google compiles a list of email addresses that are associated with certain keywords and send them to a third-party or the government? That might cause, at the very least, some embarrassment.

So What?

It is not the purpose of this essay to persuade people to stop using Gmail or deactivate their Facebook accounts. Rather, the aim of this paper is to let people understand that Facebook and Google's many privacy control options are merely a facade that belies a vast potential and capability for abuse. Thinking that one has his information sealed airtight just because he played around with Facebook's privacy control is like believing that one has annihilated an entire army by killing one foot soldier.

I am aware that people want Gmail because of their desire for a particular form of e-correspondence and storage, and people use Facebook due to fear of becoming a social pariah. If one values those services to such an extent that he would rather be spied on than go without those services, then that is certainly the individual's choice. It might not be the wisest choice, but at least it is an informed one.


Revision 8r8 - 18 Jul 2010 - 03:59:42 - YuShi
Revision 7r7 - 11 Jul 2010 - 14:12:35 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM