Thursday, May 27, 2010

Evil

There are as many Facebook groups lamenting the death/loss/explosion of a phone as there are words in Cryptonomicon. If you have a Facebook account, you're no doubt familiar with someone noting that their phone was destroyed by Tesla's ray gun, or perhaps by a more quotidian incident (e.g. dropped in toilet). Said victim is desperately in need of his friends' phone numbers, and fate has smitten his sole copy of his address book. So he does what any reasonable person would do: he sends a group request to all of his 1,000 Facebook friends requesting that they join a group (titled something grammatically immaculate, with judicious use of exclamation points) and post their phone numbers to the group. Except when Jove robbed him of his phone, he also rendered his common sense inert, so he makes the group public. "Public" in the Facebook vernacular means visible to anyone on the Internet, regardless of whether they have a FB account.

Enter Evil.

Evil is a proof-of-concept site -- it does something shocking to prove how easy it is for someone with truly malicious intent to perform the same action. In this case, the software searches for public groups that serve the purpose described above and harvests the names, pictures, and phone numbers of everyone in the groups. In English: it shows how easy it is to collect people's private phone numbers from Facebook groups. Given that this site is just meant to teach, it redacts the last digits of the phone numbers, but if you'd like to get a clearer picture of what we're talking about, check this out. Scary, huh?

I shudder to think of what will happen when marketers figure this out -- text-message SPAM, anyone?

Thursday, May 13, 2010

Follow-up on sending messages through Google searches

So remember when I said that my students had a lot of fun sending the message "Chris Mustazza is a jerk" to me via my Google Analytics logs? Well, I checked my Analytics account today and saw this query logged:

"chris mustazza is certainly not a jerk and is an awesome professor...who ga[v]e me an a"

Well played, sir or madam!

Evolution of Facebook Default Privacy Settings

One of the topics we discuss in my class is the degree of ethical responsibility Facebook has to provide sufficient default privacy settings. That is, when you create a new Facebook account, should FB provide you with tight defaults that you can loosen as you see fit, or should the default be an open environment where users can revoke access until they are comfortable? This argument basically comes down to personal responsibility vs. a provider's obligation to consider the well-being of its users. Should a person be responsible to fully understand the information dissemination architecture of a system to which he entrusts personal information? Or is it unreasonable to assume that the average user will take the time to understand the system, thereby creating a responsibility on the part of the system to protect him? Normally, I side with personal responsibility -- I oppose taxing soda or banning salt in NY restaurants -- because I believe people should do what is in their own best interests. This, however, is a case where I side with imposed protections.

Check out this graphical representation of the evolution of Facebook's default privacy settings:


While the scale of the image seems to shift to provide a more dramatic effect, I think it still does provide a pretty accurate description of the direction Facebook is moving in. I remember when I had to provide my Penn email address to sign up for Facebook because it was restricted to the Ivies. Such a setup implicitly granted a degree of privacy. With the gradual opening of the system to the world -- including the advent of public profile pages, visible to those who don't even have Facebook accounts (!) -- Facebook has a responsibility to provide an intuitive, simple set of privacy controls for its users -- and to restrict access by default!

Wednesday, May 12, 2010

Sending Messages Via Google Searches

If you're one of the 14 ardent followers of this blog: a) thanks!, and b) you may recall a post I wrote alluding to the privacy implications of Google Analytics. To summarize, Analytics compiles stats on visitors to a website, including information that can be aggregated to be personally identifiable in certain cases, and presents the data in a graphical way to the website's operator(s). It allows the site owners to see everything from each visitor's city to his ISP to his screen resolution. But one of the most fascinating stats provided is the listing of keywords searched to get to the site.

I never cease being curious about the search terms that drive users to my blog. For the record, the most popular search term is "port 587," which goes to a post I wrote about this alternate SMTP port (I know, quite the nerdy digression). Of course, being a semi-vain jerk, my favorite is when I find people who have searched for me by name; nothing brightens my day more than seeing a "Chris Mustazza" query in the list. Anyway, vanity aside, here is what's interesting: I've discovered that one doesn't actually need to visit the site to have the search term and his information logged!

Here's what I mean: I Googled (ack, I hate using derivatives of "Google" as verbs!) for "Chris Mustazza is a jerk," and my blog came up as the first link (I assume for this to work the site has to come up high in the search rank); I didn't actually click the link to go to my site, but the search query was logged in my Analytics report. Why? I don't know; it's bizarre. I showed the students in my class this "feature" that I had discovered, only to find 16 more queries for "Mustazza is a jerk" logged in my Analytics (you win this round, students).

So what can we deduce from this? That it's possible to send messages via Google searches, provided that the recipient actively (read: obsessively) checks his Analytics records. For example, you could Google (ugh, did it again) for "Chris Mustazza, you're awesome," and I would get it.
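For the ordinary click-through case, visitor-typed search phrases reach a site operator inside the referrer URL the browser sends. The added example below (not code from this blog or from Google Analytics) pulls those phrases out of access-log lines and tallies them. The Combined Log Format, the engine-to-parameter mapping, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip - - [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Query parameter that carries the search phrase, per engine (assumed mapping).
SEARCH_PARAMS = {"google": "q", "bing": "q", "yahoo": "p"}

def search_terms(referer):
    """Return the normalised search phrase carried in a referrer URL, or None."""
    try:
        parts = urlsplit(referer)
        labels = (parts.hostname or "").lower().split(".")
    except ValueError:          # malformed URL in the header
        return None
    for engine, param in SEARCH_PARAMS.items():
        if engine in labels:
            values = parse_qs(parts.query).get(param)
            if values:
                # The phrase is visitor-controlled text: replace control
                # characters before it is stored or shown in a report.
                text = "".join(c if c.isprintable() else " " for c in values[0])
                return " ".join(text.lower().split())
    return None

def keyword_report(lines):
    """Count search phrases seen in the referrer field of each log line."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        phrase = search_terms(m.group("referer")) if m else None
        if phrase:
            counts[phrase] += 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2010:10:01:02 -0400] "GET /port-587.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=port+587&hl=en" "Mozilla/5.0"',
    '192.0.2.11 - - [12/May/2010:10:05:40 -0400] "GET / HTTP/1.1" 200 8211 "http://www.google.com/search?hl=en&q=Chris+Mustazza+is+a+jerk" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2010:10:06:13 -0400] "GET / HTTP/1.1" 200 8211 "http://www.google.com/search?q=chris%20mustazza%20is%20a%20jerk" "Mozilla/5.0"',
    '198.51.100.8 - - [12/May/2010:10:09:55 -0400] "GET / HTTP/1.1" 200 8211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for phrase, n in keyword_report(SAMPLE_LOG).most_common():
        print(n, phrase)
```

This covers only visits that arrive with a referrer; it does not account for the no-click logging described above.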

Perhaps this is the digital Tristero. So, Thomas Pynchon, if you are one of the 14 subscribers to this blog, you now have the basis for The Crying of Lot 50.