Julianna Yau’s blog

Yesterday, the Office of the Privacy Commissioner of Canada wrote about Facebook’s laxness on privacy and third-party applications. I was a bit surprised by the quality of the post, because their blog typically provides a good amount of relevant information. However, even after following the links in the post, I found it difficult to piece together (a) how the applications can “steal” your information, or (b) what the applications can steal.

It wasn’t until I followed a link from one of the BBC articles to Click’s advice for worried Facebook users that I understood what the concern is. Applications can have access to your name, networks and lists of friends, plus your selection of the following:

• Profile Picture
• Basic Info
• Personal info (activities, interests, etc.)
• Current location (what city you’re in)
• Education history
• Work history
• Profile status
• Wall
• Notes
• Groups you belong to
• Events you’re invited to
• Photos taken by you
• Photos taken of you
• Relationship status
• Online presence
• What type of relationship you’re looking for
• What sex you’re interested in
• Who you’re in a relationship with
• Religious views

This was certainly not news to me (particularly after I wrote a Primer on Privacy & Facebook, available as a PDF or OpenDocument download. Although I agree that it would be good for Facebook to more actively promote usage of their privacy settings (someone suggested that they include a privacy setting walkthrough in the post-setup activities), I more strongly believe that users need to start taking accountability for learning to use the privacy controls at their disposal.

Michael Geist has launched iOptOut, a free online service to send opt-out requests in bulk to companies. It’s an interesting service and I commend Geist for continuing to respond to issues about which he’s passionate (even if it comes with much flair and self-promotion). I do wonder how necessary the service really is. I don’t get too many unsolicited calls or emails, and it’s few enough that it’s easier for me to opt out of them individually. But, of course, that may a result of me being careful about how much information I give to companies and diligent about responding to their updates to privacy policies.

Last week, Facebook launched their new privacy control settings. Soon afterwards, the Office of the Privacy Commissioner of Canada picked up on a supposed flaw of the update. Although the flaw is true, it is (as many have pointed out), not a new flaw.

This weekend, I have updated my Primer on Privacy & Facebook, available as a PDF or OpenDocument download. The primer is available under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Canada licence. If you have any feedback on the primer, feel free to leave a comment on this post or contact me directly.

I’ll be getting back to my deconstruction of copyright next week. Here’s what’s been floating around the web and blogosphere in the past week…

While most discussions about copyright infringement and the internet is focused on users as infringers, Digital Copyright Canada picks up on the itWorldCanada article We’re not thieves. We just can’t read contracts (McAfee and Open Source). Monica Hesse of the Washington Post also writes about the topic, focusing on corporate misuse of copyrighted photos.

The Crave blog finds software that allows users to record free, unlimited MP3 audio with your cell phone and hardware to share content between iPods.

Both Michael Geist and Russell McOrmond pick up on the Privacy Commissioner of Canada’s public letter to the Industry Minister and Canadian Heritage Minister on the impacts DMCA-style legislation has on privacy.

The Vancouver Sun also publishes an article arguing that reformed copyright laws shouldn’t suppress creativity.

Meanwhile, Howard Knopf picks up on another camcording bust.

And I’m still behind on my reading of some blogs I recently discovered:

• Northworthy
• ©ollectanea
• Scrutiny
• The Patry Copyright Blog

The Privacy Commissioner blog has a great post about privacy rights and data portability, pointing to the Privacy Manifesto for the Web 2.0 Era drafted by Alec Saunders and the Data Portability project.

Yesterday, Facebook issued an apology for the poor product launch of Facebook Beacon and added the option for users to block all Beacon updates in the “Privacy Settings for External Websites” portion of their privacy settings page.

I’m sorry that Beacon was so poorly launched. I enjoy sharing my activities with my friends (to their amusement or annoyance), sending updates on the movies I’ve watched, blog postings I’ve written, books I’m reading and websites I’ve visited, and creating about a bajillion status updates. Being extremely concerned about privacy,  I also enjoy having full control over exactly what is shared with my friends. It seems Beacon could have been much better received if they were more transparent about how it works, and more proactive about giving users control over the updates from day 1.

Facebook finally decides to make Beacon an opt-in program rather than an opt-out program.

Canada’s Privacy Commissioner blog points to a report from the Information Commissioner’s Office in Great Britain on youth, privacy and the internet.

Although the report focuses on British youth aged 14-21, I doubt the results would be drastically different for a different demographic.

There has been so much whining recently about Facebook Beacon invading everyone’s privacy that I would like to pose this open question to the world: How does Facebook Beacon technically work?

Yes, yes. I know that Beacon is supposed to steal your information from non-Facebook websites and broadcast it to your friends via the Facebook news feed. But how does it actually do this?

Facebook’s own page about Beacon is very vague about how it works—just some of techno-/pr-jargon boasting how cool it is. A Google search for “facebook beacon” is not much more help…mostly just links to the people complaining about Beacon invading their privacy and articles regurgitating the complaints. Others, such as Om Malik, have also tried to get more information about Beacon, but with little more than a hyped response from Facebook.

After some digging, I was able to find MoveOn.org’s “demo” of how Facebook Beacon works. This so-called demo is a low-tech slide show moving at a speed almost as fast as Beacon’s notification reportedly disappears. Essentially, it was a “chain of events” presentation with some commentary and some missing links (and not much technical information). Dave McClure’s walk-through of Beacon was more useful, providing not only clear screenshots but also (gasp!) links to how people can change their privacy settings. However, it still did not provide any information to remove the smoke and mirrors of Beacon.

Although I’m very concerned about my privacy being breached, I also like to know the facts (or at least try something for myself) before I start waging war. Trying Beacon for myself was, surprisingly, as daunting as trying to find some information online about its inner workings.

After repeated attempts, I couldn’t get Facebook Beacon to invade my privacy.

After reading a few articles and press releases, I chose my targets: eBay, Amazon and Livejournal. These are all companies with which I have accounts, but I worried a bit because I use different email addresses on all of them (and Facebook) to reduce the chance of the accounts all being compromised. I assumed, from what I know about website and computer settings, that a common email address for all accounts could be a possible way for the accounts to be linked due to the information stored on cookies (I was neither able to prove or disprove this assumption).

I started with Livejournal, because it was the only site which had any help documentation on Beacon. It even uses an opt-in option for users to activate the service (kudos to LJ!). After several attempts (including: different login chronology for Facebook and Livejournal; using and not using the Facebook Toolbar; and even changing my Livejournal email address to match the one used for Facebook) I was unable to trigger a news event to my Facebook page. I tried this in Firefox in Linux, and both Firefox and IE in Windows—nada.

Frazzled, I tried adding an item to my Amazon wish list and watching an item on eBay…still nothing in Firefox or IE. Of course, I could have purchased something from Amazon or eBay to really test it but, as curious as I am, I refused to purposely spend money to possibly have my privacy invaded.

So, for now, I am not only unable to determine how Beacon works, but I’m unable to get the damned thing to work!

The Privacy Commissioner of Canada blog has a post on the privacy comments made earlier this week by the U.S. security official.