Wednesday, December 17, 2008

My Spaceface Book

Imagine this scenario:

You are sitting at home, minding your own bidness and the phone rings. You check your trusty caller ID and see "Anonymous." You answer anyway.

The voice on the other end begins to ask you questions. Personal questions. What's your full name? What's your birthday? What is your political affiliation? What is your religion? Are you married? Dating? Who? Sexual orientation? Email address? Can you list your phone numbers, including cell phones? And how about a list of current and past employers? Where'd you go to school? Mailing address? How about a list of people you know and/or trust? Oh, yes -- one more thing.... can you list your credit card accounts and numbers for us?

I could go on, but I suspect most people would have sworn "nunya effin bidness" about 3 questions in and hung up. Hard. Why? Well apart from not being their bidness, this just smells like a scam. I'm not sure if they're just going to charge something on your credit card or steal your identity... or some bigger nastier scam involving your entire network of friends.

And yet, it seems almost anyone is hunky dory with doing exactly this... as long as it's done via an anonymous web interface.

Now before I rant on further, a little about me: I am a computer geek. Historically I specialized in security. I am not saying I was some guy on the front lines digging extensively through the source code of the Apache Web server or identifying the latest virus and disassembling it to figure out its threat. There are lots of guys doing this -- some of them are geek celebrities. In the geek circles no one knows my name. But I've had a fair amount of experience dealing with break-ins, data theft, chasing some virtual bad guys, blocking things with firewalls -- the normal everyday security geek. Think of me as the General Practitioner, not the hot shit cancer researcher or the guy that invents an artificial heart.

Being in the IT security field makes you paranoid. If you aren't paranoid, then you aren't doing your job. If you aren't thinking of a thousand ways the bad boys are out to get you, then you are just surfing the net looking at porn and getting into trouble. By the way, this is a position where you get paid to look at porn and your boss knows it and is okay with it.[1]

Okay, so I am predisposed to thinking everyone is out to get me. I am experienced, but not a super-duper, highfalutin specialist. Use your judgment as to whether I am a whack job or not. (I believe in full disclosure.)

That's out of the way, so back to the story... A few weeks back, my niece begged and pleaded for me to join facebook. (Maybe "begged and pleaded" is an overstatement.) This is the same niece that begged and pleaded for me to grow a beard for absolutely no reason (and then didn't remember a month later -- showing me I was listening too verbosely.) I felt the urge to remain... or maybe become... the quirky cool uncle. I joined.

Now "joined" is maybe an exaggeration. I did sign up. But I refused to drink the kool-aid. How did I do this? Well, I lied. Oh sure, I filled out some things truthfully, but name, phone number, credit card, birthday... well, those are not just white lies, they are outright lies. I am pretty sure that violates the terms of service of the site -- though I figure I paid nothing for their service. If they pull it out from under me -- I lose nothing. The downside of the lie is that it sort of makes the service not work. If you are looking for a friend you have lost contact with, you may not be likely to know their pseudonym.

I've poked around on it for a week or two and I gotta say: I am amazed. If you've never been there, let me give you the rundown. I assume (possibly incorrectly) that myspace is similar (though I understand the app threat is not as great.)

  • As I mentioned, they want a lot of personal data. A whole lot. It's a free service and I can only assume they are using this data to pay for the service. Fair trade? I guess, if that's all they are doing. At bare minimum they can deliver seriously detailed data to an advertiser or marketeer: How many single females between 18 and 24 are politically liberal, attending the University of Virginia and against abortion? If I assume they are more diabolical: What are their phone numbers? Or: I'd like to spam them, what are their emails?[2]
  • There is a serious push to get you to give them your mobile telephone number. The upside of this? There just isn't a directory of this information that is even remotely useful. Everyone changes numbers all the time and it is impossible to keep up. Facebook is a theoretical way to keep tabs on your friends' numbers. Let them move around or change jobs -- the number is still there for you. The dark side? This is a marketing company (or worse). They want your mobile number. They want to call you or sell it or SMS you or god only knows what. If I had to pay a maintenance fee and got some nice language in the acceptable use policy about how they were going to keep this in Al Gore's lock box and kiss unicorns on Sunday -- if that were true, I would almost think about giving it to them. But the fact that they are paid by marketeers -- that gives me the shivers. They regularly pop up CAPTCHA boxes to prove you are a real person.... unless you give them your cell phone number. Then they stop. I find that strange. But like I already said: I am paranoid. Someone used to pay me to be paranoid. It's who I am now.
  • And while we are talking about policy... Their terms of service are odd. What's a "terms of service?" you ask? That is the tiny little box with 30 pages of scrollbar that you never read -- right before you click "I agree". I am not a lawyer, but some of the wording there and in the privacy policy is a little odd. You've agreed that they can collect all sorts of data about you from other sources... and you've given them an irrevocable, transferable license to use that data and any data you give them. It sits wrong in my belly.
  • In a way it is a really cool data mining operation. And one where there are a billion unpaid workers doing the mining. If cute little Suzy from math class has a picture of you doing a naked kegstand at a frat party, she can post it and tag it with your name. (And I am sure no future employer will ever be tempted to look at this or at your affiliation with the Ole Miss underground Nazi party.) And if data mining bothers you, the nefarious possibilities here are endless.
  • But there is a pinnacle to this paranoia. And it doesn't lie with facebook per se. It is their API[3]. In other words, the little cutesy facebook applications. At first, they are merely annoying. Everyone wants to send you a drink or a Christmas card or a quiz or a game. Sure, some of them are cool, but if you "accept" it, you get some little verbiage about "allow application access to your personal data?" Hmmm. That's weird. So I sort of took a look at it (from the 10,000 ft level). It turns out all those cute applications are not run by facebook. Nor are they hosted by facebook. They run on someone else's web server somewhere else. And when you click "give them all my scary childhood secrets" (or "yes" -- I forget which one it is) then that site more or less has the ability to get at all your data.... and the data of all your friends. So you really are no longer even relying on your own judgment of what privacy settings are safe. Now, you rely on the judgment of your least technical "click on anything that pops up" friend and the worst application they can find. Nice.
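The "weakest friend" point above can be made concrete with a small model of how far profile data travels once third-party apps are in the picture. What follows is an added example, not code from the original post or from any platform: it assumes, as the post describes, that an app a user installs can read that user's profile and the profiles of all of that user's friends (not friends of friends). The `friends_apps_allowed` flag is a hypothetical per-user opt-out invented for this model, and every user, friendship and app name is constructed.

```python
"""Transitive exposure of profile data through third-party apps.

Added example, not code from the original post. Assumption taken from the
post's description: an app a user installs can read that user's profile and
the profiles of all of that user's friends (not friends of friends). The
`friends_apps_allowed` flag is a hypothetical per-user opt-out invented for
this model. All users, friendships and app names below are constructed.
"""
from dataclasses import dataclass, field, replace


@dataclass
class User:
    name: str
    apps: set = field(default_factory=set)   # apps this user has granted access
    friends_apps_allowed: bool = True        # hypothetical opt-out (assumption)


def build_graph(edges):
    """Undirected friendship graph: {name: set of friend names}."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def apps_seeing(target, users, graph):
    """Map each app that can read `target`'s profile to the users who let it in.

    Direct path: `target` installed the app.
    Indirect path: a friend installed it and `target` has not opted out.
    """
    reach = {}
    me = users[target]
    for app in me.apps:
        reach.setdefault(app, set()).add(target)
    if me.friends_apps_allowed:
        for friend in graph.get(target, set()):
            for app in users[friend].apps:
                reach.setdefault(app, set()).add(friend)
    return reach


def weakest_link(target, users, graph):
    """Friend who lets in the most apps `target` never installed.

    Returns None when no friend adds any exposure beyond target's own apps.
    """
    me = users[target]
    worst, worst_count = None, 0
    for friend in sorted(graph.get(target, set())):
        leaked = users[friend].apps - me.apps
        if len(leaked) > worst_count:
            worst, worst_count = friend, len(leaked)
    return worst


def exposure_report(users, graph):
    """Number of distinct apps able to read each user's profile."""
    return {name: len(apps_seeing(name, users, graph)) for name in users}


def opt_out(users, name):
    """Copy of `users` in which `name` has opted out of exposure via friends' apps."""
    copy = dict(users)
    copy[name] = replace(users[name], friends_apps_allowed=False)
    return copy


# Constructed sample: alice installs nothing; her friends install freely.
USERS = {
    "alice": User("alice"),
    "bob": User("bob", {"DrinkSender", "QuizApp", "PokeWar"}),
    "carol": User("carol", {"QuizApp", "XmasCard"}),
    "dave": User("dave", {"SketchyApp"}),
}
GRAPH = build_graph([("alice", "bob"), ("alice", "carol"), ("bob", "dave")])


if __name__ == "__main__":
    print("apps that can read alice:", apps_seeing("alice", USERS, GRAPH))
    print("alice's weakest link:", weakest_link("alice", USERS, GRAPH))
    print("apps per profile:", exposure_report(USERS, GRAPH))
    print("alice after opt-out:", apps_seeing("alice", opt_out(USERS, "alice"), GRAPH))
```

Running it shows the post's point in numbers: alice has installed nothing, yet four apps can read her profile, all let in by bob and carol, while dave's app does not reach her because the model stops at direct friends. The hypothetical opt-out drops her exposure to zero, which is the kind of control a defender would want to exist and to verify, rather than trusting every friend's judgment.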

I might mention that there is a set of seriously nefarious rumors that even Oliver Stone and I don't buy into. If you are interested in conspiracy theory, there are ten or more versions of videos on YouTube. But if even I think it is too far-fetched -- I wouldn't bother too much.

All in all, the idea here is cool. The idea is that everyone keeps their own data and determines which people can see it and exactly what parts can be seen. The trust factor (for me) just isn't there though. And the applications are about as secure as an unpatched Microsoft product.

  1. And that, my friend, is the sound of 25 college business majors changing their major to computer science. I am going to leave out the part that, no matter what your preference is, you are going to look at a whole lot of porn you DO NOT want to see.
  2. I am not saying they do this. But I am saying it is totally within the realm of possibilities.
  3. For you non-computer geek types, this is geekspeak for how you write programs to work with facebook.


Kari said...

I could make you a tinfoil hat, if you'd like. I would even make it in the shape of a pyramid, for extra power.

Spork In the Eye said...

Hmmm. This is a tough call. You would need to use the heavy duty tinfoil from the warehouse store. And we are almost out of it. I don't want to waste any that could be used for smoking tasty meats.

Kari said...

I could use 3 layers of the regular foil, leaving a hollow space between each layer for even greater signal-scattering capabilities.

Spork In the Eye said...

I'm worried about tearing... The thin stuff is so likely to tear. You might have to bond the 3 layers together for strength, leaving out the space between them. Oh, this is so confusing.