The eighth rule of Facebook is, verbatim: if you don’t need to use Facebook for work then walk away soldier, and don’t look back, even for a second. For everyone else, here are some tips for protecting your privacy and information security on The Social Network.

First up is some background information in the form of a rant, with more movie references. If you just want the “how to” details, then skip to Global Privacy Settings.

Facebook wants you to over-share

Over the past five years Facebook has gradually changed it’s default privacy settings for both new users and new features. If you join in 2010 and do not change your default privacy settings then your activity can be observed by a lot more people than if you had done the same thing in 2005. Here is a nice set of pie charts that illustrates the story.

Similarly, if you joined in 2005 and have never changed your privacy settings then your activity has gradually become available to a larger number of people because Facebook has added new features that don’t respect or relate to your existing privacy settings. Places, discussed below, is a good example of this.

Two levels of concern

Given the creeping exposure of all manner of personal data over time, there are two levels of concern with Facebook. The first is that your activity may be observed by undesirables (employers, children, parents, stalkers, etc.): the privacy problem. You want to be sure that you configure and use your Facebook account in such a way that your disclosed data can only be observed by the people you choose. The easiest way to deal with this is to treat everything you do on Facebook as potentially a public statement. Another way is to use friend lists.

The second level of concern is that even with good privacy controls that protect you from other individuals on Facebook, your activity over time may generate a behavioural profile that can be used to identify you even if your name never appears in the data comprising that profile. This is exacerbated by factoring in your activity on other social networks. Facebook, its advertising partners or, potentially, law enforcement or hackers have access to aggregate data that could be used to de-anonymise you: the information security problem.

Evil fireball

Just like the evil space fireball in The Fifth Element, that only grows bigger when General Staedert orders his crew to fire at it, Facebook gobbles data and the more active you are, the more it knows about you. Example: deleting a photo you don’t like equals more data about you (she didn’t want that photo to be seen by her friends). Deletions, by the way, are recorded. The data that is deleted remains recorded, etc. Everything is saved. Evil fireball.

Of course, jerks who see the world in black and white because it suits their agenda will tell you that if you have done nothing wrong ever in your entire life, and know that you never will, then you have absolutely nothing to hide from the fireball. They do not care about your privacy and liberty, they just want you to get out of their way. Nevertheless: the best way to deal with these problems is not to join Facebook. The second best way is to treat everything as public even if you have taken measures to control who sees it.

Global privacy settings

On May 26 Facebook replaced it’s convoluted privacy controls with a unified and simplified global settings panel. Nick O’Neill, who has written many useful articles on Facebook privacy, provides and overview in his post “Ten things about today’s privacy changes.” This is easiest way to start protecting your privacy.

Go to Account → Privacy Settings and choose something other than “Everyone” or “Recommended”. Facebook’s “Recommended” settings are, naturally, not very private. If you want my advice, choose “Friends Only” and lock that in first, then customise it further to restrict some of the settings to either a list, a specific group of names, or “Only Me.”

Note that at the top of the settings page there is a section called “Basic Directory Information”. Click on the unassuming little link that says “View settings” to both view and change your default directory settings. This is basically the information that people can find out about you through Facebook’s various search features.

At the bottom of the settings page there is also a section called “Applications and Websites”. Click on “Edit your settings” to set limits to the kinds of data that Facebook applications can access about you by default should you choose to install them (something that I recommend you avoid as much as possible).

Settings for ‘Places’

Following the popularity of location-based social networks like Foursquare and Gowalla, Facebook in August launched a location “check in” feature called Places that allows you to send your geographic coordinates to the system to let people know where you are. With all of their usual charm and tact they set up this feature to allow, by default, other people to check you in to places. (Bruce Schneier, whom I linked to a couple of times above, calls this type of information about you incidental data.)

Nick O’Neill again provides a good overview and some advice in “Places privacy settings.” The most important thing is probably to prevent other people from being able to check you in to places so be sure to set “Friends can check me in to Places” to “Disabled.”

Customising your settings

If you plan to use Facebook to say things that really do need to be restricted to a smaller group of people then you should customise your privacy settings. O’Neill’s post “Five privacy tips,” written before the privacy simplification changes in May, is still very useful in this regard, especially for the details it provides on using fine-grained Custom permissions, which is what you need to use if you want to restrict a data type to yourself or a short list of specific indiviuals.

Related to this is a change to the Publisher that went into effect this week, and relates to your everyday use of Facebook. The Publisher is the open text box at the top of your Wall and News Feed screens that invited you to start typing something (“What’s on your mind?”) has now been replaced with a Share bar that presents the following options: Status, Question, Photo, Link and Video.

When you one of these you get either a text box for typing, or a set of upload options, as well as a Permissions drop-down that allows you to limit who can see what you type or upload. Use the permissions feature to restrict your status updates to trusted friends if you are planning on sharing sensitive information.

Or, better yet, don’t share sensitive information on Facebook.

Related posts:

• Bad cookies
• Ramifications
• How to make a Facebook page

This sucks:

More than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies, UC Berkeley researchers reported Monday.

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Ah, but there’s more:

Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called “re-spawning” in homage to video games where zombies come back to life even after being “killed,” the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.”

You had better read the whole thing.

Cleaning up

More light reading about this glorious privacy debacle:

• Adjust your Flash Global Privacy Settings
• Adjust your Flash Website Privacy Settings
• Overview piece: “How Flash Cookies Threaten Your Privacy”
• Wikipedia page on Local Shared Objects
• Mozilla Firefox plugin: BetterPrivacy
• Windows optimization, privacy and cleaning tool: CCleaner
• Flash cookie removal tool for Mac OS X: Flush.app

Warning on the first two links: you might find, as I did, that going to a weird-arse Adobe web page over plain old http with no authentication to adjust your Flash privacy settings is creepy. Thank you, once again, Macrodobia for making Internet so fun.

Related posts:

• Protecting your privacy on Facebook
• How may we surveil you?
• Simpson, eh?

As you can see the system is logged in with an account that has Administrator Privileges. There is no “hacking” this box…. You just walk up to it.

When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?” Which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my drivers license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over and quickly leave the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.

To my horror, all of the Verizon stores in my area were set up the exact same way.

The moral of this story is not to use public terminals wherever you may find them, as the people who set them up may not usually don’t know what they are doing. (Read back through this year’s Philosecurity posts for more examples.)

Related posts:

• Bad cookies
• Protecting your privacy on Facebook

We have a number of ideas for sustaining our project beyond a dependency on grants, like building a local advertising engine and/or selling hosted versions of the open-source software, but we’re sure there are other ways for EveryBlock to be a successful business. That brings me to the reason I’m posting this—we’re looking for ideas and partners who would be interested in helping us figure this out. If you have any ideas or suggestions, get in touch with me. I’m confident we’ll make something happen; it’s just a matter of how.

EveryBlock’s core innovation is to take existing public information (civic and municipal data, journalism, photographs, user reviews, etc.), and to expose it on the web based on the physical locations to which that information applies. Among other things, EveryBlock has played a key role in opening up government data on the web; Daniel X. O’Neil:

At EveryBlock, where my main role is to work with municipal governments to uncover new data sets, we’re experimenting with a new form of journalism where we treat freshly updated public records as block-level news. It’s a big job to acquire ongoing feeds of government data, and we have a broader goal of spreading the gospel of open data.

If you have thoughts I urge you to share them with the development team. EveryBlock is a point of genuine innovation that has produced a useful new service, in a landscape increasingly littered with irrelevance.

Update: On August 17, 2009 Adrian Holovaty announced that EveryBlock has been acquired by MSNBC.com:

We’ll continue to run the first and best microlocal news Web site on the planet, with the same six people, with the same logo and design, with the same everyblock.com domain. MSNBC.com has hired our whole team, and they’ve made it clear to us that we’ll be driving the site’s strategy and implementation, and that our site will remain an independent destination as a community service.

Sounds like good news.

Related posts:

• Skewed data
• Google Flu Trends
• Flu trends comparisons

The data set for the competition consists of more than 100 million anonymous movie ratings, using a scale of one to five stars, made by 480,000 users for 17,770 movies. Note that the user-item data set for this problem is sparsely populated, with nearly 99% of user-item entries being zero. The distribution of movies per user is skewed. The median number of ratings per user is 93. About 10% of users rated 16 or fewer movies, while 25% of users rated 36 or fewer. Two users rated as many as 17,000 movies. Similarly, the ratings per movie are also skewed: almost half the user base rated one popular movie (Miss Congeniality^†); about 25% of movies had 190 or fewer ratings; and a handful of movies were rated fewer than 10 times.

So regarding users: there is rich data about atypical users, and sparse data about the majority. And regarding movies: there is copious information about popular movies, and little about the long tail.

† WTF?

Related posts:

• Netflix streaming video
• Protecting your privacy on Facebook
• What’s next for EveryBlock?

It’s a great interview, mixing technical details with broader sociological questions, but one thing strikes me as odd: for someone so intimate with the technology of manipulation, Knox’s take on what constitutes advertising is surprisingly unreflexive:

To the extent that advertising is beautifully targeted, it ceases to become advertising is now more informational. The most encouraging example of this is Gmail. I see nothing but Ruby on Rails developer jobs and Scheme developer jobs on Gmail.

It ceases to appear as advertising. It’s still advertising. It’s goal is to shape behaviour by converting an impression into a sale. Whether a person is interested in the product or service doesn’t change that fundamental relation. That so many people tend to think of well-targeted advertising as “just” information is a source of endless fascination to me.

† Via Bruce Schneier.

Related posts:

• The future of advertising
• What’s next for EveryBlock?
• Protecting your privacy on Facebook

This desire to get in, get it over with and get out spills over into other forms of reading. Maybe you can just barely endure a quick flip through one section of a newspaper, but could you even read a book of short stories? I ‘read’ 200 books annually, yet even I barely manage to begin five fiction books a year; of those, I might finish one. I manage the other 200 books solely because the books can be skimmed over or simply flipped through, as though they were a fashion magazine.

He has a point, and I don’t think it’s just the medium (hypertext) that is causing this. For me graduate school had a similar effect on my ability to read novels—because of the demand to read so much (and I’m a slow reader) my reading habits changed so that it became common to read only fragments of a text. Even when I did, technically, read an entire book it wasn’t by starting at the first chapter and proceeding systematically to the last.

The fact that there is so much writing produced about very specialised topics is part of the problem. This is more about the political economy of higher education and status attainment than about the technology of reading. Information culture pervades daily life because utterable, sourced information has become the principle currency of various status economies that thrive in conditions of plenty.

But, and this is Clark’s point, the Internet facilitates this effect unlike any other mass medium. The web has transformed reading practice faster, and for more people, than film, radio or television and in world history it is at least as ubiquitous as any of those things, and potentially more so. The most provocative part of Clark’s argument then, is the claim that our collective behaviour may be destroying a cultural competency that many of us value.

Like I said, I think he has a point.

Related posts:

• The current days of the Internet
• ‘A computer without the Internet is useless’
• The Third Decrease