A brief example: A few years ago I ran a survey about privacy on Facebook. Over 90% of the respondents (both genders, across all ages) responded that privacy is important to them. However, their actions contrasted sharply with this concern. By merely responding to my survey, they had agreed to provide me access to all of their private information on Facebook. So much for privacy. There is a tendency to assume that we’re being protected, that some geek somewhere has decided something that will guard our information. This is not a valid assumption. Read on!
“Privacy” on Facebook
We’ve all heard, and presumably know, that what we do online isn’t private unless we take extra efforts to make it private. This is what one might think that Facebook’s so-called “privacy settings” are designed to do. You tell Facebook that you’d like a particular status update, photo or any other item to be maintained “private” or accessible only to “Friends.” You expect that this is what will happen, right?
I’m sorry to be the bearer of bad news but this is not the case. Every photo you load in Facebook is immediately available on a public web server that does not require any sort of authentication or special sign-on in order to see the photo.
To demonstrate this, I loaded this picture to Facebook (using a dummy user account) and specified its privacy to “Friends only.” The image URL (web address) was immediately accessible to anybody whether they are signed on to Facebook as the original uploader, a friend, or are not signed on to Facebook at all. Indeed, anyone can go to this URL: http://a5.sphotos.ak.fbcdn.net/hphotos-ak-snc7/423719_128582700596711_100003349463924_127843_1794341758_n.jpg and view the photo (UPDATE: see the update below for why the link broke).
You are probably thinking that it would be unlikely that anyone would simply stumble upon this photo since it would be unlikely to appear in any search engine. However, if anyone shares the URL (as I just did), it becomes public. Note that the original owner’s permission is not needed, nor would that owner even know that the picture is circulating. Herein lies Lesson #1: Be aware that there are many people besides those with whom you share a picture that can pass it on to others if they so choose. Photos on Facebook are not private.
Now you could be saying to yourself that this is okay since Facebook is “designed for sharing” and therefore those who use it should not have an expectation of privacy. Why then, does Facebook have “privacy settings?” Those settings give people the illusion that the information is private – what a delusion! Thinking that what they’re uploading is private, the photo takers among us may share more as a result of believing that what they’re sharing is private. Big mistake. (Case in point, my friend who found out her husband was fooling around with her bridesmaid via a “private” picture on Facebook.)
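To make the photo-URL problem concrete, here is an added sketch (my own illustration, not Facebook's code) that contrasts a URL that works for anyone who holds it with a link that is signed, expires, and is only honored for the signed-in friend it was issued to. The key, the audience list, the URL layout and all function names are assumptions made up for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"         # assumption: server-side signing key
AUDIENCE = {"photo42": {"alice", "bob"}}  # constructed "Friends only" list


def fetch_static(url, session_user=None):
    # Behaviour described above: possession of the URL is the only check.
    return url.startswith("/photos/")


def _sign(photo_id, viewer, expires):
    msg = f"{photo_id}|{viewer}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def signed_url(photo_id, viewer, ttl=300, now=None):
    # A link is issued only to a member of the photo's audience.
    if viewer not in AUDIENCE.get(photo_id, set()):
        raise PermissionError("viewer is not in the photo's audience")
    expires = int(time.time() if now is None else now) + ttl
    sig = _sign(photo_id, viewer, expires)
    return f"/photos/{photo_id}.jpg?u={viewer}&e={expires}&s={sig}"


def fetch_signed(url, session_user, now=None):
    # Serve only when the signature verifies, the link has not expired, and
    # the signed-in user is the audience member the link was issued to.
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    photo_id = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    try:
        expires = int(params["e"])
        expected = _sign(photo_id, params["u"], expires)
        valid = hmac.compare_digest(expected, params["s"])
    except (KeyError, ValueError, TypeError):
        return False
    current = time.time() if now is None else now
    return (valid and current < expires and session_user == params["u"]
            and session_user in AUDIENCE.get(photo_id, set()))
```

A forwarded signed link fails for anyone who is not signed in as the friend it was issued to, but nothing here stops that friend from saving the image and passing the file along, which is exactly Lesson #1.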
“Privacy” on Amazon Windowshop
Amazon has a great service called Amazon Windowshop. You can access it at www.windowshop.com or on the Windowshop application on an iPad, though you might want to read ahead before trying this just yet.
With Windowshop, you can browse a virtual endless storefront of Amazon. It’s a gorgeous, very compelling app. I’ve spent hundreds of dollars due to this app alone. Obviously, it works best when it’s connected to your online profile. Through this, you can make instant purchases and be shown items that are closely related to things that you’ve looked at in the past, items you purchased, and stuff on your various lists. Windowshop personalizes the shopping experience. However, most shoppers would probably prefer that their shopping lists, past purchases, and items that they’re interested in remain private. Why? Well, aside from benign items in the “consumer electronics” space, these lists show the types of books, magazines, drugs, dietary supplements, toys and all sorts of things you are interested in, something that most people consider private.
Perhaps surprising to Windowshoppers, there is currently a “small” privacy breach with Amazon Windowshop. When you access Windowshop at the office, for instance, Amazon remembers what IP address you came from (which is shared with the rest of the office). Then, if anybody else in your office accesses windowshop.com, they can see your (supposedly) personalized storefront. Even if they are not logged in as you and do not know your Amazon user/password, they can see all of the items you purchased, considered or listed. Basically, your shopping interests are revealed to everyone in your physical vicinity. Do you really want your office colleagues to know all of your likes/dislikes, medicines, personal care items, hobbies and product desires? (Note that this is also true when you access Windowshop through any WiFi hotspot such as coffee shops, a friend’s home, the airport.)
To demonstrate this “small” breach, I include here two screen captures. One is from the iPad that is logged into my account on Amazon. This is a screen capture of the “benign” consumer electronics section of the store. Then, I connected with another computer at the office and took a screen capture of the same section of the store. As you can see, the list of items is almost identical. Trust me, this happens also in much more personal item categories. At this point, anybody in the office can see my personalized shopping experience.
What can you do? Well, don’t use Amazon Windowshop unless you’re at home and are fine with those living there viewing your shopping choices. Or, only shop for those items that you wouldn’t mind being associated with you on, say, the front page of your local newspaper.
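From the site's side, the fix is to stop treating a shared IP address as an identity. The following added sketch (a model of the behaviour described above, not Amazon's code) puts a storefront keyed on source IP next to one keyed on a random per-browser session token; the class names, the IP address and the shopping history are constructed for the example.

```python
import secrets

OFFICE_IP = "203.0.113.7"   # constructed: one public IP shared behind office NAT


class IpKeyedStore:
    """Models the behaviour the post describes: the profile is keyed on source IP."""

    def __init__(self):
        self._profiles = {}

    def sign_in(self, ip, history):
        self._profiles[ip] = list(history)
        return None                      # nothing the browser must present later

    def storefront(self, ip, token=None):
        return self._profiles.get(ip, [])


class SessionKeyedStore:
    """Hardened variant: the profile is keyed on a random per-browser token."""

    def __init__(self):
        self._profiles = {}

    def sign_in(self, ip, history):
        token = secrets.token_urlsafe(32)  # would be sent back as a cookie
        self._profiles[token] = list(history)
        return token

    def storefront(self, ip, token=None):
        # The source IP is ignored; without the token there is no profile.
        return self._profiles.get(token, [])


def colleague_view(store, history):
    """Owner signs in from the office; return (owner_view, colleague_view)."""
    token = store.sign_in(OFFICE_IP, history)
    owner = store.storefront(OFFICE_IP, token)
    colleague = store.storefront(OFFICE_IP)   # same IP, no credentials
    return owner, colleague
```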
In both cases described here, it didn’t require a malicious user to get access to information that is considered “private” or set as private. As you might well suspect, malicious users have many more ways to get access to such information. I highlight these basic privacy vulnerabilities to make you realize how privacy on the Internet is much more of an “illusion” than reality.
Lesson #2: Beware. Nothing that you do online can be assumed to be private. Your best assumption is that it can – and might – be viewed.
Yesterday, I was speaking to someone, let’s call her Cathy, who wants to start a blog. Cathy has “explosive information” that she wants to share. However, she wants to do so anonymously because this is the only way that she’ll feel comfortable sharing such weighty information. What Cathy didn’t realize is that being anonymous, just like maintaining privacy, is an illusion. If her blog becomes so sensational and interesting, she would have to become a computer forensic expert to TRY to cover her tracks and keep her identity private. In the long run, it is extremely likely that Cathy will be revealed. My advice to her: Think through all of the ramifications of what you do online because it could be traced back to you. This brings me to Lesson #3: If you want to keep something private, really private, be very careful with it. Once it’s out there on the net, it’s very difficult to prevent it from becoming public.
What happens when people have the “illusion of privacy”? Naturally, they feel more comfortable in sharing information, uploading photos and videos online, etc. Once they feel more comfortable about doing so, they do it more often. This, obviously, is the intention of Facebook, and many other corporations. As Sheryl Sandberg, COO of Facebook recently explained at DLD, a key trend is that people are moving from being receivers of information to broadcasters of information. It seems to me that Facebook is confusing what people do with what people want to do. People broadcast publicly when they don’t intend to do so. People are too often simply confounded by the illusion of privacy.
I’d love to hear what you think and if you are aware of other gaping privacy vulnerabilities that people might need to know about. Don’t forget to share this blog with those you think could benefit from giving more thought to their online meanderings.
UPDATE (Nov 8, 2012): Facebook apparently decided to remove my photo that was marked as private (I can no longer find it on Facebook). So it disappeared and the link broke. So I replaced it with a static image. I don’t think this has fundamentally changed what is said above – since email sharing of any private image on Facebook is still well supported by Facebook – allowing users to share any image (including those set to be “private”) with anybody, with or without a Facebook account.