Tuesday, December 27, 2011

the problem with the "like" trade

earlier today randy abrams posted an interesting take on facebook advertising and how misleading the word "like" can be (http://randy-abrams.blogspot.com/2011/12/facebook-misleading-advertising.html). this reminded me of a beef that i've apparently had going back at least as far as may of this year (judging by the timestamp on the screenshot i took).

specifically, randy said the following:
If I have to “like” a page to get the information I want, I don’t have a problem with that
well, with all due respect to randy, i do have a problem with it. randy makes some good points about the way people's pictures get used in facebook ads when they "like" things, but a point he neglected is that forcing users to "like" or otherwise post about something before they can see the content they've been lured with is a popular tactic in facebook scams.

now, i'm not trying to suggest that security companies making use of this marketing methodology are scam artists (though i am tempted to say that all marketing is in some way a scam) but they should be aware that by utilizing this sort of marketing they are effectively endorsing a marketing methodology (developed by facebook) that breeds victims. i don't expect facebook to care about such things, since such trickery is how they make their money, but i certainly expect security companies (especially ones with as strong a leaning towards empowering users as eset) to know better than to go along with facebook's questionable methods and do things like this:
"like"s are not something to be bought from users in exchange for free or otherwise tempting content. they are an endorsement and as such can't be legitimate until after the user has sampled the content. the idea of exploiting illegitimate user endorsements should be recognized as unethical and should be understood to have consequences. by using the sort of techniques that scam artists thrive on, one is basically training people to be victims. i expect better from security companies and i think you should too.

Sunday, December 04, 2011

privacy in the age of forever

i've written before about what i think privacy is, though classifying it as an obscurity-based strategy for satisfying a basic need for safety was very high level and abstract. it could also be taken the wrong way, since people often think about safety as only applying to their physical person (i.e. physical safety). our physical bodies aren't the only thing we want to keep safe, of course. our families, our property, our reputations, our opportunities, etc. are all things we want to keep safe, all things we want to protect, and all things for which privacy can help offer some protection.

privacy is often described in terms of controlling information but on reading danah boyd's thoughts on privacy i realized it can and should be expressed a different way. controlling information is the means by which privacy is often accomplished, but it's not what privacy is actually about. while i don't agree with the narrow scope boyd used ('asserting control over social situations'), at it's root was a kernel of truth. while the means by which privacy is achieved may be the control of information, the point is the control of outcomes related to that information, whether they be social outcomes, business outcomes, educational outcomes, housing outcomes, health outcomes, political outcomes, legal outcomes, etc.

controlling outcomes is, of course, the point of any strategy. the thing about strategies, though, is that their appropriateness depends heavily on the situation, and what people largely don't realize is that there is a situation which is becoming increasingly ubiquitous under which many traditional privacy strategies don't work very well.

in the online world everything is recorded and stored for consumption at a different time or in a different place. it is essentially a persistent medium through which we can interact with each other. this is a significant point because for most of human history the real world has largely been an ephemeral medium for interaction. our behaviour, the strategies that we develop as we mature in the real world take great advantage of the ephemeral nature of our interactions with others. if you weren't present the day your best friend made a hurtful comment about you to others in your peer group then you missed out, that experience is gone, "you had to be there" as it were. this ephemeral property of the event, the fact that the information only exists in a very particular point in time and space, serves to restrict access to that information to only those who were present at the same point in time and space.

once we start interacting online that ephemeral property ceases to exist, so access to the information that we might have otherwise expected to be restricted due to it's ephemeral nature is no longer restricted in that way. we often don't realize that, however, because we take that 'ephemeral-ness' for granted. it's not easy adapting to a situation where that no longer applies.

for example, imagine for a moment that every word you speak goes into a speech bubble above your head, like in the comic books, except unlike the comics the speech bubble doesn't go away, it stays with you and allows people to read what you said 5 minutes ago or even 5 hours ago. every swear word, every uncharitable thought uttered under your breath in the heat of the moment, everything. can you imagine how you'd adapt to that sort of situation? you'd probably censor yourself a lot more than you currently do - since your utterances have become persistent the natural adaptation that would allow you to continue to control the outcomes associated with what you say is to say far less.

at first blush that might not seem unbearably bad, but let's take things a step farther because that example really only dealt with your words. this time (this is inspired by danah boyd's post, by the way), imagine you are stuck in a very large room and surrounded by everyone you ever have and ever will meet. imagine trying to live your life in this room. how do you play with your toddler in front of your business partner or a potential client? how do you woo your future wife in front of your children or your parents? how do you hang out with your high school friends in front of your future employers? how do you project an image of cool professionalism to people who saw you fall face first in a mud puddle? again, in such a situation, surrounded by people from disparate contexts of your life, the natural adaptation is to reduce the amount of information that you reveal about yourself, but think about those questions; there are certain outcomes that can't reasonably happen without revealing sensitive things about yourself.

these examples may seem absurd, but this is what it means to interact in a persistent medium. anyone, anywhere, at any time can (in theory) see the footprints you've left in that medium. your interactions in a persistent medium transcend time and space, allowing people to effectively 'TiVo' your life (or at least the portion of it that's been recorded).

obviously this represents an unacceptable state of affairs for online interaction. there's very little utility in it if it requires such profound self-censorship. that's the reason that technological privacy controls and privacy settings were invented - to help replace the access control that was lost when the information became recorded. unfortunately the technological controls don't operate the same way that ephemerality does, so trying to achieve a simliar outcome with them is complicated and often not intuitive.

sean sullivan (at least i assume it was that sean) made a post on the f-secure blog that highlighted a talk given by clay shirky where he said (as quoted by sean) that "managing privacy isn't natural". technically what shirky said was that managing privacy settings isn't natural. we manage privacy every day in every interaction we make with others, but managing privacy settings by definition can't be natural because the settings themselves are artificial. this has implications for the kind of privacy one can achieve though managing such settings - it is itself an artificial, man made analog to natural privacy, and prone not only to being incomplete in comparison to it's natural counterpart but also to breaking down as all man made things do.

but as untrustworthy as that sounds, it will have to be good enough, because we can't turn back the hands of time or halt progress. we can't even opt out of the persistent medium. oh, we might get away with staying out of the online world ourselves, but persistence is intruding into the real world more and more. public photography, for example, is turning the public sphere (which used to represent an ephemeral medium) into a much more persistent medium than it used to be. this can be a good thing when it helps to expose things like police brutality, but it poses a not insignificant problem for us as a society.

paul ducklin raised some concerns about this very problem last year on the sophos blog. at the time i didn't think his concept of public privacy made much sense, but when examined through the lens of a traditionally ephemeral medium of interaction being changed into a persistent one without people noticing or appreciating the consequences for their existing privacy strategies, it starts to be clear (to me) that this is a problem that deserves some consideration. i wouldn't consider it an invasion of privacy, per se, but perhaps it would qualify as a subversion of privacy, since it changes the environment to one where the strategies people were using to control outcomes no longer work properly, and it does so without making it clear that that had happened.

are we ready for the implications of living in a world where our actions live on beyond the moment? i don't really know. certainly we can manage our privacy settings online, and maybe we can obscure our identifying features offline (though that may interact poorly with some of our cultural norms) so that public photography becomes less of an issue. i just wonder if explaining to the next generation what it was like before everything became persistent will be the last time we ever get to use the phrase "you had to be there".