As we move into 2012 we can be assured that there will be numerous stories of rogue applications sitting on social media sites stealing users' data. Despite the spectacle that every breach causes, platform owners seem to have little interest in regulating their developers or in building platforms that put users in control of their own data.
Let's take Facebook as an example. Yes, it is an easy target as the biggest of the social networks, but that size also confers a duty to be the best rather than the worst, and Facebook has had a torrid few years trying to get privacy right.
Every day, as a Facebook user, I am bombarded with requests to use different applications. Many of them come from 'friends' who used an application that harvested their contact lists in order to grow its own user base. Some might see this as a price worth paying for a free application, but you are not just giving away your own personal data; you are giving away other people's as well.
For example, most Facebook applications require you to hand over your 'basic information', which covers your name, profile picture, gender, networks, user ID, list of friends and anything else you have made public. Facebook lets you edit your basic data and restrict other categories of data, but basic information is still a very large block of data, and it is granted as a single unit.
Let's take a closer look at this. A birthday application does not need to know my gender (a field Facebook limits to just male and female anyway) or anything else I have made public; a name and a date of birth would do.
I would also argue that it does not need my friends' details. It could give me something to send to my friends asking whether they want to be listed on my birthday calendar, let them subscribe if they wish, and let them opt out and delete their data from the application's cache later.
While gathering my friends' data for a birthday app, or at least their names and dates of birth, can at least be argued to make the application better, games applications gather exactly the same set of data. There is no justification for a game to collect anything beyond my name, my date of birth (for age-restricted games), perhaps my gender (though not necessarily) and possibly my profile picture. The rest of the data grab is wholly unnecessary and I should be able to opt out of it.
In fact, Facebook could enforce this by requiring applications to go through a validation process, just as iOS applications must pass review before they appear in the App Store. That process should be backed by a set of strict privacy protection policies requiring applications to justify each item of personal data they request about the user and about anyone the user is connected to.
In addition, rather than a catch-all 'basic information' grant, users should be able to choose exactly which pieces of data they share. That turns the default from opt-out into opt-in for each item. Requiring opt-in rather than opt-out is now becoming accepted industry best practice, so Facebook is failing to implement good practice here.
It is not just Facebook that has this problem. Any platform owner that allows applications to be shared among users needs to look carefully at how data is gathered and shared.
Commercial platforms and federated identity
In the commercial world there is another reason to tighten what data is captured and how it is used and stored. Federated identity is becoming increasingly popular as the basis for single sign-on, but part of the mechanism is that data about the user is shared between all the parties that establish the trust. Users need more control over what the various parties share about them, and those running federated identity solutions need to enforce the principle of minimum required data: release only the attributes a transaction actually needs.
For example, if I buy a game from a vendor using a federated identity linked to my credit card, the only data the game seller needs is my name, my age (for age-restricted games), a shipping address (unless the game is downloadable) and a token proving that the identity provider has authenticated me. The token passes from the trusted provider to the seller and all is well. Unfortunately, when you look at what sellers actually request, it is often far more than this, with no option for the user to limit it.
The solution is to let the user see what data the site they are visiting is requesting about them, as part of the trust mechanism itself, and to let them decline any item that is not essential to the transaction.
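The per-item opt-in argued for in the Facebook section and the consent step described here for federated identity are the same mechanism. The following added example (written for this page, not code from any identity provider) models it: the relying party lists the claims it wants and flags which are essential, the identity provider shows that list to the user, and the token it issues carries only the essential claims plus whatever optional ones the user opted in to. The request format is modelled on the OpenID Connect "claims" parameter; the HMAC-signed JSON token, the hosts, the key and the user profile are all constructed assumptions, and a real provider would sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed illustration: names, key and profile are assumptions for this example.
IDP_KEY = b"constructed-idp-signing-key"

# What the identity provider knows about the user (constructed).
USER_PROFILE = {
    "sub": "user-1234",
    "name": "A. Example",
    "birthdate": date(1980, 6, 1),
    "email": "a.example@example.invalid",
    "shipping_address": "1 Example Street, Exampleton",
    "friends": ["user-2", "user-3"],
}

# What the game seller asks for (constructed). Only the essential claims are
# needed to sell a downloadable, age-restricted game; the rest is the data grab.
RP_REQUEST = {
    "client_id": "game-seller.example",
    "claims": {
        "name": {"essential": True},
        "age_over_18": {"essential": True, "reason": "age-restricted title"},
        "shipping_address": {"essential": False, "reason": "physical delivery only"},
        "email": {"essential": False, "reason": "marketing"},
        "friends": {"essential": False},
    },
}


def consent_view(request):
    """What the IdP shows the user before anything is released: every requested
    claim, whether the RP marked it essential, and the reason given (if any)."""
    return [
        (name, bool(spec.get("essential")), spec.get("reason", "no reason given"))
        for name, spec in request["claims"].items()
    ]


def claims_to_release(request, opted_in):
    """Essential claims are released; optional claims only when the user opted in.
    Opting in to something the RP never asked for is an error, not a grant."""
    requested = request["claims"]
    unknown = set(opted_in) - set(requested)
    if unknown:
        raise ValueError(f"opt-in for unrequested claims: {sorted(unknown)}")
    return sorted(
        name for name, spec in requested.items()
        if spec.get("essential") or name in opted_in
    )


def resolve_claim(name, profile, today):
    """Derive claims rather than hand over raw attributes where possible:
    the seller needs to know the user is over 18, not the date of birth."""
    if name == "age_over_18":
        b = profile["birthdate"]
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        return age >= 18
    return profile[name]


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(request, opted_in, profile=USER_PROFILE, today=None, key=IDP_KEY):
    """IdP side: build a token containing only the released claims and sign it."""
    today = today or date.today()
    body = {"iss": "idp.example", "aud": request["client_id"], "sub": profile["sub"]}
    for name in claims_to_release(request, opted_in):
        body[name] = resolve_claim(name, profile, today)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, key=IDP_KEY):
    """RP side: check the signature first, then read the claims. None if invalid."""
    try:
        p64, s64 = token.split(".")
        pad = lambda s: s + "=" * (-len(s) % 4)
        payload = base64.urlsafe_b64decode(pad(p64))
        sig = base64.urlsafe_b64decode(pad(s64))
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    for name, essential, reason in consent_view(RP_REQUEST):
        print(f"{name:17} {'required' if essential else 'optional'}  ({reason})")
    token = issue_token(RP_REQUEST, opted_in=set())  # user declines every optional claim
    print(verify_token(token))
```

Run stand-alone, the script prints the consent screen and then the verified claims; with every optional claim declined the token carries only `name` and `age_over_18`, and `birthdate`, `email` and `friends` never leave the identity provider.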
A number of years ago, when Microsoft introduced Windows CardSpace, this was exactly the issue it highlighted: the identity selector showed the user which claims a site was asking for before anything was released. While Microsoft is no longer promoting CardSpace, it is still being developed as part of the OpenID Collaboration Project.
This is not a new problem. How many times have you filled in your details on a website to gain access to a presentation or other material, only to have it demand your home address or other detailed personal information? A lot of website owners have always given the impression that they are more interested in the personal data they can harvest than in the information they provide to customers.
Another challenge for EU website owners since May 2011 has been the EU Cookie Law (the amended ePrivacy Directive), which requires website owners to obtain users' consent before storing cookies that are not strictly necessary for the service the user asked for: opt-in rather than opt-out. Of course, some websites have got around this by refusing access unless you accept cookies, but the number that do so is slowly decreasing.
For example, www.hmrc.gov.uk uses 12 cookies, a mix of persistent and session cookies. Compare that with www.game.co.uk, which subjects users to over 180 cookies, many of them third-party cookies from its advertisers, with no opt-in choice on the site. www.argos.co.uk is no better, with over 200 cookies.
One reason companies set so many cookies is that advertisers and partners use them to know where a user was redirected from. Anyone selling advertising on a click-through basis needs some mechanism to track users. Even so, the user is still entitled to know that their information is being used for that purpose.
While most of this data may seem harmless to Game and Argos, legally they have no justification for it, and these are just two of over 45 examples of excessive cookie usage I was able to gather in just 30 minutes of web browsing. Fortunately, as UK registered companies, they have until May 24, 2012 to fix this. After that date the UK will begin enforcing the regulations that implement the directive.
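Counting cookies the way the examples above do is a simple audit, and the figures that matter for consent are which cookies are persistent and which are set by third parties. The following added example (written for this page, not a tool the sites mentioned use) classifies a constructed set of `Set-Cookie` headers received while loading one page: session versus persistent (Max-Age takes precedence over Expires, as in RFC 6265), first versus third party (by comparing registrable domains), and the Secure and HttpOnly flags. The hosts, cookie names, dates and the short public-suffix table are assumptions; a real audit would use the Public Suffix List.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Set-Cookie headers a browser receives while loading one
# page on shop.example.co.uk, including responses from third-party hosts the page
# embeds. Hosts, cookie names and dates are invented for this example.
PAGE_HOST = "shop.example.co.uk"
AUDIT_TIME = datetime(2012, 1, 15, tzinfo=timezone.utc)  # fixed "now" for the audit
SAMPLE_RESPONSES = [
    ("shop.example.co.uk", "JSESSIONID=3f2a1c; Path=/; HttpOnly; Secure"),
    ("shop.example.co.uk", "basket=abc123; Path=/; Max-Age=2592000; Domain=.example.co.uk"),
    ("shop.example.co.uk", "seen_banner=1; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/"),
    ("ads.adnetwork.example", "uid=7d9e; Domain=.adnetwork.example; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/"),
    ("pixel.tracker.example", "_t=xyz; Path=/"),
    ("cdn.example.co.uk", "cdn_pref=v2; Max-Age=0; Path=/"),
]

# Two-label public suffixes handled specially. A real audit should consult the
# Public Suffix List; this short table is a simplifying assumption.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(host):
    """example.co.uk for shop.example.co.uk; adnetwork.example for ads.adnetwork.example."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes); attribute names
    are case-insensitive per RFC 6265, so they are lower-cased here."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime(attrs, now):
    """'session' when neither Max-Age nor Expires is set; Max-Age takes precedence
    over Expires (RFC 6265 section 5.3); a past date or Max-Age <= 0 deletes."""
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # a malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparseable Expires is ignored by browsers
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return "persistent" if exp > now else "expired"
    return "session"


def classify(page_host, response_host, header, now):
    name, _, attrs = parse_set_cookie(header)
    cookie_domain = attrs.get("domain") or response_host
    third_party = registrable_domain(cookie_domain) != registrable_domain(page_host)
    return {
        "name": name,
        "set_by": response_host,
        "domain": cookie_domain.lstrip("."),
        "lifetime": lifetime(attrs, now),
        "party": "third" if third_party else "first",
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit(page_host, responses, now=AUDIT_TIME):
    """Classify every cookie and total the ones a consent mechanism must cover;
    persistent third-party cookies are the tracking cookies at issue here."""
    rows = [classify(page_host, host, hdr, now) for host, hdr in responses]
    summary = {
        "total": len(rows),
        "session": sum(r["lifetime"] == "session" for r in rows),
        "persistent": sum(r["lifetime"] == "persistent" for r in rows),
        "third_party": sum(r["party"] == "third" for r in rows),
        "third_party_persistent": sum(
            r["party"] == "third" and r["lifetime"] == "persistent" for r in rows),
    }
    return rows, summary


if __name__ == "__main__":
    rows, summary = audit(PAGE_HOST, SAMPLE_RESPONSES)
    for r in rows:
        print(f"{r['name']:12} {r['party']}-party {r['lifetime']:10} set by {r['set_by']}")
    print(summary)
```

On the constructed sample the audit reports six cookies: two session, three persistent, one already expired (Max-Age=0 is how a server deletes a cookie), two set by third parties, and one persistent third-party cookie, which is the one a site would need opt-in consent for. Note that `basket` is first-party even though it is scoped to the parent domain, because `example.co.uk` is the page's registrable domain.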
But does this really matter? Do people really care about how their personal data is being spread around?
The answers to these questions depend on whether you have had your identity stolen, and on your age. There is a generation that has grown up with social networks and the Internet, and it does not seem to care what data is out there about it. Take a wander through Facebook, MySpace, Twitter and Google+ and see what people post. Images, data, personal statements: all of these are usable by anyone planning to steal your identity. Of equal importance, once data is in the public domain it is hard to delete.
For an older generation that has grown up with an expectation of privacy, the Internet is a challenging place to be. While this older generation has embraced the Internet, it is uncomfortable with the amount of information requested by websites.
While website owners have long played fast and loose with personal data, there are attempts being made to tighten this. However, platform owners have an opportunity to raise the bar for the protection of personal data and give users control over how their personal data is shared between applications.
Providing a better opt-in mechanism and making sure that platforms, applications and websites use the least amount of personal data not only satisfies this older generation but will also help protect the identities of a younger generation that is Internet savvy but data naive.
For developers, platform owners need to publish exactly how applications may ask for data and have a process for checking that developers adhere to those rules. Better developer education is also an essential part of this, which means providing better tutorials on how privacy needs to be protected and maintaining links to sites that detail the various laws developers need to comply with.