Who is the product? Who is the customer? Do you even care?

Facebook, how big?

Facebook has obtained more than $500M from investors to grow facebook.com to the size it is today, and has not taken a single penny from any of its users. In order to pay back the investors for their extraordinary risky investment, the investors must be looking for something like 10x cash back.  That’s more than $5 billion! Of course it’s currently valued at over $50B. Just hold that thought for a second.

Now a second thought: billions of people can use email and not have to be part of one, single, organisation. How can that be?

Email is essentially a protocol. It’s called SMTP and is described by various RFCs. Any server that supports the SMTP protocol can advertise its MX record via DNS and receive email for that domain. Any client that ‘talks’ SMTP can send email to any SMTP server (it can reach). In fact, the SMTP client (or email client) can talk to its local SMTP server which will then forward on the email to its final destination.

This is, of course, a distributed system.  Due to an open protocol anybody can set up an email server and play in the big email ecosystem. Of course, the original inventors of the SMTP protocol didn’t envisage SPAM as we know it, and thus it was designed for a naive, friendly, co-operative world, where email users wouldn’t spam each other. i.e. academia.

Facebook is set up as a business. It has its customers’ interests to serve so that it can be a profitable company and return its investors money and provide a return for its financial stakeholders. The problem is, is that Facebook users are not the customer. They are the product that is sold to the actual customers who (I suspect) are advertisers. Thus, Facebook’s values aren’t necessarily aligned with their users, which means, almost inevitably, privacy is not Facebook’s key concern.

So if with Facebook, the users are the product, what are they actually selling? The social graphs its users create, along with the logged minutiae of the their lives, could just be the product that Facebook is, and will continue, to sell to advertisers. Your privacy is Facebook’s product. Your social graph (in theory) has value to advertisers. Do you want to exchange your privacy to multitudinous corporations for free access to, well, Facebook?

But the main problem with Facebook is that, in order to do Facebook with somebody else, you have to have an account at Facebook.com. It’s a closed system. Notice the difference to email? I don’t have to have an account at (the fictitious) email.com to send emails to other people. That would be absurd!

History has a habit of repeating itself. Remember CompuServe? AOL? MSN (pre-internet)? CIX? These were all silos. CompuServe had special pages only subscribers could see. Of course, they all went the way of the dinosaur, or were heavily modified, because the Internet was more useful. And Facebook is simply a better CompuServe or AOL.

Still, you may ask, “what’s wrong with a better AOL or CompuServe?”

Proprietary Silo vs Open Data and Open Protocols

Before answering that question, let’s consider what the alternative to Facebook or Twitter would be like. By way of analogy let’s look at Twitter vs status.net.

Twitter and status.net basically do the same thing: they are broadcast micro-blogging systems that let you send the equivalent of an SMS over the Internet to your followers. The best known example of status.net is identi.ca.

If you want to be part of the Twitter-verse you have to get an account at the sole provider of twitter-ness: twitter.com. Every tweet you send goes through twitter.com, is stored there, analysed and also provided to other (rich) organizations via the Twitter fire-hose. Not a great deal of privacy there, apart from the notional privacy that you can ‘protect’ your account. It’s still going through twitter.com.

status.net is like Twitter except that it is both an Open Source project and a Open set of Protocols. The difference is that status.net is like email; it’s a protocol that anybody can implement. You could subscribe to any status.net server and still be followed by any other status.net user in the world. Therefore, your tweets, or rather dents would only go through the distributed servers, the same as email today.

Another advantage of a distributed network is that it’s more resilient to failure. Twitter went down on Christmas day because every tweet goes through twitter. Email didn’t go down, except maybe a few distributed nodes did – but email didn’t fail en masse.

So back to Facebook and silos? I definitely want to put an activity stream (or lifestream) on the web. I currently use twitter for that because so many of my friends do. I also want to be able to put the odd photo up, publish a free/busy calendar, and enable old friends and new ones to find me and get in contact. But I don’t want Facebook to own that information. I want to own it. I want it under my own control, possibly in my own appliance running somewhere on the net. A distributed system that talks to other systems to exchange the data all under my control, with my privacy settings which won’t suddenly change because an over-arching corporation needs to sell more of my privacy.

Of course, it is coming, and there’s even some competition in the space. onesocialweb and Diaspora are both trying to solve the Facebook problem. The Freedom Box project, inspired by Eben Moglen, is also trying to work in that space. These will be tools that work in a distributed fashion.

When will it displace Facebook and Twitter? I think the jury is definitely out on that one; AOL, MSN, Compuserve, MySpace: the Internet is littered with the corpses of previously all-mighty corporations that owned the space.

Personally, I want Facebook to fail. I want a future where people control their own information. I want the semantic web and the power of pull, not the push-web. I want my appliance with my data and my control and I’m prepared to pay for it. I guess I’m going to have to wait a bit!

CONTENT You shall retain ownership rights in information or other content that you upload, post or otherwise transmit to or via your use of Twidroyd (“Submissions”); however, by making your Submissions through Twidroyd, you grant Licensor a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, reproduce, edit, translate, reformat, distribute, modify, transmit, prepare derivative works of, publicly display and produce the Submissions in connection with the enhancement of the Twidroyd service or otherwise in connection with Licensor’s business. You agree that these licenses include the right for the Company to make your Submissions available to other companies, organizations or individuals who partner with the Company for the syndication, broadcast, distribution or publication of such content on other media and services, subject to our terms and conditions for such content use. Such additional uses by the Company, or other companies, organizations or individuals who partner with the Company, may be made with no compensation paid to you with respect to the Submissions. We may modify or adapt your Submissions in order to transmit, display or distribute it over computer networks and in various media and/or make changes to your Submissions as are necessary to conform and adapt that content to any requirements or limitations of any networks, devices, services or media.

This is a bit like Microsoft saying, “If you use Word to write something then you grant us a license to it.”  Or Bic saying if you use their biros then they get a license.  Or perhaps your paper manufacturer.

It’s also really sneaky.  They don’t do it upfront and tell you that they want this right; they hide it in a EULA and in the Terms and Conditions.

So, this was happened when they were bought by Tweetup?  So let’s look at their Terms. Sure enough, hidden in their Terms is:

You agree that these licenses include the right for the Company to make your Submissions and, if applicable, User Content, available to other companies, organizations or individuals who partner with the Company for the syndication, broadcast, distribution or publication of such content on other media and services, subject to our terms and conditions for such content use.

Again they are hiding this.  I guess they want to use all the ‘tweets’ to try and sell them or the intelligence/analysis that they contain.  And they are a commercial company and so want to make money.  I have no problem with that.  My problem is that they aren’t being upfront about it.  And I guess they aren’t being upfront about it because they suspect that most people don’t really like the idea that their stuff (even if it has no individual value) is being sold.

Perhaps we should start paying for these services and really know what is happening to our data, rather than thinking everything is for free, and thus effectively forcing companies to do this type of thing?

Now I just need to find an alternative.  And ideas?

Don’t get me wrong; I think Alexander Hanff does great work campaigning on privacy issues.  I just wonder if, in this case, he’s seeing stuff that simply isn’t there.

For anyone who doesn’t know, Googlegate is about Google collecting un-encrypted WiFi data whilst roaming the streets with their StreetView project. Apparently, according to Privacy International et al., they have been doing this with criminal intent to record the bits of data intentionally so that they can find out more about us.

It appears that, whilst driving along, the software listened for WiFi broadcasts, discarded ALL those that were encrypted, and stored the packets, in entirety, of those that were not encrypted. This, according to conspiracy theory, means they knew that they couldn’t use the encrypted ones, and therefore were intentionally storing the unencrypted ones, even though they could have got the SSID from the encrypted WiFi broadcasts. This is the smoking gun.

Personally, I have no idea what Google were thinking, but I’m going to hazard some guesses.

WiFi access points. What kind are generally encrypted and what kind are generally open? Most home routers supplied by networks to consumers in the last few years are almost always encrypted now. If you buy off the shelf then you have to make a choice on whether to encrypt. Every Starbucks, hotel, cafe, airport, and other public access WiFi is unencrypted. Unencrypted WiFi seems like an invitation to join it, doesn’t it? It’s providing a service that you can connect to.

If I was writing software I’d probably make the decision that if anybody bothers to encrypt their WiFi then they probably don’t want their SSID used either. Hence I’d discard those packets. Also, for my roving software, to keep it simple, I’d probably just store the whole packet and pull out the SSID later during analysis. Storage is cheap. It’s easier to do, and you’d want your 24/7 software to be simple just so that it stands a better chance of not crashing. And, if it’s simpler, then it’s quicker and cheaper to write and test. Particularly if the brief is: “collect the SSIDs and geolocations of unencrypted WiFi stations”.

Why collect the SSIDs in the first place? Android phones and location services. It seems to me that it’s simply about better location services and getting more accuracy. Cell towers + SSIDs helps to place you on the map.

Should Google be collecting all this data in secret? No, I don’t think so. Are they an evil company? No, I doubt that too. Are they a large (huge?) organisation intent on making a profit? Damn right, and that’s something we should worry about. Have they got a good privacy record? Not really, especially after the Buzz debacle. Should we watch them like a hawk? Definitely. Was Google stupid? Without a doubt. But are they criminal?

My wife talks about ‘cock-up or conspiracy’. It’s a bit like ‘never attribute to malice what can adequately be attributed to stupidity’. I think Google cocked up, not that it was some conspiracy to collect our WiFi transmissions and analyse them. Still, paranoid people tend to see conspiracies everywhere.

Europeans and other potential enemies of the US are to be forced to deposit their personal details on the Department of Homeland Security’s computer system 72 hours before they get anywhere near the place.

The new rules will apply to citizens of the UK, and other countries whose citizens can travel to the US under the “visa waiver program”, from January next year. The prime motivation for the scheme is increased concern in Washington that European grown terrorists can exploit the visa waiver program to get into the US and wreak havoc.

Such a beautiful, interesting country populated by really great people; sadly governed by (apparent) idiots.

On their web site, they go to great lengths to say how safe the data will be; that the DNA and other information will be held anonymously and that they definitely won’t give the information to anyone (except if told to by the legal authorities). Except, the data isn’t held anonymously.

To quote from their web site in the confidentiality section:

• Your DNA samples and information are stored anonymously – that means any information which can identify you, such as your name and address, date of birth or NHS number is taken off your data and samples and stored separately.
• Information is encrypted. We do need to be able to identify your samples and information so that we can track your medical records, contact you again or destroy your samples if you withdraw. We do this by using a code. Only those UK Biobank staff with access to the code will be able to connect you with your information and samples.

Note that the emphasis is mine. Therefore, they can identify your DNA samples. They just keep the key in a separate database. Thus, they can equally reconstruct a database with your DNA records and name, address, and any other details that are held quite easily. They just say they won’t.

Tinfoil hat time. I can foresee a near-future event where the Government decides that 500,000 DNA records are just too interesting to be kept away from their ID database and decide to pass legislation to gather all DNA databases into the (future) ID database. It would just be too tempting for them. I just can’t take the risk. As much as I would like to help science, I really don’t want my DNA ending up on yet another poorly secured database where just about any Government employee can access it. Better yet, in the process of transferring the data, they will burn it to a CD unencrypted and leave it in a briefcase in a taxi or something similar. Sorry, don’t want to be a part of that.