There is so much to discuss around this and it’s not even out of the lab yet. In a rare display of focus, I’ll devote my first post on the topic to one of the more obvious questions – Can they (or do they need to) get 400 million people to migrate away from Facebook?

The idea of a decentralized, open source social network where you truly own your data appeals to many a privacy-concerned geek, but I think perhaps the announcement of Diaspora and their rapid public funding is timely more than anything. After the F8 conference Facebook are predictably under the spotlight again – this time there’s even infoporn - See: Mat McKeon and the New York Times.

So we’re all ‘concerned’ about our privacy, and maybe even what Facebook are up to in general, but as Fernando Rizo muses on his blog today, are you going to quit? No, of course not. Well, not without a decent alternative, because you don’t want to miss out. (See FOMO). Well let’s assume for a moment that Diaspora becomes that alternative – what then?

Tipping the other way

In theory I don’t see a reason the Network Effect can’t work in reverse. It takes early adopters to populate a site like Facebook in the first place – perhaps a trend in rejection could result in a tipping point in the opposite direction. If you joined Facebook because your friends did, and they went somewhere else – you’d eventually go too. Somebody has to go first of course.

I grumble about Facebook all the time, but I use it as much as the next guy – in fact more than most of my friends. I don’t want to shut my account down. Going cold turkey would be a serious commitment. I think for this to happen for me there would have to be some kind of transitional phase.

If Diaspora allowed me to view and publish content to and from Facebook, that would surely defeat its primary function. You could argue that it depends what the content was, but it would still mean keeping my Facebook account active. It might however be a way to soften the blow, and at the same time entice my peers into migrating too.

I don’t have the solution, (and I probably don’t understand the problem), but many of us are far too attached to our digital homes for this to be a clean break. As Fernando points out we’ve seen mass migration before (away from MySpace) but I’d say it’s a bigger deal this time. I remember quitting MySpace (~2007) and I really didn’t miss it. I had a handful of photos and about 30 friends. It was also incredibly annoying. Despite my moaning, I really like Facebook, it’s a very usable site and there’s vastly more content than I had access to three years ago.

Would an exodus be necessary?

Diaspora are proposing a hosted, turn-key option for their software (a la Wordpress) and perhaps, as is common with open source products, providers will be permitted to package up and sell the product themselves in a healthy, competitive fashion. To move 400 million people over to Diaspora, this would surely be essential – how many Facebook users know what a GPG key is?

I joked earlier (complete with typo) that if Diaspora took off, perhaps Facebook could move to a hosted-Diaspora revenue model. Perhaps this wasn’t such a joke. Facebook need your data to profit, if you’re going to abscond and not give them any more data and not look at any more ads, then a premium service where you can interact with your friends without getting ‘graphed’ seems reasonable to me. The privacy concerned few could pay, while the complacent masses continue to trade their personal lives for a free ticket.

I’m thinking out loud and probably sound like an idiot, but I’m hungry and need to go home…. just gotta check my Facebook.

You didn’t expect me to have only nice things to say, did you? There are a couple of things I have to question.

It’s only a draft

Despite this spec being a draft, Facebook (who are represented in the working group) have gone ahead and implemented it anyway. Although this is a step up from the non-standard methods they’ve employed to date, it does make me wonder. Will the spec be finalised according to their implementation? Will they change their implementation if the spec changes? Or will they end up going in separate directions? (think ECMAScript 4/ActionScript). As with my gripes about the Open Graph, how “open” are standards when we have self-interested corporations in the driving seat.

Looser security for JavaScript clients

The so-called “user_agent” journey serves the needs of front-end applications that don’t have access to a web server. (i.e. JavaScript only apps). This support comes at a cost to security because request signing is not required. (More to the point, signing would be redundant). The risk is a limited one – the “bearer tokens” must only be sent over SSL, so the worst you can do is take control of an app under the authentication of your own account. Still, I imagine it would be possible to post content that the app did not intend. (use your imagination!) My main gripe here is in justifying the trade off. The loosening of security is in favour of making apps easier to implement for more people – i.e. a Facebook business interest. I don’t think that’s a good enough reason to weaken the specification.

I’ve been saying to people that I’m not too excited about the announcements from F8 last week. I suppose this is because I was expecting the announcement that many were – that Facebook would launch a geolocation service. I still expect they will (even if it’s by way of acquisition). With 400 times the user base of Foursquare, just imagine how much faster they could build their ‘places’ database than the numerous firms all racing to do so; and what a valuable chunk of data that would be too.

Well, we didn’t get that announcement, but it’s taken a few days to dawn on me that geolocation is only one part of a much bigger picture – and that announcement we did get. It’s the Open Graph.

The Open Graph

Graphing the social web was only the beginning. Connecting people to places may be an obvious next step, but a place is only one kind of ‘object’ and Facebook [it seems] want them all – Your dog, your favourite band, your kitchen sink. The location of all these objects will follow soon enough – the embryonic Open Graph protocol already has fields for geolocation and address information, it’s just that Facebook have been fairly quiet on the topic.

What’s most significant about the graphing of these objects is that it extends beyond Facebook’s walled garden to the wider web. Facebook has trained us like chimps to click ‘like’ buttons for [however long] and now these clicks are going to index the entire web for them. These humble little buttons can now be attached to anything, anywhere and the collected data will have real meaning as to what and where these things are.

The Semantic Web

As I tweeted from the F8 live stream, there are fairly obvious overlaps with Facebook’s Open Graph protocol and Twitter’s proposed annotations. Perhaps they have different goals, but they are both essentially an attempt to make sense of the vast amounts of data flowing through their networks. They in fact have similar goals to the elusive Semantic Web. If you tune out the marketing babble and social media pontification there are some huge issues here, privacy being an obvious one, but also we may ask: how ‘open’ is it?, why are they doing it? and who benefits?

Through open standards some very clever people have been trying to steer us toward the Semantic Web for years. Facebook could easily stroll along and “do a Microsoft” on the whole thing. Regardless of the word “open”, they are still a self-serving corporation and with their reach extending beyond the walls of facebook.com this can have a real impact on the future of the Internet.

I’m far from being an expert on the Semantic Web, but here’s what some real experts have to say about the Open Graph.

Who benefits?

Privacy and open standards aside, this was the first question that popped into my head when watching the F8 keynote. Before writing this post I Googled “who benefits from the open graph?” to see if anyone had already blogged it – it threw up a great post by Chris Messina, so I’ll try not to replicate what he has to say.

It was this brief twitter conversation that got me thinking about the parties involved and what they each have to gain from all of this. Take the new ‘like’ button process, which is equivalent now to opting in to a fan page. Of the three parties, the user appears to benefit the least.

• Facebook get tonnes of data. (cue links to articles on “the price of free”). More fan pages will also drive more ad sales.
• The advertiser (publisher/brand/whatever) gets to push more content to you and gets tonnes of stats into the bargain. Visit your favourite agency blog to read how brilliant for brands this is.
• We get the thrill of seeing that we like the same thing as our friends (or not) and if it’s something we really like, we might enjoy the content that is subsequently pushed into our news feed.

Regardless of my usual cynicism and choice of imagery – I’m not saying any of this is bad, as a developer it’s pretty exciting (contradicts self).  I just think these questions need to be asked, and I wish all 400 million Facebook users would do the same.

Here’s one: the ‘like’ button. This has become more than just a casual way to show your friends you think something is cool. It’s become more powerful for advertisers, more useful for Facebook, and for you … ? You’re going to start seeing ‘like’ buttons all over other websites, including this one; What you probably won’t realise straight away is what it means to click this. Clicking a ‘like’ button on anything, anywhere instantly creates a Facebook ‘page’ for that ‘thing‘ and makes you a ‘fan’. Being a fan of a page (as you probably know) means the owner of that page can publish content into your news feed. So, essentially, by clicking my ‘like’ button on this page is the same as you saying you want to be a fan of this article and you want to allow me to deliver content to you about it any time I like. All at the casual click of a button.

There, that’s it. I just thought you should know. Make up your own mind about whether you think this is sneaky or not. Personally, I think it is. Here’s a good article on the topic by Channel 4’s technology correspondent.

–
I’ll be writing more about the announcements from F8 and Chirp later on. This was just a quickie, because I think the ~400 million Facebook users that aren’t Internet professionals need to be kept in the loop.

If you don’t already know that I’m a huge cynic, then you will do shortly. I’m going to lay out my observations as factually as I can, but they will be tainted with my usual dose of suspicion, fear and resentment. Below is a list of feature creep that I’ve observed, but there is an underlying point. If you don’t want to read the list, just skip to the bit at the end.

Account verification via mobile phone

I thought I’d start with this one, because it erks me the most. My personal account has long since been verified. i.e. Facebook is satisfied that I am a real person, and not a robot.  If you aren’t verified you must pass a CAPTCHA test for any significant activity such as posting, or friend-adding. This isn’t new, but what seems to be new is that the only option for verifying that you are human now seems to be a SMS-based security check.

What erks me about this is that the CAPTCHA itself is the human/robot test – the mobile phone check is not proof of life; it is in fact little better than an email-based method which just proves an email address exists; it doesn’t prove that there’s a person at the end of it. I question Facebook’s motivation here. The upshot of this is that if you don’t give Facebook your mobile number you will be badgered with CAPTCHAs until you get so annoyed you verify. It also suggests they put a lower value on your email address. (Project Titan anyone?)

The “username” (vanity URL) feature is also denied to you if you do not verify. I particularly like the prompt to try another time.

iPhone address book feature

Continuing the mobile phone number theme: The superb Facebook iPhone app recently added a new feature which allows you to add your Facebook friends’ profile pictures to the corresponding entries in your phone’s address book. Before you enable this feature, you must make this fabulous clickwrap agreement (see image):

Now, don’t get me wrong – I’m not suggesting that Facebook are doing evil things with your friend’s numbers, I’m sure they really do need the phone numbers to automate this feature. I assume it’s the only unique identifier that could associate an address book entry with a Facebook profile and a manual process would ask too much of the user. But regardless of the technical reasons, this is still an example of the increasingly prevalent ‘features for data’ trade we are becoming more comfortable with. It can only make us more complacent about our own privacy.

“Tim W is no longer in a relationship”

This was actually the first of my recent observations. Facebook used to have user settings that allowed you to prevent certain events from being published as ‘news stories’. The example of relationship status is pertinent in that it is so personal. I actually went though a ‘Facebook breakup’ in 2008, but had the publishing of this story disabled. I also had the “X is now friends with Y” story disabled (for reasons I can’t be bothered to go into), but the point is that these options have disappeared. Why? Because Facebook want more activity not less, and that’s no secret.

The real-time shift accelerated by Twitter at al is to blame for this. Much of Facebook’s UX tweaks in 2009 were blatantly geared towards encouraging more chatter, more sharing, more data. Again we’re encouraged to publish more activity, but in this example it’s been achieved through denying us the right to keep it private. In my view, that’s sneaky.

“friends-of-friends”

This relatively new privacy option took me by surprise. Certain rather innocuous settings, such as showing the “Add as a friend” button have had their tightest option reduced to friends-of-friends. This seems reasonable, but with 300 friends each having 300 of their own, we’re talking about 90,000 people. The chance of a colleague, employer, or client being amongst that is high – In my case it’s guaranteed. Fortunately the most sensitive settings, such as photo albums, still have much tighter options, but the option itself is still a nudge toward publishing more data to more people.

The bit at the end

I must point out that I’m not accusing Facebook of any evil-doing, or breaking any laws. These examples are here to illustrate what I think is a clear direction in our use of the free (as in beer) web, and our relationships with companies like Facebook and Google where our activity has become both product and payment.

The greatest threat to our privacy is our own complacency over it. We want features, we want them for free, and we’re increasing willing to hand over whatever data is required to access them. What worries me is not what companies are doing with this data now, and not even what they might do with it in future; what worries me is how this creep is discreetly changing our behaviour such that we [as a society] no longer even care about our privacy.

We need to keep an eye on the direction in which we’re being nudged and keep an eye on the organisations that are doing the nudging. Geolocation is clearly the next thing for us to get complacent about, and personal data doesn’t get much more personal than your physical location. The recent Please Rob Me site, however tongue-in-cheek, should be enough for even the least educated to sit up and pay attention to the potential dangers of publishing your location.

What’s the new feature?

Essentially it’s Facebook’s version of forwarding content through the network, as retweeting is to Twitter. I can’t find an official announcement of this feature. Mashable and All Facebook have referred to it as the “via” feature, or the “Facebook retweet”. Both ugly terms. I prefer “repost”, although “reshare” would be more inline with the Facebook lexicon. To cut a long story short, it lets you share with your friends something that a friend of yours has shared with you. At first glance this may seem like it circumvents the walled garden of your friend network. i.e. people you don’t want seeing your content seeing your content. gasp.

The repost privacy test

From my personal account (where I am simply known as Tim W and have every privacy feature locked down its strictest setting) I posted a link with appropriately alarming status update, as follows:

Then from my professional account (which is 100% public having the loosest privacy settings) I temporarily befriended myself and naturally saw the post from the elusive Tim W in its full glory. Nothing unexpected so far. I clicked the “share” button and reposted this link for all my friends on this profile to see.

Now I needed a third account that wasn’t friends with Tim W, but as a Facebook member could access the second profile in full. So I set up a Facebook account in the imaginative name of Mit Kcoltihw (Polish I imagine) and accessed the page of my public, professional profile. Lo and behold there was the reposted link, as below:

( ignore, if you can, the fact that my profile photos are the same. The repost doesn’t show the original poster as it does in Twitter)

What we see is that the posted link, and its meta data are visible, but my status update is missing. A non-friend seeing your link even if you set “Posts by me” to “Only friends” looks rather like a breach. It seems Facebook doesn’t consider this content as being “by you” as it came from a public source. However, if you change the link description text to your own text when posting the original link, this is also visible, and that’s definitely a loophole.

Links are one thing, but photos are a bit more serious. I tried the same test with a wall photo post, and you’ll be relieved to hear that the repost was completely invisible to third parties. Good.

So in conclusion – not so black and white. Your privacy settings are maintained to an extent, and you don’t need to worry about status updates and photos getting into the wrong hands, but there is definitely creep here. I think the  “posts by me” privacy setting is now misleading and needs addressing, and the reposting of custom link descriptions is highly questionable. I won’t lose any sleep over this one, but I won’t be getting complacent any time soon either. If you’ve spotted a loop hole let me know by commenting below, but double check your privacy settings first.

More in my next post about Facebook privacy creep.

1. A brief back-and-forth on Twitter with @kaigani where I outlandishly claimed that Facebook Connect is a phishing scam waiting to happen
2. The warning of another Twitter scam that typically exploits the layman’s inability to spot a fake URL.

Facebook and Twitter both offer authentication services arguably known as “single sign-on”. Facebook Connect is a proprietary system, and Twitter offers a system based on the OAuth standard. These services do something quite marvellous – They allow you to authenticate with a another website without the third party ever seeing your password. What’s makes it even more handy is that you’re probably already signed in to these popular services, so you may not need to enter your password at all. The problem is when you do.

If the mother service decides you aren’t logged in, it will have to present you with a username/password prompt just as if you were entering the main site. Here’s an example Facebook Connect popup:

A complacent user is likely to fill in these credentials without checking whether this page belongs to Facebook. This is the classic Phishing model, and I would argue that it is made worse by the additional trust the user may place in this familiar system. Furthermore, some implementations present this dialogue in a overlay form where no address bar appears at all.

There are various lines of defence available to the user at this point, and they are all in the browser.

1. The URL
Most phishing scams use cleverly manipulated URLs that can easily trick an untrained eye. The fact is that the address bar and the URL are (from an end-user perspective) quite technical aspects of using the Internet. These “connect” dialogues are prone to this problem, and to make it easier for the phishing gangs they don’t have to recreate the whole home page,  just one small window. Even for Internet professionals, an accurately copied design may provide little reason to glance at the address bar.

2. The SSL Certificate
In the unlikely event that hackers have infiltrated your ISP, you still have the server certificate to ensure the site is legit. Observant readers will notice that the above image does not show a secure page. This is a failing of the vendor and of Facebook. A secure page does exist for Facebook Connect [see below] but Facebook should not offer standard HTTP at all and in this example the vendor should have used the SSL version.

Twitter also fails to restrict their authentication screen exclusively to SSL. To make matters worse their SSL screen does not contain full identity information (see below). Many Twitter apps don’t use the SSL page, and in fact the application settings page for developers lists the OAuth service URLs as HTTP variants only.

Is this a technology problem, or a human problem?

These scams exploit ignorance and complacency – Two things that user-friendly web services like these can only perpetuate. All the cryptography magic and clever security models behind these services can’t actually prevent phishing scams, and as they become more common and more trusted, perhaps they just make phishing scams easier to pull off.

I’m not convinced these problems can be solved by technology; at least not by technology in the websites themselves.  I think this can only be solved by something that sits between the user and the trap – For example: the web browser, your ISP, or the HTTP protocol itself.

• Chrome and IE8 both offer a neat address bar feature where the host name is bolder than the rest of the URL making fake URLs much easier to spot;
• Firefox has more obvious server certificate and identity information, makes more of song and dance about invalid certificates and shows the host name in the status bar;
• Various browsers offer warnings of known scam URLs and no doubt many ISPs aid this effort

However, these features still require education and awareness. Above all, any solution requires the attention of the complacent masses who just want to get on with their life and click “OK” until they get what they want.

I think the main reason I didn’t see the point at first is that it was too easy to draw a direct comparison to the larger, more popular social playgrounds – Facebook et al. It stands to reason that a rather late new-comer like myself would look to these larger sites as a way of understanding what Twitter is and why they might want to use it, or whether they need to use it to be a valid member of the human race. At first glance the obvious conclusion is that it’s – “a bit like Facebook but with just the status, and that’s it? what’s the point in that?” – I am quoting an imaginary person here you see. This person is called John; he gets annoyed by knowing what his friends are having for lunch, but he’s got a Facebook account anyway because he’d hate to miss out, so he just grumbles about it.

Nano blog?

The “status update” is ultimately a dumbed-down incarnation of the micro blog; a nano blog perhaps? It seems practically every website that you log onto offers you a way to express yourself and validate your presence in some trivial fashion. This dumbing down is much less prevalent on Twitter, which I am now starting to see as its raison d’etre. I was most amused to compare my brother’s tweets to his Facebook status updates. The latter being somewhat inane, humorous references for the masses, and the former being much more considered prose; invariably eloquent and clearly aimed a more selective, professional readership. Not just a man who knows his audience, I thought, but proof if proof be needed that Twitter is much more of a cult than Facebook, and (dare I say?) an occasionally pretentious one at that (yes, I dared). I made the heinous error of adding the Facebook Twitter application which set my Facebook status with each Tweet. I am ashamed that the Twitter audience had to suffer my vacuous existence during that period. (hangs head).

So what would happen if Twitter reached a tipping point like Facebook did a couple of years ago? If people start joining because they find their friends are communicating in some kind of secret club and they don’t want to miss out. Let’s face it (no pun intended) this was the impetus for a reluctant many that followed a geeky few. Of course I can’t validate that statement with any kind of fact, but I’m sure you too have witnessed the annoyance of the non-facebooker. “Oh, sorry I didn’t email you about the party; I forgot you weren’t on Facebook”. – That was Caroline; she likes tagging people but not herself; well, only if it’s a good photo.

Despite seeing a fair amount of Twitter in the popular press recently, I am somewhat sceptical that it will reach the dizzy heights of Facebook, at least not in it’s current form. Extending the platform would defeat its simplicity which is largely the point of it, but if it did become engulfed with 100 million users then I’m sure the community would naturally find ways to block out the sandwich-eating references and get more of the existential poetry they crave without offending their friends. People may just maintain multiple accounts? A case for “channels” perhaps? serving the same purpose as groups on Facebook where you can choose to express yourself as you see fit in more fenced-off areas. Maybe we’d also find out for sure whether Ruby on Rails doesn’t scale. Anyway, I think I’ve rambled enough – tweet me! Do you say that? is that the correct conjugation?

You can see the South Park Down and Dirty application in action here. This link is my public Down and Dirty profile and does not require you to add the app, although you can add it here in the usual fashion.

Pick up Campaign or some such publication and no doubt you’ll be able to read all about the strategy, the creative, the design, even the metrics. Less likely you’ll read about the technical execution, which is where I come in…

I joined the team once the creative and design had been signed off, and from that point I was sole developer on the project. This meant developing the back end, (PHP/MySQL), and front end (FBML/CSS) and quite a bit of non-trivial Flash content (AS2). The total development time from briefing to launch was 13 days – 13 long, hard days.

This project threw up some interesting technical points worth mentioning. If you are interested in any of these topics, let me know and I’ll write a more in depth article on each;

First up was the seemingly trivial problem of linking to parts of the app from within Flash content. Something even the least technical Flashers have been doing for years. However, this was until Adobe implemented this security feature in the Flash Player. This led me to implement all Flash content across the app within iframes, as opposed to using Facebook’s fb:swf tag.

The good old Flash security model came into play on this project too. Loading images directly from Facebook’s servers into a third party Flash app is not a problem if all you want to do is display the image. This is all I needed to do in my first ever Facebook app FBPlayer. This can be achieved simply with the MovieClipLoader, but as advanced Flashers will know, if you want to do anything remotely cool you need to use the wonderful BitmapData class. Take note: an image that has been loaded into Flash from outside your sandbox is subject to the same security lockdown as an external SWF. In a nutshell – it is not scriptable! Therefore BitmapData.draw() does not work on the image data. The obvious solution is an image proxy. Not difficult in the least and one has to wonder what the point in this security feature really is when it is so easily circumvented with a perfectly legitimate technique. The image proxy I implemented in PHP was about 12 lines long [excluding library code], and took all of 5 minutes to write and test.

Another surprise was related to Facebook privacy. Accessing friends’ photo albums via the API was yielding empty results in some cases – It transpires that plenty of punters are aware they can block applications from accessing their data. This is obviously not the default setting, but as more people become aware of these capabilities the functionality of apps like Chin Balls become more restricted because users’ friends have to be more willing participants. Although I support this approach in sentiment, it unfortunately increases applications’ need to persuade people to add in order to function, which makes apps more irritating and ‘spammy‘.

This does not necessarily mean you must add an application to interact with it at all. A little known fact [it seems] is that a Facebook canvas page is viewable by anyone logged into a Facebook account. The only reason you see immediate ‘add application‘ prompts is that the app authors are being pushy and lazy. The South Park app has a public profile page where you can see the same content that I can see. You do not need to add the app to see my profile. – Why? - Because this functionality does not require the app to know who you are. In fact it cannot know even your user id until you authorize it. When you view this page the app is using my authorization for you to see the content. Why not give new users an experience up front and let them decide if thy like the app before being coerced into adding it? There are privacy issues at stake here too of course, but I am blithering on enough as it is. Let me know your thoughts!

The basic premise is that you may contact a friend-of-a-friend who you feel you have made a bad first impression upon in real life. The challenge from both a technical and a user experience perspective was to effectively use an intermediary friend as a messenger in the end-to-end process. This throws up plenty of Facebook security problems, such as not being able to send notifications to people who are not your friend. The individual user processes become quite complicated too, and that’s tough to solve by just writing good copy, because people just plain don’t read it. There is also the problem of fall out, as you have two users faced with the ignore button rather than just the usual one.

I also learned something new on this project. There are some privacy settings within Facebook, which I’d imagine most people have not found. It is possible for you to prevent applications [that you have not authorized] from accessing any of your data. This appears to also apply even if the application user is your friend. In some cases I found that we are unable to even print as person’s name on the screen.