May 2010

I agreed to put my info into Facebook because I do care about my relationships to people, and would like to use the platform Facebook provides.  Now there have been too many changes in the privacy settings for me to know anything about what I am sharing and who I am exposing to messages and stuff.

The settings have changed many times, and the changes Facebook has made have required me to take action.  They argue that what has happened is needed for data portability, but I agree with Chris Saad who argues against it in Facebook’s Claims About Data Portability Are False.

The Norwegian Consumer Council have reported Facebook and Zynga to the Data Protection Agency for breach of consumer expectations, arguing that Facebook and Zynga are delivering something significantly different from what people signed up to.

OK, so I did this to me.  I brought the stealing of my life onto myself, by putting effort, content and relationships into Facebook.  But by breaking expectations of privacy, and exposing my friends, I do not feel comfortable with Facebook.  Should I stay in Facebook, and try to get my life back from them (and Zynga), or should I vote with my feet?  I have spent many hours on Facebook, and greatly enjoy the service that makes it possible for me to keep an eye on who is doing what.  The greatest benefit is getting news of my friends, family and acquaintances; and being a part of their lives.

Do I want my life back? There is no way to do that.  Information does not go away, as those of us know who have at one point said something that should have been left unsaid.  The question should probably rather be: can Facebook steal more of my life? Or is the damage done, and we move on?


The latest Facebook privacy erosions, as illustrated by Matt McKeon, documented in the Facebook timeline by EFF and commented on in 10 reasons to delete your Facebook account, are scary. Is this how it felt to have

  1. A small trading post established with a few services on our privacy land?
  2. Trading expeditions exploring where our natural privacy boundaries are?
  3. A few private explorers (like Zynga Games) sent out from the trading posts to check the lay of the land?
  4. Major corporations stake out the land and draw straight lines where the natural lines of the privacy landscape blur and mesh?
  5. Corporations laying down the law in “user agreements”, where the only option was to vote/click yes?
  6. Commissions delivering comments (on EU article 29)?
  7. Someone else sharing my life with others?  If slavery is illegal, can I sue Facebook for selling my (online) life to third parties?

Are we just waiting for the official sanction of the “reality on the ground”?  Will our reality be spheres of influence from the major players (Apple/iTunes, Google, Facebook, Microsoft/MSN and competitors) and some smaller ethnic states with federated login?

I may talk about the hope of Kantara Initiative for UMA one day when I am less scared.  Or I may write about what the consequences are for the world when the US people decided to regulate their government, but encourage private corporations to run wild actively explore business opportunities.

But why am I feeling like an African tribe in the late 1800s?

The past two weeks I have had an iPad with me. We are doing some tests on how to use ebook readers for education. Testing, after all, needs to be done in realistic environments, like by the coffee table and in bed.  The device is not yet available in Norway, which makes some of the user interfaces weird because the AppStore does not work.  Applications have to be downloaded to a special account at a PC and then transferred by iTunes to the device.  The iPad is a cool gadget, and my sons really want one (mommy, I wish we had one for real that we could share).

On to the login:

  1. You do not log in to the iPad itself.  It is open for anyone with physical access.  Yes, it can be closed, but I operate with default.
  2. You do desperately need an iTunes account.  Without iTunes, the device is worthless.
  3. A normal person cannot change iTunes accounts without damaging major stuff (iPad, arteries, marriage).  It is just too difficult, and you end up cursing.
  4. You need accounts all over the web to access content, even if much of the content works through App Store.  Examples of accounts I ended up with after a few days: iTunes (see 2), various wireless networks (including eduroam), Amazon (to use the Kindle app), email, gaming accounts (not linked to the App Store, so this worked in Norway), Twitter, Feide (for federated login).

The short summary

iPad is a portal, with iTunes as its portal framework, and a beautiful user interface.  It suffers all the usual portal problems:

  • There is only one world view
  • The portal operator locks you in
  • The portal operator can lock you out
  • Authentication is a mash-up of various solutions, with issues about reusing login

The usual portal advantages include a coherent user interface, a business model that is defined by the portal operator and apps added according to guidelines.

Watching YouTube on the iPad rocks.  Some of the apps are just beautiful (epicurious, New York Times), and the weird size makes sense for something sitting in your lap.

My son wanted one iPad that we could share in the family, but the iPad is a personal device, where sharing is not intended.  This is partly a result of the iTunes business model, and partly a result of the “tweak and download apps until I cry”-attitude the user is lured into.  Or the last could be just me, running wild in the hope of getting better stuff.

I am concerned about the lock-in of the iTunes business model.  Free speech in society is often measured by how much smut we are willing to put up with, and the iPad apps are smut free.  On the other hand, a quick search yielded a number of web-based iPad-friendly porn sites.  You can take free speech out of the regular apps, but the users route around it.

A precise analysis of the situation we are in is given by Chris Palmer, Seth Schoen and Peter Eckersley in It’s Time to Fix HTTPS.  They make some key points that I would like to see stressed more in the discussions:

  1. Usability is the number one problem for security on the Internet
  2. The security model for browser PKI certificates is not properly understood by users, developers or administrators.
  3. SSL certificates are subject to some perverse incentives that lower the real security

I like the statement about security:

  • If people don’t understand it, we engineered it wrong.

and the more realistic statement

  • Let us start by making a security model that requires only one advanced degree to understand.

Whether the solution proposed in the presentation is a good one, I do not know.  Any solution that trusts ever-changing sources runs the risk of being gamed.  Any static solution runs the risk of not being updated.

I hope the last statement about making something that requires only one advanced degree is possible.  The current use of SSL certificates is what I regard as

  • The server promised to encrypt your communication, and they may be who they claim to be (but check out of band if you really care)