Monday, September 28, 2009

"DataPervability" - social media and setting the right example for younger generation

DataPortability is a movement that advocates the ability for a user to extract their data from a social network or other on-line systems/community.

DataPervability riffs/remixes the term to ask the question:

Why can people perve another's data/lifestream anonymously?

Surely it should be a reciprocal agreement:
  • You can see me, so I should be able to see you (if I or my parents care)
  • Social networks are NOT brochureware websites - just because your profile is on some webserver doesn't mean the social contract is the same.

One of my interests in social media anti-patterns is based on establishing "norms" or "best practices" that protect the vulnerable in the community from malicious acts and actors. Look under the covers of online dating, gaming, auctions and there is plenty of grey activity that leverages information that people are willing to share. This

I've not seen sustained dialog (please correct me if I am wrong) about these elements of social media - possibly because:
a) all the early adopters are still in the hype cycle.
b) all the early adopters are consenting adults.

But we (those building and evangelizing social media) need to step back from our infatuation with this new media/conversation and balance it against the potential impact on the younger generations that will just "grow into" this technology.

As adults, we joke about who is "stalking" us, or how we spent some voyeuristic quality time trawling someone's Twitter feed or Flickr photos. Have you ever wondered why you can't see a "friend-of-a-friend's" Facebook profile but you can see their photos (or maybe it's just everyone's photos?*) - that's just plain spooky, right?

But what does that mean to kids "growing into" Facebook or Twitter now? As they enter these networks, who explains to them, in a logical, factual (not hysterical, fear-driven) fashion, what the risks and traps are? It's fine if kids don't care about DataPervability, but at least I know.

The Australian Government (ACMA) has started some education on cyber-bullying and the overwhelming feedback from their research is the kids are aware of the technology but have not heard enough anecdotes or war stories about the down-sides. "Stranger Danger" is a paranoid response but adults and social media evangelists can take a leadership position in ensuring the kids and teens become as savvy as they think they are.

Reciprocity...Look at it this way: If you own a normal website:
  • You can use analytics to profile your users.
  • You can ask users to log in and self-verify their email address before they can access confidential parts of the site.
  • You can even use tools like LeadLander to identify which organizations visit.
So, why is it that social networks provide casual browsing of your profile, activities and friends (some Facebook API programs can get a whole lot of data) without giving ANY analytical feedback to you? It's crazy.

When Facebook delivered an API, we tried to build a "Who's checking me out?" application,

This is not a Facebook bashing post - it's just about the anti-patterns - it applies to all social media sites and evangelists. How will you protect the social sovereignty (privacy) of the users that help build your communities?

* I simply don't have time to figure out all the nuances of Facebook privacy, nor should I or anyone else. It should be clear, understandable and controllable based on a clear and accessible user profile setup (but that's the topic of another post).

Sunday, September 27, 2009

Social media anti-patterns - how websites teach users to tolerate crap

The design of websites conditions users to believe what is "normal" behavior.

For example, back in the good old days we learned to put our email address on the website so people could contact us easily. Years later (our mailboxes flooded with viagra spam because our email addresses got scraped by some harvesting bot), we changed the design pattern to something like sales AT example DOT com. My guess is that we probably need to change that too, as the harvesting bots can easily scrape and harvest those addresses.

Over the last few years, in fraud protection we've learned a plethora of fraudulent methods and which website practices and design patterns actually attract or invite fraud.

What I mean by "invites" is that a website with low fraud detection skills or poor practices suffers fraud before its competitors do - it's a low-hanging-fruit thing. Fraudsters will make money where it's easier; when you skill up, they move on to the next easy target.

But fraud protection has typically been the concern for eCommerce sites. The worst that individuals have had to tolerate is spam/malware in their email box and spam in their blog posts.

Spam in blog posts grew to such a degree that solutions such as CAPTCHA, Akismet, Mollom and Defensio have emerged - because bloggers are early adopters and motivated to keep their comment feed clean.

However, as social media crosses the chasm to everyone owning a conversation - what competence will they have to spot a fraud or an attack?

Here is an example from this weekend's Twitter spam:

Now...this fine young lass doesn't seem to have any clothes or friends (Followers:0, Following:0) but she loves to send the same link to lots of folks (or maybe blokes). Blasted out 254 tweets.
The tweeted IDENTICAL link was probably spam but could easily be malware/a worm (there are several precedents, and Twitter account phishing attacks). But when this stuff appears in your reply stream, it's pretty easy to reflexively click through to the "attack site".

The Twitter account is still live several days later.

So - nothing new about this - but it's an anti-pattern that we accept:
  • the users have no warning
  • there is no reputation in the reply stream about the sender
  • the account isn't killed (it may have been disabled invisibly, but surely Twitter users should know when an account is blocked by others).
Are Twitter going to spend some of their brand-spanking new $100m investment on keeping the Twitter ecosystem clean and safe? (especially if they think they can cross the chasm with a proprietary solution).
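The missing reputation signal described above can be approximated on the reader's side. This is an added example, not code from the original post: a small heuristic over constructed sample tweets that flags an account with no followers/following that blasts the identical link at many different people. The Tweet fields are assumptions, not the Twitter API.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+")
MENTION_RE = re.compile(r"@\w+")


@dataclass
class Tweet:
    author: str      # screen name of the sender (assumed field)
    text: str        # tweet body, including @mentions and links
    followers: int   # sender's follower count at the time of capture
    following: int   # sender's following count at the time of capture


def flag_link_blasters(tweets, min_repeats=3, min_targets=3):
    """Return {author: [reasons]} for senders matching the spam anti-pattern.

    An author is flagged when at least two of these hold: an empty social
    graph, one identical link repeated min_repeats times, and the same
    content aimed at min_targets distinct @mentioned users.
    """
    by_author = defaultdict(list)
    for t in tweets:
        by_author[t.author].append(t)

    flagged = {}
    for author, posts in by_author.items():
        reasons = []
        links = Counter(u for p in posts for u in URL_RE.findall(p.text))
        targets = {m for p in posts for m in MENTION_RE.findall(p.text)}
        if posts[0].followers == 0 and posts[0].following == 0:
            reasons.append("no followers and no following")
        if links and links.most_common(1)[0][1] >= min_repeats:
            reasons.append("identical link repeated")
        if len(targets) >= min_targets:
            reasons.append("many distinct @targets")
        if len(reasons) >= 2:
            flagged[author] = reasons
    return flagged


# Constructed sample: one link blaster, one normal conversation.
SAMPLE = [Tweet("lass", f"@{u} check this out http://example.invalid/x", 0, 0)
          for u in ("alice", "bob", "carol", "dave")]
SAMPLE += [Tweet("mate", "@alice see you at the pub http://example.invalid/pub", 50, 40),
           Tweet("mate", "@alice ok, 7pm then", 50, 40)]
```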

Some examples of other anti-patterns in authentication are:
  • Username/Password (no 2-factor)
  • Allowing simple passwords
  • Making passwords so difficult that the user has to write them on a post-it note
  • Storing your Username/Password in a 3rd party (yes you Twitter API applications!)
  • Positioning single signon (SSO) as being safer
  • Auto follow
  • Really confusing privacy policies and obscured privacy settings (watch Paul Fenwick's presentation on Facebook privacy - some of you may be surprised)
  • Changing your Terms and Conditions on privacy (beacon)
  • 140 characters. Not enough to give the recipient context for the target
  • URL shorteners like, - again, these separate recipient from context of destination without any reputation on the link.
  • Not allowing users to partition their personal and public life.
  • Not educating users (like children) about the ramifications of public social media behavior. It should be mandatory at primary school to learn how:
    • difficult it is to get something deleted from Google's cache, especially if it's not your site
    • impossible it is to delete all known copies of an embarrassing photo, video or chat thread
Of course, we (including me) are all co-conspirators in one or more of these social anti-patterns. In fact I will use a short link pasted into Twitter *sigh*

I think I will expand on social media anti-patterns in the future; if the next generation learns the traps too late, we will have more sites promulgating an unacceptable set of "norms".

Is there an existing repository of such?

first blog since 2003 - internet anonymity, privacy and fraud

In 1993, the famous New Yorker cartoon "On the Internet, nobody knows you're a dog" captured the beauty of a new frontier.

You could be a single-person company with a great website that made you look huuuuge. History has proven the clear benefit: size doesn't count (or even location or age) - but the same benefits of anonymity have brought lots and lots of bad guys....botnets, phishing, 419 and advance fee scammers, credit card fraud, account hijack, identity get the idea - the list goes on and on.....

Back in 2003, I finished up my role as VP R&D at Surfcontrol, a few years after they acquired the email filtering company I started in a bedroom. During that period, I had seen spam grow from a trickle to a pandemic and become more of a commercial tool. Spam had shifted from open relays and open proxies to malware that compromised machines - the perfect storm of anonymity and compromisable Windows hosts was a cybercriminal's best tool.

It was clear to me that once the bad guy had your PC, then spam was just one kind of fraud - my partner Scott Thomas and I built a system (SpamMATTERS) accepting crowd-sourced spam and security reports, then correlating them to identify the players behind spamming operations. We built this for the federal government and it remains in production today.

Botnet tracking was a key side-effect of this that could be used as a security defence, and in 2005 ThreatMetrix was founded. In 2009, anonymity and fraud are big business and we help websites running eCommerce, payments, dating and marketplaces enable the good guys whilst stopping the bad guys in real time. The good news for ThreatMetrix is that in a world where identities are phished and keylogged and credit card numbers are stolen, this is a hockey-stick problem that we are helping to address.

The bad news is that it's a hockey-stick problem.

So, I'm excited about the single sign-on/auth solutions emerging (OpenID, Facebook Connect, OAUTH, FriendConnect) AND I am excited about the conversation of social media, but I am pretty sure that social media spear-phishing is going to grow as more valuable assets are all contained behind one login/password.

If a bad guy gets access to your Google account, they may not merely have access to your reputation but also your Google Checkout or maybe your Google Voice account. Over the weekend, I saw on my screen - I've never signed up for Checkout but there it was. Google doing some A/B testing or maybe just a reinvention of subliminal advertising :)

With Facebook Connect, it's likely/predicted that Facebook will allow you to shop purely by logging into a merchant site with your Facebook ID. This is a Paypal killer if they execute it well, an Amazon 1-click experience - but are Facebook users conscious of the risks of having their ID phished? Up until now, it's been fairly isolated, with mostly scam account hijacks, but with purchasing power your Facebook account is gold to a fraudster.

And it might just be micro-payment fraud. I can easily see Facebook enabling micropayments in their platform. They need to monetize somehow right? :)

I am also keen to understand the impact of mobile on commerce. All of the above applies, but smartphones now offer a semi-solution for 2-factor authentication. But are handsets vulnerable, and what if your handset is lost/stolen - is it always logged into your accounts and not protected by a PIN?

Wow - what a downer of a first post - well, that's not my intent. I aim to post on mobile, social, startups, cloud, meta and other goodies.

stay tuned....

just a placeholder...