The case for Facebook… or something like it

I am about to write something that is extremely unpopular amongst my peers in 2019: I like Facebook and I think it can be part of a healthy and productive online diet.

Facebook has been getting high profile negative press almost daily, for what seems like a solid year. A lot of it is well warranted — Mark Zuckerberg seems to have a problematic view of privacy — and a lot of it may be FUD.

This post is not a defense of Facebook.

If you want to read a defense of Facebook, take a look at my post on Cambridge Analytica last year.

A year or two after its public launch, Facebook was an objectively good product that added value to the world. It presented a set of online tools in a way that was easy to use by completely average internet users. The features everybody flocked to are still in existence in the Facebook of today; they’re just largely buried under piles of garbage.

Allow me to explain.

Connecting with long lost friends and distant relatives.

When I first joined Facebook it was a lot of fun to connect with the kids I used to eat lunch with in the cafeteria every day in high school or that one guy you shared homeroom with in grade 7. At the time it was a novel way to connect with people; it felt groundbreaking and, overwhelmingly, it felt good.

Over the years the novelty has worn off, obviously. And Facebook’s emphasis on “News Feeds”, combined with people’s penchant for posting contentious content (or the algorithm’s encouragement of this content), has made these distant connections more tenuous. From what I’ve seen around me, I think Facebook can seem like a stereotypically bad, never-ending, year-round Thanksgiving Dinner. It can feel bad.

But I really do think at its core, the ability to connect with your wife’s Grandma who lives in Edmonton could and should have a positive impact on the world.

Photo Sharing

Facebook was the first place that made it easy for me to share photos with a group of people. My extended family started to join Facebook right around when my kids were born, so I ended up using this feature quite a bit at the time.

Unfortunately, photo sharing has really fallen by the wayside. I don’t use this feature any more and have even gone so far as to migrate photos from Facebook to Google Photos.

Even so, I know my mom and others would still prefer the simplicity of sharing photos inside Facebook, rather than installing yet another app.

Messenger

Facebook Messenger is a decent, cross-platform instant messaging client. It’s almost my de facto messaging app (especially now that I switched to Android). However, I do think there are some legitimate privacy concerns, so I actually don’t like using this one.

Facebook Connect

When it launched, Facebook Connect was groundbreaking. The ability to enable account signup/creation on other sites/apps without needing to enter a password or any other account information was amazing. It was a real move forward for online security.

It still performs that function well, I’m just a little wary of how Facebook is using these connections.

Groups

I don’t use groups much personally. But they actually seem like a decent way to keep up to speed on a given niche or a local community. My wife always seems to know what’s happening at our school and in our neighbourhood, immediately. This feels good. This feels like the thing the internet was built for.

Sure, groups contain a fair bit of random gossip, the occasional spammer, asshole and that sort of thing. But I think the fact that groups are self-moderated goes a long way toward keeping these communities sane.

Groups feels like something Facebook should be focusing on more.

So What?

The media has been proclaiming Facebook’s death since the day after it launched. I first commented on people quitting Facebook 9 years ago. Maybe it’s more real this time, it’s hard to say. If I was more conspiracy minded, I might suggest that some nefarious puppet-master is leading a concerted effort to bring down Facebook. Or maybe just push down the stock price for a big short.

As it stands, I feel trapped. There are absolutely no alternatives to the type of “friends and family” community Facebook enables. There aren’t even any up-and-coming social networks in development that I’m aware of.

At the same time, continuing to use Facebook seems like a mistake. If the dubious advertising and privacy practices aren’t enough to keep me away, most of the posts that find their way to the top of my page are upsetting and I find myself hitting “mute” a lot.

IMHO Facebook could do well to focus on those core features that brought people to the platform in the first place.

So what now? Thoughts?



BTW I’ve written a lot about Facebook in the past. I’ve linked some of my favourite posts above. But I think the full 12 year archive is pretty interesting. Check it out.

DIY Internet: More on personal VPNs

A few followup thoughts regarding Monday’s post about setting up a personal VPN.

Self-Sufficient, DIY Internet

All the Facebook Cambridge Analytica nonsense has really emphasized how dependent we have become on third party services and social networks.

As I thought about it, the idea of being self-sufficient online has really started to appeal to me. I mean, this blog has always been independent, fully controlled by me. As a web developer with full-stack devops ninja experience, I have all the skill and experience I need to set up any sort of web service I want.

So when I thought about the reasons for using a VPN regularly and the likelihood that I’d have to pay for a decent service, I wanted to see if I could do it myself. On servers I own.

I think there are more opportunities to DIY online, to rely less on dubious third parties.

Peace of Mind

As I alluded to in my first post, the real world security threats associated with public wifi are only a minor concern. I’m not generally too concerned, most of the time.

That said, this little icon next to my WiFi connection gives me such a massive sense of security and peace of mind. The fact that it auto-connects without me having to take an action is just the icing on the cake.

Censorship

Streisand is an anti-censorship tool designed to bypass draconian government censorship like China’s Great Firewall. You don’t live in China, do you really need to worry about censorship? Probably — and if you hang around the right subreddits — increasingly so.

Canada’s telcos are presently lobbying for a censorship regime. Perhaps the first draft targets content most of us would agree is “bad,” but who knows what the next version will look like.

Even if you’re less paranoid, there’s a good chance your workplace or school is filtering some content. Maybe it’s not content you bump into very often. But even if they are not filtering traffic, they’re almost certainly collecting your web traffic. That’s something I’ve never been too comfortable with.

A VPN allows you to take back your online freedom whenever you’re using a work, school or any other network that distrusts you.

Bypassing Geographic Restrictions

In case you missed it, VPNs allow you to bypass geographic content restrictions. When you use a VPN, your traffic originates from the IP address of the VPN server. And since cloud providers host servers in many physical locations, you can easily bypass any geo restrictions based on IP address.


If you missed Monday’s post you can read it here:

How to: Set Up A Personal VPN

My Thoughts on Facebook and Cambridge Analytica

It has been almost a month since the massive Cambridge Analytica x Facebook improper-user-data-exfiltration mess (don’t call it a data breach) came to light. The news is settling down despite the real numbers coming out of Facebook and 600,000 Canadians possibly affected.

I’ve been mulling over how I feel about it and I’ve finally come to a conclusion.

As much as I’d like to see this as a catalyst for people to start finding (and building) alternatives to Facebook’s walled garden of exploitation, I don’t think they did anything wrong.


The basic narrative of the Cambridge Analytica story seems to be that Facebook tricked average Americans into opting to share all their Facebook data with some benign looking app (like a quiz), which in turn gave the app maker further access to the victim’s friends’ data. Without the victim’s friends’ permission. In other words, if your friends fell for this ploy, Facebook’s API gave the app maker access to your data without your permission.

I don’t believe there is any truth to this assumption. Facebook’s API never granted access to this level of data about friends (let alone friends-of-friends). They are not that stupid.

I was involved in building Facebook app integration during the time that Cambridge Analytica gathered their data, and I read Facebook’s Open Graph API documentation numerous times. Unfortunately that version of the API no longer seems to be available online, but I was able to find some old how-to videos referencing it.

As far as I can piece together, the only data about your friends that Facebook ever provided via the API was their full name and user id. Any data about your likes, political affiliation, family connections, marital status, or anything else that could be used for “psychographic” modelling was never available via your friends.

However!

These personal details were available to anyone and everyone via your public profile! Assuming that you hadn’t opted out of sharing this info (and I really doubt most users were giving their privacy details much thought before they learned the name Cambridge Analytica).

In order for Cambridge Analytica and others to mine this data they would have had to write bots to scrape data directly from your public facing profile. In the past, it was very easy to gain access to these profiles in a programmatic way. Anybody could simply load http://facebook.com/profile.php?id= with your ID to see your public profile. Even a non-programmer can see how easy it would be to generate a list of targets for a bot to crawl.

At some point, Facebook started closing this “profile.php” access point as they rolled out usernames (I’m ohryanca). Once that was locked down, it became more complicated to scrape content and the bad actors became more clever.
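An added example, not part of the original post: one way a site operator could spot the kind of ID walking described above in its own access logs. The log format, the thresholds and the function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log lines in an assumed "client METHOD path" format.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.7 GET /profile.php?id={i}" for i in range(1001, 1007)]
    + [f"192.0.2.5 GET /profile.php?id={i}" for i in (10, 500, 73, 9000, 321)]
    + [f"203.0.113.20 GET /profile.php?id={i}" for i in (42, 42, 77)]
    + ["203.0.113.20 GET /index.php"]
)

LINE = re.compile(r"^(\S+) GET /profile\.php\?id=(\d+)\s*$")


def parse(log_text):
    """Yield (client, profile_id) for every profile request in the log."""
    for line in log_text.splitlines():
        match = LINE.match(line)
        if match:
            yield match.group(1), int(match.group(2))


def enumeration_suspects(log_text, min_ids=5, min_sequential=0.8):
    """Return {client: distinct_id_count} for clients walking the ID space."""
    ids_by_client = defaultdict(set)
    for client, profile_id in parse(log_text):
        ids_by_client[client].add(profile_id)

    suspects = {}
    for client, ids in ids_by_client.items():
        if len(ids) < max(min_ids, 2):
            continue  # too few distinct profiles to judge
        ordered = sorted(ids)
        # Fraction of neighbouring IDs that differ by exactly 1.
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if steps / (len(ordered) - 1) >= min_sequential:
            suspects[client] = len(ids)
    return suspects
```

A person browsing friends' profiles requests a scattered handful of IDs; only the client that requests a long consecutive run is flagged.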

I’m pretty sure I’m right

In a blog post yesterday Facebook announced an enormous array of restrictions to their APIs (which are undoubtedly pissing off a lot of sketchy developers). Regarding account recovery, they mentioned the following:

…malicious actors have also abused [account recovery] features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.

Conclusion

As much as I hate to say it, I don’t think Facebook did anything wrong. Their APIs never fed this data to any and every app developer who wanted it. Cambridge Analytica and friends had to jump through additional hoops. They took actions that were outside of the normal/approved methods Facebook expected and allowed app makers to access our data.

Facebook simply built a reasonable public profile feature meant to allow you to use Facebook as a home on the web. A URL to share outside the platform.

They built a reasonable account recovery feature, that allowed users to recover their logins in standard non-controversial ways.

There is no evidence that Facebook’s APIs allowed access to the type of data Cambridge Analytica took advantage of. They were just outplayed by an opponent who thought of clever ways to get what it needed.

PS

In case the mainstream media has lulled you into a false sense of whatever; the Democrats have this data too (and then some).

Here is footage of Carol Davidsen (VP of political technology at Rentrak) at a conference in 2015 gleefully explaining how the Obama campaign mapped THE ENTIRE SOCIAL GRAPH OF THE UNITED STATES who were on Facebook at the time of the 2012 election. The techniques she describes are strikingly similar to what Cambridge Analytica is accused of.

Facebook’s History of Spying

Reading Wikipedia this morning, I came across an interesting tidbit from the days when Facebook was still thefacebook.com. As seen in The Social Network, after launching the site Mark Zuckerberg was under investigation for potentially stealing the idea from the Winklevoss brothers.

Not covered in the movie, though: while this investigation was going on, Zuckerberg did a little investigating of his own by accessing the email accounts of the investigators:

Zuckerberg knew about the investigation so he used TheFacebook.com to find members in the site who identified themselves as members of the Crimson. He examined a history of failed logins to see if any of the Crimson members have ever entered an incorrect password into TheFacebook.com. In the cases in which they had failed to login, Mark tried to use them to access the Crimson members’ Harvard email accounts, and he was successful in accessing two of them. In the end, three Crimson members filed a lawsuit against Zuckerberg which was later settled.

~ The History of Facebook, Wikipedia

The way I read this, thefacebook.com was logging failed passwords! Meaning, when you entered an incorrect password on thefacebook.com’s login page, the website would save the text you entered. Obviously websites have to have a record of your password in order to authenticate you. Passwords are normally stored as one-way hashes, so that developers cannot access the password itself. The Wikipedia article doesn’t say whether or not regular passwords were protected this way.

However, if you were intending to use a website you created to log into email accounts of the site’s users, collecting passwords that failed would give you more passwords to try when logging in to those users’ third party email accounts.

Zuckerberg was caught breaking into 2 accounts, but one has to wonder how many other accounts he broke into. Remember, in 2004 (prior to Gmail), email accounts did not have 2-factor authentication, they did not detect suspicious login activity, they did not have the security features we’ve come to take for granted. Anybody could log into anybody else’s email accounts undetected.

Password security is the most basic form of implicit trust between a website and its users. A site that is logging passwords and password attempts cannot be trusted, period.
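An added example, not code from thefacebook.com or from the original post: a login handler that records the failed attempt itself, as described above, beside one that stores only a salted hash and logs the event without the submitted text. The class, the PBKDF2 iteration count and the credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """Keeps only (salt, hash) per user; the plaintext is never stored."""

    def __init__(self):
        self.users = {}
        self.audit_log = []

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _verify(self, username, attempt):
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        return hmac.compare_digest(hash_password(attempt, salt), stored)

    def login_logging_attempts(self, username, attempt):
        """The pattern described above: the failed text itself is saved."""
        ok = self._verify(username, attempt)
        if not ok:
            self.audit_log.append(f"FAIL user={username} password={attempt}")
        return ok

    def login(self, username, attempt):
        """Hardened: record who and what happened, never what was typed."""
        ok = self._verify(username, attempt)
        self.audit_log.append(f"{'OK' if ok else 'FAIL'} user={username}")
        return ok


def demo():
    store = UserStore()
    store.register("alice", "site-password-1")  # constructed credentials
    # Alice types the password of her email account by mistake.
    store.login_logging_attempts("alice", "email-password-9")
    store.login("alice", "email-password-9")
    return store.audit_log
```

The first log entry now holds a working password for a different service; the second says only that a login for alice failed.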

Who knows if or how the culture at Facebook has changed. Nevertheless, if the company’s CEO was willing to exploit users for personal gain in the early days, what sort of things are they willing to do when governments or other powerful entities pressure them?

Facebook Security Force

A neat little tidbit about Facebook security in this post from The Verge. Good Guy Facebook proactively scans lists of hijacked accounts and warns users if they appear on one of these lists.

Facebook cross references credential dumps with its entire database of user credentials, then alerts any users that match to change their passwords. By signing up for Facebook, you’ve inadvertently entered yourself into its witness protection program, of sorts. During events like the Gawker credentials leak or Playstation Network security breach last year, Facebook alerted users if their passwords were on the loose.

via The Verge
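
An added example of the cross-referencing described in the quote, not Facebook's code: each leaked pair is re-hashed with the matching user's own salt and compared against the stored hash, so no plaintext password database is needed. The `email:password` dump format, the function names and all sample credentials are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    """What the site stores for a user: a random salt and the salted hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def users_to_alert(user_db, dump_lines):
    """Return the sorted emails whose current password appears in the dump."""
    exposed = set()
    for line in dump_lines:
        # Split on the first colon only; passwords may contain colons.
        email, sep, leaked = line.rstrip("\n").partition(":")
        email = email.strip().lower()
        if not sep or email not in user_db:
            continue  # malformed line, or not one of our users
        salt, stored = user_db[email]
        if hmac.compare_digest(hash_password(leaked, salt), stored):
            exposed.add(email)
    return sorted(exposed)


def demo():
    # Constructed users and dump; none of these are real credentials.
    user_db = {
        "alice@example.com": make_record("tr0ub4dor:3"),
        "bob@example.com": make_record("unique-to-this-site"),
    }
    dump = [
        "Alice@Example.com:tr0ub4dor:3\n",  # reused password, still current
        "bob@example.com:password-from-another-site\n",
        "mallory@example.net:hunter2\n",  # not a user here
        "line without a separator\n",
    ]
    return users_to_alert(user_db, dump)
```

Only alice is returned for a password-change prompt; bob appears in the dump but with a password he does not use on this site.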