Ken Hawkins, BOHH Labs CTO
Now that the Facebook fire seems to be dimming in the public eye, let’s dig into the issues that really allowed our data and our friends’ data to be scraped and repurposed into a means to manipulate our online social behavior, and more importantly for Facebook advertisers to sell products to us.
Before we look into Facebook’s world of privacy and allowances, let’s first address how our data can be gathered and used when we make use of websites and web-based services. The term and effective service I am referring to is generally called OAuth, or more pointedly, “Allowance Tokens.” OAuth was developed in 2006/2007 and is a simple way to publish and interact with protected data. However, we’ll stick with the term Token Allowance because this is the nomenclature Facebook uses as they put their unique spin on OAuth.
The creation and use of an Allowance Token can be loosely described as a means to allow another person or company to act on your behalf on websites and services. This is, of course, meant to make our lives easier on the Internet. One such example is making it easier to sign up on a website by simply choosing the option to log in using another website’s login and information. When we as users choose this option, it means we allow the website we are interacting with, as well as the website that has our login information, varying access to our data and a means to act on our behalf on both sites. These tokens that are passed around can be good for minutes to days and can be used to actively monitor your activity on both sites you have linked together. There are variances of this interaction based on the Access Token type and the agreement you made when you chose the option; however, the most noninvasive Access Token usage would simply keep you from having to keep track of yet another password. Another could post updates, etc. to let your friends know what is happening in your life. Discussing it beyond the very general really needs a use case with actors’ names etc., so let’s use Facebook as the website that we trust to keep our data safe.
Armed with that cliff note of knowledge, and confident that I trust CompanyA, I have found this great new website and want to use my Facebook identity to sign up and log into it. Because I’m boring, let’s call the website CompanyB. We have all seen the dialog for this, right? Simply click the “Login with Facebook” button, agree to the terms of use, and the connection is made. Once we have made that connection (CompanyA with CompanyB), CompanyB can now perform varied actions based on what you agreed to. Those actions can range from simply looking at your profile and posts to posting updates on your page. You still might be thinking this is fine, because now if I do something on CompanyB’s site then all my friends on CompanyA will know, and I don’t have to return to CompanyA to announce my actions. I trust CompanyA, so there should be no problem. However, I have a question for you – did you read the agreement? Did you look into exactly how CompanyB was going to use your CompanyA generated Access Token? Before we answer that, let’s get a bit more specific and call CompanyA by the name we were all thinking. Let’s talk about Facebook’s applications – and specifically the quizzes that come up.
So, we are perusing our Facebook timeline, enjoying the morning coffee, and what comes up in our feed? A fun type of quiz my new best friend took to find out how great they are. Out of habit or boredom, we sometimes click through to take the quiz before we really think it through. What are we presented with to take that super cool quiz? Use your Facebook login to take the quiz. It’s OK, you might think: I trust Facebook, this is on Facebook, what is the harm? Besides, I’m too lazy to not use Facebook to log in and take the quiz. It is almost a certainty that the super cool quiz company will gather any and all data it can about you and your friends (if you allow it) and then in return inundate you, your friends and friends of friends with the coolest quizzes and chances to win posts for you once you do this. What are they doing? Gathering trends about you and your friends for the purpose of marketing to you, or worse, manipulating your feed to gently nudge your thinking in a particular direction.
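The consent step described above, as an added example that is not part of the original post: it parses an OAuth 2.0 authorization request of the kind CompanyB would send to CompanyA and reports what is being asked for beyond sign-in. The scope names, their meanings, the client IDs and the URLs are all constructed for illustration; a real provider publishes its own permission names.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical scope names mapped to what they let the app do. Constructed
# for this example; a real identity provider publishes its own list.
SCOPE_TIERS = {
    "profile:read": "identity",
    "email:read": "identity",
    "posts:read": "read your data",
    "friends:read": "read your friends' data",
    "posts:write": "act on your behalf",
}

def review_consent(auth_url):
    """Summarize what an OAuth 2.0 authorization request asks the user to grant."""
    query = parse_qs(urlsplit(auth_url).query)
    first = lambda key: query.get(key, [None])[0]
    # RFC 6749 section 3.3: scope is a space-delimited list of strings.
    scopes = (first("scope") or "").split()
    # Anything not known to be identity-only is reported, including scopes
    # this table has never seen (fail closed).
    beyond_login = {s: SCOPE_TIERS.get(s, "unknown") for s in scopes
                    if SCOPE_TIERS.get(s) != "identity"}
    return {
        "client_id": first("client_id"),
        "redirect_host": urlsplit(first("redirect_uri") or "").hostname,
        "requested": scopes,
        "beyond_login": beyond_login,
        "login_only": bool(scopes) and not beyond_login,
    }

# Constructed requests: CompanyB sending the user to CompanyA's consent page.
LOGIN_URL = ("https://login.companya.example/oauth/authorize?response_type=code"
             "&client_id=companyb-site&state=abc123&scope=profile%3Aread"
             "&redirect_uri=https%3A%2F%2Fwww.companyb.example%2Fcallback")
QUIZ_URL = ("https://login.companya.example/oauth/authorize?response_type=code"
            "&client_id=companyb-quiz&state=def456"
            "&scope=profile%3Aread+friends%3Aread+posts%3Awrite+ads%3Atarget"
            "&redirect_uri=https%3A%2F%2Fquiz.companyb.example%2Fcallback")

if __name__ == "__main__":
    for name, url in (("login", LOGIN_URL), ("quiz", QUIZ_URL)):
        report = review_consent(url)
        print(name, report["client_id"], "login only:", report["login_only"])
        for scope, effect in report["beyond_login"].items():
            print("   ", scope, "->", effect)
```

The two requests look identical in the consent dialog's "log in with" framing; only the `scope` parameter distinguishes saving a password from granting access to friends' data and the ability to post.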
OAuth, Allowance Tokens and their use are a wonderful ideal, but are woefully lacking in implementation and seriously blur the lines regarding the ownership, security and responsibility of your data. As an end user it is incredibly convenient to let the world know what I’m doing or share information via this mechanism. Interacting with Facebook and the applications/websites that use its tokens for access really does make our digital lives easier. But what is the price for this convenience? I would argue that minimally your digital life is no longer wholly in your control. Agreeing to Facebook’s terms of use is just that, an agreement with Facebook. Facebook’s agreement of terms with its development community is another. The agreement you make with another website, say our famed CompanyB, would be the tie between the three of you. Once that connection is made, Facebook and CompanyB decide how your data is captured and used between them.
This is that blurry finger-pointing area between the companies and you, the person who is allowing your data to be accessed. Facebook can be in compliance with CompanyB concerning the agreement they have, and Facebook can be in compliance with you concerning its storage of your data. Now, did you read the fine print when you allowed CompanyB to use your Facebook identity? This is the area of concern that is clear as mud when it comes to responsibility. We are in control of how our data is captured and used, and we, the end users, just allowed CompanyB to gather any and all data from us and possibly our friends by choosing the easy login option or taking that funny quiz to see which movie star we looked like. One need only look at the latest Facebook and Cambridge Analytica revelation. Each party believes they were acting within the terms of their agreement, and we are left to fend for ourselves after that.
From my point of view, I think it’s ultimately our responsibility to know what is going on with the transport of our data and, even though we might not want to, to read and know what we are signing up for. To that end, we owe it to ourselves to truly grasp what we are doing when we choose convenience in our lives. The use of OAuth and its implementations makes our lives easier but truly not safer. It is my opinion that OAuth makes our digital lives more encumbered and our data less safe today.