The Plus in Engagement and Behavioural Targeting

Written By: Jonathan under Categories: Internet, social networks. It has 1 comment and was posted on Jul 1, 2011

WPP, the advertising giant, leased a database that allows profiling more than 500,000,000 internet users and allows showing them, using this information, relevant and tiered ads. The profile based advertising method means that there is no actual knowledge about the specific person browsing the internet, but the advertising companies know better than him what he likes, where he browses and other information.

The collection of the information was made possible mostly by third party cookies, the same cookies which are set in your computer by advertising and media companies when you browse websites. These companies have a better understanding than the specific sites they provide services to. For example, if WPP purchases media in websites A and B, it knows who uses both A and B, and moreover, if it knows that C, a person, uses the sport section more in both A and B, it will show him sport-related advertisements when he uses D, a non-sport website.

Well, as troubling as it may sound, just when we are meant to be calmed down about privacy issues, things get worse. Google launched Google Plus, the search giant’s antisocial network, which was meant to have privacy by design and allows sharing of information according to different circles of proximity: a person could be a left-wing activist for his immediate family, but be a closet right-wing bigot for his school friends. It’s not that the other antisocial network, Facebook, does not have the functionality to create friend lists and share the information, but it’s a lot more complicated there.

So, Google Plus was meant to be a haven for privacy seekers: It brought the best from Facebook, which was a walled garden for many years, and from Twitter, which allows asynchronous social contacts (meaning I could add Benjamin Netanyahu as a person I follow, without him having to follow me). Theoretically, an intertopia.

But the question is: how does Google benefit from Plus? (or what’s the plus for Google). Google is a media and advertising giant more than anything else. It earns money from selling advertising space; therefore it is in need of two indices: the first is the number of webpages viewed by end users and the time they spend in said pages (billboarding) and the second is the quality of the data it has for selling advertisements better (profiling).

In billboarding, Google suffered a grave loss recently; people spend less time in Google’s services and more in the other antisocial network; moreover, Google, that displays advertisements in 3rd party websites, is in fear of the day where Facebook shall launch a competing service and allow displaying “Facebook Ads”. In profiling, Google had a not-so-awful knowledge on your browsing behaviour, the things you liked and the people you connected with, it just didn’t know how to organize them. For example, if you’re interested in three different data, Google did not have the ability to connect datum to datum.

In came Google Plus and helped to solve the two problems: First, at least in the launch date, more and more people use this service to meticulously sort their friends in close circles and spend more time in their website (more billboards and profiling).

Now, all that Google needs to do is to integrate the social network seamlessly in the services it already provides. If Facebook made people take the effort to amend their website’s code and display the “Like Button” in one million websites within a year of the product’s launch [which, of course, allows behavioural targeting] then Google could take one simple step to kill the like button, which is reasonable and mean.

A material portion of the websites, as said, implement Google-Analytics, Google’s statistics service that collects behavioural data. It is activated every time that a user browses a website and retrieves a file from Google’s servers which includes JavaScript commands that request data and collect statistics. In the same manner, Google could change the file to allow social interaction and display a social toolbar in the same way that Wibiya interacts with websites, and they can do it without obtaining the websites’ consent.

Indeed, it is not an optimal step and might cause antagonism, but it could be implemented to wipe Facebook’s remains from the earth, just because it already holds a neat market share. At this moment, Google has the best data to sell advertisements, and that cannot be taken away.

Open Source Misconceptions and Walled Gardens: The Microsoft Case

Written By: Jonathan under Categories: copyleft, copyright. It has 1 comment and was posted on Feb 20, 2011

0. Why is everyone afraid of open source?
One of the most amazing things is that in a material portion of the Share Purchase Agreements (or investment agreements) I’ve reviewed in my life, the invested company was prohibited from using Open Sourced software as a material condition for the investment. The “No-Open-Source” clause was added in companies where a major part of the business model was open source or cloud services, so that in fact there were clauses that excluded the specific Open-Source applications used from the warranty and prohibited the company from utilising any other Open Source application. This prohibition, in my humble opinion, represents an archaic misconception that investment in start-ups is in liquidatable property such as patents or copyrights, and not in the persons behind the company.

1. Why is the cellular market afraid of open source?
Both Apple and Microsoft are afraid of Open-Source. Apple recently banned the open sourced VLC player from attending its cellular festivities as it was released under the popular GPL (and a funny story with XPilot) and so does the Windows Phone 7 developer agreement, which states that open sourced software may not be distributed by the WP7 marketplace (which caused several developers to change their licensing models). But Microsoft and Apple’s prohibition comes from ignorance regarding the licenses more than anything.

2. About Microsoft’s misconception?
Microsoft prohibits inclusion of what they refer to as “Excluded Licenses”, which are “any license requiring, as a condition of use, modification and/or distribution of the software subject to the license, that the software or other software combined and/or distributed with it be (i) disclosed or distributed in source code form; (ii) licensed for the purpose of making derivative works; or (iii) redistributable at no charge” (clause 1.l). But open source licenses apply only when there is distribution of the software, and not when there’s use; therefore, many cloud services use open sourced software (as they don’t distribute the code, only use it). A clause prohibiting excluded licenses in any software reigns over applications developed for WM6.x and WP7. If some portions of the application are server side or server dependent, some interesting questions are raised.

3. Open source prohibition and cloud computing?
This next case is purely theoretical: Facebook, which bases most of its activity on open source infrastructure, develops a Windows Phone 7 application which interacts with the Facebook servers which are under open source licenses. While these open source components are used, they are definitely not distributed and therefore the draconian clauses of Microsoft’s license are terrible. A better example would be more feasible; imagine that some person grabs Wikipedia and creates a mobile application; Wikipedia’s content is released under a Creative Commons license which allows free distribution as long as any amendment or contribution is distributed under the same license. Now, Microsoft may come to the developer in question and claim that clause 5.e to the developer agreement was in breach and remove Wikipedia from its marketplace.

4. Why Microsoft was afraid of Open Source??
Microsoft’s scare from open source licenses is clear. Microsoft is terrified by the misconception of the GPL’s viral nature, which is perceived as turning all proprietary code that interacts with open-source code into open source, and is afraid of defending itself against whoever comes and asks it to open its code. However, this fear is disproportional: like the VCs who heard, somewhere, that there’s a risk in open source and decided to ban it completely, Microsoft detaches itself from a world that can do it only good: Microsoft could have started its marketplace with thousands of free applications from day one, giving it a competitive edge over Apple. Microsoft, however, is afraid of not being able to limit its users, and that’s what it does.

5. So now?
The solution is quite obvious, if Microsoft restricts open source from its playground, it will restrict popular browsers, media players and other software from playing the game and it will fail. There’s no comfort in locking the garden, just another step towards the separation between the proprietary world and the open source one.

[Originally in Hebrew]


It’s not the privacy, it’s the exclusivity: Facebook, Zynga & LOLapps

Written By: Jonathan under Categories: Internet, social networks. It has 0 comments and was posted on Oct 19, 2010

0.
The Wall Street Journal’s findings that Facebook applications share personal and identifiable information with 3rd parties and advertising networks were not surprising, though they echoed in the mediasphere and even coerced the removal of some applications from the popular social network; however, the disturbing part was what Facebook did not do, and that is to remove Zynga, Facebook’s new strategic partner and the developer of the popular game FarmVille.

1.
In brief, the Wall Street Journal’s findings were that most of the popular applications in the social network transmit or convey information to advertising networks and 3rd parties. These activities go against clause 8 of Facebook’s developer policy, which prohibits the transmission of any personal information obtained from Facebook to an advertising network. The prohibition, of course, is not due to worries about your privacy, but because Facebook wants its monopoly over advertising in the network. Following this publication, Facebook removed some applications by the popular developer LOLapps, who was one of those who conveyed information, and restored them after a few hours (see LOLapps release).

2.
But the removal did not inherently result from conveying information; as the Inquirer states, the information was passed because of the way the internet was built, where with every click information about the referring page is transmitted, so at least in some of the cases, advertising companies received the information solely because they knew what the referring page was. On the other hand, one can say that by reasonable steps this security breach would have been fixed and therefore allowing reasonable measures to be taken is one part of security.
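The referring-page leak described above can be reproduced offline. The following is an added example, not code from the original post or from any party it names: it models which `Referer` value a browser sends under each standard `Referrer-Policy` value. The URLs and the `user_id` parameter are constructed for illustration, and the downgrade test is simplified to https-to-non-https.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def _origin(url: str) -> str:
    """scheme://host[:port], omitting userinfo and default ports."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def _stripped(url: str) -> str:
    """Full URL as a browser would send it: userinfo and fragment removed."""
    p = urlsplit(url)
    host = _origin(url).split("://", 1)[1]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_sent(page_url, target_url, policy="strict-origin-when-cross-origin"):
    """Return the Referer header value for a request from page_url to target_url,
    or None when no header is sent."""
    full = _stripped(page_url)
    origin_only = _origin(page_url) + "/"
    same_origin = _origin(page_url) == _origin(target_url)
    # Simplification: the spec tests "potentially trustworthy" URLs, not just https.
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":  # the historical browser default
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def leaked_params(page_url, target_url, policy):
    """Names of the page's query parameters that reach the third party."""
    sent = referer_sent(page_url, target_url, policy)
    return [name for name, _ in parse_qsl(urlsplit(sent).query)] if sent else []


# Constructed sample: an application page whose URL carries a user identifier,
# and a third-party advertising pixel loaded from that page.
PAGE = "https://social.example/apps/farm?user_id=1234567&ref=wall#top"
AD = "https://ads.example/pixel.gif"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin",
                   "no-referrer"):
        print(f"{policy:34} -> {referer_sent(PAGE, AD, policy)}")
```

A site sets the policy with a `Referrer-Policy` response header or a `<meta name="referrer">` element; keeping identifiers out of page URLs removes the leak regardless of policy.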

3.
Up to here there’s nothing new: Facebook removes a certain application because it infringes on your privacy (and Facebook’s ability to monetize by being the exclusive designated advertiser) and four and a half million dollars go down the drain because they solely rely on the Zuckerberg family’s whims, where they determine the laws of the game. However, what needs to be learned is what Facebook did not do, and how it relates to your privacy.

4.
The question why Zynga was not removed from Facebook is the exact signaling for the reason why Facebook removed LOLapps; both applications infringed the same developer agreement and your privacy, however, Zynga signed a commercial agreement with Facebook and uses the Facebook currency as its payment method and promotes Facebook’s business. This was a signaling to other developers: either migrate to Facebook’s services and be a part of the Zuckerberg family’s ecosystem, or find yourselves subject to our whims. Facebook’s commercial dependency on Zynga doesn’t allow Facebook’s interests to remove it; and LOLapps? it can seek its friends elsewhere.

[Originally in Hebrew]

Password Hashing and Criminal Liability

Written By: Jonathan under Categories: Internet, israel, law, security. It has 0 comments and was posted on Jul 17, 2010

0.
Erez Wolf reports about a serious security problem which resulted from hacking an Israeli website and stealing the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords. Relying on the presumption that most people use the same login details for most websites, Turkish hackers were able to hack and deface many user accounts on Facebook, as well as on other sites, that depended on the login details in the database. In the Turkish website containing the list, there are more indications of websites hacked, including account details of 70,000 other accounts.

1.
We can point out two problems: the first, which we all know we do, is using the same password in more than one website. Even security experts do it (we call it bitch password) in unimportant websites. The problem is that most people cannot remember more than a few passwords so they use the same password over and over. More than 20% of the passwords people use are in a short 5,000 password list; moreover, people use their birthdate, phone number or SSN as their passwords.

2.
The first problem, however, is the layperson’s problem. The second problem is the law authorities’ problem. The hacked website kept the passwords in a retrievable format in case the user forgets them. Meaning: the password was saved in plain text in the database, and accessible to more than just the website’s administrator. The common method to retain passwords is Password Hashing, which means that the passwords are encrypted one way only, so the password can only be authenticated, but never restored. By using this method, you could never send the user his own password but only reset it when the user forgets it. Therefore, you need to authenticate the user’s identity in a different form, like email; this ties the user identity and allows more credibility in e-commerce, but has other implications as well.

By using this method, if the database is hacked, there is no way to use the passwords (with one exception, if the password is a dictionary word and by using Cain & Abel). Therefore, you can be certain that if your database is stolen, no one could use it.
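The store, verify and reset flow described above, as an added example that is not code from the hacked site or from the original post. It uses PBKDF2-HMAC-SHA256 with a per-user salt and a registration-time check against a common-password list to narrow the dictionary-word exception; the iteration count, token lifetime, password list and the `ResetTokens` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune to your hardware
TOKEN_TTL = 900        # assumed reset-token lifetime in seconds
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}  # constructed sample


def hash_password(password: str) -> str:
    """Return the record to store: algorithm$iterations$salt$digest, no plaintext."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password list")
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False


class ResetTokens:
    """Forgotten-password flow: the old password cannot be sent back, so the site
    e-mails a single-use token and keeps only the token's hash."""

    def __init__(self):
        self._pending = {}  # username -> (sha256(token), expiry time)

    def issue(self, username: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (token_hash, now + TOKEN_TTL)
        return token  # goes to the user's registered e-mail, never into the database

    def redeem(self, username: str, token: str, new_password: str, now: float = None):
        """Return the new password record to store, or None if the token is bad."""
        now = time.time() if now is None else now
        token_hash, expires = self._pending.get(username, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expires or not hmac.compare_digest(token_hash, supplied):
            return None
        record = hash_password(new_password)  # raises ValueError if too common
        del self._pending[username]           # single use
        return record


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print(verify_password("correct horse battery", stored))  # True
```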

3.
The problem becomes a tad more legal when you understand the Israeli Privacy Protection Act which defines Information Security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that an owner of a database, its manager or the holder of it are all liable for the database security and integrity; meaning, that the owner of this website, and whoever provided him with the information security services, are liable for the data protection here and may face criminal sanctions. However, up to today, no criminal charges were brought against people who violated the data protection clauses, but it seems that this time, the Israeli Law, Technology and Information Authority should apply its legal power and apply sanctions.

4.
When the authority wants more and more power, where amongst other powers is the power to search databases, it shows it has the intent to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords shows how the lives of people may be hurt solely because of faulty data protection procedures. In any other case where thirty thousand people would suffer damages, the case would seem different. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry, sued and criminal charges were brought.

5.
The information in the database is highly personal, it is dangerous and there are people who are liable for its leak, will they go to prison? I doubt it. However, they did not apply means to protect the data and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]

The Facebook Tea Party

Written By: Jonathan under Categories: Internet, social networks. It has 1 comment and was posted on May 19, 2010

0.
It is only a matter of time until both the Facebook Application Developers and Facebook Users join together and tell Facebook “there is no taxation without representation” while requesting Facebook both to amend its terms of service for enhanced privacy and allow application developers to rely on business models that are not subject to Facebook’s whims. The sanction, if not understood, is not mass removal of accounts, but blocking Facebook’s 3rd party services when not browsing in Facebook, therefore harming Facebook’s new found business model.

1.
The reason? Facebook has been vigorously expanding its control over both user information and application developers. It began today when Facebook coerced Zynga into an agreement to use Facebook Credits as its currency after a long dispute, and will continue when Facebook will do so to other application developers.

2.
Facebook forgot that it is solely a conduit, the incumbent who provides connection between users, other users and applications. It is not a core application and its business model is not based on being such. Two years ago, I wrote that “In a year or two Facebook’s shareholders will come to their senses and start asking money from the leading hundred applications, as they are allowed to do” … “when you develop a Facebook application or any other social network based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than “more than reasonable” (like investing your pension funds). That’s why, like you wouldn’t deploy a real product without contracting your deployment contractor, you really should consider doing the same with Facebook”.

3.
The time has come when Facebook wants to have its day. Facebook Application Developers raise capital from investors, some VCs target only Facebook apps, other VCs invest in another icy road, iPhone Apps raise capital as well, and quite a lot of it. The iPhone app store is also known to block applications, especially when those applications compete with Apple’s business models. Some day, Venture Capitalists will say to application developers that they will not invest in applications where the conduit may revoke them at any time and for no reason. Therefore, application developers will have to look for stable business models, such as using OpenID as a social network or allowing data portability; applications may prefer to use old social models or rely on Twitter as a social network instead of Facebook, just so they will not be coerced into using a currency of choice. No one will develop for a platform that has no stability (this is why, by the way, net neutrality is so important).

4.
Users, from the other end of the scope, will negotiate with Facebook. Explaining that it may not be as simple as Facebook reckons, and that without users, it is a mere conduit, connecting sockets and bits. “If you want us to stay here“, they will say, “you have to grant us our rights. We want to have the privacy of our choice, we want to have the ability to control, and if you grant us those rights, we will grant you the information you need to sell to 3rd parties“.

5.
Without such negotiations, Facebook is doomed. Funds will not invest in companies who develop Facebook Applications, as these applications have no solid business model, and Users will leave (or block) Facebook. It will remain with a magnificent apparatus that is left unused. And when unused, it will be sold, like scrap metal.

The curious case of face.com

Written By: Jonathan under Categories: Cybercrime, Internet, israel, justice, law, social networks. It has 3 comments and was posted on Mar 31, 2009

Sometimes, we prefer to lose our privacy in exchange for comfort; we do so when we store our contacts on a cellular phone or when we print business cards which we exchange with strangers; the social interaction itself is a difficult and dangerous transaction. However, the real danger lies where privacy and comfort decide to interact, in involuntary exchange of information.

Today, Techonomy, a conference about the interaction between technology and economy, was held in Tel-Aviv. The winners of the Start-up competition were face.com. face.com provides a face recognition platform for social networks (in the meantime) which locates images of you and your friends in other users’ tagged photos. face.com’s face recognition is quite amazing and has the ability to find you even when you’re in the background or wearing sunglasses. They are currently in closed alpha, and I had the pleasure to play with it for a few minutes before writing this blogpost (which was sufficient to know that it’s quite efficient).

However, my main concern comes from face.com’s database. face.com can recognise faces of your facebook contacts even though they are not in your albums, but in friends’ albums. This means that by cross indexing a relatively small amount of facebook connectors, face could retain (or store) the facial recognition of a high percentage of users.

Here comes the privacy issue from the privacy freak, however. Now, take Israel’s new attempt to establish a biometric and face database and their recent attempts at installing cctvs and imagine the hypothetical scenario where our benevolent dictator comes and asks for face.com’s database in order to examine a suspect in terrorism or issues a warrant to require face.com to search for a specific missing/suspected person in social networks and/or cctvs. Can face.com actually refuse such a generous offer?

When face.com only indexes my own photos, and only tags me if I gave my consent (and not opted out) then it’s all still a consensual waiver of privacy; privacy in exchange for comfort, what we usually do. However, when it’s others’ faces, without their consent or knowledge, such a database might be extremely dangerous. I’d love to inspect the guts of face.com’s database and see how they can protect users’ privacy without limiting this application, but if they manage to do that, well, let them sell it to our government.

The Real Bubble | Social Applications

Written By: Jonathan under Categories: Internet, law, media, social networks. It has 4 comments and was posted on Jul 2, 2008

[Also in Hebrew]

0.

You acknowledge and agree that Facebook may at any time in its sole discretion, without liability, with or without cause and with or without notice: (a) terminate this Agreement; (b) terminate or suspend your access to Facebook Platform, Facebook Properties and/or the Facebook Site or any portion or feature of any of them; and/or (c) remove, block, delete or disable access to your Facebook Platform Applications and/or or any Facebook Platform Application Content, including without limitation if we determine, in our sole discretion, that your Facebook Platform Application or any Facebook Platform Application Content is unsuitable for Facebook Platform, Facebook Site or Facebook Users

1.
While the blogosphere and the technological sections in the newspapers are running around the Web 2.0 buzz (and some of the 3.0 buzz as well), we keep forgetting where the real bubble for this technology lies. When Om Malik explained yesterday at TWS2008 that advertisers are the ones impeding the net from developing and dot com startups that develop Facebook applications without any business models get millions of dollars in funding, there’s only one question: when will people realise what Facebook’s real business model is?

2.
Google shut down a few blogs which opposed Barack Obama, possibly because Obama supporters tagged them as spam. It was all executed by automatic systems where the censorship was made by private entities, but it doesn’t actually matter, as Blogspot’s terms of service state that “Google may, in its sole discretion, at any time and for any reason, terminate the Service, terminate this Agreement, or suspend or terminate your account”.

3.
Constitutional Law is probably dead and irrelevant; what was the private sector until recently was settled under “Private Law” or “Civil Law”, but today everything changed: Companies that develop applications for social networks or webservices are subjected to the new constitutional law, the Terms of Service. The problem begins when stable business models that companies build upon, and thanks to which they get their funding, are based on social networks’ grace. This is not a stable agreement, but a unilateral agreement that grants the social network (or the search engine) an exclusive right to terminate the agreement and prevent the company from operating. (And it’s important to understand that when I relate to facebook in this post I also mean any other social network or webservice like Twitter that allows 3rd party applications)

4.
Now, some might say that Facebook’s income and value are derived from the amount of applications it has. Cynics may say something completely different: Facebook’s value is derived from its ability to monetize the applications that will be able to run on the platform.
Mark Zuckerberg, Facebook’s founder, photo by KK+ under cc-by-nc-sa license.

5.
In a year or two Facebook’s shareholders will come to their senses and start asking money from the leading hundred applications, as they are allowed to do. Their policy would be similar to this: An application with less than a million users may run freely, but once you obtain a million users, you’ll pay us one US$ per user. That’s fair, isn’t it? And then what? Will these companies shut down and go home? Not really.

6.
It’s crucial to understand that when you develop a Facebook application or any other social network based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than “more than reasonable” (like investing your pension funds). That’s why, like you wouldn’t deploy a real product without contracting your deployment contractor, you really should consider doing the same with Facebook.