Archive for the ‘Identity’ Category

File Under: Identity, privacy, Social

Facebook Wants Your Past, Present, and Future On Open Graphs and Timelines

Facebook will soon allow its users to integrate all of their music, media, and lifestyle actions and interactions with their profiles, Mark Zuckerberg announced at Facebook’s f8 conference yesterday. Connecting profiles to services like Spotify will allow users to fill out their own curated “Timeline,” so friends can see each others’ media activities both as individuals and aggregated over their entire network, a move that will explode the amount of content on the site.

The new arrangement is part of two new Facebook initiatives, one of which is the Timeline. Users can fill in their Timelines with both content pulled in from other services — say, an article “liked” on Ars Technica or a game played — as well as “real world” activities like photos or status updates. The real world content can be filtered by date into the timeline, so users can fill in their backstory on the site with everything that happened before Facebook existed: moves to a new city, first words as a baby, or every single relationship breakup pre-2004.

Once in place, the timeline will be the new News Feed, with friends’ updates streaming past. But not everything will make it into the Timeline: small updates, like what music friends are listening to, may be relegated to the Ticker, the integrated online friends/status update bar rolled out Wednesday. Users will be able to choose which activities are significant enough to appear in their timelines.

Zuckerberg also placed emphasis on the new use of verbs in timelines, which will allow people to sort their friends’ activities in different ways. For instance, with a status update reading “Casey Johnston is watching Veronica Mars for the millionth time,” users will be able to click either “watching” to see what else friends are viewing at the moment, or “Veronica Mars” to see a list of other friends who like Veronica Mars.

These updates will feed into the second new feature, Facebook Open Graph, which collects and ranks the activities or items that friends are interacting with. Apps that integrate with Facebook will be sorted in Open Graph based on popularity with a user and his or her friends, including Spotify, Hulu, Netflix, Foodspotting, Vevo, and Nike+, among many others. Open Graph is intended to help with app discoverability, showing users what their friends are doing without flooding their feeds every time a friend kills a mobster or plants a new crop of corn.

When Timeline was introduced, Chris Cox, director of product at Facebook, noted that “there is nothing we love to summarize more than time itself,” stating that with the new features it would be possible for users to create months or years in review.

Of course, Facebook’s entire motivation isn’t just for friends to become more intimate with each others’ past and present. Daniel Ek, Spotify CEO, spoke briefly at the conference, and noted that “because our [Spotify's] playlists are social, they [users] are more engaged. And because they are engaged, they are more than twice as likely to pay for music.” For Spotify, which boasted 2 million paying members worldwide as of Wednesday, the exposure to the better part of a billion Facebook members could mean big bucks.

The new completionist Facebook is a significant departure from what Facebook’s most avid competitors, Google+ and Twitter, currently offer on their sites. If Facebook can get users to buy into putting their whole life histories on the site, the amount of content there will explode, and create an investment and representation of self users won’t be likely to abandon. And with more content comes more opportunities to target ads.

The beta for Facebook’s timelines begins today, with availability being rolled out gradually. Neither Zuckerberg nor any of the speakers mentioned a timeline for the new version, but we expect it will be sooner rather than later.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: Identity, Security, Web Basics

EFF Wants to Secure the Web With “HTTPS Now” Campaign

The Electronic Frontier Foundation (EFF) has kicked off a new “HTTPS Now” campaign to educate consumers and help “make web surfing safer.”

The new campaign is a two-part effort. First, the EFF would like to encourage users to install the HTTPS Everywhere Firefox add-on, which will automatically redirect you to HTTPS connections. HTTPS Everywhere makes sure you’re always using a secure connection when you visit Gmail, Twitter and several dozen other sites; you don’t need to worry about checking the URL every time you log in.

While HTTPS Everywhere is a good suggestion for users, the primary thrust of the HTTPS Now campaign is aimed at popular websites. After all, HTTPS Everywhere only works if your favorite sites offer secure connections, and an alarming number of sites do not.

The EFF has partnered with Access, a digital freedom activist group, to create the new HTTPS Now website. The new site will keep track of which sites offer HTTPS connections, how much of the site is secure and whether or not the site mixes secure and insecure content.

Why all the fuss about HTTPS? Well, every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox.

There is a better way: the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. Think of the extra “S” as the envelope that keeps prying eyes from looking at your postcards.

The problem gets a bit more complicated than just HTTPS though. Most sites already use HTTPS to handle your login info — that’s a good first step — but once you’re logged in the sites often revert back to using an insecure HTTP connection. That means you’re vulnerable to simple attacks like those made possible by the Firesheep Firefox plugin. Firesheep sniffs network traffic and looks for insecure cookies which it then uses to spoof your login credentials to the site. Firesheep allows other people to quickly and easily become you on the web.
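The gap described above can be checked from the defender's side. This is an added example, not code from the article, the EFF or any site named here: it reads the response headers of a login request and reports cookies issued without the `Secure` attribute, plus a post-login redirect back to plain HTTP. The sample response, host name and cookie names are constructed.

```python
"""Flag session cookies that a passive network listener could read."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: headers a site might return after an HTTPS login post.
SAMPLE_LOGIN_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://example.test/home
Set-Cookie: session_id=constructed-abc123; Path=/; HttpOnly
Set-Cookie: csrf=constructed-xyz; Path=/; Secure
Set-Cookie: auth_token=constructed-def456; Path=/; Secure; HttpOnly
"""


@dataclass
class CookieFinding:
    name: str
    secure: bool
    http_only: bool

    @property
    def sniffable(self) -> bool:
        # Without Secure, the browser also attaches the cookie to http://
        # requests, where it crosses the network unencrypted.
        return not self.secure


def header_values(raw_headers: str, wanted: str) -> list[str]:
    """Return every value of one header field (case-insensitive name)."""
    values = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == wanted:
            values.append(value.strip())
    return values


def parse_set_cookie(value: str) -> CookieFinding:
    """Split one Set-Cookie value into its name and security attributes."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs)


def audit_cookies(raw_headers: str) -> list[CookieFinding]:
    return [parse_set_cookie(v) for v in header_values(raw_headers, "set-cookie")]


def downgrades_to_http(raw_headers: str) -> bool:
    """True if the response redirects the logged-in user to plain HTTP."""
    return any(
        loc.lower().startswith("http://")
        for loc in header_values(raw_headers, "location")
    )


def exposed_cookie_names(raw_headers: str) -> list[str]:
    return [c.name for c in audit_cookies(raw_headers) if c.sniffable]


if __name__ == "__main__":
    for cookie in audit_cookies(SAMPLE_LOGIN_RESPONSE):
        status = "EXPOSED over HTTP" if cookie.sniffable else "HTTPS only"
        print(f"{cookie.name:12} {status}")
    if downgrades_to_http(SAMPLE_LOGIN_RESPONSE):
        print("login redirects to plain HTTP")
```

A cookie reported as exposed is fixed by setting `Secure` on it and keeping the whole logged-in session on HTTPS.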

So why doesn’t the entire web use HTTPS all the time? The answer is slightly complicated, but the primary reason is speed. HTTPS can’t be cached on CDN networks and there are also some (minor) costs involved with HTTPS certificates.

But obviously neither cost nor minor speed hits have stopped big sites like Twitter, Facebook, Gmail and Flickr from implementing HTTPS. The EFF would like to encourage other sites to follow suit.

If you’d like to see how your favorite sites fare when it comes to protecting your data from traffic snoops, head on over to the HTTPS Now website.


File Under: Identity, privacy

Mozilla’s ‘Do Not Track’ Header Is Starting to Catch on With Advertisers

Among the many new features in Firefox 4 is support for the Do Not Track (DNT) HTTP header. If you turn on the DNT header in Firefox 4’s preferences pane, the browser will broadcast a custom header in HTTP requests which tells servers you want to opt out of any tracking cookies.

Mozilla developed the DNT header to give users an easier way to opt out of increasingly intrusive online tracking by websites and advertisers. The header is, in the long run, a far better solution than constantly updating cookie-based block lists, which is currently the main solution for most users.

The problem with the DNT header is that, until now, no websites actually looked for it.

That, however, is changing. Mozilla announced today that the AP News Registry has implemented support for the DNT header across 800 news sites, which see more than 175 million unique visitors every month. That’s a huge shot in the arm for Do Not Track, which was previously a great idea, but one with little real world application.

Starting today, provided you turn on the DNT preference in Firefox 4, the AP News Registry will no longer set any cookies.

Mozilla also reports that it is in talks with the Digital Advertising Alliance to get the self-regulating group to support the DNT header as well. Strange though it may sound, the online ad industry actually has a decent track record of working with privacy advocates and even offers its own cookie-based opt-out list. In other words, there is a good chance that DNT will be broadly adopted within the online ad industry.

While the DNT header seems well on its way to becoming a de facto standard (and a real standard, provided the W3C accepts it), it’s important to bear in mind that it will never stop rogue advertisers who choose to ignore your DNT settings. For the bad apples in the bunch, cookie-based blocking will remain the only viable option.


File Under: Browsers, Identity

Firefox 4 Beta 11 Offers ‘Do Not Track’ Privacy Setting

Firefox 4 goes to eleven. Mozilla has released an eleventh beta of Firefox 4, the next major version of the browser. Beta 11 includes the usual bug fixes and speed improvements, but it also has a new feature — the “Do Not Track” setting Mozilla is hoping will become a standard.

If you’re already using Firefox 4 you should be automatically updated. If you’d like to help Mozilla test Firefox 4, head over to the beta downloads page and grab a copy of beta 11.

The Do Not Track feature is a new HTTP header that will stop behavioral advertising tools from tracking where you go on the web. To turn on the new feature just check the box under the Advanced tab in Firefox 4’s preferences.

For now all you’ll be doing is broadcasting the new header information; it won’t actually have any effect. Because no online advertisers yet support the header, the new feature won’t protect your privacy. However, some of the biggest names on internet advertising already voluntarily offer a cookie-based opt-out system and it seems likely that, with Mozilla behind the new header, the same companies will support the new option eventually.

Mozilla is planning to release at least one more beta and then a round of release candidates before Firefox 4 is finalized later this year.


A DIY Data Manifesto

The word “server” is enough to send all but the hardiest nerds scurrying for cover.

The word usually conjures images of vast, complex data farms, databases and massive infrastructures. True, servers are all those things — but at a more basic level, they’re just like your desktop PC.

Running a server is no more difficult than starting Windows on your desktop. That’s the message Dave Winer, forefather of blogging and creator of RSS, is trying to get across with his EC2 for Poets project. The name comes from Amazon’s EC2 service and classes common in liberal arts colleges, like programming for poets or computer science for poets. The theme of such classes is that anyone — even a poet — can learn technology.

Winer wants to demystify the server. “Engineers sometimes mystify what they do, as a form of job security,” writes Winer, “I prefer to make light of it… it was easy for me, why shouldn’t it be easy for everyone?”

To show you just how easy it is to set up and run a server, Winer has put together an easy-to-follow tutorial so you too can set up a Windows-based server running in the cloud. Winer uses Amazon’s EC2 service. For a few dollars a month, Winer’s tutorial can have just about anyone up and running with their own server.

In that sense Winer’s EC2 for Poets is already a success, but education and empowerment aren’t Winer’s only goals. “I think it’s important to bust the mystique of servers,” says Winer, “it’s essential if we’re going to break free of the ‘corporate blogging silos.’”

The corporate blogging silos Winer is thinking of are services like Twitter and Facebook. Both have been instrumental in the growth of the web; they make it easy for anyone to publish. But they also suffer denial of service attacks, government shutdowns and growing pains. Centralized services like Twitter and Facebook are vulnerable. Services wrapped up in a single company are also vulnerable to market whims: Geocities is gone, FriendFeed languishes at Facebook and Yahoo is planning to sell Delicious. A centralized web is a brittle web, one that can make our data and our communications tools disappear tomorrow.

But the web will likely never be completely free of centralized services and Winer recognizes that. Most people will still choose convenience over freedom. Twitter’s user interface is simple, easy to use and works on half a dozen devices.

Winer doesn’t believe everyone will want to be part of the distributed web, just the dedicated. But he does believe there are more people who would choose a DIY path if they realized it wasn’t that difficult.

Winer isn’t the only one who believes the future of the web will be distributed systems that aren’t controlled by any single corporation or technology platform. Microformats founder Tantek Çelik is also working on a distributed publishing system that seeks to retain all the cool features of the social web, but remove the centralized bottleneck.

But to be free of corporate blogging silos and centralized services the web will need an army of distributed servers run by hobbyists, not just tech-savvy web admins, but ordinary people who love the web and want to experiment.

So while you can get your EC2 server up and running today — and even play around with Winer’s River2 news aggregator — the real goal is further down the road. Winer’s vision is a distributed web where everything is loosely coupled. “For example,” Winer writes, “the roads I drive on with my car are loosely-coupled from the car. I might drive a SmartCar, a Toyota or a BMW. No matter what car I choose I am free to drive on the Cross-Bronx Expressway, Sixth Avenue or the Bay Bridge.”

Winer wants to start by creating a loosely coupled, distributed microblogging service like Twitter. “I’m pretty sure we know how to create a micro-blogging community with open formats and protocols and no central point of failure,” he writes on his blog.

For Winer that means decoupling the act of writing from the act of publishing. The idea isn’t to create an open alternative to Twitter, it’s to remove the need to use Twitter for writing on Twitter. Instead you write with the tools of your choice and publish to your own server.

If everyone publishes first to their own server there’s no single point of failure. There’s no fail whale, and no company owns your data. Once the content is on your server you can then push it on to wherever you’d like — Twitter, Tumblr, WordPress or whatever the site du jour is ten years from now.

The glue that holds this vision together is RSS. Winer sees RSS as the ideal broadcast mechanism for the distributed web and in fact he’s already using it — Winer has an RSS feed of links that are then pushed on to Twitter. No matter what tool he uses to publish a link, it’s gathered up into a single RSS feed and pushed on to Twitter.

Dave Winer’s RSS-centric vision of a distributed web. Image by Dave Winer via Flickr.

Winer will be first to admit that a distributed system like he imagines is still a little ways off, but as they say, the longest journey starts with a single step. For Winer EC2 for Poets is part of that first step. If you’ve never set up your own server, don’t even really totally understand what a server is, well, time to find out. Head on over to the EC2 for Poets site and you’ll have a server up and running fifteen minutes from now. The distributed web awaits you.

File Under: Browsers, Identity

‘Do Not Track’ Tools Land in Firefox Nightly Builds

Mozilla is wasting no time putting its proposed “Do Not Track” HTTP header onto the web. The latest Firefox nightly builds now include support for the new header and it may even make the final release of Firefox 4, due later this month. The new HTTP header, which Mozilla announced last week, is designed to tell online advertisers to stop tracking your web browsing habits.

If you’d like to see how Mozilla has implemented the header, grab the latest Firefox nightly build. There have been a few changes since Mozilla first announced its plan, including renaming the header to simply “DNT.”

To turn the header on, open Firefox’s preferences panel and select the Advanced tab (eventually Mozilla will add the option to the more appropriate Privacy tab). There you’ll see a new option to “Tell websites I do not want to be tracked.” Of course even if you turn the header on today and broadcast “DNT: 1” to the web, it won’t do anything.

For the header to actually protect your privacy, websites and online advertisers will have to support it. While there’s plenty of debate as to whether they ever will, it definitely won’t happen until the feature is widely available. Mozilla is hoping that including the new header in Firefox 4 will spur advertisers to support it.
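What server-side support could look like, both here and in the AP News Registry story earlier on this page, is sketched below as an added example; it is not Mozilla's or the AP's code. It is WSGI middleware that withholds `Set-Cookie` headers when a request carries `DNT: 1`. The class name `HonorDNT`, the demo application and the cookie names are assumptions made for illustration.

```python
"""WSGI middleware that withholds cookies from visitors sending DNT: 1."""
from wsgiref.util import setup_testing_defaults


def dnt_enabled(environ) -> bool:
    # WSGI exposes the request header "DNT" as HTTP_DNT; "1" means opt out.
    return environ.get("HTTP_DNT", "").strip() == "1"


class HonorDNT:
    """Hypothetical middleware name; wraps any WSGI application.

    tracking_cookies=None withholds every cookie (the behaviour the page
    describes for the AP News Registry); a set of names withholds only those.
    """

    def __init__(self, app, tracking_cookies=None):
        self.app = app
        self.tracking_cookies = (
            None if tracking_cookies is None else set(tracking_cookies)
        )

    def _is_tracking(self, set_cookie_value: str) -> bool:
        if self.tracking_cookies is None:
            return True
        name = set_cookie_value.split("=", 1)[0].strip()
        return name in self.tracking_cookies

    def __call__(self, environ, start_response):
        if not dnt_enabled(environ):
            return self.app(environ, start_response)

        def filtered_start(status, headers, exc_info=None):
            kept = [
                (key, value)
                for key, value in headers
                if not (key.lower() == "set-cookie" and self._is_tracking(value))
            ]
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    # Constructed application: one long-lived visitor ID, one login session.
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "visitor_id=constructed-123; Max-Age=31536000; Path=/"),
        ("Set-Cookie", "session=constructed-abc; Path=/; Secure; HttpOnly"),
    ])
    return [b"ok"]


def cookies_set(app, dnt_header=None):
    """Run one constructed request and return the cookie names the app set."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt_header is not None:
        environ["HTTP_DNT"] = dnt_header
    captured = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    b"".join(app(environ, start_response))
    return [v.split("=", 1)[0] for k, v in captured if k.lower() == "set-cookie"]


if __name__ == "__main__":
    print("no DNT header:", cookies_set(HonorDNT(demo_app)))
    print("DNT: 1, all  :", cookies_set(HonorDNT(demo_app), "1"))
    print("DNT: 1, named:", cookies_set(HonorDNT(demo_app, {"visitor_id"}), "1"))
```

Withholding cookies covers only cookie-based tracking; whatever the wrapped application itself logs about a visitor is outside what this middleware can see.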

For now, broadcasting “DNT: 1” will be, as Alexander Fowler, the Global Privacy and Public Policy Leader at Mozilla, puts it, “akin to displaying EFF’s Blue Ribbon campaign.”

The current plan is to test the privacy header in the next beta release of Firefox 4 and then, assuming there are no bugs, roll it out with the final release of Firefox 4 later this month.


File Under: Identity, Web Standards

OpenID: The Web’s Most Successful Failure

First 37Signals announced it would drop support for OpenID. Then Microsoft’s Dare Obasanjo called OpenID a failure (along with XML and AtomPub). Former Facebooker Yishan Wong’s scathing (and sometimes wrong) rant calling OpenID a failure is one of the more popular answers on Quora.

But if OpenID is a failure, it’s one of the web’s most successful failures.

OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.

OpenID promised to solve two problems. First, it would offer an easy way to log in to any website without needing to create a new account. And, second, it would enable you to have a consistent identity across the entire web. This worked well with the limited audience of bloggers and tech-savvy users that were part of the original vision.

But then as the vision of OpenID grew to encompass, well, everything, it became bogged down in the details. Despite widespread support, there is no uniform user experience. Every site that supports OpenID does it slightly differently, which only further confuses the majority of people.

The main reason no one uses OpenID is because Facebook Connect does the same thing and does it better. Everyone knows what Facebook is and it’s much easier to understand that Facebook is handling your identity than some vague, unrecognized thing called OpenID. That’s why, despite the impressive sounding billion URLs and 50,000 sites supporting OpenID, it pales next to Facebook Connect. Facebook Connect has been around less than half the time of OpenID and yet it’s been adopted by some 250,000 websites, is available to the hundreds of millions of Facebook users and has the advantage of Facebook’s brand familiarity.

Facebook also added a key ingredient that helped drive other sites to adopt Facebook Connect — sharing user data. One of the reasons more sites support Facebook Connect is that they get a piece of the user pie.

Web publishers never warmed to OpenID since it allows a user to log in to a website and leave a comment on a story, a blog post or a photo while essentially remaining anonymous to the publisher. That anonymous aspect has made OpenID less attractive to publishers who want to collect more data about their readers or interact with them — whether that means following them on Twitter, connecting with them on Facebook or sending them e-mail.

The OpenID Connect proposal aims to solve this shortcoming by using OAuth to allow publishers to request more information from a user when they log in using OpenID. But so far there has been very little support for OpenID Connect. Facebook Connect is still far more popular.

However, not everyone wants to tie their website’s login structure to a single company like Facebook. If 37Signals is the poster child for OpenID failure, Stack Overflow is the poster child for its success. The popular programming Q&A site abandoned traditional username/password based accounts in favor of OpenID and declared the experience a resounding success.

Government sites are also looking to use OpenID rather than tie themselves to Facebook. And the Obama administration has announced plans for an Internet identity system that sounds a lot like OpenID, though the exact details have yet to be revealed.

Eventually OpenID will likely disappear from the web, not because it was a failure, but because identity will be managed in other ways. Mozilla is hard at work putting identity in the browser. It’s not hard to envision Firefox managing your OpenID credentials for you, just as it does today with your passwords. In that sense OpenID may end up like RSS (another tool routinely declared dead), invisibly powering features behind the scenes, essential, but unnoticed. Eventually online identity may even come full circle and move back into the real world — chips in your phone, tokens that generate random codes or biometric devices.

The legacy of OpenID may well be that it was ahead of its time, but that hardly makes it a failure.


File Under: Browsers, Identity, Security

Chrome Add-on Kills Tracking Cookies

Not to be outdone by Mozilla, Google has released a new add-on for its Chrome web browser that allows users to opt out of online advertising tracking. While Mozilla’s privacy tool is still just a proposal, and involves a new HTTP header, Google’s add-on uses the more practical, cookie-based approach and works today.

The Keep My Opt-Outs add-on works like a very persistent cookie, but this one is working in your favor. The add-on uses Chrome’s internal cookie APIs to set the opt-out flag for each advertising network that participates in the opt-out program created by the ad industry. Not only is it easier than setting those cookies yourself, the add-on ensures that, even if you clear the rest of your cookies, the opt-out cookies remain intact.

While it works, Google’s approach is something of a hack. The add-on intercepts and rewrites cookies, which is not exactly an ideal solution. Still, if you’re a Chrome user and you’ve been looking for a way to stop advertising cookies today, the Keep My Opt-Outs add-on has you covered.

Keep My Opt-Outs also makes a viable alternative to ad-blockers, particularly for those concerned that ad-blocking add-ons are denying their favorite sites much-needed revenue. Provided you don’t mind a few advertisements here and there, by using the new add-on in conjunction with some smart cookie settings you can support your favorite sites without forfeiting your privacy. And for those that do use ad blockers, keep in mind that just because the ad is not shown doesn’t always mean it can’t set cookies.

In the long term, Mozilla’s header-based approach to stopping cookie-based tracking is a better solution, and we expect, if the idea catches on, Chrome and other browsers will support it as well. For those who want something that works today, Google’s new add-on fits the bill.


File Under: Browsers, Identity, Security

Mozilla Plans ‘Do-Not-Track’ Privacy Tools for Firefox

Mozilla wants to create a new HTTP header that will allow Firefox and other browsers to shut off web tracking tools like cookies. The new header would offer a universal way to tell websites that a user wishes to opt out of third-party, advertising-based tracking.

Behavioral advertising, as such tracking is known, is becoming increasingly common on the web. Advertisers use cookies to follow you around the web, tracking which sites you visit, what you buy and even, in the case of mobile browsers, where you go. The U.S. Federal Trade Commission has already outlined a Do Not Track mechanism (PDF link), which would work much like the FTC’s Do Not Call list, offering a way to opt out of online tracking.

The proposed do-not-track HTTP header is one of several ways Mozilla plans to implement the FTC’s suggestions. While the header idea has been around for a while — the Do Not Track Firefox add-on from the Stanford Law School is one example — currently most online opt-out schemes use cookies to set user preferences. Mozilla believes “the header-based approach has the potential to be better for the web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists.”

While the new header is just a proposal at the moment, Mozilla already has some code ready and is considering adding the feature to future versions of Firefox. The current plan is to create a new preferences option that would allow you to opt out from tracking. Check the box in the preferences and Firefox will start sending the do-not-track header each time you request a new page.

Interestingly, the header Mozilla proposes is not the same as the “X-Do-Not-Track” proposal, which is already implemented in Firefox add-ons NoScript and Adblock Plus. For more details on how Mozilla’s new HTTP header will work, see Mozilla developer Sid Stamm’s blog post.

Like Mozilla’s proposed privacy icons, the problem with the new header is getting third-party ad sites to obey it. Mozilla calls it a “chicken and egg” problem and hopes to jumpstart the idea by including the header in future releases of Firefox. At that point it would be up to third party websites to support the header and, as Mozilla puts it, “honor people’s privacy choices.”


File Under: Identity, Web Standards

New Privacy Icons Aim to Save You From Yourself

A few of the proposed privacy icons

Mozilla has taken the lead among browser vendors to make a site’s privacy settings more explicitly visible. It’s doing so by proposing visual cues in the browser that indicate what level of privacy you’re currently browsing at, and what pieces of your personal data the site you’re currently visiting is sharing with the rest of the web.

Earlier this year, Mozilla’s head user experience designer Aza Raskin proposed creating a set of icons to denote the privacy policy of a website. Now, after getting feedback from a wide range of interested groups — from the Electronic Frontier Foundation to the Federal Trade Commission — Raskin has drawn up a new and improved icon set.

The idea behind Raskin’s proposal is that the browser is the most logical place to display identity and privacy information to the user as they click around on the social web. The end goal is to produce a set of warnings similar to the way that Firefox (and other browsers) currently handle phishing attack warnings, using visual icons and simple language to explain what you’re getting into when you load a page with a different level of privacy or security.

For the active social web user, keeping track of which bits of your data are public and which are private on different sites is a chore. Some websites share your photos, status updates, your list of friends, who you’re following and other data by default. Some share nothing. The rest are somewhere in the middle.

Part of the problem is the privacy policies themselves. They are complex, mind-numbingly long legal documents. We routinely ignore them, breezing past them by clicking “I agree.” Once clicked, your rights are compromised, and you may not be able to fully restore them.

A set of icons in the browser, to quickly and easily allow users to know what will happen to their data, means that users don’t need a law degree to know what’s happening to their images, status updates and other data.

The big difference between privacy icons and the phishing warnings your browser already offers, is that these icons are targeted at the websites themselves. The biggest counter-argument to Raskin’s proposal is that there’s nothing stopping a site from displaying these icons and then doing the opposite.

Raskin’s solution is to make the privacy icons supersede the written privacy policy. “When you add a Privacy Icon to your privacy policy,” writes Raskin, “it says the equivalent of ‘No matter what the rest of this privacy policy says, the following is true and preempts anything else in this document…’”

In other words, sites using the icons maliciously would face legal consequences. Of course differences in international laws mean enforcing such violations would be complex.

Still, as Raskin points out, privacy policies are fast becoming a selling point for many sites. Nearly every site we’ve tested lately has some sort of large, obvious banner that proudly proclaims the site will never share your data. Those are the kinds of sites, says Raskin, that would adopt privacy icons.

But it’s still unlikely any site would ever adopt the negative icons. If you’re sharing everything users give you with anyone who pays for it, you probably don’t want to advertise that. So the privacy icons actually become most useful when they aren’t present. Of course, as Raskin writes, “people generally don’t notice an absence; just a presence.”

The solution to that problem is to make the privacy icons machine readable. The workflow would be something like this: You visit a website and decide to sign up. When Firefox encounters the sign-up form, it looks for the privacy icon. If it finds it, Firefox displays it. If Firefox doesn’t see an icon, it uses the negative icon to warn you that your information may be shared. Either way, you know where you stand.

For now the privacy icons, good idea though they may be, are a long way from reality. Raskin calls the current mockups an “alpha” release and since Raskin is leaving Mozilla, the future of the project is unclear. If you’d like to get involved, head over to the Mozilla Drumbeat Privacy Icons project page.
