Ash's Ramblings

Beware of Link Previews

Hilarity ensued on Twitter this week - an image went round showing a story on the Guardian website with a rather unexpected headline. Thing is, the article didn't actually say that, and although it could have been a clever photoshop, most people seem to think that some clever techie at the Guardian's website modified the page's meta-tags in order to make social media links to the article say something sweary while the actual article is clean as a whistle.

pic.twitter.com/3BgucCVqTl

Whatever the reason, there is a very good point here that lots of people have missed, and that's that it's a piece of cake to fake links on Facebook or Twitter. Even if we ignore the incredibly dangerous practice of link-shortening that Twitter kinda forces you to use in order to keep within the character limit, it appears that modern link-sharing sites try to be clever by showing the user a preview of what they're going to see if they click the link.

But this is really, really easy to abuse. When a web server responds to a web request (eg you, clicking on a link) it will normally respond with the page requested, but it doesn't have to. It can send what it likes. In this case it's really easy to program a web server to respond to Facebook with one thing and everyone else with something else. A while back I did a proof-of-concept of this in action on this very site...

http://www.madhousebeyond.com/cuteandfluffy

It works by sending Facebook the cute and fluffy picture promised, but everyone else gets the scary picture of the bear and the skeleton from Look Around You. The upshot is that if you share any of the links on that page on Facebook, the auto-generated preview will show that the page contains something completely different to what you'd actually see if you clicked the link. Feel free to fool your friends!
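A defender's check for the trick described above, as an added example that is not code from this site: it compares the fields a link preview is built from (Open Graph and Twitter meta tags, plus the title) in the response a server gives the preview crawler with the one it gives a browser. It assumes the server tells the two apart by User-Agent; the function names, sample responses and `example.test` URLs are constructed for illustration.

```python
import urllib.request
from html.parser import HTMLParser

CRAWLER_UA = "facebookexternalhit/1.1"  # User-Agent sent by Facebook's preview crawler
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"

class PreviewParser(HTMLParser):
    """Collects what a link preview is built from: og:/twitter: meta tags and <title>."""
    def __init__(self):
        super().__init__()
        self.fields, self._in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = a.get("property") or a.get("name") or ""
        if tag == "meta" and key.startswith(("og:", "twitter:")) and a.get("content"):
            self.fields[key] = a["content"].strip()
        self._in_title = self._in_title or tag == "title"

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.fields["title"] = (self.fields.get("title", "") + data).strip()

def preview_fields(html):
    parser = PreviewParser()
    parser.feed(html)
    return parser.fields

def cloaking_diff(html_for_crawler, html_for_browser):
    """Map each preview field that differs to (crawler_value, browser_value)."""
    c, b = preview_fields(html_for_crawler), preview_fields(html_for_browser)
    return {k: (c.get(k), b.get(k)) for k in sorted(set(c) | set(b)) if c.get(k) != b.get(k)}

def fetch_as(url, user_agent):
    """Fetch a page presenting the given User-Agent (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample responses from a hypothetical server that cloaks on User-Agent.
AS_CRAWLER = ('<html><head><title>Cute and fluffy</title>'
              '<meta property="og:title" content="Cute and fluffy">'
              '<meta property="og:image" content="http://example.test/fluffy.jpg">'
              '</head><body></body></html>')
AS_BROWSER = ('<html><head><title>Look Around You</title>'
              '<meta property="og:image" content="http://example.test/bear.jpg">'
              '</head><body></body></html>')
if __name__ == "__main__":
    for field, (crawler, browser) in cloaking_diff(AS_CRAWLER, AS_BROWSER).items():
        print(f"{field}: crawler={crawler!r} browser={browser!r}")
```

Against a live URL, pass the results of `fetch_as(url, CRAWLER_UA)` and `fetch_as(url, BROWSER_UA)` to `cloaking_diff`. A server that singles out the crawler by source IP address rather than User-Agent will not show a difference in this check.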

Obviously this is just harmless fun and I'm not an actual scammer, but this is actually the method a lot of scams use in order to work. A recent scam on Facebook shows up in your news feed as a link to a 'shocking' video of an horrific rollercoaster accident (which didn't actually happen). The preview makes it look like a link to an actual news site, but clicking on the link takes you to the permissions page for a malicious Facebook app with the same name as a popular news site, attempting to con you into granting access to your account to the scammers. This scam almost certainly works the same way, as there's clearly no photo of a rollercoaster or news story on the page linked to, yet we're so used to seeing 'previews' of links that we don't really notice.

To summarise: beware of Facebook and Twitter links. If you click a link and get something you didn't expect, there's a very real risk that someone's trying to screw with you. You should restart your web browser and return to the page you were originally looking at.

Facebook Home

Facebook have announced Facebook Home, a UI for the Android operating system. Normally when Facebook announce a new feature, I write a ranty blog post telling everyone why they shouldn't use it (which people usually ignore, at least until the BBC publishes an almost identical article a year later.)

So this time I'm not going to say anything technical at all. My views on the subject are irrelevant - I won't be using Facebook Home, and most of my less tech-savvy friends are iPhone users so they can't even if they want to.

What is starting to bug me are Facebook's tech demos. Specifically, the sample data they're using. It's far more interesting than any of my actual friends. For example, check out www.facebook.com/home. It shows off some of the new (er - repackaged) features that you can use with Facebook Home. You can get status updates right on your home screen. Elisabeth Carr wants to tell you "Just finished my first marathon and qualified for Boston!" Nicholas Arioli asks "Finally paid off my student loan, who wants to help me celebrate?". The reality is, of course, that most people (at least most people I know) don't post status updates nearly as interesting - it's usually something along the lines of "OMG, my parcel is late, I took the day off for nothing", "My ex-husband is such a dick" or "Just saw a squirrel piss on a cat LOL."

The sample photos on the demo are fantastic too - Facebook Home allows you to see all your friends' photos on your home screen as they're shared. Look at Amanda Johnston's beautiful photo of Lake Tahoe. Look at Will Bailey's fabulously arty photo of his lone tent in a corn field. The reality is, of course, that the photos will probably be of your mate Dave passed out on the floor of a toilet cubicle. Or your old high-school friend Lauren (who you never really spoke to anyway) and her 50th photo of her kid today. Perhaps an over-saturated photo of some sushi, or, if you're really lucky, a photo of the aforementioned squirrel pissing on a cat.

The simple fact is that most people are fucking boring. It's not their fault, each to their own. But continual connection to everyone else is a bad thing, not a good thing. If my friends did continually post photos of their skydiving trips, or their camping expeditions in beautiful places, or wrote about interesting things, then I'd have much more time for Facebook and social networking in general. I can only imagine that the sample data is based on Mark Zuckerberg's naive assumption of what having any friends is actually like. Maybe there's a niche market here - I should start a service that actually fills your Facebook feed with interesting (if completely fictional) things, so you can pretend your friends' mundane life experiences are actually worth reading about.

I'm going to stop ranting now, if you'd like more information about Facebook, please consult the great Oatmeal.

The Information Monopoly

Just recently there have been two new products announced that make it easier to communicate, and keep track of messages by aggregating all your messages from different sources into one place.

The first of these products is the long-awaited Windows Phone (aka Windows Mobile 7) which is a complete re-write of Microsoft's mobile platform to make it less computer and more phone. They seem to have taken a leaf out of Apple's book with a lot of the design choices (ie no cut and paste or multitasking in the initial version) and there are lots of 'silly' things, like an in-built Zune and Xbox 360 integration. However, the main feature that everyone in the tech world is raving about is the fact that it makes messaging so easy; in fact, its simplicity is the main focus of the current TV advert. It does this by turning messaging on its head. You have all these communication methods - SMS, email, Facebook, MSN, etc - on your phone anyway, so why not combine them into an easy 'people' hub where you can sort all your messages by person and subject, rather than have to keep them separated by delivery method, or in different apps. It also, being written by Microsoft, will probably crash quite a bit.

The other of these products is Facebook Messages. It performs roughly the same task, keeping your email, texts and Facebook messages together. Suddenly all the messages you get sent via Facebook can be read at the same time as your email, you don't have to check them both. And when you send text messages on the go, and then later continue the conversation online via email or chat, you can see the previous text messages there too and refer back to them without having to switch to your phone. It also, being a feature of Facebook, will probably crash quite a bit.

These two services have a crucial difference. Facebook Messages works server-side and Windows Phone works client-side. I will explain. If you have a smartphone, you probably already manage your text messages, email, etc all on your phone anyway, albeit in different apps for each communication type. The only additional functionality that Windows Phone gives you is the ability to view them all in one place. They're still all delivered to and stored on your phone the same way, and as far as anyone but you is concerned, nothing has changed. You don't have to change providers, your email provider doesn't have access to your Facebook posts, Facebook doesn't have access to your MSN, Microsoft don't have access to your text messages, etc etc. The only place where everything comes together is right in your hand, where it belongs. Facebook's alternative is different in that everything now happens through Facebook. You just have one connection - to Facebook - and all your email, texts, chat, etc all have to go through them before they get to you. Of course, to be fair, Windows Phone means buying a new phone, so it's the more expensive option as Facebook's service doesn't cost you a penny. But you do still have to pay for it, in the traditional Facebook currency that is your privacy - and by switching everything over to Facebook you're effectively giving them a monopoly on your personal data.

It's no secret that Facebook is a security nightmare. The fact that it's so easy to view strangers' data makes it an unwise decision to upload anything even remotely private, and many computer security experts suggest that you really shouldn't upload anything to Facebook that you wouldn't put on the public internet... that is, of course, excluding the ones that believe nobody should be using Facebook in the first place. There are many stories of people who have been far too naive on social networks; I personally know of at least three people who have been in trouble with their boss over things posted on Facebook, and there are actually people who have been fired and even killed over things they've put on there. Even if we forgive Facebook's murky reputation, there's always a risk letting one company have control of so much information, as recent news reports about HMRC and ACS:Law show. As I've blogged before, you can never be entirely sure who has access to this information when it's in someone else's care. So why would anyone want to turn their entire communications network over to Facebook, or any other company for that matter?

The answer is, of course, in the question: naivety. People are naive enough to talk about their personal life after 'friending' work colleagues, people are naive enough to post rants about their boss and co-workers online and people are naive enough to talk about everything they've ever done despite the fact that their employer, boyfriend, girlfriend and even the police have access to it. People are naive enough to put their email password into Facebook's 'Friend Finder' and then get surprised when the service starts advertising their presence to their psychotic ex, or some guy they emailed once to exchange insurance details after a prang. People are naive enough to click 'Yes' when an application that claims to be just a silly quiz or gift app asks for permission to access their account even when they're not online. So, when offered a simple method of keeping all their communications together without paying a penny, of course people are going to be naive enough to sign up.

But in reality, nothing is really free and anything that seems too good to be true usually is. People say I'm cynical, negative and paranoid, but I can say with 100% certainty that my boss will never see a photo of me drunk.

The Unknown Known

People often ask me why I trust Google more than Facebook. After all, both provide services in return for personal information, both are big US companies based on a clever piece of technology, both were started by university students, and both are worth an awful lot of money. Both have privacy issues, most have been identified and many have been fixed. Both are opt-in, you don't have to use them. The reason I trust one more than the other is simple: the unknown known.

Here's a good example. Check out Google's privacy policy. It states happily that when data is 'deleted' from their services, the data may be retained by Google even if not publicly available. Facebook contains no such line, so it's implied that deleting something actually deletes it from Facebook's servers. Yet I had a Facebook profile that I deleted about two years ago, and the photos I uploaded to the account before I deleted it were still accessible to anyone with the JPG URL some eighteen months later. In fact, the only reason I can't access them now is because Facebook changed their URL structure a few months back and all old URLs became invalid; I don't for a minute believe that those images aren't still on Facebook's servers. There are good reasons why the images don't disappear immediately - residual data and backups being the main two. But the fact is that Google announces this up front, and Facebook doesn't. And this is the crux of why I don't trust Facebook as far as I can throw it.

Another issue of contention with Facebook is the Friend Finder feature. You enter your Hotmail or GMail username and password and Facebook logs into your account and hoovers up all the email addresses it can find. It specifically states that it doesn't store your password, but it doesn't mention keeping a login session active and it certainly doesn't say what it does with the emails and contacts that it finds. Someone I know, who has never had a Facebook account, recently had an invite email sent via Facebook saying "[x] wants to be your friend". Contained within the email were suggestions for about a dozen other people she knows, some of whom were family members who had no contact whatsoever with the person who sent the invite. The only way this could have happened is that the family members also used the Friend Finder, and Facebook stored all the connections for future use. Basically, Facebook has a sort of dark network underneath its world-facing one to which you have no access and can't opt out of, Facebook account or not. If you have an account you can delete all your Friend Finder history, but this doesn't really help you if you choose not to have a Facebook account, or if someone who has your email address has previously used the Friend Finder.

Back to photos, you may already know that when a digital camera takes a photo it stores lots of information about the camera as hidden data within the JPG file. The time, the date, the camera settings, make and model. Smartphones with GPS often geo-tag images, meaning that the location in which the photo was taken gets stored as well. When you upload images to Facebook, it processes them to optimise them for web use, and this includes removing meta-data - download a photo from Facebook and load it into an EXIF viewer and you'll see it has no meta-data whatsoever. However, recently Facebook have started trying to encourage people to 'check in' to places they've visited and occasionally you'll get one of your photos shown to you with the message "this photo looks like it was taken in [y]". It gets this information from the geo-tag, which it's been storing, inaccessible to you or other Facebook users, since the photo was first uploaded. It's not that Facebook are trying to do something clever with the geo-tag information, it's the fact that they're clearly storing meta-data and not telling anyone that I have a problem with.

There is a movie called The Social Network, which tells the story of the creation of Facebook. The opening scenes show founder Mark Zuckerberg building a collection of photos of every Harvard student without their knowledge or consent, and hosting it on a public server for everyone to see. Zuckerberg's complete contempt for anyone's privacy is illustrated further in an infamous leaked IM conversation between Zuckerberg and an anonymous friend. He offers his friend personal info from Facebook's database. When asked how he got the data, he simply replied "They 'trust' me. Dumb fucks." Zuckerberg is still running Facebook, and probably has complete access to all sorts of information about you, whether you use his website or not. At least the information Google collects is used in their products and services to their users, and not just hoarded away where only the site admins can see it. Google even has a dashboard feature where you can see exactly what information they have on you and with whom they're sharing it, which gives you the opportunity to delete information if you don't want it shared. Facebook has no such feature.

So, to summarise: Google take your information, are completely transparent about what they're collecting and how, and give you something useful back in return. Facebook take your information, often without your knowledge or consent, fuse it with information they've conned out of your friends and family, and then hide it away, sometimes even denying they have it. It's not really surprising that I trust Google more.

Thoughts on the Social Network

At the weekend, I watched The Social Network, the movie based on the creation of Facebook. Not sure how much of it is fictional and how much is genuine to true life, but it did re-affirm several things in my mind.

  1. Facebook do more with your photos than they like to let on.
  2. Harvard jocks are the worst kind of jock.
  3. Hollywood will never produce a realistic depiction of England.
  4. Mark Zuckerberg is an arsehole.

As a postscript, with the exception of Eduardo Saverin, who gets absolutely crapped on, and Erica Albright, the first person in the movie to tell Mark Zuckerberg he's an arsehole, by the end of the movie I hated every single character in it yet still quite enjoyed the film overall. I can't remember the last time that happened. Also, kudos is due for being reasonably technically accurate and not just spouting off reams of meaningless techno-babble like most movies do. Overall, I enjoyed the movie but probably won't watch it again.