Friday, January 04, 2008

Scoblegate? Untwist your knickers!

There is much talk in't blogosphere about Robert Scoble's inglorious boot up the behind from Facebook over data scraping.

While it's worth reminding ourselves not to take all this (or ourselves) too seriously (read JP Rangaswami's Applauding Our Own Behinds), I do think it's worth considering why people are getting their knickers in such a twist (if only because I'm one of Robert's 5000 friends, whose email address, date of birth etc. have been 'plundered' by the Plaxo app he was testing).

Scott Karp at Publishing 2.0 sums it all up quite nicely, referencing Dave Winer, Nick Carr and Paul Buchheit. I'd also recommend a quick squint at Jeff Jarvis (who in turn refers to Mike Arrington at TechCrunch).

I have two thoughts. First is a response to Scott's post. Scott says the fuss over Scoblegate(tm) serves to reveal a coming war over the control of data.

War implies mighty armies clashing. I think this will end up much more a free-for-all. Perhaps Scoble is going guerilla?

Seriously; what I want is an ID key which opens the safety deposit boxes of my choice. And when I leave that deposit box, I take the whole key with me. You only get to access the data I choose to share while your application does something useful for me. Then I’m gone and you’re back to doing your best to keep the conversation going between us.

Persistent conversation rather than owned/farmed/harvested data will win. The battle, for me, is not about owning data but about owning relationships.

And relationships are not based on what I did last year or even last week. They are based on engaging with me about things I care about, and doing it regularly.

Those applications/institutions/things that are good at that will win digitally just as they do in the real world.

My second point seeks to untwist knickers.

The main force in twisting knickers in the Scoblegate affair appears to be who 'owns' the personal data, i.e. my name, email address and date of birth are MINE. They are not SCOBLE'S!!!! (followed by much gnashing of teeth, wailing etc.)

Calm down.

It's hardly For Your Eyes Only stuff, is it? Your dob (and I'm speaking from the UK) is a matter of public record, and my email address is far from secret (it's a business one). And isn't it about time we lightened up about email address sharing? I mean, why is it any different from letting someone know your physical address? You can get junk mail at both. So what? Bin it.

Oh, and what was that third element? Oh my gosh - Robert Scoble now knows my name. Call the cops.

If other people (or applications, if you will) knowing this much about you sends you into palpitations I suggest you buy a campervan and head for the desert.

And if knowing this is enough to unlock something meant to be truly secure and personal - go back and redesign your bloody lock!

This paranoia over identity is getting out of hand. We saw it writ large in the UK before Christmas when the Government managed to lose loads of 'personal data'. But that was a load of alarmist tosh, too.

Scoble responds and explains himself.

5 comments:

  1. I totally agree.

    What wally publishes their name, email address and date of birth, and thinks that no one would ever copy it into their own address book?

    Especially someone they've added as a friend?

    Or is it because they've added someone famous, that they don't really know, and given him permission to see their info without thinking about it first?

  2. There's a difference between adding my email address to your own address book and passing it to some third party company which could potentially do anything with it.

    If a spammer was offering some reward for Facebook users to hand over their friends' addresses to be harvested, I'd want Facebook to block it even if I'm supposed to trust my friends to not be idiots.

    Since Plaxo was directly scraping the data rather than using the API, they're not bound by the Platform TOS that aims to provide pretty much the safety deposit boxes you want (you can read anything that the user's privacy policy allows at that moment, but can't store anything). They're deliberately avoiding those rules, so I'm unsurprised that Facebook don't like it.

    The real problem is that email address is the closest thing we have to a unique identifier for a person, and it's the one thing that Facebook won't hand over to an application because it's also a way to bypass the privacy policy that the users set in Facebook. It's a problem that Open Social is going to need to solve. We need a way for an application to recognise that user X on site A is the same person as user Y on site B while still binding the application to the privacy rules of both sites.

    It needn't be difficult - a simple hash of the email address would allow Plaxo to know that these 1800 of its users are those 1800 of your Facebook friends without giving away anything about the rest of your friends.

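The hashed-address matching suggested in comment 2, sketched as an added example; it is not part of the original post or comments and is not Plaxo's or Facebook's code. The function names, the normalization rule and the sample addresses are assumptions made for illustration. Because the hash is unkeyed, anyone holding the tokens can test a guessed address against them, which `confirms_guess` shows.

```python
import hashlib


def normalize(email):
    # Assumption: both sites agree to trim whitespace and lower-case
    # addresses before hashing, otherwise equal addresses will not match.
    return email.strip().lower()


def email_token(email):
    # "A simple hash of the email address": SHA-256 of the normalized form.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def tokens_for(emails):
    # What the social site would hand over instead of raw addresses.
    return {email_token(e) for e in emails}


def match_friends(friend_tokens, own_users):
    # Run by the address-book service: it learns which of ITS OWN users
    # appear in the friend list, and sees only opaque tokens for the rest.
    return sorted({normalize(u) for u in own_users
                   if email_token(u) in friend_tokens})


def confirms_guess(friend_tokens, guessed_email):
    # Limitation of an unkeyed hash: a holder of the tokens can confirm
    # any address it can guess, so the tokens are pseudonymous, not secret.
    return email_token(guessed_email) in friend_tokens


# Constructed sample data (not real accounts).
SITE_A_FRIENDS = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]
SITE_B_USERS = ["alice@example.com", "dave@example.org", "BOB@example.org"]

if __name__ == "__main__":
    tokens = tokens_for(SITE_A_FRIENDS)
    print("matched:", match_friends(tokens, SITE_B_USERS))
    print("guess confirmed:", confirms_guess(tokens, "carol@example.net"))
```
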
  3. It turns out that you can steal an identity with the data on those CDs. Since you can't do much except donate to charity or similar, it's a strangely altruistic form of identity theft.

  4. Hi Steve, thanks for the update. Anyone else got more on this story? I have no idea how anyone could take money from an account simply by knowing the name, number and sort code associated with it. Surely there's been more of a breach of security here? If not, the banking industry really has woken up to quite a new year's hangover...
    More detail please

  5. It was a simple Direct Debit. Now they can be set up online, you need only those 3 details. In practice it's not as bad as it sounds, though. Aside from donating to charity, if you want to pay your gas bill with someone else's Direct Debit then British Gas will probably expect the bank account's name to match your name. In that case you need more elaborate identity theft and this is the easy bit.

    The victim will also get their money back with no questions asked because them's the rules of Direct Debits (with the possible exception of victims who published their details in a national newspaper).

    It's very easy to stop the problem entirely by writing to you in the ten days before the recipient can take any money through the direct debit, so that you can cancel it before anything is taken. Since banks don't seem to bother with that any more, it must cost them less to deal with the occasional fraud than it did to post a letter for every legit one.

    More a cautionary tale about being cocky than a deep flaw in the banking system, but it had never occurred to me that it's possible.
