Twitter, Facebook and Respecting Digital Privacy

Surprise, surprise: another Twitter vulnerability was exploited this weekend. Surprise, surprise: the culprit’s kind of a loser:

When asked why he created the StalkDaily worm, Mooney said, “Out of boredom. It was the middle of the night and I had nothing else better to do.” Also in the interview, Mooney both dismissed his actions and said he knew the attacks could land him in trouble. “I feel pretty bad about it, but it’s not me that left the vulnerability out in the open,” he said, then later added, “I’m not worried, though. I know that it could land me in jail.” On the StalkDaily Web site, Mooney posted a short message that read: “I have came clean and have accepted the responsibility for the worm.”

What’s interesting to me about this is the argument that “it’s not me that left the vulnerability out in the open.” Let’s try this out in some other social contexts:

Lest you think this is just some lame rationalization of criminal behavior by some loser kid with “nothing better to do,” this mentality is, for some reason, widely accepted with respect to digital privacy.

For example, last year there was some controversy over Facebook data being used by social scientists. The data was “anonymized” and the research approved by Facebook, but the problems are that:

  1. Even if you remove names from Facebook data, there’s still a lot of information there, and it may still be possible to identify individuals or, at least, groups who believed their activity, not just their identities, was private.
  2. Users set privacy options that would appear to disallow this use of their data, anonymized or not. The privacy options say “Control who can see your profile and related information.” They do not add “Unless it’s been anonymized by Facebook and handed off to researchers: you have no control over that.”

The lead researchers on the project defended what they were doing:

What might hackers want to do with this information, assuming they could crack the data and ‘see’ these people’s Facebook info? Couldn’t they do this just as easily via Facebook itself? Our dataset contains almost no information that isn’t on Facebook. (Privacy filters obviously aren’t much of an obstacle to those who want to get around them.)

and

The data is already there, this is merely (!) the collection of that data. Or to put it another way, AOL users presumed that no one was watching, but this is very different from Facebook users who are intending to share with someone (if not the researchers).

Read Zimmer’s response for more details, but this is crazy. The idea that using data like this for social science research is ok because “hackers could get to it anyway” is eerily similar, I think, to the rationalization “Mikeyy” makes about hacking Twitter. Let’s try this out in another context again: “Well, a criminal could easily break into your house anyway, so what’s the harm in me doing it for research? Don’t worry: I won’t reveal your identity to anyone!”

(To be clear, I don’t completely blame the researchers for this: I blame Facebook. They were the ones trusted with the data and they were the ones who gave it out. Facebook’s entire niche has always been—until the last few months when they’ve started to open up—that it is private. It is not a public space like a blog or a personal website. Anything you put on Facebook is understood to be only visible to your “friends” and no one else unless you explicitly say so. I’m guessing there’s probably a statement in their EULA that makes giving the data away to researchers as long as it’s anonymized okay, but that doesn’t mean that the average Facebook user knew this or consented to it. EULAs are a joke, but that’s for another day.)