What does the Microsoft "partnership" with Facebook mean for users?

Here's the key fact: Facebook's users are not its customers. They're the targets to which Facebook's customers aim advertising. In old media this was no big deal. But Facebook isn't just a "medium". It's a vast walled garden where the social activity of members and visitors constantly improves the ability of advertisers to "target" both.

This is a Good Thing only if it works for everybody — including both those targeted as well as those doing the targeting. And if users are actually involved, they have some important questions:

  • What happens to my identity-related information?
  • How is it used, and by whom?
  • How much control do I have over my data (or data about myself) — including what Facebook "partners" do with that data?

Jeremiah Owyang visits these questions in his latest post, How Microsoft got their Passport after all. He begins,

A few hundred million is a steal for your identity, they've got plenty of money.

Microsoft and Facebook are in partnership, but what's at stake? Three things:

  1. Facebook knows who you are: your name, your gender, where you live, your martial and political status, sexual preference, age, where you work, the list goes on. The funny thing is, you've voluntarily given that information up.
  2. They also know who you connect to, who you talk to, and what you say to them (you don't own those private message ya know).
  3. Sure, up to one third of all profile information is bogus, but what about those unsaid gestures: What people do is more important than what they say. What apps you use, how frequent, what and who you click on.

Great, but why does it matter? Because the new partner likely will have access to this very precious data.

[We once rejected Microsoft's Passport identity campaign, but we’ve potentially and unknowingly just handed it over]

Two thoughts.

First, Microsoft had a very instructive failure with Passport, and the "Hailstorm" effort of which it was a part. One guy leading that instruction is Kim Cameron, primary author of the Seven Laws of Identity and creator of the Identity Metasystem concept (among other things), all which we made a cover story in the September 2005 issue of Linux Journal. To the best of my knowledge, that was the first time a Microsoft effort made the cover of the magazine — and it deserved to.

In brief, the Seven Laws are:

  1. User Control and Consent
  2. Minimal Disclosure for a Constrained Use
  3. Justifiable Parties
  4. Directed Identity
  5. Pluralism of operators and technologies
  6. Human integration
  7. Consistent experience across contexts

Second, many independent developers at companies and organizations large and small (including many individuals their own) have joined together (guided to a significant degree by Kim and his Laws) as in informal Identity Gang (now a working group of Identity Commons) with the shared purpose of empowering individuals to control their own identity-related information in the networked world. "User-centric identity" is still new, and we're all still in the early stages of Whatever This Will Be; but already much technical progress has been made, most of it in the form of open source development.

The Gang gathers at informal but highly productive Internet Identity Workshops (IIWs) — twice per year at the current rate. In fact, I'm one of the organizers. The next one is December 3-5 in Mountain View. Here's my open invitation for Facebook folks to come help the rest of us work on applying the Laws of Identity in the social contexts they're pioneering.

There is much work to be done. We'd love to have Facebook help us do it.

______________________

Doc Searls is Senior Editor of Linux Journal

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Cameron spreads FUD about SSL

Burz's picture

http://www.boingboing.net/2007/10/07/canadas-privacy-comm.html
(see the exchange in the comments section)

Microsoft is trying to move authentication and privacy apparatus out of the browser and into the OS. The kind of effort the article refers to IMO results in MS Active Directory becoming a must-have even for LAMP servers... another unworkable monopolist "de-facto" standard pops into existence because of tying with the Windows client.

Required reading from Jeremy Alison of the Samba project:
http://samba.org/samba/news/articles/low_point/column01.html

''Currently if you want to put your Windows clients and server into a "single-sign-on" environment (and let's face it, who wouldn't), your only real choice is Microsoft Active Directory. Why is this ? Well, the main obstacle is that Windows client won't log on in "Domain" mode without it, and Windows servers use information held in Active Directory to make authorization decisions for Windows clients. Enough of the protocols that the Windows clients and servers use to do this are not documented by Microsoft to make creating an inter-operable server a risky business for any commercial entity. Few have tried; Sun, with their "PC-Netlink" product was cut off from access to the Windows 2000 source code when their supplier AT&T abruptly had their contract to port the Windows source code terminated by Microsoft (thus instigating the EU case).''

It is easy to imagine all those hosting services nervously adopting AD as their standard identity server, lest they risk their ebusiness grinding to a halt because of possible glitches in CardSpace-Samba interoperability.

The same fear and uncertainty that end-users experience when contemplating non-Windows alternatives could be forced onto web admins in this way. If you can make a server product that defacto owns the web authentication market, then your product also wins the hosting market for most of the web.

( Yet another possible wrinkle is whether the CardSpace-type identity schemes require implmentation with keys undisclosed to the user -- like DRM keys only hidden in TPM hardware -- which would automatically disqualify GPL3 products like Samba. )

Steve Ballmer himself just indicated that he wants FOSS projects like PHP to 'innovate on Windows instead', using legal threats if necessary. See PJ's assessment of this at Groklaw.

...though I am sure the more garden variety of MS monopoly pressures will also be brought to bear, like warning people that they are trying to login to a "possibly insecure" https session.

Also, does MS have an easy and secure way to migrate one's CardSpace-encapsulated identity to another operating system? Or is this yet another way in which Windows will hold people hostage?

Final thoughts: If authorities and the tech community are unwilling to teach people a couple semantic rules for secure browsing, then either SSL won't get used properly and the current level of spoofing and phishing will remain, or else the Internet will turn into an authoritarian regime locking out non-monopoly technology and non-conglomerate business and opinion.

The need for semantic verification (looking at the domain name in context) by the user is irreducible when independent parties securely interact. The flashing of pretty trademarks to click on doesn't work for veracity because users cannot identify icons down to the last bit the way they can with alphanumeric information. This is why SSL certificates are keyed against domain names.

After a user checks for the lock icon along with the domain in the address bar, the only decisions left (indeed the only ones that CAN be made WRT security) are: A) is the domain spelled properly? B) do I trust them with my data? C) do I trust the Certificate Authority? Anything beyond that is like having a telephone system that tries to steer people away from dialing certain phone numbers because you might have mis-dialed in an attempt to reach a mainstream bank or chat line. All the user can do is check the number they dialed, and all the 'system' can do honestly is check that they reached the certified holder of that number.

People who use Facebook are

Anonymous's picture

People who use Facebook are nuts imo. Why give advertisers and governments and think tanks information about you? So they can target you better? I prefer my anonymity thanks.

I agree

RH's picture

Why do people use Facebook? Just watch this and you will want to delete your profile...
http://albumoftheday.com/facebook/

That's true

Didier Vardet's picture

Microsoft is putting hand on private data. Given its dedication to the society of control, I find this really frightening. Nevertheless, how worse is facebook in this than hotmail ...

--
Didier Vardet
http://www.freewebs.com/dangervaccins/

Facebook vs. Anonymity

dsearls's picture

I don't think Facebook set out to pull the veil of anonymity from the lives of 50 million users, but that seems to be, to some degree, what they've done.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix