
Digital Media

December 29, 2009 4:00 AM PST

E-tail Scrooges and how one woman defeated them

by Greg Sandoval

The nightmare of the mysterious debit card charges began this way for Caroline Butler:

She noticed that Privacy Matters 123, a membership program she had never heard of, was charging her $20 every month. She had no idea how to get her money back or even how to get the company to stop. All she knew was that they were draining the bank account used to help pay the medical bills for her 18-year-old daughter, a cancer patient.

Classmates.com and Vertrue charged Caroline Butler (left) fees to join a membership program she didn't want. The money they took was supposed to pay medical costs for daughter JoAnna (right).

(Credit: Caroline Butler)

Somehow, Butler, a freelance photographer from Paducah, Ky., unintentionally enrolled in the membership program during a visit to the social-networking site Classmates.com, she said. What Butler didn't know at the time was that United Online, parent company of Classmates.com, was one of 88 e-tailers that agreed to sell their customers' credit card information to at least one of three marketers: Webloyalty, Affinion and Vertrue, which are now under investigation by federal lawmakers.

Thousands of consumers have accused the marketers of duping them into signing up for membership programs and locking them into paying monthly fees. What makes Butler's story different is that the money taken from her was donated by friends and well wishers who wanted to help pay her daughter JoAnna's medical costs.

She also found an unusual way to get her money back.

After weeks of getting the brush-off from customer-service representatives, Butler said she decided to go straight to the top. She didn't just track down Mark Goldston, United Online's CEO. She called up Goldston's wife. "That's how desperate I was," Butler said. "It was a long fight for the money. I didn't want to be belligerent. I just asked questions and the companies refused to give me any answers."

While Butler may have been reimbursed, it's safe to say most people who find themselves in a similar situation aren't as lucky. The U.S. Senate commerce committee said last month that Classmates.com pocketed $70 million from selling credit card data to the marketers, whose practices Sen. John Rockefeller (D-W.V.), the committee's chairman, called a "scam." A United spokesman said he couldn't comment because he didn't know anything about Butler's case and company officers were unavailable during the holidays.

Hidden charges
Butler's story helps to illuminate a couple of important issues. First, as Web merchants begin tallying holiday sales, some well-known and respected businesses have never appeared more cynical, anti-consumer, or just plain unethical.

"Your husband is stealing from my daughter."
--Caroline Butler to Mark Goldston's wife.

For starters, check out David Pogue's column at The New York Times about Verizon and the telecom's decision to double the fees they charge customers who cancel their smart-phone contracts. Pogue also noted the existence of a mysterious glitch in some Verizon phones that causes users to be charged $2 if they accidentally hit one of the phone's arrow keys. Verizon explained to the Federal Communications Commission (FCC) that the new cancellation fees are fair and denied the $2 charges existed. At least one member of the commission says Verizon's explanation is "unsatisfying" and "troubling."

I mention Verizon because the $2 charge scenario sounds so familiar. There seems to be a new and alarming trend among tech and e-tailing firms on how to make a fast buck and the formula goes something like this: a merchant sneaks a few smallish charges into a customer's bill and then claims it was the customer's fault for, say, hitting the wrong phone key--or in the case of the controversial marketers--for not reading the fine print in advertisements. Next, the goal seems to be to make the process of obtaining a refund especially difficult.

According to Rockefeller and his committee, this was how companies such as VistaPrint, Continental Airlines, Fandango (owned by Comcast), 1-800-Flowers, Orbitz, Hertz, Shutterfly, and Buy.com all pocketed millions.

Visitors to the Web sites operated by these companies would be presented with an advertisement as they finalized a transaction. The page is typically packed with text and the words "Free" or "Cash back reward" are written in large type. To many shoppers, it appears the retailer is offering a coupon or reward for shopping at the site. Tucked into the fine print, however, are the full terms, which state that by entering an e-mail address or creating a username at the page, a shopper agrees to join a membership program and pay between $10 and $20 in monthly fees.

The marketers have said that they do everything they can to inform consumers of the requirements and the practice is legal because the terms are all in the ad. Some e-tailers, at least initially, defended the marketers and said they provided a valuable service to customers.

That was before the government laid their hands on the marketers' internal e-mails, memos and reports. Investigators working for the Commerce committee uncovered a host of materials that show only a tiny percentage of the people who sign up for the membership programs do so intentionally. In a report released last month, the committee also illustrated how the ads trick consumers into joining. Since then, some of the merchants have been running for cover. Continental Airlines, US Airways, Priceline and VistaPrint have cut ties with the marketers.

That gets us back to Caroline Butler and the second lesson she helps to teach.

Mark Goldston, chairman and CEO of United Online, parent company of Classmates.com, which banked $70 million from marketing practices now under investigation by the Senate Commerce committee.

(Credit: United Online)

Some of the merchants involved say that they receive only a small number of customer complaints about the membership programs. But the commerce committee provided evidence that showed the marketers labor to insulate retailers from complaints while the retailers do their best to look the other way.

In the case of United Online, it will be hard for the company's CEO to claim he didn't know some of his customers were unhappy about the membership programs. One brought her grievances into his home.

Give me my money
After Butler noticed the charges on her account, she wanted to find out how they got there, but her bank statement provided little information outside of an 800-number and a name: Privacy Matters 123. According to its Web site, Privacy Matters 123 is a "credit management and identity theft protection membership program." The government says the program is operated by Vertrue. To see what some consumers think of it, do a Google search for "Privacy Matters" and the word "scam."

Butler said when she called the 800-number, customer service representatives from the program were reluctant to provide any information about how she became enrolled, how she could get her money back, or even how to cancel. Vertrue representatives did not respond to an interview request but in the past have said that it's easy for unhappy customers to cancel.

That wasn't Butler's experience. She said she panicked when it became evident that Vertrue wasn't going to return the money. The account that Vertrue was drawing money from held the donations for her daughter. Butler said she doesn't remember doing it but she concedes she might have used the debit card at Classmates.com in error. She says she absolutely did not intentionally use it to sign up to Privacy Matters 123. By the time she realized what was going on, months had passed and Vertrue's charges had caused her account to be overdrawn. She said the combination of Vertrue and overdraft charges had cost her more than $900.

After weeks of badgering Vertrue's employees, Butler was told by one worker there to try Classmates.com, since it was that company that had given up her debit-card information to Vertrue.

Then, she got another break. As she watched TV one day, Butler said she saw a commercial for NetZero, the dial-up Internet service operated by United Online, parent company of Classmates.com. There on her TV screen was Goldston, the CEO. She was fed up talking to functionaries. She consulted an online phone directory and learned that Goldston owned three homes in the Los Angeles area. She called them.

Eventually, Goldston's wife answered. Butler began to cry.

She told Mrs. Goldston about her frustration. She told her about her daughter's illness and how the money she lost didn't belong to her but was there to help JoAnna. She told her that if she didn't get reimbursed she would go to the media, even the Oprah Winfrey show if she had to, and expose them.


"Your husband is stealing from my daughter," Butler recalled saying.

It worked. Not only did Butler get reimbursed, but she said she also received a written apology from Classmates.com.

What all this means is that Caroline Butler is tough and refused to be pushed around by the likes of Vertrue and Mark Goldston. It also means that Goldston can't claim not to know that some of his customers are harmed by the practices employed by Vertrue and the other marketers.

What Goldston and all of the CEOs of the stores involved in this scandal need to do now is follow the lead of Goldston's wife: find some compassion, apologize and make amends.

Originally posted at Media Maverick
December 23, 2009 10:00 AM PST

Using Facebook and Twitter safely

by Elinor Mills

You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.

A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.

The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.

Here's a look at some of the specific threats users of the sites face and what they can do about it.

FACEBOOK

A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users.

(Credit: Trend Micro)

Problems: Malware, account hijacking, phishing, and social engineering

The biggest malware risk is Koobface (an anagram of Facebook), a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, the worm hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.

Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.

Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.

Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.

Problem: Rogue applications

Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.

Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?

Problem: Privacy leaks due to user error

Because people control who they are friends with on Facebook, it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users (such as using weak passwords), and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers, who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.

Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.

These instructions explain how to keep most people from viewing your friends list on Facebook.

(Credit: CNET)

Problem: Privacy leaks due to design or implementation issues

Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.

Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.

Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.

Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.

Problem: Privacy leaks related to marketing

The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.

Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.

Problem: Information used to suppress dissent and target political activists

As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.

"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.

Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.

TWITTER

This screen shot shows a Koobface attack message on a Twitter page.

(Credit: Trend Micro)

Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.

Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."

Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.

Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.

Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.

Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.

Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week the passwords of 32 million users, stored in plain text on the RockYou site, were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.

Originally posted at InSecurity Complex
December 16, 2009 11:10 AM PST

How to hide your Facebook friends list

by Larry Magid

Facebook last Wednesday announced new privacy settings that give users some additional control over what information they share, while taking away the ability to hide a few pieces of information from the general public.

One particular piece of publicly available information--users' friends lists--caused a bit of an uproar from a number of sectors, including business people who don't necessarily want to expose their professional networks to the public and their competitors. It is also a concern to some parents who might not want their kids--or a list of their kids' friends--to be widely available.

Facebook quickly backtracked. A day later, the company announced on its blog that users can now uncheck the "Show my friends on my profile" option in the Friends box on their profile so that their friend list won't appear on their publicly viewable profile.

Unfortunately, they weren't very clear on exactly how you make the change.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
December 11, 2009 11:44 AM PST

Note to Silicon Valley: How not to manage privacy

by Larry Downes

Editors' note: This is a guest column. See Larry Downes' bio below.

It's been a bad week for those, like me, who feel the debate over data privacy too often casts information businesses as evil Halloween monsters, determined to terrorize and humiliate their customers just for the fun of it.

On Monday, the Federal Trade Commission held the first of three conferences on privacy and technology, at which a parade of consumer advocates and legal scholars warned of an imminent data apocalypse.

Recent events seemed, alas, to support that view. Sprint, for example, reported that over the last 13 months, it has received more than 8 million requests for GPS data about customer location and movement from law enforcement agencies. (Sprint is now determining the number of customers affected, estimated to be in the thousands.)

Verizon and Yahoo filed objections to a Freedom of Information Act request that asked how much the companies charge to comply with government surveillance orders, claiming that release of the information would "shock" and "confuse" customers.

Then, Google's notoriously private CEO, Eric Schmidt, brushed aside a CNBC reporter's question about concerns that users are putting too much trust in his company, saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Most disturbing of all is what happened over at Facebook, the social-networking behemoth that now hosts more than 350,000,000 members. Based in part on complaints by government agencies in Canada and Europe, the company announced in July that it had begun testing a more comprehensive and simplified set of privacy settings, promising to give users "even greater control over the information they share and the audiences with whom they share it."

After months of what looked like careful planning, Facebook implemented its new privacy policy and user tools this week.

The announcement landed flat on, well, flat on its face. A chorus of the usual suspects, including the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, cried multiple fouls, objecting both to the nature of the changes and the way in which they were being imperiously foisted on users. "Under the banner of simplification," said the Electronic Privacy Information Center's Marc Rotenberg, "Facebook has pushed users to downgrade their privacy."

First, a word about the changes themselves. In a detailed exegesis published on Wednesday, EFF's Kevin Bankston divided the revisions into three categories: the good, the bad, and the ugly.

In the good column, Bankston noted that all Facebook users are being required to review their privacy settings and have been given new tools to simplify the process. For each individual post to their page, users can now limit who among their friends gets to see what. In the bad department, EFF doesn't like the recommended settings, which pretty much let everyone see everything.

The ugly, however, are genuinely ugly. The version of a user's Facebook page open to Facebook members and nonmembers alike will now show the user's name, profile picture, location, and gender, as well as a complete list of her friends. Most of that information can no longer be controlled other than by not providing it in the first place. (Facebook has already backtracked on the public availability of friends information.) And users can no longer opt out of letting Facebook and third-party applications, such as all those quizzes and tests my friends seem to spend most of the day filling out, access at least some information from their account and that of their friends.

Logic behind privacy policy changes
I understand why Facebook wants these changes. Given the sheer number of Facebook users, it's increasingly difficult to find friends when presented with a list of dozens of profiles with matching names and no other information.

As the company moves to find ways of making money from its network, moreover, open access to information about users is not just important--it's essential. Constraining the company's ability to publish and otherwise monetize that information limits the chances Facebook and other social-networking sites can continue to secure funding, compete in a wide-open market, and ultimately survive as a commercial enterprise.

That, at least, is the kind of reasonable explanation for the changes the company could have provided. Instead, it announced the new policy and implemented it at the same time, leaving no opportunity for user review or comment. According to EFF's Bankston, Facebook didn't disclose the creation of the new category of "publicly available information,"--that is, information about a user that cannot be controlled--until "the very day it is forcing the new changes on users." (Facebook did, in fact, allow a one-week comment period on a draft of the new policy, which is more than 5,000 words long, in early November.)

The company's reliance on good relations with its users makes the ham-fisted and tone-deaf nature of these changes both "shocking" and "confusing." After a minirevolt erupted earlier this year over changes to Facebook's terms of service, in which the company seemed to grant itself a more generous license for user data, a chastened CEO Mark Zuckerberg quickly reversed course.

More than that, Zuckerberg promised that future modifications would be developed in collaboration with users on an open-source model. "Our terms aren't just a document that protects our rights," Zuckerberg wrote on the company's blog, "it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service."

Exactly. So why didn't Facebook learn from its own painful lesson? While the company tested the new features with some users and solicited comments on the privacy policy over the last several months, Facebook reported in November that the number of comments it received on its draft proposal "did not reach the threshold to hold a vote." That's not a good thing.

Lessons not learned
Despite the high level of emotion, rightly or wrongly, that users attach to the topic of privacy, the new policy and tools simply arrived, providing some new protections even as existing controls were unceremoniously removed. Did the company think no one would notice? These and other recent privacy gaffes and missteps have unfortunate consequences.

Consumers, already uneasy about how increasingly intimate information is being handled online, will trust companies less, raising the potential for government regulations and new privacy agencies to fill a perceived void. That would be a dangerous result, and ultimately a counterproductive one.

Introducing new layers of regulatory bureaucracy will slow the pace of exciting innovations in information technology that have kept users engaged in the first place. And interjecting government oversight over any data raises the possibility of misuse of that information by other parts of the government, a problem made all too clear by continued revelations about secret surveillance under the wide umbrella of the Patriot Act and other antiterrorism measures.

The reality is that most information services do a good and responsible job of balancing user interests in controlling information access with value derived from transactional and other data that pay for much of what happens online.

Though often implicit, users today trade the use of information about their activities, purchases, and interests for innovative and often free services that analyze and aggregate that data. Such services help cell phone users locate their friends with Loopt, help consumers simplify their search for products and services on Amazon and eBay, and let people connect with each other in the low transaction cost world of social-networking applications such as Facebook and Twitter.

The real problem: PR
The real problem here is not of policy but rather of public relations. Start-up companies increasingly invest early and often in legal counsel, in part to navigate the complex waters of intercompany relationships and in part to avoid potentially lethal litigation from patent trolls, unhappy competitors, and a global army of business regulators.

At the same time, marketing, as well as public and government relations, gets little attention, as companies believe that enthusiastic users are now the best form of PR a young company can get and at a price that can't be beat.

Maybe so. But as information exchanges have moved from the purely pedestrian business-to-business networks of the 1980s to the everything-and-everybody sharing that characterizes our increasingly digital lives, companies who discount or dismiss the emotional and even irrational attachment consumers have to information about themselves do so at their peril.

It's not that Google, Facebook, and others need to change in any fundamental way how they do business. They must rather rethink the casual, careless, and often conceited way with which they communicate to users, business partners, regulators, and other stakeholders. When the lawyers lead, everyone loses.

For companies like Facebook today and everyone else tomorrow, users and the data they provide are not just the most valuable asset; they are the only asset. As consumers absorb that fact, they will increasingly use the tools of online communities--ironically, tools provided by social-networking sites themselves--to express their dissatisfaction with unequal exchanges of information for value. Better to collaborate with them now than to negotiate later, at the end of a gun.

Facebook, as Mark Zuckerberg correctly noted, is a kind of virtual nation, where terms of service and other policy documents serve as Constitution and governing law. As such, changes to both policy and practice require honest deliberation and engagement with the residents.

They can no longer be delivered as fait accompli. For one thing, it's pretty easy for virtual citizens to revolt against a government they don't like, or simply pack up and move somewhere less tyrannical. Easier than it is in the physical world, in any case.

Originally posted at Security
December 9, 2009 7:25 AM PST

Facebook details new privacy settings

by Larry Magid
  • 11 comments

Facebook users are about to see an unfamiliar screen when they sign on to the service--a request to configure their privacy preferences. But it's not really a request. It's a requirement.

"As far as we know, it's the first time in the history of the Internet," said Facebook spokesman Simon Axten, "that so many people have been required to make affirmative decisions about their privacy."

The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.

All Facebook users will be asked to configure privacy settings

(Credit: Facebook)

Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.

In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class action lawsuit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security."

In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create "a new approach to site governance" so that its decisionmaking would be more transparent.

Mandatory privacy settings
All users will soon be confronted with a "privacy announcement" informing them that they must configure their settings. Initially, you will be able to "skip for now" but you will later be required to go through the steps in order to continue using the service, according to Axten.

To encourage people to share information, Facebook has set the default to "everyone," but you can later go back to set more restrictive settings. You can also keep your old settings. If you're not sure what they are, you can display them by hovering over the radio button.

New Facebook privacy setting page

(Credit: Facebook)

In the final step, Facebook displays your settings and gives you a chance to change them. At this point or at any time in the future you will be able to adjust any of your settings.

Final stage verifies new settings.

(Credit: Facebook)

The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.

Some information must be publicly available
Some information--including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you're a fan of--will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.

According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a "John Smith" in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However, Axten added that if a user had previously configured their privacy settings, they should keep what they already have.

While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.

Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you'll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night's exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to "friend" me at Facebook.com/larrymagid, but I also maintain a list of "real world friends."

Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.

Facebook's Axten said that application developers will have access to all publicly available information, but can only access other information with the user's permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.

Facebook is also launching a new Privacy Center that will offer "a comprehensive guide that helps users understand and control how they share information."

Disclosure: Facebook is one of several companies that provides support to ConnectSafely.org, a nonprofit Internet safety organization I help run.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
December 7, 2009 7:34 AM PST

Study: Facebook users willingly give out data

by Don Reisinger

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns over the way Facebook users are keeping information private come on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

December 7, 2009 6:30 AM PST

Yahoo adds privacy tool, in time for FTC meetings

by Kara Swisher, AllThingsD
  • 6 comments

Yahoo announced on Monday a new consumer tool called "Ad Interest Manager."

BoomTown is going to ignore the could-it-be-duller name for the feature, which--Yahoo said in a press release you can see below--gives users a "central place where Yahoo visitors can see a concise summary of their online activity and make easy, constructive choices about their exposure to interest-based advertising served from the Yahoo Ad Network."

What fortuitous timing, since the first of three of the Federal Trade Commission's "Exploring Privacy: A Roundtable Series" begins Monday in Washington, D.C.

And, of course, the bigger backdrop is the pending regulatory approval of the massive search and advertising partnership between Yahoo and Microsoft. The two companies announced Friday that they had completed the definitive agreement for the deal.

One of the key issues for regulators, of course, is the privacy implications of combining the search and online ad technologies of the No. 2 and No. 3 players.

The FTC's day-long agenda (PDF) is chock-full of academics and privacy group folks, but there is a Microsoft lawyer on a panel. (The next roundtable takes place at the University of California, Berkeley, School of Law on January 28.)

Said the FTC on its site:

The Federal Trade Commission will host a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

There will surely be lots to discuss, since privacy groups are wary of self-regulation by the very companies that link consumer data to advertising.

And, they have a point.

Visiting my Ad Interest Manager page is kind of freaky, to be honest. It shows I am interested in entertainment, technology and travel, checking in most on the finance and television pages. Correctomundo!

Also, it has detailed data about my computer, including its color depth, as well as my age and gender.

If I want, it is pretty easy to opt-out of the whole "interest-based" ad completely or by category, with on-off switches, which is a good thing.

If you want to know more, here is the Yahoo press release:

YAHOO! INTRODUCES AD INTEREST MANAGER

PROVIDES CONSUMERS WITH GREATER TRANSPARENCY AND CONTROL OVER THEIR ONLINE ADVERTISING EXPERIENCE

Today Yahoo! Inc. (NASDAQ: YHOO) released a beta version of a new consumer tool called Ad Interest Manager, which takes transparency in online advertising to a new level for building user trust. Ad Interest Manager http://privacy.yahoo.com/aim is a central place where Yahoo! visitors can see a concise summary of their online activity and make easy, constructive choices about their exposure to interest-based advertising served from the Yahoo! Ad Network.

"Ads tailored to users' interests make online experiences more compelling and user-focused, and the new tool Yahoo! is launching today will provide transparency into how Yahoo!'s interest-based advertising works," said Yahoo! Vice President of Policy and Head of Privacy, Anne Toth. "Yahoo! is committed to providing consumers with increased transparency and control when they are online. Ad Interest Manager will show users what interests we think they have, and also let them edit and change those interests to reflect the most up-to-date information." Anne Toth also pointed out: "Importantly, users who don't want interest-based ads can turn them off completely."

Yahoo!'s new Ad Interest Manager tool:

• Provides a central point where Yahoo! visitors can assert even greater control over their online experience.

• Gives visitors an unparalleled view into the information used to deliver interest-based advertising.

• Shows the visitor both Yahoo!'s educated guesses about their interests and a summary of observations, along with other information they have provided.

• Provides a list of specific interest categories that Yahoo! has placed a user into and lets people turn those categories off.

• Allows people who don't want to see interest-based ads to turn them off entirely.

"Yahoo! has long provided its users with products and services for free, thanks to a business model based almost entirely on advertising, and we've found that consumers are more likely to click on advertising that speaks directly to them and their interests," said Yahoo! Vice President and General Manager of Display Advertising, David Zinman. "With the introduction of Ad Interest Manager, users can not only get a better understanding of how the process works, but they can also communicate better with Yahoo! and our advertisers about what most interests them."

Yahoo!'s Ad Interest Manager is currently available in beta in the U.S. and will soon be made available to UK and European users. Planned future enhancements to the Ad Interest Manager will also let users add categories of interest that Yahoo! may have missed.

To see what the new Ad Interest Manager looks like and how it works, please visit http://privacy.yahoo.com/aim.

Yahoo! was one of the first companies to implement a layered privacy center http://info.yahoo.com/privacy/us/yahoo/details.html model more than eight years ago, which provides people with a central place to understand and control their privacy online, as well as their options when it comes to the use of personal data. This information is coupled with our industry-leading data-retention policy http://ycorpblog.com/2008/12/17/your-data-goes-incognito/, which anonymizes most Web log data within 90 days. The policy also strives to ensure that Yahoo! retains data only long enough to serve the business and create the highest-quality user experiences, while simultaneously maintaining the ability to fight fraud, secure systems, and meet legal obligations.

And here is the consumer privacy groups' press release on the FTC hearings:

Consumer and Privacy Groups at FTC Roundtable to Call for Decisive Agency Action

Washington, DC, December 6, 2009--On Monday December 7, 2009, consumer representatives and privacy experts speaking at the first of three Federal Trade Commission (FTC) Exploring Privacy Roundtable Series will call on the agency to adopt new policies to protect consumer privacy in today's digitized world. Consumer and privacy groups, as well as academics and policymakers, have increasingly looked to the FTC to ensure that Americans have control over how their information is collected and used.

The groups have asked the Commission to issue a comprehensive set of Fair Information Principles for the digital era, and to abandon its previous notice and choice model, which is not effective for consumer privacy protection.

Specifically, at the Roundtable on Monday, consumer panelists and privacy experts will call on the FTC to stop relying on industry privacy self-regulation, because of its long history of failure. Last September, a number of consumer groups provided Congressional leaders and the FTC a detailed blueprint of pro-active measures designed to protect privacy, available at: http://www.democraticmedia.org/release/privacy-release-20090901.

These measures include giving individuals the right to see, have a copy of, and delete any information about them; ensuring that the use of consumer data for any credit, employment, insurance, or governmental purpose or for redlining is prohibited; and ensuring that websites should only initially collect and use data from consumers for a 24-hour period, with the exception of information categorized as sensitive, which should not be collected at all. The groups have also requested that the FTC establish a Do Not Track registry.

Quotes from Monday's panelists:

Marc Rotenberg, EPIC: "There is an urgent need for the Federal Trade Commission to address the growing threat to consumer privacy. The Commission must hold accountable those companies that collect and use personal information. Self-regulation has clearly failed."

Jeff Chester, Center for Digital Democracy: "Consumers increasingly confront a sophisticated and pervasive data collection apparatus that can profile, track and target them online. The Obama FTC must quickly act to protect the privacy of Americans, including information related to their finances, health, and ethnicity."

Susan Grant, Consumer Federation of America: "It's time to recognize privacy as a fundamental human right and create a public policy framework that requires that right to be respected. Rather than stifling innovation, this will spur innovative ways to make the marketplace work better for consumers and businesses."

Pam Dixon, World Privacy Forum: "Self-regulation of commercial data brokers has been utterly ineffective to protect consumers. It's not just bad actors who sell personal information ranging from mental health information, medical status, income, religious and ethnic status, and the like. The sale of personal information is a routine business model for many in corporate America, and neither consumers nor policymakers are aware of the amount of trafficking in personal information. It's time to tame the wild west with laws that incorporate the principles of the Fair Credit Reporting Act to ensure transparency, accountability, and consumer control."

Story Copyright (c) 2010 AllThingsD. All rights reserved.

December 3, 2009 2:57 PM PST

Facebook notifies members about Beacon settlement

by Caroline McCarthy
  • 5 comments

An e-mail was sent on Thursday to Facebook users who were members at the time that its controversial, now-defunct Beacon advertising program was operated: it's the official notice about the proposed settlement for the class-action lawsuit against Beacon. The terms of the settlement have been public since September, but the court-ordered summary notice is the last step in the process before final approval on February 26.

"This is not a settlement in which class members file claims to receive compensation," the notice explained (possibly crushing the hopes of any Facebook members who might have got excited that this would be an easy way to make some pizza money). "Under the proposed settlement, Facebook will terminate the Beacon program. In addition, Facebook will provide $9.5 million to establish an independent nonprofit foundation that will identify and fund projects and initiatives that promote the cause of online privacy, safety, and security."

A Web site has been set up to explain the terms of the settlement for the case Lane et al. vs. Facebook Inc. et al., which was originally filed last summer.

Beacon, an advertising program that shared members' activity on participating third-party sites on their Facebook profiles without much warning or notification, was a much-hyped part of the Facebook Ads initiative that debuted in the fall of 2007. But it was, unfortunately for Facebook, a complete public relations disaster.

Pressure from privacy and activist groups resulted in notable changes to the product and member controls thereof, but image repair proved to not be enough and Facebook let Beacon fade to black.

Originally posted at The Social
November 17, 2009 6:05 PM PST

Facebook adopts new privacy policy

by Steven Musil
  • 11 comments

Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.

The social network had just completed a weeklong comment period for the new revision and, though "a lot of people participated," less than 7,000 members commented. According to Facebook's rules, this meant that a vote was unnecessary, Michael Richter, Facebook deputy general counsel, wrote in a company blog.

Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.

The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.

The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.

The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.

November 12, 2009 4:41 PM PST

Convicted murderer sues Wikipedia under privacy law

by Chris Matyszczyk
  • 35 comments

Here's the story. Or at least most of it.

Some 19 years ago, a man in Germany, together with his half brother, reportedly murdered an actor named Walter Sedlmayr. The man was convicted and served 15 years in jail.

Now he is free. And, according to Wired, he has exercised that freedom by instructing lawyers, the elegantly named firm of Stopp and Stopp, to sue Wikipedia.

The lawsuit claims that German privacy law, designed to help criminals re-integrate into society, prevents the man being named in association with Walter Sedlmayr's murder.

Wired quotes Jennifer Granick from the Electronic Frontier Foundation as saying that the lawyers are not only demanding that publications change whatever they write now, but that online archives must endure revision, too.

In writing to Wikipedia, the lawyers offered a very interesting approach: "As your article deals with a local German public figure (such as the actor Walter Sedlmayr), we expect you are aware that you have to comply with applicable German law."

Well, gosh, perhaps not everyone realizes when they mention, say, Boris Becker or that interesting actress who was in the first of the Bourne movies, that one is subject to German law when one does so.

Geek.com quotes the Electronic Frontier Foundation as adding: "At stake is the integrity of history itself. If all publications have to abide by the censorship laws of any and every jurisdiction just because they are accessible over the global Internet, then we will not be able to believe what we read, whether about Falun Gong (censored by China), the Thai king (censored under lèse majesté) or German murders."

You might be wondering why I have not mentioned this German murderer's name. You see, as I write, I am reminded that the world seems to revel in the persona of murderers. In some slightly twisted way, they become figures of fascination.

I have a strange suspicion that the more the name of Walter Sedlmayr's murderer is mentioned, the more famous he will become. And the more famous he will become, the more money he might be able to make from the fame he claims not to desire.

So I am conducting a fame-reduction experiment. Moreover, I know that everyone who chooses to discover his name can do so in a myriad of ways.

I wonder how many people tried to access information about this man who murdered the German actor Walter Sedlmayr and how many people have done so in recent days.

I also wonder how Wikipedia will choose to respond to this interesting and rather revisionist-minded lawsuit. At the time of writing, the full names of both murderers are still there in the Wikipedia entry for Walter Sedlmayr.

However, the Wikipedia Administrators' noticeboard has a spirited discussion about all aspects of the case.

The solution proposed by a poster called Zara1709 on the noticeboard is to "remove the full name from the article and the article talk page, but leave in the edit history of the article and the talk page. We would even have some sources that mention the full names in the reference, simply because they provide other, relevant information, too."

The precedent for this is the so-called Star Wars kid case, in which a 14-year-old Canadian boy waved around a golf-ball retriever like a lightsaber and then endured painful taunts, leading to an equally painful lawsuit.

Zara1709 noted that: "It is quite important to point out that, on Wikipedia, regard for people's privacy applies to criminals and former criminals, too."

However, another poster, Baseball Bugs, dissented: "There is no justification whatsoever for censoring the names of the killers. The notability argument is bogus, there is no privacy or BLP issue, and the 'doing harm' argument is crystal-ball and thus is irrelevant. And some anonymous German judge has no jurisdiction over Wikipedia."

In reading all this, I am left with the words that were often drubbed into me by teachers: "History is written by the winners."

So if this German request succeeds, might some consider that the winner is Wolfgang Wehrle, the man who, with his half brother Manfred Lauber, murdered Walter Sedlmayr 19 years ago? Dash it, I couldn't help myself. I hope I'm not causing undue work for some future editor.

Originally posted at Technically Incorrect
Chris Matyszczyk is an award-winning creative director who advises major corporations on content creation and marketing. He brings an irreverent, sarcastic, and sometimes ironic voice to the tech world. He is a member of the CNET Blog Network and is not an employee of CNET.