
Hanging by Meta’s Threads

[NB: check the byline, thanks. /~Rayne]

If you are very much online in social media, you’ve likely heard the buzz about Threads – the new microblogging platform owned and operated by Facebook’s parent, Meta.

I’m not going to get into a detailed discussion of Threads versus its problematic competitor Twitter or ex-Twitter CEO Jack Dorsey’s problematic alternative, Bluesky Social. You’re perfectly capable of doing the homework on them and other competing microblogging platforms.

Of concern to me: how will Threads eventually interact with the open source federated universe (fediverse) of platforms including Mastodon. Threads is expected to federate eventually and allow easy sharing of communications and content between member platforms in the fediverse.

There has been so much conversation about this topic in Mastodon that I’ve had to filter it out. The discussion has been warranted, but the subject has been polarizing and frankly exhausting.

Some Mastodon users – mostly those who left Twitter and miss it badly – want this new Meta project to integrate seamlessly with Mastodon so that they can encourage former Facebook folks to come over to Mastodon. They’re missing much busier levels of activity in their timelines which were driven by algorithms at Twitter and at Facebook as well. And some simply can’t handle the increased complexity Mastodon poses, from choosing an instance to finding friends old and new, or building a feed.

Some Mastodon users – like me – don’t really care to federate with Meta’s users whether from Facebook or Instagram. In my case my primary concerns are data privacy and remaining ad free. While I feel fairly confident my experience within Mastodon won’t ever involve ads, I can’t say that will be the case once I make contact with someone in Threads just as looking at a tweet on Twitter will likely expose me to advertising. I simply do not want to give my attention without my advance consent to any business advertising in social media.

(Side note: look around here in emptywheel – see any ads? How’s that shape your experience here?)

Because of these concerns I’ve been looking for ways to limit exposure of personal data now that Meta has begun a soft launch of Threads over the last 24 hours.

~ ~ ~

Ahead of a formal launch, Eugen Rochko, Mastodon’s creator, published a statement about the way Threads and Mastodon are supposed to work. This statement was the result of meetings he had with Meta about the way Threads was expected to work once it joined the fediverse.

See https://blog.joinmastodon.org/2023/07/what-to-know-about-threads/

Note this paragraph in particular:

Will Meta get my data or be able to track me?

Mastodon does not broadcast private data like e-mail or IP address outside of the server your account is hosted on. Our software is built on the reasonable assumption that third party servers cannot be trusted. For example, we cache and reprocess images and videos for you to view, so that the originating server cannot get your IP address, browser name, or time of access. A server you are not signed up with and logged into cannot get your private data or track you across the web. What it can get are your public profile and public posts, which are publicly accessible.

There’s still a problem here, if you think back to what researcher Aleksandr Kogan could do with Facebook’s data harvested ~2014. The network of people around those whose data had been obtained could still be deduced.

If some users outside Meta have past usernames in Facebook/Instagram/WhatsApp which match; and/or if users have had previous long-term contacts with Meta users, and/or if data from Twitter or other social media platforms can also be acquired and correlated, it wouldn’t be difficult to build out the social network of Threads users who interface with Mastodon or other fediverse platform users.

This gets around the reason why Mastodon in particular has been resistant to integrating search across the fediverse. Search was intentionally limited during Mastodon’s development to prevent swarming and brigading attacks and other forms of harassment targeting individuals, particularly those identified in minority and/or protected classes.

Consider for example the case of a gay person who associates with other gay people who know each other locally but communicate using these tools. It won’t take that much effort especially with the aid of GPT AI to create the means to identify entire networks of gay persons related one to several degrees apart. Once identified, it wouldn’t take much to begin brigading them if enough other hostile accounts have been established. One could even imagine the reverse identification process applied in order to find persons who are violently anti-gay and likely to welcome opportunities to harass gays.

Imagine, too, how this could affect young women contacting others looking for reproductive health care information.

~ ~ ~

There is a temporary saving grace: Threads is not approved in the EU. Not yet.

The server which hosts my Mastodon account is located in the EU and therefore will not yet allow Threads users access through federation.

The same server’s administrator also polled users and asked if they wanted to allow Threads to federate with this server; they voted it down.

So I guess I’m okay where I’m at for the moment.

There are fediverse servers out there which will never allow Threads to federate with them. I’ve seen a Mastodon server which has said it will never allow Meta applications to federate because it’s against their server’s terms of use to allow entities which enable genocide and crimes against humanity to do so.

Good for them.

And good for us: PressProgress editor Luke LeBrun collected the app privacy policies for Threads, Bluesky, Twitter and Mastodon for contrast and comparison:

Can’t imagine why I would have any concerns about Threads…ahem.

~ ~ ~

This is all fairly new and unfolding even as I write this. What the fediverse will look like once Threads makes full contact is anybody’s guess.

But there are several things we do know right now, with certainty:

– Meta has been and remains a publicly-held holding company for a collection of for-profit social media businesses. Its business model relies on selling ad space based on targeted markets, and selling data. This will not change short of a natural disaster like a meteor strike taking out all of Silicon Valley and the greater San Francisco area, and that may still not be enough to change the inevitable monetization of Threads and all the platform touches.

– Meta has been operating under a consent decree issued by the Federal Trade Commission since 2011 after violating users’ privacy; it violated that agreement resulting in a $5 billion fine which it has fought against paying. Meta’s track record on privacy is not good and includes the non-consensual collection of personal data by academic Aleksandr Kogan. The data was later used by Cambridge Analytica/SCL and may have been involved in influence operations during the 2016 election.

– The EU is light years ahead of the US when it comes to privacy regulations. California as a state comes closest to the EU in its privacy regulations but it shouldn’t matter which state we are in – our privacy concerns are the same across the country, and opt-in should be the standard, period. US state and federal lawmakers have been and will likely continue to be slow to take any effective action unless there is considerable pressure by the public to meet the EU’s efforts.

– Law enforcement in the US have purchased and used without a warrant personal data collected through users’ use of social media. There has been inadequate pressure by the public to make this stop, and this will put the health and safety of women and minority groups at risk.

Changing the direction in which this is headed requires engagement and action. By now you know the drill: contact your representatives in Congress and demand legislation to protect media users’ privacy. (Congressional switchboard: (202) 224-3121 or Resist.bot)

That’s no slip: no form of media on the internet should be immune from protecting its users’ privacy.

You should also contact your state’s attorney general as well as your legislators and demand your state matches California’s Consumer Privacy Act (CCPA) when it comes to privacy protections – at a minimum. Meeting the EU’s General Data Protection Regulation (GDPR) would be better yet.

Leaving Elmo’s Marriage

[NB: check the byline, thanks. /~Rayne]

My moderation team counterpart bmaz is a bit put out at people who are flouncing Twitter dramatically. We don’t see eye to eye about the topic of departing Twitter now. I’m among those who are unwinding their accounts now that Elmo has been forced into marrying Twitter, Inc.

Elmo’s turbulent management style is one reason I’d like to leave. Who knows what any given day will yield – will a new policy pop up out of the blue insisting users must pay for services to which they’ve become accustomed for years?

Security is another matter of concern, and in saying security I mean I have my doubts about personal data security now that Elmo has capriciously announced he’s going to fire 75% of Twitter’s personnel…and now 50% this Friday…and maybe with or without compliance with state or federal WARN Act.

Does anyone really think Twitter personnel are at top form right now when they’re looking over their shoulder for their pink slip? Could you blame them if they aren’t?

But my biggest single reason for wanting to leave Twitter is this: I do not want to be Elmo’s product.

~ ~ ~

Artist Richard Serra said of his experience viewing the painting Las Meninas (c. 1656) by Diego Velázquez:

“I was still very young and trying to be a painter, and it knocked me sideways. I looked at it for a long time before it hit me that I was an extension of the painting. This was incredible to me. A real revelation. I had not seen anything like it before and it made me think about art and about what I was doing, in a radically different way. But first, it just threw me into a state of total confusion.”

When one first sets eyes upon the painting, it appears to be one of the young Infanta Margaret Theresa of Spain and her ladies in waiting, standing next to a portraitist at work. It takes a moment to realize that the portraitist isn’t painting the Infanta but whomever the Infanta is observing, and yet another moment to realize the subject of the portrait and the Infanta’s gaze can be seen in the mirror behind them.

The painting’s observer will then realize they are standing in for the Infanta’s parents who are being painted by the portraitist — and the painting is a self portrait of Velázquez at work. The painting’s observer is a proxy who has not fully consented to their role but nonetheless becomes the subject of the painter at work.

It is this same inversion which must be grasped to understand why I refuse to be Elmo’s product.

I know that I am not Twitter’s customer. I’m not the consumer.

If I remain I am the consumed in Elmo’s forced marriage scenario.

~ ~ ~

Serra and director Carlota Fay Schoolman produced a short film in 1973 entitled, “Television Delivers People.” It was considered video art, using a single channel with a text scroll to critique television.

This excerpt explains the relationship between the audience and television:

Commercial television delivers 20 million people a minute.
In commercial broadcasting the viewer pays for the privilege of having himself sold.
It is the consumer who is consumed.
You are the product of t.v.
You are delivered to the advertiser who is the customer.
He consumes you.
The viewer is not responsible for programming —
You are the end product.

What television did in the 1970s, social media does today. It consolidates access to disparate individuals over distances into audiences of varying sizes and offers them to advertisers.

Social media is mass media.

Social media, however, doesn’t serve audiences to advertisers alone. Given the right kind of incentives and development, audiences can be bought for other purposes.

There are almost no regulatory restrictions on audiences being identified, aggregated, bought, and resold, and very little comprehensive regulation regarding data privacy.

Elmo so far doesn’t appear to understand any of this between his uneducated blather about free speech and his ham handedness about Twitter’s business model.

I do not want to be sold carelessly and indifferently by Elmo.

~ ~ ~

If you are a social media user, even if validated or a celebrity with millions of followers, you are the product. You are being sold by the platform to advertisers.*

There may even be occasions when you’re not sold but used – recall the access Facebook granted to researcher Aleksandr Kogan in 2013 as part of experimentation, which then underpinned the work of Cambridge Analytica ahead of the 2016 election.

Facebook was punished by the Federal Trade Commission for violating users’ privacy, but there’s still little regulatory framework to assure social media users they will not be similarly abused as digital chattel.

What disincentives are there to rein in a billionaire with an incredibly short attention span and little self control now that he’s disbanded Twitter’s board of directors? What will prevent Elmo from doing what Facebook did to its users?

I’ve raised a couple kids with ADD. I don’t want to be on the other end of the equation, handled as digital fungible by an adult with what appears to be ADD weaponized with narcissism.

I deserve better.

I’m only going to get it if I act with this understanding, attributed again to Serra:

If something is free, you’re the product.

~ ~ ~

By now you should be used to hearing this, but I’m leaving this marriage, Elmo.

Treat this as an open thread.

__________

* We do not sell data about our community members.

Security Saturday

[NB: check the byline as usual, thanks. /~Rayne]

I have Disney’s ‘Cinderelly’ song from the animated movie Cinderella stuck in my head now as I do my weekend cleaning.

We observed “Cinderella Saturdays” when my kids were younger. At 10:00 a.m. the morning cartoons were turned off (or the teenagers awakened) and appropriate Get Moving music put on the stereo.

For the next two to four hours we’d tear through the house with vacuums and mops and dust rags, throwing bedding in the laundry and hanging wash on the line.

It felt so good to be done with the chores by mid-afternoon. Or done with the irritating question, “When are we going to be able to play?”

~ ~ ~

It’s Saturday once again, but our cleaning chores have changed. Now it’s time to address digital chores like information security, ensuring the week will be safer than the last.

— If you haven’t reset your passwords recently, it’s past time.

— If you haven’t set up Multi-Factor Authentication, it’s also past time.

— If you haven’t recently used some apps on your mobile devices, it’s time to remove those you don’t need. Please consider using a good browser to access services instead of apps because each app is a new security risk, a chance to be hacked.

— If you feel like you need more information about personal information security, visit Electronic Frontier Foundation’s Surveillance Self-Defense page.

https://ssd.eff.org

— This site by Tactical Tech is no longer being updated but it’s still a decent guide to privacy and security considerations you might want to browse as a guideline:

https://myshadow.org/increase-your-privacy

Tactical Tech also offers their own resource kit called Security in a Box:

https://securityinabox.org/en/

— If you don’t have this automated already and haven’t cleaned your browser’s cache, search and download history, cookies, site settings, now’s the time to go through them.

— If you don’t have antivirus and antimalware applications set up on an automatic schedule, it’s also time to get this done.

— If you don’t have instructions “in case of an emergency” about your online accounts for your family, now’s the time to draft them and put them wherever you also keep your legal documents like a springing power of attorney, patient advocate authorization, and so on.

~ ~ ~

Now a few words about housekeeping for this site.

First, you may have noticed occasional lags or quirks in service of late. You may assume we’ve made somebody unhappy and they’re having a “tantrum,” in which case you may need to wait until the “tantrum” is done.

You can check for us online at Twitter — our accounts are:

@emptywheel
@bmaz
@raynetoday
@MasaccioEW
@JimWhiteGNV

(I don’t think Peterr has a Twitter account, sorry.)

Second, how our security works won’t be elaborated upon here, but you can guess there are triggers which may cause your comments not to make it directly onto the page. Things you can do to reduce the possibility of tripping a trigger:

— Make sure you use the same username each time, spelled the same way. (You have NO idea how much time is spent checking users’ account information and correcting some minor typo or spelling error because it’s tripped up a comment.) Save the information in a plain text notepad file to cut-and-paste if you’re forgetful or prone to fat fingering keys.

And no, we’re not going to look for a new comment system. We do not need to maintain a separate database which may also collect and sell your data.

— If your post has links, you may wish to “break” the link by inserting blank spaces so that it’s not active when posted; an active link may cause auto-moderation. The more links you share in your comment, the more likely your comment will go into auto-moderation.

— There are times when security is tighter, especially if you’re using a VPN. I’m sorry but this is simply a necessity for the security of the site and community members.

— Comments allow only a narrow range of HTML tags here; this is another security measure.

— If you’re being an ass and/or SHOUTING or swearing at community members or contributors/moderators, you can expect auto-moderation to kick in; see our Community Guidelines for more elaboration.

— For the safety of this site and others, please consider removing tracking from URLs you share in your comments. Links to sites of a questionable nature will never make it onto the site, including links to Google Docs.

Twitter links in particular are very easy to edit to remove tracking — just delete the question mark and everything after it so Twitter doesn’t have a full path from you, your machine, the person you’re retweeting/sharing, back to this site.
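The link cleanup described above, as an added example (not part of the original post and not this site's own tooling): it drops the question mark and everything after it on Twitter links, removes common tracking parameters from other links, and counts the links in a draft comment. The function names, the tracking-parameter list and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts where the post's rule applies: delete "?" and everything after it.
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# Assumed list of common tracking parameters; extend as needed.
TRACKING_KEYS = {"fbclid", "gclid", "igshid", "mc_cid", "mc_eid"}
TRACKING_PREFIXES = ("utm_",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"  # sentence punctuation that is not part of the link


def is_tracking_key(key):
    """True if a query parameter name looks like a tracking parameter."""
    key = key.lower()
    return key in TRACKING_KEYS or key.startswith(TRACKING_PREFIXES)


def strip_tracking(url):
    """Return the URL with tracking removed.

    Twitter links lose the whole query string and fragment; other links
    keep their functional parameters (e.g. ?id=42) in their original
    encoding and only lose the tracking ones.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in TWITTER_HOSTS:
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    kept = [
        pair for pair in parts.query.split("&")
        if pair and not is_tracking_key(pair.split("=", 1)[0])
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, "&".join(kept), parts.fragment)
    )


def clean_comment(text):
    """Clean every link in a draft comment.

    Returns (cleaned_text, link_count); the count matters because more
    links make auto-moderation more likely.
    """
    count = 0

    def _replace(match):
        nonlocal count
        count += 1
        raw = match.group(0)
        url = raw.rstrip(TRAILING_PUNCT)   # keep the sentence's full stop
        return strip_tracking(url) + raw[len(url):]

    return URL_RE.sub(_replace, text), count


if __name__ == "__main__":
    # Constructed sample comment; the account name and status ID are made up.
    draft = (
        "Thread here: https://twitter.com/example_user/status/1234567890"
        "?s=20&t=AbCdEf. Background at "
        "https://example.org/story?id=42&utm_source=newsletter&fbclid=XYZ#part-2"
    )
    cleaned, links = clean_comment(draft)
    print(cleaned)
    print("links in comment:", links)
```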

~ ~ ~

And now set up reminders in your calendar: clean your browser weekly, change your password monthly to quarterly, check all your other security bells and whistles at least 2-4 times a year.

You can go play when you’ve finished your housekeeping chores.

FaceApp and Its Targeted Audience

[NB: Please check the byline, thanks! /~Rayne]

You may have seen the buzz earlier this week across social media when cellphone users loaded and used a mobile app which applied an aging filter to a selfie photo so users could see a predictive image of their future face.

Except the vain and foolish downloaded an app developed in Russia — an app with the most ridiculous terms of service. More at this Twitter thread by @PrivacyMatters:

The app doesn’t make it easy to find their Terms of Service (TOS) or Privacy Policy, which to me is a red flag.

Russia does not fall under the EU’s Global Data Privacy Regulation, meaning users cannot have expectations of privacy and government oversight protecting their data. Russia ratified the Council of Europe’s Data Protection Convention 108 in 2013 but this appears to be little more than a head fake when Russians have taken Facebook data and used it for adverse micro-targeting against U.S. citizens in 2016. If the convention had been taken seriously, Russia’s government would also have investigated the Internet Research Agency for abusing personal data without users’ consent after the Department of Justice indicted IRA members.

The app’s developers say users’ data isn’t hosted in Russia, clarifying after initial inquiries that only a limited amount of each user’s data was hosted on Amazon Web Services and Google Cloud — but how would the average user be able to validate this claim? The question of hosting seems at odds with the developers’ explanation that

The Democratic National Committee issued a warning to 2020 campaigns that FaceApp should not be used and should be removed from devices.

It’s ridiculous that after the DNC was hacked and state election systems breached or targeted by Russia in 2016 that any sentient Democrat working or volunteering for a Democratic candidate’s campaign would be stupid enough to download and use this app, if they even read the TOS. But the viral popularity of the application and the platforms on which its output was most often shared likely propelled its dispersion even among those who should know better.

Which brings up the app’s targeted audience: younger people who share images frequently in social media.

The app required users’ social media identity; it captured the IMEI address of the device they were using. Imagine being able to TREASUREMAP all these users over the internet and LANs.

Finally, the app captured the users’ image for editing. Imagine this data linked to all of a user’s Facebook data, matched to their DMV records including their photo, validated by phone number if recorded by DMV.

It’d be insanely easy to ‘clone’ these users in both content and in photos and in videos using Deep Fake technology.

It’d be a snap to micro-target them for political messaging and to make threats using manufactured kompromat.

All of this should be particularly worrying since the audience for this application is the youngest voter age groups which are least likely to vote for Trump and the GOP.

And they are the largest portion of the U.S. military. Think of what the FitBit app disclosed to any snoopers watching military bases. How many users who downloaded FaceApp were active duty or their family members?

Imagine FaceApp and all the other social data, public and private, synced with their phone which reveals their physical location. These users are entirely touchable.

There’ve been quite a few rebuttals to those worried about FaceApp; most complain that such concerns are merely Russia-as-boogeyman fearmongering and that U.S. Big Tech and Chinese apps like TikTok are just as bad (or worse) about collecting too much personal data and misusing it without users’ consent. Or they minimize the risk by theorizing the estimated 150 million selfies collected may train a Russian facial recognition app without users’ consent.

Except Europeans can rely on the GDPR for recourse and Americans have recourse through U.S. laws; they can also press for changes in legislation (assuming the obstructive Senate Majority Leader pulls his thumb out of his backside and does something constructive for once).

One other concern not touched upon is that we don’t know what this particular app can do over the long run even if deleted.

Researchers looking at it now may find it is rather inert apart from the invasive collection of personal photos.

But what about future updates? Can this app push malware which can collect other information from users’ devices?

And what about the photos themselves, once captured and stored. Could the developers embed detailed tracking in the images just as Facebook has?

Bottom line: FaceApp is a huge security risk. It may not be the only one but it’s one we know about now.

We need to regulate not only personal data collection but applications which collect data — their developers must be more transparent and upfront with what the app does with data before the app is downloaded.

We also need to work with Big Tech platforms through which apps like FaceApp are downloaded. We’re back to the question whether they’re publishers or utilities and what role they play in enabling dispersion of apps which can be weaponized against users.

And we may need to institute some kind of watchdog to detect risks before they reach the public. Perhaps as part of the regulation of personal data collection a licensing or clearinghouse process should be established before apps are permitted access to the marketplace. Apple has done the best job of the Big Tech so far in policing which apps are permitted in its market. Should gatekeeping for national security interests rest solely on a few corporations, though?

 

This is an open thread.

Facebook on the Hot Seat Before Senate Judiciary Committee

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the Senate Judiciary Committee this afternoon. At the time of this post Zuckerberg has already been on the hot seat for more than two hours and another two hours is anticipated.

Before this hearing today I have already begun to think Facebook’s oligopolic position and its decade-plus inability to effectively police its operation requires a different approach than merely increasing regulation. While Facebook isn’t the only corporation monetizing users’ data as its core business model, its platform has become so ubiquitous that it is difficult to make use of a broad swath of online services without a Facebook login (or one of a very small number of competing platforms like Google or Twitter).

If Facebook’s core mission is connecting people with a positive experience, it should be regulated like a telecommunications provider — they, too, are connectors — or it should be taken public like the U.S. Postal Service. USPS, after all, is about connecting individual and corporate users by mediating exchange of analog data.

The EU’s General Data Protection Regulation (GDPR) offers a potential starting point as a model for the U.S. to regulate Facebook and other social media platforms. GDPR will shape both users’ expectations and Facebook’s service whether the U.S. is on board or not; we ought to look at GDPR as a baseline for this reason, while compliant with the First Amendment and existing data regulations like the Computer Fraud and Abuse Act (CFAA).

What aggravates me as I watch this hearing is Zuckerberg’s obvious inability to grasp nuance, whether divisions in political ideology or the fuzzy line between businesses’ interests and users’ rights. I don’t know if regulation will be enough if Facebook (manifest in Zuckerberg’s attitude) can’t fully and willingly comply with the Federal Trade Commission’s 2011 consent decree protecting users’ privacy. It’s possible fines for violations of this consent decree arising from the Cambridge Analytica/SCL abuse of users’ data might substantively damage Facebook; will we end up “owning” Facebook before we can even regulate it?

Have at it in comments.

UPDATE — 6:00 PM EDT — One of my senators, Gary Peters, just asked Zuck about audio capture, whether Facebook uses audio technology to listen to users in order to place ads relevant to users’ conversational topics. Zuck says no, which is really odd given the number of anecdotes floating around about ads popping up related to topics of conversation.

It strikes me this is one of the key problems with regulating social media: we are dealing with a technology which has outstripped its users AND its developers, evident in the inability to discuss Facebook’s operations with real fluency on either the part of government or its progenitor.

This is the real danger of artificial intelligence (AI) used to “fix” Facebook’s shortcomings; not only does Facebook not understand how its app is being abused, it can’t assure the public it can prevent AI from being flawed or itself being abused because Facebook is not in absolute control of its platform.

Zuckerberg called the Russian influence operation an ongoing “arms race.” Yeah — imagine arms made and sold by a weapons purveyor who has serious limitations understanding their own weapons. Gods help us.

EDIT — 7:32 PM EDT — Committee is trying to wrap up, Grassley is droning on in old-man-ese about defending free speech but implying at the same time Facebook needs to help salvage Congress’ public image. What a dumpster fire.

Future shock. Our entire society is suffering from future shock, unable to grasp the technology it relies on every day. Even the guy who launched Facebook can’t say with absolute certainty how his platform operates. He can point to the users’ Terms of Service but he can’t say how any user or the government can be absolutely certain users’ data is fully deleted if it goes overseas.

And conservatives aren’t going to like this one bit, but they are worst off as a whole. They are older on average, including in Congress, and they struggle with usage let alone implications and the fundamentals of social media technology itself. They haven’t moved fast enough from now-deceased Alaska Senator Ted Stevens’ understanding of the internet as a “series of tubes.”