Posts Tagged ‘Facebook’

Privacy, not yours, other people’s….

January 30th, 2011 No comments
Screenshot of Facebook's Friend Finder Feature

Sure, give Facebook your email password, good plan!

This call to action periodically appears on Facebook as an inducement to provide them information to help you locate people you know on Facebook. It’s wrong, deeply wrong in so many ways. You don’t even need to factor Facebook’s already very checkered history with security and privacy. You don’t even need to decide for yourself to be more cautious than you are. All you need do is take a moment to consider that others might be offended, or worse, by your actions.

Don’t do it. Ever.

It’s wrong because it encourages you to decide on behalf of others what their level of privacy concern should be and to compromise their privacy without their consent.

Think about what you risk doing to others by using this feature:

  • If you use your employer’s email you have almost certainly violated their internet usage policy by granting a third party access to your account. Unless you own the company yourself, your work email account doesn’t belong to you. Your work contacts list doesn’t belong to you. Unless you’re the I.T. top dog, you’re not allowed to decide who can access password protected company resources. If you do what Facebook suggests you do with your employer’s email account without explicit permission, you should be fired. Period.
  • If you use your own email address, you have decided that you are both qualified to decide and entrusted by everyone on your contact list to share their personal information with Facebook. Believe it or not, lots of people want nothing to do with Facebook. Now they’re part of Facebook’s data pool. If you upload their contact info, Facebook has that, but they also now know those email addresses are connected to you and, to a degree, to each other. Connected to you and whatever you felt like sharing with your Facebook community. Perhaps your friends aren’t too keen on being associated in a database with somebody who’s into knitting? Perhaps they’d prefer to keep their membership in the Freemasons on the down-low?

Sure, this is an extreme case. The hubris on Facebook’s part in actually asking you for log-in credentials for an account is unusual and, I hope, obviously excessive. The problem is, many sites ask you to compromise others under the pretext of doing you, or them, a service. Decide only for yourself who to trust.

Unless you’ve established a prior agreement with your friends that it’s OK….

  • Don’t use ‘send to a friend’ buttons on a web site. Copy the URL and write an email. Let them decide for themselves.
  • Don’t use evites or other similar services to plan events by giving the service the email addresses of your friends.
  • Don’t send them ‘gifts’, real or virtual, by giving a web site their email address.

If you can’t refrain from doing these things, don’t be surprised to discover who ‘un-friends you’.


Social networking sites used to welcome burglars.

September 12th, 2010 Comments off

“Be careful of what you post on these social networking sites,” said Capt. Ron Dickerson.

http://www.wmur.com/r/24943582/detail.html

It seems at least 18 of 50 August 2010 burglaries in Nashua, N.H. were solved when an off-duty cop heard the telltale sound of a known-to-have-been-stolen firework.

For the curious, whether I’m home or not, there are platoons of heavily armed Attack Wombats patrolling the entire compound. You have been warned.

– Jon


Categories: Security, Social Networking Tags:

URL shorteners, the problems, the value, a solution?

September 10th, 2010 No comments

UPDATE: Gruber Explains his method and identifies a pitfall: “What I didn’t foresee was the tremendous amount of software out there that does not properly parse non-ASCII characters in URLs, particularly IDN domain names.” In retrospect, I should have been more curious and tested his cagey domain name branding. It worked for me so I just assumed. I would have tested it had I implemented it but as a user, it worked, so what did I care? Anyway, Gruber explains more here: http://daringfireball.net/2010/09/starstruck
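The pitfall in Gruber's quote, shown as an added example (not code from this post or from Daring Fireball): software that cannot parse an IDN host can be handed the equivalent all-ASCII form instead. The function names are hypothetical, and Python's built-in `idna` codec (IDNA 2003) is an assumption about which IDNA rules apply.

```python
from urllib.parse import urlsplit, urlunsplit, quote

# Characters left alone when percent-encoding, so existing escapes survive.
SAFE = "/%:@!$&'()*+,;=~?"

def to_ascii_url(url):
    """Return the all-ASCII wire form of an http(s) URL with a non-ASCII host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an absolute http(s) URL")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not supported")
    # Each dot-separated label is Punycode-encoded ('xn--...');
    # labels that are already ASCII pass through unchanged.
    host = parts.hostname.encode("idna").decode("ascii")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    # Non-ASCII path, query and fragment characters become UTF-8 percent-escapes.
    path = quote(parts.path, safe=SAFE)
    query = quote(parts.query, safe=SAFE)
    fragment = quote(parts.fragment, safe=SAFE)
    return urlunsplit((parts.scheme, netloc, path, query, fragment))

def same_host(url_a, url_b):
    """Compare hosts in ASCII form so Unicode and 'xn--' spellings match."""
    host_a = urlsplit(to_ascii_url(url_a)).hostname
    host_b = urlsplit(to_ascii_url(url_b)).hostname
    return host_a == host_b

if __name__ == "__main__":
    short = "http://✪df.ws/g4n"  # the short link quoted in this post
    wire = to_ascii_url(short)
    print(wire)
    print(same_host(short, wire))
```

Storing and comparing the ASCII form means an allow-list entry or a log search matches whichever spelling a client sent.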

****UPDATE AGAIN 10.6.10**** http://benmetcalfe.com/blog/2010/10/the-ly-domain-space-to-be-considered-unsafe/ Worth a read but I distill it thus:

Don’t rely on a business relationship where you don’t have the support of a legal system you can participate in. Obviously, we live in a global economy so what matters is the word ‘rely’. Participation != reliance.

————————————————————————————

URL shorteners are extremely common tools used to make links shorter, more able to fit within artificially constrained text fields, and, in some cases, more human-readable. They can also have some other, arguably indirect, benefits in some cases including click-through tracking.

One major potential problem of course is link rot which can be a pretty staggering problem if your chosen provider completely folds up shop.

One common inducement to shorten URLs is Twitter and the 140 character count limit on the ‘microblogging’ site’s posts. While an argument can be made that imposing a 140 character limit enforces a tone, there’s no logical reason that Twitter couldn’t accept URLs shortened by the most basic method, an HTML embedded link: an HREF with your own descriptive text. Twitter probably claims disallowing this is a security advantage. Such a claim would ring hollow since URL shorteners themselves obfuscate the real target of a link in a way that’s actually potentially worse.

By now, some of the problems with these tools should be obvious:

  • The provider of the translation from short to long can fold up shop, instantly rotting all your links.
  • The user can’t hover over the link and look in the status bar of their browser to see what the actual target is.
  • Users seeing different shortened versions of the same link aren’t given the visual cue of ‘followed’ color change in their browser for links they have already seen.
  • They do nothing to encourage site maintainers to strive for more accessible and better indexable and human-readable URL schemes.
  • They insert yet another intermediary able to track users’ browsing habits.
  • They are, in many cases, unnecessary layers of complexity.
  • They can pose problems for content publishers wanting to be methodical about managing their own link rot. (Do you try to ‘fix’ expired shortened URLs? Can you when you don’t control them?)
  • They have SEO implications.
  • If you need to shorten URLs on your intranet (for easier tracking, for example), you wouldn’t want to expose, or possibly couldn’t expose, the URLs to a cloud-based provider for security reasons.

So, let’s for the moment, set aside all the good reasons we should be hammering on Facebook, Twitter and others to exclude the characters used for posting HREFs and the links themselves from the character counts and accept, albeit grudgingly, that there could be good reasons to implement URL shortening mechanisms. How should we do it?

We should be hosting our own URL shortening mechanisms on our own sites.

John Gruber of Daring Fireball has this down to a science. If you follow Daring Fireball on Twitter you will notice every link he posts looks like this: http://✪df.ws/g4n These links are URLs he’s shortened on a server hosted in the .ws domain and they hit short tease pages on daringfireball.net in a directory called /linked. His little tease pages don’t always do the best job of telling the user what they’ll get with a click but this is part of Gruber’s editorial voice and is clearly done deliberately. The mechanics of the user experience, however, are extremely solid:

  1. Shortened URL appears in Twitter feed. (or other microblogging site or method)
  2. Shortened URL is uniquely branded as a Daring Fireball Link (issues with scaling his branding method notwithstanding)
  3. User chooses to follow the link based on other content in the ‘tweet’
  4. User is presented with a ‘tease page’ on Daring Fireball
  5. User can, unless Gruber is being cute on his tease page, make an informed choice about whether to fully follow the link.
  6. Gruber can track the response to the tweet, and, if he wanted to be a right bastard about it, outgoing clicks from his tease page could be sent through a click-through server script.
  7. Gruber can scan the contents of his Linked directory to manage link rot on his own site.
  8. If he’s methodical about keeping track of which URLs he posts (and I bet he is), basic log analysis of referrers on requests to files in his /linked directory will tell him where he is picking up traffic. Some more complicated analytics could tell him some things about where people had propagated his links.

I happen to usually agree with Gruber, always enjoy reading his stuff and, frankly, take a certain vicarious pleasure in his occasional willingness to be a bit brash. I happen, also, to usually like the results, when he gets cute on his tease pages but, no matter what you think of Gruber and Daring Fireball, the method he uses is the basis of a really solid approach to managing a site and integration of that site with Twitter, Facebook and other mechanisms of ‘syndication’. It puts him back into a position where he is editorially engaging with his users on his own site after he used the visibility he got himself elsewhere.

It’s pretty slick and, done methodically with a transparent editorial policy, this approach could do a lot for fixing what’s wrong with the current willy-nilly grabs for presence on Twitter, Facebook etc. by content companies who are now, almost always, just diluting their own brands. I happen to bristle a bit that Gruber’s hosting his URL shortener in a .ws domain (the country domain for Western Samoa; I think it’s because it was an easy way for him to register a domain branded with his UTF-8: E2 9C AA “✪” in his very short ‘✪df’ domain name, but I don’t actually know why he chose .ws) but that’s just my old school leanings when it comes to top level domains.

So, the solution (and maybe Gruber’s already built it, or maybe it’s one of these: 10 Free Scripts to Create Your Own Url Shortening Service) is to host your own URL shortening mechanism on your own site. You can implement your shortened URLs using “The Full Gruber” and, with some good practices of your own, (mostly) mitigate every last one of the problems cited above except maybe some of the SEO issues. Those you could work around with other architecture and editorial choices, and they would be offset by traffic to, and the well organized placement of, your tease pages.

No, of course, the Gruberization of link shortening practice isn’t nearly as clean, consistent and user-friendly as actual links direct to content with meaningful descriptions but, since we’ve let Twitter, Facebook etc. co-opt our control of our own presence on the net, for now, this is a more than decent workaround.

Now, as usual, the comments I get will say “But Jon, it’s not easy enough or convenient” and, for most people, yeah that’s probably true. Hell, I am expecting to bleed from the forehead trying to work out how to automate it or will just end up stupidly manually editing my .htaccess file for every link and maintaining some static structured reference file by hand or find somebody to help me set it up here because this is hardly turn-key. The point is, what should a smart company or organization do to manage how they maintain the best, most direct connection to their audience rather than, usually self destructively, try to exploit Twitter, Facebook etc. to attract an audience?
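One way to automate the .htaccess step from a structured reference file, as an added example (not code from this post or from Daring Fireball). The file format, the function name, the slugs and the `www.example.org` host are all assumptions; the rules use Apache mod_alias `RedirectMatch`, and every target must be a tease page on a host you own, so the shortener cannot be turned into an open redirect.

```python
import re
from urllib.parse import urlsplit

SLUG_RE = re.compile(r"[A-Za-z0-9]{1,16}")
# Characters that could alter an Apache directive line or act as $N backreferences.
UNSAFE_RE = re.compile(r"[\s\"'\\$<>]")

def build_htaccess(reference, own_hosts):
    """Turn 'slug target' lines into RedirectMatch rules; raise on any bad row."""
    seen, rules = set(), []
    for lineno, raw in enumerate(reference.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'slug target'")
        slug, target = fields
        if not SLUG_RE.fullmatch(slug):
            raise ValueError(f"line {lineno}: bad slug {slug!r}")
        if slug in seen:
            raise ValueError(f"line {lineno}: duplicate slug {slug!r}")
        url = urlsplit(target)
        if UNSAFE_RE.search(target) or url.scheme not in ("http", "https"):
            raise ValueError(f"line {lineno}: unsafe target")
        # Short links may only land on tease pages we host ourselves, so the
        # shortener can never redirect a visitor straight to a third party.
        if url.hostname not in own_hosts:
            raise ValueError(f"line {lineno}: host {url.hostname!r} is not ours")
        seen.add(slug)
        # Anchored pattern: /a1b matches, /a1b/anything-else does not.
        rules.append(f"RedirectMatch 301 ^/{slug}$ {target}")
    return "\n".join(rules) + "\n"

# Constructed sample reference file (slugs and host are placeholders).
SAMPLE = """\
# slug  tease page
a1b  https://www.example.org/linked/2010/09/first-item
Zx9  https://www.example.org/linked/2010/09/second-item
"""

if __name__ == "__main__":
    print(build_htaccess(SAMPLE, {"www.example.org"}), end="")
```

Regenerating the whole block from the reference file on each change keeps the file and the live redirects from drifting apart, and the same file is the list to walk when checking for link rot.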

Ok, so, who wants to work with me for no money to help me set all this up for my sites and publish a how-to and/or open source package that we can convince DreamHost to make a ‘One Click Install’?

Anybody feeling that charitable? 😉

– Jon
