Part 1 of n

Hi Everyone!  I’m back!  The last couple years have been a hell of my own making, through the depths of depression and back again.  I’m still a bit burnt out, but definitely on the upswing.  But enough about me.

Pointedly ignoring the clusterfuck that is US and world politics right now, I’ve decided to speak on a topic that is near and dear to everyone’s heart, privacy and security.  This is something I know a bit about, having worked with private data in web and mobile, as well as a few hobby attempts at secure chat and connection apps.  Rather than go deep into the tech, in which I’m far from an expert, I’ll talk about the concepts and issues that I’ve seen.

As a disclaimer, I work for Facebook.  In this article I’ll touch on them, but I am not in any way shape or form speaking for them.  These are strictly my personal opinions.

So let’s start with a model of your basic web or mobile app.  There’s a server somewhere, or more likely a server farm (the “cloud”).  There’s the Internet itself, a web (see what I did there?) of interconnected special-purpose devices whose job it is to shuttle data around, based on attached metadata.  Then there are clients, which can be mobile devices, tablets, desktops, or a web page or custom app.  Not surprisingly, this is called a “client-server” architecture.

Whether the client is a web page or a mobile app, the people who funded the system want to see how their investment is doing, learn how they can make it better, and be able to bring the site back up quickly if something goes wrong.

The servers will keep logs of how many requests were made, what information was returned, and in case of a problem, what failed and where.  The clients will also send back information, about how people are using the app, and what information was requested.

Together, these analytics let management know who to advertise to, what their interests are, and how best to serve the users and the investors.

You’ll note I’m being careful not to put a value judgment on any of this.  The bottom line is, content costs money to produce, serve, and maintain, and if the people fronting that cost aren’t making any money on that investment, they’ll find another investment.  If they know what people want from their application, it’s in their interest to provide it, since that will bring more users.

Which brings us to ads.  Once you know what people like, you have a good idea of what kinds of things they’ll buy.  If you can target the advertising you vend, they’re more likely to click your ad links, buy that stuff, and thus make you more money.  That also means that the space you reserve for advertisers will be worth more, since the clickthrough rate is higher.  In advertiser lingo, putting an ad in front of someone’s eyes is an impression, and buying the product is a conversion.

So what can go wrong?

Let’s start with the advertising itself.  Since impressions and clickthroughs are worth money, advertisers will go to great lengths to maximize their number.  This means annoyingly distracting ads, popovers, popunders, and other obnoxiousness to ensure that ads are seen and maybe even accidentally clicked.  Fortunately, content providers are starting to become aware of how much badly behaved ads affect their goodwill, and are taking steps.

As far as “data mining” and such, the legitimate use of my data for marketing purposes is the least of my concerns.  If I don’t want to buy something, I simply won’t, no matter how well targeted the ad.  If tracking my data means the content will be more interesting to me, all the better.

There are concerns that some sites are in fact customizing or suppressing content in order to make users feel better.  I can’t speak for my employer, but once again I’m not too worried.  I’ve seen plenty of dissenting content on my feeds, and whenever I see news that seems relevant to me I’ll check the source before believing or forwarding it.  Checking sources will be the topic of a future article, but not too far in the future.

Then there are hackers.  Some sites use woefully inadequate security, or don’t keep up with the latest exploits as they are found, and so leave themselves open.  Once someone gets in, everything is potentially up for grabs.  Also, hacking has become big business, so there are a lot of people, in and out of governments, who are doing it.

Finally, the government itself.  No matter who is in office, there’s going to be some abstract noun that’s used as the latest witch hunt.  This means that every byte of data, once it’s left your computer (and maybe even before that, which is a soon-to-be-upcoming article), can be copied and analyzed at any stop along its way.

A subpoena can also be issued to retrieve the analytics data that companies have on you.  Without a warrant, and without notifying you.

The primary takeaway here is if you don’t want something to be public, don’t post it.  Even if you set the most restrictive privacy settings, and the site you’re posting it to assures you that your private data remains private and yours.  You’re just one hacker, one subpoena, and/or one “Our Terms of Service Have Changed” email away from your deepest secrets becoming front-page news.