Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov have proven that the anonymized data sets that social sites sell to marketing firms are not really that anonymous. It is possible to reverse engineer these data sets and obtain actual names and addresses, by looking at the content and structure of the data (in their example, correlating data from Twitter with Flickr).

• BBC Coverage
• Detailed look by Ars Technica
• The paper: De-anonymizing Social Networks

This raises grave concerns about a practice that has becoming increasingly common as social networking sites seek ways to monetize their data. They routinely release social graphs from which a few bits of personally identifiable information (PII) has been stripped to interested parties – advertisers, third-party apps, government and academic researchers. Conventional thinking is that this is good enough to protect people’s identities.

But as the paper shows, this is nowhere near good enough. It’s an interesting study that essentially redefines the term PII, and could (should) have grave implications for social networks and their responsibility towards their users.

The lesson, as Ars Technica points out, is that “anonymity is not sufficient for privacy on the web”.

Tags: PII, Privacy, Social Graph, Social Networking

Isn’t the idea behind OpenID to get to the point where I have one identity for the internet. By my reckoning, in a few years, the number of OpenIDs I have will be in the low 30s, since every service I am signed up for wants to be my OpenID provider. It doesn’t matter if I only choose to use a few of those, the others are still out there, potentially open to abuse. I can configure whether my email service supports POP3 access or not. Shouldn’t I be able to do the same with regards to whether my account is turned into an OpenID?

The Social Graph need Context
Last week, I read with great interest the saga of Scoble’s facebook account. That led to a lot of discussion in the blogosphere about who owns the social graph, and how the social graph should be made part of an open initiative, freed from the silos (Facebook, Plaxo, MySpace, …) in which it is currently “imprisoned”. But there was something about this whole dialogue that unnerved me.

And then Burton’s Bob Blakely brought his usual rational voice to the discussion. The idea of the open social graph bothered me most because by its very nature it ignores the context within which my graph was created. As Bob points out, the relationships were created within the world of a particular application that supplied context and associated controls for those relationships. I have a social graph in LinkedIn and a social graph in Facebook. Do they overlap? For the most part, no. And I don’t want them to overlap either.

The idea that you can take my contact information from Facebook and move it to another application just because we have a relationship in Facebook is a violation of my privacy. It is no different than if people who I gave my business card to in the context of a particular business meeting decided to put all that information into some online application like MySpace. It just feels wrong. Relationship-Centric IdM anyone?

Oracle Hits The Identity and Security Road
And now for some Oracle news. For those interested in finding out more about where we are headed, Oracle is setting out on a 10-city roadshow to discuss key trends in information security, identity management, emerging standards, and technology advancements. Starting at the end of this month, Oracle experts will be joined by leading security analysts Gartner and Burton Group, along with other industry solutions experts. You can find out more about the Information Security Symposium here.

Tags: Identity in Social Networking, OpenID, Social Graph

“When we talk about the social graph we are talking about the set of connections, friendships, business connections, acquaintances, that everyone has in the world… We are trying to take the social graph that exists in the world and try to map it out… We have a model of social graph that we are constructing.”

At least he has the concept right.

You can read the New York Times BITS blog post here.

Tags: Facebook, Personal Identity Management, Social Graph

In an interview that he gave to Saul Hansell for the BITS blog of the NYT, Dan Nye, the chief executive of LinkedIn, said the following about the emerging idea of a social graph for the web:

“When people tell the story that there will be one graph they are crazy,” he said. “These are different platforms that are built for different purposes, with different members and different relationships between them.”

Isn’t that kind of the reason we need a social graph? There are too many platforms for too many different purposes. But just like we want to have one identity (with multiple personas) that can be selectively used on different parts of the web, we also want to have one social graph that maps all my relationships, and then gives us the power to share certain relationships or relationship types with certain services.

Dan Nye sounds like he believes in the business model of silos. The need for a social graph for the web is similar to the need for a personal identity infrastructure for the web. Both are aimed at breaking down the silos that currently hold our identities and relationships hostage. It is a little tiring to have to become friends with the same people in multiple social networks (I personally have had to do that on both LinkedIn and Facebook).

Or does Dan Nye think that co-workers and professional contacts cannot also be friends?

Seems to me that Dan doesn’t understand the idea behind the social graph. Anyone who wants to know more should check out the following links:

• Brad Fitzpatrick & David recordon on “The Social Graph and Social Network portability“
• Microformats Wiki
• Phil Hunt on “Social Graph Search & Social Network Portability“

Interestingly enough, Google seems to be about to jump into the social graph discussion. Check out this other BITS blog post about Google’s thoughts on the relevance of the social graph in improving search.

Tags: Facebook, Identity in Social Networking, LinkedIn, Personal Identity Management, Social Graph, User-Centric Identity

In the article, he discusses an experiment that the folks at Wired did to try and build a social website like Facebook using freely available tools and widgets. They were able to get to about 90% of Facebook functionality, but the missing 10% was the most important part – the ability to link people in relationships.

Scott attributed the failure to the lack of “a generalized way to convey relationships between people’s identities on the internet”. But doesn’t that first require that we have a generalized way to represent people’s identities on the internet?

Let’s face it, relationship silos are really just extensions of identity silos.  The problem of having to create and re-create my relationships as I go from site to site mirrors my problem of having to create and re-create my identity as I go from site to site. The Facebook Platform might have one of the better Identity Provider APIs , but all the applications built on it still have to stay within Facebook itself.

There seems to be an opportunity for someone to launch a service that allows people to connect their OpenIDs using an appropriately named, tagged relationship. This could then be used as the basis for friend-style relationships in social applications. Of course, that would eliminate one of the big reasons most of these sites have experienced the growth they have – I’m on it cos my friends are on it. But it’s the same argument for not wanting to be limited by the MYG silos.

<aside>

When you choose to add an application to your profile within Facebook,
it gives you a nice message telling you that it will share your
information with the application, but never what information it will
share. Essentially it is an open-ended invitation for the application
to look at my whole profile, even if the only thing it should really
have access to is my preference of music so it can put an appropriately
blinged out icon on my page. The lack of granularity here makes it
decidedly non user-centric as far as I am concerned. Perfect place for
an IGF style governance document. Every application should declare what data from my identity profile it needs, and why. That way if the ‘Book of the Month’ application wants my political leaning, I can agree to give that
information knowing fully well it won’t get my birth date.

</aside>

Tags: Facebook, Identity in Social Networking, Personal Identity Management, Social Graph, User-Centric Identity