Tag Archives: address book importing

Will Google use email contact lists to build a new social network?

Rumours of Google’s new social network are flying this week. The BNET Technology blog has some thoughtful speculation about its form here.

What will it look like? What elements of existing Google products will it incorporate? And how much control will users have over their profile information and data?

But what’s of interest to me was captured in a tweet by Adam Ostrow, editor-in-chief at Mashable – journalists and anyone interested in protecting email contacts data should take note:

Google’s supposed new social network will be doomed unless they start over from scratch on the contact/friends list.

Another Twitter user, Marshall Haas (@marshallhaas), asked him why it was a problem; Ostrow answered:

“Same problem as Buzz … Gmail’s contact list isn’t an accurate definition of who my ‘friends’ are. At all.”

He’s talking about automated ‘friend’-making systems, in which Gmail contacts (i.e. email address book data) are automatically connected to you in a new system – as originally happened with Google Buzz.

Many users were not happy to see private email connections made public via Buzz; an issue Google quickly addressed. When developing its new connection tools for the new social network, Google would do well to remember the furore it faced over auto-friending in Buzz.

On a related topic, a few months ago Journalism.co.uk examined the practice of address book importing, in which social networks use members’ email address books to make connections between users and issue invitations.

As we reported, tools used by social networks to harvest new members can threaten the privacy of confidential sources and put journalists’ careers in jeopardy.

We tested out various services and showed that, by using someone’s email address book data, a social network can link users publicly, risking source exposure.

Facebook, the social network on which we focused most of our attention, concerned us with its use of users’ data, and its descriptions of its systems were muddled. We called on Facebook to make their systems clearer.

Facebook’s European policy director Richard Allan later told us: “[I]f somebody were a journalist with a professional [contacts] list, it would make sense for them clearly not to use any of these address book importers at all”.

In subsequent email correspondence with Facebook’s public relations team, I was told that for some users (who wish to import an email address list, but not reveal certain contacts): “… it may be better to upload your contacts from an Excel sheet or similar so you can remove ones you don’t wish to upload”.

While concerned about Facebook’s unclear and potentially misleading settings around address book importing and recommendations, we were impressed by the effort they made to answer our enquiries and we’ll be watching to see how they develop their systems.

Interestingly, this week I received this message from Twitter, in my inbox:

XXX knows your email address: YYY@googlemail.com. But Twitter can’t suggest you to users like XXX because your account (@YYY) isn’t configured to let users find you if they know your email address.

It then provided a helpful button to allow me to: “Review & confirm your settings”.

To explain: a friend (XXX) has shared her address book and Twitter has matched my email address to an unused Twitter account I hold (@YYY). I am then given the option to connect with this person, or open up my account to email address matching. That is, I have to opt *in* to her sharing of email address book data.

It’s curious because in the past, I’ve received follows from people in my email address book to this same Twitter account – an account, I should add, that’s not in my name. I’m surprised therefore they found it without importing their email addresses, but I don’t know this for certain. With only four followers to this account, it seems unlikely two of them should be in my address book!

Anyway, in my case, it wasn’t important whether they followed me via this unused account or not, but anonymous bloggers out there (public service workers or political dissidents for example) should be careful to *never* use their real email addresses when registering social network accounts. Even if the account is in a different name, and the email address is private, the connection can still be made.

For a journalist, Twitter’s new alert system is good news. Twitter may not have answered any of Journalism.co.uk’s numerous enquiries about its address book importing methods, but at least it is developing techniques to allow users to make informed choices about who and how they connect with contacts with whom they have exchanged emails.

Has Twitter changed its ABI system? Did it read Journalism.co.uk’s initial enquiries outlining our concerns? I’ve sent the press people a line, but I’m not holding my breath.

I also contacted Google to ask about the rumoured network and whether Gmail address book data will be used for building membership. The spokesperson’s comment? Simply: “We do not comment on rumour or speculation”.

Facebook and Google to be quizzed on whether the internet is safe for free speech

Index on Censorship is to host a debate on the internet and free speech at the Free Word Centre in London, tonight [12 May] at 6.30 pm.

It will feature:

  • Richard Allan, director of policy EU, Facebook
  • Anthony House, European policy and communications manager, Google
  • Gus Hosein, policy director, Privacy International

If, like Journalism.co.uk, you’ve been increasingly alarmed by social network tactics that threaten journalists’ safety and confidentiality, you might like to submit a question to be asked at the event, at this link: ‘Put your questions to Facebook and Google – We ask is the internet safe for free speech?’

Background:

#snprivacy: Journalists’ privacy plea to social networks

This post was written following months of mounting concern about the way new sharing and connection features are being implemented on the most popular social networks. If you agree with what we ask of social network developers, feel free to quote this blog, or tweet marking your messages #SNprivacy. Journalism.co.uk will be putting more questions about privacy policy to Facebook later this week. To have your say, please leave comments below, tweet @journalismnews, or email judith [at] journalism.co.uk.

Re: Privacy policy

Dear social networks,

You say you want to reflect real world relationships and connections. Well, in the real world there are connections and information that journalists don’t want made public, shared or given to third parties. Please help us protect our privacy, so vital to responsible journalistic work. It will help you avoid lawsuits and government inquiries, too.

We know that we need you to help us work more effectively as journalists, to share with others, and to make connections in ways impossible before your birth. But likewise social networks need users and their endorsement. Google’s head of public policy and government relations, Susan Pointer, recently said: “We live or die by the trust our users have in our services.”

Social networks also rely on bloggers and technology/media journalists to communicate new and changed tools accurately.

We realise there is some shoddy and inaccurate reporting around social networking, especially in some of the mainstream press, but there are also many writers who care about relaying information responsibly.

We believe changes to Facebook’s privacy settings are particularly worrying for journalists and bloggers, who have good reason for protecting their privacy and confidential sources.

As the US blogger and librarian Bobbi L. Newman reported, users now have to ‘opt out’ of auto-personalisation settings that allow their friends to share their content.

Furthermore, as developer Ka-Ping Yee exposed, privacy breaches were made in the original open API which allowed external access to Facebook users’ ‘event’ information. We are pleased to see Facebook has reacted to this and corrected the privacy error.

We believe Google Buzz was naive in setting up auto-connections between contacts in Gmail address books. The public availability of email addresses on Buzz, as reported by TechCrunch, was also of concern. We are pleased to see Google has amended these privacy errors.

Journalism.co.uk has recently revealed misleading information surrounding Address Book Importing (ABI), which we feel does not adequately explain how social networks are using – and keeping – users’ email address book information.

We argue that the default options should always be set so that the privacy of the user is respected. With friend finder tools, like Facebook’s, users should have to opt in to share email addresses and opt in to each one shared.

It’s an issue publicly highlighted by Facebook’s former chief privacy officer, Chris Kelly (currently running for office as attorney general in California): he is calling on Facebook “to structure all its programs to allow Facebook users to give permission before their information is shared with third parties”.

We are worried by Twitter and Friendster’s lack of engagement with us on privacy and ABI issues.

Facebook, with which we did enter lengthy dialogue, has said it welcomes feedback. Nonetheless, we are concerned it continues to dismiss the issues thrown up by its friend suggestions and connection features, which are implemented with harvested email addresses.

In light of the privacy breaches and concerns outlined above, we ask six things of growing social networks.

1. Please conduct thorough user research before you implement new features

2. Please publicise new features before you launch them fully, allowing us time to change new or existing privacy settings as necessary

3. If you change privacy settings, please ask us to opt *in*, not opt *out*. Social networks should NEVER set the default option to share users’ information

4. Please provide clearer explanations about how data is shared and how connections are made

5. Please test your new features more thoroughly before launching

6. Please answer our emails or postings on your forums about privacy concerns and reports of privacy breaches – written as either users or journalists / bloggers

Note to bloggers: please feel free to reproduce this plea on your own blogs, with a link back to the original post.

Comment: It’s time for social networks to tell us how our data is used

We explain why we consider Address Book Importing (ABI) and friend connection tools dangerous for journalists; and why we believe it’s time for social networks to be more upfront about how they use our data.

Our research on social networks and Address Book Importing (ABI) published today shows that Facebook has a big problem, which will only get bigger, as it develops its connection-making features.

[See full report: How social networks are using your email address book data – and what it means for journalists]

If you are a member, like 400 million other people worldwide, then that problem could become your problem through no fault of your own. Journalists, in particular, are more vulnerable than most.

Why they do it

Like all social networks, Facebook strives to be seen as indispensable. Facebook wants you to tell it who you are connected to and it has a vested interest in making those connections public.

For Facebook, the more connections it can make between people the better. That’s what drives membership and visits and profits. Many claim that user privacy is the main casualty of a business model that depends on users revealing personal information online.

It is an issue that has come to involve stalking, grooming and identity theft. Facebook argues that instead of imposing regulation on social networks, governments should leave the control of personal information in the hands of the users.

That argument would carry weight if the company’s privacy controls were transparent and easy to use, and its members were given the information they need to make informed decisions.

Threat to journalists

But here’s the crux. Our in-depth look at the practice of ABI reveals that Facebook is failing to provide users with the information they need to properly protect their privacy. From the perspective of a journalist, this means ABI can threaten the privacy of your sources and even your career.

Facebook presents its ‘Find People you Email’ tool as a way for you to check if people you know are also Facebook members. You do this by giving Facebook access to your online contacts file on Gmail or Yahoo for example, or by giving it access to your desktop contacts file.

Facebook says: ‘Upload a contact file and we will tell you which of your contacts are on Facebook.’ Sounds harmless enough and sounds like it will do what you expect. Use the ‘learn more’ option here and Facebook tells you that they may use the imported information to generate ‘suggestions’ for you and your contacts on Facebook (see statement below).

But we’ve pieced together what Facebook doesn’t tell you. Not only does Facebook ‘find people you email’ on Facebook, it downloads all the email addresses in your contacts file whether you want it to or not.

Users aren’t given clear information that this will happen. Then, without giving you any control over the process, it uses the email addresses to generate ‘friend recommendations’ for people you know – and those you don’t.

Then, without telling you and without your control, Facebook generates ‘recommendations’ linking you directly with others in your contact file on any email invites you choose to send. Facebook also holds on to your contacts file – linking you to your file on an on-going basis.

You may have countless reasons why you don’t want to be publicly connected with people in your contacts file. People in that file may be professional contacts, confidential sources, business associates or even the target of a long-running investigation; people from whom you may want to keep a discreet distance for any number of reasons.

If you are not completely aware what ABI means, the potential for disaster is endless. Imagine if you use Facebook’s ABI to check if your mates are on Facebook and you give it access to your desktop address book.

On there are your friends, your sources and your colleagues. Many may not be impressed if, out of the blue, they are ‘recommended’ your husband, your boss and your mate who has tagged you in a dozen Christmas party pictures.

What if the NHS manager you’ve lined up to interview is ‘recommended’ to the health service whistleblower you’ve cultivated? What if your source in an investment bank is ‘recommended’ to your source in the Financial Services Authority? Will any of them trust you again?

Strange recommendations

We grew suspicious about Facebook’s ABI tool precisely because two of us at Journalism.co.uk started to receive bizarre recommendations. Recommendations that could only mean one thing – Facebook had accessed the email addresses of our contacts.

We think the majority of Facebook users and, certainly, the vast majority of journalists, wouldn’t use ABI if they were given the full picture. Patti Laubaugh’s devastating experience with Facebook’s ABI reveals what can happen when you mistakenly mix your professional and private lives on social networks.

As we’ve reported, Reuters is so concerned about the potential for calamity that it is warning its journalists: “Be aware that you may reveal your sources to competitors by using ‘following’ or ‘friending’ functionality on social networks.” But this doesn’t mention the risk of ABI.

We had a useful dialogue with Facebook about our findings but nothing it told us made us any more relaxed with the practice of ABI.

The company defended its practice by stating that people can opt to ‘learn more’ about the Friend Finder tool by accessing this statement:

“We may use the email addresses you upload through this importer to help you connect with friends, including using this information to generate suggestions for you and your contacts on Facebook.”

Time to be more upfront

We think Facebook members are not adequately warned exactly how ABI is used and could be misled by the information provided.

Worse still, users have to click through to yet another window before they learn that they can delete an uploaded contacts file. Facebook knows better than anyone that the more clicks you ask a user to perform the less likely they are to get somewhere you don’t particularly want them to find.

It added:

“We believe that people come to Facebook to find their friends, and so we provide this as part of our efforts to help people find each other, and to share and stay in touch. We use a variety of different factors to determine whether to suggest that people connect on Facebook and we respect privacy settings of the users when we do.”

But in order to use the privacy settings in an informed way, users must be given the whole picture. As Gus Hosein of Privacy International says in our main report, it’s time for social networks to stop pretending they’re cuddly start-ups and face up to their privacy control responsibilities as world communication systems.