When I quit Facebook twice, I had my public account, I had my private account that my private account wasn't supposed to exist. And on the day I quit, I quit my public account first and it was offering for me to be friends with my private account. There was my profile picture that I swore nobody was ever supposed to see. So anyway, without further ado, Chris Conley and hacking Facebook privacy. Well, thank you. Thank you guys all for coming out. I see I found the magic combination of hacking and privacy and Facebook and that fills up a room, even at DEF CON. I do have a couple of caveats in front of you. So I was once a hacker or at least a computer scientist. I'm now a lawyer, so if that makes you want to evacuate, please do so now before I get rolling because once I get talking I get really angry. People do that. Second thing is, you know, well, that's actually my only caveat. So I'm Chris Conley. I'm the Technology and Civil Liberties Fellow for the ACLU of Northern California. I assume most people know what the ACLU is. We are the country's largest and oldest civil liberties and civil rights organization. And part of what we do is defending things like online speech, online privacy, online association, all of these things, which got us interested in the concept of Facebook, which got us into the concept of what is Facebook doing, which got us really confused because they're doing a lot of things that a lot of people don't really like, especially in this room. So what we started off with was the idea of, you know, how can we approach this? How can we get people informed? How can we get people engaged? And the thing we found was the best way to get people engaged is to hack it, is to find a way to create tools that work within Facebook, that work around Facebook, that work with Facebook somehow to make people aware of what's going on, to give them the opportunity to do something better than Facebook does. 
Because once you do that, then Facebook kind of is in a position of saying, they can't say we can't do that anymore. Yeah, you can. It took me 20 minutes in a little bit of a JavaScript. So it gives us an opportunity to actually use hacking as a way to create change. And so that's what I'm actually talking about. I'm not talking about how to get 100 million user records from Facebook. If you want that, there's a school called BitTorrent. You just download it, you're done. So you don't need me for that. This is about how we can go about, as technologists, as hackers, building tools, building extensions, working with the system we have, and making it better. In particular, I'm talking about the system being Facebook, the 500 million pound, 500 million user gorilla in the room against, you know, our squad of hackers. I'll put the odds on us, but we'll see how it works out. So what I'm going to do is basically just talk through a few things. And this is the wordiest slide you're going to see, so don't worry about that. But I just want to give you a few examples of some of the Facebook hacks or the Facebook privacy hacks that I'm calling them that exist today. What have people done thus far? What have they tried to accomplish? How have they done it? It's not going to be a technical talk. I said I'm a lawyer these days, so I'm not going to say anything beyond JavaScript, bookmarklet, anything like that. But what have they done? And how has it worked? What kind of challenges are they facing? How often does Facebook sue you for doing this? What have they accomplished? Are we actually seeing things happening? Is it letting the people in this room who already actually understand the concept of privacy do better? Or are we able to make this into something that creates broader change, whether it's getting lots and lots of people to use these tools, or whether it's simply getting Facebook to change itself? And then finally, where do we go from there? 
Which is mostly my question to everyone here, because there are people in this room who have far better technical skills than the people things that I've done and some of the more impressive but still limited things that other people have done. How do we as hackers make change? How do we push Facebook to do better? How do we give users more opportunities and more information and more control over their information so that they can reclaim their privacy so that they can take back the rights and the privacy and the freedoms that they should have without having to surrender Facebook, because as we just saw, nobody in this room or not nobody, but many people in this room like Facebook. Nobody's not aware that Facebook doesn't have privacy issues, but you use the controls you have, you try to do the best you can. What we want is a situation where Facebook is actually about privacy. It was five years ago, now it's not so much. So what do we do about that? I'm going to start by going in the right direction, and then I'm going to talk about where I got started, which is, as I said, I was a computer scientist, it's really rusty, so what can I do? I can still write Facebook applications. So the first privacy hack that I'm going to talk about is my own. Mostly because it's the first thing I did. It's also the simplest and least sophisticated, and I don't have to talk about it anymore, so I can get out of the way. Essentially, all this was a quiz on Facebook. About a year ago, quizzes were everything. Which Barbie Princess are you? How many children will your best friend's dog have? Whatever the case may be. And so we said, well, these quizzes are actually accessing huge amounts of information. If you run an application on Facebook, not only does it have access to your information, it may have access to your friend's information. And your friend isn't being told you're running a quiz. It isn't being told anything about this. 
There was, at that point, no transparency, no granularity, no controls around this. There were controls, but you had to find them. They were very well hidden behind three layers of privacy. There was something like this. Actually, this is today's, I didn't save a screenshot from then, but you go in, you find your privacy settings, you go down to the little application corner, you click on the what can my friend see, and you see that I use mine, which is no longer like that. But by default, most of this is checked. But people don't know that. They don't go in and really viscerally see what's happening when you tell them you're sharing things with your friends. On the other hand, if you use an application, if you use technology to show them what actually happens, people start responding. So you wrote something that was pretty simple. You take a little quiz, you answer some questions, there's very obvious right answers if you know who the ACLU is and what we care about, but then you see what happens. What can this quiz see about you? Well, it can see your pictures, it can see your groups, it can see your books, it can see your events, it can see your activities, it can see your friends, it can see your friends' books, it can see your friends' events. And showing people that and making that visible was effective in a way that Facebook's own, here's how we explain our privacy policy with 15 pages of legalese was not. So it was a way to just hack Facebook really quickly, really simply. As I said, it took me a couple of days of scraping off computer science skills to get it to work, a few more days to get it, well, pretty is not the right word, but a little bit more functional, and let it go. And I'll talk about what it did and what it didn't a little later, but that's like the starting point is, okay, I can run something, I can write a web page. That's basically what a Facebook application is. 
I can write a web page, I can connect it, I can make something happen, people can use it, and they can do something. Then there's a few other examples I want to walk through. There's an application called Reclaim Privacy. It's actually a bookmarklet, so it's not an application within Facebook. And as you can see, it's a little bit out of date at the moment, but the concept is very similar to what I wrote, which is, well, how do you get people to really see what's going on? In this case, the question was, how do you get the privacy settings? So not just what can applications do, but what's going on? If you go to Facebook, you have this screen now, which is you can see, you've got some settings, minor custom, but you can change it to everyone, friends of friends, or only friends for some settings. But then there are all these other little bits. There's your basic directory information, and you can edit the settings there if you happen to notice that's a link. There's the applications of websites, and you can edit the settings there with a little buried link there. So there's lots more going on than Facebook's actual interface provides for people. One way to do that is to wrap it or to create an extension that actually takes through and gives you a little more information. So all this tool does is basically go through your privacy settings and evaluate them, and say it uses good, bad, ugly, but that's not necessarily the right answer, but it gives you a tool. Okay, what does it mean? Instant personalization is currently turned on. There's a privacy page where this will highlight. When you go to Yelp, when you go to docs.com, that site instantly has your information. You don't have to opt in. You haven't found the right button to opt out. Oh, here's where it is. You can go click on that. So it's just a wrapper. It's nothing sophisticated. It's not the most complex hack in the world, but it is a whole lot more effective than what Facebook has offered. 
So that's kind of the starting point. Okay, well, we can give people a little bit more information. Just make them aware of what's going on. Give them a pointer to where to fix things. But actually, we can actually do quite a bit more. There are a couple more hacks which are mostly about actually controlling your information rather than just pointing you to Facebook's controls. This is actually one of the more clever ones I've seen. It's called the green safe. So this application, it's actually an application within Facebook that provides an alternative to profile information. So instead of storing your profile information with Facebook, you can move it into the green safe, and then you don't have to have it on Facebook anymore. Now what this does, of course, is that means Facebook doesn't have it and the green safe does. Now whether or not you trust the green safe, it also means no other application can get it because it's held away from that. You have a different set of privacy controls. You have a different way of managing your own information within Facebook through something that is just a hack, but it gives you a whole new layer of control. You can put a panel on your profile, you can share it with friends, and you can keep it away from applications, and you can keep it away from Facebook without my profile, which is on Facebook, which can be mined by advertisers, which can be, you know, I can't keep some of this information from being public. I have the limits and the choices that Facebook gives me, and instead I have an alternative. You know, I have my information here. It doesn't have a profile picture because I didn't add one to this. It doesn't have, you know, it has my interest that I put in here, but it's a separate way of doing this, of communicating within Facebook. 
My friends can still go to my profile, they can see my green safe box, and see exactly what I chose to put there, but if they run an application, as I talked about before, they can't see it because it's not part of my Facebook profile, it's part of my green safe profile. So this is just another tool to kind of pull a little bit of information out of Facebook, or, well, it's out of Facebook's hands, but it's still within Facebook. So you don't have to quit Facebook. You don't have to leave Facebook. You can just actually move from a system where you can interact with other Facebook users without doing so with Facebook controlling everything that you do, and Facebook applications having access to everything that you post, and all that kind of things. So that's, you know, another example of how do we hack Facebook? How do we pull this information into someone else's control using technology? So there's another extension that came out today, or came out about two months ago, which is called antisocial. Now, if all of you have used NoScript, this is NoScript for dummies. This is how do we focus NoScript or anything that's a JavaScript blocker on Facebook? Because the people in this room can configure NoScript. The 500 million Facebook users aren't going to. And the reason that's important these days is because of these wonderful social plug-ins. So Facebook introduced a few months ago social plug-ins. You go to CNN.com, you go to Yelp, you go wherever else, and you can see your friend shared this, your friends liked this, 17 of your friends liked this. Even if it's just a like button, you see a little bit of information. What you don't see, because you're not a DEF CON attendee, well, you see, but most people don't see, is that, well, actually, that means Facebook knows I'm on CNN.com. They're logging my activity on the web everywhere I go. They have a record of this. 
Now, they have a current policy that they only made public after someone pointed out this was happening, that they're only using it in aggregate. They're anonymizing it, they're deleting after 30 days, which is all good. It's also not permanent, because, as we know, Facebook's policies tend to change. So the simplest way, of course, is doing this, instead of trying to configure your privacy settings and keep up with Facebook, why not just opt out? So what anti-social does, it's basically just a narrow, tailored JavaScript blocker and domain blocker. If it's a third-party cookie going to Facebook, it gets blocked. So my friend's information doesn't show up, because Facebook doesn't know I'm on CNN. It can't tell CNN who my friends are. You can do the same thing within Facebook. You block third-party applications with the same tool so that they can't see my information when I'm running, because it's basically limiting things to the first-party domain. It's nothing technically sophisticated. It's nothing mind-blowing for anyone in this room. But for the general user, it's a new concept of, wait, I can, not only A, I know that Facebook's tracking me if you explain that to people, but here's what I can do to opt out. I run Firefox. I add a plug-in. I'm done. It's a hack. It's simple. It's easy to use, which, as I'm going to say, is important, but it does something. It actually limits the amount of information that is being shared with Facebook. And it gives users more control and more choices and more possibilities. So it's something that's new. It's something that probably many people in this room haven't heard of. I hadn't heard of it, and that's my job. It's kind of sad. So it's just a concept. And then you get to the next step, which as I said earlier, a lot of people have decided I'm done with Facebook. But what does that mean? If you want to delete your Facebook account, it's a little better than it was a year ago, but at one point it was hard. 
You could deactivate your account, and then it would sit in storage forever. You could try to delete, and they would say, well, okay, we'll get rid of some things, and we might not get rid of others, and in 30 days we'll give you another reminder. And if you ever log back in, we'll just keep it around for you just in case. And you had to fight and fight and fight to delete your account. Do you want to commit seppuku? Do you want to kill yourself online? Do you want to actually wipe out your Facebook account? Well, you could use this service. You have to give the service your Facebook username and password, and then it will go through and delete everything for you, all of your pictures, all of your posts, all of your friends, everything. It will destroy each bit of information using Facebook's interface, which means it's not totally clear that everything in Facebook's record is gone, but at least it will clean out your profile before I delete it. So it's a tool that Facebook doesn't have. Facebook now does have better deletion, but they're still, you know, still useful to wipe out everything. I've forgotten my accounts. I've forgotten whatever else. I can use tools like this to do that. And there's seppuku. There's the Web 2.0 suicide machine, which is a great name. So apparently a better name, because this actually made an appearance on South Park. But you have these tools that are getting around what Facebook allows. Facebook doesn't let you delete. Well, these tools can. And then, of course, you get to the bottom question, which is, well, okay, we're talking about all of these hacks for fixing the little things that Facebook's doing. And then they do some other thing. And it's really annoying, and we work around it, and we make it mostly better for the people who get this. Well, maybe the hack we should be talking about isn't fixing Facebook. Maybe the hack we should be talking about isn't just deleting your identity on Facebook. 
Maybe we should be talking about getting, you know, replacing Facebook. It's not going to go away. But what can we do to hack making it easier to move out of Facebook? You know, we have ideas like Diaspora. The privacy-aware, personally controlled, do-it-all open-source social network. Sounds wonderful. How do you get people there? You know, it's going to launch in September. You'll have the people who care who will be there. What about the rest? What about the people who say, okay, well, I'll sign up for that because it sounds like fun. But I've got 172 friends on Facebook, how do I make it easy for people to move? That was related to. It's not exactly the same, but I have to fudge my talk a little bit to make this work. The idea by Power.com. Power was actually more of a social aggregator. But the concept was, well, what you can do is you can give us your Facebook login and password and we'll just collect all of your information. We'll find all your connections. We'll hold it for you in our site. In this case, it was so we can connect you between Facebook and MySpace and LinkedIn and you can also see it as a way to migrate. Because once you migrate from Facebook to Diaspora, to an open privacy friendly social network, and you can bring all your friends with you and you can do that really easily, it becomes a much more viable alternative. Because, you know, fighting the Facebook Goliath is hard because they have 500 million users. And one at a time you can leave, but that means you're giving up social networking. You can take 100 people with you, but unless that's your entire circle of friends some of them are going to go back to Facebook and they're going to keep using it. So if you can get something that actually makes it smoother to transition that gives you alternatives to porting your information, to porting your connections to using these other services, then maybe you can get things to happen. Now, of course, Power.com was wonderful. 
It integrated with Facebook. And this is what it looks like today. You'll notice one icon that is missing. So I've talked about I've actually summarized the hacks I'm going to talk about because there are a few more, but they mostly do the same thing. They talk about education. They talk about controls within Facebook. How do you control information? How do you protect Facebook from getting it? Or they talk about deleting or moving from Facebook. There are other examples of those and I want to make sure that I save some time to talk to you guys about that. But what I want to talk about now are the challenges. And as you can see Power, although not exactly a privacy hack is running into some of these. There are a few basic sets of challenges. And these are ordered from, well, easiest first and the last. The technical challenge is not hard. None of the hacks I've shown you were long-term projects. They were a couple of days a week. They took some JavaScript knowledge. They took writing an application that was Facebook. Now, when you get to something like Power, a sophisticated alternative, that's a much bigger project. But most of these other tools are pretty quick. You've got a lot of privacy settings. You JavaScript away to single click. Change all of them at once. You've got something. So you write a bookmarklet. You write a browser extension. You write a PHP set of pages and you attach it to Facebook. That's not hard. The harder part might actually be, well, what about the moving target? What if Facebook starts blocking your IP? What if Facebook just keeps changing? Well, that's a pain in the ass. It's kind of... Frankly, it's a mixed blessing because often, if Facebook is changing something, it's because they're responding to something and maybe they're responding in the right way. If you set up something that is about here's how to simply control your privacy settings as Reclaim Privacy did and Facebook does something to make them simpler, well, that's good. 
Of course, it might not go all the way. Facebook has a tendency to take one big step forward and one little step back and say, oh, that evens out. It doesn't work that way. So there's constantly going to be need for these tools to revise and update and continue to build. But it certainly is, in some sense, a good thing that you're accomplishing something when your tool breaks because Facebook changed something. So the technical challenges are easy. Legal challenges are a little fuzzier. I mean, if you are successful, if you are power.com, if you are viewed by Facebook as someone they're challenged by, they may come after you. And I'm going to talk very little about power.com. I'm going to encourage you all to corner Jennifer Granick from EFF because she's written amicus briefs on this and ask her all the hard questions. I'm just going to talk about the general areas. But you will run into a few things. The main thing is what were the terms of service? Did you violate the terms of service? And of course, the question becomes what's you? If you wrote a bookmarklet, well, the user might have run it, but you didn't do it. Well, again, I'm going to be non-lawyery and say, it depends. It's not an easy question. But what you see is that there are possible legal challenges. And the biggest one is the term of service. And a lot of things break down from that. Well, if you violate the term of service, have you gained unauthorized access to a computer network? Are you criminally liable for that? That's what Facebook is saying about power.com right now. 
We will see how that all plays out, but that's one of the ugly, Lori Drew is the case a year ago when you didn't have access, meaning you did something the site asked you not to, you violated terms of service by providing an incorrect, false name, or you violated terms of service by logging in for a user when Facebook says users must log in themselves, you must not use automated tools, even if they do things with your own information that you want them to do. So that's a challenge. But the biggest challenge for these is really practical. You've written a great hack, and I hope we've already thought of a couple of great hacks. I could do this, I could change, I could automatically untag everything. I'm sick of having my, I put up my fake profile picture and then everyone tags me every time they take a picture of me. I want one button click that will untag everything in Facebook. But how do you get that from something I can use, something that people in this room can use, to something that the world can use? And not only that, it's something that makes a difference. It's something that Facebook has to respond to by actually making this easier because they can no longer say it's hard. They can no longer say people don't care. How do you get adoption of your hacks? How do you get them to actually make a difference? And some of it is basically having something that's good. Which good meaning both A, it does something that people care about and B, it's easy. Because we know that if you have a six-step process for setting your Facebook settings, a lot of people won't do it. If you have a one button click that actually makes everything private, and the second challenge of course is once you've got that, how do you make that happen? How do you push it out? You talked to me to start with because that's why I came here is to pitch that. But the basic idea is you need to use as many channels, as many avenues as you can to make this happen. 
You need to talk to your advocacy groups. You need to talk to Facebook. You need to talk to the press. You need to do the same thing that you do with all these hacks. You've got a great video. You've got a great pitch. You make these things happen. You use the ACLU or whoever else wants to talk about this to make things happen. And frankly, I want to talk a little bit about what these hacks have done so far and how we've what we've seen. So what have we seen? We have seen Facebook do some good things. Now again, it's usually a big step forward, small step back approach. But the challenge is we do see some successes. We do see some responses. We've seen granular application controls and permissions, so that applications have to actually say I want to see your friend's profile picture before they can see that friend's profile picture. Now, it's not fully granular and it doesn't actually involve asking me when my friend's app wants to see my profile picture, but it is certainly a step in the right direction. We've seen simplified privacy controls. That's a good concept. There are some good things there. Before it's also simplified in the sense of we simplified this set of controls and pushed everything off to the corner that we don't care about. So that's something that these hacks and these approaches can still work towards addressing, is how do we make these controls more robust, well, more comprehensive but also simple to use. And that's a way to look at hacking. But the biggest thing we've seen, the biggest reason these things I think have been successful thus far and why I hope they will continue to be used and people will continue to try to do this is that they're actually raising awareness of privacy issues. It's no longer surprising when you open a New York Times or you look at CNN and you see something about Facebook and privacy. Facebook did something and somebody wrote about it and it went away. And now it's actually a discussion. 
People are actually talking about privacy. People are actually engaging the idea of, well, what can Facebook do? And if you present, well, they could do this. It pushes the discussion forward. It's a way that just having your own protection, setting your own settings doesn't. So that's really the biggest success we have seen. And as I said, my little application, the most primitive Facebook hack I've seen, we had 100,000 people use it and that's because we got collection, we got the weight of the ACLU behind it and we made things happen. And we actually got a dialogue with Facebook and we've seen some progress. Now again, we are going to fight with Facebook because Facebook is making Facebook compete with somebody else. But what we are seeing is that Facebook does respond to enough awareness. They respond when people complain about privacy. Even Mark Zuckerberg, he of the you lack integrity if you have multiple online identities, steps back when suddenly, oh wait, the public doesn't like that. They start saying things. They start threatening. They start making noise. If they start making noise, Congress might get angry. And where that starts is not with someone making a really strong argument to ACLU or to the New York Times or to anyone else. It starts with somebody showing exactly what happened. It starts with somebody presenting an alternative. It starts with a hack. It starts with somebody just opening people's eyes to what is possible with Facebook by using the Facebook system to change how people control their own information, what privacy options they have and again, where do we go from here? So this is kind of the open-ended part of the talk. I really think that we have the opportunity because there are so many people in this room who understand Facebook, understand the technologies far better than I do. But the concept is we have the tools. We have the skills to actually make a difference. You think about things like tagging. 
You think about mobile location which is going to be the next round of Facebook privacy battles. You think about different approaches to making things more transparent, making people more aware, encouraging people to think about privacy, encouraging people to take action on privacy and then encouraging them to push, making, building consensus. And again, this is about, this is the hack. The hack is not about using the technical tool to fix Facebook. The hack is using the technical tool to get people aware. To build the social awareness, to build the, basically to build people into the sense that we can change Facebook. And I'd like to think that that's what the ACLU and that's what we can do. So my job at the ACLU, which I spilled off a little bit, is part of a campaign called Demand Your dotRights. And this campaign is about raising awareness of issues around online privacy, around the connection between the information that Facebook collects, the information that applications have access to, and the government's demand for this information. And what we do is try to keep people aware of how do you control your privacy? What can you do? What can't you do? Why can't you do it? Why won't Facebook allow this? And a lot of times this is about hacking. This is about changing people's understanding of the system by using your knowledge of the system. It's not just about making a compelling argument, well, you shouldn't put that on Facebook, because people do. They love Facebook. Everyone in this room loves Facebook. Even the people who are people don't love is the fact that they lack control. And giving them control is a way to get them involved and engaged in the system in a way that just, you know, you avoid the, well, I can't do anything about it. I might as well just give up on my privacy response. 
You know, by giving them controls, even if it's limited, even if it's just, you know, an easier way of viewing your privacy settings, even if it's just a way to kill yourself if you need to, it helps people be aware, it helps the idea of online privacy and it helps put pressure on Facebook to make changes. And that's really what we want to accomplish here. So I think the hacking is not so much about breaking Facebook as about fixing Facebook. I do think that having alternatives to Facebook is a part of fixing Facebook, but I also think that Facebook is, you know, we all hope that it will go the way of MySpace and it will be replaced by something better. But we don't know that. So I hope that we can work together to make sure that all of these results can find compelling ways to do this and to introduce new hacks, new techniques, new tools that show what Facebook can do, that show what Facebook can't do, that address the challenges that people have with user privacy and that make it happen. And what I really want to do today and why I came here and I left some time for questions. I didn't know that wasn't part of the general presentation scheme here, I apologize, but is to get people to use it about Facebook privacy that I wish I could have happened? And how do I make it happen? Do I need a little bookmarklet? Do I need to write a script? Do I need to do something that people in this room can do easily that can make that happen? And then if I care about it, if I'm aware of that problem, well, how do I make this happen not just for me, not just for the next year's DEF CON where I can show my little script, but how do I make it happen more broadly? How do I change Facebook? How do I push it in the social network world by using the hacking skills that I have? 
And I really hope that people will continue this dialogue that you'll come and talk to me, that you'll talk to each other, that someone will come up with a great new tool that I can give to a smaller audience next year perhaps, but that really will help people understand what happens with Facebook and help people understand what they can do and how they can change it. And again, I want to be part of that. I'm not a hacker that's working on the skills and they have the knowledge and they care. They came to this discussion because they care about privacy and making that happen is something that the people at DEF CON have a great ability to do and we want to be part of it because we want to take advantage of your skills and we hope you want to take advantage of our networks and our relationships and we want to work together with other organizations, with other groups that can make this happen. So I'm going to actually share with you that I've run out of things to say myself, so I'd be happy to talk to someone on the microphone. Otherwise, I really want to thank everyone for coming and help hope that you all are thinking about ways to hack Facebook.
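The talk describes the "antisocial" extension as a narrowly tailored blocker: requests to Facebook from other sites are dropped so social plug-ins cannot log the visit, and on Facebook itself third-party application domains are dropped so they cannot read the profile. The block below is an added example of that first-party-only decision logic, written here and not taken from the extension or the talk; the Facebook domain list, the tiny public-suffix table, the constructed sample requests and the optional Firefox `webRequest` wiring are all assumptions for the demonstration.

```javascript
// Added example: first-party-only request policy focused on Facebook, in the
// spirit of the "antisocial" blocker described in the talk. Not that
// extension's code; lists and names below are assumptions for the demo.

// Registrable domains the policy treats as Facebook-controlled (constructed
// list; a real deployment would maintain it from observed traffic).
const FACEBOOK_DOMAINS = new Set(["facebook.com", "fbcdn.net", "facebook.net"]);

// Minimal stand-in for the Public Suffix List, so "news.bbc.co.uk" reduces to
// "bbc.co.uk" rather than "co.uk". A real extension would use the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a hostname to its registrable domain: "www.cnn.com" -> "cnn.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Decide whether a sub-resource request issued by a page should be blocked.
//   1. Same-site requests are always allowed.
//   2. Facebook pages may load from other Facebook domains (CDN, scripts).
//   3. Any non-Facebook page is refused requests to Facebook, so a Like
//      button or social plug-in never reports the visit with the user's cookie.
//   4. A Facebook page is refused requests to non-Facebook domains, which is
//      how third-party application canvases load and read profile data.
//   5. Anything else (unrelated third parties on unrelated sites) is left to
//      the user's general blocker, as this tool is deliberately narrow.
// Returns { block: boolean, reason: string } so decisions can be logged.
function decide(pageUrl, requestUrl) {
  const page = registrableDomain(new URL(pageUrl).hostname);
  const target = registrableDomain(new URL(requestUrl).hostname);
  const pageIsFb = FACEBOOK_DOMAINS.has(page);
  const targetIsFb = FACEBOOK_DOMAINS.has(target);
  if (page === target) return { block: false, reason: "first-party" };
  if (pageIsFb && targetIsFb) return { block: false, reason: "facebook-internal" };
  if (targetIsFb) return { block: true, reason: "facebook-on-third-party-site" };
  if (pageIsFb) return { block: true, reason: "third-party-on-facebook" };
  return { block: false, reason: "unrelated-third-party" };
}

// Apply the policy to a list of [pageUrl, requestUrl] pairs and return the
// per-request decisions plus a count of blocked requests.
function applyPolicy(pairs) {
  const decisions = pairs.map(([page, request]) => ({ page, request, ...decide(page, request) }));
  const blocked = decisions.filter((d) => d.block).length;
  return { decisions, blocked };
}

// Constructed sample of requests a browsing session might issue.
const SAMPLE_REQUESTS = [
  ["https://www.cnn.com/story", "https://www.facebook.com/plugins/like.php"],
  ["https://www.cnn.com/story", "https://cdn.cnn.com/app.js"],
  ["https://news.bbc.co.uk/item", "https://connect.facebook.net/en_US/all.js"],
  ["https://www.facebook.com/home", "https://static.ak.fbcdn.net/rsrc.js"],
  ["https://www.facebook.com/home", "https://apps.example-quiz.invalid/canvas"],
  ["https://www.yelp.com/biz/x", "https://analytics.example.invalid/beacon"],
];

// Optional wiring for a Firefox WebExtension (manifest v2 blocking webRequest).
// Guarded so this file also runs under Node. details.documentUrl is the page
// that issued the request and is absent for top-level navigations.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    (details) => {
      if (!details.documentUrl) return {};
      return decide(details.documentUrl, details.url).block ? { cancel: true } : {};
    },
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}

const REPORT = applyPolicy(SAMPLE_REQUESTS);
for (const d of REPORT.decisions) {
  console.log(`${d.block ? "BLOCK" : "allow"} ${d.request} from ${d.page} (${d.reason})`);
}
console.log(`${REPORT.blocked} of ${SAMPLE_REQUESTS.length} requests blocked`);
```

Run with Node to see the decision for each constructed request; the same `decide` function is what the guarded listener would call inside Firefox.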