Showing all posts tagged social-media:

Old Views For Today's News

Here's a blog post I wrote back in 2015 for my then-employer that I was reminded of while recording the latest episode of the Roll For Enterprise podcast. Since the original post no longer seems to be available via the BMC web site, I assume they won't mind me reposting it here, with some updated commentary.

xkcd, CIA

There has been a certain amount of excitement in the news media, as someone purportedly associated with ISIL has taken over and defaced US Central Command's Twitter account. The juxtaposition with recent US government pronouncements on "cyber security" (ack) is obvious: Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity.

The problem here is the usual confusion around IT in general, and IT security in particular. See for instance CNN:

The Twitter account for U.S. Central Command was suspended Monday after it was hacked by ISIS sympathizers -- but no classified information was obtained and no military networks were compromised, defense officials said.

To an IT professional, even without specific security background, this is kind of obvious.

Penny Arcade, Brains With Urgent Appointments

However, there is a real problem here. IT professionals also have a blind spot: they don't think of things like Twitter accounts when they are securing IT infrastructure. This oversight can expose organisations to serious problems.

One way this can happen is credential re-use and leaking in general. Well-run organisations will use secure password-sharing services such as LastPass, but many times, without IT guidance, teams might instead opt for storing credentials in a spreadsheet, as we now know happened at Sony. If someone got their hands on even one set of credentials, what other services might they be able to unlock?

The wider issue is the notion of perimeter defence. IT security to date has been all about securing the perimeter - firewalls, DMZs, NAT, and so on. Today, though, what is the perimeter? End-user services like Dropbox, iCloud, or Google Docs, as well as multi-tier enterprise applications, span back and forth across the firewall, with data stored and code executed both locally and remotely.

I don't mean to pick on Sony in particular - they are just the most recent victims - but their experience has shown once and for all that focusing only on the perimeter is no longer sufficient. The walls are porous enough that it is no longer possible to assume that bad guys are only outside. Systems and procedures are needed to detect anomalous activity inside the network, and once that occurs, to handle it rapidly and effectively.

This cannot happen if IT is still operating as "the department of NO", reflexively refusing user requests out of fear of potential consequences. If the IT department tries to ban everything, users will figure out a way to go around the restrictions to achieve their goals. The risk then is that they make choices which put the entire organisation and even its customers at risk. Instead, IT needs to engage with those users and find creative, novel ways to deliver on their requirements without compromising on their mandate to protect the organisation.

While corporate IT cannot be held responsible for the security of services such as Twitter, they can and should advise social-media teams and end-users in general on how to protect all of their services, inside and outside the perimeter.

There are still a lot of areas where IT is focused on perimeter defence. Adopting Okta or another SSO service is not a panacea; you still do need to consider what would happen when (not if) someone gets inside the first layer of defence. How would you detect them? How would you stop them?

The Okta breach has also helpfully provided an example of another important factor in security breaches: comms. Okta's comms discipline has not been great, reacting late, making broad denials that they later had to walk back, and generally adding to the confusion rather than reducing it. Legislation is being written around the world (with the EU as usual taking the lead) to mandate disclosure in situations like these, which may focus minds — but really, if you're not sufficiently embarrassed as a security provider that a bunch of teenagers were apparently running around your network for at least two weeks without you detecting them, you deserve all the fines you're going to get.

These are no longer purely tech problems. Once you get messy humans in the mix, the conversation changes from "how many bits of entropy does the encryption algorithm need" to "what is the correct trade-off between letting people get their jobs done and ensuring a reasonable level of security, given our particular threat model". Working with humans means communicating with them, so you’d better have a plan ready to go for what to say in a given situation. Hint: blanket denials early on are generally a bad idea, leaving hostages to fortune unnecessarily.

Have a plan ready to go for what you will say in a given situation (including what you may be legally mandated to disclose, and on what timeframe), and avoid losing your customers’ trust. Believe me, that’s one sort of zero trust that you don’t want!

Help, I'm Being Personalised!

As the token European among the Roll For Enterprise hosts, I'm the one who is always raising the topic of privacy. My interest in privacy is partly scarring from an early career as a sysadmin, when I saw just how much information is easily available to the people who run the networks and systems we rely on, without them even being particularly nosy.

Because of that history, I am always instantly suspicious of talk of "personalising the customer experience", even if we make the charitable assumption that the reality of this profiling is more than just raising prices until enough people balk. I know that the data is unquestionably out there; my doubts are about the motivations of the people analysing it, and about their competence to do so correctly.

Let's take a step back to explain what I mean. I used to be a big fan of Amazon's various recommendations, for products often bought with the product you are looking at, or by the people who looked at the same product. Back in the antediluvian days when Amazon was mainly about (physical) books, I discovered many a new book or author through these mechanisms.

One of my favourite aspects of Amazon's recommendation engine was that it didn't try to do it all. If I bought a book for my then-girlfriend, who had (and indeed still has, although she is now my wife) rather different tastes from me, this would throw the recommendations all out of whack. However, the system was transparent and user-serviceable. Amazon would show me transparently why it had recommended Book X, usually because I had purchased Book Y. Beyond showing me, it would also let me go back into my purchase history and tell it not to use Book Y for recommendations (because it was not actually bought for me), thereby restoring balance to my feed. This made us both happy: I got higher-quality recommendations, and Amazon got a more accurate profile of me, that it could use to sell me more books — something it did very successfully.

Forget doing anything like that nowadays! If you watch Netflix on more than one device, especially if you ever watch anything offline, you'll have hit that situation where you've watched something but Netflix doesn't realise it or won't admit it. And can you mark it as watched, like we used to do with local files? (insert hollow laughter here) No, you'll have that "unwatched" episode cluttering up your "Up next" queue forever.

This is an example of the sort of behaviour that John Siracusa decried in his recent blog post, Streaming App Sentiments. This post gathers responses to his earlier unsolicited streaming app spec, where he discussed people's reactions to these sorts of "helpful" features.

People don’t feel like they are in control of their "data," such as it is. The apps make bad guesses or forget things they should remember, and the user has no way to correct them.

We see the same problem with Twitter's plans for ever greater personalisation. Twitter defaulted to an algorithmic timeline a long time ago, justifying the switch away from a simple chronological feed with the entirely true fact that there was too much volume for anyone to be a Twitter completist any more, so bringing popular tweets to the surface was actually a better experience for people. To repeat myself, this is all true; the problem is that Twitter did not give users any input into the process. Also, sometimes I actually do want to take the temperature of the Twitter hive mind right now, in this moment, without random twenty-hour-old tweets popping up out of sequence. The obvious solution of giving users actual choice was of course rejected out of hand, forcing Twitter into ever more ridiculous gyrations.

The latest turn is that for a brief shining moment they got it mostly right, but hilariously and ironically, completely misinterpreted user feedback and reversed course. So much for learning from the data… Twitter briefly gave users the option of adding a "Latest Tweets" tab with chronological listing alongside the algorithmic default "Home" tab. Of course such an obviously sensible solution could not last, because unless you used lists, the tabbed interface was new and (apparently) confusing. Another update therefore followed rapidly on the heels of the good one, which forced users to choose between "Latest Tweets" or "Home", instead of simply being able to have both options one tap apart.

Here's what it boils down to: to build one of these "personalisation" systems, you have to believe one of two things (okay, or maybe some combination):

  • You can deliver a better experience than (most) users can achieve for themselves
  • Controlling your users' experience benefits you in some way that is sufficiently important to outweigh the aggravation they might experience

The first is simply not true. It is true that it is important to deliver a high-quality default that works well for most users, and I am not opposed in principle to that default being algorithmically-generated. Back when, Twitter used to have a "While you were away" section which would show you the most relevant tweets since you last checked the app. I found it a very valuable feature — except for the fact that I could not access it at will. It would appear at random in my timeline, or then again, perhaps not. There was no way to trigger it manually, or any place where it would appear reliably and predictably. You just had to hope — and then, instead of making it easier to access on demand, Twitter killed the entire feature in an update. The algorithmic default was promising, but it needed just a bit more control to make it actually good.

This leads us directly to the second problem: why not show the "While you were away" section on demand? Why would Netflix not give me an easy way to resume watching what I was watching before? They don't say, but the assumption is that the operators of these services have metrics showing higher engagement with their apps when they deny users control. Presumably what they fear is that, if users can just go straight to the tweets they missed or the show they were watching, they will not spend as much time exploring the app, discovering other tweets or videos that they might enjoy.

What is forgotten is that "engagement" just happens to be one metric that is easy to measure — but the ease of measurement does not necessarily make it the most important dimension, especially in isolation. If that engagement is me scrolling irritably around Twitter or Netflix, getting increasingly frustrated because I can't find what I want, my opinion of those platforms is actually becoming more corroded with every additional second of engagement.

There is a common unstated assumption behind both of the factors above, which is that whatever system is driving the personalisation is perfect, both unbreakable in its functioning and without corner cases that may deliver sub-optimal results even when the algorithm is working as designed. One of the problems with black-box systems is that when (not if!) they break, users have no way to understand why they broke, nor to prevent them breaking again in the future. If the Twitter algorithm keeps recommending something to me, I can (for now) still go into my settings, find the list of interests that Twitter has somehow assembled for me, and delete entries until I get back to more sensible recommendations. With Netflix, there is no way for me to tell it to stop recommending something — presumably because they have determined that a sufficient proportion of their users will be worn down over time, and, I don't know, whatever the end goal is — watch Netflix original content instead of something they have to pay to license from outside.

All of this comes back to my oft-repeated point about privacy: what is it that I am giving up my personal data in exchange for, exactly? The promise is that all these systems will deliver content (and ads)(really it's the ads) that are relevant to my interests. Defenders of the model will point out that profiling as a concept is hardly new. The reason you find different ads in Top Gear Magazine, in Home & Garden, and in Monocle, is that the profile for the readership is different. But the results speak for themselves: when I read Monocle, I find the ads relevant, and (given only the budget) I would like to buy the products featured. The sort of ads that follow me around online, despite a wealth of profile information generated at every click, correlated across the entire internet, and going back *mumble* years or more, are utterly, risibly, incomprehensibly irrelevant. Why? Some combination of that "we know better" attitude, algorithmic profiling systems delivering less than perfect results, and of course, good old fraud in the adtech ecosystem.

So why are we doing this, exactly?

It comes back to the same issue as with engagement: because something is easy to measure and chart, it will have goals set against it. Our lives online generate stupendous volumes of data; it seems incredible that the profiles created from those megabytes if not gigabytes of tracking data have worse results than the single-bit signal of "is reading the Financial Times". There is also the ever-present spectre of "I know half of my ad spending is wasted, I just don't know which half". Online advertising with its built-in surveillance mechanisms holds out the promise of perfect attribution, of knowing precisely which ad it was which caused the customer to buy.

And yet, here we are. Now, legislators in the EU, in China, and elsewhere around the world are taking issue with these systems, and either banning them outright or demanding they be made transparent in their operation. Me, I'm hoping for the control that Amazon used to give me. My dream is to be able to tell YouTube that I have no interest in crypto, and then never see a crypto ad again. Here, advertisers, I'll give you a freebie: I'm in the market for some nice winter socks. Show me some ads for those sometime, and I might even buy yours. Or, if you keep pushing stuff in my face that I don't want, I'll go read a (paper) book instead. See what that does for engagement.


🖼️ Photos by Hyoshin Choi and Susan Q Yin on Unsplash

Interoperable Friendship

Whenever the gravitational pull of social networks comes up, there is a tendency to offer a quick fix by "just" letting them integrate with each other, or offer export/import capability.

Cory Doctorow tells an emotional tale in Wired about his grandmother's difficult decision to leave all of her family and friends behind in the USSR, and concludes with this impassioned appeal:

Network effects are why my grandmother's family stayed behind in the USSR. Low switching costs are why I was able to roam freely around the world, moving to the places where it seemed like I could thrive.

Network effects are a big deal, but it's switching costs that really matter. Facebook will tell you that it wants to keep bad guys out – not keep users in. Funnily enough, that's the same thing East Germany's politburo claimed about the Berlin Wall: it was there to keep the teeming hordes of the west out of the socialist worker's paradise, not to lock in the people of East Germany.

Mr Zuckerberg, tear down that wall.

As appealing as that vision is, here is why interoperability won't and can't work.

Let's take our good friends Alice and Bob, from every cryptography example ever. Alice and Bob are friends on one social network, let's call it Facester. They chat, they share photos, they enter a bunch of valuable personal information. So far so good; information about each user is stored in a database, and it's pretty trivial to export user information, chat logs, and photographs from the system.

Here's the problem: the account data is not the only thing that is valuable. You also want the relationships between users. If Alice wants to join a new network, let's call it Twitbook, being able to prepopulate it with her name and profile picture is the least of her issues. She is now faced with an empty Twitbook feed, because she isn't friends with anyone there yet.[1]

Alice and Bob's relationship on Facester is stored in a data structure called a graph; each link between nodes in the graph is called an edge. While this structure can be exported in purely technical terms, this is where things start getting complicated.

What if Alice and Bob's sworn enemy, Eve, registers on Twitbook with Bob's name? Or maybe there's simply more than one Bob in the world. How can Twitbook meaningfully import that relationship from Facester?

There are various policies that you could come up with, ranging from terrible to more terrible.

If both Alice and Bob go to a certain amount of effort, entering their Facester profile info on Twitbook and vice versa, the export and reimport will be able to reconcile the data that way — but that's a lot of work and potential for error. What happens if even one of your friends hasn't done this, or gets it wrong? Should the import stop or continue? And does the destination network get to keep that dangling edge? Here in what we still call the real world, Facebook already creates "ghost profiles" for people who do not use its services, but whose existence they have inferred from their surveillance-driven adtech. These user records have value to FB because they can still be used for targeting and can have ads sold against them.

Alice and Bob's common friend Charlie has chosen not to register for Twitbook because they dislike that service's privacy policy. However, if either Alice or Bob imports their data from Facester into Twitbook, Charlie could still end up with one of these ghost profiles against their wishes. Contact data are not the property of the person who holds them. Back to the real world again, this is the problem that people have with the likes of Signal or Clubhouse, that prompt users to import their whole address book and then spam all of those people. This functionality is not just irritating, it's also actively dangerous as a vector for abuse.
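To make the import policies above concrete, here is an added example (not part of the original post) that runs Alice's exported Facester graph through a Twitbook import. The record formats, field names and IDs are all hypothetical and the data is constructed; Eve is assumed to have registered on Twitbook as "Bob" and to have falsely claimed Bob's Facester profile.

```python
"""Added illustration: importing a friend graph from 'Facester' into 'Twitbook'.

All formats, field names and IDs are hypothetical; the data is constructed.
"""

# Constructed sample: Alice's export from Facester.
# linked_twitbook_id is what each person entered on their OWN Facester profile.
FACESTER_EXPORT = {
    "owner": {"facester_id": "fs-alice", "name": "Alice", "linked_twitbook_id": "tb-1"},
    "friends": [
        {"facester_id": "fs-bob", "name": "Bob", "linked_twitbook_id": "tb-3"},
        # Charlie never joined Twitbook, so there is nothing to link to.
        {"facester_id": "fs-charlie", "name": "Charlie", "linked_twitbook_id": None},
    ],
}

# Constructed sample: accounts that exist on Twitbook.
# linked_facester_id is self-declared on Twitbook, so anyone can claim anything.
TWITBOOK_ACCOUNTS = [
    {"twitbook_id": "tb-1", "name": "Alice", "linked_facester_id": "fs-alice"},
    {"twitbook_id": "tb-2", "name": "Bob", "linked_facester_id": "fs-bob"},  # Eve
    {"twitbook_id": "tb-3", "name": "Bob", "linked_facester_id": "fs-bob"},  # real Bob
]


def candidates_by_name(friend, accounts):
    """Naive policy: every Twitbook account with the same display name."""
    return [a["twitbook_id"] for a in accounts if a["name"] == friend["name"]]


def match_by_mutual_link(friend, accounts):
    """Stricter policy: both sides must point at each other.

    The Twitbook account must claim the Facester profile AND the Facester
    profile must name that same Twitbook account. A one-sided claim (Eve's)
    fails the second half of the check.
    """
    for account in accounts:
        claims_profile = account["linked_facester_id"] == friend["facester_id"]
        profile_confirms = friend["linked_twitbook_id"] == account["twitbook_id"]
        if claims_profile and profile_confirms:
            return account["twitbook_id"]
    return None


def import_graph(export, accounts, keep_dangling):
    """Import the owner's edges; decide what happens to unresolved friends.

    keep_dangling=True models the 'ghost profile' outcome: the destination
    network stores a record about someone who never signed up.
    """
    owner_id = match_by_mutual_link(export["owner"], accounts)
    if owner_id is None:
        raise ValueError("owner has no mutually confirmed Twitbook account")

    result = {"edges": [], "ghost_profiles": [], "dropped": []}
    for friend in export["friends"]:
        target_id = match_by_mutual_link(friend, accounts)
        if target_id is not None:
            result["edges"].append((owner_id, target_id))
        elif keep_dangling:
            result["ghost_profiles"].append(
                {
                    "facester_id": friend["facester_id"],
                    "name": friend["name"],
                    "known_via": owner_id,
                }
            )
        else:
            result["dropped"].append(friend["facester_id"])
    return result


if __name__ == "__main__":
    bob, charlie = FACESTER_EXPORT["friends"]
    print("name match for Bob:", candidates_by_name(bob, TWITBOOK_ACCOUNTS))
    print("name match for Charlie:", candidates_by_name(charlie, TWITBOOK_ACCOUNTS))
    print("strict, drop dangling:",
          import_graph(FACESTER_EXPORT, TWITBOOK_ACCOUNTS, keep_dangling=False))
    print("strict, keep dangling:",
          import_graph(FACESTER_EXPORT, TWITBOOK_ACCOUNTS, keep_dangling=True))
```

Name matching cannot tell Eve from Bob, mutual linking only works for friends who have done the extra work on both networks, and the only remaining choice for Charlie is between losing the edge and storing a record about someone who never consented.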

Another terrible policy is to have some kind of global unique identifier for users, whether this means mandating the use of government-assigned real names, or some global register of user IDs. Real names are problematic for all sorts of reasons, whether it's for people who prefer to use pseudonyms or nicknames, or people who change their name legitimately. Facebook got into all sorts of trouble with their own attempt at a real-name policy, and that was just for one network; you could still be pseudonymous on Twitter, precisely because the two networks are not linked.

People do want to partition off different parts of their identity. Maybe on Facester Alice presents as a buttoned-up suburban housewife, but on Twitbook she lets her hair down and focuses on her death metal fandom. She would prefer not to have to discuss some of the imagery and lyrics that go with that music at the PTA, so she doesn't use the same name and keeps these two aspects of her personality on separate networks. Full interoperability between Facester and Twitbook would collapse these different identities, whatever Alice's feelings on the matter.

Some are invoking the right to data portability that is enshrined in GDPR, but this legislation has the same problem with definitions: whose data are we talking about, exactly?

The GDPR states (emphasis mine):

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Applying this requirement to social networks becomes complicated, though, because Alice's "personal data" also encompasses data about her relationships with Bob and Charlie. Who exactly does that data belong to? Who can give consent to its processing?

GDPR does not really address the question of how or whether Alice should be allowed to obtain and reuse data about Bob and Charlie; it focuses only on the responsibility of Facester and Twitbook as data controllers in this scenario. Here are its suggestions about third parties’ data:

What happens if the personal data includes information about others?

If the requested information includes information about others (eg third party data) you need to consider whether transmitting that data would adversely affect the rights and freedoms of those third parties.

Generally speaking, providing third party data to the individual making the portability request should not be a problem, assuming that the requestor provided this data to you within their information in the first place. However, you should always consider whether there will be an adverse effect on the rights and freedoms of third parties, in particular when you are transmitting data directly to another controller.

If the requested data has been provided to you by multiple data subjects (eg a joint bank account) you need to be satisfied that all parties agree to the portability request. This means that you may have to seek agreement from all the parties involved.

However, all of this is pretty vague and does not impose any actual requirements. People have tens if not hundreds of connections within social networks; it is not realistic that everybody get on board with each request, in the way that would work for the GDPR's example of a joint bank account, which usually involves only two people. If this regulation were to become the model for regulation of import/export functionality of social networks, I think it's a safe bet that preemptive consent would be buried somewhere in the terms and conditions, and that would be that.

Tearing down the walls between social networks would do more harm than good. It's true that social networks rely on the gravity of the data they have about users and their connections to build their power, but even if the goal is tearing down that power, interoperability is not the way to do it.


UPDATE: Thanks to Cory Doctorow for pointing me at this EFF white paper after I tagged him on Twitter. As you might expect, it goes into a lot more detail about how interoperability should work than either a short Wired article or this blog post does. However, I do not feel it covers the specific point about the sort of explicit consent that is required between users before sharing each other's data with the social networks, and the sorts of information leaks and context collapse that such sharing engenders.


🖼️ Photos by NordWood Themes, Alex Iby, and Scott Graham on Unsplash


  1. Or she doesn't follow anyone, or whatever the construct is. Let's assume for the sake of this argument that the relationships are fungible across different social networks — which is of course not the case in the real world: my LinkedIn connections are not the same people I follow on Twitter. 

The Wrong Frame

The conversation about the proposed Australian law requiring Internet companies to pay for news continues (previously, previously).

Last time around, Google had agreed to pay A$60m to local news organisations, and had therefore been exempted from the ban. Facebook initially refused to cough up, and banned news in Australia — and Australian news sites entirely — but later capitulated and reversed their ban on news pages in Australia. They even committed to invest $1 billion in news.

One particular thread keeps coming up in this debate, which is that news publications benefit from the traffic that Facebook and Google send their way. This is of course true, which is why legislation that demands that FB & Google pay for links to news sites is spectacularly ill-conceived, easy to criticise, and certain to backfire if implemented.

Many cite the example of Spain, where Google shuttered the local Google News service after a sustained campaign — only for newspapers to call on European competition authorities to stop Google shutting its operation. However, it turns out that since the Google News shutdown in Spain, overall traffic to news sites went largely unchanged.

Getting the facts right in these cases is very important because the future of the web and of news media is at stake. The last couple of decades have in my opinion been a huge mistake, with the headlong rush after ever more data to produce ever more perfectly targeted advertising obscuring all other concerns. Leaving aside privacy as an absolute good, even on the utilitarian terms of effective advertising, this has been a very poor bargain. Certainly I have yet to see any targeted ads worth their CPM, despite the torrent of data I generate. Meanwhile, ads based off a single bit of information — "Dominic is reading Wired" (or evo, or Monocle) have led me to many purchases.

The worst of it is that news media do not benefit at all from the adtech economy. Their role is to be the honeypot that attracts high-value users — but the premise of cross-site tracking is that once advertisers have identified those high-value users, they can go and advertise to them on sites that charge a lot less than top-tier newspapers or magazines. The New York Times found this out when they turned off tracking on their website due to GDPR — and saw no reduction in ad revenues.

Of course not every site has the cachet or the international reach of the NYT, but if you want local news, you read your local paper — say, the Sydney Morning Herald. Meanwhile, if you're an advertiser wanting to reach people in Sydney, you can either profile them and track them all over the web (or rather, pay FB & G to do it for you) — or just put your ad in the SMH.

Hard cases make bad law. The question of how to make news media profitable in the age of the Web where the traditional dynamics of that market have been completely upended is a hard and important one. This Australian law is not the right way to solve that question, even aside from the implications of this basically being a handout to Rupert Murdoch — and one which would end up being paid in the US, not even in Australia.

Let us hope that the next government to address this question makes a better job of it.


🖼️ Photo by AbsolutVision on Unsplash

The Framing Continues

The framing of Australia's battle against Google and Facebook continues in a new piece with the inflammatory title Australian law could make internet ‘unworkable’, says World Wide Web inventor Tim Berners-Lee.

Here's what Sir Timothy had to say:

"Specifically, I am concerned that that code risks breaching a fundamental principle of the web by requiring payment for linking between certain content online"

This is indeed the problem: I am not a lawyer, nor do I play one on the internet, so I won't comment on the legalities of the Australian situation — but any requirement to pay for links would indeed break the Web (not the Internet!) as we know it. But that's not the issue at risk, despite Google's attempts to frame the situation that way (emphasis mine):

Google contends the law does require it to pay for clicks. Google regional managing director Melanie Silva told the same Senate committee that read Berners-Lee’s submission last month she is most concerned that the code "requires payments simply for links and snippets."

As far as I can tell, the News Media and Digital Platforms Mandatory Bargaining Code does not actually clarify one way or the other whether it applies to links or snippets. This lack of clarity is the problem with regulations drafted to address tech problems created by the refusal of tech companies to engage in good-faith negotiations. Paying for links, such as the links throughout this blog post, is one thing — and that would indeed break the Web. Paying for snippets, where the whole point is that Google or Facebook quote enough of the article, including scraping images, that readers may not feel they need to click through to the original source, is something rather different.

Lazily conflating the two only helps unscrupulous actors hide behind respected names like Tim Berners-Lee's to frame the argument their own way. In law and in technology, details matter.

And of course you can't trust anything Facebook says, as they have once again been caught over-inflating their ad reach metrics:

According to sections of a filing in the lawsuit that were unredacted on Wednesday, a Facebook product manager in charge of potential reach proposed changing the definition of the metric in mid-2018 to render it more accurate.

However, internal emails show that his suggestion was rebuffed by Facebook executives overseeing metrics on the grounds that the "revenue impact" for the company would be "significant", the filing said.

The product manager responded by saying "it’s revenue we should have never made given the fact it’s based on wrong data", the complaint said.

The proposed Australian law is a bad law, and the reason it is bad is because it is based on a misapprehension of the problem it aims to solve.

In The Frame

Google and Facebook have been feuding with the Australian government for a while, because in our cyberpunk present, that's what happens: transnational megacorporations go toe-to-toe with governments. The news today is that Google capitulated, and will pay a fee to continue accessing Australian news, while Facebook very much did not capitulate. This is what users are faced with, whether sharing a news item from an Australian source, or sharing an international source into Australia:

Image

I see a lot of analysis and commentary around this issue that is simply factually wrong, so here's a quick explainer. Google first, because I think it's actually the more interesting of the two.

The best way to influence the outcome of an argument is to apply the right framing from the beginning. If you can get that framing accepted by other parties — opponents, referees, and bystanders in the court of public opinion — you’re home free. For a while there, it looked like Google had succeeded in getting their framing accepted, and in the longer run, that may still be enough of a win for them.

The problem that news media have with Google is not with whether or not Google links to their websites. After all, 95% of Australian search traffic goes to Google, so that’s the way to acquire readers. The idea is that Google users search for some topic that’s in the news, click through to a news article, and there they are, on the newspaper’s website, being served the newspaper’s ads.

The difficulty arises if Google does not send the readers through to the newspaper’s own site, but instead displays the text of the article in a snippet on its own site. Those readers do not click through to the newspaper’s site, do not get served ads by the newspaper, and do not click around to other pages on the newspaper’s site. In fact, as far as the newspaper is concerned, those readers are entirely invisible, not even counted as immaterial visitors to swell their market penetration data.

This scenario is not some far-fetched hypothetical; this exact sequence of events played out with a site called CelebrityNetWorth. The site was founded on the basis that people would want to know how rich a given famous person was, and all was well — until Google decided that, instead of sending searches on to CelebrityNetWorth, they would display the data themselves, directly in Google. CelebrityNetWorth's traffic cratered, together with their ad revenue.

That is the scenario that news media want to avoid.

Facebook does the same sort of thing, displaying a preview of the article directly in the Facebook News Feed. However, the reason why Google have capitulated to Australia's demands and Facebook have not is that Facebook is actively trying to get out of dealing with news. It's simply more trouble than it's worth, netting them accusations from all quarters: they are eviscerating the news media, while also radicalising people by creating filter bubbles that only show a certain kind of news. I would not actually be surprised if they used the Australian situation as an experiment prior to phasing out news more generally (it's already only 4% of the News Feed, apparently).

There has also been some overreach on the Australian side, to be sure. In particular, early drafts of the bill would have required that tech companies give their news media partners 28 days’ notice before making any changes that would affect how users interact with their content.

The reason these algorithms are important is that for many years websites — and news media sites are no exception — have had to dance to the whims of Facebook's and Google's algorithms. In the early naive days of the web, you could describe your page by simply putting relevant tags in the META elements of the page source. Search engines would crawl and index these, and a search would find relevant pages. However, people being people, unscrupulous web site operators quickly began "tag stuffing", putting all sorts of tags in their pages that were not really relevant but would boost their search ranking.

And so began an arms race between search engines trying to produce better results for users, and "dark SEO" types trying to game the algorithm.

Then on top of that come social networks like Facebook, which track users' engagement with the platform and attempt to present users with content that will drive them to engage further. A simplistic (but not untrue) extrapolation is that inflammatory content does well in that environment because people will be driven to interact with it, share it, comment on it, and flame other commenters.

So we have legitimate websites (let's generously assume that all news media are legit) trying to figure out this constantly changing landscape, dancing to the platforms' whims. They have no insight into the workings of the algorithm; after all, nothing can be published without the scammers also taking advantage. Even the data that is provided is not trustworthy; famously, Facebook vastly over-inflated its video metrics, leading publications to "pivot to video", only to see little to no return on their investments. Some of us, of course, pointed out at the time that not everyone wants video — but publications desperate for any SEO edge went in big, and regretted it.[1]

Who decides what we see? The promise of "new media" was that we would not be beholden to the whims of a handful of (pale, male and stale) newspaper editors. Instead, we now have a situation in which it is not even clear what is news and what is not, with everybody — users and platforms — second-guessing each other.

And so we find ourselves running an experiment in Australia: is it possible to make news pay? Or will users not miss it once it's gone? Either way, it's going to be interesting. For now, the only big loser seems to be Bing, who had hoped to swoop in and take the Australian web search market from Google. The deal Google signed with News Corporation runs for three years, which should be enough time to see some results.


🖼️ Photo by Markus Winkler on Unsplash


  1. Another Facebook metric that people relied on was Potential Reach; now it emerges that Facebook knowingly allowed customers to rely on vastly over-inflated Potential Reach numbers.

Clubhouse — But Why?

Everyone is talking about Clubhouse, and I just can't get excited about it.

Part of the reason people are excited about Clubhouse is that everyone is always on the lookout for the next big thing. The problem is that the Next Big Things that actually catch on tend to be the ones that are fun and even look like toys at the beginning — TikTok, or Snapchat before it. A floating conference call full of California techbros bigging each other's jobs up? Honestly, I'd pay good money to get out of that.

Clubhouse is not like TikTok in some important ways — and I'm talking about more than just the average age of their respective user bases. TikTok's innovation is its algorithm, which means that TikTok does not rely on existing social networks. Clubhouse is the polar opposite, piggybacking on users' social networks — and even their actual contact lists. Yes, it does that thing everyone hates where it tells you that somebody whose contact info you'd forgotten you had is on the new app you just joined — and worse, it tells them too.

Is this the next thing after podcasts? After all, podcasts are very one-directional; there is no inline interaction. The way my own Roll for Enterprise podcast works is, we record an episode, we clean it up and put it out, and people download it and listen to it. If you want to comment on something we said, you can message us on Twitter or LinkedIn — or of course start up your own podcast, and correct the record there.

The biggest reason I'm not convinced by Clubhouse, though, is that there seems to be an assumption that most users are going to listen passively and in real time to what is effectively an unmoderated radio phone-in panel. I listen to a number of podcasts, but I listen on my own schedule. The whole point is the offline nature of podcasting, which means they're waiting for me when I'm ready for them, not vice versa. When it's time to shave or wash the dishes, I have a library of new episodes I can listen to. I don't have to worry about whether my favourite podcasters are streaming live right now; I have the recording, nicely cleaned-up and edited for my listening pleasure.

The whole podcast model is that once it's recorded, it's done and unchangeable. Clubhouse is not that; in fact it's the opposite of that. It's not even possible to record Clubhouse rooms from inside the app (although apparently they do retain recordings for their own purposes). This is where the problems start. Because right now Clubhouse seems to be just Silicon Valley insiders talking to each other, about each other, in their own time, there is basically nobody else in the world outside the West Coast of the US that can join in. Evening in California is too late for even New York, let alone Europe.

Or is this going for the Pacific market? People in Tokyo or Sydney spending their lunch break listening to American after-work chatter?

I've been wrong about social networks before, so I'm not saying this thing doesn't have a future. I'm saying it definitely isn't for me. If you disagree, you should come on the Roll for Enterprise podcast and tell us all what we're missing.


🖼️ Photo by Josh Rose on Unsplash

The Shape Of 2019

They said they need real-world examples, but I don’t want to be their real-world mistake

That quote comes from a NYT story about people attacking self-driving vehicles. I wrote about these sentiments before, after the incident which spurred these attacks:

It’s said that you shouldn’t buy any 1.0 product unless you are willing to tolerate significant imperfections. Would you ride in a car operated by software with significant imperfections?
Would you cross the street in front of one?
And shouldn’t you have the choice to make that call?

Cars are just the biggest manifestation of this experimentation that is visible in the real world. How often do we have to read about Facebook manipulating the content of users’ feeds – just to see what happens?

And what about this horrific case?

Meanwhile, my details were included in last year’s big Marriott hack, and now I find out that my passport details may have been included in the leaked information. Marriott’s helpful suggestion? A year’s free service – from Experian. Yes, that Experian, the one you know from one of the biggest hacks ever.

I don’t want to be any company’s real world mistake in 2019.


🖼️ Photo by chuttersnap on Unsplash

How Much Trouble Is Facebook In?

Users (including me) are deleting Facebook, but FB reports no drop in active users. What gives?

It’s not just Bloomberg, either; a survey published in Forbes claims that More Than 1 in 4 Americans Have Deleted Facebook. I’m not American, nor do I play one on TV, but I deleted the FB app from all my devices a while ago. I still have my account, but I went from checking it multiple times per day to glancing at it once every couple of weeks. Informally, I speak to lots of people who have done the same thing.

Once again, what gives?

Counting And Overcounting

There is nothing surprising here: any action is enough for FB to count you as active, so they can claim with a straight face that even someone like me is still "active" for purposes of their statistics – and the rates they can charge advertisers.

Remember when Facebook inflated video viewing stats for two years? Good times, good times. Turned out, they were counting anything over three seconds as if you had viewed the whole thing. The only problem is, it might take you that long to figure out how to dismiss the annoying thing.

Unsurprisingly, advertisers who had been paying through the nose for those video ad placements were not best pleased, especially as the scale of the over-counting became clear:

Ad buying agency Publicis Media was told by Facebook that the earlier counting method likely overestimated average time spent watching videos by between 60% and 80%

On A Mission

Facebook take their mission extremely seriously. Currently it says this:

Give people the power to build community and bring the world closer together.

The old formulation was perhaps clearer:

To give people the power to share and make the world more open and connected.

Either way, the Rohingya in Burma[1], to cite just one example, might have preferred if people had not shared libels and built communities around hunting them down and ejecting them from their villages.

Facebook, however, in dogged pursuit of this ideal, builds and maintains so-called shadow profiles, even for users who had the foresight never to sign up for Facebook. These profiles are built up by using various tracking mechanisms that follow users around the Web – famously, the Like button, although supposedly that has now been defanged. One also suspects a certain amount of information sharing between Facebook’s various properties, notably Instagram and WhatsApp.

The AOL Of Our Century

The bottom line is, you’re not getting out of Facebook that easily, if only because of the famous truism of the ad-funded web: "if you’re not paying for it, you’re the product". With Facebook, as with all social media sites, that is true in a very literal sense. What they are selling to their advertisers is exposure to the greatest number of eyeballs, ideally filtered according to certain characteristics. If the pool starts shrinking, their opportunity to make money off advertisers shrinks commensurately. If people start seriously messing with the stats, for instance by using tools like fuzzify.me, such that the filters no longer return groupings of users that are attractive to advertisers, that will also be a problem. Any drop in Daily or Monthly Active Users (DAU and MAU) would be a much more immediate threat, though, and that is why as long as users check Facebook even occasionally, there will never be a serious drop in usage reported – right up until the day the whole thing dies unceremoniously in a corner.


  1. I refuse to call it Myanmar. 

Needy Much, Facebook?

This notification was on my iPad:

A HUNDRED messages? Okay, maybe something blew up. I’ve not been looking at Facebook for a while, but I’ve been reluctant to delete my account entirely because it’s the only way I keep in touch with a whole bunch of people. Maybe something happened?

I open the app, and I’m greeted with this:

Yeah, no notifications whatsoever inside the app.

Facebook is now actively lying to get its Daily Active Users count up. Keep this sort of thing in mind when they quote such-and-such a number of users.

To Facebook, user engagement stats are life itself. If they ever start to slide seriously, their business is toast. Remember in 2016, when Facebook was sued over inflated video ad metrics? Basically, if you scrolled past a video ad in your feed, that still counted as a “view”, resulting in viewer counts that were inflated by 80%.

Earlier this year, Facebook had its first loss in daily active users in the US and Canada. They are still growing elsewhere, but not without consequences, as the New York Times reports in a hard-hitting piece entitled Where Countries Are Tinderboxes and Facebook Is a Match.

At this point, I imagine anyone still working for Facebook is not nearly as forward with that fact at dinner parties or in bars, instead offering the sort of generic “yeah, I work in IT” non-answer that back-office staff at porn sites are used to giving.