Who Owns Your Friends?
Social-networking sites are fighting over control of users’ personal information.
Technology blogger Robert Scoble wanted help moving contact information for his 5,000 Facebook friends into his Microsoft Outlook address book. He turned to Joseph Smarr, chief platform architect at Plaxo, a company in Mountain View, CA, that synchronizes contact information between Outlook, other desktop e-mail programs, and a number of Web services. Smarr gave Scoble a short program to test out, which automatically paged through Scoble’s Facebook connections and extracted the names, birthdays, and e-mail addresses of his friends.
There was just one problem. The program triggered alerts at Facebook, which disabled Scoble’s account. “My identity disappeared,” Scoble says. “If I was your friend, I turned gray–all my information went gray. ” Scoble was transformed from a man with a small town of Facebook friends into a nonperson.
The incident brought to a head a debate that had been raging for months behind the scenes at social-networking sites: who controls the data users post on their profiles? Advocates of so-called data portability, including Scoble and Smarr, say people should be able to transfer information easily in and out of any Web services they use. Facebook, on the other hand, says it needs to safeguard the information it stores so that it isn’t misused, and that means keeping tight control over users’ information. At stake is not simply the ease and security with which people move between social-networking sites but control of the currency that gives those sites their value: personal information.
Although Scoble’s trouble managing his 5,000 Facebook friends is an extreme example, similar problems are common. Many users have five or six online accounts that use social data–perhaps an e‑mail account, an instant-messenger service, a profile on a social network, a photo-sharing site, and a blog. “Every time you try to sign up for some new service, it acts like you’ve never used another website before,” says Smarr. “You have to create a new account and password from scratch. You have to fill in your profile all over again. You have to find all the people on that site that you know, reconnect with them, and reëstablish their relationship to you. I think this adds up to a huge burden, and a lot of people aren’t using or consuming from nearly as many of these sites as they could.”
Chris Saad, cofounder and chair of the nonprofit DataPortability Project, notes that many current methods of transferring data expose users to huge security risks. For example, it’s a common practice for social sites to ask users to submit the usernames and passwords for their Web-based e-mail accounts when they first sign up; an automated service can then search the network for people listed in their address books. “The door is open right now for any application that scrapes your Gmail address book to go ahead and scrape your shopping cart as well, or scrape your searches, or keep your username and password and pretend to be you,” says Saad. “It’s a nightmare of security, and it’s something we need to solve sooner rather than later.”
Though most experts perceive a need for an easier, more secure way for users to share data among social networks, there is little agreement on a solution. “Is it going to be the closed, walled garden of infrastructure, or the more open, distributed infrastructure of the Web itself?” asks Smarr. The answer to that question could determine whether social networks are dominated by a single company–and these days Facebook has the edge–or whether users will be able to jump around effortlessly among a slew of flourishing social sites, each with its own strengths and features.
Bill of Rights
The Plaxo office in Mountain View is large, open, and half-empty, with, says Smarr, plenty of room for the company to grow. Rows of workstations at long tables have no barriers between them. At one workstation, a neon “open” sign lights up in red and blue. It looks, in other words, like a typical social-networking startup.
Indeed, since its founding seven years ago, Plaxo has in many ways mirrored the evolution of social networks as a whole–and their answers to the challenges they’ve faced. (In May, Comcast agreed to acquire the company.) Initially, Plaxo let new users import contact information from their existing e-mail accounts. It then gave them the option of automatically e-mailing their contacts to ask for updates. Many people, however, perceived the e‑mails as spam–a charge also leveled against the “viral marketing” techniques of other social networks. Two years ago the company abandoned the tool and publicly apologized for it. Plaxo then began trying to reinvent itself as a company that helps people manage their social data, which has become increasingly scattered among a variety of desktop applications and Web services.
Last summer, Plaxo launched Pulse, a site that allows users to track friends’ and family members’ online social activities. On a single page, for example, you can read and comment on a friend’s Twitter updates and blog entries or look at photos posted to Flickr. Given Plaxo’s commitment to Pulse, it is not surprising that Smarr has become a strong advocate of open communication between social sites. Posted in the Plaxo office is a hard copy of “A Bill of Rights for Users of the Social Web,” which Smarr coauthored last fall. The bill of rights reads, in part,
“We publicly assert that all users of the social web are entitled to certain fundamental rights, specifically:
Ownership of their own personal information, including:
-their own profile data
-the list of people they are connected to
-the activity stream of content they create;
Control of whether and how such personal information is shared with others; and
Freedom to grant persistent access to their personal information to trusted external sites.”
To facilitate the sharing of data across sites, community groups have developed a series of technical standards. OpenID lets users sign up once for a username and password that will then work at any compatible site. OAuth lets Web services share information about a user’s social contacts, without granting the services broader access to each other. RSS and XMPP can both automatically update a site about activity somewhere else, making it possible to track someone’s postings from a central location.
A number of companies have begun using such tools to make their data more open. Yahoo recently changed its user accounts so that they adhere to the OpenID format. Its customers can now use their Yahoo credentials to log in to sites that accept OpenIDs. Twitter is working to make its service compatible with OAuth. MySpace allows users to share their MySpace data with sites such as eBay and Photobucket. But at least one major social-networking site is bucking the trend.
Less than 10 miles down the road from Plaxo’s offices are Facebook’s, tucked away on the second floor of a nondescript office building in downtown Palo Alto. If Plaxo’s offices suggest a company redefining itself and uncertain of its future, Facebook’s are those of a highly successful startup being forced to grow up. A graffiti aesthetic dominates. A distorted face painted on the company’s elevator doors splits apart when they open, revealing other faces painted within. In the office itself, a triumphant graffiti-style fist rises beside the Facebook corporate logo.
Despite its explosive growth–it is now the second-largest social site behind MySpace, with more than 70 million active users–Facebook is still searching for a viable business model (see “Social Networking Is Not a Business,” p. 36). As part of that search, Facebook has taken steps to position itself as the social glue holding a variety of Web services together. In May 2007, it launched Platform, which allows third parties to build applications that Facebook users can install in their profiles. The result is that other sites can make their social tools available through Facebook, rather than having to build their own networks. With this strategy, Facebook hopes to circumvent the need for data portability: users can take advantage of other sites’ applications without ever leaving Facebook.
The launch of Facebook Connect this May took the idea of Platform and flipped it over. Where Platform allows people to run other applications through Facebook, Connect allows people to run Facebook through other websites: sites can add social features by building in miniature versions of Facebook. As with Platform, this means that Facebook members can use new social-networking tools without having to create new accounts or give control of their information to other companies. The service provides a kind of data portability, but the data remains subject to Facebook’s control.
“It’s not just about data portability; it’s actually about privacy portability,” says Dave Morin, Facebook’s senior platform manager. “When you go somewhere else and take those connections with you, the trust that’s been established between two people–or 5,000 people, as in the case of Scoble–continues to be maintained wherever they go.” Scoble wasn’t simply moving his own data from one place to another, argues Morin; he was moving data that belonged to his contacts. Scoble’s friends may have given him permission to access their data, but they didn’t give him permission to move it someplace where they couldn’t control it, and where they couldn’t revoke or alter Scoble’s privileged access.
With Facebook Connect, Morin says, the company hopes to let users control what happens to their personal information on all sites they use, simply by adjusting their Facebook settings. If a user decides she doesn’t like what some other site is doing with her social information, she can just rescind that site’s access to her Facebook account. Because Facebook wants to put users in charge of what happens to shared contact information, says Morin, it’s cautious about open standards; it wants to make sure they’re secure before integrating them into its site. In the meantime, he says, Facebook is content to build its own tools.
The 800-pound Gorilla
The tight controls exerted by Facebook may or may not help users, but they have certainly benefited the company, giving it an increasingly dominant position among social networks. However, that dominance is now being challenged by a player relatively new to this arena: Google.
Friend Connect, which Google announced just days after Facebook announced its own Connect, makes it simple for a site to add social-network functions by bringing in existing features and profiles from elsewhere. It competes directly with Facebook Connect, but there is a key difference: users can carry their profiles and connections to a new site from any network they belong to, as long as it supports Friend Connect. Google, in essence, is looking to become a middleman in the sharing of social information.
Despite such innovations, there is still a long way to go before data is freely shared among social-networking sites, says the DataPortability Project’s Saad. Right now, he says, many companies want data portability to be a one-way street. Some want to receive data from other sites without giving any up, while others want to provide data without receiving it–each hoping that its site will become a user’s primary social tool. In the future, Saad says, “we’re going to try and push quite firmly on the idea that you need to be both providing and consuming data; you can’t be doing one without the other.”
For users, the key question remains whether companies will find a way to make social tools work together in a simple, logical fashion. “If you can’t plug your camcorder into your VCR and your VCR into your TV, if things don’t work together, you just don’t use them,” Plaxo’s Joseph Smarr says. One way to achieve such compatibility is for a single company to control multiple online social tools; another is for a variety of companies to agree on common standards. As long as tools supporting both models proliferate, however, the users of social networks may be able to assert their preferences on the open market.