privacy

Here's looking at you

December 20, 2007 - 12:37pm
(surveillance camera talking to computer user) Don't you think joining that "Facebook, stop invading my privacy!" group is a little... I don't know... paranoid?

Apparent hoax hits Facebook

by Rob Cottingham – May 4, 2007 - 3:47pm

An ominous warning has been popping up from several of my friends on Facebook, suggesting the social networking site is suddenly selling your personal information. (It's been showing up as a "note", a blog-like feature the site offers.) Sounds serious – but it bears several hallmarks of a now-thankfully-dying breed of hoax email, especially the lack of any proof of the allegation, and that little viral bit at the end.

Here's the text of the note:

Apparently Facebook has started SELLING user information (surprise, surprise!) to third parties. They call it the "Facebook Development Platform."

To restrict use of your information, do the following:

1. Click "Privacy" on top right.

2. Under the "Facebook Platform" section click "Edit Settings".

3. Scroll down to the bottom and UNCHECK ALL of the items under facebook platform.

Most creepy is the inclusion of photographs!
(Do your friends a favor and repost this as your own note.)

Now, you still may want to follow those steps. But all it appears that you're doing is preventing members of your networks from accessing that information using external applications; it's nothing they can't already see using the site.

I asked Facebook if they could shed any more light on this. Here's what Facebook's director of corporate communications, Brandee Barker, told me (and kudos to them for getting back to me on the same day):

Yes, this message circulating on Facebook is false, thanks for checking. Facebook is not selling user information to anyone. In fact, Facebook Platform makes other applications — that users choose — an easy extension of their Facebook experience. Users log in to those applications the same way they do on Facebook through the safe, secure Facebook login page. Only a user’s friends and people in a user’s network can see his or her information, and everything is subject to the same privacy controls. Applications built on Facebook Platform are not allowed to store or collect user data, and again, Facebook certainly isn’t selling user information to anyone.

A cursory search hasn't turned up any previous Facebook hoaxes, so this could be a first. (Update: Way too cursory; there've been a few – see one recent example here – but I still haven't found anything viral.) Whether this was a deliberate attempt to sabotage Facebook's extension into the world of open APIs and third-party apps, or just a misguided bit of paranoia on someone's part, it points to the vulnerability of a new (or new-ish) medium to this kind of hoax.

Just as it took years for email users to look skeptically on modem-tax chain letters and the like, Facebook members will have to start adding a dose of scrutiny to the messages they receive on the site, as a flood of new, not always benevolent, users arrives.

Northern Voice: Get to know identity (because identity's getting to know you)

by Rob Cottingham – February 24, 2007 - 2:15pm

If you've ever wondered how that online store is going to use all the information you enter when you register (not to mention when you buy stuff)...

...or where you put your login information for that photo-sharing site...

...or why you have to re-enter all of your contact names and addresses every time you join a new social networking site...

...then you've run into the gnarled and opaque world of identity and privacy.

And with everyday users experiencing identity problems ranging from the annoying (having to keep track of multiple usernames and passwords) to the critical (fraud, phishing and identity theft), you aren't alone.

Speaking at Northern Voice 2007, Eve Maler set out the case for better identity management, and how approaches have evolved.

Over the years, various players have offered solutions – mostly proprietary, sometimes self-serving and often highly controversial. Microsoft's Passport drew accusations of privacy violations; more recently, Yahoo!'s insistence that Flickr users adopt Yahoo! user IDs has come under heavy fire.

Still, there's a strong case for a service that would work with users and web sites, giving users an easy way to establish their identity, log in and control what information is being released (and under what circumstances).

For instance, SXIP's Johnny Bufu set out a sort of holy grail for identity and privacy: theoretically, you shouldn't have to give your address to Amazon. You'd say "Ship my package to this identifier code"; they hand it to FedEx, who has that identifier associated with a postal code; they pass it off to a local distributor, who has that identifier associated with a street address. At the end of the day, Amazon and FedEx head office don't have your address, and FedEx doesn't know what's in the box. (Nobody need ever know about your Baby-Sitters Club addiction.)

That may not be too far off. More open approaches are starting to catch on... and beginning to find their way past specialized users to the general public. One rising star is OpenID, championed by (among others) Bufu's colleagues at SXIP.

With OpenID, you register and authenticate your identity with one of several OpenID providers... and there are some big ones. If you have an account with LiveJournal, Typepad, Typekey, Vox, AOL or Yahoo! (some finagling required), you're already in. Microsoft is rolling out CardSpace, an identity system that will interoperate with OpenID. Services like ProtectNetwork work with several open-standard identity protocols, including OpenID, SAML and Shibboleth.

And if you use the Firefox web browser, you can quickly get an OpenID identity via SXIP's superb extension Sxipper (which helps you manage passwords as well as the information you dole out to web sites).

An interesting wrinkle: your OpenID isn't a username or email address; instead, it's a web URL. (It can even be your own web site, if you add a few lines of code to your home page's HTML file.)

Accommodating OpenID for your site's users can be nearly as easy as getting an identity in the first place. There's a WordPress plugin to enable OpenID for commenters (or group blog members). There's a Drupal module for version 4.7, and a revision under way for 5.1.

As identity management extends its reach further into the public, you'll need to start considering it for your community. It won't be long before offering its features – from single sign-on to privacy protection – is essential to attracting and keeping many users.

Some additional resources:

Accidental dossiers: privacy and security in the new web

by Rob Cottingham – March 27, 2006 - 12:58pm

At last week's 2006 Nonprofit Technology Conference in Seattle, I sat on a terrific panel led by Matt Blair, with Marnie Webb and Marshall Kirkpatrick, on the security implications of the new web. It was one of those amazing sessions where the audience was so engaged from the start that we had no need for the usual opening-presentations-plus-Q&A structure; we got right into a very cool 90-minute conversation.

I don't think anyone was recording the session, but I thought I'd share the notes I'd prepared for my presentation.
