Syncing and the FTC’s Myspace settlement

Today the FTC announced a proposed settlement with Myspace, on charges that the company broke its privacy promises to consumers. I want to focus today on one of the FTC's charges, relating to possible syncing of identifiers.

Myspace, a popular social network, assigns each of its users a numeric identifier called a "Friend ID". If you know someone's Friend ID, you can use it to get their public information, by accessing the URL<Friend ID>.

Are pseudonyms "anonymous"?

Let's continue our discussion of "anonymous" data by talking about pseudonyms.

A pseudonym is any kind of identifier, other than a name, that is associated with a person or (what often amounts to the same thing) a device.  Pseudonyms are very common.   Examples include the random ID value in a tracking cookie; a device ID such as a WiFi MAC address or a phone's UDID; a synthetic identifier such as an "OpenUDID"; a mobile phone number; or a Twitter handle.

Does Hashing Make Data “Anonymous”?

One of the most misunderstood topics in privacy is what it means to provide “anonymous” access to data.  One often hears references to “hashing” as a way of rendering data anonymous.   As it turns out, hashing is vastly overrated as an “anonymization” technique.   In this post, I’ll talk about what hashing is, and why it often fails to provide effective anonymity.

Transparency as a user experience problem

One of the top-level recommendations of the FTC privacy report was greater transparency about the data practices of companies and technologies.   The report pointed to mobile apps as especially needing better transparency.   Indeed, a previous FTC staff report on mobile apps for kids found that hardly any of the apps that were studied offered full privacy disclosures.

Hello, world.

Welcome! I’m Ed Felten, Chief Technologist at the FTC. Let me introduce you to this blog.

As the nation’s consumer protection agency, the FTC works on technology issues every day. You’ll see lots of discussion of technology in our reports, cases, speeches and testimonies, not to mention the consumer and business education pieces we publish. But we haven’t had a venue for speaking, more directly and less formally, to the technically minded public about tech issues. That’s what this blog is for.