Web Insecurity: Privacy and Twitter Lists

Crossposted from Web Insecurity. Please comment there if you want to comment!

I think twitter may have among the simplest privacy settings of any social network. Your choices are either everything you post is public, or everything you post is private.

But simple does not mean that things will stay private. Just like everything on the internet, the minute you post something someone else might choose to share it. Some researchers have actually studied how often people retweet private content on Twitter.

Something I haven't seen studied, however, is how private information can leak out through twitter lists.

Twitter allows you to make lists of people who you'd like to have grouped together. For example, I have a list of technical women who I follow. These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use but since it's a public list others can (and do) follow it. Presumably they're looking for more cool women to expand their social networks.

Twitter allows you to see what lists a person has been added to, and this is where it gets interesting. Let's take a look at the lists of which I am a member and see what we can learn about me.

Here's a few things you can get a glance:

• I have a lot of real-life friends on twitter (and now you know many of them are)


• I'm a musician


• I work in security, technology and on open source software


• I'm speaking at an upcoming conference and have attended a variety of events


• My friend Leigh is stalking me ;)


• I live in Ottawa

Wait... what? Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on. There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.

I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.

So what are your options if you want to hide this information? Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list. I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block. So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list. I've been asked about exactly two of the lists I've been put on (thanks @ghc!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)

A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended. For most of these people, I know this isn't information they consider private either. But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?

Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists. Anyone want to lend me a student who's interested in social media privacy?

Edit: A note for those concerned about not being that privacy-violating friend. You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!

CompSci Woman: How I Quit Computer Science (And What Drew Me Back)

I know, I know, I don't really need to be writing for another blog; I need to be writing my thesis. But my friend Cate and her friend Maggie started this cool project trying to make it easier for women to find real women in computer science when they hit up google trying to get a sense for what things are like. Their subject for Sept/Oct is "how I got into computer science" and I joined the group by sending in my story.

I suspect many readers of this blog have heard this story (some of you lived through it with me!) but here's a teaser anyhow:

How I Quit Computer Science (And What Drew Me Back)

To explain how I ended up in computer science, you have to understand the story of how I quit.

(…)

First year computer science was geared towards students who had little to no experience with computers, and I realised that I’d be wasting several years of my life waiting for my peers to catch up. On top of that, it was boom times and CS was being viewed a shorter path to a 6-figure salary than the more education-intensive med school or law school. The people who were there weren’t really in love with the discipline; many were just in love with the idea of being rich. I wasn’t interested in paying thousands of dollars per term to waste my time with peers I didn’t respect in a program that was boring me to tears.

I was disappointed, disillusioned, and wanted a challenge that was clearly going to be a long time coming in CS. So I dropped out.

Read the rest here.


(Those of you who are women in computer science are also welcome to join! the bottom of this page has more details.)

Things I hate about the cookie exception interface in chrome

This list is mostly for me so I don't forget something when I go to work on solving these problems. I suspect I'll submit some of these as bugs, and probably write patches for some of them if I don't just write a better cookie exception handler as an extension. Note that I've been using cslite on firefox, so some of the things I want are heavily influenced by that.

• When I add an exception to the list, I type the name and then the minute I click off it, my new entry is whisked off it its alphabetical location in the list before I can change whether it's allowed to set cookies or not.
  
• Sorting. Seriously, wouldn't it make more sense to sort alphabetically by domain, then subdomain? Or make it possible to sort by what's allowed/blocked?
  
• Search. Why is there no search in the exceptions list so I can just find the domain I want, the way there is when I'm looking at actual cookies?
  
• Why does "allow" in the dialog box always go to "allow for session?" lately? Is this a setting I chose somewhere and can't find?
  
• Why does "allow for session" mean "only allow session cookies" instead of what I expected, which was that it would allow all cookies but remove them when I closed the tab/browser? 'cause frankly, it doesn't seem like many sites use session cookies, so I wind up having to allow everything anyhow.
  
• Why doesn't clicking on the cookie with an x on it in the address bar tell me what domains are trying to set cookies? That could help a lot. Know what would be even better? Being able to add the necessary exceptions from that spot.