I want a "Red Teaming"
Michael Schneider
Your life has value. That’s what the Internet thinks. Sure, occasionally the net is a horrible abyss of unspeakable things and stuff that is just plain weird, but there are good, wholesome places. Like Google. Parental filter enabled, Safe Search on, you can google even the weirdest stuff and you’re still not in need of a psychiatrist just so that you can be a productive member of society again. Facebook is also nice. There’s filters and ignore functions and thanks to those, you haven’t gone postal because you’ve been asked to help your friends out with Farmville one too many times.
But the thing is, both Facebook and Google are multi-billion dollar companies. And companies trade in something. Somehow, they need to be generating revenue. How else do you think that Google manages to afford their trips around the world in cars with cameras on the roofs, their weird “Internet on a balloon”-experiment thing or the development of Google Glass? What Facebook needs the money for other than keeping itself alive is not entirely clear, but that’s not the point of this Labs.
The point is: You are their money. Everything you say or do or post or click or voice search… that’s where they make their money. Every single bit of data you give them is used for one purpose and one purpose only: Advertising revenue. “How do they do that”, you ask? Here’s a very simple example.
Therefore, you are very interesting. Everything you do or say is suddenly marketing value. Therefore, both Google and Facebook have been working hard on getting as much out of you as they possibly can. This results in the following reality we find ourselves in: Facebook and Google know even the stuff we don’t post.
Google likes users. In fact, one of Google’s core principles at some point was Don’t be Evil. It sort of still is, because if we’re being honest, Google could be much more evil if they wanted to. The slogan was supposed to be a jab at their then-competitors who according to Paul Buchheit, creator of Gmail and Google employee, “were kind of exploiting the users to some extent.” This is somewhat ironic, seeing as Google is after your every bit of data these days. Everything you’ve ever looked for? They know it. And they even know where you’re sitting right now.
“How are they doing that”, I hear you ask? Simple. Most of the time, they help you find it. Let’s assume you’re trying to figure out who is watching the watchmen (that quote, by the way, is attributed to the Roman poet Juvenal in Latin Quis custodiet ipsos custodes? and gained popularity with Alan Moore’s graphic Novel called Watchmen where the phrase became graffiti).
So off to Google you are. The search-box pops up and you start typing away. Google is nice, really. They suggest what you might be looking for:
So how does it do that? It’s simple. It’s a JavaScript command called onKeyPress. It goes like so:
<input type="text" onKeyPress="myFunction()">
In Google’s case, myFunction()
is something that queries their entire database and guesses what you might be looking for, which is what that weird thing about prostitution invaded my search for the Roman quote.
In fact, it does it so well that if you have the automatic search enabled, you can see how it works. Not only is the autocomplete-feature at work, but also this. Look at the URL-bar. It refreshes itself with every push of a button.
What happened? Basically this:
onKeyPress
and correlate the data with previously collected data.This results in the following: Even if you decide to not perform the search, Google knows what you were looking for.
Note: It doesn’t have to be onKeyPress
seeing as there is probably a similar function out there, but onKeyPress
would be the easiest solution, seeing as it’s a default Java-function.
Not bad enough? It gets worse and much more personal.
The girl you have a crush on posts a picture. She smiles at the camera, you want to tell her she’s beautiful. In a rare fit of courage, you click on the comment-box, and you start typing the words “You’re beautiful”. But just as quickly as the courage got you, it leaves you again. You delete those words.
But Facebook knows. Again, onKeyPress
makes it possible. Even if you only got to “You’re beauti” and then decided to not do it, it doesn’t take a genius to figure out what you meant. In fact, you just wrote 76.5 percent of the message you decided to not post. Way more than enough for a clever computer to figure out what you were trying to say.
Of course Facebook doesn’t tell us that they’re doing that. So how do we know? We know this because Sauvik Das of Carnegie Mellon and Adam Kramer of Facebook have recently published a study titled Self-Censorship on Facebook. In the abstract, the following can be read:
We report results from an exploratory analysis examining “last-minute” self-censorship, or content that is filtered after being written, on Facebook. We collected data from 3.9 million users over 17 days and associate self-censorship behavior with features describing users, their social graph, and the interactions between them.
So there you have it. Facebook even has the capability to analyze what you didn’t post. And they did so to figure out the following:
Our results indicate that 71% of users exhibited some level of last-minute self-censorship in the time period, and provide specific evidence supporting the theory that a user’s “perceived audience” lies at the heart of the issue…
Wonderful. The fact that you are occasionally not posting things apparently makes it okay to know that you’re crushing on that woman you talk to at work. Does this sound okay to you?
Google’s method is primarily aimed at bettering their own search function. Besides, you’re not very likely to tell Google that she’s beautiful. Granted, you might be looking for the cure to some embarrassing illness you might have contracted somewhere, but that is nowhere near as devastating to your social life as what Facebook does. Generally: Google aims at improving their service. Which makes them not quite as evil as they could be.
Facebook on the other hand has little to no reason to monitor status-boxes with onKeyPress
. Because, looking at it from a service-oriented perspective, what possible use could you have for an autocomplete-function similar to Google’s in the field you write your status into? Or the one you write a message to your brother? Or the one you post your status. Besides, bought new t-shirt #yolo as a status is not something you post often.
You don’t.
You can disable JavaScript entirely. This will make your surfing the Net a complete nightmare, seeing as most websites use some sort of JavaScript somewhere. However, there’s a number of plug-ins – the most popular arguably being NoScript – that will allow you to selectively disable JavaScript on certain pages. The issue here is that setting this up takes a lot of time and effort.
Our experts will get in contact with you!
Michael Schneider
Marisa Tschopp
Michèle Trebo
Andrea Covello
Our experts will get in contact with you!