privacy - ReadWriteWeb
http://www.readwriteweb.com/feeds/tag/privacy
Copyright 2009 Richard MacManus. Mon, 23 Nov 2009 06:11:26 -0800

iPhone Game Maker Apologizes for Stealing Phone Numbers, Calls Lawsuit "Meritless"

A federal lawsuit filed on Wednesday is charging an iPhone development firm with collecting users' cell phone numbers without their permission. The developer, a game-making firm by the name of Storm8, is the entity behind popular games like iMobsters, World War, Racing Live, Vampires Live, Kingdoms Live, Zombies Live and Rockstars Live, among others. The company has five titles ranked in the top 50 free apps list in iTunes and seven titles in the top 100.

According to the pending class-action suit, Storm8 used a well-known backdoor method to "access, collect, and transmit" the wireless phone numbers belonging to their software's users.

Now the company has publicly responded to the suit by posting on their forums a sort of mea culpa as well as their plans to ask for a dismissal of the lawsuit due to its "complete lack of merit."

Download a Game, Give Up Your Phone Number

The complaint, filed on behalf of Michael Turner (and available in its entirety here), states that all the games retrieved the user's cell phone number and sent it over to the company without informing the user that this is being done. The suit also points out that there's no reason for this to occur since playing an iPhone game doesn't require the developer to have access to this sort of personally-identifiable information.

While initially Storm8 claimed the harvesting of these phone numbers was due to a "bug" in their code, attorneys for the plaintiff were quick to point out that specific software code was required in order to retrieve the numbers - no bug could have done that. In other words, the collection was intentional.

Storm8's Response: We Erred, We Fixed It, Lawsuit is Meritless

Now the company is changing its tune - well, a bit. Instead of calling it a "bug," they're claiming that the phone number collection was due to legacy code that was put in place very early on in the software development process as a way to identify specific devices. Later, the company decided to use the iPhone's Unique Device ID (UDID) instead - a much more common and accepted practice for developers needing an identification method. UDIDs aren't associated with a person's name or phone number - they just identify the iPhone itself. However, even though the company changed methods, they didn't remove the old code that performed the phone number collection.

Storm8 claims that they did nothing with those phone numbers nor did they provide them to any other company. They also say that the database housing the numbers was destroyed in August after they were alerted to the issue. At that time, they took voluntary actions to update their applications to new versions with the legacy code removed.

The company states that they plan to ask for a dismissal of the suit because no user "has incurred any damage or loss" as a result of their actions. Unfortunately, they may be right. As despicable as those actions were, the law may be on their side. According to legal news site FindLaw, the law requires that not only was a personal computer accessed, but that the computer was also damaged. Turner's lawyer then will have to prove that Storm8 caused damage because it "impaired the integrity of the data stored on a protected computer." Additionally, cell phone numbers are not considered "protected data" in the same way that social security numbers or bank account numbers are. In other words, despite how icky this privacy violation makes you feel, it may not actually be illegal.

In our opinion, that's terrible news. Of course we wouldn't want this to start some sort of "sue the programmer" trend, but we do need to have more control over who's doing what with the personal data stored on our mobile phones - especially if Apple isn't going to look out for us in this case. Shouldn't there be some way to punish developers who go after this private info without our knowledge - whether intentionally and maliciously or not? It seems like we have enough concerns over privacy issues these days, we shouldn't have to worry if our iPhone apps are spying on us, too.

http://www.readwriteweb.com/archives/iphone_game_maker_apologizes_for_stealing_phone_numbers_calls_lawsuit_meritless.php Apple Fri, 13 Nov 2009 06:00:46 -0800 Sarah Perez

Google's Privacy Dashboard Doesn't Tell Us Anything We Didn't Know Before

Earlier this morning, Google launched the Google Dashboard. This new feature gives users a quick overview of the Google products they use and a slice of the data that is connected to these accounts. Google sells this as a way to enhance "transparency, choice and control," though it is important to note that none of this information is new. The dashboard simply brings all of this data together in one place and gives users an easy way to access the privacy controls in the Google services they use.

The dashboard lists all of the active accounts a user has on a selection of Google services. These include, among others, Google Calendar, Contacts, Docs, Finance, Picasa, Reader, YouTube and Voice. There are also still dozens of services like Google Maps, News and Book Search that don't appear in the dashboard yet.

The dashboard itself doesn't offer the ability to change any privacy settings. It links to the respective services' privacy pages where users can make changes.

Nothing New

It is true that, as Google puts it, the "scale and level of detail of the Dashboard is unprecedented" - Google never made something like this available before. The data that appears in the dashboard isn't really the data that Google is interested in, though. All Google really cares about is the data that it can use to show you better AdSense ads.

This Is It?

As the LA Times points out, Google's "data storage revolves around precisely how and what the company does to analyze and profit from user information." This would be interesting information to have, though it's also the data that Google is the least likely to share. Google also doesn't share information it collects about you through cookies, its server logs or its advertising programs.

It is good to see that Google makes it easier for users to see an overview of all the data they have given to Google and made public. Maybe it will come as a surprise to some people that Google knows what emails they have received and that the company keeps track of all the YouTube videos they have watched. For most users, though, the dashboard won't offer any major revelations.

http://www.readwriteweb.com/archives/googles_privacy_dashboard_a_good_start_but_still_l.php Google Thu, 05 Nov 2009 09:19:46 -0800 Frederic Lardinois

Facebook Settlement Gets Judge's OK

Proposal Would Kill Beacon, Have Facebook Paying $9.5 Million

Late last week, a federal judge in California gave preliminary approval to a settlement of the class action lawsuit regarding Facebook's Beacon program. The controversial program, launched back in November of 2007, allowed Facebook users to share online purchases made on third-party affiliate websites with their social networking friends. The problem with the program was that it was opt-out instead of opt-in, angering many Facebook users who unknowingly shared information they wished they wouldn't have.

One such victim was Sean Lane, now the lead plaintiff in the lawsuit. He was especially angry after the news of an Overstock.com purchase was posted to his Facebook profile. The purchase, a diamond ring he bought for his wife, was meant to be a surprise. After that incident, Lane, along with eighteen other plaintiffs, filed a class action lawsuit against Facebook, claiming that Beacon's opt-out option was "inadequate, misleading and deceptive."

Details of the Agreement: Shutting Down Beacon, Paying Damages, Non-Profit Foundation

The case has been in litigation since last year, but now looks like it's drawing to a close. U.S. District Court Judge Richard Seeborg in San Jose has approved the proposed Facebook settlement that would have the company paying out $9.5 million, two-thirds of which would go to setting up a non-profit foundation to fund "projects and initiatives that promote the cause of online privacy, safety and security." The remaining money would then be split among the lawyers and the plaintiffs, each of whom would receive damages of $1,000-15,000, according to MediaPost.

The other major part to the Facebook settlement is the required termination of Facebook's Beacon program in its entirety. Although Facebook had quickly reacted to the Beacon outcry after its launch, changing the system over to opt-in and even issuing a formal apology, the program still exists today. (You can check your settings by going to Settings -> Privacy Settings -> Applications -> Settings tab. Then scroll down to the bottom to see if "Beacon websites" is checked or unchecked. Checked will ensure no Beacon stories get posted to your profile).

If the proposed settlement goes through, Facebook would then be relieved from liability from any future lawsuits regarding the same complaint and even those still pending like the Facebook/Blockbuster class action suit brought in April 2008.

Settlement Sounds Great...Especially for Facebook

On the surface, the proposed settlement sounds fair enough to all parties involved. Damages are paid and Facebook has to promote online privacy. However, as David Johnson points out on the Digital Media Lawyer Blog, Facebook is already required by law to promote online privacy and the safety and security of its users' information per FTC mandates. In addition, Facebook would get to nominate one and have say over the other two board members on the proposed Privacy Foundation's board of directors.

Says Johnson: "Facebook effectively gets most of its money back to fund projects that it is already has an obligation to perform."

Sounds like the real winner here may be Facebook.

You can read the Settlement Agreement here, courtesy of CircleID. The settlement was proposed last month, but only received preliminary approval on Friday. The affected parties have until February 1st to object to the proposed settlement.

http://www.readwriteweb.com/archives/facebook_settlement_gets_judges_ok.php Facebook Mon, 26 Oct 2009 06:10:12 -0800 Sarah Perez

Don't Worry - Facebook is Not Going to Expose Your Private Messages to Search

Microsoft announced this week that it has made a deal to include public updates from Facebook in its search engine Bing. Some Facebook users expressed concern that their private activities might be exposed to search. The real story is a little more complex. To put it simply: Facebook is not ever going to knowingly expose private activities on the site to public search. We can say that with as much assurance as we can say almost anything about the internet.

Nonetheless, Facebook has a clear agenda to convince you, the user, to willingly expose more information publicly by changing your privacy settings. Multiple Facebook execs have told us so when we asked point blank.

Facebook believes that sharing is good for the world. It was founded on making sharing private and secure between friends - so you'd share more - but it hopes in time to make hundreds of millions of people more comfortable sharing publicly.

Yesterday's dueling announcements that Microsoft's Bing will search both Twitter and Facebook and that Google will search Twitter made it clear that this kind of social information is thought to be a very valuable addition to search. The premise is that traditional web search, based on linking authority, is valuable - but some searches benefit greatly from displaying additional results prioritized by recency or social proximity.

Facebook may someday open large amounts of user data in anonymous aggregate for machine analysis, to hunt for patterns and opportunities socially beneficial and otherwise.

That data will be made available to developers, but it's almost certain that consumer search engines won't be able to use it unless in a limited way. Facebook is in no hurry at all to expose data in that way while it's still trying to scale its platform.

Data in anonymous aggregate for machine analysis is different though, right?

As is, searching public activity is good for search users (though many are skeptical), it's good for search engines and it's good for the social networks serving up the data.

But is it good for social network users that don't want their messages showing up in search results? That's the wrong question to ask because that's not going to happen.

Your Facebook profile is private by default. Your messages and media can't be seen by anyone but your friends. Some small number of users have chosen to change those settings, some even making everything they do on Facebook publicly visible to the whole world. Clearly some users would find programmatic analysis of their activities, anonymized and made available in bulk, to be a violation of privacy - but many more would not and are already wide open.

That group is probably made up mostly of self-promoters, marketers, overcompensating lonely people and other exhibitionists. (My profile is public, I fall under the self-promoter category, unfortunately.)

Facebook would appreciate it if you would put yourself in this category, too. The company believes that sharing leads to understanding between people, empathy and progress towards world peace. Sharing also provides nice opportunities to advertise.

Facebook wants to display lots of your information publicly, but it won't shoot itself in the foot by breaking its promise to respect your privacy settings - whatever they may be. Is it strange that Facebook, now more populous than all but three nations in the world, has such a clear agenda to change the world's culture? It is certainly something to be aware of. But Facebook is not going to make your private messages public.

http://www.readwriteweb.com/archives/facebook_private_messages.php Analysis Fri, 23 Oct 2009 08:55:20 -0800 Marshall Kirkpatrick

iPhone Developer Steals Customers' Phone Numbers, Calls Them

Company calls customers in attempt to sell paid version of mobile app

Within iTunes' user ratings section of iPhone application mogoRoad, a real-time traffic monitoring tool available in Switzerland, several users claim to have received phone calls from the development company behind the mobile software. Reportedly, the company is asking the app owners if they would like to purchase the paid version of the application. While unsolicited sales calls are annoying and intrusive, the bigger issue here is how did the company get its customers' phone numbers to begin with? According to mogoRoad, the information came from Apple.

The recipients of the unwanted calls said that they were contacted a few weeks after the initial installation of the mogoRoad application. An operator would then try to sell them the paid version of the mobile software. If pressed as to how the company got access to their phone number, the operator would generally respond that the information was provided by Apple.

That seems unlikely since Apple does not provide this sort of private information to App Store developers nor does it provide direct access to that information via the iPhone SDK (software development kit), the tool used by developers to build their mobile apps.

Apple Doesn't Provide Phone Numbers, but They Do Provide Access

However, it's not entirely inaccurate of the company to say that Apple did provide them with the customers' phone numbers. Although Apple doesn't directly give out this info, they do provide a relatively easy way for any app developer to retrieve mobile numbers from the phone. In other words, Apple didn't give out the numbers in question, they just provided access to them. 

Although mogoRoad won't admit it, the most likely explanation as to how they retrieved the phone numbers involves the use of an undocumented feature which allows any Apple iPhone/iPod Touch application to access the phone number of the device on which it is installed. In an article on tech blog Ars Technica from earlier this year, the process of doing so was described as "a shockingly easy thing to do:"

Apple sneaks in a hidden symbolic link between the app's sandboxed preferences and a global preferences property list...Peek in Library/Preferences with "ls -a". You'll find a symbolic link to /private/var/mobile/Library/Preferences/.GlobalPreferences.plist, which is where (among other items), you'll find a preference called SBFormattedPhoneNumber. This preference provides exactly what the name implies: the user's phone number formatted to the current locale.

In checking with multiple iPhone developers this morning, we confirmed that the trick still works as described above.

It's Not a Bug, It's a Feature

Believe it or not, this isn't actually a security hole in need of patching - it's more of a feature. "It's important to remember that perfectly legit applications can reach your phone number plus your entire address book as well," Ars Technica blogger Erica Sadun wrote back in January. "Applications can also obtain personal information from most of the iPhone file system..."

While the large majority of app developers out there would never do anything quite so nefarious as what mogoRoad did and undoubtedly wouldn't want to risk alienating their customers in this fashion, it's unsettling to know that they could. And every time you install a mobile app, you're putting yourself at risk.

As of now, Apple hasn't officially responded to requests for comment as to how they will proceed with regards to this situation, either to us or to the blog originally reporting this story, French site Mac4Ever. However, given that the development company has clearly abused an undocumented feature, that should be enough to get them booted out of the App Store...hopefully for good.

Many thanks to MacWord, which pointed us to this story.

http://www.readwriteweb.com/archives/iphone_developer_steals_customers_phone_numbers_calls_them.php Apple Wed, 30 Sep 2009 06:30:49 -0800 Sarah Perez

Facebook Data Mining: Truth in Association?

With a product as ubiquitous as Facebook, the public has raised a number of privacy-related concerns including optional settings, privacy policies and data mining. In the past, ReadWriteWeb covered Facebook's plans to sell user data for market research purposes. However, today's article in the Boston Globe suggests that user information can be mined for more than just advertising purposes.

An MIT experiment dubbed "Gaydar" by creators Carter Jernigan and Behram Mistree has employed computational analysis to identify user traits based on information listed by their Facebook friends. Through friend profiles, the program predicts the likelihood of your religious affiliations, political leanings and even your sexual orientation. Essentially the idea is that friends are likely to share traits. So if you're in the closet, but you've got loads of vocal friends, a program of this nature could potentially out you.

Said Hal Abelson, a professor who co-taught the course, "[It] pulls the rug out from a whole policy and technology perspective that the point is to give you control over your information - because you don't have control over your information."

With the service being used to catch tax evaders, in addition to a conspiracy theory citing CIA ties, it'll be interesting to see how the public reacts to this latest show of Facebook data mining capabilities. While it's unlikely that terrorist suspects are friending each other on Facebook, there are a number of associations that need not be publicized to corporate partners or governments.

Photo Credit: Steve Jurvetson

http://www.readwriteweb.com/archives/facebook_data_mining_truth_in_association.php Facebook Sun, 20 Sep 2009 19:41:26 -0800 Dana Oshiro

Is This a Joke? eBay and Verizon Win Privacy Award

In a surprise announcement, eBay and Verizon have been awarded the top titles of "Most Trusted Companies for Privacy" by the Ponemon Institute and TRUSTe. According to a recent survey, these companies were shown to offer clear privacy statements, customer-friendly notices, great access to information, solid cookie management and sound data sharing practices. While the companies may excel on paper, it's hard to believe these are the top privacy-related companies based on public sentiment alone. It appears that the Ponemon Institute's expert panel and the 6,486 US consumers surveyed have lost their long term memories.

When it comes to privacy, eBay has had its fair share of controversies. Despite the fact that it recently announced plans to sell the majority of Skype, it was under eBay that the internet telephony company admitted to a privacy breach by its Chinese partner TOM Online. Not only was the company discovered to be filtering out and saving politically charged messages containing words like "Dalai Lama" and "Tibet", but a security breach allowed others to gain access to those messages on TOM's servers. A Citizen Lab report entitled Breaching Trust went so far as to accuse TOM Online of complying with government surveillance. While some of these actions may be considered necessary to offer services in a foreign country, US privacy advocates are adamant against all those who comply with the "Great Firewall of China".

While Verizon was one of the first companies brave enough to stand up against the RIAA's file sharing crackdowns, in recent years the company has come under fire for its own privacy offenses. In early 2009, the company was ordered by the FCC to stop its aggressive marketing practices. When customers were porting from phone to cable services, Verizon was illegally using proprietary client information in its last chance to retain fleeing customers. Meanwhile, in March the company was widely criticized in the blogosphere for its efforts to share customer info with affiliates through an overly complicated 45-day opt-out campaign. The information to be shared with affiliates included services purchased (including call records), billing info and location info.

Although eBay and Verizon do have their merits as service providers, they hardly deserve to receive today's accolades. It looks as if these announcements are more about rewarding privacy policies rather than practices.

Photo Credit: Rob Pongsajapan

http://www.readwriteweb.com/archives/is_this_a_joke_ebay_and_verizon_win_privacy_award.php NYT Wed, 16 Sep 2009 19:34:24 -0800 Dana Oshiro

5 Easy Steps to Stay Safe (and Private!) on Facebook

When the President of the United States warns schoolchildren to watch what they say and do on Facebook, you know that we've got a problem...and it's not one limited to the U.S.'s borders, either. People everywhere are mindlessly over-sharing on the world's largest social network, without a second thought as to who's reading their posts or what effect it could have on them further down the road. For example, did you know that 30% of today's employers are using Facebook to vet potential employees prior to hiring? In today's tough economy, the question of whether to post those embarrassing party pics could now cost you a paycheck in addition to a reputation. (Keep that in mind when tagging your friends' photos, too, won't you?)

But what can be done? It's not like you can just quit Facebook, right? No - and you don't have to either. You just need to take a few precautions.

Unbeknownst to most mainstream Facebook users, the social network actually offers a slew of privacy controls and security features which can help you batten down the hatches, so to speak. If used properly, you'll never have to worry about whether you should friend the boss and your mom. You can friend anyone you want while comfortable in the knowledge that not everyone gets to see everything you post.

The problem in implementing these privacy options is that they're just too confusing for most non-tech savvy people to handle. And often, folks don't want to bother to take the time to learn. To simplify the process, we're offering five easy steps you can take today to help make your Facebook experience safer, more secure, and more private.

Step 1: Make Friend Lists

Yes, it will take some time, especially if you're connected to a couple hundred friends already. But this step, while not the quickest, is fairly simple. And it will be one of the most useful things you can do on Facebook.

Friend lists, like they sound, are lists for categorizing your friends into various groups. The nice thing about this feature is that once you set these lists up, you won't have to do it again. We suggest that you put your work colleagues and professional acquaintances into a friend list designated "work," personal friends you're not very close with into a list called "Acquaintances," and people you're related to into a list called "Family." Those three main categories will separate out the groups of "friends" who you may want to hide some information from.

To create a friend list, click on "Friends" at the top of the Facebook homepage. In the left-hand column, click "Friends" again under the "Lists" section. Now you'll see a button at the top that says "Create New List". Click it. In the pop-up that appears, you can name your list and pick members. If you've ever shared an application with your friends, the process of doing this will be very familiar.

When you've finished making lists, you'll be able to use them when selecting who can see what (or who can't!) when configuring the security settings described below.

Step 2: Who Can See What on Your Profile

At the top right of Facebook, there's a menu that many people probably ignore: "Settings." But this menu is now going to become your best friend. To get started, hover your mouse over the Settings menu and click "Privacy Settings" from the list that appears. On the next page, click "Profile." This takes you to a page where you can configure who gets to see certain information on your profile.

Before making changes, think carefully about the sorts of things you want public and the things you want private. Should "everyone" get to see photos you're tagged in? Or would you like to limit this only to those you've specifically chosen as Facebook friends?

Underneath each section on this page (basic info, personal info, status, etc.), you can designate who gets to see that particular bit of information. For anyone not using custom lists (see step 1), the best thing to enter here is "Only Friends." Anything else opens up your profile information to people you may or may not know. For example, choosing "Everyone" makes that info public, "Friends of Friends" lets your friends' friends see it, "My Networks and Friends" opens up your info to anyone in your networks - that means anyone in your city, your high school, your college, a professional organization you listed, etc.

You can also block certain groups from seeing these sections, too. On any item that offers an "Edit Custom Settings" option, you can click that link to display a pop-up box where you can choose people or lists to block (see where it says "Except these people"). If you haven't made custom lists as explained in step 1 above, you can enter individual names here instead. (Sorry, mom, dad, boss - this is where you get blocked.)

Step 3: Who Can See Your Address and Phone Number

Did you list your address and phone number on Facebook? While that's a handy feature, you may not want everyone you friended to have this information. To access this configuration page, you follow the same steps as above in step 2 to display the Profile Privacy page. You'll notice that the page has two tabs at the top - click on the one that reads "Contact information."

As previously described above, you can again use the drop-down lists provided to designate who gets to see what and/or block certain people or lists from viewing this information. The sections on this page include "IM Screen Name," "Mobile Phone," "Other Phone," "Current Address," "Website," and your email.

Step 4: Change Who Can Find You on Facebook via Search

Sick of getting friend requests from old high school pals? While for some the beauty of Facebook is that it lets you reconnect with everyone you ever knew throughout your life, others find this intrusive and annoying. You're not friends with any of these people anymore for a reason, right?

As it turns out, you can still enjoy Facebook without some folks ever knowing or finding you thanks to the search privacy settings.

Click on the "Settings" menu on Facebook's homepage and then click "Search" on the following page. You'll be taken to a Search Privacy page where you can specify who gets to find you on Facebook. Want to be wide open? Change the "Search Visibility" drop-down box to "Everyone." Want to keep it a little more limited? Select "My Networks and Friends," "Friends of Friends," or "My Networks and Friends of Friends" instead. Don't want anyone finding you on Facebook? Change it to "Only Friends." That means only the people who you've already friended can find you in a Facebook search.

On this page, you can also configure what information displays when your info is returned as a search result (e.g. your profile picture, your friend list, etc.). In addition, you can check and uncheck the boxes for network-based searches too. For example, if you don't want anyone from high school to find you, uncheck the box next to "people in high school networks."

Step 5: Stop Sharing Personal Info with Unknown Applications

Remember when we told you about what Facebook quizzes know about you? Using Facebook's default settings, you're unknowingly sharing a plethora of personal information (and your friends' info too!) with various Facebook applications and the developers who created them. The problem is so bad that the ACLU recently created their own Facebook Quiz to demonstrate how much information an app has access to.

It's time to take back control! From the Facebook homepage, hover your mouse over the "Settings" menu and choose "Privacy Settings" from the drop-down list. On the next page, click "Applications" then click the tab that reads "Settings" which is next to the "Overview" tab. (Oh, and if you want to really be freaked out, read that overview!)

On this page, you can check and uncheck boxes next to your personal information (picture, education history, wall, religious views, etc.). This controls what the applications your friends are using can see about you. Yes, your friends' apps can see your personal info if you don't make this change! Believe it or not, you don't have the same control over your own apps. The best you can do is head over to the Applications page and delete the apps you're not using anymore. (Use the "X" to remove them.) You see, once you authorize an application, you're telling it that it's OK to access any information associated with your account that it requires to work. While some developers may only pull what's actually required, many others just pull in everything they can. Scary, isn't it?

Conclusion

While this is by no means a comprehensive guide to Facebook security and privacy, these five steps can help you get started in creating a safer, more secure, and more private environment on the social network.

However, if you choose not to take any precautions, then you'll only have yourself to blame when an errant wall post or naughty photo makes its way online and straight into Grandma's News Feed, or worse, your boss's. These days, it's better to be safe than sorry, so go ahead and delve into those settings!

Note to readers: We recently came across another invaluable resource for those interested in Facebook privacy. Check out MakeUseOf.com's "10 Solid Tips to Safeguard Your Facebook Privacy" for even more information on this subject.

http://www.readwriteweb.com/archives/5_easy_steps_to_stay_safe_and_private_on_facebook.php Facebook Wed, 16 Sep 2009 08:05:57 -0800 Sarah Perez

Facebook Backs Off Total Exposure Requirement to Use Apps

Facebook announced today that after facing legal pressure from the Canadian government, it will begin working on ways for users to choose which parts of their full profile they are willing to expose to applications they add on Facebook.

Though the company talks about privacy all the time, the fact that it will take an estimated 12 months before this situation is resolved demonstrates how invested Facebook really is behind the scenes in a "let it all hang out" philosophy.

This morning we wrote about how Facebook quizzes are vacuuming up the profile data of unaware users. Anyone who has added an application from the Facebook platform, though, has seen the pop-up request for info: if you want to put a vibrating hamster picture on your Facebook page, for example, you have to expose all your info (marital status, school info, etc) to the people who made the hamster app. That never sounded like a tenable situation for the long term, and today it begins to change.

Presumably more user trust will facilitate more use of the applications, but Facebook privacy settings will become complicated with this new policy. You'll be prompted to choose which parts of your info you are willing to expose and which you aren't - but isn't that how real life works? Real life has very granular privacy controls; it's not an all-or-nothing experience.

This spring, we wrote about Facebook's moves to encourage more users to expose more of their information to more people. We asked the company on a press call if they were trying to push people towards being less private on the site, and they confirmed that yes, they are. That's clearly in Facebook's interest, but we believe that most users are interested in using the site primarily to communicate with known friends and family.

In real life offline, we usually get to choose what information we expose to particular people in particular situations. Facebook's new policy with regard to using apps will reflect that, but it will take time to put in place and it's a departure from the general direction the rest of the site is moving in.

We would love to see developers and analysts have free access to anonymous aggregate data on Facebook (it's in the public interest), but instead the company appears fundamentally aimed at limiting access to aggregate activity while pushing individual users to expose more of their information to platform apps and advertisers.

http://www.readwriteweb.com/archives/facebook_backs_off_total_exposure_requirement_to_u.php News Thu, 27 Aug 2009 10:14:12 -0800 Marshall Kirkpatrick

What Facebook Quizzes Know About You

The Northern California chapter of the American Civil Liberties Union (ACLU) has put together a campaign to raise awareness of privacy issues surrounding Facebook applications, in particular quizzes. According to this group, the millions of Facebook users taking quizzes are revealing far more personal information to application developers than they are aware of. This is mostly due to the fact that Facebook's default privacy settings allow access to all your profile information whether or not your profile is set to "private." Even worse, the ACLU reports that even if you shun quizzes yourself, your profile info is revealed when one of your friends takes a quiz. Want to see how bad the problem is? Just take the ACLU's Facebook Quiz and prepare to be shocked.

As any regular Facebook user knows, quizzes are some of the most popular applications in use on the social network. Every day, our News Feeds are filled with everything from the latest variation on the "5 Things" theme to the "What (insert popular movie title) character are you?" and more. But these seemingly innocuous time wasters could have dangerous privacy implications if they ended up being distributed by malicious app developers who want access to Facebook's treasure trove of personal data.

The Danger of Quizzes

With each question in the ACLU's Privacy Quiz, you're not only told what information a quiz author can see - you're shown it. For example, after answering the first question, you learn that almost everything on your profile, even if you use privacy settings to limit access, is available to the quiz. Then, a graphic is shown which reveals selected information retrieved from your profile including hometown, groups you belong to, events attended, favorite books, and more.

The second question is even more disturbing. It informs you that everything on your profile is made available to the developers when your friends take a quiz. To drive this point home, the ACLU's Quiz loads up information pulled from your friends' profiles and displays that data below the answer for your perusal. Here, information on your friends is shown including hometowns, favorite books, political views, networks, birthdays, number of wall posts, and even personal photos. Thanks to the quiz, all that info which you can see on your friends' profiles is now available to the quiz author, too.

Lest you think your info is safe because somewhere, somehow Facebook is looking out for you, the third question shatters any illusions you may have about that, too. According to the answer to this quiz question, not only do Facebook's default privacy settings do nothing to prevent application developers from scouring your information, Facebook also doesn't screen developers for trustworthiness, nor do they require the developer to comply with a privacy policy (something we've mentioned before). It's also noted that Facebook does not use any technical measures to limit how developers can collect and use personal information. According to Chris Conley, a technology fellow with the ACLU, it's difficult to know how developers use this data, which could, in theory, be collected and sold for marketing and advertising campaigns.

Finally, the last question prompts you to take action. When the quiz asks you what you should do, the correct answer is: "demand the right to control my information without sacrificing the right to use new technology." To get the word out there, the ACLU suggests you update your privacy settings, share their quiz on Facebook, and sign their online petition.

Is This True?

The nature of the quiz makes it sound a bit like fear-mongering, especially with statements like this: "Once details about your personal life are collected by a quiz developer, who knows where they could end up or how they could be used. Shared? Sold? Turned over to the government?" However, outside of these overly dramatic tactics, the claims made by the ACLU are true. According to CNET, Facebook doesn't even deny that quiz developers have access to this sort of information. The company does point out that users can limit how much information applications (including friends' applications) can see by tweaking their privacy settings.

Note: To do this yourself, go to Settings -> Privacy Settings -> Applications. From there, you can uncheck the boxes next to the items which you don't want apps to have access to.

Still, the ACLU suggests that access to personal information such as this be opt-in rather than opt-out, as it is now. Facebook spokesman Barry Schnitt says the company "generally agrees" with the ACLU's recommendations and notes that the social network recently disabled hundreds of applications that were inconsistent with Facebook Platform policies. He also mentions the company has been working with the Canadian Privacy Commissioner, Jennifer Stoddart, to improve user data controls on Platform. 

This is just one of the concerns that will be addressed later today when Stoddart announces the agreement that has been reached between her country and the social network in terms of privacy protocols. Stoddart ruled last month that Facebook had 30 days to come up with a plan to comply with Canada's Personal Information Protection and Electronic Documents Act or face court action.

http://www.readwriteweb.com/archives/what_facebook_quizzes_know_about_you.php Facebook Thu, 27 Aug 2009 07:29:08 -0800 Sarah Perez

Firefox 3.5: Browsing Privacy

In the age of transparency, it appears some of us are embarrassed to be ourselves. Maybe you're a closet Perez Hilton fan, or you check Woot! at work, or perhaps as suggested by PC Pro, you like to bookmark your porn collection. In any case, a number of Firefox 3 users reverted back to version 2 due to the location bar's (awesome bar's) ability to search against browser history and bookmarks. A recent Mozilla blog post walks users through the privacy control enhancements of Firefox 3.5.

Said Principal Designer Alex Faaborg, "Having something from your previous browsing displayed to someone else who is using your computer (or even worse) to a large audience of people as you are giving a presentation, is really one of the most embarrassing things that Firefox can do to you."

One quarter of those surveyed who reverted back to Firefox 2 cited privacy as their biggest issue with Firefox 3. In an effort to curb privacy fears, Firefox 3.5 allows for private browsing, the ability to clear a portion of the history and website blocking to stop certain websites from appearing in browser history.

If Mozilla's little location bar raised this much attention, imagine the barriers facing shared browsing services and history trackers. Skabble, Hooeey and Me.dium (now OneRiot) must have faced enormous scrutiny around user privacy. It's interesting to see privacy become an issue with browsing habits while in other areas we allow so much of our private lives to trickle into the ether.

http://www.readwriteweb.com/archives/firefox_35_browsing_anonymity.php Browsers Wed, 26 Aug 2009 23:00:00 -0800 Dana Oshiro

Facebook to Address Privacy Concerns in Canada

A month ago, Canada's privacy commissioner Jennifer Stoddart announced that Facebook did not satisfy Canadian privacy law on several counts. After an investigation prompted by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), Stoddart identified several areas where the company could better address privacy gaps for 12 million Canadian users (roughly 85% of Canadian netizens). The complaint raised concerns about "default privacy settings, collection and use of users' personal information for advertising purposes, disclosure of users' personal information to third-party application developers, and collection and use of non-users' personal information." The company was given 30 days to comply with recommendations, and if Stoddart is not satisfied with Facebook's response, she can go to the Federal Courts for enforcement. Today is Facebook's deadline.

According to CTV Toronto, Stoddart's recommendations include "clarifying Facebook's privacy policies, making it easier for users to remove their profiles and curbing the amount of personal information the site collects from its members." Specifically, the service is being asked to disclose the amount of personal information made available to 3rd party app developers as well as the process of information disposal.

Acting Director of the Canadian Internet Policy and Public Interest Clinic David Fewer commented on the area of 3rd party application developers. Said Fewer, "We had a number of issues with this and so did the Privacy Commissioner. She was concerned about technological safeguards or their absence. She was concerned about Facebook taking steps to ensure that the 3rd party application developer only take the information they required. And we also had concerns about the clarity or degree to which the 3rd party application developer was accurately describing the personal information that they needed to provide the application."

Facebook is expected to submit a proposal and timeline to Stoddart within the day. A full list of the CIPPIC's 24 complaints and the Privacy Commissioner's report is available here.

On a related note, the Associated Press just published an article regarding a California-based Facebook privacy lawsuit. It appears the company will have to address concerns on a number of fronts.

Photo Credit: Makaristos

http://www.readwriteweb.com/archives/facebook_to_address_privacy_concerns_in_canada.php Facebook Mon, 17 Aug 2009 17:40:33 -0800 Dana Oshiro

Dear iPhone Users: Your Apps are Spying on You

Recently, Palm came under fire when programmer Joey Hess discovered the Pre's smartphone OS was sending users' GPS locations back to Palm on a daily basis. Although this information was disclosed in the company's privacy policy, the majority of the phone's owners were unaware. The incident raised questions about consumer privacy and the extent to which both handset makers and developers were gathering data on mobile users.

If you think you aren't affected by these types of troubles because you don't own a Pre, think again. Multiple iPhone applications - yes, even the ones approved by Apple - are also busy tracking your personal data and "phoning home." Which applications? What data? As an end user, determining this information is difficult. But some iPhone developers have been digging into this issue and the results of their findings may surprise you.

Is Pinch Media Spyware? One Developer Says "Yes"

As far as we know right now, Apple itself is not performing any user tracking via its pre-installed applications. However, that doesn't mean that you're not being tracked by someone, somewhere. There are a number of applications available now in the iTunes App Store which track your user data, including things like location, your iPhone's unique ID, the phone's model, whether it's "jailbroken," and possibly even your gender, birth month and year, and whether the application is Facebook-enabled.

Specifically, a mobile analytics company called Pinch Media is being singled out for being more intrusive than others when it comes to this sort of tracking. Mobile analytics firms like Pinch allow developers to insert code into their application for the purpose of tracking and analyzing how their users interact with applications. In general, this type of tracking is relatively harmless for the end user and helpful to the developer. It reveals stats like: how long did the user play the game or use the app? Do users access this feature more than that one? What time of day are users launching the app? And so on. The results of this type of tracking allow developers to make their apps more usable and help them redesign or tweak aspects of the apps that may not be working.

However, in Pinch Media's case, the user tracking goes a bit further according to one iPhone developer. He says applications using Pinch Media track the following information:

  • iPhone's unique ID
  • iPhone model
  • OS version
  • Application version (in this case, camera zoom 1.x)
  • If the application is cracked/pirated
  • If your iPhone is jailbroken
  • Time & date you start the application
  • Time & date you close the application
  • Your current latitude & longitude
  • Your gender (if Facebook enabled)
  • Your birth month (if Facebook enabled)
  • Your birth year (if Facebook enabled)

What's worse is that you're often never told that the app will be performing this level of detailed tracking and you're often never given the opportunity to opt-out. The data recorded is continuously tracked every time you use the application. This violation of user privacy is so egregious that the developer even goes so far as to call Pinch Media "iPhone spyware."

In addition, a recent post on the iPhone Dev Team blog, the site hosted by the developers who release the jailbreaking and unlocking applications for the iPhone, also calls out Pinch Media for tracking your location even when it's unnecessary to do so. In the example they cite, a tip calculator app was identified as tracking your geographical location through time and uploading that data to Pinch Media.

It's Not Pinch Media That's to Blame, It's Developers

However, in the comments of the blog post, one developer using Pinch Media analytics fights back, claiming that his applications do request permission before gathering statistics. He bristles at the suggestion that they should be called "spyware."

Pinch Media is also frustrated by these accusations. They argue that no location can be sent back without the user's explicit opt-in. Since you have to press a button that explicitly allows the application to access your location, how could this possibly be without the user's consent? The company also claims that the blog posts by this 0th3lo person are "full of factual inaccuracies" (although they didn't detail specifically which parts are inaccurate). They even hint that the blogger's motivations are less about exposing user privacy violations and more about retaliating against the company because Pinch Media recently launched tools which allow developers to identify pirated (aka stolen) applications. That would be something that this particular developer, an active member of the hackulo.us forums (a forum for pirated apps), would not be fond of.

The company assures us that their product complies with all major privacy laws, saying that no personally identifying information is stored and the user opts in through the Licensed Application EULA, which specifically permits the gathering of information and sending it to third parties. In fact, says a company spokesperson, the tracking done by their company is even less intrusive than web analytics, where information is gathered without anyone's consent or opt-in, pointing to ads on this very website as an example of that.

Is This Really an Issue?

At the end of the day, is this sort of tracking all that invasive? Well, tracking a unique identifier such as the iPhone's UUID is not exactly comparable to the type of tracking you see on the web today. It's not anonymous data - it's an exact ID that's unique to each physical device that Apple manufactures. And Pinch Media is not the only analytics company to track this information. Also, when tracking your location data on the iPhone (0th3lo says Pinch Media calculates this to 8 decimal places), that can be far more exact and accurate than any sort of geographically-based IP address look-up on the web. Instead of getting a general location, location data on a GPS-enabled mobile can identify your precise latitude and longitude.

But should you be concerned? Perhaps. Although Apple requires that applications ask if they can use your location upon launch, there aren't necessarily requirements for app developers to disclose what data they're tracking beyond location data, how often it's tracked, and what they're doing with that data when it's received. They also don't require that developers ask for your consent before this sort of detailed monitoring takes place.

Still, not all applications using analytics on the back-end are to be feared. For the most part, the data being recorded is anonymous and helps the developers make better apps. The problem is that, as of today, there's no way to know which apps are the safe ones.

Update: Pinch Media has posted a clarification about what they do here.

Want more? Thanks to @0th3lo, here's an ongoing list of applications that "phone home" and what data is being tracked. Some apps on this list are: AroundMe, Aussie Rules LIVE, Camera Zoom, Discover, Flick Fishing, iiQuota, Mummy's Revenge, Police Scanner, Stickwars, The Moron Test, TouchGrind, Touch KO, TwitterFon, FaceFighter, Grunts, SmackTalk, Postman, vDrummer, Wobble, iFarty, iAppUSA, and Lonely Planet Guide.

http://www.readwriteweb.com/archives/dear_iphone_users_your_apps_are_spying_on_you.php Mobile Services Mon, 17 Aug 2009 06:25:04 -0800 Sarah Perez

EFF Calls on Companies to Encrypt Location-Based Data

Steven Seagal's '80s movies lack relevance for modern-day audiences because if a group of creepy, rogue mercenaries were to abduct us now, we'd be able to ping 10 nearby friends for backup. If you're like us, you're using one or more location-based services that rely on GPS data, phone signal strength or visibility in relation to nearby wireless networks. In other words, through Twitter, Loopt, Brightkite, Foursquare or Google Latitude, your location is sitting in a database. Nonetheless, according to a recent report by the Electronic Frontier Foundation, you shouldn't have to forgo your locational privacy to find nearby friends or restaurants.

Locational privacy refers to the expectation that as regular citizens our whereabouts are not being monitored. We've all heard of the horror stories about illegal wiretapping and citizen surveillance, but what about the services we opt into? According to the report "On Locational Privacy, and How to Avoid Losing it Forever", it's fairly easy to use cryptographic techniques to ensure your anonymity. Rather than revealing a mobile device's owner to service providers, one way to ensure anonymity is for a mobile device to ping services using a cryptographic proof-of-identity. A University of Waterloo report entitled "Louis, Lester and Pierre: Three Protocols for Location Privacy" provides a deeper look at identity masking techniques.

This is an important subject for those companies looking to enter into the geo-locational space. Groups that encrypt their data are taking pains to reduce the threat of identity theft, illegal surveillance, or data being subpoenaed by a court. These companies will be rewarded with customer loyalty when the unfortunate time comes for one or all three of the above scenarios.

Those critical of encryption might suggest that law-abiding citizens have nothing to hide, but that simply isn't true. What if you're in Alcoholics Anonymous? Or you've simply spent the night at a person's house? And honestly, do you really want your running club to see how often you eat at Arby's? Encryption allows us to ping our friends while maintaining an air of mystique, and at the end of the day, the companies that care about their customers keep them.

http://www.readwriteweb.com/archives/eff_calls_on_companies_to_encrypt_location-based_d.php Lifestreaming Wed, 05 Aug 2009 20:00:42 -0800 Dana Oshiro

Does that Facebook App Have a Privacy Policy? Probably Not.

When you're installing a new Facebook application, you probably don't think about the app's privacy policy, but perhaps you should. After all, the privacy policy is where the company spells out exactly what they can and will do with your personal user information. However, according to the findings released yesterday on the site Social Hacking, the state of Facebook application privacy policies leaves a lot to be desired. After delving into the current list of the top 25 applications, some disturbing information was revealed. For example, 36% of these top apps had no published privacy policy whatsoever or only offered a link to it after you authorized the application.

Does That App Have a Privacy Policy? Probably Not

Each of the top 25 applications on Facebook has at least 5.5 million monthly active users and 12 of these apps are labeled as "Facebook Verified," a designation which essentially means they have been given the Facebook seal of approval when it comes to their trustworthiness. But how trustworthy are these apps, really?

To determine the state of application privacy policies, "theharmonyguy" (the anonymous blogger who maintains the site Social Hacking) looked for links on the app's Info page referring to a privacy policy, looked for links within the app's TOS (Terms of Service) page, and looked within the help/support pages, too. Plaintext URLs were also counted as links, if present.

In nearly a third of the applications, there was no link to a privacy policy listed.

Among the apps with no privacy policy are the #3 app "How Well Do You Know Me," the #5 app "MyCalendar," and the #12 app "Farm Town," among others.

Two of the applications only provided a link to the privacy policy after installation, one on the first page after installation and the other buried within a linked support page. One of these apps was the Facebook Verified app "We're Related." Seven applications included links in their Info pages, but in five of the seven, you would have to first click the "About" link to go to the developer's web site to discover the privacy policy link.

Eight applications included privacy policy links from links found on both the Info page and the TOS page. But only one application actually served up the privacy policy link directly from the application's Info page itself: CourseFeed.

Surprisingly, the "Facebook Verified" application known as RockYou Live (formerly Super Wall) offered no privacy policy whatsoever within the application or via its links to other pages. The About link pointed to a section of the application which requires user installation and the install page offered no TOS link, either. (And this is supposedly one of the trustworthy apps?)

Application Privacy: Old News Perhaps, But Still an Issue

Today, Facebook is busy defending itself against accusations that they're using user data for advertising purposes, but it seems that the real danger on Facebook may be the access to this same user data from unknown companies outside of the social network. This is not really a new issue - nearly a year and a half ago, Facebook application privacy issues were heavily discussed in the blogosphere for some time. It's interesting to look again at the status of this problem and see how little has changed since then.

In fact, today Facebook's Application Terms of Service warns you (shouts at you in UPPERCASE, no less) that:

"ALL PLATFORM APPLICATIONS ARE PROVIDED AS IS" and that "YOU UNDERSTAND AND AGREE THAT YOU DOWNLOAD, INSTALL AND/OR USE ANY PLATFORM APPLICATIONS AT YOUR OWN DISCRETION AND RISK."

Within your Privacy settings, you're also informed that:

"When you authorize an application, it will be able to access any information associated with your account that it requires to work. The application can access information like your personal info and photos as well as your friends' personal info (depending on their settings)."

In other words, you've been warned.

Why Doesn't Facebook Make Apps Offer a Privacy Policy?

It appears there's absolutely no requirement for Facebook applications to provide links to their own privacy policies to application users. And there's certainly no requirement that these links are prominently displayed for easy access.

This would be a simple policy for Facebook to enact, although perhaps a hard one to enforce in terms of man hours needed to keep tabs on all the apps across the social network. Someone would need to make sure that the apps not only offered privacy policies but also didn't remove the links after time passed and devious developers thought they could get away with the removal. Plus, there would still be the issue of the external privacy policies being updated after you agreed to them. What may have been innocuous at first could easily be updated to be quite terrible later on. Unless you routinely checked the privacy policy (which no one does) you would never know the change occurred.

Managing the network of applications could be made easier, however, with a little crowd-sourcing. There's already a "report this app" link provided at the bottom of all application pages. The link currently allows users to report privacy violations, so why not let users report the lack of a privacy policy, too? That seems like a good first step Facebook could take in this situation.

Although the majority of users would still probably never look at privacy policies even if changes were made, having them consistently and prominently displayed would at least put pressure on application developers to think more carefully about how they would access Facebook user data as this would now be disclosed. And that may be the best we could hope for when it comes to these applications.

http://www.readwriteweb.com/archives/does_that_facebook_app_have_a_privacy_policy_probably_not.php Facebook Wed, 29 Jul 2009 06:35:17 -0800 Sarah Perez