Open Social Web – Google + Feedburner Really Is Bad For RSS

 

I honestly laughed when I saw the new “Open Social Web” Bill of Rights launched yesterday, not because it isn’t to some extent a useful idea, but because of one specific term…

Control of whether and how such personal information is shared with others

10 months ago I fired off a heated debate about RSS sharing, and how Google with it’s easy to share feeds could be killing the future of RSS.
Now I say I fired it off, but honestly it would have been a storm in a teacup without Robert Scoble taking part with one of his most controversial headlines.
I think I had about 30 subscribers at the time.

Today Robert is championing the Bill of Rights he signed up for, but unfortunately Google Reader and Google’s recently purchased Feedburner don’t support the level of control over your feeds to allow Robert, and his friends wishes to be fulfilled, and they really only have their selves to blame, for championing Google Reader without encouraging Google to allow for self determination of what happens with the data.

RSS Sharing – Path of Discovery

I already knew that RSS could be protected using RSS Authentication, and that was something Google doesn’t support, but Bloglines does, and they block your ability to share authenticated feeds. +1 Bloglines

Open Social Web is really about applications such as Facebook, and my voyage of discovery into content access control in Facebook actually started quite by accident about a week ago.

Facebook provides a way to get your notification by RSS

The URL looks like this


http://www.facebook.com/feeds/notifications.php?id=576942190&viewer=576942190&key=10characterkey&format=rss20

Google Reader allows you to add that feed, and share it

Shared item uses javascript, though I could easily also feed it to anywhere, such as a WordPress blog

Facebook shared on Google Reader

I could have also shared it in a primary shared feed totally by accident.
Now there currently isn’t any really private information in there, other than allowing others to know who my friends are, and who I am communicating with, but then you wouldn’t want to share your email headers either…

Being allowed to share data doesn’t mean it should be as easy as hitting a hotkey when reading a “river of news”

I Appologise To My Facebook Friends

I will remove the sharing in 24 hours, but I feel it is important to use real data to demonstrate this point because for some reason 99% of the tech industry just didn’t understand it 10 months ago.

Facebook & Bloglines Understand it

Facebook point to their help information on notifications

Facebook Notifications

Lets take a look at what Facebook think about sharing and privacy, and why they implemented specific security measures.

Does this mean that everyone can see all my notes now?

No. Each person that can see your notes on Facebook is given a different RSS or Atom feed URL that is unique for them. Only the notes that they are allowed to see will be syndicated via that URL. If you change your privacy settings or friend links, then all the feeds will be appropriately updated.

Unfortunately those people can share those links by accident

Won’t Bloglines and other similar services make my notes content searchable by the world if my friends enter the URL for my Notes feed into those services?

Atom and RSS feeds from Facebook include the Bloglines Feed Access Control extension , and we set the access parameter to “deny” for all of our feeds. We also indicate in our robots.txt that feeds should not be visited or indexed by bots. The major aggregators and search engines (Bloglines, Technorati, Google, Yahoo!) all appear to respect these directives. If you are very concerned about the possibility of someone seeing your notes that you don’t want him or her to see, we’ve added a privacy option that you can set on your notes privacy page which will prevent any of your Notes from being syndicated in any RSS or Atom feed.

The major search engines do support Robots.txt, though I am not sure robots.txt would be sufficient to stop someone hacking.

Bloglines Feed Access Control extension was introduced last August, and it seems no one in the Technology blogging world really took an interest.
Google Reader certainly doesn’t support it as I have proven above.

People can make all this content searchable by mistake, broadcast it on Twitter etc

Doesn’t providing different URLs to every person that views my notes create inefficiency because services that do aggregation will have to retrieve and store my Notes from multiple feeds?

Yes. This is the only way that we can maintain your privacy settings on a per-viewer basis.

Facebook (and Bloglines) seem to be very keen to support privacy and choice, but Google Reader by not supporting “access:restriction relationship” seems to think privacy (and copyright) is a waste of time.

access:restriction relationship=”deny”

Feedburner is now owned by Google and you would expect them to treat all services the same, and to support initiatives that give content owners a choice in what happens to their content.

They have an interface to allow introduction of sharing control within Feedburner, but for some reason only support the blocking of sharing with a service provided by a Google competitor, Yahoo Pipes.

noindex no pipes

This adds the following code to your feed, and I currently have on my feed, though I will probably switch back.

<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" /><meta xmlns="http://pipes.yahoo.com" name="pipes" content="noprocess" />

this means that it is not indexed, but all links are still followed (so links back to the feed still give me some juice), and is meant to prevent someone using your content in Yahoo Pipes.

Of course it doesn’t….

Once any content enters Google Reader, it can be tagged and filtered automatically, and Google Reader doesn’t include any of the access controls.

I have fed my protected feed into Google Reader, and then shared it
It took me 2 minutes to set that up and is realistically unblockable – any splogger using Google Reader cannot be prevented from taking your content and feeding their “Made for Adsense” sites.

Facebook Opening Up?

Actually they are already wide open, because the various feed readers other than Bloglines are not supporting their controls.
The announcement today of limited search ability doesn’t matter, someone could easily program an app that would allow people to share everything and have everything searchable, without seeking permission from those sharing.

Ownership and Control of RSS Content

10 months ago everyone seemed perfectly happy to slam me and tell me that I was wrong. The tech blogging fraternity thought at that time that once something is in RSS format, you should no longer have control of it, and have no legal right to complain about other people using it.

The more creatively and more personal RSS feeds become, the more control the owners of that content need for how that content is used, either on purpose, or by mistake.
It shouldn’t be possible to hit a hotkey and share Facebook content with 50,000 subscribers, but it is currently possible.

This is about choice, and privacy

This also isn’t the only problem with Feedburner as as I pointed out when Feedburner were purchased by Google.

Update

I have now switched to using a screenshot rather than a live Javascript feed to improve privacy a little

 

Liked this post? Follow this blog to get more. Follow

Comments

  1. says

    Interesting look at things Andy. I think i need to check out all the sources to have a better response than this ;). I noticed Jeremiah from Web Strategist has signed up to this ‘Bill of Rights’ aswell.

    Never knew you had a big debate with Scoble in the past ;)

  2. says

    Great post! In this Google-dominated world, I think we have all given up any rights to privacy we once had. From tracking cookies to stolen feeds, from behavioral targeting to email scrapers, I do not know where it will end.

    I have given up trying to stop people from using my feeds. I wish there was a way to put a watermark on our feeds that says, “If you are not reading this on (name of blog), this person stole it. Report them for $10.” Think it would work?

    Have a great day.

  3. says

    Hey man,

    Not sure we see eye to eye on the monetization front, but we definitely agree on the frustration over an inability to control/manage RSS feeds and personal information.

    Nice sum up. Just linked to you in an article on my blog.

    Sean

    • says

      Sean I tend to fight uphill battles, but I get there in the end.

      I am pretty sure if I did a paid review of any Web2.0 service it would be more in depth than you will find on Techcrunch, and arguably less biased, because my affiliations are fairly out in the open and the amount I get paid for a review isn’t enough to sway my opinion, or break the social contract with my subscribers (which is why they keep increasing)

  4. Ms Wahala says

    Stirring up trouble again, I see. I think you should keep this post on the front page until it causes the controversy it deserves. ;)

  5. says

    Ever since I signed up for Facebook a couple of months ago I’ve had this nagging feeling that my information isn’t as secure as it seems. Thanks for pointing out why.

    I cringe when I see some of the things people post freely on Facebook and other social networks, often viewable by anyone. This just makes it that much worse.

    The problem with restrictions on the internet, such as what you’re talking about here with RSS, is that it’s only as good as the weakest link. If Google decides they don’t care about supporting it, suddenly it might as well not exist at all. Anyone who wants to circumvent it can easily do so, and they don’t even have to have any kind of hacking skills.

    @CyberCelt

    I disagree that we’ve given up our right to privacy. I think we still have that right, it’s just that most of us are willing to trade it away for convenience. Google’s free tools are anything but free – they just don’t cost money.

    The unfortunate thing is that once you make the decision, you can’t undo it. That information is out there to stay.

  6. says

    So that was your rise to fame secret…

    There is an answer to this and strangely it does involve technology (for a change) as the answer (as opposed to the problem).

    What we have here is an authentication, identification and trust issue. RSS, ATOM and all other XML feed technologies run over http just like web pages. In fact html is simply a more “sloppy” version of XML. But enough teaching grandma to suck eggs.

  7. says

    I believe we all have the right to choose what people see about ourselves through RSS.

    Strange enough though I am of the notion that once you put yourself up online it does become game to who ever wants your “stuff” badly enough. Not unlike in the real world, where regardless of how many security systems one installs around their property to deter a hacker/thief from stealing; they will break through if they want it.

    GREAT post!

  8. says

    You do have a point, especially with these new extensions that didn’t exist when we last had an argument.

    That said I just wouldn’t subscribe to a feed that doesn’t want me to reblog their stuff.

    I guess that you are asking me to stop doing that, right?

    • says

      Robert, I publish under GPL, I don’t even mind commercial use of my content as long as I am given attribution, and I don’t chase down sploggers.

      These controls were in place when we had out last conversation, but I wasn’t aware of them, and nore were you.

      Bloglines introduced their code in August last year

      Obviously I would prefer conversations happening on my own blog but you can’t win everything and I would prefer more readers, as eventually readers have a habit of filtering back to the source.

      WebProNews publish my full content all the time on their sites, and I see traffic from it all the time.

      Sometimes I even manage to rank for my own content these days until the link attribution kicks in. They link to my permalink in each article they republish.

      I am however fairly unique, I don’t know many people who publish under GPL, even though people love GPL software, they seem to think that commercial use of their content is bad.

      In my feed you will see a very clear GPL license because I know that otherwise if it gets shared any machine visible copyright gets stripped out.

  9. Ms Wahala says

    Ooo, Robert, did you say “argument” so are you officially “fighting”? Because it doesn’t sound like it. I miss controversy. :( Andy, you have to say more mean things that don’t make sense to get the blogosphere in an uproar. lol…

    Just kidding! I’m actually wondering what your answer to Robert’s other question is, Andy.

  10. says

    I think there’s a BIG difference between reblogging stuff from people’s feeds and the potential for private information to get released, whether intentionally or by accident.

    I don’t think there’s anything wrong with reblogging provided the original source is cited. Even if their feed is protected, it’s easy enough to go to their website, pull a few quotes from the article and blog about it on your site.

    It’s not so easy to get into someone else’s Facebook account and see all their private information.

    • says

      John but when you are browsing your river of news and share an item that a friend sent you that wasn’t intended to be shared, and it ends up being sent to 5000 twitter accounts, it is fairly serious.

      Facebook has controls built in, Bloglines created those controls 13 months ago.

      Google Reader not only ignores the controls, it strips them out along with any controls added by their sister Feedburner service.

      It is also interesting to note that Robert signed up for the Open Social Web, but today was writing about how he is tied to Google Reader, locked in, because he can’t extract his historical feed data to move to another service.

      It is also important to think of legal issues.

      If you by a license to an image for use on your site, you can probably also publish it in your feed to your subscribers, because that is still you using it.
      If someone then republishes it somewhere else, they are breaking copyright.

      That person wouldn’t know, because the copyright information that was in the original feed was stripped out.

      Just do a search for how many people are even aware that this extension exists.

      It is almost like there is a conspiracy in San Francisco to hide the information. A “nip slip” from a “C” celebrity would get a lot more attention, even among tech bloggers.

  11. says

    Well, I have a very clear view on copyright issues: if the data is “out there”, it is out there. Ie. I don’t believe in paying for copies of data, and as soon as anyone (more or less) has it you might as well stop fighting to stop the wider distribution of it.

    This is of course a problem when it comes to privacy, and fundamentally I do not see a idiot-proof solution.

    If you have no idea what I am talking about, what if someone re-wrote your private feed on their public blog? Or even re-write in with a pen on a paper (Yes they still exist!)? You can’t do anything against that. So, if there is information you don’t want spread, do not spread it in the first place.

    How would this be handled in the real world? Via trust, not by any technical restrictions (“hey, I can tell you my secret, because I trust you, but it will be DRM forward locked!” is not how reality goes)

    Trust would work equally well for electronic data: if you share data with people you trust not to re-share it by purpose, and also by accident! Of course there is also the technology to trust here, but that is generally easier to trust than humans today in my opinion. Of course, people that honestly do not want to share private is going to do so by mistake from time to time, but that applies equally well to the real world! The issue here, as this blog is really touching upon, is we need to make the electronic world a lot more like the physical world, ie. a lot harder to share information.

    So, what is left of the problem? Absolutely nothing. Don’t send your valued data to sloppy people or public channels!

    • says

      John it is not a simple as that.

      No one has yet come up with an email client that I am aware of where you read a “river of email” with the ability to share jokes with your whole address book with a single hotkey.

      Wouldn’t it be faster to read your email that way?

      But there are dangers, you might share a private email.

      Some RSS feeds are also private, there needs to be respect for built in controls.

Trackbacks