What I am most disappointed about (**rant) is the way that Facebook, seem to think that an “OPT-OUT” policy is the right way to go about landing new functionality on their users. By default, Facebook allows your friends to log your geolocation at given point in time. And this is simply NOT ACCEPTABLE. As far as I am aware (and please do let me know if I am wrong), none of the other popular geo-logging services allow for other people to log your location at a given point in time. I see this as a massive invasion of your privacy, and as have others, as discussed in the following CNET article:

Shots already fired over Facebook Places privacy

An OPT-OUT policy to services which compromise your privacy and your personal information is simply NOT acceptable, and DRACONIAN. I mean, Facebook, DID NOT even attempt to inform me, that friends of mine can can geolog my location at any given point in time. I mean, what is stopping a friend of mine, who is hanging out in a brothel from geologging me, and defaming my character, by suggesting that I too was at the same place as him.

I noticed this yesterday, and then I got round to tweeting it, and had a lot of people thanking me for informing them of this change of service. So, I thought I would expand what is going on in a bit more detail. If you would like a more verbose write up on how to disable this new “feature”, visit the Garlik blog article:

Garlik Blog: Disabling Facebook Places.

As far as I am aware there has been no recent changes to Facebook’s privacy policy or their terms of service as illustrated on the awesome Terms of Service Tracking site. From my point of view, Facebook should inform their users about new functionality, especially new functionality which by definition shares your geolocation information both with people within Facebook, and with the Skyhook geolocation gazetteer.


short_open_tag = 1


This option allows for the use of the short hand "<?" and "?>" used as abbreviations for "<?php" and "php?>". And yes, shorts hand are good, I am super lazy, insofar as I am not good at setting “use strict;” when writing perl code.

Secondly, I was stung due to the fact that PHP 5.3 has clamped down on the returning of values when expecting a reference to be returned by a function, this phenomena and the necessary fix is illustrated in my previous blog post.

I have managed to get my OpenID server working, my OpenID URI being http://mmt.me.uk/blog/, but I have yet (after hours of trying), managed to get OpenID commenting fixed on my blog.

So my apologies if you try and comment on my blog using your OpenID, as it doesn’t work.

The most annoying thing about this whole issue is the fact that I get perhaps the least helpful error message ever. The following error message pops up when I attempt to use my colleagues OpenID to post a comment to one of my articles, this following error message gets sent to my STERR :

[Fri Aug 20 12:01:14 2010] [error] [client XXX.XXX.XXX.XXX] Successfully fetched 'http://steve.harris.name/': GET response code 200, referer: http://mmt.me.uk/blog/2010/07/30/the-facebook-like-button/

“200, and Successfully fetched!” my ass!

In order to get the OpenID server working I had to apply a patch, which has been raised as a ticket on the diso project issue tracker. In short, there are two required changes, due to PHP 5.3 funkiness, required to make the OpenID server work.

These couple of changes to the OpenID libraries which came with my version of WordPress is due to the fact that PHP 5.3 has clamped down on the returning of values when expecting a reference to be returned by a function, this phenomena was illustrated in the following errors :


[Sun Apr 18 23:40:05 2010] [error] [client 140.203.155.13] PHP Warning: Parameter 1 to Auth_OpenID_Server::openid_associate() expected to be a reference, value given in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1702
[Sun Apr 18 23:40:05 2010] [error] [client 140.203.155.13] PHP Fatal error: Call to a member function needsSigning() on a non-object in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1495
[Sun Apr 18 23:40:06 2010] [error] [client 78.86.167.133] PHP Warning: Parameter 1 to Auth_OpenID_CheckIDRequest::fromMessage() expected to be a reference, value given in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1576, referer: http://apassant.net/blog/2010/04/18/sparql-pubsubhubbub-sparqlpush?destination=node%2F374
[Sun Apr 18 23:49:36 2010] [error] [client 193.203.240.209] PHP Warning: Parameter 1 to Auth_OpenID_Server::openid_associate() expected to be a reference, value given in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1702
[Sun Apr 18 23:49:36 2010] [error] [client 193.203.240.209] PHP Fatal error: Call to a member function needsSigning() on a non-object in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1495
[Sun Apr 18 23:49:52 2010] [error] [client 193.203.240.209] PHP Warning: Parameter 1 to Auth_OpenID_Server::openid_associate() expected to be a reference, value given in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1702
[Sun Apr 18 23:49:52 2010] [error] [client 193.203.240.209] PHP Fatal error: Call to a member function needsSigning() on a non-object in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1495
[Sun Apr 18 23:50:27 2010] [error] [client 216.97.225.85] PHP Warning: Parameter 1 to Auth_OpenID_Server::openid_associate() expected to be a reference, value given in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1702
[Sun Apr 18 23:50:27 2010] [error] [client 216.97.225.85] PHP Fatal error: Call to a member function needsSigning() on a non-object in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1495
[Sun Apr 18 23:50:28 2010] [error] [client 78.86.167.133] PHP Warning: Parameter 1 to Auth_OpenID_CheckIDRequest::fromMessage() expected to be a reference, value given in /media/data/www/mmtmeuk/public_html/blog/wp-content/plugins/openid/Auth/OpenID/Server.php on line 1576, referer: http://www.pillwatch.com/proc_openid-login.php


There is a page which describes the patch one needs to run to overcome this:

http://patchlog.com/wp-content/uploads/2009/11/openid-server-php.5.3.diff

I need to get on with other stuff now, will revisit this in the future …

This is fanstatic news, as I can now digitally sign my emails, with my GPG identity, which can be found linked to from my FOAF file.

In short, I fear that Facebook via the Facebook Like button which you can find on many high volume, mainstream sites, such as imdb, rottentomatoes, cnn, etc, is tracking you even if you are not logged into Facebook from your browser.

So, I have no solid evidence to say that they are DEFINITELY doing so, but I will explain why it is technically possible for them to do so. And well, the cynic in me thinks that if it is technically possible for facebook to log that my facebook id is on a given page, it will, regardless of whether or not I am logged in or not.

From this point onwards, I will be referring to all of various versions of the Like button, i.e. Like, Recommend, Fan, etc as the Facebook Like button.

So, the Facebook Like button can be implemented in one of two ways, using facebook’s XFBML or via the inclusion of a Facebook iFrame. FWIW, all of the instances of the Like button I have come across have been implemented using the iFrame approach, but I will look into the XFBML method of doing things soon and will blog about it then (he says …)

So, if you are a facebook user, and you have visited facebook
since the last time you cleared you cookies, you will have a facebook cookie in your browser. It is this cookie which allows facebook to inform you of how many of your friends have liked the page your browser is currently pointing to. An example of functionality can be seen in the below screenshot.

I am aware that if you are signed out of facebook you wont see your list of friends which are have already clicked the like button, you will end up seeing something like:

So, given that the Like button is an iFrame, i.e. it is actually hosted on www.facebook.com, it means that facebook can read your facebook.com cookies, and they can tell whether you are logged in (to show you which are of your friends have “liked” the page before you). And well, technically this implies that they know who you are which enables them to tell whether you are logged in or not.

Dan Brickley created a neat drawing of the what a iFrame is actually doing (thanks Dan, and see below). The illustration highlights the fact that a page which seems to be coming from a given web address, if it includes an iFrame, is actually coming from multiple web servers.

This is danbri’s illustration of what an webpage which includes iFrame’s is actually doing

This makes me class the Facebook Like button in the same category as ad tracking sites, insofar as the fact that if you turn up to a page with a Like iFrame, and you have a facebook cookie, you are in theory being tracked, regardless of whether or not you choose to click the Like button or not.

So, why do I class this in with ad trackers, I do this because of the fact that you are being tracked passively, i.e. regardless of whether or not you choose to like something, facebook is theoretically logging the fact that you have been to that website.

So, now to give an example :

Let’s say that you turn up to cnn.com can you visit the below article:

http://www.cnn.com/2010/US/07/29/wisconsin.roush.crash/

The page them subsequently loads up the following iFrame and serves it to you, it renders the Like button on the page, the iframe revolves to a url on facebook.com

http://www.facebook.com/plugins/like.php?action=recommend&…

By going to the first URL, you are also hitting the second one. Your user-agent, which based on http://panopticlick.eff.org/, is kinda uniquely identifiable, and is therefore in facebook’s logs. Given that the iFrame (second URL above) is hosted on facebook’s site, they CAN read your facebook cookies, am NOT saying that they do as I can’t prove that in anyway, but my guestimate is that if they are not, they will be in the future.

So, I can see three scenarios, which are relevant to this

• A user is logged into facebook in their browser, and then visits a site in a different tab, not even knowing that the site has a facebook “like” button, because you will only become aware of the “like” button upon arriving at the page and having it in loaded in your browser, which is too late from my POV. This happened to me last night, and happened to me recently when I went to imdb (sighes).
• A user is not logged into facebook, but has facebook cookies in their browser, they go to cnn.com, facebook knows (with a high probability) that a given facebook ID has visited a given site, by virtue of cookies and stuff
• User has no facebook cookies, and then facebook will only get the user’s user-agent in their access logs, which I bet they store (even though once again I have no proof of this.

Ok, so solutions:

Solution 1 :

You can delete all of you facebook related cookies from your main browser (firefox being browser of choice), and then you can download another browser which you use for facebook’ing, so that you are no longer given facebook the option to track the pages you read on the web.

Solution 2 :

Which is the solution I am going for at the moment is that you can install Adblocker Plus and you can block all of the Facebook Like endpoints, using custom filters.

This is an export of my Facebook Like button filters, it is probably far from complete, and I will put it up a service which you can subscribe to in Adblocks Plus, and will update the list of URLs as and when I come by them (will blog post when I am done with this.)


[Adblock]
! Checksum: 1+81iD/9dKSZiqqW6WtQxA

The following screenshot, shows what my current step looks like in Adblocker plus:

My colleague Vaidas Jablonskis (who is awesome), pointed me to Adbocker Plus which is also totally awesome

Finally, it is worth mentioning that I am not sure whether or not all of these sites which have facebook like buttons are explicit about the fact that their users CAN be tracked passively by facebook. Or whether reputable brands like CNN have any form of agreement with Facebook regarding whether or not their users are being track. Are any of these big companies, breaking their terms and conditions ?

I will post an update on step by step instructions regarding how to subscribe to my Adblock filter list of facebook like buttons endpoints soon.

So, I suggest people download and install Adblock and block facebook like buttons, and subsequently install the Facebook Like plugin , so that they are no longer being passively tracked by Facebook, and so that they are in control of when they tell Facebook that they like a given web page.

Finally, links to existing literature in this space:

http://techcrunch.com/2010/04/23/like-buttons-evil-facebook-not-open/

http://philosophicalzombie.net/post/540799211/has-facebook-just-become-the-evil-empire-whats-wrong

Comment, corrections, or a simple “you are wrong because …” are very welcome

Happy Interneting People


[root@blanket 4store]# make test
(cd tests && make -w test)
make[1]: Entering directory `/usr/local/src/4store/tests'
(cd query && pwd && ./setup.sh --autorun)
/usr/local/src/4store/tests/query
4store[9702]: backend-setup.c:176 erased files for KB query_test_mmt04r
4store[9702]: backend-setup.c:301 created RDF metadata for KB query_test_mmt04r
../../src/frontend/4s-import: error while loading shared libraries: librasqal.so.1: cannot open shared object file: No such file or directory
Preparing for tests...
../../src/frontend/4s-delete-model: error while loading shared libraries: librasqal.so.1: cannot open shared object file: No such file or directory
[FAIL] add-and-delete
[FAIL] distinct-predicate
[FAIL] foaf-all-limit
[FAIL] foaf-bnode-vs-variable
[FAIL] foaf-construct
[FAIL] foaf-disjunctive-filter
[FAIL] foaf-distinct
[FAIL] foaf-graph-all
[FAIL] foaf-graph-pred
[FAIL] foaf-knows-name
[FAIL] foaf-knows-name-sha1
[FAIL] foaf-knows-sha1
[FAIL] foaf-knows-sha1-xml
[FAIL] foaf-multi-disjunctive-filter
[FAIL] foaf-nested-optional
[FAIL] foaf-nothing
[FAIL] foaf-optional-order
[FAIL] foaf-optional-pair
[FAIL] foaf-optional-regex
[FAIL] foaf-repeat-var
[FAIL] graphs
[PASS] integrity
[FAIL] null-optional
[FAIL] null-optional-double
[FAIL] optimiser-disjunction
[FAIL] select-bnodes
[FAIL] select-order
[FAIL] select-unused
[FAIL] size
[FAIL] tiger-broadway
[FAIL] tiger-explosion
[FAIL] tiger-fail-optional
[FAIL] tiger-harold-ave
[FAIL] tiger-landmarks
[FAIL] tiger-mixed-optional
[FAIL] tiger-reverse
[FAIL] tiger-sugar-hill
[FAIL] tiger-sugar-hill-filter
[FAIL] tiger-typical
[FAIL] tiger-water-names
Tests completed: passed 1/40 (39 fails)
make[1]: Leaving directory `/usr/local/src/4store/tests'


This struck me as odd given that when I ran the “configure” script I got the following output :

[root@blanket 4store]# ./configure
[OK ] pkg-config installed
[OK ] raptor installed
[OK ] rasqal installed
[OK ] glib2 installed
[OK ] libxml2 installed
[OK ] pcre installed
[OK ] ncurses installed
[OK ] readline installed
[OK ] z installed
[OK ] avahi installed


So these are the setup step which I had to perform in order to get 4store working and running the tests:

1. After compiling the code, used ldd to see which libs were missing

ldd src/frontend/4s-query
[root@blanket 4store]# ldd !$2
ldd src/frontend/4s-query
linux-gate.so.1 => (0x00d9a000)
librasqal.so.1 => not found
libraptor.so.1 => /usr/lib/libraptor.so.1 (0x00678000)
libxml2.so.2 => /usr/lib/libxml2.so.2 (0x04f2f000)
libavahi-common.so.3 => /usr/lib/libavahi-common.so.3 (0x051d0000)
libavahi-client.so.3 => /usr/lib/libavahi-client.so.3 (0x051bd000)
libavahi-glib.so.1 => /usr/lib/libavahi-glib.so.1 (0x004b8000)
libglib-2.0.so.0 => /lib/libglib-2.0.so.0 (0x00da9000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00110000)
....


2. Fix my ld.so configuration. The issue was that I had to add the following line, which points to my librasqal.so.1, to the following empty file
/etc/ld.so.conf.d/local.conf :

/usr/local/lib


A big yay to working 4store :

[root@blanket 4store]# make test
(cd tests && make -w test)
make[1]: Entering directory `/usr/local/src/4store/tests'
(cd query && pwd && ./setup.sh --autorun)
/usr/local/src/4store/tests/query
4store[10887]: backend-setup.c:176 erased files for KB query_test_mmt04r
4store[10887]: backend-setup.c:301 created RDF metadata for KB query_test_mmt04r
removing old data
Reading
into
Pass 1, processed 63 triples (63)
Reading
into
Pass 1, processed 764610 triples (764547)
Reading
into
Pass 1, processed 764658 triples (48)
Pass 2, processed 764658 triples, 26769 triples/s
Updating index
Index update took 17.133335 seconds
Imported 764658 triples, average 19375 triples/s
Preparing for tests...
[PASS] add-and-delete
[PASS] count
[PASS] distinct-predicate
[PASS] foaf-all-limit
[PASS] foaf-bnode-vs-variable
[PASS] foaf-construct
[PASS] foaf-disjunctive-filter
[PASS] foaf-distinct
[PASS] foaf-graph-all
[PASS] foaf-graph-pred
[PASS] foaf-knows-name
[PASS] foaf-knows-name-sha1
[PASS] foaf-knows-sha1
[PASS] foaf-knows-sha1-xml
[PASS] foaf-multi-disjunctive-filter
[PASS] foaf-nested-optional
[PASS] foaf-nothing
[PASS] foaf-optional-order
[PASS] foaf-optional-pair
[PASS] foaf-optional-regex
[PASS] foaf-repeat-var
[PASS] graphs
[PASS] integrity
[PASS] null-optional
[PASS] null-optional-double
[PASS] optimiser-disjunction
[PASS] select-bnodes
[PASS] select-order
[PASS] select-unused
[PASS] size
[PASS] tiger-broadway
[PASS] tiger-explosion
[PASS] tiger-fail-optional
[PASS] tiger-harold-ave
[PASS] tiger-landmarks
[PASS] tiger-mixed-optional
[PASS] tiger-reverse
[PASS] tiger-sugar-hill
[PASS] tiger-sugar-hill-filter
[PASS] tiger-typical
[PASS] tiger-water-names
[PASS] union-nobind
Tests completed: passed 42/42 (0 fails)
make[1]: Leaving directory `/usr/local/src/4store/tests'


First of all you need to have the following installed :
4store
A java compiler (i have Sun’s Java SDK 1.6.x installed on my laptop)
Maven (to compile Dan Hanley’s 4store client libs).

I have all of the code needed for this example placed on my site here : http://mmt.me.uk/examples/4store-java-query-example/ feel free to grab and use it as you wish.

First of all, I should say that I have had to patch the 4store-client-library, as it seems to chomp all of the carriage returns at the end of the lines (“\n”). This is fine you are using the SPARQL-XML-RESULT format, by I am a tad lazy and much prefer working with the tsv format: tsv requires line breaks.

The git diff of my patch looks like so (and again yes it is a tad dirty) :

diff --git a/src/main/java/uk/co/magus/fourstore/client/Store.java b/src/main/java/uk/co/magus/fourstore/clie
index 6652874..097be43 100644
--- a/src/main/java/uk/co/magus/fourstore/client/Store.java
+++ b/src/main/java/uk/co/magus/fourstore/client/Store.java
@@ -349,7 +349,7 @@ public class Store {
String response = "";
String str;
while (null != ((str = in.readLine()))) {
- response += str;
+ response += str+"\n";
}
in.close();
return response;
~
~


This above patch allows me to make use of the TSV output as needed. The patch can be grabbed from here : http://mmt.me.uk/examples/4store-java-query-example/patch.txt.

Ok, now that I have built the 4store-client.jar file with my patch using the instructions in the git repo. I create an example RDF file, and some example java code which will query the 4store KB. All the files can be found on my site http://mmt.me.uk/examples/4store-java-query-example/.

These are the steps which I have taken to get this little demo up and running :
1. Create 4store KB called lame

4s-backend-setup --node 0 --cluster 1 --segments 2 lame


2. Start lame‘s backend (i.e. start the KB)

4s-backend lame


3. Import the example.rdf file into lame‘s backend (i.e. start the KB)

4s-import lame example.rdf


4. Start HTTPD for the KB named lame

4s-httpd -s -1 lame


And then I need to compile the exampleQuery code I knocked together

javac -cp 4store-client-1.0.jar exampleQuery.java


Finally, I run the code like so :

java -cp 4store-client-1.0.jar:. exampleQuery


Resulting in the following output:

Am about to query a sparql endpoint
A user name is:"Bob"
A user name is:"Alice"


I hope this helps!

In order to have a zero cache safari instance on my laptop I have taken the following steps :

• 1: Removed spotlight’s prying eyes, by excluding the following directories :
  • /Users/<USERDIR>/Library/Caches
  • /Users/<USERDIR>/Library/Safari
  • /Library/Caches
• 2: Setup two cronjobs to constantly delete Safari cache-dir

*/10 * * * * find /Users/<USERDIR>/Library/Safari -type f -exec rm {} \; 2>&1 > /dev/null
*/10 * * * * find /Users/<USERDIR>/Library/Caches/Metadata/Safari/ -type f -exec rm {} \; 2>&1 > /dev/null

And finally, I have created a wrapper .app file which open’s Safari, and then enables “Private Browsing” mode, as I could not find a way to do this through editing the Safari.plist file. I followed the instructions posted on the MacWorld site, and they go a little something list so:

• 1. One needs to enable the Enable Access for Assistive Devices option, which can be found in the Universal Access system preference.
• 2. Open the AppleScript editor, and type in the following commands :

  
tell application "Safari"
   activate
end tell
tell application "System Events"
   tell process "Safari"
    tell menu bar 1
     tell menu bar item "Safari"
      tell menu "Safari"
       click menu item "Private Browsing"
      end tell
     end tell
    end tell
  end tell
end tell


• 3. Save this shiny new AppleScript as an application (.app file), and I called mine “PrivateSafari.app”.
• 4. I then grabbed the icon file from Safari, and added to the PrivateSafari, and then replace the old shortcut in my Dock, with one to “PrivateSafari.app”.

It should be noted that I am well aware that the private browsing features in most of the modern web browsers have come under a certain amount of scrutiny recently, below are some links to articles for the interested reader :

• Private browsing modes leak data – BBC News
• Private browsing: it’s not so private – Ars Technica
• Private browsing ‘not so private’ – IT Pro
• Private browsing modes in four biggest browsers often fail – The Reg

Anyways, so I typed in my first and last name into the Personas site, and low and behold, this is result I was shown :

Mischa Tuffield's MIT Personas 240809

Apparently, the three most prominent of my online characteristics are : “online, sports, illegal”. Hehe, I guess the online bit makes some sense, and after scratching my head, and re-running the service I think I have sussed it :

• Online: yeah well …
• Sports: I must be due to this article I was mentioned in in the Telegraph. It was a feature in a technology section, which a part of motoring technology supplement. So, I guess that makes some sense
• Illegal: Well this one puzzled me for a while, but I think the people at MIT think I am a identity thief, hehe…

Which would definitely not be a good thing given that I am currently working trying to help people defend themselves from ID Fraud. So why, does Personas come to this conclusion? I think it is down to a blog post which a friend of mine Tom Heath wrote a while back, where you used the following words “was trying to steal my identity (presumably because he had a fragment of RDF about me in his FOAF file)”. This is a perfect example of how natural language processing can fail, and how much more sophisticated metrics must be used if we are to identify accusations, opinions, or any more complex statements from free text. Tom’s blog post was actually going on about how Google’s Social Graph API failed to understand his FOAF file, merging myself and Tom into one person, another technological fail, but I guess they follow on nicely from each other…

I should note that Google’s SocialGraph API is doing a better job than when it started, and as far as I am aware it now understands RDF natively, via libraptor.