Insecurity at Orkut − 31 January, 2004
Like many others, I've been paying attention to Orkut in the last couple of weeks. I've answered more requests to be "friends" on Orkut than I have on any of the other half-dozen Social Networking Services I've tried, and I've been looking at other people's friends to see if I know anyone. I've yet to ask someone to join Orkut who wasn't already a member, and I've been careful not to have anyone as a "friend" that I didn't know reasonably well and who I thought knew me. Currently I have 68 Orkut "friends", many more than I have on LinkedIn, which I've been using for several months and where I have 50 "connections".
In addition to this activity on Orkut, I've been reading a lot of blogs about other people's experiences on Orkut. In particular, I've found Danah Boyd's blog Apophenia a great source for thought on social networking services, so I've got it near the top of my RSS aggregator. I'd just read her rant venting my contempt for Orkut when I saw a follow up post orkut pissyness round 2 where I read:
Wanna see a big phat privacy hole on Orkut? Go to messages. Click compose. Click "friends and friends of friends." Click next. Copy & paste all of your friends and their friends' email addresses.
I tested this out, and discovered she was correct: when I clicked "friends of friends" I got a long web page of names and email addresses. So I sent this to the list I'd generated:
A serious security hole? Yep.
I was just shown 1137 friend and friends-of-friends email addresses, including your email address. As reported by Zephoria:
http://www.zephoria.org/thoughts/archives/2004/01/30/orkut_pissyness_round_2.htm
I got a lot of replies back like "What did you expect?" and "That is why I don't use my main email for Orkut".
I also got a reply from Orkut Buyukkokten via email:
Could you please send an email to your friends and friends of friends to tell them that there is no security hole?
We worked very hard to ensure that the privacy of our members is not compromised in any way. I don't want our members to get the wrong impression.
I would greatly appreciate it if you could pass the following message to your friends (:
You'll only see the e-mail addresses of people who chose to share them with you: if you mark your email address as not to be shared with friends and friends of friends, they won't be able to get your address this way. If you look at the list of people it's addressed to, you'll see that some are listed without addresses (unless you've got very permissive friends).
Somewhat abashed, I checked, and since the last time I'd sent an email the interface had changed. I discovered that only 356 of my 1137 friends of friends were actually allowing their email to be shown; the rest now showed a "lock" icon next to their name. Of course, the first 100 or so on that list coincidentally allowed their emails to be shown, so I had assumed incorrectly that all had.
So I sent Orkut's reply out to my "friends of friends" and added links to my blog and this comment:
I'm still quite uncomfortable with the privacy issues of Orkut.com at this time. I've had to reveal more information than I'm comfortable with, and the software is too lax in letting me see other people's info, for instance "relationship status" when I've marked myself as not interested in that. Maybe Orkut is just trying to be too much.
I sent an email back to Orkut saying that I'd sent this email, then continued to get a lot of replies to my original email, and I discovered that I was now in Orkut "jail". This meant that I could not send messages, could not add friends or groups, etc. No reason was given for why I was in jail. The only reason I'd seen other people put in jail was because they had added too many friends too fast. I had only 50+ friends at the time, so I knew that wasn't the reason. I could only assume the worst.
I'm out of Orkut "jail" this morning, but I still don't have any explanation of why. I continued to get replies both in support of my concerns:
I tend to agree with you. I've learned more information than I expected about people. Also it's been a little odd to see people I know professionally on orkut, since I first conceptualized it as a social-friends service. (Then again, I've found professors on Friendster, which is much more explicitly social, so perhaps I'd better just accept that these people have lives.)
At the same time, I think that Orkut's attempt to be all things to all people has helped it take off. I feel easier asking professional contacts to join orkut than I would for Friendster. It seems like less of a big deal to add someone to your orkut list rather than on another more focused service, as there is a level of plausible deniability as to intention.
As well as comments like:
I don't want to be too harsh, but if perhaps you, and Danah, and Cory don't want to play then really no one is forcing you to play. But whining about things that you don't like is just, well, unseemly.
I took a break to think about why I responded so negatively when Orkut had the appearance of doing something wrong (first, the 'security hole' that was a feature, and secondly the 'jail'). Then it came to me:
I'm insecure about orkut.
Some of the definitions of 'insecure' are: not firm or firmly fixed; likely to fail or give way; lacking self-confidence or assurance; not safe from attack; lacking in security or safety; not financially safe or secure. The one that fits me the best is "lacking self-confidence or assurance". Why do I feel this way about Orkut?
I guess my insecurity started out at the very beginning. As it is in beta, you can't join Orkut, you have to be invited. This made the place seem 'exclusive' and thus possibly safer. Yet right off it asks you some fairly personal questions: What is your relationship style? What is your sexual orientation? Who are you living with? What are your politics?
Later I found out by looking at other people's information that this is all completely public. It isn't limited to just friends, or friends of friends, but instead is prominent. In fact, other than your name and how many "friends" you have, your relationship style is the most prominent thing listed. Do I really want to know that my business acquaintance that I see only at technical conferences 2 or 3 times a year is in an open marriage? Or divorced? Or gay?
I live in the Bay Area and I've seen it all, and consider myself open and try to be consciously non-prejudiced. That's not to say that I'm comfortable when I'm hit on by another man, but for that matter, I'm not that comfortable when I'm hit on by a woman. The point is that I don't think about someone's sexual and personal choices when I interact with them. I don't care if you are gay, into S&M, or any other radical lifestyle. I don't care if you're straight, chaste, and Christian. What I do care about is your relationship to me -- if you feel that it is important to your identity to let me know, well, that is between us. But I'm not going to pry. I once had a male employee in my office who wore a dress to work -- I still don't know if he is gay or not. It didn't matter to me and he didn't tell me -- what mattered was that he was a good employee.
This started my 'insecurity' about Orkut. Later I read that you couldn't delete your pictures or profiles. This worried me. Then I read that the system was down because of an XML hack.
When Orkut came back after the hack, a new feature was added: fans and ratings. This made me even more uncomfortable. Did I really want to have to not say I was a fan of someone who said they were a fan of me? Wasn't endorsing someone a far better signifier of being a fan? What does Trustworthy mean? Cool? I refused to enter anything for Sexy. I worried whether someone could see my ratings, or reverse socially engineer them, or hack them.
Thus these insecurities of mine led me to think the worst and to post too quickly about the "Friends of Friends Security Hole" and still feel uncomfortable about why I was put in "jail".
So far nothing abusive has happened to me on Orkut -- I've had only two people ask me to be friends whom I don't know, and so far I've not been told that someone is my fan whom I'm not willing to honestly say that I'm a fan of in return. I've even found some old friends that I'd lost track of, which is exactly why I still "play" and don't leave Orkut. I do believe that there may be something useful in these social network services.
Yet I feel that my old blog entry Evaluating Social Network Services that concluded with my take on The Perfect Social Network Service is still quite on track:
My ideal service would have the multiple professional affiliation features of LinkedIn, but also allow me to show non-professional affiliations. It would allow me to form intentional communities like Tribes.Net, but would also let me do a Wiki in addition to a message board. It would have meeting/party invite services like eVite, and blogging features like LiveJournal. It would have an endorsement system like LinkedIn integrated not only with professional endorsements, but personal endorsements as well, and you could even endorse intentional communities. It would let me better map and control my network, giving different friends different privileges. It would handle the release of my personal information like Ryze, but less clunky.
I'd add to that list that I'd like to have more control over my information, in particular relationship information. I'd like to see more "progressive disclosure", with more granularity over what is revealed at each level: public, friends of friends, friends, fans, fans who I've endorsed, etc. Finally, I'd really rather not see things that are not applicable to me, such as relationship information of other people when I'm not looking for relationships, or professional information of others if I'm only using Orkut for dating.
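The two mechanisms this post turns on are the same thing seen from two sides: Orkut's compose screen shows an address only to senders inside the audience the member picked for it (the "lock" icon otherwise), and the "progressive disclosure" I'm asking for is that same per-field audience choice applied to every field, not just email. The following is an added example written for this post, not Orkut's own code, modelling that policy over a small constructed social graph: each member tags each profile field with the widest circle allowed to see it (private, friends, friends of friends, public), and the viewer's graph distance to the member decides what is shown. The member names, addresses and field values are made up for the example.

```python
"""Audience-scoped disclosure of profile fields in a small social graph.

Added example, not Orkut's code. A member chooses, per field, the widest
circle that may see it; a viewer sees the field only if their distance in
the friendship graph (1 = friend, 2 = friend of friend, 3 = stranger) falls
inside that circle. The compose-message recipient list is then just the
email field evaluated against each friend and friend of friend.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Audience(IntEnum):
    """Widest circle that may see a field, compared against graph distance."""
    PRIVATE = 0             # only the member themself (distance 0)
    FRIENDS = 1             # distance 1
    FRIENDS_OF_FRIENDS = 2  # distance 2
    PUBLIC = 3              # anyone (distance 3 = no path within two hops)


@dataclass
class Member:
    name: str
    fields: dict            # field name -> value, e.g. email, relationship_status
    visibility: dict        # field name -> Audience; an untagged field is PRIVATE
    friends: set = field(default_factory=set)


class Network:
    def __init__(self):
        self.members = {}

    def add(self, member):
        self.members[member.name] = member

    def befriend(self, a, b):
        # Friendship is symmetric, as on Orkut once a request is accepted.
        self.members[a].friends.add(b)
        self.members[b].friends.add(a)

    def distance(self, viewer, target):
        """0 = self, 1 = friend, 2 = friend of a friend, 3 = everyone else."""
        if viewer == target:
            return 0
        friends = self.members[target].friends
        if viewer in friends:
            return 1
        if any(viewer in self.members[f].friends for f in friends):
            return 2
        return 3

    def visible_fields(self, viewer, target):
        """The subset of target's fields that viewer is allowed to see."""
        t = self.members[target]
        d = self.distance(viewer, target)
        return {
            name: value
            for name, value in t.fields.items()
            if t.visibility.get(name, Audience.PRIVATE) >= d
        }

    def compose_recipients(self, sender):
        """The 'friends and friends of friends' list: (name, email or None)."""
        me = self.members[sender]
        circle = set(me.friends)
        for f in me.friends:
            circle |= self.members[f].friends
        circle.discard(sender)
        return [(n, self.visible_fields(sender, n).get("email"))
                for n in sorted(circle)]


def render_recipients(net, sender):
    """What the compose screen would show: address, or a lock where withheld."""
    return [f"{n} <{e}>" if e else f"{n} [lock]"
            for n, e in net.compose_recipients(sender)]


def build_sample():
    """Constructed sample graph: alice-bob, bob-carol, bob-dave; eve is alone."""
    net = Network()
    net.add(Member("alice", {"email": "alice@example.com"},
                   {"email": Audience.FRIENDS}))
    net.add(Member("bob", {"email": "bob@example.com",
                           "relationship_status": "married"},
                   {"email": Audience.FRIENDS_OF_FRIENDS,
                    "relationship_status": Audience.PUBLIC}))
    net.add(Member("carol", {"email": "carol@example.com",
                             "relationship_status": "open"},
                   {"email": Audience.FRIENDS_OF_FRIENDS,
                    "relationship_status": Audience.FRIENDS}))
    net.add(Member("dave", {"email": "dave@example.com"},
                   {"email": Audience.FRIENDS}))
    net.add(Member("eve", {"email": "eve@example.com"}, {}))
    net.befriend("alice", "bob")
    net.befriend("bob", "carol")
    net.befriend("bob", "dave")
    return net


if __name__ == "__main__":
    net = build_sample()
    for line in render_recipients(net, "alice"):
        print(line)
    print(net.visible_fields("alice", "carol"))
    print(net.visible_fields("eve", "bob"))
```

In the sample, alice composing to "friends and friends of friends" sees bob's and carol's addresses but a lock for dave, who shares email with friends only; she also sees carol's email but not carol's relationship status, which carol limited to friends. The point of the model is that the audience is attached to each field separately, so a service can expose an address to a friend of a friend without also exposing relationship style to the whole site.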
[Update: another Orkut user and I found a different privacy hole when sending emails -- see Confirmed Email Privacy Hole at Orkut.]