Alan's Ramblings - facebook tag

Facebook lives up to my worst expectations

Mon, 18 Oct 2010 19:26:35 GMT

In January 2008 I made this prediction:

it would be far more effective to use a Facebook application to harvest personal information whilst apparently offering a useful service, and then use the data elsewhere and/or at some time after the application harvested it.

And sure enough, Facebook application providers such as FarmVille and FrontierVille have been hoovering up user data via the Facebook API and selling it to 3rd party advertisers. This has been all over the web today, and is just the latest in a long line of Facebook security cockups. Of course, it's been known about for ages as well, as I pointed out in this February 2008 post:

Researchers from the University of Virginia recently announced that in a study of the top 150 Facebook applications, more than 90% were given access to information that was not needed to function correctly. That Scrabble or Superpoke application you really like? Its developers get access to your religion, sexuality and home town.
-- slashdot.org

Because the WSJ has run the story today, the webosphere is all a-flutter with the 'news':

The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.
-- WSJ

There are currently more than 550,000 Facebook apps, they haven't been audited by Facebook, and they don't run on Facebook's servers. As an application developer, you are responsible for hosting your application, not Facebook, so you have complete control to the data Facebook feeds to your application. As a developer, to get access to all this juicy data all you need to do is click on an "I agree to behave" agreement on Facebook's developer site. There is absolutely no technical means Facebook can determine what the apps are doing with user's data after the have transmitted it to the application.

Next time someone sends you an application invite, rather than blindly clicking 'Accept' ask yourself why it needs the information it is asking for access, and if you don't think it's reasonable, reject the invitation. Personally I won't use any Facebook apps at all, because I barely trust Facebook, let alone some unknown and unaccountable external company who I have absolutely no recourse against.

I think part of the reason that Facebook has become popular, apart from the 'social networking' aspects is because people believe it's somehow 'safer' than the rest of the internet because you have to log in, and there's a veneer of apparent control over your data. However, that's a dangerous assumption. You are not significantly safer on Facebook than you are on any random internet site, and in practice probably less so as Facebook is set up to encourage you to disclose information that you probably wouldn't disclose on an 'open' website.

As Scott McNealy said 11 years ago:

You have zero privacy anyway. Get over it.

Manchester Day

Tue, 22 Jun 2010 19:38:00 GMT

On Sunday we played in the Manchester Day parade. Seemingly about 75,000 people watched, so it's probably our biggest audience yet. There are loads of pictures of us on flickr, and the costumes looked fab so all the work was worthwhile. My only gripe is it wasn't really a traditional Manchester parade as it didn't rain :-)

Facebook: do I get to say "I told you so?"

Thu, 07 Feb 2008 12:26:17 GMT

Just noticed that slashdot is running a story on Facebook applications and data privacy:

Privacy activists are rallying around yet another major issue at Facebook, in which the company is secretly sharing user data with third parties. Researchers from the University of Virginia recently announced that in a study of the top 150 Facebook applications, more than 90% were given access to information that was not needed to function correctly. That Scrabble or Superpoke application you really like? Its developers get access to your religion, sexuality and home town.

The slashdot article links to articles at The University of Virginia and news.com. The University of Virginia article says that 90% of the top 150 Facebook applications request personal data that they don't need in order to function:

When Jane installs a Facebook application, the application is given the ability to see anything that Jane can see. This means that the application can request information about Jane, her friends, and her fellow network members. The owner of the application is free to collect, look at, and potentially misuse this information. The Facebook Terms of Use agreement tells application developers not to do this, but Facebook has no way of finding out or stopping them.

I'll merely point out that I already told you so :-)

Facebook faces privacy questions

Fri, 18 Jan 2008 15:27:21 GMT

Just noticed this report on the BBC News website:

Facebook is to be quizzed about its data protection policies by the Information Commissioner's Office.

The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account. Currently, personal information remains on Facebook's servers even after a user deactivates an account.

Facebook has said it believes its policy is in "full compliance with UK data protection law".

"We take the concerns of the ICO [Information Commissioner's Office] and our user's privacy very seriously and are committed to working with the ICO to maintain a trusted environment for all Facebook users and ensure compliance with UK law," said a statement from the site.

That'll be me they are talking about...

Facebook: and so it begins...

Fri, 04 Jan 2008 04:12:44 GMT

I just came across this security advisory via The Register. A malicious Facebook application is using social engineering techniques to persuade people to install spyware/adware on their machines:

What happened is reasonably straightforward, sadly. The tremendous success and lightning fast expansion of Facebook (which, albeit resorting to debatable strategies as noted in a previous roundup, is undeniable) empowered the social networking giant with an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers like honey would attract flies.

I'm absolutely certain that this is just the first swell of an approaching tidal wave of Facebook malware. It isn't even a particularly clever example - it would be far more effective to use a Facebook application to harvest personal information whilst apparently offering a useful service, and then use the data elsewhere and/or at some time after the application harvested it. That would make it far more difficult for people to draw the connection between the harvesting app and the subsequent misuse of their personal data.

Currently there are more than 12,000 Facebook applications registered in Facebook. All you need to add an application to Facebook is an API key, and you can get one of those in seconds from the Facebook site, with no checking whatsoever by Facebook. The only mechanism Facebook seems to provide to 'protect' its users from malicious applications is a requirement that developers click on a checkbox to agree to Facebook's Developer Terms of Service. There's no vetting of the person applying for the API key, or of any applications they write.

After my previous experience of fighting with Facebook to get my account closed I'm not in the least bit surprised at their cavalier attitude to Facebook application security. I'm also doubtful that they have the resources necessary to vet 12,000+ applications even if they wanted to, and even if they did there's nothing to stop someone registering a benign version of the application and then activating the malign part after the application has been accepted.

I wonder if there's a need for an application that shows people just how much information they are agreeing to hand over when they install a Facebook application?