Let us be perfectly clear: While Facebook has received a lot of criticism lately about its new privacy policies and Open Graph concept, which allows them to partner with other sites which will also have access to some Facebook user data, Facebook isn't explicitly keeping secrets from you. But some security professionals and users continually knock the site for what they say are less-than-clear explanations about where your data is going, and how secure the site really is. Joey Tyson, a social media security expert who maintains the site Social Hacking, says there are important data security and privacy issues happening under the radar of the Facebook experience. This is what Facebook isn't saying outright to members.
We don't want you to change your privacy settings
Facebook's privacy policies have evolved dramatically in the last few years since the site launched - see the Electronic Freedom Foundation's timeline of Facebook's privacy policies. At Facebook's inception, privacy was tightly controlled by the users. Today, there are some parts of the profile that the user cannot make private. Other parts can be made private, but not without a lot of work figuring it out. Changing your privacy settings on Facebook has recently been called "today's version of programming the VCR," by some security professionals.
"Facebook has shown they have been pushing users to share more and share more openly," said Tyson. "And while they offer the user controls, what they seem to WANT people to do is share openly and share publicly." Tyson notes that it is important not to think Facebook doesn't offer privacy. Facebook wants members to use the site, even if it is in a private fashion. But that is not their preference. As a result, if you engage many of the privacy controls, you will be asked if you really want to do it.
Some of the explanations that they'll have on the web site describing what a certain thing does can just be very confusing. (For an example, log into your Facebook account and go here, to adjust your privacy settings) It's almost as if they don't want to come out and say "This is what is going to happen to your data," because they don't want to scare people. They want to provide the control to people who value privacy and want to limit access. But at the same time, if they are pushing that in users' faces and reminding them of all these different privacy settings, people will be less likely to share, and that is not what Facebook wants."
Facebook's Vice President for Public Policy, Elliot Schrage, answered questions from New York Times readers this week about the new controls and even admitted the social network could do better.
"It's clear that despite our efforts, we are not doing a good enough job communicating the changes that we're making," Schrage said to readers. "Even worse, our extensive efforts to provide users greater control over what and how they share appear to be too confusing for some of our more than 400 million users. That's not acceptable or sustainable. But it's certainly fixable. You're pointing out things we need to fix."
As for the company's stance on how much privacy people actually want, Facebook founder and CEO Mark Zuckerberg defended Facebook's privacy changes in at the Crunchie Awards in January by stating: "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
We have little control over application security
Facebook does a good job keeping track of vulnerabilities on the site itself and protecting users in the context of the Facebook site, said Tyson. The problem is with their application programming interface (APIs) and third-party access to data.
"When you use an application that is interacting with Facebook, you are trusting that application and its level of security as well," noted Tyson. "That is something a lot of people don't understand or realize; how much trust they place in applications they use that aren't Facebook. So if there is a vulnerability within an application, that can be exploited to talk to Facebook your behalf."
The point is: Anything the application can do in terms of access to data; ie: posting links, sharing stories or images, an attacker has that same ability if they attack that application.
How common are vulnerabilities? Tyson conducted some research last September where he compiled 'a month of Facebook bugs,' as he called it. He found six of the top ten applications on Facebook were compromised in that time period. And recently he did similar research and found half of the top 10 are still compromised.
"Those numbers give you an indication that it is a serious problem that hasn't been taken advantage of yet," said Tyson. "But now that we are seeing Facebook spread more across the web, I think attackers are really going to pay attention. We are starting to see a rise in the use of social networking to spread malware."
But Facebook's Simon Axten, who is focused on security for the site, recently contacted CSO to clarify the safety of applications.
"Developers, big and small, must comply with our Platform Policy Guidelines, which require that applications provide a trustworthy experience," he said by email. "We enforce these guidelines regularly and have disabled applications that we've found to be in violation."
Axten also noted users have a number of options for controlling the information they share with applications. Including:
- If you're concerned about an app or the data it may access, don't authorize it.
- Apps are subject to application privacy settings. That is, you can configure what your friends' apps can and can't access (settings here)
- You can block applications just as you block individuals on Facebook.
But the issue goes beyond applications. Facebook is now partnering with other sites as part of its new Instant Personalization model, so the implications are also there for security on these other sites, according to Tyson. Earlier this week, a security researcher found an exploit that took advantage of Cross Site Scripting to inject malicious code into Yelp, one of the partner sites in this pilot program. The exploit discovered, before it was patched, would allow a malicious site to immediately harvest a Facebook user's name, email, and data shared with 'Everyone' on Facebook, with no action required on the user's part.
Facebook's Axten told CSOonline via email:
"Our new Instant Personalization feature is a limited pilot program with three partners (Microsoft, Pandora, and Yelp), which we carefully selected to optimize the specific experiences of collaborating on documents, discovering music, and finding local businesses."
"Each partner was pre-selected, reviewed, and is bound by contracts with Facebook; much like other partners we have worked with in other contexts to deliver unique and innovative experiences. It's important to underscore that this is a pilot program, and people are given clear notice and easy and obvious chances to opt out of this experience on the partner sites and on Facebook."
- We know which websites you're visiting
"In some ways the behavior is not that different from tracking cookies used by advertising networks," noted Tyson. "But the main difference is that Facebook now has personally identifiable information from your profile. They know you are not just an anonymous user tagged with a code on a cookie. They have a lot of information about you, your interests, specific data."
Should they have it? Tyson says while the notion certainly supports Facebooks' effort to make the web experience as personal as possible and have in them some of the beneficial features, he doubts many users don't realize the scale of information Facebook has on them and their activity beyond Facebook.
- Your information is being stored in places outside of Facebook
Facebook says it requires developers to tell users which information they will access before they download, as Axten pointed out in his email to CSO.
"Applications must get explicit authorization from the user before they can access any information that's not generally available or set to 'Everyone'. Our new permissions model, which we made available to developers two weeks ago at our f8 conference, and will be mandatory for all developers starting June 1, requires applications to specify the exact categories of information they wish to access, present these to the user, and obtain express consent before any data is shared," Axten said.
At the same f8 conference, which is aimed at developers and entrepreneurs, Zuckerberg also announced that Facebook was doing away with restrictions on user data retention within Facebook applications, which previously required that developers not store and cache any data for more than 24 hours. This means many application developers will now save information about users locally in their data base for an undetermined amount of time, said Tyson. And if an application's data base is compromised, that hacker will now have access to a lot of user information, he said.
Tyson said while he agrees Facebook's new requirement to obtain consent with a clearer explanation of what data is being accessed by an application, he doubts the average user gets it.
"I don't think people realize how much information is being passed around," said Tyson." I don't think people know that in all of these games and quizzes and apps they have approved that in doing so they are sharing a lot of information that is being stored somewhere else." CSO
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.