[tweetmeme source=”franscomputerservices” only_single=false]UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links
Yes, most of us do love our Facebook, or at least we enjoy the feature set and keeping in easy contact with our friends and family, but some of us feel that it is not worth the expense of our privacy and security and potential malware infections due to rogue apps on our own or others’ accounts. But Facebook privacy concerns are heating up. Or the risks from other sites getting at our data:
New security hole in Facebook through Yelp (here on our blog last week, apparently fixed now), or having our chats exposed to people other than those we are talking to, even if they are our friends.
So, you think Facebook is safe? Hmmm. Really?
A bug in Facebook’s Web site lets hackers delete Facebook friends without permission.
The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. But as of Friday morning, Pacific time, it had still not been patched, based on tests conducted by the IDG News Service on a reporter’s Facebook friends list.
Shifty sorts have created a new worm which spread rapidly on Facebook on Friday.
The malware, for now at least, does nothing more malicious than posting a message on an infected user’s Facebook wall that point to a site called fbhole.com. Nonetheless, the speed of its spread on the social networking site has net security experts worried.
Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public.
A Wall Street Journal article today draws attention to yet another unexpected way in which Facebook’s privacy practices have not complied with its public statements and have disregarded users’ privacy rights. Just last week, when asked about Facebook’s privacy practices with advertisers, Facebook executive Elliot Schrage wrote:
We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period.
As the Wall Street Journal report shows, this was not true. In fact, Facebook’s architecture at the time allowed advertisers to see detailed personal information about some Facebook users.
Much more in the article! Must read.
My findings are exactly the contrary: Merely clicking an advertiser’s ad reveals to the advertiser the user’s Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more.
In this article, I show examples of Facebook’s data leaks. I compare these leaks to Facebook’s privacy promises, and I point out that Facebook has been on notice of this problem for at least eight months. I conclude with specific suggestions for Facebook to fix this problem and prevent its reoccurrence.
I sure hope that the BBC report is correct, “Facebook looks likely to cave into pressure from users and simplify its privacy settings in the near future.” But other places are saying Facebook is just simplifying the existing privacy settings.
I don’t think there are many people who have experienced Facebook that don’t love most of the features on Facebook–at least the ones that help you keep in contact with your friends and family, and share (on the Facebook site) your photos, videos, links to articles of interest, chatting, direct messaging, posting between yours and your friends/family members walls, sharing in holidays, or fun, happy, sad conversations, and more. But, Facebook is wrong about privacy – it really is still very important. It is important and for more reasons than many may think. Even the Wall Street Journal has acknowledged that Facebook, MySpace and other social networking sites are having to confront the privacy loophole.
But, when the trust that Facebook used to get people to sign up in the first place (a trust that your privacy is important to Facebook and will be protected by default – unlike MySpace, et al) is breached by that very same service, then there is a problem.
If you don’t remember the early days of Facebook, many of us do. Facebook did made claims that they would protect our privacy by default, that our privacy was important to Facebook. Zuckerberg made these ‘claims’ when they were trying to woo millions of MySpace’s users over to Facebook in Facebook’s early days. It worked too.
Privacy by default. What is that exactly? When Facebook started out and pushing to try to gain membership, and about the time that MySpace went through a huge privacy fiasco because new users had to immediately change their privacy settings if they didn’t want the whole world to see all their information (it was all public by default on MySpace). And many users, just like many new users at Facebook, didn’t know to change their settings, or even think about it. Many users were just not that savvy to know why it was even important to share only some information with the world/public. Or even understand why that might be a prudent move. But due to the marketing used by Facebook, people started to understand that privacy was important and they wanted their friends and family to be in a ‘safer’ environment. A place where they could connect and share with each other without concern that their data would be made public. After all, Mark Zuckerberg said he did care about our privacy (unlike the other guys).
Then after Facebook gets all these users, and gets them used to the convenience and ‘hooked’ on the service, THEN Facebook just seems to keep changing the rules — little by little — chipping away at the privacy and security standards that got them all the users in the first place. Not long after I finally joined Facebook, they went through this pretty big, and I actually deactivated my account at that time too. When Facebook changed their tune, I came back. Now they are doing it again, and even though I really enjoyed the service, I felt the need to again deactivate my account.
So, tell me, why would Facebook be surprised when users get up in arms about all these changes, especially in light of other security problems and vulnerabilities within their newest ‘features’ as well as their existing features? One group has even created a Facebook Group entitled, “1,000,000 Strong to leave Facebook by July 4 unless FB respects our privacy is on Facebook” (See there can be appropriate public facing things on Facebook). And EFF’s various articles enlightening folks about the changes and affects of those changes and how you can mitigate them, at least most of the problems.
Features are a great thing except when the service starts to change your privacy settings for you, and they don’t bother to tell you about it until after they have done it. That is a real problem of trust, because, if even for a short time, your data is left to the search engine spiders to start indexing data that shouldn’t have been made ‘public’ in the first place without user permission.
So, then users start complaining, and getting no satisfaction from the service because the changes they made will make them a ton of money, so some users start deactivating their accounts — many users are upset with Facebook, and for good reason. A basic trust was broken and it wasn’t by the users.
But privacy issues are not the only issues. There are also other security issues as well; vulnerabilities and more vulnerabilities. And only God knows how many more vulnerabilities are known by the bad guys that expose users’ data that are not yet known to the good guys.
I had already checked and reset all my privacy settings multiple times since December 2009 when this fiasco starting getting into high gear, even before the now known vulnerabilities that still put users at risk made me say, ‘enough is enough’. I still struggled with the decision before I decided I could put it off no longer. Even the benefits for business, family and friends wasn’t worth security risks not only directly but indirectly by friends who might get hit with these vulnerabilities, or the potential for unwise decisions about their accounts where their data might overlap with mine.
It is not an easy thing to make a decision to deactivate, or go through the hoops (or even find a link to get information) on deleting your Facebook account. Especially when you enjoy the service. And the service really is a good service, if not for the bad decisions about security and privacy have caused, and of course there are those related vulnerabilities. Sure they fix the vulnerabilities when they are made public, but how long was your data, your information, exposed through these vulnerabilities before it was brought to light?
The Consumerist actually did an article on deleting your Facebook account since it’s not easy to find. It’s entitled, “Delete Your Facebook Account Forever” by Ben Popken (April 20, 2010).
And if you think they will figure out all the vulnerabilities and then it will be safe, think again. Facebook is 440 Million strong and growing. Just like the huge bullseye target on Microsoft’s Windows’ back, Facebook is the biggest target in Social Networking. Too big for the bad guys to let it alone. It’s a treasure trove of information (and not just aggregate information like Facebook sells, oh, no, this is the actual connections, the actual information linked to individual people that’s at risk). Between the vulnerabilities, as well as some decisions by users regarding Friends, their choices of third party Facebook apps, and their privacy settings, this could become a real nightmare, very quickly, and for some it already has.
Have you ever thought how much information about you is actually public on Facebook? Or even on the Internet in general? What about your family and friend connections, or business connections? What about your choices regarding purchases, what you like or dislike? Do you want them made public? And Facebook has much of that information in one place just ripe for the picking. And who would want to pick that information? Even in aggregate form it is very valuable data, but to bad guys, it is fodder for social engineering, phishing attempts in email, potential ways to get malware on your system by presenting it as though it is from people you are friends with, and so much more.
It’s an especially hard decision when you have gotten used to keeping in contact with friends and family through one particular service via browsers and mobile devices. And it really is great to have a place where your family pictures (your children and grandchildren, travel/trips, conversations between many friends and family, and so much more), are right at your fingertips and can be posted, responded to, and still be safe from the prying eyes of the general public. At least that’s how it was, or at least we thought it was.
Of course, Facebook makes it even more difficult to make the choice to deactivate or delete your account. When you choose to deactivate, which by the way, doesn’t actually delete your data (in case you want to come back), Facebook tries to use emotional
blackmail, err, pressure to try to keep you from deactivating your account. As you are trying to deactivate, they show you some pictures of your ‘friends’ and talk about how you won’t be able to contact your friends and family anymore, or your friends and family won’t be able to contact you anymore. As if Facebook is the ONLY way to contact your friends and family?! It might make it easier, but it’s not the ONLY way to keep in contact with your friends and family.
Also, note that Facebook doesn’t allow you to delete your own account on your own — you have to actually contact them directly to ask them to delete your account — as if you were an errant child who couldn’t be trusted to do this on your own?! Even MySpace and other social networking sites let you delete your own account!
Oh, no. This is not about whether you would be able to delete your account, this is about another attempt to coerce you to stay with Facebook. Besides they don’t actually delete your data, oh, no. They still make use of that data in aggregate form, it’s just not linked by your name supposedly, after your account is deleted:
Even though it has been stated that at least 60% of users are upset and are actually considering one of these options (deactivation or deletion of their account), with over 400 million active users worldwide and over $300USD million in annual revenue (estimated in 2008) and ranked #2 site on the Internet in May 2010 according to Alexa, does Facebook even care? Have we just become so much advertising and data mining fodder that translate to hundreds of Millions of dollars annually (Billions over time) for Mark Zuckerberg and company? Is that what it was all about from the beginning? If some articles are to be believed, Mark Zuckerberg may have played a good game when he told us he was concerned about our privacy right from the beginning.
And we even have some who think that malware and hacking haven’t caught up with it all on Facebook … yet. But I think we have determined that this is not really the case.
So, even with all that, maybe you still feel it’s safe to continue to with Facebook, what next? There are some very good places to study up on how to make yourself as safe as possible, and understand the account and privacy settings, and their implications, and how they interact with each other and with your friends and the public. Things like ReclaimPrivacy and others are cropping up to help folks deal with their Facebook privacy that is so complex. Who knows if this will be squashed by Facebook, but it could help out right now to help get your settings set.
WindowsSecret’s Complimentary portion of their Newsletter has an excellent article by Scott Mace called, “Tighten your Facebook privacy settings” with a great outline of the various areas and some great thoughts on how to keep yourself as safe as you can be on Facebook.
Facebook Security | Facebook Privacy | Best Practices at Sophos (be sure to read through all the pages listed on the right side – like WindowsSecrets, Sophos goes through all the different facets of Facebook)
Fast Company also has an article to help called, “Online Privacy: Check Yourself Before You Wreck Yourself”
It’s your life, it’s your data, it’s your choice…what will you do?
UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links