Are you in danger from Facebook’s privacy changes?

Photo by Johnny Grim

"How am I in danger? Do people really care about what I post – like and
dislike on a social networking site? If so, what are they going to do
with the information? I don't get it."

This question came up in the comments of my blog, and though it's very simple, the answer's surprisingly complex and brings up much deeper philosophical questions.

The short answer is that you're in no danger right now, despite all the gnashing of teeth and wailing in the tech community. There's no evidence that anyone's using this information for malicious purposes, just as I've seen no actual burglars using the information in Please Rob Me.

So why are the geeks so upset? They're looking down the road and imagining all the bad things that the people wearing Black Hats will be able to do once they figure out what a bonanza of information is being released. Do you remember in the 90's when techies were hating on Windows for its poor security model? That seemed pretty esoteric to ordinary people because it didn't cause many problems in their day-to-day usage. The next decade was when those bad decisions about the security architecture became important, as viruses and malware became far more common and the measures to prevent them became a lot more burdensome. The geeks were proved right: you can't start with a shoddy security model and just patch it into something secure.

I think the inelegance of Facebook's approach is what makes engineers' skin crawl. The model they use to prevent your information leaking out is a mess, both on the API side and in the UI. That makes it almost certain there are unintended holes leaking information that even Facebook isn't aware it's revealing, and it guarantees users have no clue what they're opening up to the world.

Fueling the anger is the feeling that Facebook is being deceptive in how they change their privacy model. They appear to believe there's a simple trade-off between making money and keeping users happy, and have apparently decided that they're in a strong enough position to ignore user complaints in order to increase their revenue. They're making information public because they want Google Juice. The more user-generated content they have on the public web, the more visitors from search engines they'll get, and the more important it will be for companies to have Facebook pages and advertising.

In practical terms, why is the information they're revealing important? Here are some of the scenarios that dance through geeks' heads:

Embarrassment: There's a lot of personal information we'd rather keep to ourselves that might be revealed by our fan choices or friendships. You fan a gay club, and a homophobic potential employer spots that. Your ex-partner's divorce lawyer spots you're a fan of 'partying', and uses that as evidence against you in a child custody battle. Someone with a grudge targets your friends and family for harassment.

Big Brother: Social tools played an important part in the Green uprising in Iran, but you can bet your bottom dollar that there are now people within the regime using the same tools to track down dissidents. There are a lot of people within Iran who are fans of Mousavi, and since people generally use their real names on Facebook they could easily be found. I actually removed detailed data from FanPageAnalytics for Iran, Burma and North Korea because I was worried about this sort of usage.

Criminals: I'm skeptical that social network information will help traditional criminals, but there's a massive world of phishers, scammers and identity thieves I can see learning to use what's being revealed. If you got an email that appeared to be from one of your friends, greeted you by name and gave you a link to something you were interested in, wouldn't you be a lot more likely to click on it? Facebook is starting to reveal exactly the information criminals need to personalize social engineering attacks like phishing emails; it's just that the bad guys don't have the sophistication to use it yet.
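To make the phishing scenario concrete, here is an added Python example. It is not from the original post and has nothing to do with Facebook's own code or API; it simply joins a small constructed set of "everything public" profiles (real name, friend list, fan pages, all invented for illustration) into the two ingredients a personalized lure needs: a real friend's name to impersonate and an interest the target actually follows. It also shows a caveat a practitioner would check: hiding your own friend list does not hide the friendship if your friends still publish theirs.

```python
import copy

# Constructed sample data (not real accounts): what a fully public profile
# exposes: real name, friend list and the pages the user is a fan of.
PUBLIC_PROFILES = {
    "alice": {"name": "Alice Example",
              "friends": {"bob", "carol"},
              "fans_of": {"Trail Running Club", "Jazz Nights"}},
    "bob":   {"name": "Bob Example",
              "friends": {"alice"},
              "fans_of": {"Trail Running Club"}},
    "carol": {"name": "Carol Example",
              "friends": {"alice", "dave"},
              "fans_of": {"Jazz Nights", "Board Games Weekly"}},
    "dave":  {"name": "Dave Example",
              "friends": {"carol"},
              "fans_of": set()},
}


def known_friends(profiles, target):
    """Friendships an outsider can see for `target`. An edge is exposed if
    EITHER side publishes its friend list, so hiding your own list does not
    remove you from your friends' public lists."""
    exposed = set(profiles[target]["friends"])
    for uid, p in profiles.items():
        if target in p["friends"]:
            exposed.add(uid)
    exposed.discard(target)
    return exposed


def lure_options(profiles, target):
    """(friend_name, shared_interest) pairs an attacker could combine into a
    'hi <name>, <friend> thought you'd like this <topic>' message.
    A friend with no visible shared interest yields a name-only lure
    (interest None): weaker, but still better than generic spam."""
    me = profiles[target]
    options = []
    for fid in sorted(known_friends(profiles, target)):
        friend = profiles[fid]
        shared = sorted(me["fans_of"] & friend["fans_of"])
        if shared:
            options.extend((friend["name"], topic) for topic in shared)
        else:
            options.append((friend["name"], None))
    return options


def rank_targets(profiles):
    """Score each user by the number of fully personalized lures (friend AND
    shared interest) available; an attacker would start at the top."""
    scores = {uid: sum(1 for _, topic in lure_options(profiles, uid) if topic)
              for uid in profiles}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def hide(profiles, uid, friends=False, pages=False):
    """Return a copy of `profiles` in which `uid` has stopped publishing the
    chosen fields, to see what a privacy-setting change actually buys."""
    out = copy.deepcopy(profiles)
    if friends:
        out[uid]["friends"] = set()
    if pages:
        out[uid]["fans_of"] = set()
    return out


if __name__ == "__main__":
    print("targets:", rank_targets(PUBLIC_PROFILES))
    print("lures for alice:", lure_options(PUBLIC_PROFILES, "alice"))
    # Alice hides her friend list: bob and carol still list her, nothing changes.
    print("alice hides friends:",
          lure_options(hide(PUBLIC_PROFILES, "alice", friends=True), "alice"))
    # Alice hides her fan pages: every lure degrades to a name-only pretext.
    print("alice hides pages:",
          lure_options(hide(PUBLIC_PROFILES, "alice", pages=True), "alice"))
```

The point of the `hide` comparison is that the protection you get from your own settings depends on what the people around you publish: with the sample data, Alice hiding her friend list changes nothing an attacker can see, while hiding her fan pages removes the "shared interest" half of every lure.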

So, don't panic, but pay attention to what Facebook's doing. In the short term the biggest security issue on the site is still the spread of traditional Windows viruses and malware, so keeping your virus checkers up to date should be your first priority. Long term, we need to figure out what information we want to reveal, rather than letting Facebook decide for us.
