web application security lab

Facebook Says You Should Not Expect Privacy

If there are any people left who think social networking is a safe place to enter your information, I think this is a pretty telling story. Times Online has an interesting article on the latest move by Facebook regarding information that previously was inaccessible to search engines. Guess what? They’re going to make it publicly accessible. It’s like people never learn (remind anyone of the AOL search query fun?). Okay - to be fair, they said it’s only going to make “basic details, including names and photographs” available.

I’m not sure I agree that it makes ID theft easier, as Keith Reed of Trend Micro said in the article, but it may make recon easier. I’m not saying that that’s not bad - because it very well may be bad, but it’s not as bad as it definitely could have been. But it’s a slippery slope. This quote caught my eye regarding Chris Kelly, Facebook’s chief privacy officer:

He suggested that internet-users could no longer expect to remain anonymous online, but could control only the amount of information about them that is available on the web.

I’m not going to disagree with the reality of the situation, but is it really okay that a social network takes this stance? Shouldn’t they instead be saying something like, “While we cannot guarantee your privacy, we will do everything in our power to ensure our consumers have the highest level of privacy we can provide”? Granted, in the end it’s all about the dollar signs. They need to find a better way to monetize their traffic, and a lot of that means they need more users, they need to use the data they have better, and they need the search engines to start sending them more search engine traffic.

10 Responses to “Facebook Says You Should Not Expect Privacy”

  1. Tyler Reguly Says:

    I actually blogged on this in response to another blog…

    I don’t see it as that big of a deal… Most people’s names can be found online, the same goes for pictures these days… Considering it’s a 32×32 or 64×64 thumbnail or whatever it is, it’s not useful for a whole heck of a lot…

    I can see upsides… I may make my public info include simply my college name… old friends can now find my facebook profile using Google.. the college I went to isn’t exactly a secret…

  2. RSnake Says:

    Hey Tyler - while I agree in principle that it’s FUD (the problems that they are currently facing) I do see it as a slippery slope. You said that DOB has come the way of the dodo in terms of secret questions and I would agree to some extent (I still see it pretty often actually) but the reason it’s gone away is because people keep leaking that info. The more info we have that’s searchable the more this will happen. I agree the article was a tad overly enthusiastic, but I think the privacy issue is something often overlooked. That people know your name may not be a problem for you, but it is for lots of people. That they know your DOB may not seem like a bad thing, but that’s how Yahoo’s zodiac system was used to hack accounts. It’s definitely not a cut and dry problem.

  3. Wayne Smallman Says:

    For those that make serious money out of ID theft, Facebook is hardly going to be their first port of call.

    There are easier, old, tried & tested ways of getting the personal details of people, which typically involve a trip to your local government / council hall of records, the library and a phone book.

    Or, just scrounge around the rubbish bins outside someone’s home.

    OK, privacy is a serious subject. But if people are serious about their privacy, then don’t use the likes of Facebook.

    It’s like people complaining about sex, violence and bad language on TV after 9pm. All they have to do is switch over…

  4. Awesome AnDrEw Says:

    You’re absolutely correct in stating that it all comes down to monetary values. It cannot be expected of any company, especially those in the social-networking niche, to guarantee or to promise that privacy will be upheld when such services are being used to generate a profit. If one does not want information about them available outside of public record one should simply forego entering it.

  5. Legionnaire Says:

    Facebook offers the option to hide yourself from search engines. Also, by default not only do you have to be registered but also a declared friend of a person to access his or her details.

  6. Hubert Says:

    I think this post is alarmist and unfair to Facebook. They were very upfront about the upcoming changes that will make profiles appear in Google searches, it’s not like they rolled this out secretly without telling anyone.

    Every user was informed of the change in advance after login, and you were clearly shown how your profile would appear, with clear & easy instructions on how to change your privacy settings before the public profile pages went live. My existing settings already meant that my profile was not going to appear, and it clearly told me this.

    I think Chris Kelly’s comments are being taken out of context, when saying that users can’t expect anonymity online he’s talking about the web in general, not facebook. The post is implying that their stance is “users can’t expect to remain anonymous, so we’re dumping it all on google” which is clearly not what they said.

  7. Joey Adams Says:

    I think you are all missing the point RSnake was making, of course he knows there are other, easier alternatives for data mining, and maybe facebook does require you to be a friend before you find any info out.

    I think the real idea was that it is shocking that the chief privacy officer of a social networking giant like facebook, would take this kind of stand. Sure, that may be the current online state of security, but view it in a different way.

    Imagine if your bank said that you should control how much info is leaked through their banking service. Users of the social communities provide an enormous amount of personal information, using this info, and from enumerating other online communities and search engines, you can find out more about a person than their best friend, and in just a couple of minutes.

    Is it dumb for people to have that much information online, yes, is it their fault. No. “We” as application developers cannot expect the user to be secure, we have to protect them, and this kind of statement just doesn’t instill faith in the future development or progress of privacy and protection.

  8. Dhaval Shah (aka dkcreatto) Says:

    Ok. What I feel as *A user* of social networking site is that what Chris Kelly had said is *TRULY* current situation. C’mon man can you garrenty me that *YOU -the developer* will “secure” my -personal INFO- from most of the frauds???

    As I am not a hardcore blogger I can’t write the way you might understand but I have been on net since its inception I had seen & remember all the tryouts of *securing* my *privacy. I would certainly say that YOU CAN’T SECURE ANYTHING ON NET UNLESS ITS NOT ONLINE, by online I mean any kind of -that includes your backyard dustbin also.

    I agree with Joey saying “Imagine if your bank said that you should control how much info is leaked through their banking service.” but I also know the fact that Wayne correctly picked out that “For those that make serious money out of ID theft, Facebook is hardly going to be their first port of call.”

    My mind says that RSnake is playing safe on both ends… Just check his comment — At least I can’t find out any sentence supporting other… Might be I need a coffee :)

  9. Dhaval Shah (aka dkcreatto) Says:

    hey that’s “guaranty” in second line…

    sorry for typo… :^)

  10. Jacob Tuscon Says:

    Facebook doesn’t have to expect an invasion of privacy, the users do. A good chunk of them list their jobs, their phone numbers and everything in between. What is to stop a good social engineer from calling up TMobile and using his newly required information to gather more or to add a new phone to the account?

    I think it boils down to risk mitigation and common sense. If the users are dumb enough to give out all their information online, don’t expect anyone to hold your hair while you cry about your newly acquired debt.