“How am I in danger? Do people really care about what I post or like and dislike on a social networking site? If so, what are they going to do with the information? I don’t get it.”
This question came up in the comments on my blog, and though it’s very simple, the answer’s surprisingly complex and brings up much deeper philosophical questions.
The short answer is that you’re in no danger right now, despite all the gnashing of teeth and wailing in the tech community. There’s no evidence that anyone’s using this information for malicious purposes, just as I’ve seen no actual burglars using the information in Please Rob Me.
So why are the geeks so upset? They’re looking down the road and imagining all the things that the bad guys will be able to do once they figure out what a bonanza of information is being released. Do you remember in the ’90s when techies were hating on Windows for its poor security model? That seemed pretty esoteric for ordinary people because it didn’t cause many problems in their day-to-day usage. The next decade was when those bad decisions about the security architecture became important, as viruses and malware became far more common, and the measures to prevent them became a lot more burdensome. The geeks were proven right: you can’t start with a shoddy security model and just patch it into something secure.
I think the inelegance of Facebook’s approach is what makes engineers’ skin crawl. The model they use to prevent your information leaking out is a mess, both from the API side and in the user interface. This makes it almost certain that there are unintended holes leaking information that even Facebook isn’t aware it’s revealing and also ensures that users have no clue as to what they’re opening up to the world.
Fueling the anger is the feeling that Facebook executives are being deceptive in how they’ve changed their privacy model. They appear to believe there’s a simple trade-off between making money and keeping users happy and have apparently decided that they’re in a strong enough position to ignore user complaints in order to increase their revenue. They’re making information public because they want Google Juice. The more user-generated content they have on the public web, the more visitors from search engines they’ll get, and the more important it will be for companies to have Facebook pages and advertising.
In practical terms, why is the information they’re revealing important? Here are some of the scenarios that dance through geeks’ heads:
Embarrassment: There’s a lot of personal information we’d rather keep to ourselves that might be revealed by our fan choices or friendships. You fan a gay club, and a homophobic employer spots that. Your ex-partner’s divorce lawyer spots you’re a fan of ‘partying,’ and uses that as evidence against you in a child custody battle. Someone with a grudge targets your friends and family for harassment.
Big Brother: Social tools played an important part in the Green uprising in Iran, but there are now certainly people within the regime using the same tools to track down dissidents. There are a lot of people within Iran who are fans of Mousavi, and since people generally use their real names on Facebook they could easily be found. I actually removed detailed data from FanPageAnalytics for Iran, Burma and North Korea because I was worried about this sort of usage.
Criminals: I’m skeptical that social network information will help traditional criminals, but there’s a massive world of phishers, scammers and identity thieves I can see learning to use what’s being revealed. If you got an email that said hello to you by name, appeared to be from one of your friends, and also included a link to something you were interested in, wouldn’t you be a lot more likely to click on it? Facebook’s starting to reveal the information criminals need to personalize social engineering attacks like phishing emails; it’s just that the bad guys don’t have the sophistication to use it yet.
So, don’t panic, but pay attention to what Facebook’s doing. In the short term the biggest security issue on the site is still the spread of traditional Windows viruses and malware, so keeping your virus checkers up to date should be your first priority. Long term, we need to figure out what information we want to reveal, rather than letting Facebook decide for us.
vuitton says:
I think Facebook should be investigated. Have you ever read their privacy statement? Scary! Also, you are an idiot if you think you can post personal information on the web and expect it to be safe or private.
David James says:
SOCIAL NETWORKING & INTELLIGENCE
The simple fact is Facebook (and others) are a primary source of information for intelligence gathering organizations worldwide. While it is true that most trolling comprises impersonal, program driven tagging of social info, it does not necessarily mean that these activities are all 'friendly', particularly trolling that occurs outside the United States. While this may seem an unshackled no warrant Nirvana for certain agencies, the unintended consequences can be a diminution of the security of the United States, simply by affording foreign powers insight into the habits (read limits) of the 'watchers' that they would not otherwise have. Worse, service manipulation of social info in a foreign context to influence elections, legislation, and so forth, is accomplished in real time (thus, raising collective consciousness) outside the control of the United States and represents a serious foreign policy error that can only return to haunt us at the worst possible moment. Speaking of which . . .
The real question is (like any good planning) what is the true 'worst-case scenario' ? Expectations never do any real damage until they fail and of all the expectations interwoven with our lives, the worst possible failure occurs with our emotional expectations - in that regard, we are such a needy species (engineering aside).
Best to listen very carefully to the geeks!
NYScientist says:
From a post on eWeek:
"A girl I know bought a PC to go on Facebook as she saw how her friends used it. She started to put info on her PC address and had only ever typed two letters on Notepad to her bank and estate agent about a flat she was going to buy that had not gone ahead.
Well, a hacker got into her PC and when she went into the bank £45,000 from the loan she had got was gone and is still fighting the bank to get it back as they said it was transferred with her passwords."
NYScientist says:
From my post on eWeek:
I would add that, instead of spending your time on Facebook or other social networks, it may be better for your overall well-being to do something more productive...spend time with your family, work around the house, go to a movie, get a part-time job, or simply relax.
I know and have known people -- both in my personal and professional life -- who spend hours on Facebook, at home and at work, even going to the extent of placing at risk their employment, interpersonal/family relationships and, of course, their privacy.
As one example of the misguided use of Facebook, the NYPD scours "social networking" sites before taking on new recruits and in an effort to further investigate officers already on the job. There's no reason to assume that other agencies don't do the same with their employees and prospective employees.
Still trying to connect with that love you lost in high school? Get a fish tank. It's safer and, in the long run, likely less expensive, personally and financially. Better yet, get a dog. They'll never cheat on you, and they're still happy to see you after a year.
Offsuit says:
If you use Facebook, at all, for any reason, you are a moron. It's as simple as that. It's not open to debate, there are no mitigating circumstances, no redeeming values, no exceptions, and it has nothing to do with privacy. If you use it, you're an idiot. I pick my personal friends in large part by how involved in "social networking" they are. The less they are, the more likely I will consider them appropriate human beings to spend time with, instead of idiotic drones vomiting their personal lives all over the web and pretending that constitutes being "social".
M says:
The problem with trying to determine the level of risk currently posed by Facebook usage is that nobody can say for certain.
"I think the inelegance of Facebook’s approach is what makes engineers’ skin crawl. The model they use to prevent your information leaking out is a mess, both from the API side and in the user interface. This makes it almost certain that there are unintended holes leaking information that even Facebook isn’t aware it’s revealing and also ensures that users have no clue as to what they’re opening up to the world."
Essentially, you won't know what's possible until you get your ass pulled out from under you. It's like leaving your social security number on little slips of paper in places you feel "pretty sure" nobody will ever find them. Only a matter of time.
I deleted my Facebook account.