Are You in Danger From Facebook’s Privacy Changes?

This question came up in the comments on my blog, and though it’s very simple, the answer’s surprisingly complex and brings up much deeper philosophical questions.

The short answer is that you’re in no danger right now, despite all the gnashing of teeth and wailing in the tech community. There’s no evidence that anyone’s using this information for malicious purposes, just as I’ve seen no actual burglars using the information in Please Rob Me.

So why are the geeks so upset? They’re looking down the road and imagining all the things that the bad guys will be able to do once they figure out what a bonanza of information is being released. Do you remember in the 90′s when techies were hating on Windows for its poor security model? That seemed pretty esoteric for ordinary people because it didn’t cause many problems in their day-to-day usage. The next decade was when those bad decisions about the security architecture became important, as viruses and malware became far more common, and the measures to prevent them became a lot more burdensome. The geeks were proven right: you can’t start with a shoddy security model and just patch it into something secure.

I think the inelegance of Facebook’s approach is what makes engineers’ skin crawl. The model they use to prevent your information leaking out is a mess, both from the API side and in the user interface. This makes it almost certain that there are unintended holes leaking information that even Facebook isn’t aware it’s revealing and also ensures that users have no clue as to what they’re opening up to the world.

Fueling the anger is the feeling that Facebook executives are being deceptive in how they’ve changed their privacy model. They appear to believe there’s a simple trade-off between making money and keeping users happy and have apparently decided that they’re in a strong enough position to ignore user complaints in order to increase their revenue. They’re making information public because they want Google Juice. The more user-generated content they have on the public web, the more visitors from search engines they’ll get, and the more important it will be for companies to have Facebook pages and advertising.

In practical terms, why is the information they’re revealing important? Here’s some of the scenarios that dance through geeks’ heads:

Embarrassment: There’s a lot of personal information we’d rather keep to ourselves that might be revealed by our fan choices or friendships. You fan a gay club, and a homophobic employer spots that. Your ex-partner’s divorce lawyer spots you’re a fan of ‘partying,’ and uses that as evidence against you in a child custody battle. Someone with a grudge targets your friends and family for harassment.

Big Brother: Social tools played an important part in the Green uprising in Iran, but there are now certainly people within the regime using the same tools to track down dissidents. There are a lot of people within Iran who are fans of Mousavi, and since people generally use their real names on Facebook they could easily be found. I actually removed detailed data from FanPageAnalytics for Iran, Burma and North Korea because I was worried about this sort of usage.

Criminals: I’m skeptical that social network information will help traditional criminals, but there’s a massive world of phishers, scammers and identity thieves I can see learning to use what’s being revealed. If you got an email that said hello to you by name, appeared to be from one of your friends, and also included a link to something you were interested in, wouldn’t you be a lot more likely to click on it? Facebook’s starting to reveal the information criminals need to personalize social engineering attacks like phishing emails, it’s just that the bad guys don’t have the sophistication to use it yet.

So, don’t panic, but pay attention to what Facebook’s doing. In the short term the biggest security issue on the site is still the spread of traditional Windows viruses and malware, so keeping your virus checkers up to date should be your first priority. Long term, we need to figure out what information we want to reveal, rather than letting Facebook decide for us.