Spam via Facebook Events Highlights Ongoing Challenges

Earlier today, I received an invitation to a Facebook event from “Giovanna” – someone I’d never heard of and certainly never added as a friend. The invite came as a bit of a surprise, since my profile was fairly locked down. While anyone could search for it, all profile information was set to “Friends Only,” and sending messages or making friend requests was limited to “Friends of Friends.” None of my friends seem to know Giovanna, and her profile is probably fake anyway.

The event title proclaimed “iPhone Testers Needed!” and might be enticing to users who want an iPhone. While the event page included more information on the supposed testing program, the invite was followed by a message from the event creator. Once you’re on the guest list for a Facebook event, the event administrators can send out Facebook messages you’ll receive, regardless of privacy settings. This particular message (which also arrived in my e-mail inbox due to notifications settings) included a link to the iPhone opportunity, which unsurprisingly was a typical “offer” page that required me to submit personal information and try out some service before I could get my fancy new phone.

I began investigating how this all happened. When you create a Facebook event and try to invite people, you’ll only see a list of your friends to choose from. But it turns out that on the backend, nothing prevents you from submitting requests directly to Facebook with other people’s Facebook IDs. In my testing, I’ve been able to send event invitations to other users even if we’re not friends and they have tight privacy settings. I’m guessing that using this technique to invite more than a few people could raise a spam alert, but I’m not sure. Also, an event invitation does not give the event creator increased access to any profile information of guests, but as already noted, it does let event administrators send messages to people they might otherwise not be able to contact.

I’m sure Facebook will take action soon to clamp down on this particular loophole, so I think it unlikely we’ll see it exploited too widely. (The iPhone testing event currently has around 1800 guests – significant, but tiny compared to other Facebook scams.) But it does demonstrate the sort of challenges Facebook is having to handle as their network and power expand. Several years ago, when the site was used for little besides keeping in touch with college classmates and other offline friends, Facebook was seen as mostly spam-free, in contrast to services like Myspace. Now that applications, social gaming friends, and corporate brands have all become integral parts of the Facebook experience, black hat marketers keep finding new ways to spread links among users. And worse, those tricks can often be used to spread malware as well.

I do think that Facebook wants to avoid annoying users with spam, and works to prevent your inbox on the site from becoming as flooded as a typical e-mail account. But a network of 500 million people presents a very enticing target, and we’ll keep seeing new scam ideas pop up as Facebook expands and adds features. In the mean time, continue to be wary of any links  promising a glamorous reward for free.

Facebook Backtracks on Privacy Controls and Public Information

Facebook CEO Mark Zuckerberg held a press conference today announcing significant changes to the site’s privacy settings. The latest updates come after weeks of debate and criticism over Facebook’s handling of user information. Though it may take several days or weeks to roll out the new controls, an official privacy guide provides a summary of how they work. Full details are still rolling in, but certain aspects are already clear.

First, the new interface for making many changes appears to be much more streamlined. This should be a welcome change to those confused by the previous litany of options. The primary privacy page displays a table with columns for “Everyone,” “Friends of Friends,” and “Friends Only,” with rows for several categories of content. This table not only establishes settings for certain bits of profile information; it also lets users set defaults for new content shared.

Second, Facebook has removed the requirement that “connections,” such as your list of friends and the pages you “like,” always be publicly available information. A secondary page will provide access controls for certain groups of these connections, as well as who can friend you, send you messages, or see your profile in search results.

Third, users will have new options related to third-party applications that integrate with Facebook. The company had previously announced a granular permissions model for applications, and developers are in the process of transitioning to the new setup. Those permissions will now be reflected in the privacy settings, though how that will look is not yet clear. (Also, Facebook’s privacy guide assures users that applications can only request “information that’s needed for them to work,” but that’s up to developers.) Facebook is also re-instating an option to completely opt-out from the Facebook Platform. This setting had been available prior to changes last fall. However, it now appears that this opt-out will also be the only way to avoid public content being indexed by search engines.

Zuckerberg promised an “easy” way to opt-out of the controversial instant personalization program, which lets certain third-party websites automatically identify Facebook visitors, but the feature remains opt-out. Many of the other privacy settings are also still opt-out in that the site defaults appear to remain the same, presented as “Recommended” when a new user checks them.

I’ve been concerned about the tone of some Facebook responses to recent privacy concerns, and today’s presentation by Zuckerberg was no exception. He noted that the company had not seen any noticeable impact on site usage lately, and according to one report commented, “Perhaps the personal privacy preferences of liberal advocacy groups and DC politicians don’t match with those of the general public.” That may be true, though I think politicians or privacy advocates have a deeper understanding of recent changes than the general public. Still, this sort of remark comes across as at best somewhat irritated and at worst rather arrogant. It also probably won’t win over any liberal advocacy groups or DC politicians. (For the record, I don’t fall into either category.)

Other aspects of the announcements lead me to wonder how much Facebook truly understands the rising worries over the site’s handling of privacy issues.  Zuckerberg emphasized the site’s focus on sharing, that users want to share, and his belief that people want to share more openly. The default privacy options clearly reflect this belief, positioning Facebook as a site generally intended for public sharing.

But I think Zuckerberg is confusing the desire to share easily or freely and the desire to share publicly. Several researchers have explored how people approach privacy, and people constantly use services such as Facebook to post content they would not want distributed to the entire Internet. We’ve become accustomed to the idea of being private in public, since our offline conversations in public settings are not recorded and indexed for anyone to search. What would be the harm to users if content was private by default, but could be opened to the public if the author wanted that? After all, this is how Facebook operated for the first few years of its existence – and it likely played a significant role in the site’s growth.

Of course, while an opt-in approach may help many users, Facebook wants users to share more openly. More public content provides more value for other services that might integrate with Facebook, extending the site’s reach and influence. That’s part of why I find it difficult to simply accept Zuckerberg’s notion that most people are moving towards public sharing on their own: regardless of what individuals think, Facebook itself certainly has an opinion on how much you should share.

And that’s the real question – how much you share, not whether you share. I’ve never been opposed to making it easier for users to share content. But I do have a problem when a site that was built on sharing with a limited audience reorganizes to make that same type of sharing more difficult than fully public sharing – an activity that carries far more potential dangers, both social and otherwise.

Facebook has built an unprecedented audience of users who give it significant trust. I’m glad to see the company making welcome changes which assist users who actively care about privacy controls. But I remain concerned that the company’s overall perspective still reflects questionable ideas, such as the notion most people are not concerned about privacy, and either fails to recognize the company’s role as a trend-setter or ingenuously downplays it. That’s not a personal attack on Zuckerberg, whom I’ve never met, or anyone else at Facebook. It’s simply my evaluation of the service’s direction based on recent features and public relations. And I think Facebook owes its users much better.

Social Media Security Podcast 14 – Recent Facebook Hacks and Controversy, Diaspora, Swipely

This is the 14th episode of the Social Media Security Podcast recorded May 14th, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Users Bamboozled and Policies Eroded – Is Facebook still the valuable tool you thought it was?

Geek level: Very Low. Editorial observations and deep, introspective questions…

I just wanted to give props to some folks who are really getting the impact of the changes to  Facebook privacy policies and settings, and trying to get the message across in different ways.

Facebook privacy settings are getting so complicated, few people seem to know the implications. And as a result, most don’t bother changing them. For those of you who remember what it was like to try to program a VCR back in the 1980’s and 90’s, what goes around comes around. The comparison is scary, as tweeted by Robert Nunez and Tom Watson – “Facebook privacy settings are the new programming your VCR”

(See http://www.preoccupations.org/2010/05/facebook-2010.html )

I heard about this observation while listening to This Week in Google (at http://www.twit.tv), when Jeff Jarvis mentioned it. Leo Laporte then added, “It’s like we’re all on flashing 12:00’s”  (If you don’t remember, it’s sort of like having a digital clock that loses power and forgets what time it is.) For the old VCRs, you had to go in and reset the time, then you had to set the channels and times you want to record. It was so complicated, many people just left them with the flashing 12:00’s. I can relate to that, along with many others I’ve heard from, regarding Facebook’s increasingly convoluted privacy settings.

Facebook just seems to want people to give up on protecting their privacy. To paraphrase Jarvis, it seems strange that instead of leveraging the trust of its 400 million users, and taking the opportunity to establish itself as the “protectors” of our identities on the Net, Facebook is carelessly exploiting that trust to its fullest extent for short term profit. Too bad for them, and for all of us.

Also in that same episode of TWIG, Jeff Jarvis referred to the Electronic Freedom Foundation’s (EFF) timeline of Facebook privacy policies over the years. It’s interesting to see how convoluted it’s become since their first privacy statement in 2005, which read:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

(from http://www.eff.org/deeplinks/2010/04/facebook-timeline )

Now, as of April 2010, the policy reads…

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

So, did you know this? Or have you quit Facebook – for good, or in protest – due to these moves? Or will it take one more move toward the cliff?

Not surprisingly, I don’t use Facebook for anything very personal. The stuff I put there is all pretty boring, say my friends. But if you joined a long time ago and have a significant amount of personal information in Facebook, you might want to read today’s Facebook privacy policies and consider how likely it is that what you thought was protected (by the default settings at the time you joined) may inevitably become public at some point.

Today’s trending topics might as well be “Facebook privacy settings changed” and “Facebook privacy policies changed“. So, if you still feel that privacy represents a fundamental personal value, we’d all like to know, “What value does Facebook continue to bring you as a tool, and is it worth the cost?”

Social Media Security Podcast 13 – Details on the recent changes to Facebook, Blippy CC issue, Bye bye Basic Auth

This is the 13th episode of the Social Media Security Podcast recorded April 30, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Facebook Privacy & Security Guide Updated to v2.1

The Facebook Privacy & Security Guide has been updated to version 2.1 to reflect recent changes that Facebook has made.  Updates to the guide include minor changes to the privacy navigation structure and details on the new “Instant Personalization” privacy setting.  Also, I included information on Facebook Ads.  Please print it out for your own use or share with friends and family!  Questions and comments can be posted here or sent to feedback[aT]socialmediasecurity.com.

Download the updated version of the Facebook Privacy & Security Guide

Social Media Security Podcast 12 – New Facebook Privacy Changes, Social Gaming Threats, Social Media in the Workplace

This is the 12th episode of the Social Media Security Podcast recorded March 28, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Facebooks Proposed Privacy Changes: What You Need to Know

I won’t put together a long post about the recently proposed Facebook Privacy Policy/Statement of Rights and Responsibilities changes.  There are already some very good analysis on the subject.  However, below are links to some of the best blog posts and research to check out.  Note that the comment period ends on April 3, 2010 at 12am PDT.  Make your comments on the Facebook Site Governance document page here.

Links to the proposed changes
Facebook Privacy Policy and Statement of Rights and Responsibilities Updates

Detailed Analysis Worth Reading
Facebook Proposes Broad Updates To Governing Docs — Our Analysis (from Inside Facebook)
How Facebook is Adding an Identity Layer to the Internet (from theharmonyguy)
Yet Again, Facebook Misunderstands Privacy (from MichaelZimmer.org)
Facebook Again to Test Privacy Boundaries (from Fred Stutzman)
Is Facebook Unliking Privacy? (from the ACLU of Northern California)

Also, be sure to check out Social Media Security Podcast Episode 12 which will be released soon!  Scott Wright and I will be talking about these changes with some analysis as well.

1 2 3 4 5 6 14