Facebook Backtracks on Privacy Controls and Public Information

Facebook CEO Mark Zuckerberg held a press conference today announcing significant changes to the site’s privacy settings. The latest updates come after weeks of debate and criticism over Facebook’s handling of user information. Though it may take several days or weeks to roll out the new controls, an official privacy guide provides a summary of how they work. Full details are still rolling in, but certain aspects are already clear.

First, the new interface for making many changes appears to be much more streamlined. This should be a welcome change to those confused by the previous litany of options. The primary privacy page displays a table with columns for “Everyone,” “Friends of Friends,” and “Friends Only,” with rows for several categories of content. This table not only establishes settings for certain bits of profile information; it also lets users set defaults for new content shared.

Second, Facebook has removed the requirement that “connections,” such as your list of friends and the pages you “like,” always be publicly available information. A secondary page will provide access controls for certain groups of these connections, as well as who can friend you, send you messages, or see your profile in search results.

Third, users will have new options related to third-party applications that integrate with Facebook. The company had previously announced a granular permissions model for applications, and developers are in the process of transitioning to the new setup. Those permissions will now be reflected in the privacy settings, though how that will look is not yet clear. (Also, Facebook’s privacy guide assures users that applications can only request “information that’s needed for them to work,” but that’s up to developers.) Facebook is also re-instating an option to completely opt-out from the Facebook Platform. This setting had been available prior to changes last fall. However, it now appears that this opt-out will also be the only way to avoid public content being indexed by search engines.

Zuckerberg promised an “easy” way to opt-out of the controversial instant personalization program, which lets certain third-party websites automatically identify Facebook visitors, but the feature remains opt-out. Many of the other privacy settings are also still opt-out in that the site defaults appear to remain the same, presented as “Recommended” when a new user checks them.

I’ve been concerned about the tone of some Facebook responses to recent privacy concerns, and today’s presentation by Zuckerberg was no exception. He noted that the company had not seen any noticeable impact on site usage lately, and according to one report commented, “Perhaps the personal privacy preferences of liberal advocacy groups and DC politicians don’t match with those of the general public.” That may be true, though I think politicians or privacy advocates have a deeper understanding of recent changes than the general public. Still, this sort of remark comes across as at best somewhat irritated and at worst rather arrogant. It also probably won’t win over any liberal advocacy groups or DC politicians. (For the record, I don’t fall into either category.)

Other aspects of the announcements lead me to wonder how much Facebook truly understands the rising worries over the site’s handling of privacy issues.  Zuckerberg emphasized the site’s focus on sharing, that users want to share, and his belief that people want to share more openly. The default privacy options clearly reflect this belief, positioning Facebook as a site generally intended for public sharing.

But I think Zuckerberg is confusing the desire to share easily or freely and the desire to share publicly. Several researchers have explored how people approach privacy, and people constantly use services such as Facebook to post content they would not want distributed to the entire Internet. We’ve become accustomed to the idea of being private in public, since our offline conversations in public settings are not recorded and indexed for anyone to search. What would be the harm to users if content was private by default, but could be opened to the public if the author wanted that? After all, this is how Facebook operated for the first few years of its existence – and it likely played a significant role in the site’s growth.

Of course, while an opt-in approach may help many users, Facebook wants users to share more openly. More public content provides more value for other services that might integrate with Facebook, extending the site’s reach and influence. That’s part of why I find it difficult to simply accept Zuckerberg’s notion that most people are moving towards public sharing on their own: regardless of what individuals think, Facebook itself certainly has an opinion on how much you should share.

And that’s the real question – how much you share, not whether you share. I’ve never been opposed to making it easier for users to share content. But I do have a problem when a site that was built on sharing with a limited audience reorganizes to make that same type of sharing more difficult than fully public sharing – an activity that carries far more potential dangers, both social and otherwise.

Facebook has built an unprecedented audience of users who give it significant trust. I’m glad to see the company making welcome changes which assist users who actively care about privacy controls. But I remain concerned that the company’s overall perspective still reflects questionable ideas, such as the notion most people are not concerned about privacy, and either fails to recognize the company’s role as a trend-setter or ingenuously downplays it. That’s not a personal attack on Zuckerberg, whom I’ve never met, or anyone else at Facebook. It’s simply my evaluation of the service’s direction based on recent features and public relations. And I think Facebook owes its users much better.

Quitfacebookday.com happens on May 31, 2010 – Should you quit, too?

It seems like maybe I talk too much about Facebook security. But it’s a growing issue in the news these days. As you can see from the image next to this blog post on my website, one of the most searched terms in Google is now “How do I delete my Facebook account?” (In fact, as of today, if you type “Delete” into a Google search, the top suggestion is “Facebook account”) So, I’m debating quitting Facebook on May 31 with the others who are disgusted with the site’s disregard for privacy and security. (See http://www.quitfacebookday.com)

My reasons include:

(1) You can’t seem to depend on anything you put there to be kept private – more due to constant policy changes than hackers;

(2) Facebook is now one of the biggest sources of phishing scams on the Internet, which are causing real losses;

(3) On any given day, the privacy of your data may depend on your FRIENDS’ settings, not just yours;

(4) Very few people are able to decipher the privacy settings to choose meaningful rules, which leaves them exposed – even me;

(5) Facebook shares your data with other sites (through the Open Graph API, the Like Button or Instant Personalization) in ways that can cause embarrassment and lead to identity theft;

(6) Facebook does not appear to be abiding by its agreement with the Privacy Commissioner or Canada to improve its handling of private information.(http://www.priv.gc.ca/media/nr-c/2009/let_090827_e.cfm)

Arguments against quitting Facebook include:

(1) All the “hip” young people say “Privacy is dead. Build a bridge and get over it…”

– Chanting this may make them feel good, but doesn’t change the fact that the easiest place to be scammed or have your password stolen is through social media sites that have very weak security and authentication. People must still care about their privacy, if only to ensure that persecution and other politically motivated abuses don’t victimize innocent people – it’s a slippery slope.  Privacy commissioners have a very difficult job these days. But it is an increasingly important one.

(2) How will I connect to friends and family without Facebook?

– How did you do it in 2003? It also depends on whether you use Facebook for “reading” or “writing” or “both”. If you just like to “see” what’s going on, you can use Twitter, with the caveat that you need to be careful of those short URLs that can take you to dangerous places. But tools like Brizzly.com can expand the links for you, so you’ll know where they are leading you. However, if you like to write lots of personal details of your life, and only want to share it with friends, that’s the biggest challenge right now – because even Facebook doesn’t provide assurance that your private posts won’t be shared with people you might not want to see them. There aren’t many tools that are widely used and can do this. But they are coming. So, maybe it’s better to wait.

(3) One person quitting from a group of 400 Million isn’t going to make a difference.

– It’s true that the numbers make this initiative look futile. So, for most people, quitting won’t make a difference to anyone. But if you are a person of authority, especially a security or privacy authority, your actions can show the people around you that this is a serious issue. Parents telling their kids that they are quitting – and why – may or may not have an impact (depending on whether the ear-plugs are in or not).

Public figures like Leo Laporte  can have a significant effect on their followers. (Click  HERE for the story which includes a link to the WikiHow page on how to quit Facebook)

As a security consultant who has been following this trend, I am asking people to take it seriously. If you are a security manager in a company, you can also have an influence on your co-workers, as long as they don’t see you as being heavy-handed, or crying “wolf” – which may be unavoidable in some cases.

(4) If all the security and privacy advocates quit Facebook, who will counsel those who still use it to let them know about the risks in their own “element”?  Good question. I don’t have an answer to that one. I may leave a Facebook page up (which is different from a personal profile). That way, people can still reach me and see what I have to say, publicly, and maybe understand why I no longer have a personal profile… and maybe they shouldn’t either.

What will the future of social networking look like?

I believe something will come along that is more secure than Facebook, and will provide the connections we need – without as much risk. But it may take a while. There is an initiative called Diaspora (http://www.joindiaspora.com/), which has this very intent. While its initial incarnation seems to have a few serious weaknesses of its own, this is the kind of thing that needs to happen to combine a great vision for social networking with a level of trust that can be sustained.

So, what do you think?

(1) Should I quit Facebook on May 31? or sooner?

(2) Will you quit Facebook?

Feel free to comment below. (NOTE: If all you plan to say is “Privacy is Dead”, get ready for a flaming arrow!)

Here’s how to delete your facebook account – http://www.wikihow.com/Permanently-Delete-a-Facebook-Account

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.



Site Meter

Why the Current Facebook Privacy Debate Matters

Privacy has been a hot topic of discussion among all sorts of technology-minded people lately. But take a moment to consider why this debate is even happening. One could list several events involving several companies that have all influenced the controversy, but generally, much of the talk stems from changes made by Facebook over the past year.

Why the Change?

And why did Facebook make those changes? There’s no technological reason for many of them. Nothing about liking pages or using social plug-ins forced the company to remove old access controls or make “instant personalization” an opt-out feature. Facebook’s executives made a policy and business decision to push users into more public sharing. In many ways, we’re having this debate because Facebook chose to make it an issue.

That’s not a criticism, simply an observation. In fact, many would probably say that Facebook was right to challenge ideas on privacy. Popular tech blogger Robert Scoble has repeatedly argued that Facebook’s changes bring many benefits to users. One writer at Fortune questioned any backlash and gave this response to Pandora’s new social setup: “My first reaction? Creepy! My second reaction: Cool!” Is it wrong to force users into a new situation that’s uncomfortable at first if it ultimately brings significant value?

In this case, however, the ultimate value to users remains unclear. Many users will certainly find advantages to a freer flow of information. But does Facebook really have the right to decide whether content people had previously restricted should now be available publicly? How can any of us judge whether the benefits outweigh the downsides for each user? Many users chose to put information in their profiles that they did not want shared beyond certain limits. If exposing that information seems trivial, are you certain you understand why the profile owner thought limits so important to begin with?

I would argue that by pushing the envelope on our understanding of privacy, Facebook’s leadership made changes that benefit the company, partly by also benefiting developers and partners. That’s not necessarily a bad thing – Facebook is a business and has to make money. But while those changes do benefit some users, perhaps even a majority of users, they also harm the trust of many other users who had shared private content on Facebook.

Where’s the Backlash?

In the short term, the benefits outweighed the downsides for Facebook. Several high-profile users have deleted their accounts, and others are following suit. But keep in mind that even if 10 million people stopped using the site, that would only be a 2% reduction in user base.

As the company faces widespread criticism and possible regulatory changes, you might expect Facebook to back down on some of their changes. I doubt it. Facebook’s executives know the company enjoys a very strong position in the market right now. They can afford losing 2% of users without breaking a sweat. And if people do leave, where will they go?

Given that level of security, why bother talking about Facebook privacy? Why does it matter if techie types bail on the service? Should we simply get used to having less control and move on?

To put it another way, should we let Facebook dictate our understanding of online privacy?

I realize Facebook will probably never go back to the way it once was and that there’s essentially no hope of meaningful competition in the short term. Yet Facebook didn’t reach this place overnight. Industry shifts take time. And many influential people in technology are often on the bleeding edge of such shifts.

Is Privacy Dead?

For the time being, though, Facebook users will likely react in one of three ways. First, they may not understand the implications of updates and keep using the site as before. Second, they might embrace the new capabilities and voluntarily unleash more content. Third, they will decide that they derive too much value from Facebook to let it go, and thus will, perhaps begrudgingly, keep their account – but they’ll be far more careful about what they post in the future.

I suspect that as awareness grows of how much data Facebook now distributes, many people will take more precautions in using the site. That’s not necessarily a bad thing – I’ve long argued for increased education of online dangers. People need to be careful online, regardless of how “private” a service seems. But care is not the same as paranoia or having to manage your identity the way a celebrity might. If Facebook wanted to increase intimacy and authenticity among online friends, they may find they’ve actually done the opposite.

Some people, such as Scoble or perhaps Mark Zuckerberg, have chosen to live their lives with “radical transparency.” Most of us probably still want to keep certain information private, and yet we routinely share that information with parties we trust – even online. I use my credit card number when shopping at Amazon, but I’d prefer they keep it to themselves. When I filled out web-based job applications last year, I often had to disclose my social security number – a small bit of data I would not want passed around. In a more offline example, I’ve often shared personal struggles with close friends in other states by talking with them on my mobile phone.

I realize that a determined hacker could possibly steal my payment info or even my SSN when I send that data to websites. I also know that my phone can be tapped or that my friends could repeat our conversations to others. But based on a wealth of factors, I make a decision to take those risks, since I judge the likelihood of these scenarios (especially given certain precautions I take) to be minimal.

The idea that any data you transmit to another computer should be considered public has significant merit. In practice, though, much of our offline lives face the same technical threat of publicity, and channels have long existed to share electronic data with only a limited audience. Most of us would not want the entire world to see all of our e-mails, and a range of businesses let only certain people access certain servers.

Which brings me back to one of my original points: nothing forced Facebook in a direction away from privacy. They chose it. I doubt whether they would have around 500 million users today if they had chosen that direction years ago. But even if Facebook now thinks I should share all of my content with everyone, I still find value in keeping some information limited. For me, that’s the essence of online privacy. And while one website with a very large audience may have reduced privacy by keeping me from using their features in a limited way, I will continue to exercise control over my data in other ways.

What Now?

The current debate about Facebook and privacy may seem confusing, futile, or even pointless. But it’s important to evaluate the background and ramifications of Facebook changes, especially given the company’s influence on industry trends. It’s important to realize that visible competition and meaningful alternatives to Facebook will require months or even years of development. And it’s important to understand how much privacy still plays a role in the way people manage and share information, whether online or offline.

Perhaps Facebook will end up right, and most people will move away from old ideas about privacy. But I’d rather see companies educate users on new features and empower them to choose more public sharing rather than expose previously private content and encumber such a change with illusory settings. Facebook may try to say most people don’t mind their new take on privacy, but I think they’ll find this debate is far from over.

More Recent Security Problems with the Facebook Platform

I want to preface this post by noting that I have plenty of respect for the engineers at Facebook, and I realize they face many challenges maintaining the security of such a complex website. However, given Facebook’s current status and reach, I also think it important to keep the site accountable when it comes to issues that risk unwanted information disclosure or other problems for end users.

Facebook’s faced criticism for several security issues over the last few weeks. In April I reported on a vulnerability that allowed applications to be hijacked for stealing data or spreading malware. More recently, a glitch allowed users to spy on Facebook Chat sessions and problems with Yelp showed the risks of cross-site scripting in “instant personalization” sites.

Unfortunately, I have a few other holes to report. I first notified Facebook of these new issues last month, but I wanted to give time for patches before I published details on the problems. Facebook has since made several changes that address some of the issues I raised. However, some of the problems appear to remain. Given the updates and length of time since my reports, I decided to go ahead and post about these issues, but I’m withholding technical details on issues that are still active.

Weak Session Secrets

On April 19, I notified Facebook of a behavior I was observing in applications and Facebook Connect websites. Prior to the new OAuth 2.0 model, the required parameters for a Facebook API request included a session key (identifying the user’s session with the application) and a session secret (a code to verify the authenticity of the request’s source). If an application used an <fb:iframe> or <fb:swf> tag to load content from another domain (such as an advertisement), the request to the other site would include the session key, but not the session secret.

The problem I saw, however, was that the session secrets being issued were part of the session key. For example, suppose Facebook issued this session key: 2.sNXhV4G1ILRKkvdBHoIbTg__.3600.1271682500-00000000. The session secret would then simply be the first set of characters between periods: sNXhV4G1ILRKkvdBHoIbTg__. This meant that any site which acquired a valid session key could extract the session secret and make API requests. While harvesting the session key is not necessarily trivial, the code is passed around more freely than a session secret (such as the advertising example noted above) and vulnerabilities listed below could be combined with this behavior.

I’m not sure exactly when Facebook started issuing weak session secrets, but when I made the report I had observed several of them and tested that I could extract session secrets from session keys. After about a week, I once again saw session secrets issued that bore no relation to the session key, and I could no longer extract a string from the session key and use it to issue API requests.

Arbitrary FBML/FBJS on Facebook.com

On April 14, I noted an even more worrisome issue, and on April 29 I sent a similar problem using a different URI. In both cases, I’d uncovered a way to render arbitrary FBML/FBJS in the context of a facebook.com page without any typical UI chrome. Such a vulnerability presents a range of possible attacks.

First, this could enable the same sort of data harvesting I had demonstrated with the Facebook Platform vulnerability published last month. I could load a Facebook page that included inline frames pulling content from other websites. While <fb:iframe> did not appear to include the session secret in requests, it did include enough information to identify the current user, as well as the session key. Also, the <fb:swf> tag for loading Flash content did include the session secret as a parameter when loading content, even from other domains.

One could also combine the new OAuth 2.0 flow with this issue to harvest a user’s Facebook ID and access public information about them. Essentially, you could imitate the behavior of an “instant personalization” partner on any website, with or without notice. This happened because the OAuth redirect parameters allows facebook.com URIs.

Second, since the page would render on facebook.com, I could load other Facebook pages in iframes and they would not have clickjacking protection enabled. This would allow previously described clickjacking attacks to be launched once again.

Third, it was unclear to me if the vulnerability enabled some further application hijacking by a failure to check a parameter for cross-domain communications. This aspect could have been nothing, but I’ve not done enough testing to make sure.

Finally, the problem presents a dream situation for phishing. Once could easily load a convincing Facebook login form that sends the information to another server – and the URI for the page would appear to be on facebook.com.

Over the last few weeks, Facebook has altered these pages so that they no longer render all FBML or FBJS code. Specifically, iframes and Flash content will no longer work. This prevents many of the attacks described above, especially those that allow automatic data harvesting.

However, one can still render a range of code using these pages, including form elements. That means the phishing scenario described above is still an active possibility. To make matters worse, the parameters necessary to render code can be included in a POST request, meaning the URI in the user’s address bar for an attack page could be a short facebook.com address.

Below is a screenshot of this website loaded in the context of a facebook.com page using the original vulnerability reported on April 14. The second method uses a www.facebook.com page, resulting in an even shorter URI on the address bar.

Social Hacking (theharmonyguy.com) loaded on a facebook.com page

This particular issue actually came from a Facebook feature that was implemented without much security. I knew that fixing it might take some time, since a number of developers depended on the feature involved. I’m glad that some of the threats have been removed, but more still needs to be done before this feature can be considered secure.

Update: Since this post I’ve found a third implementation of the feature, and this method provides an even shorter URI.

Update 2: It appears the feature involved in this FBML/FBJS issue was deployed in July 2008, so it’s quite possible the problems I noted in April have been active for almost two years.

Don’t Simply Build a More Open Facebook: Build a Better One

Geek Level: Not overly technical, but aimed at developers and entrepreneurs.

Frustration with Facebook has appeared to reach a tipping point recently. Changes to the service have always drawn criticism and even outrage from various users, but after the latest updates, I’m seeing more people talk seriously about leaving the site. Consequently, some people have begun looking for alternatives, and a few have even started trying to build their own.

I’m among those looking for alternatives. I’ve held back from closing my account several times in the past due to a large network of friends, but my concerns continue to rise. Few other options exist, though, and any service looking to compete directly with Facebook faces an uphill battle.

Consider this post my advice to anyone who wants to tackle that challenge.

1. Avoid Pitfalls in Planning

When I’ve observed people discussing Facebook competition thus far, they invariably seem to fall prey to what I see as two mistakes. First, they focus almost entirely on the development side: what back-end technologies to support, what formats to use for data exchange, protocols for such interactions, etc. All of these aspects are important to consider, but I contend that you need to start by looking at the user side of the equation: mapping out the features you will sell to average people, designing interfaces with usability and simplicity in mind, creating processes and workflows that anyone can understand.

Second, many critics of Facebook focus on how the company fails to be “open,” a term that has long since entered buzzword territory. Ask a developer about their Facebook replacement, and they’ll probably start by telling you how it uses the Open Stack, with tools such as OpenID, OAuth, and Activity Streams. I have no problem with using these formats in a new site, but once again, you ultimately have to focus on your users. If you want your product to find mainstream adoption, you’ll have to convince average consumers that using it is worth any difficulty involved in leaving Facebook. Most people don’t care so much about whether technology is “open” or “closed” so long as it works. (Case in point: iPhone.) Rather than starting your plans by picking which “open” standards you’ll use, start by designing a better social networking service and then determine how “open” specs will help you build that service.

2. Think Through Your Setup

While I don’t recommending starting with too many technical details in planning, you still need to think through how the general structure of your application will work. Social networking services tend to involve a number of interlocking components, and the nature of the content involved can invoke problems other services don’t normally face.

For instance, nearly every Facebook alternative I’ve heard about thus far is built to be a distributed system, connecting multiple servers or platforms together into an aggregated network. This offers a number of advantages over Facebook’s centrally controlled setup.

But it also brings a number of disadvantages and hurdles that ought to be addressed. Say your social graph on a distributed service includes 500 friends, with profiles spread across 100 different servers. What sort of performance will you get when you need to pull data from 100 sources to build a news feed? If you use caching, how will you handle data retention and expiration to respect others’ privacy? What sort of fail-safe measures will be in place if a few servers are down? How will you establish trust relationships or handle malicious users? How will security vulnerabilities in one server affect others on the network? How will you ensure every server stays updated with the latest patches or features? All these questions and more come into play with distributed social networking, and I’ve yet to see many of them satisfactorily addressed by current offerings.

3. Learn from Academic Researchers

Many people in the academic community are producing research that addresses how people interact both offline and online, as well as how people understand concepts of privacy and social networking. As websites continue to reshape the fabric of our society and Facebook in particular affects notions of privacy, you simply can’t afford to ignore these studies.

While I wouldn’t want to neglect the work of anyone in this field of academics, I particularly respect and recommend works by danah boyd. For example, her talks on “Making Sense of Privacy and Publicity” and “Privacy and Publicity in the Context of Big Data” are must-read material for anyone looking to enter the world of social networking development. I’d also advise learning about the Helen Nissenbaum‘s concept of “contextual integrity,” explained well in a series of articles by Michael Zimmer. Fred Stutzman and Kaliya Hamlin (though she’s strictly not in academia) are just a few more of the many people I’ve come across who are contributing to our understanding of social media. Get familiar with more than just the technical implications of social networking: understand the social side.

4. Relationships are Not Digital

I understand that the Internet has created new possibilities and methods for people to relate to one another, and I’m not arguing there’s anything inherently wrong with those developments. But I do think some online applications generally employ constructs that fail to resemble many offline relationships. For example, many online connections with other people are essentially binary – friend or not, follower or not. Making such a connection often involves a subscription to the other person’s entire stream generated updates, regardless of type or content. Control over those updates can be limited or confusing.

I recognize that providing effective communication channels that avoid being cumbersome but also reflect social norms is a daunting prospect. It’s no wonder most of the sites we’ve seen thus far have followed previous online models of communication, such as the simple dichotomy of public discussions and private messaging. But I think it’s time we reevaluate some of our ideas about how sharing content should look and seek out new methods for staying in touch.

Of course, with this point I’m really advocating for a Facebook alternative that addresses a certain market: an online service that helps people leverage technology to stay better connected with their offline friends and associates. Remember, my overall message here is to build a better Facebook. It’s not enough to make things more open, or offer more privacy controls, or integrate with more sites. You need to provide more value. And personally, I see a great opportunity to provide more value in finding better ways for people to stay in touch. As someone who lives in a different state than the majority of my friends and family, I have enough trouble keeping up with people even with Facebook, but getting rid of my account would make that task more difficult. I would love to see a service that improves on Facebook in this area, and I imagine many others would as well.

One other note on this point: I would love to see a service try and tackle the issue of multiple identities with a more elegant solution than letting users create multiple accounts.

5. Don’t Overdo Privacy Settings

Given the uproar over Facebook’s lack of certain privacy controls and the amount of time I’ve spent talking about privacy controls, this point may seem a bit strange. But “privacy” is not simply about having granular, detailed settings for every bit of content or feature on a site. Too many choices will easily overwhelm users, and while powerful controls may help enterprises manage permissions on resources, most people don’t have the time to manage a plethora of menus and check boxes.

This ties back into previous advice on understanding the social side of social networking. Don’t simply rely on the sort of controls that you as a developer or systems administrator use for managing data. In some cases, you may even need to simplify things by eliminating layers. For instance, Facebook provides separate settings for both the photos application as a whole and the photo albums within the application. I would argue getting rid of the former and displaying available albums based on the current context.

From a high level, I think privacy controls need to clearly but concisely communicate two things to a user: who can access the data and where (or how) may the data be publicized. Whatever settings you include need to be simple enough to maintain usability but clear enough to avoid any unpleasant surprises.

6. Reduce the Noise

Facebook and other services thrive on people sharing content. These sites push people to produce more content and increase the flow of information. However, I would contend that while access to increased information can bring many benefits, we have to balance that notion with the understanding that more knowledge is not always better and that increased information does not always need to broadcast. Many online users are suffering from severe information overload, and better filters alone are not going to solve the problem. It’s time we dialed back some on the production of content to begin with.

Please don’t misunderstand my position here: I’m not trying to put an end to Wikipedia or become some sort of content police. What I am saying is that our obsession with streams and the real-time web may be driving us to lose sight of other priorities. Just because your service can track and broadcast every activity your users perform doesn’t mean that it should.

7. Integrate with Facebook

This is one bit of advice I’ve not seen anywhere else thus far: If you want to beat Facebook, use Facebook’s features against it. Over the last several years, Facebook has provided more and more access to information for third-party developers. I’ve not seen any provisions that would prevent another social networking service from taking advantage of these methods.

I’ve often heard people talk about the idea of “taking your social graph with you,” but that’s not really the problem right now. It may be a bit complicated, but you can pretty much export your entire social graph from Facebook. The real problem is this: where do you take it to? The only “import” function for most sites involves scanning a list of e-mail addresses to find other users.

With Facebook’s APIs, though, you can simply connect your other social networking profile with your Facebook profile. Be warned that you should not simply assume people who do this will want any Facebook friends who sign up for your site to know about their profile or be their friend on your site. But you at least have options to make the transition much smoother.

Also, since people criticize Facebook for taking in more information than they give out, you can simply make sure data originates outside of Facebook. Your application can push status updates, messages, and content to Facebook, and then you already have a copy on your service. Besides, nowadays you can pull a user’s inbox, updates, notifications, and so on from Facebook as well.

8. Value What Your Users Value

Building a Facebook alternative includes many details to worry about, such as monetization, advertising, and privacy. But never forget what makes any service valuable: the people that use it. If your product becomes popular, that means people will be using it to share content they deem valuable and trusting you to store content they deem valuable. You will have to earn that trust and work hard to maintain it.

Communicate with your users in a helpful, honest way. Give them meaningful support options. Provide them with default privacy settings that protect them rather than surprise them. It can be fine to let users share everything with everyone if they want, but let the users decide and empower them to choose the path they want rather than push them towards one approach.

And above all, keep providing a service that people find useful. The real reason so many people still use Facebook is that the benefits outweigh any difficulties or privacy concerns. If you’re going to compete with Facebook, you’ll have to top that.

(Oh and one last bit of advice: come up with a good, professional name for your start-up. Please.)

Users Bamboozled and Policies Eroded – Is Facebook still the valuable tool you thought it was?

Geek level: Very Low. Editorial observations and deep, introspective questions…

I just wanted to give props to some folks who are really getting the impact of the changes to  Facebook privacy policies and settings, and trying to get the message across in different ways.

Facebook privacy settings are getting so complicated, few people seem to know the implications. And as a result, most don’t bother changing them. For those of you who remember what it was like to try to program a VCR back in the 1980’s and 90’s, what goes around comes around. The comparison is scary, as tweeted by Robert Nunez and Tom Watson – “Facebook privacy settings are the new programming your VCR”

(See http://www.preoccupations.org/2010/05/facebook-2010.html )

I heard about this observation while listening to This Week in Google (at http://www.twit.tv), when Jeff Jarvis mentioned it. Leo Laporte then added, “It’s like we’re all on flashing 12:00’s”  (If you don’t remember, it’s sort of like having a digital clock that loses power and forgets what time it is.) For the old VCRs, you had to go in and reset the time, then you had to set the channels and times you want to record. It was so complicated, many people just left them with the flashing 12:00’s. I can relate to that, along with many others I’ve heard from, regarding Facebook’s increasingly convoluted privacy settings.

Facebook just seems to want people to give up on protecting their privacy. To paraphrase Jarvis, it seems strange that instead of leveraging the trust of its 400 million users, and taking the opportunity to establish itself as the “protectors” of our identities on the Net, Facebook is carelessly exploiting that trust to its fullest extent for short term profit. Too bad for them, and for all of us.

Also in that same episode of TWIG, Jeff Jarvis referred to the Electronic Freedom Foundation’s (EFF) timeline of Facebook privacy policies over the years. It’s interesting to see how convoluted it’s become since their first privacy statement in 2005, which read:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

(from http://www.eff.org/deeplinks/2010/04/facebook-timeline )

Now, as of April 2010, the policy reads…

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

So, did you know this? Or have you quit Facebook – for good, or in protest – due to these moves? Or will it take one more move toward the cliff?

Not surprisingly, I don’t use Facebook for anything very personal. The stuff I put there is all pretty boring, say my friends. But if you joined a long time ago and have a significant amount of personal information in Facebook, you might want to read today’s Facebook privacy policies and consider how likely it is that what you thought was protected (by the default settings at the time you joined) may inevitably become public at some point.

Today’s trending topics might as well be “Facebook privacy settings changed” and “Facebook privacy policies changed“. So, if you still feel that privacy represents a fundamental personal value, we’d all like to know, “What value does Facebook continue to bring you as a tool, and is it worth the cost?”

How Facebook’s New APIs Affect Old Security Issues

Geek level: Fairly technical at times, but makes some general points.

Based on my experience in researching Facebook security, I was quite interested in the security ramifications of Facebook’s recent developer announcements. Some of the analysis I’ve seen thus far from others actually involve rediscovering previously reported concerns with the old platform. But Facebook’s updates include a brand-new authentication scheme for applications, possibly affecting the sort of application attacks first described last year. From a security perspective, I wondered, how much has actually changed?

New Interfaces

To begin, let’s recap some of the new developer tools. First, Facebook is phasing out its old authentication scheme. Previously, applications would generate a session by forwarding clients to a particular Facebook URI. If the user chose to authorize the app, Facebook would forward the user back to the application context, passing along a valid session key (and session secret). The application would then use that session key to generate API requests, signing each with either the session secret or application secret.

Now, Facebook has rolled out OAuth 2.0, a lightweight adaption of OAuth 1.0 and OAuth WRAP. The spec defines several models for authenticating resources, and Facebook uses the Web Server Flow. This process actually involves two major steps. First, the application again forwards clients to a Facebook URI, though this time with a list of specific permissions desired. If the users grants that list of permissions, Facebook again forwards them back to the application with a session key. However, the application must now use the session key to request an access token from Facebook. This step is done directly from the application server, and the request must be signed by the application secret.

In addition to OAuth 2.0, Facebook added new API methods for accessing data. Developers can now use a simple JSON interface to make requests using a valid OAuth access token. At the moment, applications can still interface with the old REST API, but Facebook is requiring developers to use the new permissions model (and hence OAuth) starting June 1, and it’s likely all applications will eventually use the new Graph API for data access and publishing.

I’ve noticed another aspect to the shifts in developer resources: Facebook has hardly talked about FBML recently, and the new developer documentation barely references it. The new JSON APIs are tailor-made for JavaScript use, which would only make sense in an iframe canvas application. I’m not speaking with any insider knowledge, but based on several recent observations, I expect Facebook to eventually deprecate FBML-based apps and shift developers entirely to iframe canvas apps or external websites. (The new, JavaScript-friendly interfaces unite methods used for canvas apps and external sites that previously worked with the Facebook Connect SDK.)

Security and OAuth

While the original OAuth spec has been around for some time, Facebook’s David Recordon helped write the new version, and the first draft came out right around the time Facebook announced their implementation. Consequently, OAuth 2.0 is a rather young protocol, and it’s still under development. I personally find it disheartening that a protocol handling third-party authentication for the personal data of 400 million users has a section entitled “Security Considerations” that still only contains the note, “Todo.” Why would security be an afterthought in this arena?

Facebook’s implementation does have one significant strong point, though. The two-step flow they use makes it essentially impossible to forge a request for an access token. While you may be able to hijack the first step in authentication, getting a usable access token requires the application secret, and if you have that code, you’ve already broken the application itself.

Unfortunately, the benefits end there. While I’m not yet aware of any new vulnerabilities presented by OAuth replacing the old system, using OAuth does not affect many of the previously described application attacks.

Security and Facebook Applications

In fact, attacks on applications will likely get much easier under the new setup. First, since Facebook is pushing developers towards HTML-based applications rather than FBML, exploiting cross-site scripting (XSS) holes will be simpler. Taking advantage of an FBML app requires several tricks, but in a regular HTML context, one can simply insert JavaScript and go.

Second, while the new APIs make requests easier for developers, they also make cross-site request forgery (CSRF) easier for attackers. Since OAuth only handles the initial authentication, once an app has valid session, XSS attacks can hijack that session and issue requests back to Facebook using the app’s access token. This behavior is essentially identical to previous attacks, except that now one must use the access token and make Graph API requests instead of using a session secret to make REST API requests.

Of course, executing such an attack requires an XSS vulnerability in the application to start with, and one may question how common that scenario will be in practice. If my past research is any indication, the chances are very high. Last September I published a series of posts known as the Month of Facebook Bugs which recorded exactly this sort of vulnerability in various Facebook applications. By month’s end, the series demonstrated exploitable holes in nearly 10,000 applications, including six of the top ten apps by monthly active users.

Last month, after reading an article about security on Facebook, I decided to launch the Month of Facebook Bugs Reloaded. My initial plan was to find 30 more vulnerabilities and publish a list of the affected apps, but I’ve since decided against investing the time necessary to build such a list. However, the first afternoon I started working on the project, I found exploitable holes in half of the current top ten applications, specifically: FarmVille, Birthday Cards, Texas HoldEm Poker, Cafe World, and PetVille. Ironically, the FarmVille issue came from the same parameter I’d exploited last year, but this time on a new interface. All of the new issues have been reported for patching.

If you’re not familiar with application attacks, you may wonder how much damage could actually be done. And on this point, things have actually changed slightly. The code I demonstrated last year allowed an attacker to silently and invisibly hijack the session of an application the user had authorized and issue any valid API request back to Facebook. This previously included requests for a user’s private profile information and access to viral channels for spreading links – similar to the more recent vulnerability I described in the Platform itself. Note that the spreading links part could be used for spreading full-fledged malware.

However, Facebook’s new permissions model means that many applications won’t have full access to user information or publishing abilities. Still, any application which does have broad permissions will be a valuable target. But in addition to this change, Facebook has taken much of the previously private profile information and made it public, which means it remains accessible to an attacker, but harvesting is be less of a security issue since it’s now public to begin with.

Looking Ahead

Facebook’s recent updates demonstrated the company’s broad vision for integrating with sites across the Internet. As Facebook expands its reach, though, the surface of possible attack vectors will grow as well. Each site that makes use of Facebook’s powerful APIs will become a target for attackers looking to exploit those APIs. While cross-site scripting problems tend to be rather common on websites, they become even more dangerous when they open the door to compromising a Facebook user’s application session.

Thus far we’ve seen a few attacks against Facebook users that take advantage of applications, but none have been that widespread. I predict we’ll see this change over the next year or two. The size of Facebook’s user base and the trust relationships established on the service make it a very appealing target for attackers, and reduced development friction will likely lead many of them to realize the potential of attacking applications rather than the site directly. Also, the ubiquity of Facebook’s pop-up login windows for authenticating on other websites (often with minimal window chrome) will probably make pop-up imitations a more common scheme for phishing attacks.

Furthermore, other security issues that I’ve not described here still loom for Facebook. I’ve talked before about some of the issues with Facebook’s new Open Graph Protocol previously, and I am awaiting patch confirmation before discussing a few new vulnerabilities in the Platform itself. These problems not only allowed me to replicate the silent data harvesting I’d demonstrated with the issue reported back in March, but opened up new attack possibilities, such as rendering an arbitrary login form with a simple facebook.com URI.

Any site operating at the scale of Facebook is bound to face security problems and increased scrutiny from researchers. But here I’ve chosen particularly to focus on issues with Facebook applications and Facebook-enhanced websites. Attacking Facebook directly can be quite difficult, but insecure applications open up powerful indirect channels, and so far the security track record for applications is not encouraging. That track record could become even more important over the next few months as new APIs spread and old security issues persists.

Facebook is Not Secretly Installing Apps from Other Websites

Updated 4:55 p.m.

Earlier today, Apple news site Macworld published a story with the ominous headline, “Facebook’s new features secretly add apps to your profile“. That claim will naturally get attention, and other sites have started the news.

There’s just one problem: The story appears to be incorrect.

I am not saying that Macworld’s writers are trying to mislead or that they intentionally reported incorrect statements. But I do think they did misunderstood some Facebook behaviors in their zeal to protect user privacy.

The behavior described in the article has nothing to do with “new features” from Facebook and existed under the old Facebook Connect model. When you visit a website that integrates with Facebook using application APIs, that site may load content from Facebook, such as buttons to login to the site with your Facebook account. Facebook then records a visit and lists the website’s application under the “Recently Used” section of your Application Settings page. Apart from the new instant personalization partners (Docs.com, Pandora, and Yelp), the external website does not automatically receive any of your Facebook information. Your visit will be included in the application’s active user count, but your name will not show up on the application’s information page. In fact, visiting that info page for any application has the same result – Facebook shows the app as recently used, but doesn’t transfer any data to the app.

The traditional sense of “adding” or “installing” a Facebook application is that you allow the app access to your profile by clicking through a standard prompt. For applications on Facebook, this is the familiar page asking to “Allow Access,” which did recently receive a makeover and some new features most of the time. For websites outside of Facebook, this happens when you click “Connect with Facebook” or “Login to Facebook” and then agree to the prompt that pops up. Once you’ve taken this extra step beyond just visiting, the site can then identify you and access certain information about you. Applications within Facebook can identify you and access certain public information automatically if you reach them via certain channels, such as by clicking on a friend’s news feed story. Again, all of these behaviors have been around for quite a while.

On the description page for an application, you’ll see a list of friends who have added the app. That list only includes friends of yours who have taken the extra step of “installing” the application as described above. If you only visit a Facebook-enhanced website or Facebook application but don’t agree to the extra prompt, you will never show up in that list or the general list of an application’s users.

Some people may be worried by the fact that Facebook can record visits to other websites that include Facebook content, and those concerns have credibility. But Facebook has this ability for years. Any time a website includes “like” buttons, lists of fans, or other data loaded from Facebook, footprints are left behind. This is not much different from tracking that happens with third-party advertising networks – except that Facebook knows much more about your identity. If you want to avoid tracking entirely, log out of Facebook before visiting other websites.

Readers of this blog know that I have often criticized Facebook over privacy and security issues. But I find it very important to be accurate and avoid sensationalism in such criticisms. If reports include mistaken or overblown problems, users become more confused, appropriate criticisms can be discredited, and Facebook has a chance to gloss over other legitimate concerns. Unless I misunderstood what Macworld described, I think this is one case where fears over supposedly malware-like behavior are not justified. We need to leave this story behind and focus on real issues facing Facebook users.

Note: To clarify, what I describe here does not apply to the three instant personalization partner sites: Docs.com, Pandora, and Yelp. Those sites’ applications are “installed” as soon as you visit unless you opt-out from the instant personalization program or block the apps individually.

Update: Macworld has added a response from Facebook, and the company says a bug temporarily caused external websites to show up in a user’s application list. Apparently my misunderstanding was that these sites’ applications don’t normally show up as “Recently Used,” but their appearance did not indicate any difference in functionality and the technical details I gave describing how such applications work remain unchanged. In other words, seeing these sites under “Recently Used” was consistent with their normal behavior. Facebook confirmed that no data was shared with the applications and that users’ visits were never visible to anyone else.

1 3 4 5 6 7 29