Facebook & Privacy – Pick one?

In the following I want to discuss several aspects concerning the use of online social networking sites and how the shared information might be exploited by third parties.

In general there are two different forms of how personal information might leak from social networks:

- Exploitable public information
- Malicious information gathering and hacking

The first form of information gathering looks rather harmless but the amount of user information that is freely available is alarming. In July 2010 Ron Bowes built a crawler to harvest all user information on Facebook that is available in the so called “Open Access Directory” and published 2.8GB of raw data through the BitTorrent filesharing network, downloadable for everyone. The file contains personal information of more than 100 million users that did not bother to update their security settings, sometimes including their date of birth and address [1]. A similar incident happened to the German social networking platform SchülerVZ in 2009 when more than 1 million publicly available user pages have been crawled [2].

Beside this large-scale data harvesting, plenty of public information is still easily available from social networking sites. For example the website YourOpenBook allows you to search the status updates of Facebook users in real-time [3]. Another website, called PleaseRobMe was launched in 2009 and automatically searched Twitter and Foursquare to extract information about the location of the users in order to find homes that can be broken in safely [4,5]. Although PleaseRobMe was only an attempt to raise awareness for over-sharing of information and was shut down again, the problem persists. For example current smartphones often come with an embedded GPS system that is used to tag pictures with the coordinates of the location. Uploading such pictures to Facebook reveals the exact location of a user and special attention has to be given to this threat of locational privacy [6].

In the next paragraph I want to focus on malicious information gathering and give two examples on how personal information is accessed on Facebook.

The weak link in Facebook’s security concept seems to be the API that is used for third party applications, e.g. games, calendars and surveys. In October 2010 an investigation of the Wall Street Journal uncovered that all of the 10 most popular applications on Facebook are transmitting user information and make them available to advertising and internet tracking companies. Amongst those applications is for example the popular game FarmVille that not only leaked personal information to outside companies but also information about user’s friends [7].

Another threat for privacy is the professional hacking of accounts on social networking sites. According to a report published by Computerworld, a hacker named Kirllos offered 1.5 million Facebook accounts with the associated password for sale in an underground hacker forum. For the bargain price of $25 - $45 per 1,000 accounts, depending on the number of friends a user has, anyone can buy these accounts [8]. Similar to the information leak discovered by the Wall Street Journal, Kirllos used a Facebook application to access the personal data.

An exhaustive list of threats and possible counter measures to protect your privacy on social networking sites can be found on the website of the European Network and Information Security Agency [9].

So what can users do to protect their privacy on online social networking sites?

The information leaks described in the first part have one thing in common: they’re perfectly legal. Therefore in order to protect their privacy, users have to be aware of what information they are sharing and who is able to access this information. On Facebook this can be restricted by tightening the privacy settings and for Twitter posts can be made public only for accepted contacts.

Regarding the malicious information gathering there is not much what a user can do. These leaks will always arise due to the complexity of the software and the monetary incentive for hackers and companies. The only advice for users is therefore to treat every single piece of information they upload as if it were accessible for everyone and exclude information that might be confidential.

Finally I want to raise the question why Facebook is currently estimated to be worth $33 billion [10]?

Is it the brand or the pictures people uploaded and gave the copyright to Facebook?

Or is this the estimated intrinsic value of the data that lies beyond 500+ million user profiles, their social networks, preferences, political orientation and relationship status and the potential financial gain companies expect from this knowledge?

Have a nice Sunday evening :)

Wilhelm

Sources:

[1] http://www.thinq.co.uk/2010/7/28/100-million-facebook-pages-leaked-torrent-site/
[2] http://www.heise.de/security/meldung/Ueber-1-Million-Datensaetze-bei-SchuelerVZ-abgesaugt-832232.html
[3] http://youropenbook.org/?q=leipzig&gender=any
[4] http://techcrunch.com/2010/02/17/please-rob-me-makes-foursquare-super-useful-for-burglars/
[5] http://pleaserobme.com/; http://foursquare.com/; http://twitter.com/
[6] https://www.eff.org/wp/locational-privacy
[7] http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html
[8] http://www.computerworld.com/s/article/9175936/1.5M_stolen_Facebook_IDs_up_for_sale
[9] http://www.enisa.europa.eu/act/res/other-areas/social-networks/security-issues-and-recommendations-for-online-social-networks
[10] http://www.telegraph.co.uk/technology/facebook/7963608/Facebook-now-worth-33-billion.html