Facebook App Exposes Abject Insecurity

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."

Really?

[Jurily]

Public information is public. News at 11.

Re:Really?

[Jurily]

but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

You're assuming that all these people only have 'friends' they actually know and trust.

If you put it up for others to see it, others will see it. It's that simple.

Re:Really?

[automag]

You're assuming that all these people only have 'friends' they actually know and trust.

If you put it up for others to see it, others will see it. It's that simple.

No, actually whether a user has friends they 'know and trust' is completely moot. On Facebook someone can have their information handed over to a 3rd party developer by anyone in their network, whether they're someone trusted or not. "A strange game. The only winning move is not to play."

Re:Really?

[Jurily]

I merely assumed that people putting up information specifically for the purpose of others reading it, will consider the fact that other people will read it.

You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.

Re:Really?

[RalphSleigh]

The problem is that even without you authorising any applications, as soon as any of your friends take a quiz, that application can see anything about you your friend can. The what length of wood is your dog like quiz has no need of this info, but its not simple to disable its access.

You can turn off this behavior, but only if you don't have any applications authorised yourself (I have an application I have written to fill a box with content from an external site on one of my pages, I can't have this on my profile or access the developers network app AND block quizzes from reading my info at the same time).

Trusting all your friends/networks not to do things that will compromise your privacy is also a non-stater.

Re:Really?

[automag]

It's a fair point... People join Social Networking sites because they want to be social. I think you're probably right that the 'solution' has more to do with the developers than the users.

Re:Really?

[maharb]

What about providing a checkbox for users that says "don't give out my information to anyone but friends". I am a facebook user because of what I can only call peer pressure. I would like it if no one had access to my info except friends but facebook lacks that option. I don't care about apps so why can't I remove myself from this pool of data.

"But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button! "

The issue here is that if one of my friends trusts an app then they have access to MY data. Why should this be allowed with no way to turn it off. Like I said before, I don't want to participate in the app frenzy of facebook at all. I would be perfectly happy to lose the functionality of the apps for privacy.

"I think it's safe to say that never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general."

If that is what facebook and developers think about millions of people's private messages, photos etc they are going to be in for a huge struggle later. People don't realize their facebook info is up for grabs so easy. Once someone publicly demonstrates how much developers(anyone) have access to and the response from facebook is "you should have known" there is going to be a mass exodus from the service or demand for what I am advocating. The idea that information on the internet should be treated as public information is a flaw in logic and a step back for using the internet for more things(like healthcare). This is about security, permissions etc. You can keep information 'safe' on the net. I know hackers can get the info, but I am talking about not giving it out freely.

As a developer I get what you are saying. You can't provide functional apps without the data. You have to realize though that there are other perspectives, ones that may be more important than what a developer wants. As a customer of facebook, and possibly you and your apps I say I don't like what you want from me. That should be a red flag.

Re:Really?

[WCguru42]

But most Facebook users are sheep-le who won't give a second thought to this kind of thing.

It's less so that they're "sheep-le" and more so that they are not aware of technology. It's kinda like sending your car to the repair shop when you don't know shit about cars. My friend recently got bilked out of $500 because he was told he had to replace his part with a "certified" component. My friend didn't know any better so he went with what sounded reasonable but in reality it was a rip off. The same goes for most users of facebook, they don't know jack shit about computers, the internet, etc. and they don't know that when facebook updates their security measures that it's really just lip service.

Re:Really?

[Seumas]

But you might discuss them with your friends. Until you discover that your friend lets everyone on earth into their house any time they want (ie, run Facebook Applications) and one of those people (applications) has installed a listening device in the lamp and everything you thought you were discussing with your private group of friends is actually being directly pumped to some third party who is not your friend.

People throwing the "imagine that, information on the intarwebs is public!" line are being disingenuous. It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted. Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.

The nature of facebook, like many other things people use, implies a certain degree of privacy and control over your exposure. It's not at all the same as just blathering all your crap on a public forum for all of google to index and serve up somewhere.

Re:Really?

[Jeremi]

You have no reasonable expectation of privacy in your email communication.

I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

By that measure, you certainly do have a "reasonable expectation of privacy" for your email. For example, if your ISP started posting your emails to a public web page, you would have grounds for a lawsuit. Therefore, you can "reasonably expect" that your ISP won't do that.

Re:Really?

[gilgongo]

You have no reasonable expectation of privacy in your email communication.

I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

The trouble is that this is the first time in history when the three broad realms of "private", "semi-private" and "public" have been mixed together - and it baffles a lot of people.

In the past, if I sat on my toilet with the door locked, that was private. If I went out and spoke to some friends in a bar, that was semi-private (what I said might get around the village, but not much more), and public was pretty much impossible unless I became a politician or a journalist.

Now, however, it's very difficult to work out which state you are in at any one time, and what's worse, you often don't know what's public, which is a state that for the vast majority of humans, is totally new.

This is the worst part, in general

Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

The problem is that it's in the hands of all of your friends and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

some advice

[FudRucker]

if anyone wants to keep their personal information private then keep it off the internet, if you put your photo or real name & location on any part of internet (especially social networking websites) you can bet your life that somebody else is going to exploit that information in any way possible and for $profit$ if that is possible too.

Re:some advice

[Panzor]

The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

Re:some advice

[Kral_Blbec]

What surprised me about the article is an extension of this. Not just pictures, but the entire profile is availible. I avoid all the Facebook quizes and crap because I already know it is a huge security hole that allows them to access your profile, but I never expected that it would also open up your friend's profile when you allow an app. That kind of pisses me off.

Re:some advice

Subtle social pressure, and a desire to keep track of what people are posting about you and your family. Sure your friends are going to post pictures of your kids pool party with names and addresses whether you're on or not. But at least if you're on there's a better than average chance that when Snotty "I don't care about your privacy or security" McSnotpants will helpfully tag your ugly mug and give you fair warning. You have no hope of warning if you're not a member.

Re:some advice

[silanea]

The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. [...]

At least in Germany people actually do have such a right (no english article linked, so I assume such a right does not exist in anglo-american law). Besides, for me courtesy demands that I ask people for permission before I put pictures of them online. What seems harmless to you may get another person fired, disgraced or harrassed.

Facebook App Exposes Abject Insecurity

[Dogtanian]

Yeah, I've noticed that this "Facebook" app exposes an abject insecurity.

Namely that of the users who seem to be obsessed with their not appearing popular enough, and adding as many "friends" as they can.

Privacy is simple

[verbatim]

Don't publish/post anything that you wouldn't want made public.

Simple enough, people? Seriously.

Grow. The. Fuck. Up. Stop being retarded, paranoid jackasses. Facebook, et.al., are out to make MONEY. That means collecting information, data, digesting it in some way, and then selling that information to advertisers/perverts/your mom/etc.

I just don't get why people are up in arms about "privacy" on a public website, even one with "private" areas. I mean, it's kind of interesting how people will put personal information on a public website and then build virtual walls around it to keep other people out.

Are you so embarrassed by your circle of friends/family that you really don't want other people to know?

Do you really think that you are such an interesting fucking nobody that everyone in the whole goddamn universe wants to know everything about you?

You are one nobody among a collective of nobodies. Deal. :)

Re:Privacy is simple

[gbjbaanb]

I suppose the problem is one of trust - Facebook says "set your privacy controls and you'll be safe", and some people believe this! Not everyone is educated about the internet, they treat it as they would other people, not realising its totally different. These people use Facebook.

Re:Privacy is simple

[Kral_Blbec]

It's not about posting anything you dont want public. Its about OTHER PEOPLE posting it about you.

Re:Privacy is simple

[notamedic]

Facebook is incredibly popular and the start of your third paragraph shows that (aside from an inability to stop swearing) you can't comprehend what the general non-geeky public want from the internet. Social relationships are complicated - how you interact with your friends and what they know about you may not be the same for your family and for your work colleagues.

I'm not a big fan of facebook, but the people who use pejorative terms to dismiss it obviously don't understand it.

Re:Privacy is simple

[Seumas]

I think you have missed the entire fucking point of Facebook. Facebook is not about blathering your shit to every fucking moron on earth and acquiring as many "friends" as possible, but about communicating and keeping up with a select group of people that you have chosen to communicate with. For example, colleagues, family, and close friends.

I don't give a fuck about you or what you have to say day in an day out, but your mom might. Or your school chums. Or your best friend at the office. And since Facebook allows you to restrict your interactions to just these chosen people, you have a right to expect your communication to remain between those designated individuals.

You know, sort of the same way the telephone company is a commercial enterprise, but you have a reasonable expectation for your conversations to remain private. Or do you consider talking on the telephone to be blathering to the "whole goddamn universe", too?

Unfortunately, just like your mom probably is more prone to getting a virus on her Windows machine than you are, she's probably more likely to use a "what color are you?" facebook application and thereby put you at risk of exposure.

Again, it is simply disingenuous to trash people as being idiots for using services where security is inherently implied (and options to protect it are right there in the user preferences -- even though they appear not to be adhered to in this demonstration).

That doesn't mean you should share your most private secrets on earth anywhere online that is connected with your real identity. It just means that you shouldn't have to worry that your every piece of information is being sold out from under you when you thought it was just between yourself and the people in your circle. And if you have this attitude that you should *EXPECT* that from Facebook, then you should have that same attitude toward every institution you deal with from the place you bought your car, to your electric, phone, cable companies and medical providers. After all, if your bank's databases are cracked and the data stolen and sold out from under you, it's YOUR fault for being stupid enough to give your financial information to your financial institution, right?

Also, as much as I hate Twitter and Facebook and all these things (though I like LinkedIN), you at the very least are often obligated to sign up so that you can protect your identity from being used by someone *else*. And as much as I hate attention-whores, even they deserve an expectation of a certain degree of privacy in situations where that privacy is implied.

TFTFY

[denzacar]

Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

The problem is that it's in the hands of all of your "friends" and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

Facebook friends are often not even acquaintances. They are not your friends, no matter how Facebook refers to them.

Re:TFTFY

Agreed. thus the quotes around "friends". The "friend" relationship is not akin to real social relationships--too static and black or white on information control. And facebook, etc. are now popular enough that enough people who use it in different ways are having culture clashes. The extroverted, "my life is an open book, and so is what I know about yours" and the more introverted, "this is just a handy way to keep up with my 3 best friends" groups are squabbling and the "my information is private. I'll give away yours for a free smiley icon" people are irritating everyone. Especially since that last group are usually the people who click on executable attachments and forward them to their whole contact list.

Re:There is no insecurity at all. Move along.

[Seumas]

You miss the point of Facebook, entirely. It's about sharing information with a controlled group of people you have chosen; not every person on the planet who wants it. The problem here is that a site promotes itself as a place you can associate and communicate with a selected community of people that you have individually selected and granted access to and all of its literature promotes the ability for YOU to have CONTROL over your information and interactions (otherwise, they'd just keep using Myspace or something else) while actually violating the implied spirit of everything users sign up for.

Also, I'm glad you feel that violating the entire premise of your service is okay as long as you post it in your Developer API documents that I'm sure everyone's mom and grandparents read before signing up to the service.

Re:There is no insecurity at all. Move along.

[bhartman34]

Facebook and its apps work exactly as advertised. It is a site that's ALL ABOUT SHARING INFORMATION, and guess what, that's what it does. When you take a quiz or use an app, it tells you you're granting it access to lots of stuff. I forget the exact wording, but none of this is a surprise. It takes all of a few minutes looking through the developer docs to see that if you write an app, you get access to, well, yeah, everything.

The problem here is that some people sign up on a site that exists to share personal information, run apps that give away personal information and tell you they're doing it, and are then surprised.

No, that's not the problem. The problem is that when Facebook creates a privacy setting that says "Only Friends" can view the information, that's exactly what should happen: Only friends should be able to see it. It's true that the applications all have a disclaimer saying that they can see and use friends' information, but one can easily understand the cognitive dissonance created when Facebook, on the one hand, tells you that you can designate information as private, and on the other, allows applications to violate that privacy without your giving it that permission. It's one thing if an app can access the "private" information of the person taking the quiz. It's quite another when it gets access to the personal information of people who didn't take the quiz, didn't give the app in question the rights to the "private" information, and thought they were dong "all the right things" by restricting their private information to only their friends.

The cornerstone of privacy is informed consent.

Re:How convincing is the quiz?

[tolan-b]

Because Facebook is supposed to limit your data to your friends and applications *you* choose to trust. But it doesn't give you any control over which data of yours is visible to an application installed by someone else in your network.

Therefore if your mum installs a rogue app then she gives away every piece of data she can view about all her friends and family (who happen to be on Facebook), including you. That's going to include most of your data on Facebook.

Therefore what the hell is the point of having any privacy controls at all? They're simply misleading, all your data has already been made available to multiple third parties without consulting you.

Re:Yes, ordinary people are stupid regarding priva

[RIpRapRob]

No, "Private" as in "only friends I have chosen to share information with", not as in "and every application that they are stupid enough to install".

And you are missing the point

No one is "feeding the information" to an application. The application is sucking the information without anyone being aware of it.

The solution it simple:

Whenever one of my friends grants an application access to my data, Facebook should ask me:

"You have chosen NOT to share information with applications on Facebook. Your friend XYZ has now granted Application APP1 access to your profile. What would you like to do now?

[ALLOW]---[BLOCK APP1 ACCESS TO YOUR PROFILE]---[REMOVE XYZ FROM FRIEND LIST]"

Re:Facebook/Firefox fail

[commodoresloat]

So it's impossible to take a Facebook quiz using Firefox 3.5?

That's a feature, not a bug.

Re:Yes, ordinary people are stupid regarding priva

[m50d]

No, "Private" as in "only friends I have chosen to share information with", not as in "and every application that they are stupid enough to install".

That's drawing a distinction that doesn't exist. If you give a friend access to your profile they can do anything with that data; this just makes it more immediately clear.

The application is sucking the information without anyone being aware of it.

No; the friend will get asked when they run the application, effectively "do you want to give this access to anything you can see".