Slashdot Mirror
Facebook Implements 'Download Your Profile' Option
eldavojohn writes "Facebook is rolling out some new changes (including groups) that are supposed to liberate user control. But something that might interest Slashdot readers even more is that they now allow you to download all your information from Facebook. That's everything — all your posts, pictures, videos, friend lists, etc. A video from David of the Open Source team at Facebook explains how it will work, although I don't see that option on my profile yet (they are slowly rolling it out). There's not a lot of details yet, but they at least require you to click a link from an e-mail and reenter your password to get this (to avoid spambots harvesting everyone's data and careless use of public computers resulting in data leaks). Perhaps competitors like Diaspora would be interested in using this base information to germinate user seeds?"
I hope there is an option to disable this in case your account is hacked and someone wants to download all of your data, oh wait, doh....
Having a bookmark to Google does not make you an expert on everything.
Unless your account (or their servers) get hacked, it would only show up if you put it on there yourself...
Aside from being able to back up everything, it would be interesting to do this and read some early correspondence on the service.
Living With a Nerd
Facebook used to have a feature to dump your entire profile and contacts list as a csv. They removed that in the fall of 04.
Perhaps competitors like Diaspora would be interested in using this base information to germinate user seeds?
Maybe, but it already looks like Diaspora development is starting to slow down. OK, there have been some commits today, but I expected to see more activity than what's currently going on.
Remember when the source to Gish was released? A lot of activity and releases for about a fortnight and then nothing...
Summation 2
So now hackers have even more reason to go after your Facebook account. All that data in one nice, neat little download? Hackers paradise.
Can anyone tell me why 99% of
...because right now, their Ping thing is utterly useless. Downloading all your FB data, in particular, contacts, might make it easier to get started with Ping.
Maybe, but it already looks like Diaspora development is starting to slow down. OK, there have been some commits today, but I expected to see more activity than what's currently going on.
Well, following the release of the Diaspora source code everyone did kind of rip them apart (myself included). We all sort of hoped that such criticism would be constructive and the developers would redouble their efforts or seek more help or new developers would aid them.
It's equally likely that after receiving black eyes instead of kudos, developers left Diaspora in droves. It might end up being a failed project with important lessons learned.
My work here is dung.
Facebook sending users an e-mail with a link to click on just invites spam and fake websites to harvest user's logins and passwords.
Nice move on Facebook's part to help train their users to click on links in e-mails that take them to websites to enter authentication credentials.
Unless your account (or their servers) get hacked ...
If your account gets hacked, they still need to have your e-mail hacked. The link to download the zip file is later sent to your e-mail address when the processing is done. Zipping up videos and images takes a while so basically you request this data and they put it in a queue and an hour/day/week/month later you get your data to download e-mailed to you in a link and you re-enter your user password. I thought I described this in my summary but that means that even if your account is hacked they would need access to your e-mail and for quite sometime unless you had already requested it and left that e-mail in your account. Yes, this means that if they know the e-mail associated with your Facebook account, they can just hack that and then request a new Facebook password sent to that account and then initiate the profile zipping.
... it just presents the possibility that a hacker could more easily zip up your data ... and then that requires time ... and access to another resource of yours. For me, this risk is acceptable consider the benefit involved. As I mentioned, I suspect this will allow you to move the history of your profile to another site, which is really really good.
Let's say their servers get hacked. Well, the data is still not zipped up unless they are retaining that data after someone requests it. So at most they'll have access to whoever is waiting to retrieve their data. And it's going to be a lot of data. So there are a lot of logistics involved to get access to only a few random person's data. And even if the hackers are smart enough to invoke the zip script for every single account, that's not something that will happen overnight.
Basically if they have access to your account or the Facebook servers, they already have access to everything on your profile or Facebook as a whole (respectively). So while this presents mild security issues, it's already assuming that everything is compromised
My work here is dung.
I love how people used to bitch that you couldn't get your data off of Facebook (which wasn't even completely true, given Platform and Connect), but now that they added that exact feature, people are bitching that it will allow spammers to get information or that it trains users in some bad way. Can you give them a fucking break? They are honestly trying to add a feature exactly for the demographic here (most users probably don't care about this level of data portability one bit) and all most people can do is still complain.
Omnes stulti sunt.
I would think the email with the link would be sent to the user in repsonse to a request of some sort. You know, you request your data, they email you a link to get it ...
Have you never forgotten the password you use for an infrequently-visted site and had them email you a temporary one? This sounds like the same thing.
I don't care why you're posting AC
Dude, it is one of the basic tenets in computer security to not click on links in e-mails that take you to websites where you enter login credentials.
Those kinds of e-mails are known as phishing and spear phishing attacks. They are very common and very dangerous.
Facebook has had no end of security problems. Now with the publicity that they will be sending out e-mails that have a link, wait a few days and see what hits in computer security news.
FINALLY!!! A way to preserve all the comments from people I havent seen in 20 years telling me we need to smoke a joint together,..
Does this download include all messages received and sent?
"I'm just here to regulate funkiness."
allow you to download all your information from Facebook
The question is, does it really allow you to download all of your data? Does it let you download everything anyone has ever posted on your profile? If it did, this could give you some idea of what Facebook has stored about you.
One thing that seems to be in the same update is removal of the "Clear Chat History" button in the chat window.
There are thousands of complaints posted about this already.
It doesn't take much imagination to see how not having this feature when one is expecting it can lead to comedy.
I'll give them a break when they stop reseting options with new privacy policies or ToS that lowers the ability for users to lock down their accounts and defaults all options to the most open setting.
Over the summer, they added a "master control" which you can set to "friends only" (or several other settings). This will make all of your current settings "friends only" and will also make any future setting default to "friends only".
I'll give them a break when their account deletion process no longer requires users themselves to manually go through and delete everything they put on the website.
I don't believe this has been true for a while: https://ssl.facebook.com/help/contact.php?show_form=delete_account
Omnes stulti sunt.
This is absolutely shocking. For the past few years it seems every article I have read has advocated that data be soley kept 'in the cloud' and that users will never need to download their data to a perosnal machine ever....
'The Cloud' is hype. Just like all the other hyped techs in the last 15 years (ATM will change networking, Java will be out OS, thin clients will rule the business world)
I? do think it will be interesting if real competition comes to FB how this will be used to transfer data.
If I hack your FB account, can't I change the email associated with it?
Yes, but the original e-mail address associated with your account gets e-mailed a notification allowing that to be blocked and if you do block it you have to change your password:
Now, you'd probably prefer that the original e-mail address has to okay the transition but that's how they have it implemented. So you're right, they could change the account associated with it if they know your Facebook password (it asks you at every step of the way). Then they could request the zip and wait to get the e-mail. But if you checked your e-mail in that time and canceled the new e-mail and changed your password you'd be safe.
That's definitely something they could do -- block the request of a new e-mail until an old one is okayed. But then you run into the trouble of someone hacking your e-mail account and gaining access to your Facebook account that way. In that case, they could change your Facebook account over to their e-mail account and then okay it in your hacked e-mail account. Once that's done, how would you reclaim your profile? They would always have the account associated with it.
Also if your old e-mail gets hacked and you have no way of getting it back, you're kind of at the mercy of the person who has your old e-mail as you'll never be able to change the e-mail address associated with your Facebook status and if you do, you'll tip them off that they also have your Facebook account to do with as they please.
What it usually boils down to is if your account is compromised, your account is compromised.
My work here is dung.
I can't think of any compelling reason for Facebook, as the clear market leader, to provide this service. I'm glad they did though, and it makes me feel a lot more comfortable about posting pictures, etc. there for family members without having to keep a mirror somewhere else.
I saw they're also adding some type of sub-networks or groups, so you can make a post about video games and leave out your parents, or congratulate someone about a job offer without including their coworkers. I can think of a lot of tricks to making a good implementation of this, so can't wait to see how they did it.
Those are probably the two most important features that have made me frown on facebook, so seeing both in one day is a big surprise.
Thank you Facebook for supporting data portability and not use it as lame anti-competitive lock-in feature like Yahoo and M$ does.. I don't care how other slashdotters think, but you will earn more of my respect as you make your platform more open and release more open source projects. Well done for your effort, keep it on!
Dude, it is one of the basic tenets in computer security to not click on links in e-mails that take you to websites where you enter login credentials.
Those kinds of e-mails are known as phishing and spear phishing attacks. They are very common and very dangerous.
Facebook has had no end of security problems. Now with the publicity that they will be sending out e-mails that have a link, wait a few days and see what hits in computer security news.
If you're going to train people to be security conscious, you can't half-ass it. "Don't click on e-mails that take you to websites where you enter login credentials" is most definitely the wrong message. Just because there are lots of phishing e-mails doesn't mean that every such e-mail is phishing, and it actually trains people to start drawing invalid conclusions: "well, this link didn't come by e-mail, so it's ok." Phishing websites can just as easily lead you to a malicious page where you enter your credentials.
What you actually need to be teaching people is to go to the link from the e-mail, grab the ssl certificate and check the the company name, the verifying authority, and the fingerprint. The independently go to the main website where the e-mail claims to be from, in this case Facebook, and see if the signature matches. If it does, you can type in your credentials. There is no half-assing this procedure. Anything short of it is vulnerable to the attacks you are so concerned about.
Your doing it wrong. Or at least applying it wrong. In your want to find something incorrect with Facebook you're ignoring the fact that sending an email to the user to confirm they are who they say they are before they are allowed to do things like change their password or download all their data is a tenet of website security in and of itself. These emails are always accompanied by the message "If you did not request this change/email then disregard this message and contact our fraud/tech/blah department". It would be neigh impossible for a spammer to somehow manage to send such a spam email that would show up next to the real one the very instant the user requested the feature that told them they will receive this email. .
You have a lot of faith in users. I know too many people who wouldn't realize that the link is only sent on request and think it sounds interesting to download their account.
Facebook has 500 million users. At this point, they have few places to go, but down is a very likely possibility if they don't extend themselves into the fabric of the net and collaborate so they will always stick around in some form or another. Zuckerberg reportedly even made a contribution to the Diaspora guys in an undisclosed amount because he thinks the idea has merit... or, more likely, he wants to make sure there's cross-compatibility for years to come.
One other point, sort of tangential to the topic... Some of the comments in preceding discussions about Diaspora keep falling back on the "oh sure four guys in a garage with no professional experience EVER got a project off the ground" sort of sarcasm. Ok, I know it's all wonderful and cool to us nerds to rely on sarcasm and cynicism, but a little perspective should be in order as well: Facebook, Apple, Google, Yahoo and other "garage" startups... There's a reason there's only a handful of them. There are a ton of coders, but not everyone is Harvard educated, massively talented, in the right place at the right time or any combination of these. Not every coder who thinks he has a great idea can execute... ... Conversely, not everyone needs to be a Sergey Brin, Mark Zuckerberg or Steve Wozniak. In this Age of Entitlement, we all like to think life is a choice between either being rich or being nothing... but there's plenty of respectable room in between, even if all your project does is get you solid employment at someone else's company.
If everyone knew what they're doing then that'd be fine but the average user is an idiot. They will click an email link supposedly from their bank warning them that there's a problem with their account. Then they will enter all the account login information. If people do this with bank info, they're going to do it with facebook info as well. This happens all the time.
Spear phishing is phishing targeted at a single individual. Since its in Wikipedia and all over the Interwebs and all those black hatted types talk about I'm guessing the poster didn't make it up. Then again maybe he is one of those black hatty, Wikipedia writing trolls making s***t up in a conspiratorial way. You never know ...
+--------------------- You idiot! I told you we were facing the wrong way!