Moglen: Facebook Is a Man-In-The-Middle Attack
jfruh writes "In an email exchange with privacy blogger Dan Tynan, Columbia law professor Eben Moglen referred to Facebook as a 'man in the middle attack' — that is, a service that intercepts communication between two parties and uses it for its own nefarious purposes. He said, 'The point is that by sharing with our actual friends through a web intermediary who can store and mine everything, we harm people by destroying their privacy for them. It's not the sharing that's bad, it's the technological design of giving it all to someone in the middle. That is at once outstandingly stupid and overwhelmingly dangerous.' Tynan is a critic of Facebook, but he thinks Moglen is overstating the case."
As with most social sites, search engines, and free email services, you are not the customer; you and your relationships are the product.
It amazes me that people think Moglen is overstating the case. He is not. Let's forget the datamining for commerce. Let's just think about what a simple post on a social network can do with one's life. People have been murdered over a post on social networks by governments. People have been held in custody (hi USA) over posting a quote from Family Guy... Moglen is right. Everything you post on facebook, twitter, hell any service that has an office in the USA will get into the FBI, CIA and SS databanks and you will get in trouble if you post something those warmongers don't like. Moglen is right. Using centralized, datamined networks is stupid and even more dangerous. It takes a lot of effort not to see that.
Besides the term doesn't apply -- in a man in the middle attack, the man in the middle needs to be invisible. Though I suppose you could argue that the vast majority of people using FB don't understand how the Internet works enough to know that they are really sharing information through a third party that holds on to everything, instead thinking of their communication as analogous to sending a paper letter...
weinersmith
Your ISP does not see the information you transmit if it's encrypted, or email, chat, etc.
Facebook CAN see the messages you send, even if your communication to and from facebook is encrypted.
where is your like button?
More like it's payment for services. Did anyone sign up to facebook thinking it was a charity to help people make friends?
your thin skin doesn't make me a troll
Or better said, if you're not the farmer, you're the pig.
Free food, water and a place to live?!? What could possibly go wrong?
=================
Unix is very user friendly, it's just picky about who its friends are.
I do think it's a widespread ethical view that these utility-like services shouldn't use the information for their own gain. In the phone era, that was formalized with fairly detailed rules; AT&T couldn't just randomly listen in on your phone calls and use it to sell advertising profiles to mail-order catalogues. In the internet era technology is moving faster than people/law can keep up with.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It's not the same. Obviously, we have to depend on companies every day. But if we don't like a car company, or a traditional ISP, we can switch to another car or ISP. Facebook is different. If you leave, you leave the ability to connect to many of the people that you connected to via Facebook.
I own my own domain name, and use email and blogs to communicate from a site whose name I own. I do depend on companies to support my DNS and webservice. But if I don't like what those companies do, I can switch or do it myself. I have a Facebook account, but I don't normally use it; it just creates too many problems.
We all need suppliers; that's not the problem. The problem is dependency, that is, being (practically) unable to switch. Being dependent on an external company really is a risk.
- David A. Wheeler (see my Secure Programming HOWTO)
There's also the additional fact that your local email provider isn't going around data-mining your emails to serve you ads, unlike facebook and google. And that if they tried, there'd be heck to pay, lawsuits, and $$$.
Let's call it what it is, Anti-Social Media.
Moglen is absolutely correct and I am very impressed by this great analogy: Facebook (and some other "social" media) is a man-in-the-middle attack; it's just not a technical hack but a social hack. Best 20 second explanation ever.
Google might very well join them soon - if they use profiling on gmail conversations.
Sigh - straw man arguments are so tiresome.
These social sites are not your ISP.
These social sites are like inviting a business into your living room to eavesdrop on conversations with your acquaintances.
And for those who say "Who cares if I publicly post all my thoughts and relationships?" I have one question:
What would McCarthyism look like with the data available today?
Rather it seems we have to have special whole new laws because "via the internet" or "with a computer" needs to be tacked on. I'd say this is the larger problem.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
On the very few (read one in the UK) occasions your analogy is correct there has been a massive public outrage:
http://en.wikipedia.org/wiki/Phorm#BT_trials
So people generally don't accept it when it is your ISP. They shouldn't (but ATM seem to) accept it with fb. How long that will last only time will tell - MZ will be happy once he has his billions - most things he has been saying of late in a "tech visionary" context are just complete nonsense, so I suspect he isn't in it for the long term.
Most facebook users have no idea how deep the analysis of their data/relationships goes or the true privacy implications related. Don't assume too much about average joe.... average joe and janette are strapped with bills, jobs, kids, housework, overtime, stress, and american media psychosis... if understanding privacy and internet data mining isn't part of their occupation, there's a slim chance they know about it.
Then in his opinion, wouldn't email be the same? It's stored on some 3rd party mail server somewhere... and for that matter, wouldn't all form of electronic communication that gets copied/stored somewhere not under your personal control also be classified as a "man in the middle attack"?
No, email is not centralized (unless you refer to gmail and other BIG email providers). You know that you can run your own email server? - It's easy.
... we all depend on companies every day and trust them with our personal info. There really isn't an alternative.
I wonder why?
When I arrived to the US and received my SSN, I tried to take the message that was next to it seriously : "Keep this number safe and secret" / not word by word citation/.
Then I went to get bank account, set up account for gas / electricity, driver's licence, cell phone contract, everywhere I was asked for my SSN. Seriously, why can PEPCO, GEICO, WASHGAS, AT&T oblige me to reveal this information?
My guess is that people in the US have been slowly but surely trained to surrender sensitive personal information to third parties.
In the internet era there are businesses built around things that would not be permitted using other communication channels.
Your ISP does not see the information you transmit if it's encrypted, or email, chat, etc.
If you're taking a paranoid view, a slight clarification is needed here. Your ISP does not see the unencrypted information you transmit if it's encrypted, or email, chat, etc., as long as they do not have the means to decrypt that data.
Ask me about repetitive DNA
NEVER post anything on FB (or any other social media type site) or willingly give up personal information online without VERY good reason and then ONLY using HTTPS or other secure/encrypted means. A social site wants your birth date? Forget it or lie to them... They ask you for your mother's maiden name as a "security question"? Really forget it, it's not worth the risk. Social Security Number? You got to be kidding! Credit Card number? Really? If you really *must* then do what I do and contrive an alternate "backstory" with all this kind of information to give out online. At least with a fictional life story, you're not as easy a target for ID thieves like my poor nephew is now. Hopefully, not being the easy target might save you the trouble of clearing your name, or (shudder shudder) your kid's credit history.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
If you use FB, you know that your friends and family will post personal information about you as well.
Worse: If you do not use FB, you know that your friends and family will post personal information about you as well.
they would take your money AND track you.
Read radical news here
Then in his opinion, wouldn't email be the same? It's stored on some 3rd party mail server somewhere... and for that matter, wouldn't all form of electronic communication that gets copied/stored somewhere not under your personal control also be classified as a "man in the middle attack"?
Gmail certainly is, its whole point is targeted advertising. Wonder how many of the Facebook tinfoil hat crowd has got a gmail address.
If all else fails, immortality can always be assured by spectacular error.
Your ISP can see which websites you visit, how long you spend there, how often you visit the site and what time of day you go there. It will be easy enough to build a profile on a user with just this information.
You want a "social networking" platform that doesn't track or use any relationship or other personal data? What exactly would it do then? That seems counter to the very idea of a social network.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
I wonder if you could make a firefox plugin that encrypts all posts to facebook, also detects other peoples encrypted posts and if you have their pub key decrypts them to view. Could also have something similar that encrypts images to a valid jpg/gif/png what ever but only decrypts again if you have the key.
Paying taxes to buy civilization is like paying a hooker to buy love.
I must respectfully disagree with your statement. It's not being paranoid; it's looking realistically at what you give up to maintain "vanity" sites. As far as alternatives go, everything available to you prior to selling out to Facebook, Twitter, Google+ and the rest of the services people find so "convenient" in their lives are still there. Telephone (excluding texting), e-mail to individuals or groups of friends, real mail (cards, notes, etc. - I know, "how 20th century" (eyeroll)), actual face to face lunches, beers, whatever, maintaining a few real close friends instead of hundreds of "acquaintances", etc.
I am always surprised that people hand over the keys to their life so cheaply.
As always, this is just my opinion.
"Life is not magic." Dr. Ron Weiss - "If we don't play God, who will?" Dr. James Watson
Utility services? I PAY for my utilities, and the phone companies especially charged through the nose. You PAY, you are the customer. You get it for free, you are the product.
So unless you propose paying a monthly fee and a usage fee and a signup fee and a rental fee for your facebook usage, shut the fuck up with your idiotic notion that you companies got to provide you with free services and not make a single penny of you.
And if you don't like facebook, DON'T use it. It is not hard, I am not using it right now and still have time to insult your feeble self-entitled mind.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Your ISP can see which websites you visit, how long you spend there, how often ....
Yes, but it is not part of their business model to do that.
People would be quite out-raged to receive an email from their ISP, that reads: ... P.S.: Has your daughter looked at planned parenthood?
Based on the web-sites you visited, we recommend following companies to you.
fB is also worming their way into other sites via scripting. I play some games at an EA owned site and suddenly you can not select a game room, or even see a game room list, unless you allow scripting by facebook.net. In the interests of allowing fB members more interaction EA has in fact forced everyone using the game to send data to faceBook. Anyone not blocking scripts is totally unaware of the issue, but most of them probably think fB is a good thing anyway.
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
What would McCarthyism look like with the data available today?
You remember when your president had to publicly reaffirm he wasn't a muslim but a good god-fearing christian with good wholesome christian values ? McCarthyism never left.
You americans and your battles over symbols. You raise a big stink over irrelevancies like ID-cards and Facebook and meanwhile you've got the TSA, warrantless wiretaps, draconian copyright lawsuits, etc.
They'll still be able to see what sites you're visiting. Even if the actual data is encrypted it would be trivial to log tcp connections and IP's. In fact, you can bet that the black boxes in place already do it.
Sigh - straw man arguments are so tiresome.
These social sites are not your ISP.
These social sites are like inviting a business into your living room to eavesdrop on conversations with your acquaintances.
Except that they do sell themselves as that friendly neighborhood cafe where everyone hangs out - like in the dream world of Friends.
- Just that the owner listens in on your conversations and keeps a file on all of the guests.
You could do this pretty easily, the problem is most people who use facebook don't care about their privacy and the people who would use this would soon lose the need for it when all of their friends blocked them because their pictures are f'd up and everything they post is garbled.
Not to mention, if the majority of FB users started doing this, they will share their key unencrypted over status updates and PMs.
But the fact is that we all depend on companies every day and trust them with our personal info.
Very, very, true. I work for some of them. However.... it is worth noting that there are some pretty strong NDA's and SLA's in place that define exactly how we store the data, what we will do with that data internally, how we might use 3rd parties to provide service, our own backup policies etc.
Also, the companies I work for get paid by you. YOU ARE OUR CUSTOMER . With Facebook, YOU are the product, the advertisers are the customer.
Now it is not tremendously difficult to understand there is a huge difference between Facebook and other SaaS companies out there. So it is a bit disingenuous to draw that kind of comparison when offsite storage services don't have a vested interest in poring over your data for marketing information to sell to the highest bidder.
It's not being paranoid when Facebook is going to be filing reports with the FCC soon on how they profited on violating your privacy.
Yea, I've been noticing this on A LOT of sites. Pages won't load right or load at all unless the ubiquitous FB (and let's not forget Google) and its associated sites are allowed... It's quite fascinating how quickly FB has achieved this feat, and rather disgusting. People rail endlessly about Obama and how "the gubment" is taking over, etc. FB and Google is who people should really be concerned with.
We play the game with the bravery of being out of range
If you are really concerned about privacy, however, there is nothing (AFAIK) that would stop you from composing your message, using GPG to encrypt the text, then posting the *encrypted* text on Facebook.
I'm not a huge fan of Facebook for numerous reasons, but IMHO, this whole "oh noes -- Facebook is reading my texts!" alarmism is really rather disingenuous. C'mon -- you're posting comments on a public web site. It's more like talking to your friends in the hallway back in your high school days than a telephone call. If you really expect privacy on Facebook, then you are dangerously naive.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Back when Facebook became the Next Big Thing, I thought it seemed silly and a bit dangerous to rely so heavily on a single web site for so many things while excluding anyone who wasn't a member. You're just opening yourself up to monopoly abuses in that situation. I thought an open protocol for interfacing with social media components, whether hosted on Facebook, a competitor, or a personal site would be a more inclusive solution with less potential for exploitation or single point of failure issues. Then I realized that there would be no commercial incentive to supporting a solution that bypasses central servers, so of course it would never happen. The Internet is devolving back into AOL.
Yeah and exactly how crazy will that make the DHS? Every encrypted message would probably put you on a terror watch list.
(It is probably a good thing that no one has pointed out to them that 100% of terrorists breathe air. They would probably regulate that or put all people who breathe air on the 'no fly' list...)
They log this info under CALEA regulation in the US, probably keeping it forever. There is no warrant required for the sharing of the info with the govt. because they are considered the 'owners' of this info, not the end user.
The assertion that "Facebook is a man in the middle attack" is utter bullshit. an "attack" would imply that Facebook is doing something that the user does not want to do.
The reality is that facebook/myspace/google+ et al. is a service in which the user willingly sends their information to them, and then they happen to share such information with some connections.
People do that willingly, people willingly sign up to facebook and send such information to facebook. The people who do not want to share information with facebook do not do it.
Ubuntu is an African word meaning 'I can't configure Debian'
I post about this each time it comes up (and some google fanboys mod me down since they can't stand the truth).
I buy parts at electronics places like mouser.com, digikey.com and so on. very well known, famous, respected, trusted parts sellers. large companies buy from them. anyone doing r/d that has any soldering aspect, goes thru a place like that eventually.
yet, you can't order parts or shop for parts *entirely in their site* without a google ads or syndication or some other google domain coming into place.
note, I did not start out searching, I went directly to digikey or mouser and stayed there. but the browser area that shows what outbound connects are happening, shows google this and google that.
pretty unnerving. and unnecessary.
soon you won't be able to do business unless you whitelist these places. I'm talking about google here, yes.
--
"It is now safe to switch off your computer."
If you send encrypted information through your ISP, they can't read it.
If you send encrypted information THROUGH Facebook, they'll remove it calling it "spam". I tried this and, supposedly, they censor all encrypted messages, only allowing clear text, unencrypted messages on Facebook. It's like they say "Don't distribute encrypted information through our service. Since we can't read it, there's no profit in it for us."
Eben Moglen is absolutely correct that Facebook is a man-in-the-middle service attempting to fool dumb people into disclosing their personal information and secrets.
"Actually the world you see now is probably the most privacy conscious that has ever existed."
Losing your privacy raises your consciousness.
I am glad that "I have nothing to hide (TM)" but I worry when I hear things like the two Brits who were sent back home from the US after our ever vigilant and effective Border Patrol found that they had Tweeted something like "destroy america and dig up marilyn monroe" which is apparently some kind of slang for "party hard". In our Brave New World, everything you say and do is recorded and can be held against you by those without a sense of humor.
I don't read your sig. Why are you reading mine?
The name is "trusted middlemen", and anybody claiming it is an attack is doing yellow journalism.
It is true that the more people you have to trust, the worse off you are. It is also true that trusting a corporation can be quite worse than trusting an individual (but then, it can be quite better in other points of views). It is also true that trusting corporations that already showed that they don't deserve any trust is even worse. But equating it to a man-in-the-middle attack is a lie. Plain and simply, a lie.
Rethinking email
A lot of companies use Google tracking instead of internal log analysis. You should be able to block the Googlebugs safely (for now).
Forget diamonds, copyright is forever.
Stated another way...
Your relationship with your ISP: You are the customer.
Your relationship with Facebook: You are the product.
We had this. It was called the web. Anyone could put up a website. Even host it right out of their own home. But it was a pain even for many advanced users, and impossible for many normal users to figure it out.
Correction, they haven't been caught recording or reselling that information. It'd take a helluva lot of convincing for me to believe that they do not in any way record that information. The reselling, if not already happening, will likely happen in the not too far future once technology has developed enough for that information to be more processable and useable.
Enough of the hyperbole. Facebook only has as much on you as you let them have. No one died in the transition from MySpace to Facebook and no one is going to die when Facebook goes the way of MySpace.
People just want to be lazy about their lives and blame others when things go wrong for doing so. Facebook can't share anything with anyone I don't let share myself to begin with.
Yup, you're right. No way other people could tag me in their photos and have that violate my own privacy.
I've always viewed Facebook as a modern-day War Games. The only winning move is not to play.
Unless you live in the UK, in which case if you use BT as your Internet provider they intercept all your communications. They then break down your data by protocol, using "deep packet inspection", and profile each subscriber for advertising purposes. All totally illegal yet done to tens of thousands of subscribers without their knowledge, not that BT cared. You can read more here.
Phillip.
Property for sale in Nice, France
Exactly. Cable TV was once ad-free. That was why you paid money for it. Then they started adding advertisements. Now it's as bad as over-the-air TV, and yet people keep sending money. The same thing would happen with a paid version of Facebook.
or maybe they don't want people distributing binaries or running a number station on their service, for liability reasons.
not that i disagree necessarily; i just don't think facebook has very sophisticated text mining (yet).
"They were pure niggers." – Noam Chomsky
ISP's do often record that information. They don't resell it. Which is precisely how Facebook works. They collect your information. They use it to decide if they should show you ads from other parties.
They don't resell the information, for two reasons. First, that's how they make money. Second, if they violated this little social contract they have with their users, they'd be opening up a gaping hole for a competitor.
People are pretty lenient, but they wouldn't tolerate Facebook selling their personal info. They'd jump ship.
Agree. 100%
I'm Starting With The Man-In-The-Middle
I'm Asking Him To Change His Ways
And No Message Could Have
Been Any Clearer...
"Flyin' in just a sweet place,
Never been known to fail..."
Sigh, people who start their comments with "sigh" are bordering on the ridiculous.
Especially when they are ACs.
In fact, an ISP that *does not* log this info will not be around long. The reason is that a competent ISP will keep packet logs for at least a couple days in order to catch a blackhat. Bigger ISPs might keep logs for 3 months so they have something when they get a motion of discovery (similar to mugging money -- got nothing to show to the guys in suits with the constable, say buh-bye to your business, because your biz will be then the defendant named in short order.)
Realize you're being a bit flippant, and sarcastic in that anything gets you flagged these days. But it's important to remember that even with encryption, "big brother" would still get most of what they want. Only part of the value of wiretapping is the raw message. The parties are oftentimes more invaluable.
Even with crypto, facebook would still be a free, eternal, roaming pentrace that doesn't need a warrant and tends to crudely geolocate all recipients.
If somebody's sniffing facebook, you don't just know that alice told bob "east wind, rain".
You know that alice is talking to bob. And that alice associates with bob, clarice, dave, elaine ...., all of whom like to talk with Maude...
And in the case of facebook who read it, when they read it, who they shared it with, who "liked" it, and approximately where they were when they logged in with a bit of trivial analysis.
Crypto only protects the contents of the message. Not the identities of the parties.
DHS isn't about terrorism protection--it's about witchhunts. And facebook is a free roster of "known associates" to apply profile until you find a suspect.
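The point made in the comment above (encryption hides the message body, not who is talking to whom) can be shown concretely. This is an added example, not part of the original thread; the relay log, its field names and the helper functions are constructed for illustration, with party names taken from the comment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a relaying service could log for end-to-end
# encrypted posts. "body" stands in for ciphertext the service cannot read.
# Every value here is made up for the example.
RELAY_LOG = [
    {"ts": "2012-02-01T08:02:00", "sender": "alice", "recipients": ["bob"], "body": bytes.fromhex("8f1c44a0")},
    {"ts": "2012-02-01T08:15:00", "sender": "alice", "recipients": ["clarice", "dave"], "body": bytes.fromhex("03be7d9921")},
    {"ts": "2012-02-01T08:30:00", "sender": "elaine", "recipients": ["alice"], "body": bytes.fromhex("aa10")},
    {"ts": "2012-02-01T21:40:00", "sender": "bob", "recipients": ["maude"], "body": bytes.fromhex("5e5e01c7")},
    {"ts": "2012-02-01T21:55:00", "sender": "clarice", "recipients": ["maude"], "body": bytes.fromhex("19f0")},
    {"ts": "2012-02-01T22:10:00", "sender": "dave", "recipients": ["maude"], "body": bytes.fromhex("c4d2e6")},
    {"ts": "2012-02-01T22:20:00", "sender": "elaine", "recipients": ["maude"], "body": bytes.fromhex("7b")},
    {"ts": "2012-02-02T08:05:00", "sender": "alice", "recipients": ["bob"], "body": bytes.fromhex("60aa31f4")},
]


def metadata_only(log):
    """Drop the ciphertext, keeping only the fields needed to deliver a message."""
    return [
        {
            "ts": rec["ts"],
            "sender": rec["sender"],
            "recipients": list(rec["recipients"]),
            "size": len(rec["body"]),
        }
        for rec in log
    ]


def contact_graph(meta):
    """Count messages per unordered pair of parties (who talks to whom)."""
    edges = defaultdict(int)
    for rec in meta:
        for rcpt in rec["recipients"]:
            edges[frozenset((rec["sender"], rcpt))] += 1
    return dict(edges)


def associates(meta, person):
    """Everyone who exchanged at least one message with `person`."""
    found = set()
    for pair in contact_graph(meta):
        if person in pair:
            found |= pair - {person}
    return sorted(found)


def common_contacts(meta, people):
    """Parties that every member of `people` is in contact with."""
    if not people:
        return []
    shared = set(associates(meta, people[0]))
    for person in people[1:]:
        shared &= set(associates(meta, person))
    return sorted(shared)


def active_hours(meta, person):
    """Histogram of the hours of day at which `person` sends messages."""
    hours = defaultdict(int)
    for rec in meta:
        if rec["sender"] == person:
            hours[datetime.fromisoformat(rec["ts"]).hour] += 1
    return dict(hours)


if __name__ == "__main__":
    meta = metadata_only(RELAY_LOG)  # no plaintext and no ciphertext from here on
    circle = associates(meta, "alice")
    print("alice associates with:", circle)
    print("they all also talk with:", common_contacts(meta, circle))
    print("alice sends at hours:", active_hours(meta, "alice"))
```

Nothing in the analysis reads a message body, so encrypting the posts leaves every one of these results unchanged.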
Every time an article related to real-life security (i.e., fighting terrorists) appears, Slashdotters come out of the woodwork to say that there have been an average of 300 US deaths in the past 10 years from terrorism, more people die from car wrecks and smoking, etc.
Same thing here: out of all the evil that MIGHT come from sharing on FB, how many people actually lose jobs, have government agents show up at their door, etc?* For 99.9999% of people sharing on Facebook, there might be a few somewhat-bad things that happen (most likely someone finding out more than you would have liked) but probably not too much more common than what spreads through traditional gossip anyway. I imagine very few bad-with-a-capital-B things happen. Most people will die without having experienced first-hand (or even second-hand) any disasters from sharing on Facebook, belonging to supermarket loyalty clubs, etc.
I'm not saying there's nothing wrong or potentially bad, but like most other things in life it just won't matter to most people.
* And in cases where it DOES happen, I'm sure most belong in the category of "you shouldn't have been doing that (or at least not talking about it)"--crimes, affairs, etc.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
You don't get to 500 million users without understanding the contents of every message. Text data mining is actually one of the simplest things to implement and can provide a wealth of attitudinal data about products and services.
My Facebook rep has gone into some of their programs for targeted display of ads. I haven't asked her too much about how it would work, but the message she keeps driving home with me is that they can target ads based on how much someone likes something. She says this is based on more than what someone clicks on.
The point is that more and more companies offer products that replace open protocols with open servers and clients. Email is/was SMTP with millions of servers and client applications implementing that protocol. No room to make money apart from selling bandwidth. The web as we know it is HTTP with millions of servers and clients and while there is ample room to make money it's not actually a product.
Facebook and Twitter aren't protocols. They are products, owned and controlled by companies that do all of this to make money and to achieve this they offer what people want, not what's sound and reasonable from a technological POV.
If you have a closer look at this you will find that there are reasons for this shifting picture: All the good old protocols were designed from a very technical point of view, or from the point of view of technical users. Email is complicated to set up, there's a reason for many people (if they still use email at all anymore) using some webmail service. It also doesn't do very much except sending messages and small files around. It offers no way to actually find people. The web (based on the Hyper Text Transfer Protocol) just transfers files containing clever markup and doesn't care for anything else. All of this fine and dandy from a technical POV but just doesn't address very much of what "normal" people actually want to do.
I really can't be angry about what Facebook does, because: We (as geeks) just totally failed to come up with protocols and tools for an infrastructure that would've been able to address the needs of casual users. Instead we insisted that webmail is silly and a full-featured MUA the way to go. In Usenet we were fighting HTML content and fake names even as Usenet (as a communication platform) went under. And there was never anything that even tried to implement a net-wide address book or useful calendaring. All these missing things left a gaping hole that companies like Facebook just exploded into like a gas into a vacuum.
It's easy to hate Facebook and to praise geekdom, but we just miserably failed. We were (and still are) more fascinated by the tools instead of what people might want to do.
yes, but facebook rate limits messages also! with a coding scheme as sparse as that, you'd be lucky to send a kilobyte per hour.
And the public doesn't seem to care much. Remember that little skirmish about Politico.com buying analysis from FB on public and private message mentions of republican candidates to "evaluate sentiment"? A few people complained for a bit about not being able to opt-out and then it all died out (despite questions on randomization of results etc).
Add to that clickstream selling by ISPs, and attempt to gather and sell your information pretty much by everyone (heck, yellow pages delivery opt out form demands phone number and email) and people seem to be simply tired of fighting it.
Hyperom.com
If you use FB, you know that your friends and family will post personal information about you as well.
Worse: If you do not use FB, you know that your friends and family will post personal information about you as well.
This is why I don't have any friends, and avoid family.
Be seeing you...
it depends what you mean by text data mining. yeah, you can grab keywords, and there are some simple clues about proximity of certain simple adjectives, and you can sort of associate certain vocabularies with income and spending habits, but the R^2 is pretty low. text mining is far, far away from "understanding the contents of every message." even google does a shoddy job; many of its text mining-based ads are silly and even insulting.
most of the marketing-juice comes from (surprise, surprise) the social network. facebook has trained people (maybe not you, but probably many of your "friends") to advertise themselves! if you're 1 hop away from 6 people who all explicitly "Like"d some expensive imported chocolate or coffee, that will probably tell me a whole lot more (marketing-wise) about you than any 100 of your messages, even if i had a human being reading every one of them, which text mining is nowhere near.
I agree and never noticed the tracking which is done until I installed and used Ghostery. I have it set up where it has the popup which shows all the sites which silently track my web usage and many sites have over a dozen different trackers, the vast majority of them are Google and FB.
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
your loss of money on lottery tickets. It is a voluntary tax in ignorance. Facebook (and the lottery people) know that there are huge numbers of ignorant people out there who are willing to part with something valuable for something of very little (or no) value simply because they don't understand what they are parting with and what they are gaining/losing.
Oh yeah, and Windows is malware.
that's true, but even then facebook will recompress your jpeg even if it's the "right" dimensions. they might even be doing this expressly to defeat steganography (in addition to saving disk); research would be required. the standard steg algs can't survive a recompression, although should be doable in principle.