Moglen: Facebook Is a Man-In-The-Middle Attack
jfruh writes "In an email exchange with privacy blogger Dan Tynan, Columbia law professor Eben Moglen referred to Facebook as a 'man in the middle attack' — that is, a service that intercepts communication between two parties and uses it for its own nefarious purposes. He said, 'The point is that by sharing with our actual friends through a web intermediary who can store and mine everything, we harm people by destroying their privacy for them. It's not the sharing that's bad, it's the technological design of giving it all to someone in the middle. That is at once outstandingly stupid and overwhelmingly dangerous.' Tynan is a critic of Facebook, but he thinks Moglen is overstating the case."
As with most social sites, search engines and free email services, you are not the customer; you and your relationships are the product.
It amazes me that people think Moglen is overstating the case. He is not. Let's forget the datamining for commerce. Let's just think about what a simple post on a social network can do with one's life. People have been murdered over a post on social networks by governments. People have been held in custody (hi USA) over posting a quote from Family Guy... Moglen is right. Everything you post on Facebook, Twitter, hell, any service that has an office in the USA will get into the FBI, CIA and SS databanks, and you will get in trouble if you post something those warmongers don't like. Moglen is right. Using centralized, datamined networks is stupid and even more dangerous. It takes a lot of effort not to see that.
Your ISP does not see the information you transmit if it's encrypted, or email, chat, etc.
Facebook CAN see the messages you send, even if your communication to and from facebook is encrypted.
where is your like button?
Or better said, if you're not the farmer, you're the pig.
Free food, water and a place to live?!? What could possibly go wrong?
Unix is very user friendly, it's just picky about who its friends are.
I do think it's a widespread ethical view that these utility-like services shouldn't use the information for their own gain. In the phone era, that was formalized with fairly detailed rules; AT&T couldn't just randomly listen in on your phone calls and use it to sell advertising profiles to mail-order catalogues. In the internet era technology is moving faster than people/law can keep up with.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It's not the same. Obviously, we have to depend on companies every day. But if we don't like a car company, or a traditional ISP, we can switch to another car or ISP. Facebook is different. If you leave, you leave the ability to connect to many of the people that you connected to via Facebook.
I own my own domain name, and use email and blogs to communicate from a site whose name I own. I do depend on companies to support my DNS and webservice. But if I don't like what those companies do, I can switch or do it myself. I have a Facebook account, but I don't normally use it; it just creates too many problems.
We all need suppliers; that's not the problem. The problem is dependency, that is, being (practically) unable to switch. Being dependent on an external company really is a risk.
- David A. Wheeler (see my Secure Programming HOWTO)
Moglen is absolutely correct and I am very impressed by this great analogy: Facebook (and some other "social" media) is a man-in-the-middle attack; it's just not a technical hack but a social hack. Best 20 second explanation ever.
Google might very well join them soon - if they use profiling on gmail conversations.
Sigh - straw man arguments are so tiresome.
These social sites are not your ISP.
These social sites are like inviting a business into your living room to eavesdrop on conversations with your acquaintances.
And for those who say "Who cares if I publicly post all my thoughts and relationships?" I have one question:
What would McCarthyism look like with the data available today?
Rather it seems we have to have special whole new laws because "via the internet" or "with a computer" needs to be tacked on. I'd say this is the larger problem.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
On the very few (read: one, in the UK) occasions your analogy is correct, there has been a massive public outrage:
http://en.wikipedia.org/wiki/Phorm#BT_trials
So people generally don't accept it when it is your ISP. They shouldn't (but ATM seem to) accept it with fb. How long that will last only time will tell - MZ will be happy once he has his billions - most things he has been saying of late in a "tech visionary" context are just complete nonsense, so I suspect he isn't in it for the long term.
Most facebook users have no idea how deep the analysis of their data/relationships goes or the true privacy implications related. Don't assume too much about average joe.... average joe and janette are strapped with bills, jobs, kids, housework, overtime, stress, and american media psychosis... if understanding privacy and internet data mining isn't part of their occupation, there's a slim chance they know about it.
... we all depend on companies every day and trust them with our personal info. There really isn't an alternative.
I wonder why?
When I arrived in the US and received my SSN, I tried to take the message that was next to it seriously: "Keep this number safe and secret" (not a word-for-word citation).
Then I went to get a bank account, set up an account for gas / electricity, a driver's licence, a cell phone contract; everywhere I was asked for my SSN. Seriously, why can PEPCO, GEICO, WASHGAS, AT&T oblige me to reveal this information?
My guess is that people in the US have been slowly but surely trained to surrender sensitive personal information to third parties.
Your ISP does not see the information you transmit if it's encrypted, or email, chat, etc.
If you're taking a paranoid view, a slight clarification is needed here. Your ISP does not see the unencrypted information you transmit if it's encrypted, or email, chat, etc., as long as they do not have the means to decrypt that data.
Ask me about repetitive DNA
If you use FB, you know that your friends and family will post personal information about you as well.
Worse: If you do not use FB, you know that your friends and family will post personal information about you as well.
I wonder if you could make a Firefox plugin that encrypts all posts to Facebook, also detects other people's encrypted posts and, if you have their pub key, decrypts them to view. Could also have something similar that encrypts images to a valid jpg/gif/png, whatever, but only decrypts again if you have the key.
Paying taxes to buy civilization is like paying a hooker to buy love.
Your ISP can see which websites you visit, how long you spend there, how often ....
Yes, but it is not part of their business model to do that.
People would be quite outraged to receive an email from their ISP that reads: ... P.S.: Has your daughter looked at Planned Parenthood?
Based on the web sites you visited, we recommend the following companies to you.
FB is also worming their way into other sites via scripting. I play some games at an EA-owned site and suddenly you cannot select a game room, or even see a game room list, unless you allow scripting by facebook.net. In the interests of allowing FB members more interaction, EA has in fact forced everyone using the game to send data to Facebook. Anyone not blocking scripts is totally unaware of the issue, but most of them probably think FB is a good thing anyway.
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
What would McCarthyism look like with the data available today?
You remember when your president had to publicly reaffirm he wasn't a Muslim but a good god-fearing Christian with good wholesome Christian values? McCarthyism never left.
You Americans and your battles over symbols. You raise a big stink over irrelevancies like ID cards and Facebook, and meanwhile you've got the TSA, warrantless wiretaps, draconian copyright lawsuits, etc.
If all else fails, immortality can always be assured by spectacular error.
They'll still be able to see what sites you're visiting. Even if the actual data is encrypted, it would be trivial to log TCP connections and IPs. In fact, you can bet that the black boxes in place already do it.
Yeah, I've been noticing this on A LOT of sites. Pages won't load right, or load at all, unless the ubiquitous FB (and let's not forget Google) and its associated sites are allowed... It's quite fascinating how quickly FB has achieved this feat, and rather disgusting. People rail endlessly about Obama and how "the gubment" is taking over, etc. FB and Google are who people should really be concerned with.
We play the game with the bravery of being out of range
If you are really concerned about privacy, however, there is nothing (AFAIK) that would stop you from composing your message, using GPG to encrypt the text, then posting the *encrypted* text on Facebook.
I'm not a huge fan of Facebook for numerous reasons, but IMHO, this whole "oh noes -- Facebook is reading my texts!" alarmism is really rather disingenuous. C'mon -- you're posting comments on a public web site. It's more like talking to your friends in the hallway back in your high school days than a telephone call. If you really expect privacy on Facebook, then you are dangerously naive.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Back when Facebook became the Next Big Thing, I thought it seemed silly and a bit dangerous to rely so heavily on a single web site for so many things while excluding anyone who wasn't a member. You're just opening yourself up to monopoly abuses in that situation. I thought an open protocol for interfacing with social media components, whether hosted on Facebook, a competitor, or a personal site would be a more inclusive solution with less potential for exploitation or single point of failure issues. Then I realized that there would be no commercial incentive to supporting a solution that bypasses central servers, so of course it would never happen. The Internet is devolving back into AOL.
The assertion that "Facebook is a man in the middle attack" is utter bullshit. An "attack" would imply that Facebook is doing something that the user does not want it to do.
The reality is that Facebook/MySpace/Google+ et al. are services to which the user willingly sends their information, and which then happen to share such information with some connections.
People do that willingly, people willingly sign up to facebook and send such information to facebook. The people who do not want to share information with facebook do not do it.
Ubuntu is an African word meaning 'I can't configure Debian'
If you send encrypted information through your ISP, they can't read it.
If you send encrypted information THROUGH Facebook, they'll remove it calling it "spam". I tried this and, supposedly, they censor all encrypted messages, only allowing clear text, unencrypted messages on Facebook. It's like they say "Don't distribute encrypted information through our service. Since we can't read it, there's no profit in it for us."
Eben Moglen is absolutely correct that Facebook is a man-in-the-middle service attempting to fool dumb people into disclosing their personal information and secrets.
The name is "trusted middlemen", and anybody claiming it is an attack is doing yellow journalism.
It is true that the more people you have to trust, the worse off you are. It is also true that trusting a corporation can be quite worse than trusting an individual (but then, it can be quite better in other points of views). It is also true that trusting corporations that already showed that they don't deserve any trust is even worse. But equating it to a man-in-the-middle attack is a lie. Plain and simply, a lie.
Rethinking email
Stated another way...
Your relationship with your ISP: You are the customer.
Your relationship with Facebook: You are the product.
We had this. It was called the web. Anyone could put up a website. Even host it right out of their own home. But it was a pain even for many advanced users, and impossible for many normal users to figure out.
Unless you live in the UK, in which case if you use BT as your Internet provider they intercept all your communications. They then break down your data by protocol, using "deep packet inspection", and profile each subscriber for advertising purposes. All totally illegal yet done to tens of thousands of subscribers without their knowledge, not that BT cared. You can read more here.
Phillip.
Property for sale in Nice, France
You don't get to 500 million users without understanding the contents of every message. Text data mining is actually one of the simplest things to implement and can provide a wealth of attitudinal data about products and services.
My Facebook rep has gone into some of their programs for targeted display of ads. I haven't asked her too much about how it would work, but the message she keeps driving home with me is that they can target ads based on how much someone likes something. She says this is based on more than what someone clicks on.
The point is that more and more companies offer products that replace open protocols with open servers and clients. Email is/was SMTP with millions of servers and client applications implementing that protocol. No room to make money apart from selling bandwidth. The web as we know it is HTTP with millions of servers and clients and while there is ample room to make money it's not actually a product.
Facebook and Twitter aren't protocols. They are products, owned and controlled by companies that do all of this to make money, and to achieve this they offer what people want, not what's sound and reasonable from a technological POV.
If you have a closer look at this you will find that there are reasons for this shifting picture: All the good old protocols were designed from a very technical point of view, or from the point of view of technical users. Email is complicated to set up; there's a reason many people (if they still use email at all anymore) use some webmail service. It also doesn't do very much except send messages and small files around. It offers no way to actually find people. The web (based on the Hyper Text Transfer Protocol) just transfers files containing clever markup and doesn't care for anything else. All of this is fine and dandy from a technical POV but just doesn't address very much of what "normal" people actually want to do.
I really can't be angry about what Facebook does, because: We (as geeks) just totally failed to come up with protocols and tools for an infrastructure that would've been able to address the needs of casual users. Instead we insisted that webmail is silly and a full-featured MUA the way to go. In Usenet we were fighting HTML content and fake names even as Usenet (as a communication platform) went under. And there was never anything that even tried to implement a net-wide address book or useful calendaring. All these missing things left a gaping hole that companies like Facebook just exploded into like a gas into a vacuum.
It's easy to hate Facebook and to praise geekdom, but we just miserably failed. We were (and still are) more fascinated by the tools instead of what people might want to do.
It depends what you mean by text data mining. Yeah, you can grab keywords, and there are some simple clues about proximity of certain simple adjectives, and you can sort of associate certain vocabularies with income and spending habits, but the R^2 is pretty low. Text mining is far, far away from "understanding the contents of every message." Even Google does a shoddy job; many of its text mining-based ads are silly and even insulting.
Most of the marketing juice comes from (surprise, surprise) the social network. Facebook has trained people (maybe not you, but probably many of your "friends") to advertise themselves! If you're 1 hop away from 6 people who all explicitly "Like"d some expensive imported chocolate or coffee, that will probably tell me a whole lot more (marketing-wise) about you than any 100 of your messages, even if I had a human being reading every one of them, which text mining is nowhere near.
"They were pure niggers." – Noam Chomsky