
Facebook App Exposes Abject Insecurity

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."
This discussion has been archived. No new comments can be posted.

  • by Jah-Wren Ryel ( 80510 ) on Sunday August 23, 2009 @12:10PM (#29164081)

    Could someone with a facebook account "review" this quiz?

    I don't have a facebook account so I can't do much with it. But I would like to send it to friends and family that do have accounts. These people aren't the type to comprehend the ACLU blog, so I'd like to know just how well the quiz makes its point. Is my 20 year-old niece who 'friends' anyone who sends a friend request going to achieve cluevana by doing the quiz, or is the quiz no more meaningful to the unenlightened than the blog post that inspired it?

  • by xiox ( 66483 ) on Sunday August 23, 2009 @12:18PM (#29164141)

    Pretty convincing. It appears to show any of the information or photos I can see about myself or my friends. Presumably a very popular facebook app could harvest data on pretty well everyone in facebook, no matter their privacy settings.

  • by RIpRapRob ( 1346701 ) on Sunday August 23, 2009 @12:20PM (#29164159)

    But here is what Facebook tells their users:

    Facebook Principles

    ...

    We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information.

    ...

    Facebook follows two core principles:

    1. You should have control over your personal information.

    Yeah, there is a lot of 'small print' too, but why wouldn't the average user expect the information they put on Facebook to be private, unless they change some (default) setting?

  • Re:Really? (Score:3, Interesting)

    by flajann ( 658201 ) <fred.mitchell@g m x .de> on Sunday August 23, 2009 @12:24PM (#29164191) Homepage Journal
    As a Facebook Developer myself, I have something to say on this.

    It would be really tough to have the type of security everyone wants, AND have these FB apps be useful. Tradeoffs, guys. The whole idea in most of these FB apps is the sharing of data between friends, which means the Application will have access to much.

    You could have fine-grained security controls exposed to the user, but this would make FB security confusing to most of its users, and it also would hamper the applications and what they can do.

    And if you were to implement such stringent security procedures now, it would break many of the apps in use.

    I think it's safe to say: never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general.

    But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!

    Having said that, there should also be some ethical guidelines for FB developers.

  • TFA (Score:2, Interesting)

    by Magic5Ball ( 188725 ) on Sunday August 23, 2009 @12:25PM (#29164193)

    QUESTION 1: When you take a quiz on Facebook, what can the quiz see about you?
    Only your answers to its questions.
    Only information that is set as "public" on your profile.
    Almost everything on your profile, even if you use privacy settings to limit access.

    Correct!

    Even if you have your profile information and content set to "private," quizzes can see almost everything that you share with your friends on Facebook: your politics and religion, embarrassing photos, comments you leave on your friends' Wall. It doesn't seem like a quiz developer has any reason to poke around in your profile, but it's temptingly easy to do so.

    For example, here are just a few things this quiz can see in your profile:

    [Random stuff from your own profile. *Some data/counts in aggregate*]

    QUESTION 2: What info about you can a quiz see when your friends take a quiz?
    Nothing at all, unless they use your name in an answer somehow.
    Only information from your profile that is visible to everyone on Facebook.
    Almost everything on your profile, even if you use privacy settings to limit who can see that information.

    Correct!

    Yes, that's right: when your friend takes a quiz, the quiz maker gets access to your information! So even if you're being careful, if you haven't changed the right privacy settings, your information could be collected by anyone who writes a quiz that your friends take!

    Check out what this quiz can see about some of your friends (loads slowly - give it a sec!):

    [Random stuff from your friends' profiles. *Some data/counts in aggregate*]

    QUESTION 3: There must be safeguards somewhere, right? My information is safe because:
    Facebook's default privacy settings prevent application developers from scouring my information.
    Facebook carefully screens developers to ensure that they are trustworthy and requires that they post and comply with a privacy policy.
    Facebook uses technical measures to limit how developers collect and use personal information.
    None of the above - and that's a real problem.

    Correct!

    The only protection Facebook offers by default is its Terms of Service, which state that developers must collect only the information that they need and use it only in connection with Facebook.

    But all it takes to be a developer is an email address, and so few of even the top developers have a privacy policy at all, it's hard to believe that Terms of Service will hold them back if they want to collect information, and (as this quiz has shown) they can access a lot of it.

    And once details about your personal life are collected by a quiz developer, who knows where they could end up or how they could be used. Shared? Sold? Turned over to the government?

    QUESTION 4: OK, that sounds like a real problem. So what should I do?
    Give up and quit Facebook forever.
    Resign myself to losing control over my personal information.
    Demand the right to control my information without sacrificing the right to use new technology.

    Of course you know the answer: take a stand and demand control!

    What's going on with these quizzes just isn't right. It's time for Facebook to upgrade its privacy controls so that you decide who gets to see your personal information.

    That's where you come in. As we've seen before, Facebook does respond when users protest. So we need to make some noise!

    * Update your own privacy settings.

    * Share this quiz on Facebook and encourage your friends to take it!

    * Sign our online petition and tell Facebook that you want more control of your own information.

    * And, finally, help the movement grow by becoming a fan of the dotRights campaign and voting for our "The Secret Lives of On

  • Re:some advice (Score:2, Interesting)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Sunday August 23, 2009 @12:47PM (#29164349) Homepage

    I generally agree with you, and therefore don't participate in social networking sites. However, I still think this is a problem insofar as Facebook claims to keep your information private.

    To look at it another way, I don't have grounds to complain that my posts on Slashdot are being made public. I also don't think I have a lot of grounds to complain if Google wants to have automated systems reading my emails enough to feed me a relevant ad, since I know that's roughly their business model for providing free email. However, if I found out Google was allowing their advertisers to read my email, I would be pretty upset about that. Whether or not it's wise of me to trust Google, they've given me the impression that my emails are private and they aren't going to allow other people to read them.

    Similarly, I have limited sympathy for these people who post their drunken antics on social networking sites and expect that their coworkers and employers simply won't ever bother to look at the site. However, if Facebook is offering to let you have private pages that are only visible to friends which you select, but they are then allowing others to view those pages, that seems like a problem.

  • by dkleinsc ( 563838 ) on Sunday August 23, 2009 @01:08PM (#29164483) Homepage

    have demonstrated a fairly reasonable approach to exploitation of personal information.

    So as long as our personal information is only reasonably exploited, it's a-ok?

  • by Anonymous Coward on Sunday August 23, 2009 @01:09PM (#29164501)

    One thing that scares me about them is that a few months ago their list suggesting people for me to add as friends changed wildly, and included people I didn't recognize. I did a search, and it turns out that many of these people were ones I had had one email exchange with a couple of years ago using my Hotmail account -- the account I used for my Facebook account. If these oddball suggestions had happened over the course of time, I could understand it being the other people letting facebook pillage their email for addresses and then suggesting us to each other; however, since it happened all at once, the only conclusion I can come to is that Facebook must have made a deal with Hotmail to get access to associated addresses. I never gave Facebook permission, my password is definitely not the same for Facebook as it is for Hotmail, and people contacted via my main email account -- which thankfully is not Hotmail -- have not shown up on this suggestion list.

  • Re:Really? (Score:3, Interesting)

    by Seumas ( 6865 ) on Sunday August 23, 2009 @01:43PM (#29164727)

    Actually, facebook is very misleading in this way. There ARE options to make each element of your information *ONLY* available to friends. Or even to nobody.

    Unfortunately, their Facebook Application API directly violates the spirit of that by making it available to people other than your friends.

    The single most awful thing about facebook is the wealth of Applications. They're all crap and at best they're annoying. Every time I see some jack ass wasting my time (because it posts that they are using an app to my information stream) doing another "what kind of dog turd are you?" quiz, it makes me hate humanity just a little bit more.
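
An added example, not part of the original discussion and not Facebook's code: a toy Python model of the access rule described in the summary and in the comment above (an app sees whatever the user running it can see), next to a hypothetical stricter rule that also requires the data owner's own authorization. All names, fields and values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    profile: dict = field(default_factory=dict)   # key -> (value, audience)
    apps: set = field(default_factory=set)        # apps this user authorized

def user_can_see(viewer, owner, audience):
    """Person-to-person privacy check: audience is public, friends or private."""
    return (viewer.name == owner.name or audience == "public"
            or (audience == "friends" and viewer.name in owner.friends))

def read_delegated(app, runner, owner, key):
    """Model of the behaviour described on the page: app inherits runner's view."""
    if app not in runner.apps or key not in owner.profile:
        return None
    value, audience = owner.profile[key]
    return value if user_can_see(runner, owner, audience) else None

def read_owner_consent(app, runner, owner, key):
    """Hypothetical stricter policy: non-public data also needs the owner's grant."""
    value = read_delegated(app, runner, owner, key)
    if value is None or owner.profile[key][1] == "public":
        return value
    return value if app in owner.apps else None

def exposed_owners(policy, app, users):
    """Users who never authorized the app but have non-public data it can read."""
    people = users.values()
    return {o.name for r in people for o in people if app not in o.apps
            for k, (_, aud) in o.profile.items()
            if aud != "public" and policy(app, r, o, k) is not None}

def sample_users():
    """Constructed four-person graph; only alice has authorized the quiz app."""
    return {
        "alice": User("alice", {"bob", "dave"}, {"city": ("Oslo", "public")}, {"quiz"}),
        "bob": User("bob", {"alice", "carol"},
                    {"religion": ("sample-value", "friends"), "diary": ("sample-note", "private")}),
        "carol": User("carol", {"bob"}, {"photos": ("sample-album", "friends")}),
        "dave": User("dave", {"alice"}, {"city": ("Lima", "public")}),
    }

if __name__ == "__main__":
    users = sample_users()
    print("delegated:", exposed_owners(read_delegated, "quiz", users))
    print("owner consent:", exposed_owners(read_owner_consent, "quiz", users))
```

Under the delegated rule, bob's friends-only field is readable although bob never authorized the app; under the owner-consent rule nobody who has not authorized the app is exposed, while public fields stay readable.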
