Facebook App Exposes Abject Insecurity 205

Posted by CmdrTaco
from the pay-no-attention-to-the-hole-in-my-pants dept.
ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."
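The access rule in the summary above (an app inherits whatever the installing user can see) modelled beside a scoped, owner-opt-in alternative of the kind the thread asks for. This is an added example, not Facebook's API or the quiz's code; the `Profile` class, the field names, the `friend_app_optin` policy and the sample network are all constructed assumptions.

```python
from dataclasses import dataclass, field

EVERYONE, FRIENDS, ONLY_ME = "everyone", "friends", "only_me"


@dataclass
class Profile:
    name: str
    friends: set
    fields: dict  # field name -> (value, audience)
    # Hypothetical owner-side policy: fields this user agrees to release
    # to apps that a *friend* has installed. Empty means "none".
    friend_app_optin: set = field(default_factory=set)


def visible_to_user(owner, viewer):
    """Fields of `owner` that the human `viewer` may read."""
    out = {}
    for key, (value, audience) in owner.fields.items():
        if (viewer == owner.name
                or audience == EVERYONE
                or (audience == FRIENDS and viewer in owner.friends)):
            out[key] = value
    return out


def app_view_delegated(network, installer):
    """Rule described in the summary: the app acts with the installer's
    privileges, so it can walk the friends list and read what they can."""
    me = network[installer]
    view = {installer: visible_to_user(me, installer)}
    for friend in sorted(me.friends):
        view[friend] = visible_to_user(network[friend], installer)
    return view


def app_view_restricted(network, installer, scopes):
    """Alternative: a field of a friend is released only if
    (1) the installer can see it, (2) the app declared it as a scope, and
    (3) the field's owner opted in to sharing it with friends' apps."""
    me = network[installer]
    own = visible_to_user(me, installer)
    view = {installer: {k: v for k, v in own.items() if k in scopes}}
    for friend in sorted(me.friends):
        owner = network[friend]
        allowed = scopes & owner.friend_app_optin
        seen = visible_to_user(owner, installer)
        view[friend] = {k: v for k, v in seen.items() if k in allowed}
    return view


def build_network():
    """Constructed sample data. bob never installs any app."""
    return {
        "alice": Profile("alice", {"bob", "carol"}, {
            "birthday": ("1980-01-01", FRIENDS),
            "wall": ("party on friday", FRIENDS),
        }),
        "bob": Profile("bob", {"alice", "dave"}, {
            "birthday": ("1985-03-14", FRIENDS),
            "relationship": ("single", FRIENDS),
            "diary": ("private note", ONLY_ME),
        }, friend_app_optin={"birthday"}),
        "carol": Profile("carol", {"alice"}, {
            "hometown": ("Springfield", EVERYONE),
            "photos": ("beach.jpg", FRIENDS),
        }),
        "dave": Profile("dave", {"bob"}, {
            "birthday": ("1990-07-07", FRIENDS),
        }),
    }


if __name__ == "__main__":
    net = build_network()
    print("delegated :", app_view_delegated(net, "alice"))
    # A quiz that only posts results needs no read scopes at all.
    print("quiz      :", app_view_restricted(net, "alice", set()))
    print("calendar  :", app_view_restricted(net, "alice", {"birthday", "photos"}))
```

In the delegated model bob's friends-only fields reach the app although bob never installed it; in the restricted model only the field bob opted in to, and that the app declared, is released.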

  • Really? (Score:4, Insightful)

    by Jurily (900488) <jurily@NOSPam.gmail.com> on Sunday August 23, 2009 @11:53AM (#29163933)

    Public information is public. News at 11.

    • Re:Really? (Score:5, Informative)

      by automag (834164) * on Sunday August 23, 2009 @12:01PM (#29164003)
      The problem isn't so much that public information is public, it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust. Should Facebook users be more cautious? Absolutely. But most Facebook users are sheep-le who won't give a second thought to this kind of thing. If someone wants to leave their own information open and public that's one thing, but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.
      • Re:Really? (Score:5, Insightful)

        by Jurily (900488) <jurily@NOSPam.gmail.com> on Sunday August 23, 2009 @12:05PM (#29164033)

        but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

        You're assuming that all these people only have 'friends' they actually know and trust.

        If you put it up for others to see it, others will see it. It's that simple.

        • Re:Really? (Score:4, Insightful)

          by automag (834164) * on Sunday August 23, 2009 @12:20PM (#29164157)

          You're assuming that all these people only have 'friends' they actually know and trust.

          If you put it up for others to see it, others will see it. It's that simple.

          No, actually whether a user has friends they 'know and trust' is completely moot. On Facebook someone can have their information handed over to a 3rd party developer by anyone in their network, whether they're someone trusted or not. "A strange game. The only winning move is not to play."

          • Re:Really? (Score:4, Insightful)

            by Jurily (900488) <jurily@NOSPam.gmail.com> on Sunday August 23, 2009 @12:41PM (#29164303)

            I merely assumed that people putting up information specifically for the purpose of others reading it, will consider the fact that other people will read it.

            You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.

            • Re:Really? (Score:5, Insightful)

              by Seumas (6865) on Sunday August 23, 2009 @01:41PM (#29164711)

              But you might discuss them with your friends. Until you discover that your friend lets everyone on earth into their house any time they want (ie, run Facebook Applications) and one of those people (applications) has installed a listening device in the lamp and everything you thought you were discussing with your private group of friends is actually being directly pumped to some third party who is not your friend.

              People throwing the "imagine that, information on the intarwebs is public!" line are being disingenuous. It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted. Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.

              The nature of facebook, like many other things people use, implies a certain degree of privacy and control over your exposure. It's not at all the same as just blathering all your crap on a public forum for all of google to index and serve up somewhere.

              • by Jurily (900488)

                It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted.

                You have no reasonable expectation of privacy in your email communication.

                • Re:Really? (Score:5, Insightful)

                  by Jeremi (14640) on Sunday August 23, 2009 @02:06PM (#29164943) Homepage

                  You have no reasonable expectation of privacy in your email communication.

                  I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

                  By that measure, you certainly do have a "reasonable expectation of privacy" for your email. For example, if your ISP started posting your emails to a public web page, you would have grounds for a lawsuit. Therefore, you can "reasonably expect" that your ISP won't do that.

                  • Re:Really? (Score:5, Insightful)

                    by gilgongo (57446) on Sunday August 23, 2009 @03:27PM (#29165551) Homepage Journal

                    You have no reasonable expectation of privacy in your email communication.

                    I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

                    The trouble is that this is the first time in history when the three broad realms of "private", "semi-private" and "public" have been mixed together - and it baffles a lot of people.

                    In the past, if I sat on my toilet with the door locked, that was private. If I went out and spoke to some friends in a bar, that was semi-private (what I said might get around the village, but not much more), and public was pretty much impossible unless I became a politician or a journalist.

                    Now, however, it's very difficult to work out which state you are in at any one time, and what's worse, you often don't know what's public, which is a state that for the vast majority of humans, is totally new.

                • Re: (Score:2, Informative)

                  by bhartman34 (886109)

                  You have no reasonable expectation of privacy in your email communication.

                  That's only true in a business setting, and only in relation to your employer, on your employer's mail server.

                  Your employer has the right to read your email. You work for them, your email is basically your work product, and they can do whatever they want with it.

                  Your personal email account is another matter entirely. Your email can be subpoenaed, but that requires a court's intervention. Your ISP can't just post your email on a public web page and expect to get away with it. They can access your

                • by fbjon (692006)
                  What part of 'reasonable' is hard to understand?
                • by CSMatt (1175471)

                  Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.

                  Using online banking proves you're an idiot.

            • You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.

              ORLY?
              http://failblog.org/2009/08/22/facebooking-win/ [failblog.org]

        • Just like at the doctor's office; if you let others see your junk or take pictures using their network connected fancy junk picture taking machines then it's on the network for everybody on a network to see.
        • Mod parent up some more, 5 points isn't nearly enough.

          Personally, I give less info to my "friends" than is commonly available as public information on Facebook. I don't use apps - most of them are too silly to bother with, and the rest are vectors for dataminers and/or malware. Who needs them?

      • Re: (Score:3, Interesting)

        by flajann (658201)
        As a Facebook Developer myself, I have something to say on this.

        It would be really tough to have the type of security everyone wants, AND have these FB apps to be useful. Tradeoffs, guys. The whole idea in most of these FB apps is the sharing of data between friends, which means the Application will have access to much.

        You could have fine-grained security controls exposed to the user, but this would make FB security confusing to most of its users, and it also would hamper the applications and what they

        • Re:Really? (Score:5, Informative)

          by betterunixthanunix (980855) on Sunday August 23, 2009 @12:42PM (#29164313)
          "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!"

          As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.
          • Re: (Score:3, Informative)

            by mabinogi (74033)

            The ACLU's app lies.

            When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.

            It doesn't magically grant the app more rights to see stuff than the user installing it already has.

            • The ACLU's app lies. When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.

              Is that not what the summary already explicitly says? "Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too." That pretty much agrees with what you just said: the app your friend runs sees what your friend can see. The problem is, my friend's app is not my friend.

        • Re:Really? (Score:5, Insightful)

          by RalphSleigh (899929) on Sunday August 23, 2009 @12:44PM (#29164327) Homepage

          The problem is that even without you authorising any applications, as soon as any of your friends take a quiz, that application can see anything about you your friend can. The what length of wood is your dog like quiz has no need of this info, but it's not simple to disable its access.

          You can turn off this behavior, but only if you don't have any applications authorised yourself (I have an application I have written to fill a box with content from an external site on one of my pages, I can't have this on my profile or access the developers network app AND block quizzes from reading my info at the same time).

          Trusting all your friends/networks not to do things that will compromise your privacy is also a non-starter.

        • Re: (Score:2, Insightful)

          by automag (834164) *
          It's a fair point... People join Social Networking sites because they want to be social. I think you're probably right that the 'solution' has more to do with the developers than the users.
        • Re:Really? (Score:4, Insightful)

          by maharb (1534501) on Sunday August 23, 2009 @01:05PM (#29164461)

          What about providing a checkbox for users that says "don't give out my information to anyone but friends". I am a facebook user because of what I can only call peer pressure. I would like it if no one had access to my info except friends but facebook lacks that option. I don't care about apps so why can't I remove myself from this pool of data.

          "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button! "

          The issue here is that if one of my friends trusts an app then they have access to MY data. Why should this be allowed with no way to turn it off. Like I said before, I don't want to participate in the app frenzy of facebook at all. I would be perfectly happy to lose the functionality of the apps for privacy.

          "I think it's safe to say that never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general."

          If that is what facebook and developers think about millions of people's private messages, photos etc they are going to be in for a huge struggle later. People don't realize their facebook info is up for grabs so easy. Once someone publicly demonstrates how much developers (anyone) have access to and the response from facebook is "you should have known" there is going to be a mass exodus from the service or demand for what I am advocating. The idea that information on the internet should be treated as public information is a flaw in logic and a step back for using the internet for more things (like healthcare). This is about security, permissions etc. You can keep information 'safe' on the net. I know hackers can get the info, but I am talking about not giving it out freely.

          As a developer I get what you are saying. You can't provide functional apps without the data. You have to realize though that there are other perspectives, ones that may be more important than what a developer wants. As a customer of facebook, and possibly you and your apps I say I don't like what you want from me. That should be a red flag.

          • Re: (Score:3, Interesting)

            by Seumas (6865)

            Actually, facebook is very misleading in this way. There ARE options to make each element of your information *ONLY* available to friends. Or even to nobody.

            Unfortunately, their Facebook Application API directly violates the spirit of that by making it available to people other than your friends.

            The single most awful thing about facebook is the wealth of Applications. They're all crap and at best they're annoying. Every time I see some jack ass wasting my time (because it posts that they are using an app to

          • Isn't the issue that you provide your data to your "friends" and your friends then pass that info onto any applications -- what you want is DRM for your data -- other people can view it but not pass it on.

            hmm, where have i heard this argument before....

            anyway, if you give your friend a secret note then he accidentally allows a random third party to read it, who should you get annoyed at -- the friend, the third party, or the company which provided the paper for the note?
            • by maharb (1534501)

              I agree with this in a manual transfer of the data. If your friend manually sends off your data to people then there is nothing you can do except not give that person your data.

              What I have a problem with is the automatic transmission of this data via systems that your friends are not in charge of. I think the facebook example goes beyond the note example because of the way data is stored. Unlike in real life where physical walls block access to data, in the virtual world the "paper" provid

        • by krou (1027572)

          It would be really tough to have the type of security everyone wants, AND have these FB apps to be useful.

          Wait ... there are useful Facebook apps?? ;)

        • You could have fine-grained security controls exposed to the user, but this would make FB security confusing to most of its users, and it also would hamper the applications and what they can do.

          Hardly. At a base level, you have 3 settings: trust, trust that carries (I trust you to pick friends), and don't trust. Refining that somewhat, you can define groups you associate with - drinking buddies or whatever.

          The cool thing here is that defining your membership in a finite group allows you to see info from the other people in that group, but it's really hard to get info from some random person because trust relations are not transitive: if I'm in a poker night group with 5 other guys, I can't hop to

      • Re: (Score:3, Insightful)

        by WCguru42 (1268530)

        But most Facebook users are sheep-le who won't give a second thought to this kind of thing.

        It's less so that they're "sheep-le" and more so that they are not aware of technology. It's kinda like sending your car to the repair shop when you don't know shit about cars. My friend recently got bilked out of $500 because he was told he had to replace his part with a "certified" component. My friend didn't know any better so he went with what sounded reasonable but in reality it was a rip off. The same goes for most users of facebook, they don't know jack shit about computers, the internet, etc. an

        • *sigh* I lack sympathy. Let me get this straight. I know jack about aircraft, but I'd like to own one. So, I trot my happy ass down to the airport, find a pretty plane (with PONIES even!) and hand over my hard earned cash. Climb in, fire it up, and drive it into the trees at the end of the runway. This is whose fault, exactly? Is it the guy who sold me a plane? Was it his responsibility to investigate my background, to find out whether I even had a pilot's license? Was it his job to teach me about p

          • by Jeremi (14640)

            If people are going to be on the web, they should at least have a clue about what the web is.

            That would be nice, but face it -- if the only people who used the Internet were the people who had the time, brains, and inclination to understand how the Internet works, there wouldn't be an Internet.

            Hell, I'm willing to bet that 75% of the people on this very site (subtitle: "News for Nerds") would have trouble identifying a privacy leak before they stepped in it. Myself included.

      • by Trepidity (597)

        it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust

        In particular, Facebook doesn't make much effort to encourage better privacy practices. They could, for example, have multiple access levels for apps. A "quiz" app doesn't actually need any access to information; all it needs is the ability to post a quiz results to your wall. That's what people expect it to do. But there's no way to tell if this is what it does or n

    • Public information is public. News at 11.

      This is hardly the point. The main point is that people WANT TO and SHOULD be able to publish their information to those they choose, without it being spread to those with interests other than friendship. Normally, the only major leak in this is if you can't trust your friends. Now, there is also a leak in the basic communication infrastructure we're using. People are simply arguing that social networks like facebook have a certain responsibility to be trustworth

    • by Locutus (9039)
      but the system is designed such that it gives the impression that you invite people to share with and that includes your info. Now, I wonder why they say you can't see someone's info unless you're "friends" with them when in fact, you just need to be friends with one of their friends. And you know, when you go to click an app and see where it says the developer has access to your profile data? It didn't, and probably still doesn't, say that if any of your friends accepted the app, the developer already has
    • No. That's not good enough anymore. With the global reach, massive databases and indexing software available to most companies, it's no longer good enough to say that once your private data slips out that it's fair game for anyone to do whatever they please, whenever they like with it. I don't want Google or Facebook or anyone else spamming people who have just happened to send me an email. I don't want private companies data mining my address book and contacts list.

      You say that once my data has become "pub

  • by Anonymous Coward on Sunday August 23, 2009 @11:56AM (#29163957)

    Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

    The problem is that it's in the hands of all of your friends and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

    • Re: (Score:3, Interesting)

      by dkleinsc (563838)

      have demonstrated a fairly reasonable approach to exploitation of personal information.

      So as long as our personal information is only reasonably exploited, it's a-ok?

      • by Jeremi (14640)

        So as long as our personal information is only reasonably exploited, it's a-ok?

        Yup, that's the deal. Facebook gets to use your personal information in certain more-or-less socially acceptable ways, e.g. to choose which ads they show to you, and in return you get unlimited use of the FaceBook site, without ever having to pay anyone any money.

        That may or may not be a-ok for you, but FaceBook's users seem to find it acceptable; otherwise they presumably would not be FaceBook users.

    • TFTFY (Score:3, Insightful)

      by denzacar (181829)

      Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

      The problem is that it's in the hands of all of your "friends" and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

      Facebook friends are often not even acquaintances. They are not your friends, no matter how Facebook refers to them.

      • by daveime (1253762)

        Facebook friends are often not even acquaintances. They are not your friends, no matter how Facebook refers to them

        Surely that is up to the user who adds 1000 people who they once exchanged "lol" with, and now consider them as friends ?

        How simple can it be ? If you don't want strangers seeing your sensitive info, either don't post the fucking sensitive info in the first place, or don't add strangers just because they once said "lol" at one of your comments.

        This whole "friend of a friend" thing is nonsense t

    • Somehow this "facebook" has never acquired any information about me. Oh right, that's because I've never signed up.
  • some advice (Score:5, Insightful)

    by FudRucker (866063) on Sunday August 23, 2009 @11:57AM (#29163967)
    if anyone wants to keep their personal information private then keep it off the internet, if you put your photo or real name & location on any part of internet (especially social networking websites) you can bet your life that somebody else is going to exploit that information in any way possible and for $profit$ if that is possible too.
    • Re:some advice (Score:5, Insightful)

      by Panzor (1372841) on Sunday August 23, 2009 @12:02PM (#29164005)

      The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

      • Re: (Score:2, Insightful)

        by Kral_Blbec (1201285)
        What surprised me about the article is an extension of this. Not just pictures, but the entire profile is available. I avoid all the Facebook quizzes and crap because I already know it is a huge security hole that allows them to access your profile, but I never expected that it would also open up your friend's profile when you allow an app. That kind of pisses me off.
      • Re: (Score:3, Funny)

        by ParanoiaBOTS (903635)

        The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

        The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. It's not like the person went into your house, pulled out your photo album and uploaded those photos. If you don't want to appear in a photo a person may or may not put online, don't go out in public. It's as simple as that

        • Re: (Score:3, Insightful)

          by silanea (1241518)

          The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. [...]

          At least in Germany people actually do have such a right [wikipedia.org] (no English article linked, so I assume such a right does not exist in Anglo-American law). Besides, for me courtesy demands that I ask people for permission before I put pictures of them online. What seems harmless to you may get another person fired, disgraced or harassed.

          • And how can you exercise that right? It's true, you do have that right. But you can only assert that right if you know that somebody is going to upload a picture of you. So, how do you know?

            In case somebody uploaded your photo without consent, you can have them remove it and/or sue them but the information is already published and nothing will change that fact.

            And how can I know about every photo of me that has been published? How can I search for them? How do I even know when a photo has been taken - sa

        • In the UK, you do have that as a legal right. You may not publish a photograph of someone in any media without their consent, with a few exceptions (crowd scenes are one, and I believe there are some other exemptions for the press if the photographs are seen as being in the public interest).
          • by g0at (135364)

            Same is true in the States and Canada, insofar as I understand the implications of "rights of privacy and publicity".

            b

      • Or: Your privacy is only as good as the aggregate social stupidity of your friends.

        I created a bogus ID and my image has already been tagged numerous times by other people who know my fake name (so it pretty quickly becomes a rather thin alias). Unfortunately a social site that only has me on it is not very useful (unless I want to have the social life of John Kaczynski).

        This reminds me of a recent Onion article:
        "Google Opt Out Feature Lets Users Protect Privacy By Moving To

    • Re: (Score:2, Interesting)

      by nine-times (778537)

      I generally agree with you, and therefore don't participate in social networking sites. However, I still think this is a problem insofar as Facebook claims to keep your information private.

      To look at it another way, I don't have grounds to complain that my posts on Slashdot are being made public. I also don't think I have a lot of grounds to complain if Google wants to have automated systems reading my emails enough to feed me a relevant ad, since I know that's roughly their business model for providing f

    • Hell, I'm still struggling to keep some relatives from using websites to send me "e-greeting cards".

      I have to periodically create throw-away email addresses just to email these individuals, who complain that they have to keep changing their address books to email me.

  • by Dogtanian (588974) on Sunday August 23, 2009 @12:04PM (#29164029) Homepage
    Yeah, I've noticed that this "Facebook" app exposes an abject insecurity.

    Namely that of the users who seem to be obsessed with their not appearing popular enough, and adding as many "friends" as they can.
    • Making and keeping track of plenty of friends (by the facebook definition) is the point of facebook, according to the many people who patiently explained facebook to me.

  • Privacy is simple (Score:3, Insightful)

    by verbatim (18390) on Sunday August 23, 2009 @12:08PM (#29164061) Homepage

    Don't publish/post anything that you wouldn't want made public.

    Simple enough, people? Seriously.

    Grow. The. Fuck. Up. Stop being retarded, paranoid jackasses. Facebook, et al., are out to make MONEY. That means collecting information, data, digesting it in some way, and then selling that information to advertisers/perverts/your mom/etc.

    I just don't get why people are up in arms about "privacy" on a public website, even one with "private" areas. I mean, it's kind of interesting how people will put personal information on a public website and then build virtual walls around it to keep other people out.

    Are you so embarrassed by your circle of friends/family that you really don't want other people to know?

    Do you really think that you are such an interesting fucking nobody that everyone in the whole goddamn universe wants to know everything about you?

    You are one nobody among a collective of nobodies. Deal. :)

    • by gbjbaanb (229885) on Sunday August 23, 2009 @12:16PM (#29164123)

      I suppose the problem is one of trust - Facebook says "set your privacy controls and you'll be safe", and some people believe this! Not everyone is educated about the internet, they treat it as they would other people, not realising it's totally different. These people use Facebook.

      • Re: (Score:3, Informative)

        by pnattress (1002576)
        It's perfectly possible to set privacy settings on Facebook for applications as well as friends. You can control the information other friend's applications can see. (Settings -> Privacy -> Applications). It's not heavily advertised, because if everyone hid all their info it would devalue their API somewhat, but it's definitely there.
      • by verbatim (18390)

        I simply assume that no company/organization will ever do anything in my best interest unless I have a significant financial stake in it (and, even then...)

    • Re: (Score:2, Insightful)

      by Kral_Blbec (1201285)
      It's not about posting anything you don't want public. It's about OTHER PEOPLE posting it about you.
      • by daveime (1253762)

        So you add someone as a friend, so they *can* see all your gory details, but you don't want them to publish it or pass it on in any way ?

        How exactly are you going to stop CTRL-C, CTRL-V ? Or even ALT-PRINTSCREEN ? Have Facebook apps disable your keyboard ?

        The application "hole" is no more insecure than simply not adding strangers in the first place if you don't want them playing "Chinese Whispers" with your info.

        • by CSMatt (1175471)

          The poster was most likely referring to incidents where someone whom you know outside of Facebook is posting things on the site that you otherwise would not want on there. While it would seem that the solution is to never tell these people these things in the first place, it is worth realizing that these people are in all likelihood giving the appearance of trust, and are even otherwise genuinely trustworthy. They would not report these things to random strangers outside of Facebook, but have been duped b

    • by notamedic (1236734) on Sunday August 23, 2009 @12:43PM (#29164325)

      Facebook is incredibly popular and the start of your third paragraph shows that (aside from an inability to stop swearing) you can't comprehend what the general non-geeky public want from the internet. Social relationships are complicated - how you interact with your friends and what they know about you may not be the same for your family and for your work colleagues.

      I'm not a big fan of facebook, but the people who use pejorative terms to dismiss it obviously don't understand it.

      • by verbatim (18390)

        I would both agree and disagree. Yes, I have different social circles - work, friends, and family are three simple categories.

        However, I don't see the point in putting artificial walls between these things. Yeah, I'm not going to automatically send party announcements to my colleagues, but I also don't really care if they know what I'm doing on the weekend. I'm pretty sure that they don't care, either. And, if I happen to do something embarrassing, reckless, or stupid, then I really should be more careful w

    • by Seumas (6865) on Sunday August 23, 2009 @02:03PM (#29164915)

      I think you have missed the entire fucking point of Facebook. Facebook is not about blathering your shit to every fucking moron on earth and acquiring as many "friends" as possible, but about communicating and keeping up with a select group of people that you have chosen to communicate with. For example, colleagues, family, and close friends.

      I don't give a fuck about you or what you have to say day in and day out, but your mom might. Or your school chums. Or your best friend at the office. And since Facebook allows you to restrict your interactions to just these chosen people, you have a right to expect your communication to remain between those designated individuals.

      You know, sort of the same way the telephone company is a commercial enterprise, but you have a reasonable expectation for your conversations to remain private. Or do you consider talking on the telephone to be blathering to the "whole goddamn universe", too?

      Unfortunately, just like your mom probably is more prone to getting a virus on her Windows machine than you are, she's probably more likely to use a "what color are you?" facebook application and thereby put you at risk of exposure.

      Again, it is simply disingenuous to trash people as being idiots for using services where security is inherently implied (and options to protect it are right there in the user preferences -- even though they appear not to be adhered to in this demonstration).

      That doesn't mean you should share your most private secrets on earth anywhere online that is connected with your real identity. It just means that you shouldn't have to worry that your every piece of information is being sold out from under you when you thought it was just between yourself and the people in your circle. And if you have this attitude that you should *EXPECT* that from Facebook, then you should have that same attitude toward every institution you deal with from the place you bought your car, to your electric, phone, cable companies and medical providers. After all, if your bank's databases are cracked and the data stolen and sold out from under you, it's YOUR fault for being stupid enough to give your financial information to your financial institution, right?

      Also, as much as I hate Twitter and Facebook and all these things (though I like LinkedIn), you at the very least are often obligated to sign up so that you can protect your identity from being used by someone *else*. And as much as I hate attention-whores, even they deserve an expectation of a certain degree of privacy in situations where that privacy is implied.

  • by Jah-Wren Ryel (80510) on Sunday August 23, 2009 @12:10PM (#29164081)

    Could someone with a facebook account "review" this quiz?

    I don't have a facebook account so I can't do much with it. But I would like to send it to friends and family that do have accounts. These people aren't the type to comprehend the ACLU blog, so I'd like to know just how well the quiz makes its point. Is my 20 year-old niece who 'friends' anyone who sends a friend request going to achieve cluevana by doing the quiz, or is the quiz no more meaningful to the unenlightened than the blog post that inspired it?

    • Re: (Score:3, Interesting)

      by xiox (66483)

      Pretty convincing. It appears to show any of the information or photos I can see about myself or my friends. Presumably a very popular facebook app could harvest data on pretty well everyone in facebook, no matter their privacy settings.

      • by soliptic (665417)

        It appears to show any of the information or photos I can see about myself or my friends.

        I don't grasp how this is supposed to be an insecurity. It seems like the summary is "It can see whatever you can see". If it were "It can see stuff you otherwise couldn't see" then it would seem like a security concern, but as it stands it appears to be working exactly as intended and advertised. What am I missing?

        • Re: (Score:3, Insightful)

          by tolan-b (230077)

          Because Facebook is supposed to limit your data to your friends and applications *you* choose to trust. But it doesn't give you any control over which data of yours is visible to an application installed by someone else in your network.

          Therefore if your mum installs a rogue app then she gives away every piece of data she can view about all her friends and family (who happen to be on Facebook), including you. That's going to include most of your data on Facebook.

          Therefore what the hell is the point of having
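A simplified model of the access rule argued over in this thread, added here as an illustration; it is not code from any poster and does not use Facebook's API. It compares an app that inherits the installer's view (the behaviour tolan-b describes) with one filtered by each owner's application privacy setting (the control pnattress mentions); the names, fields and the `app_allowed` setting are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    friends: set      # user ids this person has friended
    data: dict        # fields shared with friends ("private" to the public)
    app_allowed: set  # fields the owner lets friends' apps read (assumed setting)

# Constructed sample network; all names and fields are hypothetical.
PROFILES = {
    "mum":   Profile({"you"}, {"name": "Mum"}, {"name"}),
    "you":   Profile({"mum", "carol"},
                     {"name": "You", "politics": "x", "photos": ["p1.jpg"]},
                     {"name"}),
    "carol": Profile({"you"}, {"name": "Carol", "religion": "y"}, set()),
}

def user_view(profiles, viewer):
    """Everything `viewer` can see: own data plus friends' friend-only data."""
    view = {viewer: dict(profiles[viewer].data)}
    for f in profiles[viewer].friends:
        if viewer in profiles[f].friends:          # friendship must be mutual
            view[f] = dict(profiles[f].data)
    return view

def app_view_inherited(profiles, installer):
    """Model from the thread: the app runs with the installer's privileges."""
    return user_view(profiles, installer)

def app_view_owner_scoped(profiles, installer):
    """Alternative: each owner's application setting filters friends' apps."""
    view = user_view(profiles, installer)
    for owner in view:
        if owner != installer:                     # installer consented for self only
            allowed = profiles[owner].app_allowed
            view[owner] = {k: v for k, v in view[owner].items() if k in allowed}
    return view

def exposed_without_consent(view, installers):
    """(owner, field) pairs the app reads from people who never installed it."""
    return {(o, k) for o, fields in view.items()
            if o not in installers for k in fields}

if __name__ == "__main__":
    for model in (app_view_inherited, app_view_owner_scoped):
        view = model(PROFILES, "mum")
        print(model.__name__, sorted(exposed_without_consent(view, {"mum"})))
```

Only the installer ever saw a consent dialog in either model; the difference is whether the owner's own setting is consulted before a friend's app reads the owner's data.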

      • Or here's an idea: Provide a toolkit for building quiz apps that is easy enough to use that almost anyone could do it. Host all the separate apps on your webserver, and include code in every app generated by it that tracks people. Then you'd have dozens (hundreds?) of quizzes all feeding you information, all "built" by other people. With this you could basically recreate all of the information that Facebook has on its users.

        For all I know this has already been done... these quizzes can't all be buil

    • TFA (Score:2, Interesting)

      by Magic5Ball (188725)

      QUESTION 1: When you take a quiz on Facebook, what can the quiz see about you?
      Only your answers to its questions.
      Only information that is set as "public" on your profile.
      Almost everything on your profile, even if you use privacy settings to limit access.

      Correct!

      Even if you have your profile information and content set to "private," quizzes can see almost everything that you share with your friends on Facebook: your politics and religion, embarrassing photos, comments you leave on your friends' Wall. It doesn

  • by RIpRapRob (1346701) on Sunday August 23, 2009 @12:20PM (#29164159)

    But here is what Facebook tells their users:

    Facebook Principles

    ...

    We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information.

    ...

    Facebook follows two core principles:

    1. You should have control over your personal information.

    Yeah, there is a lot of 'small print' too, but why wouldn't the average user expect the information they put on Facebook to be private, unless they change some (default) setting?

  • Facebook might as well be regular web pages out in the open.

    However, I don't see what the ACLU has to do with any of this.

  • by speedtux (1307149) on Sunday August 23, 2009 @01:57PM (#29164857)

    Tracy [failblog.org] apparently had some trouble with the concept of "privacy" (or lack thereof) on Facebook...

    • by Anonymous Coward on Sunday August 23, 2009 @05:53PM (#29166655)

      Tracy's account was hacked by 4chan.

      4chan hacked a Christian dating site, and got a list of details and passwords contained on its servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and facebook or if some other step was involved), but they used this to gain access to hundreds of facebook accounts.

      They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.

      Don't blame Tracy. She didn't post that.

      Blame the Christian dating site for insecurity.

      Blame 4chan for being 4chan.

  • Disabled (Score:2, Informative)

    by magloca (1404473)
    Seems the app has already been disabled. Apparently, there's something in the terms you have to agree to to write an app about not collecting more info than necessary. And presumably, Facebook felt that this one did. Or maybe they thought they could distance themselves from the embarrassment. Who knows.
  • by Animats (122034) on Sunday August 23, 2009 @02:14PM (#29165015) Homepage

    That Facebook quiz page puts Firefox 3.5 into a loop at:
    "Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"

    FAIL.

  • Someone I don't know is gonna see that I told a friend I really loved Brazil!

  • ...you combine object-oriented and aspect-oriented development?

  • Now, a developer has written a Linux 'Utility' based on the Facebook paranoia, which graphically illustrates all the information a normal application can get its grubby little hands on. It opens your e-mail, and prints out all the stuff your friends have sent you. Then it opens your IM program, and prints out all your friends' profiles. And their web sites. And, like, OMG, the links to their favorite games they sent you!

    Seriously folks. We're getting riled up over the idea that applications run with the pri

  • Before I post anything online I apply the Projector Test. The way this works is that I imagine that I'm in an auditorium with everyone in the world that matters to me in any way (including enemies and potential psycho stalkers). Then I imagine that what I'm posting, typing, recording, uploading, transmitting, etc will be reproduced on a 30ft screen. Further, the attendees will receive a 500 gigabyte flash drive to take the presentation home with them...searchable by keyword and image.

    So a passing grad
  • by brunes69 (86786)
    So I decided to try to run this magic quiz that can get all my information without my consent. I click on the app, and up pops the standard facebook alert...

    Allowing "What Do Quizzes Really Know About You?" access will let it pull your profile information, photos, your friends' info, and other content that it requires to work.

    Allow or cancel

    I decided to click "Cancel". Oh damn, the quiz does not work now!

    Wow, facebook is TEH EVIL! how dare they ask me if I want to run the quiz or not!

    • I think many people would make the reasonable assumption that the app will only get the information that is required for it to work. That is what the warning says, after all. But that is not true. The app has full access to everything you can see, whether it needs it or not. Why in the world should a stupid poll need to see my (and my friend's) photos?

      This is the crux of the problem. It suggests apps have limited access (based on need) when they really have unfettered access. I assume that the bar to

  • This isn't anything like pwning you but just showing that the data you shared is...shared. 
