Facebook Implements 'Download Your Profile' Option 114
eldavojohn writes "Facebook is rolling out some new changes (including groups) that are supposed to liberate user control. But something that might interest Slashdot readers even more is that they now allow you to download all your information from Facebook. That's everything — all your posts, pictures, videos, friend lists, etc. A video from David of the Open Source team at Facebook explains how it will work, although I don't see that option on my profile yet (they are slowly rolling it out). There's not a lot of details yet, but they at least require you to click a link from an e-mail and reenter your password to get this (to avoid spambots harvesting everyone's data and careless use of public computers resulting in data leaks). Perhaps competitors like Diaspora would be interested in using this base information to germinate user seeds?"
You know (Score:5, Informative)
To Reiterate! (Score:5, Informative)
Unless your account (or their servers) get hacked ...
If your account gets hacked, they still need to have your e-mail hacked. The link to download the zip file is later sent to your e-mail address when the processing is done. Zipping up videos and images takes a while so basically you request this data and they put it in a queue and an hour/day/week/month later you get your data to download e-mailed to you in a link and you re-enter your user password. I thought I described this in my summary but that means that even if your account is hacked they would need access to your e-mail and for quite sometime unless you had already requested it and left that e-mail in your account. Yes, this means that if they know the e-mail associated with your Facebook account, they can just hack that and then request a new Facebook password sent to that account and then initiate the profile zipping.
... it just presents the possibility that a hacker could more easily zip up your data ... and then that requires time ... and access to another resource of yours. For me, this risk is acceptable consider the benefit involved. As I mentioned, I suspect this will allow you to move the history of your profile to another site, which is really really good.
Let's say their servers get hacked. Well, the data is still not zipped up unless they are retaining that data after someone requests it. So at most they'll have access to whoever is waiting to retrieve their data. And it's going to be a lot of data. So there are a lot of logistics involved to get access to only a few random person's data. And even if the hackers are smart enough to invoke the zip script for every single account, that's not something that will happen overnight.
Basically if they have access to your account or the Facebook servers, they already have access to everything on your profile or Facebook as a whole (respectively). So while this presents mild security issues, it's already assuming that everything is compromised
Re:A nice gesture of openness (Score:4, Informative)
I'll give them a break when they stop reseting options with new privacy policies or ToS that lowers the ability for users to lock down their accounts and defaults all options to the most open setting.
Over the summer, they added a "master control" which you can set to "friends only" (or several other settings). This will make all of your current settings "friends only" and will also make any future setting default to "friends only".
I'll give them a break when their account deletion process no longer requires users themselves to manually go through and delete everything they put on the website.
I don't believe this has been true for a while: https://ssl.facebook.com/help/contact.php?show_form=delete_account [facebook.com]
Re:You know (Score:4, Informative)
Re:A nice gesture of openness (Score:4, Informative)
Dude, it is one of the basic tenets in computer security to not click on links in e-mails that take you to websites where you enter login credentials.
Those kinds of e-mails are known as phishing and spear phishing attacks. They are very common and very dangerous.
Facebook has had no end of security problems. Now with the publicity that they will be sending out e-mails that have a link, wait a few days and see what hits in computer security news.
If you're going to train people to be security conscious, you can't half-ass it. "Don't click on e-mails that take you to websites where you enter login credentials" is most definitely the wrong message. Just because there are lots of phishing e-mails doesn't mean that every such e-mail is phishing, and it actually trains people to start drawing invalid conclusions: "well, this link didn't come by e-mail, so it's ok." Phishing websites can just as easily lead you to a malicious page where you enter your credentials.
What you actually need to be teaching people is to go to the link from the e-mail, grab the ssl certificate and check the the company name, the verifying authority, and the fingerprint. The independently go to the main website where the e-mail claims to be from, in this case Facebook, and see if the signature matches. If it does, you can type in your credentials. There is no half-assing this procedure. Anything short of it is vulnerable to the attacks you are so concerned about.
Re:No security concerns here... (Score:3, Informative)
The actual announcement [facebook.com] said "To protect your information, this feature is only available after confirming your password and answering appropriate security questions."
I'm not sure what that will involve, but if it's like the security challenge they've been doing when you sign in from abroad, you have to correctly tag 8 of your friends in unlabeled photos.