Facebook App Exposes Abject Insecurity
ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."
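The access model the summary describes, as an added example that is not part of the original post and is not Facebook's code: a toy Python model with constructed users in which an app inherits the view of whoever runs it, next to a variant that also checks a declared app scope and the data owner's consent. The `friend_app_fields` setting and the `scope` parameter are hypothetical controls introduced for illustration.

```python
"""Toy model of delegated app access on a social network (constructed data)."""
from dataclasses import dataclass, field

PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # field name -> (value, visibility)
    profile: dict = field(default_factory=dict)
    # Hypothetical owner-side control: non-public fields this user allows
    # apps run by *friends* to read. Empty set means fully opted out.
    friend_app_fields: set = field(default_factory=set)


def can_see(viewer: User, owner: User, fname: str) -> bool:
    """Ordinary person-to-person visibility check."""
    _, vis = owner.profile[fname]
    if viewer.name == owner.name or vis == PUBLIC:
        return True
    return vis == FRIENDS and viewer.name in owner.friends


def app_view_delegated(runner: User, users: dict) -> dict:
    """Model from the summary: the app sees whatever its runner can see."""
    seen = {}
    for owner in users.values():
        for fname, (value, _) in owner.profile.items():
            if can_see(runner, owner, fname):
                seen[(owner.name, fname)] = value
    return seen


def app_view_scoped(runner: User, users: dict, scope: set) -> dict:
    """Hardened variant: runner's view, cut down by app scope and owner consent."""
    seen = {}
    for owner in users.values():
        for fname, (value, vis) in owner.profile.items():
            if fname not in scope or not can_see(runner, owner, fname):
                continue
            third_party = owner.name != runner.name
            if third_party and vis != PUBLIC and fname not in owner.friend_app_fields:
                continue  # the owner never agreed to friends' apps reading this
            seen[(owner.name, fname)] = value
    return seen


def exposed_owners(view: dict, runner: User) -> set:
    """Users other than the runner whose data ended up in the app's view."""
    return {owner for owner, _ in view if owner != runner.name}


def build_network() -> dict:
    """Constructed sample: alice never installs any app; bob runs a quiz."""
    alice = User("alice", {"bob"}, {
        "birthday": ("1985-03-14", PUBLIC),
        "religion": ("constructed-value", FRIENDS),
        "wall": ("see you at the party on Friday", FRIENDS),
        "phone": ("555-0100", ONLY_ME),
    })
    bob = User("bob", {"alice", "carol"}, {"wall": ("took a quiz!", FRIENDS)})
    carol = User("carol", {"bob"}, {"photos": ("beach.jpg", FRIENDS)},
                 friend_app_fields={"photos"})
    return {u.name: u for u in (alice, bob, carol)}


if __name__ == "__main__":
    users = build_network()
    bob = users["bob"]
    delegated = app_view_delegated(bob, users)
    scoped = app_view_scoped(bob, users, scope={"wall", "photos"})
    print("delegated view exposes:", sorted(exposed_owners(delegated, bob)))
    print("scoped view exposes:   ", sorted(exposed_owners(scoped, bob)))
    for key in sorted(delegated):
        marker = "kept" if key in scoped else "blocked"
        print(f"  {key[0]}.{key[1]}: {marker}")
```
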
Really? (Score:4, Insightful)
Public information is public. News at 11.
Re:Really? (Score:5, Informative)
Re:Really? (Score:5, Insightful)
but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.
You're assuming that all these people only have 'friends' they actually know and trust.
If you put it up for others to see it, others will see it. It's that simple.
Re:Really? (Score:4, Insightful)
You're assuming that all these people only have 'friends' they actually know and trust.
If you put it up for others to see it, others will see it. It's that simple.
No, actually whether a user has friends they 'know and trust' is completely moot. On Facebook someone can have their information handed over to a 3rd party developer by anyone in their network, whether they're someone trusted or not. "A strange game. The only winning move is not to play."
Re:Really? (Score:4, Insightful)
I merely assumed that people putting up information specifically for the purpose of others reading it, will consider the fact that other people will read it.
You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.
Re:Really? (Score:5, Insightful)
But you might discuss them with your friends. Until you discover that your friend lets everyone on earth into their house any time they want (ie, run Facebook Applications) and one of those people (applications) has installed a listening device in the lamp and everything you thought you were discussing with your private group of friends is actually being directly pumped to some third party who is not your friend.
People throwing the "imagine that, information on the intarwebs is public!" line are being disingenuous. It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted. Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.
The nature of facebook, like many other things people use, implies a certain degree of privacy and control over your exposure. It's not at all the same as just blathering all your crap on a public forum for all of google to index and serve up somewhere.
Re: (Score:2)
It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted.
You have no reasonable expectation of privacy in your email communication.
Re:Really? (Score:5, Insightful)
You have no reasonable expectation of privacy in your email communication.
I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".
By that measure, you certainly do have a "reasonable expectation of privacy" for your email. For example, if your ISP started posting your emails to a public web page, you would have grounds for a lawsuit. Therefore, you can "reasonably expect" that your ISP won't do that.
Re:Really? (Score:5, Insightful)
You have no reasonable expectation of privacy in your email communication.
I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".
The trouble is that this is the first time in history when the three broad realms of "private", "semi-private" and "public" have been mixed together - and it baffles a lot of people.
In the past, if I sat on my toilet with the door locked, that was private. If I went out and spoke to some friends in a bar, that was semi-private (what I said might get around the village, but not much more), and public was pretty much impossible unless I became a politician or a journalist.
Now, however, it's very difficult to work out which state you are in at any one time, and what's worse, you often don't know what's public, which is a state that for the vast majority of humans, is totally new.
Re: (Score:2, Informative)
You have no reasonable expectation of privacy in your email communication.
That's only true in a business setting, and only in relation to your employer, on your employer's mail server.
Your employer has the right to read your email. You work for them, your email is basically your work product, and they can do whatever they want with it.
Your personal email account is another matter entirely. Your email can be subpoenaed, but that requires a court's intervention. Your ISP can't just post your email on a public web page and expect to get away with it. They can access your
Re: (Score:2)
Re: (Score:2)
Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.
Using online banking proves you're an idiot.
Re: (Score:2)
The content as a work belongs to the writer. The information contained within it does not. I can summarize a 1000-word email from you as "You slept with John's wife", completely violating your [incorrectly] expected privacy without violating your copyright.
Re: (Score:2)
You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.
ORLY?
http://failblog.org/2009/08/22/facebooking-win/ [failblog.org]
Re:Really? Really! (Score:2)
Re: (Score:2)
Mod parent up some more, 5 points isn't nearly enough.
Personally, I give less info to my "friends" than is commonly available as public information on Facebook. I don't use apps - most of them are too silly to bother with, and the rest are vectors for dataminers and/or malware. Who needs them?
Re: (Score:3, Interesting)
It would be really tough to have the type of security everyone wants, AND have these FB apps to be useful. Tradeoffs, guys. The whole idea in most of these FB apps is the sharing of data between friends, which means the Application will have access to much.
You could have fine-grained security controls exposed to the user, but this would make FB security confusing to most of its users, and it also would hamper the applications and what they
Re:Really? (Score:5, Informative)
As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.
Re: (Score:3, Informative)
The ACLU's app lies.
When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.
It doesn't magically grant the app more rights to see stuff than the user installing it already has.
Re: (Score:2)
The ACLU's app lies. When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.
Is that not what the summary already explicitly says? "Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too." That pretty much agrees with what you just said: the app your friend runs sees what your friend can see. The problem is, my friend's app is not my friend.
Re:Really? (Score:5, Insightful)
The problem is that even without you authorising any applications, as soon as any of your friends take a quiz, that application can see anything about you your friend can. The what length of wood is your dog like quiz has no need of this info, but it's not simple to disable its access.
You can turn off this behavior, but only if you don't have any applications authorised yourself (I have an application I have written to fill a box with content from an external site on one of my pages, I can't have this on my profile or access the developers network app AND block quizzes from reading my info at the same time).
Trusting all your friends/networks not to do things that will compromise your privacy is also a non-starter.
Re: (Score:2, Insightful)
Re:Really? (Score:4, Insightful)
What about providing a checkbox for users that says "don't give out my information to anyone but friends". I am a facebook user because of what I can only call peer pressure. I would like it if no one had access to my info except friends but facebook lacks that option. I don't care about apps so why can't I remove myself from this pool of data.
"But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button! "
The issue here is that if one of my friends trusts an app then they have access to MY data. Why should this be allowed with no way to turn it off. Like I said before, I don't want to participate in the app frenzy of facebook at all. I would be perfectly happy to lose the functionality of the apps for privacy.
"I think it's safe to say that never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general."
If that is what facebook and developers think about millions of people's private messages, photos etc they are going to be in for a huge struggle later. People don't realize their facebook info is up for grabs so easy. Once someone publicly demonstrates how much developers (anyone) have access to and the response from facebook is "you should have known" there is going to be a mass exodus from the service or demand for what I am advocating. The idea that information on the internet should be treated as public information is a flaw in logic and a step back for using the internet for more things (like healthcare). This is about security, permissions etc. You can keep information 'safe' on the net. I know hackers can get the info, but I am talking about not giving it out freely.
As a developer I get what you are saying. You can't provide functional apps without the data. You have to realize though that there are other perspectives, ones that may be more important than what a developer wants. As a customer of facebook, and possibly you and your apps I say I don't like what you want from me. That should be a red flag.
Re: (Score:3, Interesting)
Actually, facebook is very misleading in this way. There ARE options to make each element of your information *ONLY* available to friends. Or even to nobody.
Unfortunately, their Facebook Application API directly violates the spirit of that by making it available to people other than your friends.
The single most awful thing about facebook is the wealth of Applications. They're all crap and at best they're annoying. Every time I see some jack ass wasting my time (because it posts that they are using an app to
Re: (Score:2)
hmm, where have i heard this argument before....
anyway, if you give your friend a secret note then he accidentally allows a random third party to read it, who should you get annoyed at -- the friend, the third party, or the company which provided the paper for the note?
Re: (Score:2)
I agree with this in a manual transfer of the data. If your friend manually sends off your data to people then there is nothing you can do except not give that person your data.
What I have a problem with is the automatic transmission of this data via systems that your friends are not in charge of. I think the facebook example goes beyond the note example because of the way data is stored. Unlike in real life where physical walls block access to data, in the virtual world the "paper" provid
Re: (Score:2)
Wait ... there are useful Facebook apps?? ;)
Re: (Score:2)
You could have fine-grained security controls exposed to the user, but this would make FB security confusing to most of its users, and it also would hamper the applications and what they can do.
Hardly. at a base level, you have 3 settings: trust, trust that carries (I trust you to pick friends), and don't trust. Refining that somewhat, you can define groups you associate with - drinking buddies or whatever.
The cool thing here is that defining your membership in a finite group allows you to see info from the other people in that group, but it's really hard to get info from some random person because trust relations are not transitive: if i'm in a poker night group with 5 other guys, I can't hop to
Re: (Score:3, Insightful)
But most Facebook users are sheep-le who won't give a second thought to this kind of thing.
It's less so that they're "sheep-le" and more so that they are not aware of technology. It's kinda like sending your car to the repair shop when you don't know shit about cars. My friend recently got bilked out of $500 because he was told he had to replace his part with a "certified" component. My friend didn't know any better so he went with what sounded reasonable but in reality it was a rip off. The same goes for most users of facebook, they don't know jack shit about computers, the internet, etc. an
Re: (Score:2)
*sigh* I lack sympathy. Let me get this straight. I know jack about aircraft, but I'd like to own one. So, I trot my happy ass down to the airport, find a pretty plane (with PONIES even!) and hand over my hard earned cash. Climb in, fire it up, and drive it into the trees at the end of the runway. This is whose fault, exactly? Is it the guy who sold me a plane? Was it his responsibility to investigate my background, to find out whether I even had a pilot's license? Was it his job to teach me about p
Re: (Score:2)
If people are going to be on the web, they should at least have a clue about what the web is.
That would be nice, but face it -- if the only people who used the Internet were the people who had the time, brains, and inclination to understand how the Internet works, there wouldn't be an Internet.
Hell, I'm willing to bet that 75% of the people on this very site (subtitle: "News for Nerds") would have trouble identifying a privacy leak before they stepped in it. Myself included.
Re: (Score:2)
it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust
In particular, Facebook doesn't make much effort to encourage better privacy practices. They could, for example, have multiple access levels for apps. A "quiz" app doesn't actually need any access to information; all it needs is the ability to post a quiz results to your wall. That's what people expect it to do. But there's no way to tell if this is what it does or n
Missing the point (Score:2)
This is hardly the point. The main point is that people WANT TO and SHOULD be able to publish their information to those they choose, without it being spread to those with interests other than friendship. Normally, the only major leak in this is if you can't trust your friends. Now, there is also a leak in the basic communication infrastructure we're using. People are simply arguing that social networks like facebook have a certain responsibility to be trustworth
Re: (Score:2)
Re: (Score:2)
No. That's not good enough anymore. With the global reach, massive databases and indexing software available to most companies, it's no longer good enough to say that once your private data slips out that it's fair game for anyone to do whatever they please, whenever they like with it. I don't want Google or Facebook or anyone else spamming people who have just happened to send me an email. I don't want private companies data mining my address book and contacts list.
You say that once my data has become "pub
This is the worst part, in general (Score:4, Insightful)
Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.
The problem is that it's in the hands of all of your friends and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.
Re: (Score:3, Interesting)
have demonstrated a fairly reasonable approach to exploitation of personal information.
So as long as our personal information is only reasonably exploited, it's a-ok?
Re: (Score:2)
So as long as our personal information is only reasonably exploited, it's a-ok?
Yup, that's the deal. Facebook gets to use your personal information in certain more-or-less socially acceptable ways, e.g. to choose which ads they show to you, and in return you get unlimited use of the FaceBook site, without ever having to pay anyone any money.
That may or may not be a-ok for you, but FaceBook's users seem to find it acceptable; otherwise they presumably would not be FaceBook users.
TFTFY (Score:3, Insightful)
Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.
The problem is that it's in the hands of all of your "friends" and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.
Facebook friends are often not even acquaintances. They are not your friends, no matter how Facebook refers to them.
Re: (Score:2)
Facebook friends are often not even acquaintances. They are not your friends, no matter how Facebook refers to them
Surely that is up to the user who adds 1000 people who they once exchanged "lol" with, and now consider them as friends ?
How simple can it be ? If you don't want strangers seeing your sensitive info, either don't post the fucking sensitive info in the first place, or don't add strangers just because they once said "lol" at one of your comments.
This whole "friend of a friend" thing is nonsense t
Re: (Score:2)
some advice (Score:5, Insightful)
Re:some advice (Score:5, Insightful)
The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.
Re: (Score:2, Insightful)
Re: (Score:3, Funny)
The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.
The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. It's not like the person went into your house, pulled out your photo album and uploaded those photos. If you don't want to appear in a photo a person may or may not put online, don't go out in public. It's as simple as that
Re: (Score:3, Insightful)
The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. [...]
At least in Germany people actually do have such a right [wikipedia.org] (no English article linked, so I assume such a right does not exist in Anglo-American law). Besides, for me courtesy demands that I ask people for permission before I put pictures of them online. What seems harmless to you may get another person fired, disgraced or harassed.
Re: (Score:2)
In case somebody uploaded your photo without consent, you can have them remove it and/or sue them but the information is already published and nothing will change that fact.
And how can I know about every photo of me that has been published? How can I search for them? How do I even know when a photo has been taken - sa
Moreover.. even if you do find your picture posted (Score:2)
Moreover.. even if you do find your picture posted, the moment you ask that somebody remove it, you are likely to incite the Streisand Effect; and even 'the Slashdot crowd' will point and laugh at you and help disseminate the picture you asked somebody to take down.
Re: (Score:2)
Re: (Score:2)
Same is true in the States and Canada, insofar as I understand the implications of "rights of privacy and publicity".
Some pointless advice indeed (Score:2)
Or: Your privacy is only as good as the aggregate social stupidity of your friends.
I created a bogus ID and my image has already been tagged numerous times by other people who know my fake name (so it pretty quickly becomes a rather thin alias). Unfortunately a social site that only has me on it is not very useful (unless I want to have the social life of John Kaczynski).
This reminds me of a recent Onion article:
"Google Opt Out Feature Lets Users Protect Privacy By Moving To
Re: (Score:2, Interesting)
I generally agree with you, and therefore don't participate in social networking sites. However, I still think this is a problem insofar as Facebook claims to keep your information private.
To look at it another way, I don't have grounds to complain that my posts on Slashdot are being made public. I also don't think I have a lot of grounds to complain if Google wants to have automated systems reading my emails enough to feed me a relevant ad, since I know that's roughly their business model for providing f
Re: (Score:2)
Hell, I'm still struggling to keep some relatives from using websites to send me "e-greeting cards".
I have to periodically create throw-away email addresses just to email these individuals, who complain that they have to keep changing their address books to email me.
Facebook App Exposes Abject Insecurity (Score:4, Insightful)
Namely that of the users who seem to be obsessed with their not appearing popular enough, and adding as many "friends" as they can.
Re: (Score:2)
Making and keeping track of plenty of friends (by the facebook definition) is the point of facebook, according to the many people who patiently explained facebook to me.
Privacy is simple (Score:3, Insightful)
Don't publish/post anything that you wouldn't want made public.
Simple enough, people? Seriously.
Grow. The. Fuck. Up. Stop being retarded, paranoid jackasses. Facebook, et al., are out to make MONEY. That means collecting information, data, digesting it in some way, and then selling that information to advertisers/perverts/your mom/etc.
I just don't get why people are up in arms about "privacy" on a public website, even one with "private" areas. I mean, it's kind of interesting how people will put personal information on a public website and then build virtual walls around it to keep other people out.
Are you so embarrassed by your circle of friends/family that you really don't want other people to know?
Do you really think that you are such an interesting fucking nobody that everyone in the whole goddamn universe wants to know everything about you?
You are one nobody among a collective of nobodies. Deal. :)
Re:Privacy is simple (Score:5, Insightful)
I suppose the problem is one of trust - Facebook says "set your privacy controls and you'll be safe", and some people believe this! Not everyone is educated about the internet, they treat it as they would other people, not realising it's totally different. These people use Facebook.
Re: (Score:3, Informative)
Re: (Score:2)
I simply assume that no company/organization will ever do anything in my best interest unless I have a significant financial stake in it (and, even then...)
Re: (Score:2, Insightful)
Re: (Score:2)
So you add someone as a friend, so they *can* see all your gory details, but you don't want them to publish it or pass it on in any way ?
How exactly are you going to stop CTRL-C, CTRL-V ? Or even ALT-PRINTSCREEN ? Have Facebook apps disable your keyboard ?
The application "hole" is no more insecure than simply not adding strangers in the first place if you don't want them playing "Chinese Whispers" with your info.
Re: (Score:2)
The poster was most likely referring to incidents where someone whom you know outside of Facebook is posting things on the site that you otherwise would not want on there. While it would seem that the solution is to never tell these people these things in the first place, it is worth realizing that these people are in all likelihood giving the appearance of trust, and are even otherwise genuinely trustworthy. They would not report these things to random strangers outside of Facebook, but have been duped b
Re:Privacy is simple (Score:4, Insightful)
Facebook is incredibly popular and the start of your third paragraph shows that (aside from an inability to stop swearing) you can't comprehend what the general non-geeky public want from the internet. Social relationships are complicated - how you interact with your friends and what they know about you may not be the same for your family and for your work colleagues.
I'm not a big fan of facebook, but the people who use pejorative terms to dismiss it obviously don't understand it.
Re: (Score:2)
I would both agree and disagree. Yes, I have different social circles - work, friends, and family are three simple categories.
However, I don't see the point in putting artificial walls between these things. Yeah, I'm not going to automatically send party announcements to my colleagues, but I also don't really care if they know what I'm doing on the weekend. I'm pretty sure that they don't care, either. And, if I happen to do something embarrassing, reckless, or stupid, then I really should be more careful w
Re:Privacy is simple (Score:4, Insightful)
I think you have missed the entire fucking point of Facebook. Facebook is not about blathering your shit to every fucking moron on earth and acquiring as many "friends" as possible, but about communicating and keeping up with a select group of people that you have chosen to communicate with. For example, colleagues, family, and close friends.
I don't give a fuck about you or what you have to say day in and day out, but your mom might. Or your school chums. Or your best friend at the office. And since Facebook allows you to restrict your interactions to just these chosen people, you have a right to expect your communication to remain between those designated individuals.
You know, sort of the same way the telephone company is a commercial enterprise, but you have a reasonable expectation for your conversations to remain private. Or do you consider talking on the telephone to be blathering to the "whole goddamn universe", too?
Unfortunately, just like your mom probably is more prone to getting a virus on her Windows machine than you are, she's probably more likely to use a "what color are you?" facebook application and thereby put you at risk of exposure.
Again, it is simply disingenuous to trash people as being idiots for using services where security is inherently implied (and options to protect it are right there in the user preferences -- even though they appear not to be adhered to in this demonstration).
That doesn't mean you should share your most private secrets on earth anywhere online that is connected with your real identity. It just means that you shouldn't have to worry that your every piece of information is being sold out from under you when you thought it was just between yourself and the people in your circle. And if you have this attitude that you should *EXPECT* that from Facebook, then you should have that same attitude toward every institution you deal with from the place you bought your car, to your electric, phone, cable companies and medical providers. After all, if your bank's databases are cracked and the data stolen and sold out from under you, it's YOUR fault for being stupid enough to give your financial information to your financial institution, right?
Also, as much as I hate Twitter and Facebook and all these things (though I like LinkedIN), you at the very least are often obligated to sign up so that you can protect your identity from being used by someone *else*. And as much as I hate attention-whores, even they deserve an expectation of a certain degree of privacy in situations where that privacy is implied.
How convincing is the quiz? (Score:3, Interesting)
Could someone with a facebook account "review" this quiz?
I don't have a facebook account so I can't do much with it. But I would like to send it to friends and family that do have accounts. These people aren't the type to comprehend the ACLU blog, so I'd like to know just how well the quiz makes its point. Is my 20 year-old niece who 'friends' anyone who sends a friend request going to achieve cluevana by doing the quiz, or is the quiz no more meaningful to the unenlightened than the blog post that inspired it?
Re: (Score:3, Interesting)
Pretty convincing. It appears to show any of the information or photos I can see about myself or my friends. Presumably a very popular facebook app could harvest data on pretty well everyone in facebook, no matter their privacy settings.
Re: (Score:2)
It appears to show any of the information or photos I can see about myself or my friends.
I don't grasp how this is supposed to be an insecurity. It seems like the summary is "It can see whatever you can see". If it were "It can see stuff you otherwise couldn't see" then it would seem like a security concern, but as it stands it appears to be working exactly as intended and advertised. What am I missing?
Re: (Score:3, Insightful)
Because Facebook is supposed to limit your data to your friends and applications *you* choose to trust. But it doesn't give you any control over which data of yours is visible to an application installed by someone else in your network.
Therefore if your mum installs a rogue app then she gives away every piece of data she can view about all her friends and family (who happen to be on Facebook), including you. That's going to include most of your data on Facebook.
Therefore what the hell is the point of having
Re: (Score:2)
Or here's an idea: Provide a toolkit for building quiz apps that is easy enough to use that almost anyone could do it. Host all the separate apps on your webserver, and include code in every app generated by it that tracks people. Then you'd have dozens (hundreds?) of quizzes all feeding you information, all "built" by other people. With this you could basically recreate all of the information that Facebook has on its users.
For all I know this has already been done... these quizzes can't all be buil
TFA (Score:2, Interesting)
QUESTION 1: When you take a quiz on Facebook, what can the quiz see about you?
Only your answers to its questions.
Only information that is set as "public" on your profile.
Almost everything on your profile, even if you use privacy settings to limit access.
Correct!
Even if you have your profile information and content set to "private," quizzes can see almost everything that you share with your friends on Facebook: your politics and religion, embarrassing photos, comments you leave on your friends' Wall. It doesn
Re: (Score:2)
I've no clue what the Men in the Black Helicopters want with a bajillion pictures of people in semi-compromising situations and a ton of half-thought out wall posts and other such drivel, but there we are.
Not necessarily MitBH. Could also be geeks looking for suitable mates to get laid.
Re: (Score:2)
Yours Truly,
- MitBH
(No need for me to post AC - nobody messes with me now that I have a black helicopter.)
Yes, ordinary people are stupid regarding privacy (Score:5, Interesting)
But here is what Facebook tells their users:
Yeah, there is a lot of 'small print' too, but why wouldn't the average user expect the information they put on Facebook to be private, unless they change some (default) setting?
Re: (Score:3, Insightful)
No, "Private" as in "only friends I have chosen to share information with", not as in "and every application that they are stupid enough to install".
And you are missing the point
No one is "feeding the information" to an application. The application is sucking the information without anyone being aware of it.
The solution is simple:
Whenever one of my friends grants an application access to my data, Facebook should ask me:
"You have chosen NOT to share information with applications on Facebook. Your friend XYZ
Re: (Score:2, Insightful)
That's drawing a distinction that doesn't exist. If you give a friend access to your profile they can do anything with that data; this just makes it more immediately clear.
The application is sucking the information without anyone being aware of it.
No; the friend will get asked when they run the application, effectively "do you want to give this access to any
Is the ACLU recommending surgeon general's warning (Score:2)
Facebook "security" is a joke (Score:2)
Facebook might as well be regular web pages out in the open.
However, I don't see what the ACLU has to do with any of this.
Tracy sure didn't get it... (Score:3, Funny)
Tracy [failblog.org] apparently had some trouble with the concept of "privacy" (or lack thereof) on Facebook...
Re:Tracy sure didn't get it... (Score:4, Informative)
Tracy's account was hacked by 4chan.
4chan hacked a Christian dating site, and got a list of details and passwords contained on its servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and Facebook or if some other step was involved), but they used this to gain access to hundreds of Facebook accounts.
They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.
Don't blame Tracy. She didn't post that.
Blame the Christian dating site for insecurity.
Blame 4chan for being 4chan.
Disabled (Score:2, Informative)
Facebook/Firefox fail (Score:4, Informative)
That Facebook quiz page puts Firefox 3.5 into a loop at:
"Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"
FAIL.
Re: (Score:3, Insightful)
So it's impossible to take a Facebook quiz using Firefox 3.5?
That's a feature, not a bug.
Oh NOES (Score:2)
Someone I don't know is gonna see that I told a friend I really loved Brazil!
Is "abject insecurity" what you get when... (Score:2)
...you combine object-oriented and aspect-oriented development?
Linux App Exposes Abject Insecurity (Score:2)
Now, a developer has written a Linux 'Utility' based on the Facebook paranoia, which graphically illustrates all the information a normal application can get its grubby little hands on. It opens your e-mail, and prints out all the stuff your friends have sent you. Then it opens your IM program, and prints out all your friends' profiles. And their web sites. And, like, OMG, the links to their favorite games they sent you!
Seriously folks. We're getting riled up over the idea that applications run with the pri
Re: (Score:2)
The problem is that such an app should not be able to see everything that user's friends have designated as private, because that app is not anyone's "friend".
Again, unlike real applications. Where the application gets all the access of the running user.
The Facebook apps shouldn't get higher privileges than actual human beings.
I see no indication that this particular piece of paranoia is true. Please point me to evidence that a friend's application can ever have more access than the friend does.
Re: (Score:2)
Er... (Score:2)
Allowing "What Do Quizzes Really Know About You?" access will let it pull your profile information, photos, your friends' info, and other content that it requires to work.
Allow or cancel
I decided to click "Cancel". Oh damn, the quiz does not work now!
Wow, facebook is TEH EVIL! how dare they ask me if I want to run the quiz or not!
Re: (Score:2)
I think many people would make the reasonable assumption that the app will only get the information that is required for it to work. That is what the warning says, after all. But that is not true. The app has full access to everything you can see, whether it needs it or not. Why in the world should a stupid poll need to see my (and my friend's) photos?
This is the crux of the problem. It suggests apps have limited access (based on need) when they really have unfettered access. I assume that the bar to
This is not lack of security (Score:2)
Re: (Score:3, Funny)
Don't look now, but I think they achieved Step 3 without Step 2.
Re: (Score:2)
Not quite--
THAT is the problem as I understand it: apparently you can't deny information to apps that your friends have authorized but you have not.
Re: (Score:2, Informative)
Actually you can:
http://www.facebook.com/home.php#/privacy/?view=platform&tab=other [facebook.com]
Simply untick all the boxes there.
Re: (Score:2)
Ah, I stand educated. Thank you.
If that page works as advertised, it needs to be displayed more prominently here. (Mod parent up?)
Re: (Score:2)
Simply untick all the boxes there.
Hmm. "You are unable to fully opt out of sharing information through Facebook platform because you are currently using applications build on Platform. To enable this option, you need to remove any applications you have added, and remove your permissions to all external applications that you may have used".
Sounds like you can have either privacy, or the use of FaceBook applications, but not both.
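The disagreement running through this thread comes down to which authorization rule a third-party app's read should follow. The sketch below is an added example, not part of any comment and not Facebook's API: it is a simplified model with hypothetical names (`User`, `app_read_inherited`, `app_read_owner_consent`) and constructed sample data, comparing the inherited-privilege behaviour commenters describe with a rule that also requires the data owner's own authorization.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)         # names of accepted friends
    profile: dict = field(default_factory=dict)       # field -> value
    audience: dict = field(default_factory=dict)      # field -> "public" | "friends"
    authorized_apps: set = field(default_factory=set)

def visible_to_person(viewer, owner):
    """Fields of owner's profile that viewer may see as a human reader."""
    shown = {}
    for key, value in owner.profile.items():
        scope = owner.audience.get(key, "friends")     # default to the stricter scope
        if viewer is owner or scope == "public" or viewer.name in owner.friends:
            shown[key] = value
    return shown

def app_read_inherited(app, runner, owner):
    """Behaviour described in the thread: the app sees whatever its runner sees."""
    if app not in runner.authorized_apps:
        return {}
    return visible_to_person(runner, owner)

def app_read_owner_consent(app, runner, owner):
    """Stricter rule: friends-only fields also require the owner's own authorization."""
    seen = app_read_inherited(app, runner, owner)
    if app in owner.authorized_apps:
        return seen
    return {k: v for k, v in seen.items() if owner.audience.get(k, "friends") == "public"}

def demo():
    # Constructed sample data: "you" never authorized the quiz, "mum" did.
    you = User("you", {"mum"}, {"name": "Y. Ou", "photos": ["beach.jpg"], "politics": "private view"},
               {"name": "public", "photos": "friends", "politics": "friends"})
    mum = User("mum", {"you"}, {"name": "Mum"}, {"name": "public"}, {"quiz"})
    stranger = User("stranger", set(), {}, {}, {"quiz"})
    return {
        "via_stranger": app_read_inherited("quiz", stranger, you),
        "via_mum": app_read_inherited("quiz", mum, you),
        "via_mum_consent": app_read_owner_consent("quiz", mum, you),
    }

if __name__ == "__main__":
    for case, fields in demo().items():
        print(case, sorted(fields))
```

Under the inherited rule the quiz reads every friends-only field through the friend who authorized it; under the owner-consent rule the same request returns only the public field.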
Re: (Score:2, Insightful)
You miss the point of Facebook, entirely. It's about sharing information with a controlled group of people you have chosen; not every person on the planet who wants it. The problem here is that a site promotes itself as a place you can associate and communicate with a selected community of people that you have individually selected and granted access to and all of its literature promotes the ability for YOU to have CONTROL over your information and interactions (otherwise, they'd just keep using Myspace or
Re: (Score:2, Insightful)
Facebook and its apps work exactly as advertised. It is a site that's ALL ABOUT SHARING INFORMATION, and guess what, that's what it does. When you take a quiz or use an app, it tells you you're granting it access to lots of stuff. I forget the exact wording, but none of this is a surprise. It takes all of a few minutes looking through the developer docs to see that if you write an app, you get access to, well, yeah, everything.
The problem here is that some people sign up on a site that exists to share personal information, run apps that give away personal information and tell you they're doing it, and are then surprised.
No, that's not the problem. The problem is that when Facebook creates a privacy setting that says "Only Friends" can view the information, that's exactly what should happen: Only friends should be able to see it. It's true that the applications all have a disclaimer saying that they can see and use friends' information, but one can easily understand the cognitive dissonance created when Facebook, on the one hand, tells you that you can designate information as private, and on the other, allows applicatio
Re: (Score:2)
You may wisely choose to never be friends with "SociopathicStalker53" and thereby keep your information away from them. But if they write a cutesy "quiz" that one of your friends decides to run, despite your precautions you're fscked anyway.
And this state of affairs is entirely Facebook's fault, because it's baked in to th
Re: (Score:2)
It technically is the case - FB has very strict regulations about what you can and can't keep, and for how long.
Essentially, any personal information outside of a user's username is 'illegal' to keep for more than 24 hours.
This includes name, birthday, relationships (friends, friends of friends, etc), photos, posts, updates, etc.
This also covers your app pulling that information and prefilling forms with it.
However, it's obviously impossible to police all of this: if you as a viewer can see information, the