Facebook Implements 'Download Your Profile' Option
eldavojohn writes "Facebook is rolling out some new changes (including groups) that are supposed to liberate user control. But something that might interest Slashdot readers even more is that they now allow you to download all your information from Facebook. That's everything — all your posts, pictures, videos, friend lists, etc. A video from David of the Open Source team at Facebook explains how it will work, although I don't see that option on my profile yet (they are slowly rolling it out). There's not a lot of details yet, but they at least require you to click a link from an e-mail and reenter your password to get this (to avoid spambots harvesting everyone's data and careless use of public computers resulting in data leaks). Perhaps competitors like Diaspora would be interested in using this base information to germinate user seeds?"
A nice gesture of openness (Score:1, Insightful)
Well this certainly makes it much easier to move your nonsense-data around, but how long until all the data is available on piratebay?
Re: (Score:3, Interesting)
Unless your account (or their servers) get hacked, it would only show up if you put it on there yourself...
Aside from being able to back up everything, it would be interesting to do this and read some early correspondence on the service.
Re: (Score:3, Insightful)
Nice move on Facebook's part to help train their users to click on links in e-mails that take them to websites to enter authentication credentials.
Re:A nice gesture of openness (Score:5, Insightful)
Re:A nice gesture of openness (Score:5, Insightful)
Those kinds of e-mails are known as phishing and spear phishing attacks. They are very common and very dangerous.
Facebook has had no end of security problems. Now with the publicity that they will be sending out e-mails that have a link, wait a few days and see what hits in computer security news.
Re: (Score:1)
They would only send these e-mails if you, as an authenticated facebook user, clicked the "Download my account" link.
So an adversary would have to time extremely well the sending of the spam link in order for the user not to be suspicious.
Even then, if facebook wanted to further deter account download masquerade phishing, they could prompt for some kind of comment at the point of requesting an account download, which they could recapitulate in the e-mail to show the request was legitimate and came from you.
Re: (Score:2, Insightful)
Re: (Score:2)
Re:A nice gesture of openness (Score:4, Insightful)
Re:A nice gesture of openness (Score:4, Informative)
Dude, it is one of the basic tenets in computer security to not click on links in e-mails that take you to websites where you enter login credentials.
Those kinds of e-mails are known as phishing and spear phishing attacks. They are very common and very dangerous.
Facebook has had no end of security problems. Now with the publicity that they will be sending out e-mails that have a link, wait a few days and see what hits in computer security news.
If you're going to train people to be security conscious, you can't half-ass it. "Don't click on e-mails that take you to websites where you enter login credentials" is most definitely the wrong message. Just because there are lots of phishing e-mails doesn't mean that every such e-mail is phishing, and it actually trains people to start drawing invalid conclusions: "well, this link didn't come by e-mail, so it's ok." Phishing websites can just as easily lead you to a malicious page where you enter your credentials.
What you actually need to be teaching people is to go to the link from the e-mail, grab the SSL certificate and check the company name, the verifying authority, and the fingerprint. Then independently go to the main website where the e-mail claims to be from, in this case Facebook, and see if the signature matches. If it does, you can type in your credentials. There is no half-assing this procedure. Anything short of it is vulnerable to the attacks you are so concerned about.
Re: (Score:1)
Re: (Score:2)
Whoosh.
All that and it didn’t even occur to you to point out how much easier it’d be to just double check to make sure the domain name in the URL in the address bar was correct; barring the possibility of DNS poisoning it’d be just as safe...
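The address-bar check suggested in the comment above can also be applied to the links in a message before anything is clicked. This is an added example, not part of the original thread and not Facebook's code; the sample e-mail, its hosts and the `download` path are constructed for illustration. As the comment notes, a host-name check does not cover DNS poisoning.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "facebook.com"  # the site the e-mail claims to be from


def check_link(url, expected=EXPECTED_DOMAIN):
    """Return (ok, reason) for one link target."""
    url = url.strip()
    if "\\" in url:
        # Browsers treat "\" as "/" in http(s) URLs; parsers disagree on it.
        return False, "backslash in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # https://www.facebook.com@other.example/ really goes to other.example
        return False, "userinfo before host"
    if not host:
        return False, "no host"
    host = host.rstrip(".")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalized host, possible look-alike"
    # Exact match or a true subdomain; "notfacebook.com" must not pass.
    if host == expected or host.endswith("." + expected):
        return True, "host is under " + expected
    return False, "host is not under " + expected


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def audit_email(html, expected=EXPECTED_DOMAIN):
    """Return [(visible_text, href, ok, reason)] for every link in the mail."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    report = []
    for href, text in collector.links:
        ok, reason = check_link(href, expected)
        # Link text that names the expected site while the target is elsewhere.
        if not ok and expected in text.lower():
            reason += "; link text names " + expected
        report.append((text.strip(), href, ok, reason))
    return report


# Constructed sample message: one genuine-looking link and four look-alikes.
SAMPLE_MAIL = """
<p>Your download is ready.</p>
<a href="https://www.facebook.com/download?id=EXAMPLE">Get your archive</a>
<a href="https://facebook.com.account-export.example/dl">www.facebook.com/download</a>
<a href="https://www.facebook.com@login.example.net/dl">Download</a>
<a href="http://www.facebook.com/download">Download (plain http)</a>
<a href="https://www.f\u0430cebook.com/download">Download</a>
"""

if __name__ == "__main__":
    for text, href, ok, reason in audit_email(SAMPLE_MAIL):
        print("OK  " if ok else "FAIL", reason, "<-", ascii(href))
```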
too complicated (Score:2)
"check SSL certificates". Yeah, right. I'm sure that this is the easiest concept to teach to non-computer people.
Just ask them to always log in manually by typing the site's home page (www.facebook.com, www.ubs.ch, etc.). If it's really something important, it will be available there too.
Don't mess with explaining to them small details of computer security they don't grasp.
Re: (Score:3, Insightful)
You're doing it wrong. Or at least applying it wrong. In your want to find something incorrect with Facebook you're ignoring the fact that sending an email to the user to confirm they are who they say they are before they are allowed to do things like change their password or download all their data is a tenet of website security in and of itself. These emails are always accompanied by the message "If you did not request this change/email then disregard this message and contact our fraud/tech/blah departme
Re: (Score:3, Interesting)
Spear phishing is phishing targeted at a single individual. Since it's in Wikipedia and all over the Interwebs and all those black hatted types talk about it, I'm guessing the poster didn't make it up. Then again maybe he is one of those black hatty, Wikipedia writing trolls making s***t up in a conspiratorial way. You never know ...
Re: (Score:2)
I'll give them a break when they stop resetting options with new privacy policies or ToS that lowers the ability for users to lock down their accounts and defaults all options to the most open setting.
I'll give them a break when their account deletion process no longer requires users themselves to manually go through and delete everything they put on the website.
Given FB's history, a move like this makes me wonder what detrimental change they're also doing. I'm guessing the resetting of privacy options.
Re: (Score:1, Insightful)
I was speaking with a bartender in the airport the other week.
He said he'd discovered what happens if he googles himself ... he gets loads of links into Facebook that he and others have put up, and that he had assumed was private.
He subsequently went through and deleted everything and filled in the profile with garbage information.
When a bartend
Re:A nice gesture of openness (Score:4, Informative)
I'll give them a break when they stop resetting options with new privacy policies or ToS that lowers the ability for users to lock down their accounts and defaults all options to the most open setting.
Over the summer, they added a "master control" which you can set to "friends only" (or several other settings). This will make all of your current settings "friends only" and will also make any future setting default to "friends only".
I'll give them a break when their account deletion process no longer requires users themselves to manually go through and delete everything they put on the website.
I don't believe this has been true for a while: https://ssl.facebook.com/help/contact.php?show_form=delete_account [facebook.com]
Re: (Score:2)
Wait, you mean people have only been reporting negative things about FB and largely left out anything positive that they have done?
Alright, well... there go my arguments. *Tips hat*
Re: (Score:2)
I deleted an account a few months ago and when I recently accidentally logged in to it, Facebook welcomed me back and all the info I had in my profile was still there. When I ask to delete my account, I mean everything.
Re: (Score:1)
Re: (Score:2)
Every heard of phishing, bro? This is the most common tactic used by phishers to gain info to stuff like bank account or website login info. Bad idea by Facebook in terms of the implementation, not necessarily the concept.
Re: (Score:2)
Ever, not every. Need to increase (or drastically decrease) the coffee intake.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Well, the idea is probably to use the email as additional security so that even if someone has your password, he cannot use this function, because you get a mail.
However, they could just send a unique code which you have to enter at the facebook get-data page, without a link. You already navigated to that page (otherwise you'd not have gotten that mail), and if you closed it in the mean time, you know how to get back there (after all, you found it once; and if you fear to forget how to get there, just book
Re: (Score:1)
Re:A nice gesture of openness (Score:4, Insightful)
I would think the email with the link would be sent to the user in response to a request of some sort. You know, you request your data, they email you a link to get it ...
Have you never forgotten the password you use for an infrequently-visited site and had them email you a temporary one? This sounds like the same thing.
Re: (Score:2)
It also seems you are right - the user requests the download and then Facebook e-mails a link. It's not in the Computerworld story but is in the YouTube link to an explanation.
To Reiterate! (Score:5, Informative)
Unless your account (or their servers) get hacked ...
If your account gets hacked, they still need to have your e-mail hacked. The link to download the zip file is later sent to your e-mail address when the processing is done. Zipping up videos and images takes a while so basically you request this data and they put it in a queue and an hour/day/week/month later you get your data to download e-mailed to you in a link and you re-enter your user password. I thought I described this in my summary but that means that even if your account is hacked they would need access to your e-mail and for quite some time unless you had already requested it and left that e-mail in your account. Yes, this means that if they know the e-mail associated with your Facebook account, they can just hack that and then request a new Facebook password sent to that account and then initiate the profile zipping.
... it just presents the possibility that a hacker could more easily zip up your data ... and then that requires time ... and access to another resource of yours. For me, this risk is acceptable considering the benefit involved. As I mentioned, I suspect this will allow you to move the history of your profile to another site, which is really really good.
Let's say their servers get hacked. Well, the data is still not zipped up unless they are retaining that data after someone requests it. So at most they'll have access to whoever is waiting to retrieve their data. And it's going to be a lot of data. So there are a lot of logistics involved to get access to only a few random people's data. And even if the hackers are smart enough to invoke the zip script for every single account, that's not something that will happen overnight.
Basically if they have access to your account or the Facebook servers, they already have access to everything on your profile or Facebook as a whole (respectively). So while this presents mild security issues, it's already assuming that everything is compromised
Re: (Score:3, Insightful)
To be fair, we are probably talking about people who use the same password for everything.
So What Is the Real Issue? (Score:2)
To be fair, we are probably talking about people who use the same password for everything.
Well then in your suggested case, to be fair, where is the real security issue? Is it Facebook or is it the user?
The best and most flawless computer security systems will always have a human being as a security hole. The best 'hackers' reported in the news these days are those that use social hacks like sweet talking and shoulder surfing to gain access to very secure systems.
I wouldn't go around faulting Facebook for catering to the lowest common denominator. Their security measures are okay.
Re: (Score:2)
Well, I was mostly addressing the fact that if someone was able to "hack" a facebook account, there is a high probability that the account password will match the email account that is associated with the facebook account.
It's the users' fault for re-using passwords which aren't that great, and it's the users' fault for posting all their personal data on facebook, too. So, yeah, it's the users' fault. It usually is.
Re: (Score:2)
Hey, 1, 2, 3, 4, 5 is easy to remember.
Re: (Score:2, Funny)
Hey, 1, 2, 3, 4, 5 is easy to remember.
Yeah, but it's very insecure, because everyone knows that sequence. That's why I use 5, 4, 3, 2, 1 instead.
Re: (Score:3, Insightful)
If I hack your FB account, can't I change the email associated with it?
Yeah But You Get a Notification with Revert Option (Score:4, Insightful)
If I hack your FB account, can't I change the email associated with it?
Yes, but the original e-mail address associated with your account gets e-mailed a notification allowing that to be blocked and if you do block it you have to change your password:
Now, you'd probably prefer that the original e-mail address has to okay the transition but that's how they have it implemented. So you're right, they could change the account associated with it if they know your Facebook password (it asks you at every step of the way). Then they could request the zip and wait to get the e-mail. But if you checked your e-mail in that time and canceled the new e-mail and changed your password you'd be safe.
That's definitely something they could do -- block the request of a new e-mail until an old one is okayed. But then you run into the trouble of someone hacking your e-mail account and gaining access to your Facebook account that way. In that case, they could change your Facebook account over to their e-mail account and then okay it in your hacked e-mail account. Once that's done, how would you reclaim your profile? They would always have the account associated with it.
Also if your old e-mail gets hacked and you have no way of getting it back, you're kind of at the mercy of the person who has your old e-mail as you'll never be able to change the e-mail address associated with your Facebook status and if you do, you'll tip them off that they also have your Facebook account to do with as they please.
What it usually boils down to is if your account is compromised, your account is compromised.
Re: (Score:2)
Re: (Score:2)
Even now, (not sure about FB), some sites realize that you may not have access to your old email account. A DoS to the old FB email (send a bunch of spammy, mostly legitimate looking 'someone hacked your FB account' emails, but with .ru links), will get most people to ignore the 'real' one, preventing them from noticing the change of email on their account.
Re: (Score:2)
They implemented this code/functionality so that when requested they have an automated way to provide the entire details of an interested party's account to whatever law enforcement agency requested it. In a grand PR scheme, they figured that it would eventually be leaked this functionality exists, so they present it as a feature to users who then get used to the idea of it being possible. So finally, later on, when it is discovered that they send those pretty pr
Re: (Score:2)
Well this certainly makes it much easier to move your nonsense-data around, but how long until all the data is available on piratebay?
Install the Facebook application "Access others private profiles" and give it full access rights to your account, I heard that'll do the trick!
Re: (Score:2)
Well this certainly makes it much easier to move your nonsense-data around, but how long until all the data is available on piratebay?
I guess that depends on how long it takes a clever virus to start looking for traces of these downloads on someone's PC and start harvesting the information. My guess is less than 60 days ... but it may not be on PB first as I'm sure there are other 'markets' for this type of information.
Re: (Score:2)
No security concerns here... (Score:5, Insightful)
Re: (Score:1, Insightful)
It would have to be a permanent disabler then, or at least require external verification to re-enable (email/text/voice message ID, whatever). Not that there's much point in disabling it anyway... webpage scraping isn't that hard.
Re: (Score:2, Insightful)
Re:No security concerns here... (Score:5, Insightful)
I'll have to give FB credit here where it is due. There have been major complaints that your FB data isn't portable, so they have you stuck in a lock-in. This is clearly a response to those complaints. I'll be the first to hate on FB, and I still don't have an account, but we can't have it both ways bro. This brought me one step closer to signing up.
Re: (Score:2)
Now the phishers can just mock up the Facebook e-mail. Click [this link], and enter your Facebook password to finish downloading your information. If you didn't request a download, click [this link] and enter your password to change your settings and prevent this from happening in the future.
Re: (Score:3, Informative)
The actual announcement [facebook.com] said "To protect your information, this feature is only available after confirming your password and answering appropriate security questions."
I'm not sure what that will involve, but if it's like the security challenge they've been doing when you sign in from abroad, you have to correctly tag 8 of your friends in unlabeled photos.
You know (Score:5, Informative)
Re:You know (Score:4, Informative)
Re: (Score:3, Insightful)
Probably because no one was using it. Combine that with their desire to add new features that would break that kind of functionality, and I can see why they wouldn't want to continue to support it.
Re: (Score:2)
And are replacing it with a much more robust option in 2010.
So what's your point?
Re: (Score:2)
Facebook used to have a feature to dump your entire profile and contacts list as a csv. They removed that in the fall of 04.
The Give Me My Data [givememydata.com] app has been working pretty well for me. If I remember to use it...
Diaspora (Score:4, Interesting)
Perhaps competitors like Diaspora would be interested in using this base information to germinate user seeds?
Maybe, but it already looks like Diaspora development is starting to slow down. OK, there have been some commits today, but I expected to see more activity than what's currently going on.
Remember when the source to Gish was released? A lot of activity and releases for about a fortnight and then nothing...
Re: (Score:1, Interesting)
I've got no faith in the Diaspora project. From what I hear, it's a slow, buggy conglomeration that doesn't even really solve the problem at hand. It requires an obscene amount of gem dependencies, and it doesn't even run on Apache. It seems like it was more of an exercise in raising money by crowd sourcing, because this project is turning out to be bigger vaporware than DNF.
Re: (Score:2)
Well, The Response Was a Bit Harsh ... (Score:4, Insightful)
Maybe, but it already looks like Diaspora development is starting to slow down. OK, there have been some commits today, but I expected to see more activity than what's currently going on.
Well, following the release of the Diaspora source code everyone did kind of rip them apart [slashdot.org] (myself included [slashdot.org]). We all sort of hoped that such criticism would be constructive and the developers would redouble their efforts or seek more help or new developers would aid them.
It's equally likely that after receiving black eyes instead of kudos, developers left Diaspora in droves. It might end up being a failed project with important lessons learned [slashdot.org].
Re:Well, The Response Was a Bit Harsh ... (Score:5, Funny)
It's equally likely that after receiving black eyes instead of kudos, developers left Diaspora in droves.
If only there were a term to describe it when people suddenly flee en masse from a larger group of people and/or location.
Re: (Score:1)
It's equally likely that after receiving black eyes instead of kudos, developers left Diaspora in droves.
If only there were a term to describe it when people suddenly flee en masse from a larger group of people and/or location.
fork?
Re: (Score:2)
Re:Diaspora (Score:5, Interesting)
Even if diaspora dies, Appleseed is still around
http://www.drumbeat.org/project/appleseed-social-networking [drumbeat.org]
Wow... (Score:2, Insightful)
So now hackers have even more reason to go after your Facebook account. All that data in one nice, neat little download? Hacker's paradise.
Re: (Score:1, Interesting)
Your stupidity is astounding. A 2 second Google search shows that people do indeed care about hacking into Facebook accounts, so I'm guessing you just pulled that out of your ass because, well if you think it, it must be true!
Information is everything these days. It would also be easier for a spammer to break into your account and get one nice neat little download instead of scraping back years of data.
This tool is a download option for the average user. It's also a giant gaping security breach waiting to ha
Re: (Score:2)
On the other hand, scraping is much safer because it doesn't send the user an email account with either the link to the download (which the spammer would have to somehow get access to) or a confirmation to change the email address.
Both would get the user suspicious and possibly cancel the request and change the password.
Scraping, as long as you have the password, is much safer. Yes, it may take a while, but that's what webspiders are for. At least the user won't be contacted to confirm a request.
Re: (Score:1)
Chances are if they have the FB password they already have access to the user's e-mail account. Let's face it, the average user uses one password for most of their online services. Why scrape when you can just download everything in one shot? If the download doesn't work (i.e., the user was smart enough to use different passwords) then fall back to scraping the old fashioned way. You can even confirm access to the e-mail account before trying the download, meaning it would be risk free to try.
Re: (Score:2)
Yes, but how is that a "giant security hole" compared to what they could already do? Being able to download all at once doesn't really change the fact that they'll get the data. It doesn't make FB any less safe than it was.
Re: (Score:1)
They can download all of the data, almost instantly, and store it offline or release it into Torrentland. Scraping takes time, and prolonged access to the account. Now they only need access for a few minutes and they have everything. Changing your account password won't help since they already have everything they need and can freely and safely browse it offline.
I can totally understand why they made this move, and overall it is probably a good thing (Makes getting away from FB when it comes crashing down a
Somehow (Score:2)
This makes me glad to know that I will soon be able to download your profiles. They got the name just right.
This could be a game changer for Apple (Score:3, Interesting)
...because right now, their Ping thing is utterly useless. Downloading all your FB data, in particular, contacts, might make it easier to get started with Ping.
High times from the past (Score:4, Insightful)
What about messages? (Score:3, Interesting)
ALL of your data? (Score:4, Insightful)
allow you to download all your information from Facebook
The question is, does it really allow you to download all of your data? Does it let you download everything anyone has ever posted on your profile? If it did, this could give you some idea of what Facebook has stored about you.
Re: (Score:2)
And not to forget everything others have entered about you.
Yeah but, When Can I Delete It? (Score:1, Funny)
I don't want to have to continuously delete tags of myself, remove posts from my wall and other annoying things while I'm trying to stay off FB. It's like a god damned disease you can't get rid of. Worse yet, my wife's profile has the delete option but she's not about to use it.
-jp
Also (Score:5, Interesting)
There are thousands of complaints posted about this already.
It doesn't take much imagination to see how not having this feature when one is expecting it can lead to comedy.
but.....the cloud! (Score:5, Interesting)
This is absolutely shocking. For the past few years it seems every article I have read has advocated that data be solely kept 'in the cloud' and that users will never need to download their data to a personal machine ever....
'The Cloud' is hype. Just like all the other hyped techs in the last 15 years (ATM will change networking, Java will be our OS, thin clients will rule the business world).
I do think it will be interesting if real competition comes to FB how this will be used to transfer data.
Re: (Score:2)
They still don't need. They can. It's different.
Not that I disagree about the hype.
Great news - groups too (Score:3, Interesting)
I can't think of any compelling reason for Facebook, as the clear market leader, to provide this service. I'm glad they did though, and it makes me feel a lot more comfortable about posting pictures, etc. there for family members without having to keep a mirror somewhere else.
I saw they're also adding some type of sub-networks or groups, so you can make a post about video games and leave out your parents, or congratulate someone about a job offer without including their coworkers. I can think of a lot of tricks to making a good implementation of this, so can't wait to see how they did it.
Those are probably the two most important features that have made me frown on facebook, so seeing both in one day is a big surprise.
Re: (Score:2)
One could do that previously using Lists. However, Groups adds a "group space" for shared group content and group chat.
Re: (Score:1)
Re: (Score:2)
Maybe the second sentence is a reply to the first? For most people it doesn't matter, but for some, being able to move in the future makes them more likely to join now.
Thank you Facebook (Score:5, Insightful)
Re: (Score:2)
Give users a quick link to display a -clean- Facebook page and news feed. A lot of people are getting fed up with seeing non-stop wall posts for farmville and news feed items and application requests. I've known several people to leave the site for this exact reason. Sure, you can block various applications from showing up on your news feed, but as far as I know you can't hide them from other people's pages. Even if you could do this, it would be tedious to constantly filter
Security (Score:1)
How long until spambots start sending you messages looking just like the one from Facebook directing you to a fake URL?
Probably to make Facebook more useful... (Score:4, Insightful)
Facebook has 500 million users. At this point, they have few places to go, but down is a very likely possibility if they don't extend themselves into the fabric of the net and collaborate so they will always stick around in some form or another. Zuckerberg reportedly even made a contribution to the Diaspora guys in an undisclosed amount because he thinks the idea has merit... or, more likely, he wants to make sure there's cross-compatibility for years to come.
One other point, sort of tangential to the topic... Some of the comments in preceding discussions about Diaspora keep falling back on the "oh sure four guys in a garage with no professional experience EVER got a project off the ground" sort of sarcasm. Ok, I know it's all wonderful and cool to us nerds to rely on sarcasm and cynicism, but a little perspective should be in order as well: Facebook, Apple, Google, Yahoo and other "garage" startups... There's a reason there's only a handful of them. There are a ton of coders, but not everyone is Harvard educated, massively talented, in the right place at the right time or any combination of these. Not every coder who thinks he has a great idea can execute... ... Conversely, not everyone needs to be a Sergey Brin, Mark Zuckerberg or Steve Wozniak. In this Age of Entitlement, we all like to think life is a choice between either being rich or being nothing... but there's plenty of respectable room in between, even if all your project does is get you solid employment at someone else's company.
500 million users? (Score:1, Interesting)
No, they have 500 million *user accounts*.
Many of which are fake (spammers) or empty.
I guess they'll do anything.... (Score:2)
Anything at all to make people think they actually own and control the things they post to Facebook.
See? I can get it all back, that means it's mine.....
Facebook's had a run of bad press regarding lack of user control over posted content. This is just a feature nobody will use, dedicated to persisting the illusion of control that hides the fact that Facebook is "a place for Friending marketers".
Open Format (Score:1)
Re: (Score:2)
I read it and understood it without even thinking about it until your post here. It's concise and to the point, I don't see what's wrong with it?