Digital Media

You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.

A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.

The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.

Here's a look at some of the specific threats users of the sites face and what they can do about it.

FACEBOOK

A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.

(Credit: Trend Micro)

Problems: Malware, account hijacking, phishing, and social engineering

The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.

Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.

Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.

Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.

Problem: Rogue applications

Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.

Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?

Problem: Privacy leaks due to user error

Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.

Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.

These instructions explain how to keep most people from viewing your friends list on Facebook.

(Credit: CNET)

Problem: Privacy leaks due to design or implementation issues

Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.

Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.

Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.

Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.

Problem: Privacy leaks related to marketing

The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.

Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.

Problem: Information used to suppress dissent and target political activists

As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.

"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.

Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.

TWITTER

This screen shot shows a Koobface attack message on a Twitter page.

(Credit: Trend Micro)

Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.

Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."

Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.

Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.

Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.

Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.

Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.

I have often wondered if being a divorce lawyer makes you feel better about humanity or worse. Perhaps it merely keeps you in intimate contact with all the pitfalls of relationships on a daily, even hourly, basis.

Still, whose heart could possibly lose so much as a throb on hearing that almost one in five divorces in the UK are fueled by Facebook?

No, it's not that Facebook's employees are so irresistible that anyone who comes into contact with them, even in the UK, immediately leaves their spouse. Rather, it seems that the constant lack of trust in marriages causes much trawling around spouses' Facebook pages until one party decides the party's over.

It has already been established by one study that Facebook turns lovers a painful shade of green. However, the Telegraph quotes a law firm declaring that almost one in five divorce petitions make Facebook the scene of the crime.

The managing director of Divorce-Online told the Telegraph: "I had heard from my staff that there were a lot of people saying they had found out things about their partners on Facebook and I decided to see how prevalent it was. I was really surprised to see 20 percent of all the petitions containing references to Facebook."

Facebook is the home of love, surely.

(Credit: CC Sabrina Campagna/Flickr)

Some of the biggest culprits, according to the Telegraph, are flirty e-mails and messages found on Facebook, which are "increasingly being cited as evidence of unreasonable behavior."

And it was only in February that Emma Brady discovered her husband was divorcing her when he updated his Facebook status to: "Neil Brady has ended his marriage to Emma Brady."

Are people who leave themselves so exposed on Facebook merely careless? Or does the liberating new medium of social networking allow them to deliberately tell their spouses that they have had enough without having the courage to look them in the eyes?

Perhaps, though, Facebook might use this phenomenon to advertise its own power. The site should create a special group: the Facebook Disconnects group. It would bring together all those whose marriages that ended because of wall posts and the like, thereby showing how Facebook relationships are more powerful than any out there in the dumb ole' analog, touchy-feely world.

That way, advertisers might finally realize that it's better to put all of their money into digital relationships on Facebook rather than into those quaintly ancient TV spots.

It's an odd tradition. Well, it is Britain, where they have a talent for clutching traditions like Posh Spice clutches many things with a D&G logo.

The particular tradition that fascinates at this time of year consists of really caring about which song is the best seller at Christmas.

Once upon a time, some of the greatest music ever composed was Britain's Christmas No. 1. Yes, Slade's "Merry Christmas Everybody," Mud's "Lonely This Christmas," and the slightly less melodic "Another Brick In The Wall (Part 2)" by Pink Floyd.

In recent times, Simon Cowell, a man with more tentacles than T-shirts, has timed one of his reality talent shows to coincide with the Christmas period.

No sooner is the winner announced than he or she has a song that is then downloaded beyond distraction straight to the top of something that is still quaintly called the Singles Chart. (Recent examples include the stunning Leon Jackson and Alexandra Burke.)

This year, Londoners Jon and Tracy Morter decided that something must be done. So they created a Facebook group, Rage Against the Machine for Christmas No. 1.

Sentiment in the snowy English shires was clearly strong. Because around 1 million people declared their belief in the cause. And Sunday it was announced to huge acclaim that the Facebookers had got their way. The Rage Against the Machine song, so CNN tells us, "Killing in the Name," is the No. 1 Christmas single.

It is not easy to defeat the intentions of Cowell. He is the man who dominates "American Idol" rather beautifully and the man who brought Susan Boyle to the world's attention through yet another pulsating show called "Britain's Got Talent." He is also the man who created "The X-Factor," another talent show designed to create instant fodder for Christmas. (Oh, of course it's coming to the U.S., did you have to ask?)

The Morters claimed on the Facebook group's page that the campaign was not remotely personal. Some might think this not entirely true, as the Guardian tells us that when they launched the group they said: "Fed up of Simon Cowell's latest karaoke act being Christmas No. 1? Me too."

Cowell, for his part, told a press conference that the Facebook campaign was "stupid" and "cynical."

You might be wondering why the Morters chose Rage Against the Machine. Well, Jon Morter told NME.com: "It's been taken on by thousands in the group as a defiance to Simon Cowell's 'music machine'. Some certainly do see it as a direct response to him personally."

So one machine has defeated another in the place where they always tell us the Industrial Revolution began. It's a touching Christmas story, isn't it?

Facebook has released a demographic study of its 350 million users. The upshot: Facebook isn't just for white and Asian people anymore.

In fact, Facebook's demographics resemble the base of Internet users. That finding makes a lot of sense because Facebook, like AOL way back when and Google today, represents a proxy for the Internet and population overall. If you're on the Internet you've probably stumbled on Facebook. In the early days of Facebook, the site was dominated by white and Asian folks.

In a note, Facebook walks through its analysis and how it compared surnames of users with U.S. Census Bureau. By analyzing surnames, Facebook cooks up a racial breakdown over the history of the site.

Read more of "Facebook's audience is diverse (and ready to be carved up for advertisers)" at ZDNet's Between the Lines.

Facebook last Wednesday announced new privacy settings that give users some additional control over what information they share, while taking away the ability to hide a few pieces of information from the general public.

One particular piece of publicly available information--users' friends lists--caused a bit of an uproar from a number of sectors, including business people who don't necessarily want to expose their professional networks to the public and their competitors. It is also a concern to some parents who might not want their kids--or a list of their kids' friends--to be widely available.

Facebook quickly backtracked. A day later, the company announced on its blog that users can now uncheck the "Show my friends on my profile" option in the Friends box on their profile so that your friend list won't appear on your publicly viewable profile.

Unfortunately, they weren't very clear on exactly how you make the change. ... Read more

Editors' note: This is a guest column. See Larry Downes' bio below.

It's been a bad week for those, like me, who feel the debate over data privacy too often casts information businesses as evil Halloween monsters, determined to terrorize and humiliate their customers just for the fun of it.

On Monday, the Federal Trade Commission held the first of three conferences on privacy and technology, at which a parade of consumer advocates and legal scholars warned of an imminent data apocalypse.

Recent events seemed, alas, to support that view. Sprint, for example, reported that over the last 13 months, it has received more than 8 million requests for GPS data about customer location and movement from law enforcement agencies. (Sprint is now determining the number customers affected, estimated to be in the thousands.)

Verizon and Yahoo filed objections to a Freedom of Information Act request that asked how much the companies charge to comply with government surveillance orders, claiming that release of the information would "shock" and "confuse" customers.

Then, Google's notoriously private CEO, Eric Schmidt, brushed aside a CNBC's reporter's question about concerns that users are putting too much trust in his company, saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Most disturbing at all is what happened over at Facebook, the social-networking behemoth that now hosts more than 350,000,000 members. Based in part on complaints by government agencies in Canada and Europe, the company announced in July that it had begun testing a more comprehensive and simplified set of privacy settings, promising to give users "even greater control over the information they share and the audiences with whom they share it."

After months of what looked like careful planning, Facebook implemented its new privacy policy and user tools this week.

The announcement landed flat on, well, flat on its face. A chorus of the usual suspects, including the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California cried multiple fouls, objecting both to the nature of the changes and the way in which they were being imperiously foisted on users. "Under the banner of simplification," said Electronic Privacy Information's Center's Marc Rotenberg, "Facebook has pushed users to downgrade their privacy."

First, a word about the changes themselves. In a detailed exegesis published on Wednesday, EFF's Kevin Bankston divided the revisions into three categories: the good, the bad, and the ugly.

In the good column, Bankston noted that all Facebook users are being required to review their privacy settings and have been given new tools to simplify the process. For each individual post to their page, users can now limit who among their friends gets to see what. In the bad department, EFF doesn't like the recommended settings, which pretty much let everyone see everything.

The ugly, however, are genuinely ugly. The version of a user's Facebook page open to Facebook members and nonmembers alike will now show the user's name, profile picture, location, and gender, as well as a complete list of her friends. Most of that information can no longer be controlled other than by not providing it in the first place. (Facebook has already backtracked on the public availability of friends information.) And users can no longer opt out of letting Facebook and third-party applications, such as all those quizzes and tests my friends seem to spend most of the day filling out, access at least some information from their account and that of their friends.

Logic behind privacy policy changes
I understand why Facebook wants these changes. Given the sheer number of Facebook users, it's increasingly difficult to find friends when presented with a list of dozens of profiles with matching names and no other information.

As the company moves to find ways of making money from its network, moreover, open access to information about users is not just important--it's essential. Constraining the company's ability to publish and otherwise monetize that information limits the chances Facebook and other social-networking sites can continue to secure funding, compete in a wide-open market, and ultimately survive as a commercial enterprise.

That, at least, is the kind of reasonable explanation for the changes the company could have provided. Instead, it announced the new policy and implemented it at the same time, leaving no opportunity for user review or comment. According to EFF's Bankston, Facebook didn't disclose the creation of the new category of "publicly available information,"--that is, information about a user that cannot be controlled--until "the very day it is forcing the new changes on users." (Facebook did, in fact, allow a one-week comment period on a draft of the new policy, which is more than 5,000 words long, in early November.)

The company's reliance on good relations with its users makes the ham-fisted and tone-deaf nature of these changes both "shocking" and "confusing." After a minirevolt erupted earlier this year over changes to Facebook's terms of service, in which the company seemed to grant itself a more generous license for user data, a chastened CEO Mark Zuckerberg quickly reversed course.

More than that, Zuckerberg promised that future modifications would be developed in collaboration with users on an open-source model. "Our terms aren't just a document that protects our rights," Zuckerberg wrote on the company's blog, "it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service."

Exactly. So why didn't Facebook learn from its own painful lesson? While the company tested the new features with some users and solicited comments on the privacy policy over the last several months, Facebook reported in November that the number of comments it received on its draft proposal "did not reach the threshold to hold a vote." That's not a good thing.

Lessons not learned
Despite the high level of emotion, rightly or wrongly, that users attach to the topic of privacy, the new policy and tools simply arrived, providing some new protections even as existing controls were unceremoniously removed. Did the company think no one would notice? These and other recent privacy gaffes and missteps have unfortunate consequences.

Consumers, already uneasy about how increasingly intimate information is being handled online, will trust companies less, raising the potential for government regulations and new privacy agencies to fill a perceived void. That would be a dangerous result, and ultimately a counterproductive one.

Introducing new layers of regulatory bureaucracy will slow the pace of exciting innovations in information technology that have kept users engaged in the first place. And interjecting government oversight over any data raises the possibility of misuse of that information by other parts of the government, a problem made all too clear by continued revelations about secret surveillance under the wide umbrella of the Patriot Act and other antiterrorism measures.

The reality is that most information services do a good and responsible job of balancing user interests in controlling information access with value derived from transactional and other data that pay for much of what happens online.

Though often implicit, users today trade the use of information about their activities, purchases, and interests for innovative and often free services that analyze and aggregate that data. Such services help cell phone users locate their friends with Loopt, consumers simplify their search for products and services on Amazon and eBay, and connect with each other in the low transaction cost world of social-networking applications such as Facebook and Twitter.

The real problem: PR
The real problem here is not of policy but rather of public relations. Start-up companies increasingly invest early and often in legal counsel, in part to navigate the complex waters of intercompany relationships and in part to avoid potentially lethal litigation from patent trolls, unhappy competitors, and a global army of business regulators.

At the same time, marketing, as well as public and government relations, get little attention, as companies believe that enthusiastic users are now the best form of PR a young company can get and at a price that can't be beat.

Maybe so. But as information exchanges have moved from the purely pedestrian business-to-business networks of the 1980s to the everything-and-everybody sharing that characterizes our increasingly digital lives, companies who discount or dismiss the emotional and even irrational attachment consumers have to information about themselves do so at their peril.

It's not that Google, Facebook, and others need to change in any fundamental way how they do business. They must rather rethink the casual, careless, and often conceited way with which they communicate to users, business partners, regulators, and other stakeholders. When the lawyers lead, everyone loses.

For companies like Facebook today and everyone else tomorrow, users and the data they provide are not just the most valuable asset; they are the only asset. As consumers absorb that fact, they will increasingly use the tools of online communities--ironically, tools provided by social-networking sites themselves--to express their dissatisfaction with unequal exchanges of information for value. Better to collaborate with them now than to negotiate later, at the end of a gun.

Facebook, as Mark Zuckerberg correctly noted, is a kind of virtual nation, where terms of service and other policy documents serve as Constitution and governing law. As such, changes to both policy and practice require honest deliberation and engagement with the residents.

They can no longer be delivered as fait accompli. For one thing, it's pretty easy for virtual citizens to revolt against a government they don't like, or simply pack up and move somewhere less tyrannical. Easier than it is in the physical world, in any case.

Sites owned by Yahoo, AOL, and Google have joined Facebook and MySpace in expelling New York sex offenders from their rolls.

New York Attorney General Andrew Cuomo announced Thursday that Google's Orkut.com, AOL's Bebo.com, and Yahoo's Flickr.com are among 13 additional social-networking sites to use sex offender data available through New York's Electronic Securing and Targeting of Online Predators Act (E-Stop) to find and disable accounts associated with registered sex offenders.

Other companies that have agreed to cooperate include BlackPlanet.com, Classmates.com, Flixster.com, Fotolog.com, hi5.com, MyLife.com, Stickam.com, and Tagged.com.

New York Attorney General Andrew Cuomo

(Credit: NY Attorney General's Office)

There are still some holdouts. Cuomo called on other sites, including Friendster.com, Buzznet.com, eSpin.com, Habbo.com, and LiveJournal.com, "to commit to using the list." He urged parents and children to consider not using sites that haven't complied.

On December 1, Facebook and MySpace deleted the accounts of more than 3,500 sex offenders based on the New York law.

By comparing this data with their own user roles, Facebook was able to identify and delete 2,782 registered sex offenders. MySpace deleted 1,796 accounts.

In addition to deleting the accounts of any known registered sex offenders, the companies will turn over information about the accounts to law enforcement officials.

In a statement, Cuomo said: "It is no secret that sexual predators abuse social networking websites to find and manipulate victims and to insinuate themselves into their victims' lives."

The E-Stop law, which was passed in 2008, requires registered sex offenders from New York to disclose their online identities to officials. Information must include e-mail addresses, instant-messaging screen names and social-networking account names. The law also requires the state's Division of Criminal Justice Services to release state sex offender Internet identifiers to social-networking sites and other online services so that they can prescreen or remove individuals who match the list. It also imposes restrictions on sex offender's use of the Internet if the victim was a minor and if the Internet was used to commit the crime. Restrictions include banning the offender from social-networking sites, as well as prohibiting access to online pornography or communicating with anyone with the intention of promoting sexual relations with a minor.

Cuomo is one of several state attorneys general who have expressed concerns about the danger of Internet predators. In 2008, Cuomo and 48 other attorneys general entered into an agreement with MySpace that resulted in the Internet Safety Technical Task Force, whose report concluded that the actual threat of predators is less than many had feared and that kids are far more likely to be harmed by bullying and harassment from other youth. I served on that task force as a representative of ConnectSafley.org, a nonprofit Internet safety organization I help operate.

The lack of access to Facebook has created a lot of anguish among young Vietnamese.

(Credit: Dong Ngo/CNET)

HANOI, Vietnam--Vietnam's access to Facebook has been intermittent at best for about a month. However, after two weeks here in Hanoi, I haven't been able to get an official answer as to whether the popular social-networking Web site is being blocked here.

Internet service providers in Vietnam blame the spotty access on "technical issues," without offering an estimate for when the problems will be resolved. A representative from Viettel, a DSL and cell phone service provider, told me "there might be something wrong with Facebook."

None of the government personnel I was able to talk to during a recent trip back to my homeland would give me an answer, either. Some seemed to be unaware of the outage. However, during a media briefing on December 3, Nguyen Phuong Nga, a representative of Vietnam's Foreign Ministry, affirmed that agencies have been evaluating the contents of certain social Web sites because "many people in Vietnam have been upset that a number of social Web sites have been misused," basically posting information of an undisclosed nature that is deemed inappropriate.

I'm unaware of any misuse, but the upset seems much louder from the other side. With more than a million users and counting, the limited access to Facebook has created a lot of anguish. Lan Nguyen, a 23-year-old English student in Hanoi said, "I use Facebook daily. Now, it feels like something just got stolen from me." She uses FPT Telecom, one of the biggest DSL providers in Vietnam.

Ha Do of Ho Chi Minh city, another mid-20s, self-proclaimed Facebook addict who has some 1,800 friends, put it simply: "This sucks big time!" She revealed, however, that she still could access the site from some cafes, though definitely not from home. Upset and disappointment are common feelings among those I talked to about the matter.

This also affects a lot of small businesses in Vietnam, especially bars, restaurants, and tourism agencies that use Facebook to promote themselves to the outside world.

A curious silence
The week before I arrived in Vietnam, I was wondering why most of my Facebook friends in the country completely ignored my poking and never updated their pages. I'm afraid things won't get any better.

Facebook users are about to see an unfamiliar screen when they sign on to the service--a request to configure their privacy preferences. But it's not really a request. It's a requirement.

"As far as we know, it's the first time in the history of the Internet," said Facebook spokesman Simon Axten, "that so many people have been required to make affirmative decisions about their privacy."

The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.

All Facebook users will be asked to configure privacy settings

(Credit: Facebook)

Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.

In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class action law suit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security."

In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create "a new approach to site governance" so that its decisionmaking would be more transparent.

Mandatory privacy settings
All users will soon be confronted with a "privacy announcement" informing them that they must configure their settings. Initially, you will be able to "skip for now" but you will later be required to go through the steps in order to continue using the service, according to Axten.

To encourage people to share information, Facebook has set the default to "everyone," but you can later go back to set more restrictive settings. You can also keep your old settings. If you're not sure what they are, you can display them by hovering over the radio button.

New Facebook privacy setting page

(Credit: Facebook)

In the final step, Facebook displays your settings and gives you a chance to change them. At this point or at any time in the future you will be able to adjust any of your settings

Final stage verifies new settings.

(Credit: Facebook)

The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.

Some information must be publicly available
Some information--including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you're a fan of--will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.

According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a "John Smith" in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However Axten added that if a user had previously configured their privacy settings, they should keep what they already have.

While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.

Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you'll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night's exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to "friend" me at Facebook.com/larrymagid, but I also maintain a list of "real world friends."

Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.

Facebook's Axten said that application developers will have access to all publicly available information, but can only access other information with the user's permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.

Facebook is also launching a new Privacy Center that will offer "a comprehensive guide that helps users understand and control how they share information."

Disclosure: Facebook is one of several companies that provides support to ConnectSafely.org, a nonprofit Internet safety organization I help run.