March 19, 2008 11:18 AM PDT

Flaws emerge in Facebook's new privacy controls

by Chris Soghoian

Facebook launched a bunch of new privacy controls today, and has received a significant amount of positive press as a result. The praise is perhaps not so well deserved, as the new privacy controls can be easily evaded.

The new privacy settings allow users to customize which friends can view specific details in their own profile. Users can lock down specific bits of information to their friends, friends of friends, or even particular individuals.

Facebook's new privacy controls

There is, however, a significant design flaw present in this new feature. Facebook users can select which types of strangers can view their profile. That is, a student at Stanford University can decide to allow other undergrads to view their profile, while specifically forbidding staff and professors who have not been made a friend from viewing it.

This sounds like a great idea, and should be a significant benefit to those students who find that their Facebook-advertised parties were busted by police who found out about the events through the social-networking site.

The primary problem is that Facebook has no way of determining what someone's university status is. The company is only able to verify that the user has a valid .edu e-mail address, which could mean that the person is a student, staff member, professor, or alumnus. As a result, Facebook asks users to self-report this information.

Take a student who doesn't wish the Facebook-using professors at their university to be able to view their profile: it would be trivially easy for a professor to log in and change his or her own status to that of an undergrad.
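As an added illustration (not Facebook's code, and assuming a toy attribute model with constructed values such as the network name example.edu), the following Python compares a visibility rule that takes the self-reported status at face value with a fail-closed variant that refuses to grant access on any attribute the viewer can edit:

```python
"""Model of a profile-visibility rule keyed on a viewer's university status.

Added illustration, not Facebook code. It assumes network membership is
established by a confirmed .edu address, while the status field
("undergrad", "staff", ...) is free-form and edited by the user, as the
article describes. The network name example.edu is a constructed value.
"""
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    VERIFIED = "verified"            # established by a check the site performs
    SELF_REPORTED = "self-reported"  # anything the account holder can change at will


@dataclass
class Attribute:
    value: str
    source: Source


@dataclass
class Viewer:
    name: str
    network: Attribute  # e.g. "example.edu", verified via the e-mail address
    status: Attribute   # "undergrad", "grad", "staff", "professor", "alumnus"


@dataclass(frozen=True)
class VisibilityRule:
    network: str
    allowed_statuses: frozenset


def change_status(viewer: Viewer, new_status: str) -> None:
    """The status field is self-reported, so nothing stops a viewer rewriting it."""
    viewer.status = Attribute(new_status, Source.SELF_REPORTED)


def visible_trusting_status(rule: VisibilityRule, viewer: Viewer) -> bool:
    """The check as the article describes it: status is taken at face value."""
    return (viewer.network.value == rule.network
            and viewer.status.value in rule.allowed_statuses)


def visible_requiring_verified(rule: VisibilityRule, viewer: Viewer) -> bool:
    """Fail-closed variant: a rule may only grant access on attributes the site
    itself established. Because status is self-reported, an "undergrads only"
    rule then admits no stranger at all, which is the honest outcome."""
    if viewer.network.source is not Source.VERIFIED or viewer.network.value != rule.network:
        return False
    if viewer.status.source is not Source.VERIFIED:
        return False
    return viewer.status.value in rule.allowed_statuses


def demo() -> dict:
    """Walk through the professor-turned-undergrad scenario with constructed viewers."""
    rule = VisibilityRule("example.edu", frozenset({"undergrad"}))
    professor = Viewer("prof",
                       Attribute("example.edu", Source.VERIFIED),
                       Attribute("professor", Source.SELF_REPORTED))
    before = (visible_trusting_status(rule, professor),
              visible_requiring_verified(rule, professor))
    change_status(professor, "undergrad")  # the evasion the article describes
    after = (visible_trusting_status(rule, professor),
             visible_requiring_verified(rule, professor))
    # A status the site had actually verified would still be admitted by both checks.
    undergrad = Viewer("ug",
                       Attribute("example.edu", Source.VERIFIED),
                       Attribute("undergrad", Source.VERIFIED))
    return {
        "before": before,
        "after": after,
        "verified_undergrad": (visible_trusting_status(rule, undergrad),
                               visible_requiring_verified(rule, undergrad)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second check is not that it fixes the problem (the site still cannot verify status, as the article says) but that a policy engine which tags each attribute with its provenance can at least refuse to build a "stranger" allow-rule on top of a value the stranger controls, instead of silently offering the false sense of security described below.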

To test this out, I changed my own status at Indiana University to that of an undergrad, a staff member, and an alumnus before switching back to being a graduate student. Facebook's system didn't complain once, and I was able to verify that the updated status was indeed reflected on my own profile.

Changing status in Facebook

This is a fairly significant security flaw in Facebook's fancy new privacy controls, and frankly, there isn't too much the company can do to fix it. In the real world, it's perfectly possible for an administrative staff member to go back to school (and thus become an undergrad), or for a grad student to become a professor. The status controls need to be modifiable.

At least under the old controls, Facebook users (in theory) knew that their profiles could, by default, be viewed by any other Facebook user at the same university. This new system provides little in the way of real additional protection, yet may give users a false sense of security, leading millions of users to post even more stupid and embarrassing things to the site than they currently do.

I spoke with a Facebook spokesperson shortly before press time, who told me that she could not comment on the specific issues I raised.

Disclosure: I am a part-time technology policy fellow at the Electronic Privacy Information Center, where one of my projects involves social-networking privacy issues.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.
by dragotown March 19, 2008 3:26 PM PDT
Before Facebook launched the new privacy features today, one could pose as anyone (student, faculty, staff, etc.) by changing their affiliation on the Networks page. Users also had the option to restrict access to their profile to only certain affiliations via the Privacy page. This is not a new problem.
by philb30 March 19, 2008 3:28 PM PDT
I believe this was a previous feature, not part of the newest rollout.
by dragotown March 19, 2008 3:33 PM PDT
My point exactly. This article points out an old problem.
by mtnbik3r March 19, 2008 7:33 PM PDT
The fact is that there really IS a big flaw in their new privacy controls. I expected that this article was going to be about that.

What is the flaw? You can't set permissions for an empty friends list - think about the implications of that.

I set up a "work colleagues" friends list, and then attempted to modify the permissions of that list, except the "work colleagues" list doesn't even show up on the privacy page unless one of your friends is already assigned to that list. Yet the whole point of me making this list is so that I can invite work friends without letting them see specific parts of my Facebook profile.

Did they even test this thing?