February 22, 2008 9:00 AM PST

Perspective: Will security become Facebook's Achilles' heel?

Editor's note: Aaron Greenspan claims ownership of the idea for Facebook.

It's hard to go anywhere--to work, to the store, to the movies, really anywhere--without hearing about Facebook.

Its popularity is nearly unprecedented, making it a success to be envied in the eyes of many businesspeople, and in particular, software developers. Yet one area that Facebook has arguably not been successful in is that of protecting its users' privacy.

Although the issue has been raised time and again by users of the site, first with the introduction of the news feed and again with the introduction of its Beacon ad targeting technology, the company seems to be perpetually fumbling the ball. One starts to wonder: what's so difficult about keeping information private?

It's not that it was meant to be; the concept of Web-based social networking was never preordained as a privacy nightmare waiting to happen. Nothing is written into the precepts of graph theory dictating that civil liberties must be violated. Facebook was originally successful in part because it restricted the flow of information between students at different schools. No, what has manifested itself in Facebook today is directly the result of its leadership's conscious decision to put privacy on the back burner.

The key turning point in Facebook's history came in September 2006 when the site switched from being a closed community of students to a global destination for everyone on the Internet. To maintain its high growth rate, the company decided that it had to widen its scope, and in doing so, it tossed user authentication out the window.

At that point, any hope of having a site that respected user privacy was completely lost. The point of authentication, after all, is to prevent people from lying about their identity, and it follows that when that measure is no longer in place, lying can and will happen.

Even if you are who you say you are, it's still incredibly easy to share too much. Facebook encourages it, of course. Chief Executive Mark Zuckerberg has a mantra about supporting the "free flow of information," as if openness is a panacea for inefficiency.


There's a reason for this. The more information that's accessible, the more people who want to access it. The more people who come, the more dollars that flow. (Profit, of course, has no bearing on this model.) So long as you sign up, click your mouse, and thereby yield as many advertising banner impressions as possible, you are doing your share in the grand scheme of multi-hundred-million-dollar advertising deals among Google, News Corp., Facebook, and Microsoft that are keeping these sites afloat.

Simply put, there's no way that social networks will put security and privacy first when their very business model gives them incentive to do just the opposite. Just as "the common good" became a rallying cry in the Soviet Union of decades past, only to yield a bifurcated society of poor and super-wealthy, so too has "the free flow of information" divided us into those who hire top-dollar lawyers to keep our information private, as Facebook's CEO did when a magazine ran an article he didn't like, and those of us who don't even have the right to close an account.

Add to that Facebook's spotty history regarding matters of security. It was in March 2005 that I found my first security flaw in Facebook. The site let you download the names, home addresses, birth dates, and other vital facts about thousands of its members without authorization. I alerted the company to the problem immediately. When it ignored my repeated requests for weeks on end, not knowing what else to do, I took it to the press. Only then did the company actually take the issue seriously.

Today, there doesn't even need to be a technical problem in Facebook's software for people to download the same information. The flaw is not just part of the system; the flaw is the system, as illustrated by three separate but equally alarming examples.

First, Facebook application developers (essentially, anyone) can download any member's personal data, regardless of whether those members have expressed interest in their applications.

Second, despite an uproar in the technical community, Facebook's Beacon ad service--aside from being foolish by informing members of their impending surprise gifts, disingenuous by frequently turning real friends into cheap marketing hacks, and Orwellian by peeking at others' thoughts through the eyes of retailers--still to this day tracks Facebook members' movements on the Internet, even when they aren't even signed in.

Third, when I refused to provide Facebook with my date of birth due to the above privacy concerns, not to mention a sense of fundamental injustice, the company suspended my account indefinitely.

Sadly, as the standard of success remains an index of how much one can steal from friends--whether software features or personal data--Facebook should do just fine. In the meantime, it couldn't hurt to have an alternative, privacy-conscious site ready for the day that millions of college graduates realize that they need to find--and keep--a job.

Biography
Aaron Greenspan is the author of the forthcoming book Authoritas: One Student's Harvard Admissions and the Founding of the Facebook Era. He also claims ownership of the idea for Facebook.

6 comments
CNet again fans the flames for profit...
by M C February 22, 2008 9:47 AM PST
We should just call this the Sour Grapes Blog.

It would be nice to see a neutral third party's take - you know, actual journalism?
Just say No! to Facebook
by john55440 February 22, 2008 10:02 AM PST
"...when I refused to provide Facebook with my date of birth due to the above privacy concerns,...the company suspended my account indefinitely."

I don't have an account there, because I'm not interested in even giving them my real name. I'm not interested in voluntarily entering all of my personal information into an advertising database.
Move on with your life...
by sanenazok February 22, 2008 11:47 AM PST
For you it might be "hard to go anywhere--to work, to the store, to the movies, really anywhere--without hearing about Facebook." That's mostly because you're hearing your own voice! Yes so they screwed you, and yes you need to promote your book. Still if Facebook users don't like the privacy policies of Facebook they can just go somewhere else. Here's a novel idea - set up accounts NOT using your real info...something people were being told in the early 1990s. A web company like Yahoo or Facebook ain't the IRS, you can put down whatever.

To answer the article's question - NO, privacy will not be the "Achilles' heel" since companies do things to keep customers happy and that means sensible privacy policies otherwise people leave in droves.
Facebook is the most private...
by doublethought84 February 22, 2008 1:05 PM PST
I'm on facebook because it is the most private social networking site on the Internet. I've never gotten one spam message or false friend... anything like that.

Reading this article was mind blowing. How can cnet pay you to write about something you obviously know nothing about? Do you even use facebook? If you did, you'd know that the user controls the privacy. I get to choose what people know and don't know.

*shakes head*
Authentication 101
by wbenton February 24, 2008 6:58 AM PST
>>>The point of authentication, after all, is to prevent people from lying about their identity<<<

That statement is a bit misleading at best.

Authentication is about ensuring the person is who they claim to be.

And that is necessary to ensure the integrity of whatever is being said about whatever.

However on MOST internet sites... it's really hard to ensure that whoever you think you're talking to is really who they say they are.

And the only way to ensure that the person on the other end is in fact who they say they are is via a very expensive method. One which would bring Facebook to a grinding halt if they ever did attempt to successfully implement an unthwartable authentication mechanism.

That said, most sites (Yahoo, Google, MSN... just to mention a few) have no 100% means to ensure that whoever is typing is really who they claim they are.

Even if ID or some other proof of identification is mandatory, with all the stolen identities floating around the internet today... it's virtually impossible to guarantee authentication.

Bottom Line: Could Facebook become more secure... YES... I don't know of ANY corporation which couldn't. There's always something more which could be done... some thing new which could be implemented, something to upgrade/update to thwart off the latest attacks/hacking attempts.

WISDOM POINT: Offering a half-[filtered word] solution foolishly/falsely making people believe they're any safer is WORSE than offering NO security at all!

There is much more to security than just authentication. And unless it's an undeniable method of authentication, then it's hardly worth the paper it's written on as far as authentication and accountability are concerned.

Walt