Perspective: Will security become Facebook's Achilles' heel?

Editor's note: Aaron Greenspan claims ownership of the idea for Facebook.

It's hard to go anywhere--to work, to the store, to the movies, really anywhere--without hearing about Facebook.

Its popularity is nearly unprecedented, making it a success to be envied in the eyes of many businesspeople, and in particular, software developers. Yet one area that Facebook has arguably not been successful in is that of protecting its users' privacy.

Although the issue has been raised time and again by users of the site, first with the introduction of the news feed and again with the introduction of its Beacon ad targeting technology, the company seems to be perpetually fumbling the ball. One starts to wonder: what's so difficult about keeping information private?

It's not that it was meant to be; the concept of Web-based social networking was never preordained as a privacy nightmare waiting to happen. Nothing is written into the precepts of graph theory dictating that civil liberties must be violated. Facebook was originally successful in part because it restricted the flow of information between students at different schools. No, what has manifested itself in Facebook today is directly the result of its leadership's conscious decision to put privacy on the back burner.

The key turning point in Facebook's history came in September 2006 when the site switched from being a closed community of students to a global destination for everyone on the Internet. To maintain its high growth rate, the company decided that it had to widen its scope, and in doing so, it tossed user authentication out the window.

At that point, any hope of having a site that respected user privacy was completely lost. The point of authentication, after all, is to prevent people from lying about their identity, and it goes to follow that when that measure is no longer in place, lying can and will happen.

Still, even if you are who you say you are, it's still incredibly easy to share too much. Facebook encourages it, of course. Chief Executive Mark Zuckerberg has a mantra about supporting the "free flow of information," as if openness is a panacea for inefficiency.

The concept of Web-based social networking was never preordained as a privacy nightmare waiting to happen.

There's a reason for this. The more information that's accessible, the more people who want to access it. The more people who come, the more dollars that flow. (Profit, of course, has no bearing on this model.) So long as you sign up, click your mouse, and thereby yield as many advertising banner impressions as possible, you are doing your share in the grand scheme of multi-hundred-million-dollar advertising deals among Google, News Corp., Facebook, and Microsoft that are keeping these sites afloat.

Simply put, there's no way that social networks will put security and privacy first when their very business model gives them incentive to do just the opposite. Just as "the common good" became a rallying cry in the Soviet Union of decades past, only to yield a bifurcated society of poor and super-wealthy, so too has "the free flow of information" divided us into those who hire top-dollar lawyers to keep our information private, as Facebook's CEO did when a magazine ran an article he didn't like, and those of us who don't even have the right to close an account.

Add to that Facebook's spotty history regarding matters of security. It was in March 2005 that I found my first security flaw in Facebook. The site let you download the names, home addresses, birth dates, and other vital facts about thousands of its members without authorization. I alerted the company of the problem immediately. When it ignored my repeated requests for weeks on end, not knowing what else to do, I took it to the press. Only then did the company actually take the issue seriously.

Today, there doesn't even need to be a technical problem in Facebook's software for people to download the same information. The flaw is not just part of the system; the flaw is the system, as illustrated by three separate but equally alarming examples.

First, Facebook application developers (essentially, anyone) can download any member's personal data, regardless of whether those members have expressed interest in their applications.

Second, despite an uproar in the technical community, Facebook's Beacon ad service--aside from being foolish by informing members of their impending surprise gifts, disingenuous by frequently turning real friends into cheap marketing hacks, and Orwellian by peeking at others' thoughts through the eyes of retailers--still to this day tracks Facebook members' movements on the Internet, even when they aren't even signed in.

Third, when I refused to provide Facebook with my date of birth due to the above privacy concerns, not to mention a sense of fundamental injustice, the company suspended my account indefinitely.

Sadly, as the standard of success remains an index of how much one can steal from friends--whether software features or personal data--Facebook should do just fine. In the meantime, it couldn't hurt to have an alternative, privacy-conscious site ready for the day that millions of college graduates realize that they need to find--and keep--a job.

Biography
Aaron Greenspan is the author of the forthcoming book Authoritas: One Student's Harvard Admissions and the Founding of the Facebook Era. He also claims ownership of the idea for Facebook.

More Perspectives

[M C]

CNet again fans the flames for profit...

We should just call this the Sour Grapes Blog.

It would be nice to see a neutral third party's take - you know, actual journalism?

[john55440]

Just say No! to Facebook

"...when I refused to provide Facebook with my date of birth due to the above privacy concerns,...the company suspended my account indefinitely."

I don't have an account there, because I'm not interested in even giving them my real name. I'm not interested in voluntarily entering all of my personal information into an advertising database.

[sanenazok]

Move on with your life...

For you it might be "hard to go anywhere--to work, to the store, to the movies, really anywhere--without hearing about Facebook" That's mostly because you're hearing your own voice! Yes so they screwed you, and yes you need to promote your book. Still if Facebook users don't like the privacy policies of Facebook they can just go somewhere else. Here's a novel idea - set up accounts NOT using your real info...something people were being told in the early 1990s. A web company like Yahoo or Facebook ain't the IRS, you can put down whatever.

TO answer the article's question - NO, privacy will not be the "Achilles' heel" since companies do things to keep customers happy and that means sensible privacy policies otherwise people leave in droves.

[doublethought84]

Facebook is the most private...

I'm on facebook because it is the most private social networking site on the Internet. I've never gotten one spam message or false friend... anything like that.

Reading this article was mind blowing. How can cnet pay you to write about something you obviously know nothing about. Do you even use facebook? If you did, you'd know that the user controls the privacy. I get to chose what people know and don't know.

*shakes head*

[mlapchuk]

Yes you may be correct that the user does control the privacy settings but you are as ignorant as Aaron. When you join Facebook the security and privacy settings are set, by default, to the most relaxed settings possible. And if you do want to change your privacy settings it takes navigating through no less than 3 different pages just to get there. And seeing as the majority of Facebook users are not computer nerds, or even computer proficient, how can you expect someone like that to even begin to know where to start looking for the privacy settings? And you may have your privacy settings turned up to the max (once you find them) but that does not guarantee that your info is safe. Third party application developers are contractually obligated to not hold your information for more than 24 hours after you access their application. But here is the catch: the third party application is hosted on a third party server that is physically separate from the Facebook servers and that is also where all your personal information that is garnished by the application is stored. And even if Facebook says that they will go after anyone breaking the Terms of Service, how are they supposed to actually do that when they are NOT ALLOWED access to the third party servers? And even if you do not install an application, just by having someone in your friend list that has added the app, the app is allowed to see all of your personal information, regardless of your privacy settings. Try researching a little before you go off on a rant. Oh, and FYI nothing in the article says that you get a "spam message or false friend", it says that people can steal your personal identity and that Facebook, while the legally covered themselves, can do NOTHING about it.

[wbenton]

Authentication 101

>>>The point of authentication, after all, is to prevent people from lying about their identity<<<

That statement is a bit misleading at best.

Authentication is about ensuring the person is whom they claim to be.

And that is necessary to ensure the integrity of what ever is being said about what ever.

However on MOST internet sites... it's really hard to ensure that whom ever you think you're talking to is really whom they say they are.

And the only way to ensure that the person on the other end is in fact whom they say they are is via a very expensive method. One which would bring Facebook to a grinding halt if they ever did attempt to successfully implement an unthwartable authentication mechanism.

That said, most sites (Yahoo, Google, MSN... just to mention a few) have no 100% means to ensure that whom ever is typing is really whom they claim they are.

Even if ID or some other proof of identification is mandatory, with all the stolen identities floating around the internet today... it's virtually impossible to guarantee authentication.

Bottom Line: Could Facebook become more secure... YES... I don't know of ANY corporation which couldn't. There's always something more which could be done... some thing new which could be implemented, something to upgrade/update to thwart off the latest attacks/hacking attempts.

WISDOM POINT: Offering a half-[filtered word} solution foolishly/falsely making people believe they're any safer is WORSE than offering NO security at all!

There is much more to security than just authtication. And unless it's an un-deniable method of authentication, then it's hardly worth the paper it's written on as far as authentication and accountability are concerned.

Walt