The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.
The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.
The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.
The EFF needs access to the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections," the lawsuit said.
None of the agencies contacted had complied with the EFF's Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.
The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.
The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.
Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.
"Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends," he said. "Governments are using the sites but not in the way [citizens] expect when they sign up."
The government agencies could not be reached for comment Tuesday afternoon.
Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.
ORLANDO, Fla.--OK, IT managers, it's time to loosen up.
That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.
Carol Rozwell, a Gartner vice president (Credit: Stephen Shankland/CNET)
"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."
The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource planning system, the broadening show reflects the growing scope of work that IT managers face.
Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.
"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.
I'm not an employee of MySpace, but I was able to join its Facebook network. (Credit: Facebook)
I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.
Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any member of the News Corp.-owned social network.
A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions, in the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.
See what happens? (Credit: Facebook)
In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.
This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.
It's an issue for Facebook as well, because the massive social site has an obligation to make sure that its restricted networks don't go stale: if a company with a Facebook network, particularly a big one, changes how its corporate e-mail domain is used, the privacy of potentially thousands of Facebook members can be affected.
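The gap described above is a domain-based affiliation check that trusts any address on a registered corporate domain. As an added example that is not Facebook's or MySpace's code, the Python below shows such a check with the two caveats a practitioner would want: a deny list of domains that hand out public mailboxes (re-checked when the link is clicked, not only when the mail is sent), and a signed, expiring confirmation token bound to the address and network so the link cannot be reused for a different address. The domain lists, the signing key and the token format are all assumptions made for illustration.

```python
"""Domain-based affiliation check with a public-mailbox deny list.

Constructed example, not Facebook's or MySpace's code. The domain lists,
the signing key and the token format are assumptions for illustration.
"""
import hashlib
import hmac

# Assumption: domains known to hand out mailboxes to the general public.
# myspace.com is listed because, per the article, MySpace Mail gave any
# member an address on the same domain the company used for corporate mail.
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "myspace.com"}

# Assumption: corporate domains registered for restricted networks.
NETWORKS = {"myspace.com": "MySpace", "example-corp.com": "Example Corp"}

# Assumption: server-side key used to sign confirmation tokens.
SIGNING_KEY = b"replace-with-a-random-server-secret"


def normalize_email(address):
    """Lower-case and do a minimal structural check; return None if unusable."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local or "." not in domain:
        return None
    return f"{local}@{domain}"


def network_for(address):
    """Map an address to a network, refusing domains that issue public mailboxes."""
    address = normalize_email(address)
    if address is None:
        return None
    domain = address.split("@", 1)[1]
    if domain in PUBLIC_MAILBOX_DOMAINS:
        # Holding a mailbox on this domain proves nothing about employment.
        return None
    return NETWORKS.get(domain)


def issue_token(address, network, issued_at, ttl=3600):
    """Sign address|network|expiry so the link proves which address it was sent to."""
    payload = f"{address}|{network}|{issued_at + ttl}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, now):
    """Return (address, network) if the token is intact and unexpired, else None."""
    try:
        address, network, expiry, mac = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    payload = f"{address}|{network}|{expiry}"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or now >= expiry:
        return None
    # Re-check at confirmation time: the domain may have been added to the
    # deny list between sending the mail and the user clicking the link.
    if network_for(address) != network:
        return None
    return address, network


def request_confirmation(address, now):
    """First step: decide whether a confirmation mail should be sent at all."""
    network = network_for(address)
    if network is None:
        return None
    return issue_token(normalize_email(address), network, now)


if __name__ == "__main__":
    print(request_confirmation("member@myspace.com", 0))   # None: public mailboxes on that domain
    tok = request_confirmation("Alice@Example-Corp.com", 0)
    print(verify_token(tok, 10))                             # ('alice@example-corp.com', 'Example Corp')
    print(verify_token(tok, 5000))                           # None: expired
```

The deny list is the operational part: when a company starts issuing public mailboxes on a domain it also uses for staff, that domain has to move from the network map to the deny list, and the check at confirmation time is what stops tokens mailed out before the change from still granting membership.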
A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.
This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.
A recent simplification of Facebook's user privacy controls wasn't enough for some policymakers.
On Thursday, in conjunction with the Canadian Privacy Commissioner, Facebook announced a new set of modifications to its user privacy controls as well as its developer API, and the targets of these changes are the thousands of third-party applications built on Facebook's developer platform. That means there may be major implications for developers--some of whom rely almost exclusively on Facebook activity as a revenue source.
The Canadian Privacy Commissioner's office released a set of recommendations for Facebook last month, specifically highlighting concerns that third-party applications could access a significant amount of users' personal data. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release at the time.
Facebook's newest set of changes will require third-party applications to specify which fields of user data they access (birthdays, favorite music, geographic location, etc.) and will require users to offer explicit permission before an app can access any of their friends' profile data. This is also in tune with recommendations offered earlier this week by a chapter of the American Civil Liberties Union, which highlighted the amount of personal data that third-party apps can access--sometimes without a user knowing it.
"Our productive and constructive dialogue with the Commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users," Elliot Schrage, Facebook's vice president of global communications and public policy, said in a release Thursday. "We believe that these changes are not only great for our users and address all of the Commissioners' outstanding concerns, but they also set a new standard for the industry."
But what does it mean for developers? This could make it difficult for some apps--particularly the sillier ones that rely on heavy viral spread and often one-time use--to gain traction and stay effective. These are similar concerns to those that arose when Facebook cracked down on apps that it deemed "spammy" (and often rightfully so). But on the other hand, the new privacy controls could stave off bad press that could easily paint the developer platform as a whole as unsafe or untrustworthy.
"It is important for developers to have access to information, but we want to balance that with transparency and control for users," Ethan Beard, Facebook's director of platform product marketing, said in a blog post geared toward developers.
"We have committed to making these enhancements over the next twelve months, and anticipate a lengthy beta period including opportunities for you to provide input, multiple blog posts, and updated documentation delivered well ahead of time," Beard's post continued. "Understanding that this will likely require modifications to your code base, we want to give you the earliest heads up that these enhancements are on our road map."
The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character Are You?" These are largely one-time-use apps that many a Facebook user clicks on and tries out with little concern.
According to the ACLU chapter, "millions of people on Facebook who use third-party applications on the site, including the popular quizzes, do not realize the extent to which developers of quizzes and other applications have access to personal information. Facebook's default privacy settings allow nearly unfettered access to a user's profile information, including religion, sexual orientation, political affiliation, photos, events, notes, wall posts, and groups." For the promotion, it's put together a quiz about how much you know about Facebook-based quizzes.
Side note: Creating a Facebook quiz app to draw attention to the pitfalls of Facebook quiz apps is very meta.
"It's time for Facebook to upgrade its privacy controls so that quizzes can only see what people want them to see," Chris Conley, technology and civil liberties fellow at the ACLU of Northern California, said in a release. "Users need stronger protections than Facebook currently provides."
So are the ACLU-NC's claims legitimate? The most damning one asserts that "regardless of whether a user's Facebook profile is 'private,' by taking a quiz the user allows its developer to gain access to the user's profile information...by Facebook default, every time one of a user's friends takes a quiz, the quiz has access to that user's profile information." That could have particularly alarming security implications if an app turns out to be malicious.
Facebook does not deny this, but notes that "sensitive" information like contact details are not available to third-party apps, and that Facebook has settings for users to tweak exactly how much their friends' apps can see.
Last month, the company modified its privacy settings to make them more user-friendly.
The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out process for apps to access a user's friends' data and require that apps list the specific profile data fields that they will be accessing.
"We generally agree with (the ACLU's) recommendations and have already made public announcements about relevant changes that are under way," Facebook spokesman Barry Schnitt said in an e-mail. "Specifically, we recently disabled hundreds of applications, including quiz applications, that were inconsistent with Facebook Platform policies...We've also had productive discussions with the Canadian Privacy Commissioner about improving user data controls on Platform. We'd be glad to also have productive discussions with the ACLU and generally catch them up, if they want to give us a call."
The office of the Canadian Privacy Commissioner, which has taken issue with Facebook's privacy policies, is holding a press conference on Thursday to address the subject, and Facebook plans to hold a conference call with reporters in response.
Well, here's an innovative way to get some buzz: FBHive, a new blog devoted to the discussion of all things Facebook, has debuted with the revelation that its creators have discovered a hack that can expose some crucial profile data.
No, it won't expose your personal photos or wall posts. But, FBHive says, it can bring up all the "basic information" that you have entered into your profile, even if you've elected to keep that information private. This is the section that includes location, gender, relationship status, relationships (significant other, parents, siblings), political views, religious views, birthday, and hometown. That's enough to be a problem in the identity theft department, as it could easily expose frequent password hints like dates of birth and mothers' maiden names.
Security holes are nothing new to social networks: last year, Facebook plugged a leak that exposed members' protected photos via the Facebook mobile site, and another hole was discovered about a year ago that exposed members' birth dates.
Admirably, FBHive has not shared the details of the newly discovered hack; more disconcertingly, it said Facebook has done nothing since it alerted the social network to the issue earlier this month.
"We are not malicious hackers, by any means, and our skills are far from advanced," the post read. "We here at FBHive are fans of Facebook, but when a security hole as big as this is discovered and brought to (Facebook's) attention, it shouldn't take 15 days to fix."
A Facebook representative said the company is currently "looking into" the matter and will have more information soon.
UPDATE at 11:14 a.m. PT: "We have identified this bug and closed the loophole," an e-mailed statement from Facebook read. "We don't have any evidence to suggest that it was ever exploited for malicious purposes."
It's clear that the line between work and play is blurring. Many people check work e-mail accounts in their off hours as much as they check their personal e-mail accounts. And who isn't occasionally distracted by something on Facebook or YouTube during the work day?
Security specialist FaceTime Communications commissioned a survey of nearly 530 IT managers and end users to find out exactly how people are using the Internet at work and what impact those activities have on their IT departments.
Ninety-seven percent of end users surveyed reported using one or more Internet applications at work, up from 85 percent last year, and 82 percent say they use Web conferencing, according to the survey due to be released on Monday.
All that Web use has a downside, though. Seventy-three percent of IT managers reported having had to deal with at least one Internet-related attack at work, with viruses, Trojans, and worms being the most common type, followed by spyware.
On average, IT managers reported 34 incidents per month. A typical incident takes 22 hours to fix and can cost a company as much as $50,000 based on an hourly IT worker wage of $70, according to the report.
Social networks and social media sites are particularly popular in office settings. More employees use social media sites at work for personal reasons (82 percent) than for business reasons (79 percent), the survey found. LinkedIn is the most commonly used site for professional purposes, while YouTube, Facebook, and MySpace are the top three social media sites used for personal purposes.
But the most common personal use of a corporate PC is for e-mailing friends and family. Then people like to Web surf; bank; shop; visit music, photo, or video sites; IM with friends and family; and connect with friends via social networks.
Corporations also continue to keep a watch on employee activities on the Web. Nearly 80 percent said they monitor corporate e-mail, 65 percent monitor Web browsing, 40 percent monitor peer-to-peer file sharing, 38 percent monitor IM messages, and 36 percent monitor social-networking activity.
FaceTime's survey found that personal e-mail is the most popular non-work Internet activity for corporate workers, followed by Web surfing, banking, and shopping. (Credit: FaceTime Communications)
Yesterday I ranted on Facebook about how annoyed I was with it. I've also had my share of emotional posts about various topics on Twitter. And I'm frequently opinionated in my blog postings on this site.
Unless you are following my writings on all the various sites, you might not know how cranky and critical I can be. My emotions and opinions may not be of concern to anyone beyond my close personal friends and co-workers (who have to listen to my occasional verbal tirades). But if you did care, there might soon be an easy way to track my online mood swings--a digital emo-meter, if you will.
Nitesh Dhanjani, senior manager and leader of application security services at Ernst & Young, and Akshay Aggarwal, Microsoft InfoSec team's practice manager for North America, are developing a "proof-of-concept" tool that analyzes a feed from peoples' various online presences. The dashboard looks at the stream for expressions of emotion in real time and uses colors to indicate different emotions.
Inspired by the site WeFeelFine.org, the researchers plan to unveil their tool at the BlueHat Security briefings Microsoft will host in October, and at the Hack in the Box conference in Kuala Lumpur later that month.
Nitesh Dhanjani (Credit: Nitesh Dhanjani)
"It will tell you what's going on in your brain," Dhanjani said. "Reading the mind or emotions, people haven't looked at that before" on social networks.
We all know how photos on social networks can get us into trouble. There's the 22-year-old student who was sentenced to more than 5 years in jail for a drunk driving accident that killed her passenger after the judge said photos of her drinking on her MySpace page after the accident showed her lack of remorse. And then there's the bank intern whose photo of him at a Halloween party on Facebook was seen by his bosses who thought he had skipped work because of a family emergency.
But our own comments about our mental state can also be very revealing, to friends and enemies alike, said Dhanjani. He foreshadowed his research on his blog last month and elaborated on it in several subsequent interviews with CNET News.
Such a psychological analysis dashboard could be used for predicting and possibly preventing negative behavior. For instance, if law enforcement had been able to monitor the hateful postings one MySpace user wrote about his wife on his blog, immediately followed by a post in which he talked about how much he loves her, authorities may have been alerted to erratic psychological behavior that eventually led to his murdering her, according to Dhanjani.
In another scenario, people could use the tool to monitor other people's emotional states and either do things to try to make them feel better, or worse, he said.
"It's almost like it gives other people the power to play God and glean what's happening inside your head," Dhanjani said. "I can see implications for economics, business, and psychology."
And I thought behaviorally targeted ads were scary!
Updated 6:50 p.m. PT with Facebook saying no hole in Free Gifts app.
MySpace was working to fix a security hole on Monday that allows people to see private comments friends have written on members' pages.
"MySpace is committed to keeping all users as safe and secure as possible. Today, MySpace was alerted to an issue within the MySpace Mobile WAP site and is working to roll out an immediate fix," a MySpace spokesperson wrote in an e-mail.
With the MySpace hole, people have to go through the company's mobile page and know the user ID of a member to read their private comments, said Canadian computer technician Byron Ng, who alerted CNET News to the issue and said he had previously contacted MySpace as well.
Getting someone's user ID is easy: hover over the member's name, and the user ID is the first group of numbers in the link URL the browser shows at the bottom of the page.
In addition, security vulnerabilities publicized by Ng in June that allow MySpace users to delete bulletins from groups they don't control, to pin and unpin topics in groups they aren't members of, and to post messages to a group they are banned from remained unfixed. Those issues are expected to be fixed within the week, MySpace said.
Meanwhile, Facebook was investigating possible security issues of its own, including a third-party app that lets people see comments written on member pages, even if they aren't their friends.
"We're still checking on Advanced Wall but we've confirmed that there is not a hole in Free Gifts," a Facebook spokesman wrote in an e-mail. "It's only public gifts that can be seen in the manner you propose below, which is how they are meant to be seen.... Private gifts are not shown on this page."
Facebook users should remember that photos and videos are public unless the person who posts them sets the privacy setting to private.
Beyond these security issues, people can use a method called "social engineering" to get access to a stranger's profile by being accepted as a friend in their network, Ng said.
For instance, someone could create a profile that looks like a party promoter that many members will become friends with just to hear about events. Or, someone could create a profile with the same name as someone who is already in a target's friend list with the hopes that the target will be confused and accept the imposter, Ng said.
"If the average citizen is worried about people spying, never add anyone, even a 'friend,' without telephone or e-mail confirmation that it is legitimate," Ng writes in an e-mail.
For people who want to keep an eye on who is viewing their MySpace pages, there are two sites that offer tracking services: ProfileSnitch.com and WhoVisited.com.
Those sites allow MySpace members to embed HTML code in their profile pages that reports back to the tracking sites so members can see who was viewing their pages. This only works with MySpace and not Facebook, however, because MySpace allows members to use HTML in their profiles and Facebook does not, Ng said.
Just because a "friend" sends you something on Facebook or MySpace doesn't mean you should trust it.
A new worm is spreading via Facebook and MySpace, turning victims' computers into zombies on a botnet, Kaspersky Lab said on Friday.
Basically, infected machines are propagating the worm by sending messages via the social networks to friends in the network.
The messages look like they contain links to video clips. When clicked on they prompt the recipient to download an executable file that purports to be the latest version of Flash Player. Instead, it is the worm itself, infecting yet another victim.
When infected machines log onto the social networks the next time their computers automatically send the malicious messages out to new victims grabbed from the friend list, said Ryan Naraine, security evangelist at Kaspersky.
"We've seen these types of worms before, typically around MySpace," he said. "People are more trusting of things they receive from a friend," and many people don't recognize that what they are downloading isn't a legitimate Flash Player file, but a malicious program.
Naraine repeated the refrain that security professionals have been spreading for years: be careful about downloading anything to your computer, even if it appears to come from a friend; and be diligent about applying security patches to your computer.