About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Tuesday, October 19, 2010

Facebook's most recent privacy controversy

I was listening to the radio this morning and heard an interesting discussion of Facebook's most recent privacy issue (first reported by the Wall Street Journal). I follow Graham Cluley's blog, so I was not at all surprised to learn that the source of this privacy leak (it's nowhere near big enough to be a "breach") was Facebook applications. However, I was surprised to learn that they weren't talking about the genuinely malicious applications out there. Instead, this is what the WSJ was concerned about:
"The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private."
Ok, so what's the concern here?  It's just the number that uniquely identifies your Facebook profile, plus the information you've marked Public and the information that you specifically authorize the application to collect.  If you don't read that page that comes up every time you try and add an app, you should.

This is really nothing new. It's amazing to me that people look at these free apps and don't bother thinking about what the app developer stands to gain from this. It all goes back to what our parents should have taught us back in elementary school: nothing in life is free. The best modern phrasing I've seen about this is "If you are not paying for it, you're not the customer; you're the product being sold." - Blue Beetle. Facebook (and their apps) and Google both buy our personal information with fun toys and features. They purchase our information because it's valuable to advertisers.


If you're aware of this, you can make an intelligent decision about whether or not you really want to play MafiaWars or FarmVille.  Is that toy adequate payment for the information they're asking for in exchange?  If so, go right ahead and play that game knowing what you're exchanging.  If not, then don't.


The much bigger issue, in my opinion, is the genuinely malicious Facebook apps, the ones that post spam to your wall or persuade you to fill out surveys for them. They're fundamentally dishonest about what they're doing, and they impersonate the user to spread their spam.
