Making more user information public has both privacy and security dangers, experts warn.

Last month, Facebook finally crossed a line. The company announced that it would make certain user information–including a user’s name, hometown, education, work, and “likes” and “dislikes”–permanently public.

Facebook’s default privacy policy has gradually shifted to expose more user data to the wider Web, but the reaction to this latest change has been significant. Last week, a collection of European data-protection authorities known as the Article 29 Working Group sent Facebook a letter chastising the company for not allowing users to limit access to their social data. The letter follows a similar criticism of Facebook by several members of congress, such as Sen. Charles Schumer, D-NY, over the past month. The reaction from privacy advocacy groups, and from many of Facebook’s users, has also been vocal.

Some experts also say that the increase in information disclosure could have a serious side effect: opening up new opportunities for hackers. Kevin Johnson, a senior researcher with security firm InGuardians, uses Facebook as a starting point for his job: testing companies’ network security. Many times, he says, the most significant vulnerabilities are not in hardware or software, but in users’ use of social networks. The information leaked on social networking sites can be used to impersonate a legitimate person, in order to recover a password, for example, or to trick users into opening a malicious file by making it appear to come from a friend or a colleague.

“As a penetration tester–as an attacker–Facebook’s privacy settings have made my job easier,” Johnson says. “In the past, before two years ago, we had to trick people into running a [rogue] application [to collect data]. Now, the majority of people out there–the bulk of Facebook–run under default privacy settings.”

Pushed by a need to monetize the data entered by users, Facebook has increasingly loosened its privacy policies. In 2005, the company’s original policy stated that no information would be shared with people “who [do] not belong to at least one of the groups specified by you in your privacy settings.” By 2010, the policy had changed to one that focuses on sharing much more information, stating that applications and Web sites “will have access to General Information about you.” The text of the company’s privacy policy has grown nearly 500 percent, and users are now required to navigate some 50 different privacy settings.

Yet, as Facebook has grown, users have become savvier about their data security, Stutzman says. Students at UNC Chapel Hill, for example, have increasingly opted to set their Facebook privacy to the highest possible setting, with almost 60 percent of students using the “Friends Only” setting in 2008 compared with less than 20 percent in 2005. Stutzman says that people tend to stay with the default settings and opt not to change them, a preference they have to overcome.

Alessandro Acquisti, associate professor of information science and policy at Carnegie Mellon University, argues that Facebook is likely counting on that psychology to limit the number of people who ratchet up the privacy settings. “What is happening, it is almost a bait and switch technique,” he says. “Every time they change the status quo, they are getting people more and more adjusted to the habit of disclosing information. If you told people five years ago that all these different fields are public, they would say, ‘No way.’ ”

Facebook says that some information–a person’s name, her network of connections, and the pages that she likes and dislikes–has always been public. The user’s photo, gender, and current city have all been added to the must-be-public profile information, the company acknowledges, but it says that only a small fraction of users are changing their settings to restrict access to information.

“The overwhelming majority of users have made all of this information available to everyone,” a spokesman says. “We’ve found that the small percentage who have restricted any of this information have intended to prevent contact from nonfriends.”

However, Facebook may not find an easy way out of the current controversy. In February 2009, when users were upset about other changes to its terms of service, the company created its Facebook Principles, a list of promises of how the company would treat its users and their data, including that “people should own their information, they should have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service.”

The company has failed to live up to those principles, says the EFF’s Opsahl. “It is not just a matter of, can Facebook weather the storm of criticism and keep their users–they have a real situation here,” Opsahl says. “But they have an opportunity as well. They can try and fix this problem and regain their users’ trust.”

Source: http://www.technologyreview.com/web/25346/page2/

2 thoughts on “Making more user information public has both privacy and security dangers, experts warn.”

  1. I am in agreement that most users probably don’t know what to do re privacy and how it works and that Facebook is thinking from a “techo” perspective.

    I have four kids that use Facebook and they have no idea about privacy risks (despite my attempts to educate), nor would all of their friends. They understand “stranger danger” but would not think about the longer term implications of what they are doing as teens now, and how organisations in future may use this knowledge.

    We all do things when we are young we regret later and this can equally apply to what happens in Facebook today.

    This is a dilemma that needs to be addressed by society, and individuals, not companies.

    Perhaps the “tribal elders” of our communities need to be sharing more wisdom with the youth.

    Does anyone else worry about the longer term implications of social technologies on our next generations?

  2. What really makes me think is the amount of options available and possible security implications.

    For me it is one of the cases where, in trying to cover every aspect of the problem, major security problems happen.

    While I understand, but don’t like, the need that is invading everybody to have customizable and personalized solutions, I also understand that having a thousand options is like having no options.

    On the other side, defining and maintaining all those options available is really effort consuming, especially if compared to the average Facebook user that really doesn’t know a half of these.

    I think that Facebook should understand to the full extent that it is no longer a “geeky lab” allowed to think of everything that comes to mind.
