Despite all those people who honoured May 31st 2010 as Quit Facebook Day - well, 31,000 people, maybe not an enormous dent in the 500 million users Facebook recently claimed - Facebook marches on. Clearly they're doing something right. But what?
It's probably not the personal charm of founder Mark Zuckerberg, who, when he's not being noticeably evasive about Facebook's stance on privacy, is trying to live down referring to some of his early, over-trusting customers by a phrase I don't feel it necessary to include here.
It's clearly not the company's demonstrable commitment to taking exhaustive measures to keep its users' private data secure. While it might be unfair to blame Zuckerberg or his company for the appalling action of one Ron Bowes, described as an "online security consultant", who posted a file containing the personal data of 100 million Facebook users on Pirate Bay, their reaction - "no private data has been compromised" - is instructive. Strictly speaking, FB is correct: these data are not private, because they were not protected by the stricter privacy settings that are available to cautious FB users. But...
- Did the individuals concerned expect some self-serving, self-publicizing "researcher" to come along and funnel their data into an easily searchable format on an all too public site? I doubt it.
- Did they realize that their data was even visible to people other than their friends? By no means all of them, I'm sure.
- What happens if they now decide to change their settings for better privacy? Well, they can do that, but their data are already out there and thousands of people have, apparently, already downloaded the file, so in a sense that ship has already sailed.
- Does Ron Bowes care? Evidently not. He commented, apparently:
"Facebook helpfully informs you that "[a]nyone can opt out of appearing here by changing their Search privacy settings" — but that doesn't help much anymore considering I already have them all (and you will too, when you download the torrent). Suckers!"
- Does Facebook care? Well, it didn't back in January 2010 when Zuckerberg said that:
The rise of social networking online means that people no longer have an expectation of privacy...[and] ... privacy ...[is]... no longer a "social norm".
Well, let's give them the benefit of the doubt. Maybe the frequent adjustment of Facebook settings is gradually moving towards a more consistently secure model where secure rather than insecure is the default. I've always had a well-hidden optimistic streak.
Let's not forget, though, that Facebook has gradually been replacing Usenet and email as the channel of choice for the distribution of out-and-out hoaxes as well as the promulgation of misinformation with the intention of luring victims towards malicious binaries. While I covered some of that not so long ago here, it's become clear this month that it's not only Facebook and its affiliates that are after your data. Looking at the dramatic spread of recent scambait like the 'truth about Coca-Cola' and 'Teacher nearly killed this boy' stories, where videos (fake or otherwise) are used to persuade people to respond to polls asking for information that they really shouldn't be giving away, it's evident that Facebook users can't get enough of rogue applications that use their accounts to spread far and wide.
With Facebook friends like this, who needs enemies?
https://www.welivesecurity.com/?s=facebook+privacy
http://www.newsweek.com/blogs/techtonic-shifts/2010/05/26/facebook-friend-foe-or-frenemy-.html
http://www.computerworld.com/s/article/9177645/Facebook_s_Zuckerberg_reignites_privacy_brouhaha
http://www.fiercemobilecontent.com/story/facebook-privacy-public-relations-nightmare/2010-06-03
http://www.pamil-visions.net/mark-zuckerberg-and-facebook-ceos-are-their-brand/217313/
http://www.guardian.co.uk/technology/2009/dec/10/facebook-privacy
https://www.welivesecurity.com/?s=facebook+malware
David Harley CITP FBCS CISSP
ESET Senior Research Fellow