Privacy Hacking Worse Than PR Flacking

Here's frequent Slashdot contributor Bennett Haselton who writes "Facebook apparently hired a PR firm that tried to seduce some pundits into writing negative editorials about Google. The 'attack angle' would have been that Google was endangering users' privacy by scraping information about users from Facebook and making such information easier to find with a Google search." Hit the link below to read the rest of Bennett's story.

The reliably cynical Seth Finkelstein commented that the attempted editorial-planting was just "often implicit dealing made explicit", (i.e. that pundits are drafted as fronts for corporate publicity campaigns like this all the time, and that the PR firm in this case spoiled the game by rudely blurting out the terms of the deal, like a guy offering to buy a girl dinner if she'll sleep with him). Steven Levy of Wired opined that with regard to the privacy issues, Facebook was the real villain for exposing information in the first place that many users would rather keep private.

Some perspective here: In 2008, I was corresponding with a high school student (using one of the Circumventor sites to get around their local school Internet blocker, naturally) who mentioned that he was able to see all the personal information of other students in his Facebook high school network -- including email address, phone number, and home address, if the user had uploaded that information to Facebook -- even if those users had not confirmed him as a friend. (Facebook allows users to join one or more "networks" indicating their school affiliation, workplace, city of residence, etc. -- such networks are distinct from Facebook groups and fan pages.) Double-checking with a few more users in the same network and in other high school networks, we found that it really was possible for any member of a high school network to view the profiles of any other member of that high school network and see all of their personal information.

Unlike other types of "networks" on Facebook, it is not possible to join a high school network simply by specifying it in your preferences. However, all of the students that I corresponded with said that in order to join their high school networks, they simply had to request to join the network, and then get a friend request confirmed by an existing member of that high school network. Which means that conning your way into the network would be easy: either (1) create a profile with the name and photo of a real student at that school, and send out friend requests to that student's friends, hoping that one of them would confirm you (not remembering that they had already friended that person under their real account), or (2) create a profile with a hot girl's picture and send out random friend requests to a bunch of guys in the network. Once you got confirmed, you'd have access to all the personal information that any student in that high school had posted on their profile. (I hasten to add that we did not actually try either of these things, but it stands to reason that it would work, since it wasn't functionally any different from what all of those students actually had to do in order to join their networks in the first place!)

I sent a message to Facebook's security team about this, and got a non-form-letter response from a real person -- their reply, however, was that this behavior was by design:

We believe this allows for greater sharing and helps make the site more useful for people, though we also recognize the potential for misuse. That's why we've built a peer verification system around the joining of high school networks. We also use automated systems to detect and flag anomalous behavior, like lots of messages sent to non-friends or a high percentage of ignored friend requests.

Smart, but probably not secure enough. For one thing, if someone is creating disposable accounts to send out friend requests in hopes of getting into a high school network, it only has to work once, so even if most of their accounts get flagged for "anomalous behavior," they only need one that doesn't get flagged. And even if that account does get flagged and cancelled later, by that time it might be too late, if they've already grabbed enough users' information. In any case, some time between 2008 and 2011, Facebook did change the behavior of high school networks so that members can no longer see the personal information of other members without a confirmed friend request. But this loophole was not that difficult to find, and it's likely that at least a few other users had discovered the same issue.

Now, imagine what would have happened if Facebook had announced that, for a fee of a few hundred dollars, they were offering CDs for sale containing the names, addresses, mobile phone numbers, and instant messenger names of all the high school students on their site (along with, of course, all the photos those students had posted of themselves). It goes without saying that after the class action lawsuits had finished, there'd be nothing left of the company but a smoldering crater. Now, I'm not suggesting that Facebook's security policy for high school networks was anywhere near as bad as selling CDs with all the personal information of their high school users, but it's worth thinking about why it should not be considered as bad. In either case, anybody willing to spend a few hundred dollars (or, equivalently, a few hundred dollars' worth of effort -- the effort to discover the loophole, and then to crank out the friend requests) could obtain the personal information of as many high school students as they wanted. What's the difference?

Well, obviously, there's the message that it would send if a company like Facebook offered to sell CDs full of users' personal information. It would lower the bar for future behavior by similar companies, it would make users extremely cynical about trusting the motivations of social networking sites, and in the long run it might even cause courts to decide that users had no reasonable expectation of privacy when joining those sites, because it was "common knowledge" and "common practice" that those sites offered up people's personal information for sale! On the other hand, if Facebook makes that information available indirectly through "benign neglect" -- by, for example, forcing you to create a fake high school profile and send out a bunch of friend requests and create a new profile from scratch if your first one gets canned -- that's far less likely to cause the side effects I just listed. MySpace is not going to get the idea that it's OK to start selling CDs of users' personal information because, hey, Facebook let people pry out the same information if they jumped through enough hoops.

But what this means is that fairly mild privacy issues, if they arise as a result of deliberate choice by a company like Facebook, are likely to get more press attention than far more serious privacy issues that arise as a result of benign neglect. Because when Facebook makes a deliberate choice that affects user privacy (like sharing users' preferences with Pandora), the pundits and the public are reacting to the direct privacy implications of that action, plus all the auxiliary issues, like the "message" that it sends, and the precedent that it sets for future actions by that company and other companies. Whereas if an issue arises as a result of neglect (as in the case of PlayStation Networks users' credit cards being stolen), people are reacting only to the direct privacy implications of the incident, so the issue has to be much more serious to get the equivalent amount of press.

For example, the right reason to be concerned about Facebook sharing users' personal information with Pandora, was the principle that it violated -- if users say "no" to sharing their personal information, Facebook shouldn't be allowed to switch that choice unilaterally. But as for the practical implications -- come on. Facebook and Pandora are both big faceless corporate behemoths as far as we're concerned, so why would we trust one with our personal data but not the other? Besides, what if Facebook had simply bought out Pandora? Then they could share all of our personal information with all the employees of the newly merged Facepanbookdora, and the exact same people would have had access to the exact same data, but it wouldn't have violated the agreement against sharing information with "third parties," because they wouldn't be a third party any more.

When I first found that email addresses of Ameritrade customers had been obtained by a pump-and-dump stock spammer, I was sure (as were most readers, probably) that Ameritrade was not deliberately selling its customers' email addresses; I figured that they had simply left their database inadequately secured, and some third party had broken in and stolen it. On the other hand, because the incident happened as a result of benign neglect and not deliberate choice, I figured the incident would not garner much press as a result, and that seems to have been the case -- the wholesale thievery of Ameritrade customers' personal information by financial criminals received far less press attention than, say, Facebook's decision to change their privacy policy so they could share information with Pandora.

What this means is that if you're an ardent cyber-rights hippie like me, then yes, you should care about the privacy issues that set the blogosphere afire, even if they're fairly minor privacy issues that are magnified out of proportion because they speak to the deliberate intentions of the companies involved. It matters that Facebook decided one day to share our music preferences with Pandora, even if it doesn't hurt anyone.

On the other hand, if you simply care about threats to your personal privacy, then you should heavily discount the noise being made about deliberate choices taken by companies like Facebook, and pay far more attention to dangers of benign neglect by the company guarding your privacy, when that benign neglect is exploited by malicious outsiders. If you have a stalker and you're worried about them finding your Facebook profile, it makes no sense to be worried about Google scraping the information from the public version of your Facebook profile, if it's the same information that your stalker would be able to see anyway if they were logged in to Facebook themselves. It's far more likely that your stalker would try to exploit a weakness in Facebook's privacy settings -- for example, ingratiating themselves with one of your Facebook friends and getting them to accept a friend request, so that they can then see any information on your Facebook profile that is viewable to "friends of friends." Maybe you knew about that already, but if you didn't, you wouldn't know it from reading all the punditry about the Facebook-Google kerfuffle.

Bennett Haselton Wikipedia Article?!

[eldavojohn]

This is sort of offtopic but did anyone else find it odd that the bulk [wikipedia.org] of edits for Bennett Haselton's wikipedia article are made by Reservoirhill alias Hugh Pickens [google.com] alias pickens [slashdot.org] alias Reservoir Hill [google.com] alias Ponca City, We Love You [google.com]? Nearly all of the content from that article [wikipedia.org] originates from Hugh Pickens and also one of the other editors is the Seth Finkelstein mentioned in today's contribution to Slashdot.

Hugh Pickens is a prolific contributor to Slashdot and I am thankful for his submissions but it is my humble opinion that this sort of ... wikipedic inbreeding? wikinepotism? ... somewhat deteriorates Wikiepdia's credibility. Should an encyclopedia have an article for Bennett Haselton or is he just friends with the right people inside Wikipedia?

In response to the discussion, Facebook has always been about violating privacy first to make cash and then asking the users what was wrong after it was violated. Remember when the news feed went live unexpectedly and was by default enabled? People were up in arms and privacy was the big discussion point but here we are today with everyone using it. Sometimes it works out for Facebook, sometimes it doesn't. They just too big to care about individual privacy and if they can make cash by sacrificing it, they will. Only after enough kick back will they change it.

"Deteriorates Wikipedia's Credibility" ??!

[RobotRunAmok]

Impossible.

Re:

[plunderscratch]

Impossible.

... unless credibility can be expressed as a negative value!

Re:

[FatdogHaiku]

Impossible.

... unless credibility can be expressed as a negative value!

In which case I believe you are required to register the organization as a major political party.
On the up side you can then commence the solicitation of funds to support your noble efforts. Oh, wait...

Re:

[ashidosan]

credibility can be expressed as a negative value

Citation needed.

Facebook and privacy?

[LWATCDR]

I always find it amusing when people get upset about "privacy" on Facebook. Why can't people get that their is no such thing as privacy on Facebook? It is a public website and is for sharing. What people want is just a little privacy. They want Facebook to show what they want to show to who they want show it too.
That maybe asking too much. I mean really just go with the idea that Facebook is a public place and only post to it what you want to be seen in public.
Now what your friends do is a different story. Buy hey they could be posting that picture of you from that strip club on the bathroom wall.

Re:

[overlordofmu]

You are right on the money. No mod points so a "word up" to you!

Personally, I solved the facebook privacy problem. I cancelled my facbook account, but not before I found about two dozen friends from college that I had lost track of. It was very useful to reestablish contact, but of little use after that.

Re:

[lucm]

> Why can't people get that their is no such thing as privacy on Facebook?

Yeah, that's what I told this guy who was all upset because I downloaded all the pictures of his 9 years old daughter.

> I mean really just go with the idea that Facebook is a public place

I totally agree, Facebook is a public place, like school yards, and privacy is like a restraining order, it is a violation of my civil rights.

Re:

[NoSig]

Needs more effort.

Re:

[LWATCDR]

Not even annoying much less entertaining.or infuriating, you suck at trolling you should go read CNN comments for some pointers.

Re:

[lucm]

The tendency to whining and complaining may be taken as the surest sign symptom of little souls and inferior intellects.
  -Lord Jeffrey

Re:

[LWATCDR]

Really where is this promise of privacy of which you speak? I have seen some settings but I have seen no such banner saying things would be private.

Re:

[Riceballsan]

Well I do agree on that for adults, I think the weakness however is the false sense of security the fact that teens think that only their friends can see when they are posting their schedules, where they will be when etc.... What's worse is the parents don't know either. Facebook has a pretense implying security and privacy that many parents and teens don't realize how weak it is and set things wrong.

Re:

[LWATCDR]

You see that is a new problem. You see never before in human history have teens been so dumb as to put themselves in dangerous situations. IT is sad that things have changed so much that parents have no got to keep up with potential dangers so they can help teens make good choices.
What is the world coming to.

All kidding aside back in 1982 when I was in high school a kid a knew went to a local pond and got drunk. He then got a a rope swing and swung out and back and hit the tree fell in the water and died.

Re:

[knorthern knight]

> 3. Choose good friends.

Not that easy. Today's straight A honour-roll student may get hooked on drugs next year. The quiet guy in accounting may have a large stash of child porn at home, and get raided 2 weeks after you accept his "friend" request. And how many murderers seemed like such nice guys to the whole town?

About the only way out is not to join Facebook in the first place.

Re:

[LWATCDR]

True and I don't encourage people to abandon friends in trouble. But if that drug addicted friend asks you to a party... And not getting on Facebook will not solve it. All it takes is a "friend" to get a picture of you doing something stupid to hurt you. It doesn't even have to be doing something stupid. A young lady at a sleep over could end up with a picture of her in a state of dress that she wouldn't be comfortable with being published for the world to see.

Re:

[Threni]

You might not be able to have privacy on Facebook, but that doesn't mean it's not possible. I'm waiting for a reputable company like Google to do something similar, but with all default settings to be `go away; don't share; whitelist only' so that you're completely invisible other than to people you actually want to correspond/share updates with. If Google did it there'd be no reason it couldn't have free Skype like voice (and video, if anyone actually gives a shit about that) chat. Etc.

Facebook got ther

i believe the phrase is 'conflict of interest'

[decora]

and/or "incestuous".

Re:

[ohnocitizen]

Nothing to see here, Hugh Pickens is just extremely notable and well sourced.

Re:

[mrex]

I don't know the /. team or Mr. Haselton personally. I remember Bennett's name and work on Peacefire and other projects way back in the 90s, though. He's of course also been a frequent contributor here with timely electronic civil liberties news. The Wiki article about him has merit for me, but can't speak for anyone else.

it's not google's fault

[Anonymous Coward]

Look people, it's a search engine. It searches everything it has access to. It's up to the content providers to police what is accessible or not-accessible. What is this, some kind of nanny state?

Re:

[memojuez]

They are complaining about Google to deflect the blame or owning up to their deficiencies. It was not all that long ago that /. reported that Facebook was teaming up with Micro$oft to go against Google. [slashdot.org] So Google is their ideal candidate to blame.

Re:it's not google's fault

[makomk]

Not only that, but all the information that Facebook was trying to get the media to write articles about Google abusing user's privacy by accessing is (as far as I can tell) information that Facebook considers to be public - which means that they don't let you hide it from the world, are quite happy to sell it to advertisers, etc. Facebook's attempts to smear Google were totally and utterly dishonest from the start: their position is that you have no reason to keep any of this information private, at least when they're the ones making use of it.

Re:

[VortexCortex]

Yeah, besides, it's not like Google was trying to hide the fact they are crawling any Internet site -- The user agent is:
Googlebot/2.1 (+http://www.googlebot.com/bot.html)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Many sites actually show more information if they detect the Google bot to increase their search rankings.

Later, If you click the search listing and can't see what the bot saw, in most cases, it's not because the search database is out of date, it's because of

Re:

[Anonymous Coward]

From http://facebook.com/robots.txt:

User-agent: Googlebot
Disallow: /ac.php
Disallow: /ae.php
Disallow: /album.php
Disallow: /ap.php
Disallow: /feeds/
Disallow: /l.php
Disallow: /o.php
Disallow: /p.php
Disallow: /photo.php
Disallow: /photo_comments.php
Disallow: /photo_search.php
Disallow: /photos.php

I don't see the problem here.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[theArtificial]

It would have been great if the default for search engines would have been opt-out and only if you want it to be opt-in then it would be opt-in. Unfortunately too late for that now.

No it's not, simply refrain from placing things you don't want accessed by all in publicly accessible locations. Your opt-in is implicit when you share something on a webserver. "I've made my information freely accessible to all, but I don't want it accessible by some." The issue is that search engines are part of the 'all'.

This reminds me of a PHB/CFO at a web hosting company I worked for during the recent real estate bubble who was bothered that another company was accessing listing information on one of

Re:

[gad_zuki!]

Not to mention, Facebook's TOS is that you must use your real name when creating an account. If FB cared one whit about privacy it would let people uses aliases. It really is incredible how ghetto and scammy FB is with their tactics and policies.

Short version

[Anonymous Coward]

If you have a stalker and you're worried about them finding your Facebook profile, it makes no sense to be worried about Google scraping the information from the public version of your Facebook profile, if it's the same information that your stalker would be able to see anyway if they were logged in to Facebook themselves. It's far more likely that your stalker would try to exploit a weakness in Facebook's privacy settings -- for example, ingratiating themselves with one of your Facebook friends and getting them to accept a friend request, so that they can then see any information on your Facebook profile that is viewable to "friends of friends."

Basically, beware of both grand intent -- Facebook selling information -- and what the author calls 'benign neglect' -- lackluster security leading to abuse.

WTF?

[Anonymous Coward]

Google was endangering users' privacy by scraping information about users from Facebook and making such information easier to find with a Google search.

Isn't that the whole point of a search engine... to scrape publicly listed information?

On the other hand, apart from Facebook account names, there's almost no valuable information there.

Re:

[VortexCortex]

Not to mention, the Googlebot user agent is announce BEFORE Facebook willingly gives Google the data.

Googlebot: Hi Facebook, I want page facebook.com/xxxx.
Facebook: Sure, Googlebot, here you go! [transfers publicly visible data]
Googlebot: BuhBie! I'll talk to you again in a second or two!

How is it NOT Facebook's fault? There are two willing parties in a Client / Server connection.

Facebook promotes Like buttons and badges everywhere, then bitches when a web crawler, crawls those links, and Faceboo

Facebook wants your children, too

[Awkward Engineer]

It's not just high school students. The Zuck said he wants facebook available for kids under 13, too. Child protection laws require age verification for kiddies, and the hastle of doing that is pretty much the only thing stopping them right now. Facebook, from it's founding, has always been on morally ambiguous ground, and there's no reason to suspect they'll change in the future. -www.awkwardengineer.com [awkwardengineer.com].

Contrary opinion

[Compaqt]

I actually appreciate that you can see the "cached" version of a Facebook Google result without having to log in to Facebook (or even have an account).

I'd say that preserves your privacy by allowing you to not have a Facebook account!

Google 'scraping' information

[unity100]

as opposed to facebook just selling it to 3rd parties behind its users' backs.

whoredom.

I did not initially see who the poster of this was

[Attila Dimedici]

I did not initialy look to see who posted this. I was reading it and started thinking that the reasoning seemed circuitous and tortured, then I looked and sure enough it was a Bennett Haselton submission.

Re:

[UnknowingFool]

I don't know who approves these submissions but if I wanted to read someone's wordy personal opinion, I would read their blog. Obviously Bennett has not taken Shakespeare's advice: "Brevity is the soul of wit."

Re:

[jdgeorge]

Obviously Bennett has not taken Shakespeare's advice: "Brevity is the soul of wit."

Shakespeare's comment is more observation than advice. Seems pertinent, though.

Where is the consumer advocacy?

[SilasMortimer]

You know, I still remember those commercials and almost remember the address of that place in Pueblo, Colorado for a free booklet about consumer protection. When I was growing up, that was a phrase that was commonly heard everywhere. Including the media. You know, back when Ralph Nader was a respected name.

You could still get suckered, but there was information that had been compiled and you could get it if you looked for it (and not just from Pueblo). Then the Internet happens. Over a decade and a half after it becomes a daily thing for the average consumer and it's closer to the myth of the "Wild West" than the actual Wild West was. At times, it seems like the sheriffs aren't that much better than the bandits and occasionally you wind up sympathizing with the bandits more. And what does the hope-to-be-savvy consumer find when s/he looks for information of the kind they used to write to the fine folks in Pueblo for? "You need to get smart" is what it boils down to. How? From what? Who's the villain and who's the guy in the white hat?

Yeah, yeah, I'm oversimplifying. But really, this dichotomy isn't working for me. There's always been a chance for the consumer to get screwed, but it hasn't been so blatant since the uglier days of the Industrial Revolution. The fuckers have gotten smart and some of the fuckees have kept up, but most people are just hoping that when it happens, it's over quickly (better have "protection" installed, just in case, ya know). Most of the legislation regarding the Internet that I've heard of has been something to do with helping the straw boss keep his iron grip and helping the company sto' keep you from going to St. Peter- holy crap, my metaphors are all over the place here.

I never thought I'd say this, but I'm looking forward to the next Ralph Nader. Where the hell is he? Or she? Or it? I don't give a damn, just get here already.

I was deeply disappointed on reading this article.

[Nadaka]

Not one bit of innuendo. Not one explicit offer. So much for "seduce". I was expecting some tabloid scandal here.

FB is scared

[Sprouticus]

If google has most of the same information on FB users as FB does, they can create a similar database and sell that information (or sell access to the information) to advertisers and marketing firms who want to mine the data.

And that would mean that FB would lose out on revenue.

A bit OT - the real problem

[lucm]

I think Google should not be indexing Facebook. And they should also not be indexing websites like experts-exchange.com or bigresources.com that keep polluting the search results when I am googling for an answer to a technical problem.

I don't understand why the IT world is going down the drain like that. Ten years ago there was Dejanews - a gold mine for technical people, a place to go in your hour of need when you had this mysterious log entry and all you had to access usenet was Lynx. Also a place to hang

Re:

[Lazy Jones]

I don't understand why the IT world is going down the drain like that. Ten years ago there was Dejanews...

My generalized $0.02 on this: this resulted from "commoditization" of the Internet. Where technical prowess, cooperation and hacking ethos used to rule, nowdays you see marketability and revenues, competition and legal issues dominate the field. Spamming is highly profitable and does not involve a lot effort, so it has to win. Projects with limited resources cannot concentrate on their main task, they have to deal with SEO, PR, possibly revenue (when was the last time you saw a highly successful open sourc

Of course..

[Weaselgrease]

Instead Facebook won't sell the data, they'll just sell a piece of software to corporations that already does the loophole jumping for them, and claim that it's for educational or security evaluation purposes for their 3rd party apps.

FaceBing Live is coming.

[Torodung]

Wait for it... Here it comes... FaceBing Live. Premiering only on Windows 8.

Because you need a "decision engine" that has access to all your personal data, because you are an indecisive fool, incapable of critical thought, and you never got to know yourself as well as a comprehensive personality algorithm could. John Anderton, wouldn't you like a Budweiser?

Google had best hire a brute squad to deal with the kind of crap this unholy Zuckerberg/Microsoft marriage is going to try to pull on them.

Think that's t