Moglen: Facebook Is a Man-In-The-Middle Attack
jfruh writes "In an email exchange with privacy blogger Dan Tynan, Columbia law professor Eben Moglen referred to Facebook as a 'man in the middle attack' — that is, a service that intercepts communication between two parties and uses it for its own nefarious purposes. He said, 'The point is that by sharing with our actual friends through a web intermediary who can store and mine everything, we harm people by destroying their privacy for them. It's not the sharing that's bad, it's the technological design of giving it all to someone in the middle. That is at once outstandingly stupid and overwhelmingly dangerous.' Tynan is a critic of Facebook, but he thinks Moglen is overstating the case."
Email? (Score:1, Insightful)
Then in his opinion, wouldn't email be the same? It's stored on some 3rd party mail server somewhere... and for that matter, wouldn't all forms of electronic communication that get copied/stored somewhere not under your personal control also be classified as a "man in the middle attack"?
they just figured this out? this is a revelation? (Score:5, Insightful)
as with most social sites, search engines, free email services, you are not the customer, you and your relationships are the product
Re:So is every ISP (Score:5, Insightful)
Your ISP does not see the information you transmit if it's encrypted, or email, chat, etc.
Facebook CAN see the messages you send, even if your communication to and from facebook is encrypted.
Re:they just figured this out? this is a revelatio (Score:4, Insightful)
More like it's payment for services. Did anyone sign up to facebook thinking it was a charity to help people make friends?
Not the same thing (Score:5, Insightful)
It's not the same. Obviously, we have to depend on companies every day. But if we don't like a car company, or a traditional ISP, we can switch to another car or ISP. Facebook is different. If you leave, you leave the ability to connect to many of the people that you connected to via Facebook.
I own my own domain name, and use email and blogs to communicate from a site whose name I own. I do depend on companies to support my DNS and webservice. But if I don't like what those companies do, I can switch or do it myself. I have a Facebook account, but I don't normally use it; it just creates too many problems.
We all need suppliers; that's not the problem. The problem is dependency, that is, being (practically) unable to switch. Being dependent on an external company really is a risk.
Re:So is every ISP (Score:5, Insightful)
Sigh - straw man arguments are so tiresome.
These social sites are not your ISP.
These social sites are like inviting a business into your living room to eavesdrop on conversations with your acquaintances.
And for those who say "Who cares if I publicly post all my thoughts and relationships?" I have one question:
What would McCarthyism look like with the data available today?
Re:So is every ISP (Score:5, Insightful)
Rather it seems we have to have special whole new laws because "via the internet" or "with a computer" needs to be tacked on. I'd say this is the larger problem.
Re:Utterly stupid (Score:5, Insightful)
Most facebook users have no idea how deep the analysis of their data/relationships goes or the true privacy implications related. Don't assume too much about average joe.... average joe and janette are strapped with bills, jobs, kids, housework, overtime, stress, and american media psychosis... if understanding privacy and internet data mining isn't part of their occupation, there's a slim chance they know about it.
Re:I would pay $2/month... (Score:4, Insightful)
they would take your money AND track you.
Re:Not the same thing (Score:4, Insightful)
Facebook is still not compatible with anything else online, and it's huge, so in many ways it is a monopoly. Otherwise, you might as well say nothing is a monopoly as long as you still have smoke signals and the pony express.
Gosh, you must be brain dead (Score:2, Insightful)
Utility services? I PAY for my utilities, and the phone companies especially charged through the nose. You PAY, you are the customer. You get it for free, you are the product.
So unless you propose paying a monthly fee and a usage fee and a signup fee and a rental fee for your facebook usage, shut the fuck up with your idiotic notion that companies got to provide you with free services and not make a single penny off you.
And if you don't like facebook, DON'T use it. It is not hard, I am not using it right now and still have time to insult your feeble self-entitled mind.
Re:So is every ISP (Score:5, Insightful)
Your ISP can see which websites you visit, how long you spend there, how often ....
Yes, but it is not part of their business model to do that.
People would be quite outraged to receive an email from their ISP that reads: ... P.S.: Has your daughter looked at planned parenthood?
Based on the web-sites you visited, we recommend following companies to you.
Re:So is every ISP (Score:5, Insightful)
What would McCarthyism look like with the data available today?
You remember when your president had to publicly reaffirm he wasn't a muslim but a good god-fearing christian with good wholesome christian values? McCarthyism never left.
You americans and your battles over symbols. You raise a big stink over irrelevancies like ID-cards and Facebook and meanwhile you've got the TSA, warrantless wiretaps, draconian copyright lawsuits, etc.
Re:So is every ISP (Score:3, Insightful)
You could do this pretty easily, the problem is most people who use facebook don't care about their privacy and the people who would use this would soon lose the need for it when all of their friends blocked them because their pictures are f'd up and everything they post is garbled.
Not to mention, if the majority of FB users started doing this, they will share their key unencrypted over status updates and PMs.
Re:So is every ISP (Score:5, Insightful)
I'm not a huge fan of Facebook for numerous reasons, but IMHO, this whole "oh noes -- Facebook is reading my texts!" alarmism is really rather disingenuous. C'mon -- you're posting comments on a public web site. It's more like talking to your friends in the hallway back in your high school days than a telephone call. If you really expect privacy on Facebook, then you are dangerously naive.
Re:So is every ISP (Score:4, Insightful)
(It is probably a good thing that no one has pointed out to them that 100% of terrorists breathe air. They would probably regulate that or put all people who breathe air on the 'no fly' list...)
Re:So is every ISP (Score:5, Insightful)
The assertion that "Facebook is a man in the middle attack" is utter bullshit. An "attack" would imply that Facebook is doing something that the user does not want it to do.
The reality is that facebook/myspace/google+ et al. is a service in which the user willingly sends their information to them, and then they happen to share such information with some connections.
People do that willingly, people willingly sign up to facebook and send such information to facebook. The people who do not want to share information with facebook do not do it.
Re:Not the same thing (Score:5, Insightful)
The problem is not exactly the switch...and whomever else they so desire.
I have to agree with you here. My biggest complaint with Facebook is that other people I know may include comments about me, photos of me, etc. on their posts, and unless I keep tabs on Facebook, I have no way of knowing what information about me is being collected. THAT, IMHO, is the biggest privacy issue with Facebook. However...
Sure, a car company might do just that but does a car company record the conversations you have in your car...whomever they so desire?
That's a flawed analogy. I didn't pay five figures to use Facebook; I knew going into the deal that Facebook mined information for targeted advertising in order to make a profit. Did you think that Zuckerberg built Facebook just out of the kindness of his heart? How else is he going to pay for servers and bandwidth and coders to add features to the site and, and, and...? On the other hand, I *did* pay five figures to buy my pickup truck. If Nissan tries to further subsidize the cost of my truck by eavesdropping on conversations while I'm driving, I'll find the best lawyer I can afford to smack them down for it. In other words, I have an expectation of privacy in my truck; I have significantly less expectation of privacy on Facebook. Quite honestly, I'm somewhat shocked that others are shocked when they find out that what they've posted on Facebook isn't exactly confidential.
It's called a "trusted middleman" (Score:5, Insightful)
The name is "trusted middleman", and anybody claiming it is an attack is doing yellow journalism.
It is true that the more people you have to trust, the worse off you are. It is also true that trusting a corporation can be quite a bit worse than trusting an individual (but then, it can be quite a bit better from other points of view). It is also true that trusting corporations that have already shown that they don't deserve any trust is even worse. But equating it to a man-in-the-middle attack is a lie. Plain and simple, a lie.
Re:So is every ISP (Score:5, Insightful)
Stated another way...
Your relationship with your ISP: You are the customer.
Your relationship with Facebook: You are the product.
Re:Gosh, you must be brain dead (Score:4, Insightful)
Things you do in public aren't private. More news at 11. Face it, the only thing that Facebook changed about that was exposure. You didn't give a shit before because it wasn't cool back then to hate on Facebook. If you don't want people to know about that stuff, either don't do it, or be a social shut in and prevent people from taking pictures. This applies regardless of the existence of Facebook.
Re:So is every ISP (Score:5, Insightful)
We had this. It was called the web. Anyone could put up a website. Even host it right out of their own home. But it was a pain even for many advanced users, and impossible for many normal users to figure it out.
Re:So is every ISP (Score:2, Insightful)
Realize you're being a bit flippant, and sarcastic in that anything gets you flagged these days. But it's important to remember that even with encryption, "big brother" would still get most of what they want. Only part of the value of wiretapping is the raw message. The parties are oftentimes more valuable.
Even with crypto, facebook would still be a free, eternal, roaming pentrace that doesn't need a warrant and tends to crudely geolocate all recipients.
If somebody's sniffing facebook, you don't just know that alice told bob "east wind, rain".
You know that alice is talking to bob. And that alice associates with bob, clarice, dave, elaine ...., all of whom like to talk with Maude...
And in the case of facebook who read it, when they read it, who they shared it with, who "liked" it, and approximately where they were when they logged in with a bit of trivial analysis.
Crypto only protects the contents of the message. Not the identities of the parties.
DHS isn't about terrorism protection--it's about witchhunts. And facebook is a free roster of "known associates" to apply profile until you find a suspect.
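The point made in this comment, that encrypting message bodies leaves the intermediary with the who/when/where of every exchange, as an added illustration that is not part of the original thread. The records, names, cities and the toy SHA-256 keystream cipher are all constructed for the example; the cipher is a stdlib stand-in, not a recommendation.

```python
import hashlib
from collections import Counter, defaultdict

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 of key||counter). A stdlib stand-in for a real
    cipher so the example runs anywhere; not for production use."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def seal(key: bytes, text: str) -> bytes:
    data = text.encode()
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def unseal(key: bytes, blob: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(blob, keystream(key, len(blob))))

# Constructed sample: what an intermediary stores when bodies are encrypted
# end to end. KEY is shared by the correspondents and never reaches the middle.
KEY = b"constructed-shared-secret"

def rec(src, dst, ts, city, text):
    return {"from": src, "to": dst, "ts": ts, "login_city": city, "body": seal(KEY, text)}

RECORDS = [
    rec("alice", "bob", "2012-02-12T08:00Z", "Boston", "east wind, rain"),
    rec("alice", "bob", "2012-02-12T08:05Z", "Boston", "did you get it?"),
    rec("alice", "clarice", "2012-02-12T09:10Z", "Boston", "lunch?"),
    rec("dave", "alice", "2012-02-12T09:30Z", "Denver", "call me"),
    rec("bob", "maude", "2012-02-12T10:00Z", "Austin", "she says east wind"),
    rec("clarice", "maude", "2012-02-12T10:20Z", "Boston", "same here"),
]

def intermediary_view(records):
    """Everything the party in the middle learns without the key: who talks
    to whom, how often, and where each sender logs in from. Bodies stay opaque."""
    contacts, cities, pairs = defaultdict(set), defaultdict(set), Counter()
    for r in records:
        contacts[r["from"]].add(r["to"])
        contacts[r["to"]].add(r["from"])
        cities[r["from"]].add(r["login_city"])
        pairs[tuple(sorted((r["from"], r["to"])))] += 1
    return {
        "contacts": {k: sorted(v) for k, v in contacts.items()},
        "login_cities": {k: sorted(v) for k, v in cities.items()},
        "pair_counts": dict(pairs),
    }
```

Running `intermediary_view(RECORDS)` yields alice's full contact list and Maude as the common contact of bob and clarice, while `unseal` without KEY recovers nothing readable.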
Chance of something going wrong? (Score:4, Insightful)
Every time an article related to real-life security (i.e., fighting terrorists) appears, Slashdotters come out of the woodwork to say that there have been an average of 300 US deaths in the past 10 years from terrorism, more people die from car wrecks and smoking, etc.
Same thing here: out of all the evil that MIGHT come from sharing on FB, how many people actually lose jobs, have government agents show up at their door, etc?* For 99.9999% of people sharing on Facebook, there might be a few somewhat-bad things that happen (most likely someone finding out more than you would have liked) but probably not too much more common than what spreads through traditional gossip anyway. I imagine very few bad-with-a-capital-B things happen. Most people will die without having experienced first-hand (or even second-hand) any disasters from sharing on Facebook, belonging to supermarket loyalty clubs, etc.
I'm not saying there's nothing wrong or potentially bad, but like most other things in life it just won't matter to most people.
* And in cases where it DOES happen, I'm sure most belong in the category of "you shouldn't have been doing that (or at least not talking about it)"--crimes, affairs, etc.
Products are replacing protocols, and for a reason (Score:5, Insightful)
The point is that more and more companies offer products that replace open protocols with open servers and clients. Email is/was SMTP with millions of servers and client applications implementing that protocol. No room to make money apart from selling bandwidth. The web as we know it is HTTP with millions of servers and clients and while there is ample room to make money it's not actually a product.
Facebook and Twitter aren't protocols. They are products, owned and controlled by companies that do all of this to make money, and to achieve this they offer what people want, not what's sound and reasonable from a technological POV.
If you have a closer look at this you will find that there are reasons for this shifting picture: All the good old protocols were designed from a very technical point of view, or from the point of view of technical users. Email is complicated to set up; there's a reason many people (if they still use email at all anymore) use some webmail service. It also doesn't do very much except send messages and small files around. It offers no way to actually find people. The web (based on the Hyper Text Transfer Protocol) just transfers files containing clever markup and doesn't care for anything else. All of this is fine and dandy from a technical POV but just doesn't address very much of what "normal" people actually want to do.
I really can't be angry about what Facebook does, because: We (as geeks) just totally failed to come up with protocols and tools for an infrastructure that would've been able to address the needs of casual users. Instead we insisted that webmail is silly and a full-featured MUA the way to go. In Usenet we were fighting HTML content and fake names even as Usenet (as a communication platform) went under. And there was never anything that even tried to implement a net-wide address book or useful calendaring. All these missing things left a gaping hole that companies like Facebook just exploded into like a gas into a vacuum.
It's easy to hate Facebook and to praise geekdom, but we just miserably failed. We were (and still are) more fascinated by the tools instead of what people might want to do.
It's one of men-in-the-middle (Score:4, Insightful)
And the public doesn't seem to care much. Remember that little skirmish about Politico.com buying analysis from FB on public and private message mentions of republican candidates to "evaluate sentiment"? A few people complained for a bit about not being able to opt-out and then it all died out (despite questions on randomization of results etc).
Add to that clickstream selling by ISPs, and attempts to gather and sell your information by pretty much everyone (heck, the yellow pages delivery opt out form demands phone number and email [hyperom.com]) and people seem to be simply tired of fighting it.