Facebook hit by new security concerns over privacy settings

Secure Computing, By Dan Raywood, April 6, 2009

Users of Facebook could be giving away their personal information due to the way the website’s privacy settings work. A team from the University of Cambridge’s computer laboratory has shown how Facebook public profiles could be used to find out personal information despite appearing to contain only a few details.

In the paper, titled ‘Eight Friends Are Enough’, the team pointed out that it was possible to reconstruct a user’s friends list in a way that could allow marketers, governments and even criminals to understand the private relationships between different people. It claimed that a search for a specific Facebook user will display every user’s name, photo and eight friendship links. Affiliations with organisations, causes, or products are also listed.

The paper’s author, Joseph Bonneau, said: “This is quite a bit of information given away by a feature many active Facebook users are unaware of. Indeed, it’s more information than Facebook’s own privacy policy indicates is given away.

“When the feature was launched in 2007, every over-18 user was automatically opted-in, as have been new users since then. You can opt out, but few people do – out of more than 500 friends of mine, only three had taken the time to opt out. It doesn’t help that most users are unaware of the feature, since registered users don’t encounter it.”

The paper further claimed that the public listings are designed to be indexed by search engines. In the team’s own experiments, it was able to download over 250,000 public listings per day using a desktop PC and a fairly crude Python script.

Bonneau said: “For a serious data aggregator getting every user’s listing is no sweat. So what can one do with 200 million public listings? Facebook’s public listings give us a random sample of the social graph, leading to some interesting exercises in graph theory. As we describe in the paper, it turns out that this sampled graph allows us to approximate many properties of the complete network surprisingly well.”

“This result leads to two interesting conclusions. First, protecting a social graph is hard. Consistent with previous results, we found that giving away a seemingly small amount can allow much information to be inferred. It’s also been shown that anonymising a social graph is almost impossible.”

“Second, Facebook is developing a track record of releasing features and then being surprised by the privacy implications, from Beacon to NewsFeed and now Public Search. Analogous to security-critical software, where new code is extensively tested and evaluated before being deployed, social networks should have a formal privacy review of all new features before they are rolled out (as, indeed, should other web services which collect personal information). Features like public search listings shouldn’t make it off the drawing board.”

Facebook claimed that its publicly searchable pages were only introduced after an extensive privacy review. A spokesperson told the Guardian: “Public search listings are a way for those users who wish to allow people to find them in search engines to share limited elements of their Facebook profile. Their creation, continued presence, and the particular elements contained within them are entirely configurable by users.

“Changes as to the presence or content of a public search listing may be made easily by any user on the privacy settings page.”