Facebook Confidential

The Age

Thursday March 27, 2008

Elissa Baxter

Your personal information can end up on more than a networking site. Elissa Baxter reports.

IT ALL seems so innocent. You're asked to fill in a few fields of information in exchange for access to Facebook, the world's hottest social networking site. It's easy stuff - your name, address, the school you went to, your favourite books. Then you can connect with long-lost friends or see photos of your relatives in Britain...and you become part of the zeitgeist.

Most people are so keen to get that pay-off they do not worry about how the information they provide is used. Privacy advocates around the world, however, worry that the millions of people entrusting their personal information to social networking sites like Facebook have almost no control over how it is used.

"Sites like Facebook are set up purely and simply to deliver consumers to advertisers," Electronic Frontiers Australia's Greg Taylor says.

Information harvesting sends chills up the spines of privacy experts but internet users have so far been sanguine about the idea that advertising is targeted at their particular interests.

The potential downside of this trust was revealed last November when Facebook launched its Beacon advertising system.

In a nutshell, Facebook agreed with a number of the world's largest corporations, including Coca-Cola and Blockbuster, to exchange information about Facebook members who used partner websites. Details of transactions on sites such as Blockbuster were sent to Facebook automatically, with only a very small window of time for users to opt out of the transmission.

Facebook then took that information and began publishing it on newsfeeds to users' friends.

The result? Facebook followed members around the web without having told them it would do so, then broadcast those movements back to the members' newsfeed for anyone else to read.

In the weeks following its launch, Beacon caused an uproar from Facebook users with more than 80,000 joining a group called "Facebook, stop invading my privacy!". The user fury and media furore forced an embarrassing backdown and apology from Facebook CEO Mark Zuckerberg in December.

Facebook now makes provision for users to opt out of the Beacon process permanently. Yet, worryingly, it seems the flow of information to Facebook from affiliated websites may not have been stopped.

A senior research engineer with security specialist Computer Associates, Stefan Berteau, ran tests on the Beacon system last December. He found that information from Facebook's affiliate sites is sent to Facebook regardless of whether a user has opted out of the Beacon service and without notifying the user.

In a blog posted on December 11, Mr Berteau summed up Facebook users' privacy situation: "Facebook has not stopped the transmission of data (from partner sites to Facebook) but they have made changes to their...privacy policy stating that this silently collected data is immediately deleted. Unfortunately, these changes do not prevent Facebook from reversing course without notifying users...The only way for a user to know if Facebook has changed this policy is to continually monitor the privacy policy for changes, which is an undue burden to place on a user in order to protect information that they never agreed to release in the first place."

The consequences of this information harvesting might seem trivial but the fact the information has been gathered, sorted and stored could have unforeseen consequences.

Let's consider a scenario. Imagine you join a Facebook group with the worthy aim of combating global warming. Let's say that group organises an event, which is easy to do using Facebook, where users meet to learn the gentle art of placard-making and sip herbal tea.

Then imagine that five years later the same environmental group starts a campaign against air travel because planes do, after all, pump greenhouse gases directly into the atmosphere.

Then, let's say, some radical elements of that group manage to bomb an airport in the US and bring down a plane. The environmental group is declared a terrorist organisation and all of its associates immediately fall foul of the anti-terrorism laws.

Suddenly that photo of you smiling and waving a placard with your friends is in the hands of the police. All of your Facebook messages, Superwall posts, even your Scrabble moves, have become "of interest".

What if all of that happened while you were visiting another country, for example the US? Facebook's privacy policy makes it clear that it will disclose information if it is legally obliged to and users of Facebook acknowledge that the site is subject to US law. So it might be the US Government, whose laws you are not even aware of, that takes an interest in your Facebook profile.

Sound far-fetched? Dr Mohamed Haneef was held for more than two weeks and charged with a terrorism offence in part because of the transcript of an instant messenger conversation and the donation of a SIM card.

The message privacy advocates want to convey is that information on the internet is uncontrolled. Once personal information is out there, it can be copied and distributed without your knowledge.

Even if you think no government would ever care about your weekend photo collection, hackers or identity thieves might very well be eyeing your CV. Already operating in the internet space, identity thieves could mine social networking sites such as Facebook for a treasure trove of information about individuals.

Security vendor Sophos conducted research on Facebook late last year where it created a fictional profile illustrated with a photograph of a plastic frog. The user name was Freddi Staur, an anagram of ID Fraudster.

Sophos then sent friend requests to 200 Facebook users randomly chosen from around the world. Of the 200 requests sent, 87 users accepted the request, giving Sophos access to their full Facebook profiles. Of those 87, 84% gave their full date of birth, 78% listed their current address or location and one even gave their mother's maiden name.

Sophos says this information is more than enough to allow a sophisticated identity thief to tap into bank account and other online details.

Sophos' head of technology for the Asia Pacific Paul Ducklin says people think of social networking sites as private conversations when in reality they are words published for all the world to see.

"Giving out information on social networking sites is not necessarily dangerous, but it is potentially dangerous," he says.

"Be circumspect about what information you include and who you allow to see it."

© 2008 The Age
