Modern Software Experience

2008-07-14

FaceBook

FaceBook is this big social networking site that you’ve probably heard of. It’s not as wild as MySpace but not as formal as LinkedIn either.

viral

FaceBook is viral. Some friend or family member signs up, and then invites you to look at their profile - but you cannot view their profile and the embarrassing pictures they posted unless you become a member yourself. This is deliberately user-unfriendly design. The friendly thing to do would be for members to show a public profile. But no, you must sign up, become a member, set up your profile and invite your friends.

chain letter

FaceBook’s aggressive signup-and-invite policy is the web equivalent of a chain letter. All recipients get the same invitation, the same promise of access, and are then expected to send that same invitation to as many others as possible. Chain letters are illegal, so I wonder about the legality of this sign-up policy.

signing up

Facebook is not interested in smart users that browse safely. Their sign-up procedure only works when you browse unsafely. You need to allow scripting on multiple domains (facebook.com, fbcdn.net and recaptcha.net), just to sign up.

Internet identity

Facebook really cares about your privacy - they’d like to have it. They show how much they care by asking you for name and email. Sure, many sites do, but on those sites, you can use any Internet identity, some name and email you’ve set up. When your sister invites you to Facebook, she expects to see your real name and personal email address. Using some Internet identity isn’t an option. The FaceBook trap is set up to capture your real identity.

high expectations

One truly insidious aspect of Facebook is that people really expect you to follow them onto Facebook. Telling them that Facebook is a privacy problem will not make them see the light and leave Facebook. They will not tell all their friends how stupid they were to fall into the Facebook signup-and-invite trap and how good you were to save them by patiently explaining the privacy issues to them, but how mean you are for snubbing their kind invitation with some ridiculous privacy excuse.

good site

Facebook isn’t a good web site. The site does not validate. It has a chain letter signup-and-invite model. The Facebook site does not allow safe browsing. The entire site uses the antilogical date format, and it even expects you to enter your date of birth in the antilogical date format. You must really hate your friends to subject them to all that, yet Facebook’s owners expect you to invite them.

profile

When you sign up, Facebook asks for your name and your email address. It also wants to know your gender, your date of birth (in antilogical date format) and wants you to categorise yourself into one of four broad demographic categories: in college/graduate school, at a company, in high school, none of the above. You must solve the captcha and click the link on the email you receive.
Once you’ve done all that, you have a profile on Facebook, or rather, Facebook has your profile.

email

Once you’ve clicked the emailed link to let Facebook have your profile, you get to see what looks like a login screen. Surely, this is bad design, you’ve just created your account and just clicked the confirmation link, why should you need to log in? Take a good look at that screen. It has a "logout" link in the upper right corner - you are logged in. Facebook is asking you to log in, but is not asking you to log into Facebook. It is asking you to provide the password to your email service!

You know, don’t you? Never give out your password.
Yet Facebook asks for your email password even before you’re done setting up your profile.

Facebook password

The really funny part about this is what Facebook says about giving out your Facebook password. Their terms of service (which you had to claim to have read and agreed to when you signed up) state that

"In consideration of your use of the Site, you agree to (a) provide accurate, current and complete information about you as may be prompted by any registration forms on the Site ("Registration Data"); (b) maintain the security of your password and identification; (c) maintain and promptly update the Registration Data, and any other information you provide to Company, to keep it accurate, current and complete; and (d) be fully responsible for all use of your account and for any actions that take place using your account."

In plain English: you must provide accurate profile data so we make more money on the advertising we plaster all over your Facebook pages, so don’t give your password to anyone else.

education and company

Facebook labels importing email addresses as step 1 of filling out your profile. That really already tells you everything you need to know about Facebook. Step 2 is providing information on your education and company, and step 3 is telling them your hometown. Luckily, you can skip all these steps.

Facebook privacy

Facebook has a privacy policy. It is ridiculously long, and that is not a good sign. The friendliest thing I can say about its length is that it seems designed to turn you off the idea of ever reading it. A less friendly remark would focus on any of the things in there, but the most important thing is near the end: "We reserve the right to change our Privacy Policy and our Terms of Use at any time.". That single sentence practically voids everything else that’s in there. It does not matter much what’s in there, ’cause they can change it anytime they feel like doing so.

There are 3725 words on that page today, not counting menus, header and footer, and that single sentence tells you it don’t mean a thing. Or as they say, "Facebook’s Privacy Policy is designed to help you understand how we collect and use the personal information you decide to share", i.e. this is where we explain how we take advantage of your profile data - when you really wanted to know how your privacy is protected.

FaceBook Beacon

Just how much Mark Zuckerberg really cares about your privacy was shown by the introduction of FaceBook Beacon on 2007 November 6. The subtitle to their "Leading Websites Offer Facebook Beacon for Social Distribution" press release dishonestly claims that "Users Gain Ability to Share their Actions from 44 Participating Sites with their Friends on Facebook". A truthful subtitle would have read "Users embarrassed to see all their web activity on affiliate web sites exposed.", as Beacon bluntly published your surfing behaviour, whether you liked that or not.

Their dishonest subtitle implies that Facebook Beacon is an opt-in program, but it was not even an opt-out program! - As soon as you bought anything on ebay.com, all your friends would be informed about it. Users were understandably upset by this. Facebook had to bow to public pressure, and change Beacon into an opt-in program.
On 2007 Nov 29, Stefan Berteau, a security researcher with Computer Associates, published research that showed that FaceBook was collecting data on affiliate site activity not only when you had opted out, but even when you had logged out of Facebook. He found that the affiliate data is always sent to Facebook, no matter what your settings are.

privacy violation

He quotes an email from Facebook that claims that "as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook". He then notes that this claim contradicts his findings, and that his tests have been verified by independent parties.
I’ll add one more observation to his comments about their claim; if their claim were true, it would imply that Facebook is either actively informing its affiliates when you log in or out, or allowing them to query your Facebook status when you visit their site. Lawyers may want to figure out whether either practice is in line with Facebook’s privacy policy, and whether that statement of theirs is an admission of guilt, but both practices seem a violation of any reasonable privacy policy and user expectations to me.

opt-in

The decision to change Beacon into an opt-in system was not published as another press release, but only as a post on Mark Zuckerberg’s blog, and only after Nate Weiner posted instructions to block Facebook Beacon.

Facebook security

forgotten passwords

Facebook does not send plain-text passwords when you’ve forgotten your password, it emails you a link to reset your password instead. So, it is apparently not as insecure as MySpace, which will mail you your password, which implies they have the password on file as plain-text. As soon as anyone breaches their security, they’ll have all the passwords.
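As an added illustration (my own constructed model, not Facebook’s or MySpace’s code), here is why a site that stores salted password hashes has nothing it could mail back to you, and how an emailed reset link works instead. The in-memory tables, the reset URL and the 15-minute validity of a link are assumptions:

```python
"""Constructed model: hashed password storage plus a single-use, expiring reset link.
Not the code of any real site; tables, URL and time limit are assumptions."""
import hashlib
import hmac
import secrets
import time

# Constructed in-memory tables standing in for the site's database.
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"email": str, "expires": float}

RESET_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 is one-way: the stored value cannot be turned back
    # into the password, which is exactly why there is nothing to e-mail.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def check_login(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    # Constant-time comparison of the stored hash with the freshly computed one.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def request_reset(email, now=None):
    """Create a single-use reset token and return the URL to e-mail.
    Returns None for unknown addresses (the caller shows the same
    'check your mail' message either way, so addresses cannot be probed)."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    # Only the token's hash is stored, so a database leak yields no usable links.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + RESET_TTL_SECONDS}
    return "https://example.invalid/reset?token=" + token  # hypothetical URL


def redeem_reset(token, new_password, now=None):
    """Consume the token from the link; succeed only if it exists and is not expired."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(key, None)   # pop: the link works exactly once
    if rec is None or rec["expires"] < now:
        return False
    register(rec["email"], new_password)   # fresh salt, fresh hash
    return True


if __name__ == "__main__":
    register("sis@example.invalid", "correct horse")
    link = request_reset("sis@example.invalid")
    print("would e-mail:", link)
    print("reset ok:", redeem_reset(link.split("token=")[1], "new password"))
```

A site built this way can answer "I forgot my password" only with a link, never with the password itself; a site that mails the password back is telling you it keeps a copy it can read, and so can anyone who breaches it.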

source code leak

Facebook keeps its source code secret, but on 2007 Aug 11, some of that code leaked. It was not much code, and it was just some user interface code, but it raised concerns about Facebook’s security. Facebook claims that this particular incident was caused by a defect in their Apache server, which is not entirely impossible, but operator error is more likely.
The biggest problem with the official explanation is that it does not address the bigger issue. From the moment they accidentally published some source code, FaceBook security was suspect. Users became concerned, and Facebook has done nothing to alleviate their concerns.

Part of the public fear stems from a security through obscurity mindset, the belief that the system is safe as long as you don’t know how it works, but there is a real issue here; how difficult is it to hack Facebook when all the code becomes public?

fair use

The code circulated around the web for a while, and those who’ve seen it were generally not very impressed by its quality. Low quality code is a good indicator that the site may be vulnerable to an SQL injection attack, and there is the code itself to help you get started analysing the site prior to such an attack.

Facebook claims republication of the code offers no useful insight into the inner workings of Facebook, which is either nonsense from an incompetent marketroid or a deliberate lie. Even though it is only user interface code, it shows you their coding style and conventions, or lack thereof, and it cannot help but hint at the overall structure of the code.
Facebook additionally claims that the reprinting of this code violates several laws, which is simply too vague to take seriously at all. They can try to claim that the code embodies a trade secret, but they already undid any such secret themselves. It is public knowledge now that the Facebook code contains comments such as "Holy shit, is this the cleanest fucking frontend file you’ve ever seen?!". That embarrassing secret stopped being secret the moment they published the code.

Facebook published it on their web site, for everyone to see. Members are probably bound by the Facebook terms of service that forbid republication of site content elsewhere, but visitors are not. That Facebook published it publicly does not change the copyright status of the code, but it is fair use to quote parts of a published work in a story about that work.

not so private photos

On 2008 Mar 24, Associated Press published a story about computer technician Byron Ng circumventing Facebook’s broken privacy controls to access private pictures in Paris Hilton’s and Mark Zuckerberg’s own accounts. It was so easy that reporters had no problem doing it themselves. Facebook claims to have closed the loophole only hours after AP broke the story to the mass media. AP credited Byron Ng for coming up with it, but that Facebook is susceptible to simple URL hacking has been public for months. David Murphy of Maximum PC rightly points to the Facebook Application Smashing blog, which reported a bunch of problems with this on 2007 Jul 22 already. Their comment: "Too easy." It was also already reported in the Winter 2007/2008 issue of 2600 The Hacker Quarterly, so Facebook was not fast, but tardy as a drunken snail without a sense of direction.
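The "URL hacking" in that story is a missing authorization check: a handler that serves whatever picture id appears in the URL, without asking whether the visitor may see it. As an added example (my constructed model, not Facebook’s code), here is that broken pattern next to the check a photo endpoint should make. The photo table, the friend list and the three visibility levels are assumptions:

```python
"""Constructed model of a photo endpoint: the unchecked lookup beside the
authorized one. Data and visibility levels are assumptions, not Facebook's."""
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner: str
    visibility: str   # assumed values: "public", "friends", "private"


# Constructed sample data.
PHOTOS = {
    1: Photo(1, "alice", "public"),
    2: Photo(2, "alice", "friends"),
    3: Photo(3, "alice", "private"),
}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}}


def fetch_photo_unchecked(photo_id):
    """The broken pattern: the id from the URL is trusted and whatever it
    names is returned, so the privacy setting is never consulted."""
    photo = PHOTOS.get(photo_id)
    return None if photo is None else "bytes-of-photo-%d" % photo.photo_id


def can_view(viewer, photo):
    """Authorization decision; viewer is None for a logged-out visitor."""
    if photo.visibility == "public":
        return True
    if viewer is None:
        return False            # logged-out visitors see public photos only
    if viewer == photo.owner:
        return True
    if photo.visibility == "friends":
        return viewer in FRIENDS.get(photo.owner, set())
    return False                # "private": the owner alone


def fetch_photo(viewer, photo_id):
    """Hardened handler: same lookup, but the picture is released only after
    the authorization decision. A missing photo and a forbidden one both
    produce 'not found', so the id space cannot be mapped from the answers."""
    photo = PHOTOS.get(photo_id)
    if photo is None or not can_view(viewer, photo):
        return None
    return "bytes-of-photo-%d" % photo.photo_id


if __name__ == "__main__":
    print("unchecked, private photo, no login:", fetch_photo_unchecked(3))
    print("checked,   private photo, no login:", fetch_photo(None, 3))
    print("checked,   private photo, owner   :", fetch_photo("alice", 3))
```

The point is where the check lives: the privacy setting must be enforced in the code path that serves the bytes, not only in the code path that renders the album page, otherwise a link that bypasses the album page bypasses the setting.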

Facebook apps

Facebook is pushing itself as an application platform. You can install various small applications on your profile. These programs are not supposed to collect data from your profile but it is not clear whether there is any practical way for Facebook to stop these from doing so. If its security measures are like bolting down the front door with make-believe locks, its application platform seems to be opening the garage door at the back.

It takes just one malicious application....
Farfetched? No, when you open that backdoor to everyone, they will come. In 2008 January, Facebook was embarrassed by the Facebook applet Secret Crush installing Zango malware on users’ computers. When security gateway vendor Fortinet reported it, Secret Crush had already been installed by three percent of all Facebook users.

open source

A year after announcing the Facebook platform, the platform has gone open source. The decision to go open source is not a security-related move, but a response to Google’s OpenSocial API. It is likely that several security firms are having a look at the Facebook code, and will publish reports about its quality and vulnerabilities soon. With Facebook’s lousy security history as a realistic indicator, my expectations are not high.

final fatal Facebook failure

I’d love to say that their history suggests that we should not wonder whether Facebook will be compromised, but when it will be compromised. Sounds so dramatic, so wise and all that, but it would be wrong. After all, the sad fact is that Facebook has been compromised multiple times already. Even worse is that Facebook does not seem to take any incident seriously until it hits the mainstream press. Unless Facebook starts getting serious about security, the one thing to bet on is how long we have to wait on the final, fatal Facebook failure, the one that will compromise all private Facebook data completely.

delete

It is my not so humble opinion that it is unwise to post lots of private information on sites like Facebook and MySpace, or rely on privacy features that simply do not work.

The most interesting experience is trying to leave those sites. You can sign out, but it seems impossible to delete your profile. All Facebook offers is the ability to deactivate your account, which is far from the same thing. Nothing is deleted. Facebook will reactivate your account as soon as you (or someone else) logs in again. You cannot delete your account. No option to do so is provided.

As things stand now, FaceBook will delete your profile, but only if you write them a special email to request it, and then will still first claim that they cannot do this until you clean out everything from your profile.

The problem is not technical, it is social; Facebook has a rather nasty "once we have it, we keep it" attitude.

simple

Truth is, deleting all your information is a very simple thing to do for them, they just run a ready-made database query that deletes all records containing your user id.
It would also be quite simple for them to offer that ability directly to you, email you to ask for confirmation, and include a maximum of perhaps four weeks during which you can restore your profile. They could even offer to download your data to your own PC for safekeeping and later restoration, or allow transfer to another social site.
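As an added example of how little is involved (my own constructed model, not Facebook’s code), here is the whole self-service flow just described: the user asks, confirms by email, keeps a restore window, and after that one scheduled query wipes every record keyed by the user id. The table layout, the token handling and the 28-day window are assumptions:

```python
"""Constructed model of self-service account deletion with a restore window.
Schema, sample rows and the 28-day window are assumptions, not Facebook's."""
import hashlib
import hmac
import secrets
import sqlite3

RESTORE_WINDOW_DAYS = 28   # "perhaps four weeks" in the text

SCHEMA = """
CREATE TABLE users   (user_id INTEGER PRIMARY KEY, email TEXT, deactivated INTEGER DEFAULT 0);
CREATE TABLE photos  (photo_id INTEGER PRIMARY KEY, user_id INTEGER, path TEXT);
CREATE TABLE posts   (post_id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE friends (user_id INTEGER, friend_id INTEGER);
CREATE TABLE deletion_requests (user_id INTEGER PRIMARY KEY, token_hash TEXT,
                                confirmed INTEGER DEFAULT 0, purge_after INTEGER);
"""
# Every table holding user data, with the column that ties a row to the user.
# These names are fixed constants, never user input, so they may be interpolated.
USER_TABLES = [("photos", "user_id"), ("posts", "user_id"),
               ("friends", "user_id"), ("friends", "friend_id"),
               ("deletion_requests", "user_id"), ("users", "user_id")]


def open_db():
    """In-memory database with constructed sample data: user 7 and a friend, user 8."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, 0)",
                   [(7, "sis@example.invalid"), (8, "friend@example.invalid")])
    db.execute("INSERT INTO photos VALUES (1, 7, 'p1.jpg')")
    db.execute("INSERT INTO posts VALUES (1, 7, 'hello')")
    db.executemany("INSERT INTO friends VALUES (?, ?)", [(7, 8), (8, 7)])
    return db


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_deletion(db, user_id):
    """Step 1: record a pending request; return the token to put in the confirmation e-mail."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT OR REPLACE INTO deletion_requests VALUES (?, ?, 0, NULL)",
               (user_id, _token_hash(token)))
    return token


def confirm_deletion(db, user_id, token, now):
    """Step 2: the e-mailed token confirms the request. The account is deactivated at
    once and the purge is scheduled for the end of the restore window."""
    row = db.execute("SELECT token_hash FROM deletion_requests WHERE user_id=?",
                     (user_id,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], _token_hash(token)):
        return False
    db.execute("UPDATE deletion_requests SET confirmed=1, purge_after=? WHERE user_id=?",
               (now + RESTORE_WINDOW_DAYS * 86400, user_id))
    db.execute("UPDATE users SET deactivated=1 WHERE user_id=?", (user_id,))
    return True


def restore_account(db, user_id, now):
    """A change of mind inside the window cancels the purge and reactivates the account."""
    row = db.execute("SELECT purge_after FROM deletion_requests WHERE user_id=? AND confirmed=1",
                     (user_id,)).fetchone()
    if row is None or now >= row[0]:
        return False
    db.execute("DELETE FROM deletion_requests WHERE user_id=?", (user_id,))
    db.execute("UPDATE users SET deactivated=0 WHERE user_id=?", (user_id,))
    return True


def purge_due_accounts(db, now):
    """Step 3: the ready-made query, run on a schedule. Every record keyed by the
    user id is removed from every table in one transaction; returns the ids purged."""
    due = [r[0] for r in db.execute(
        "SELECT user_id FROM deletion_requests WHERE confirmed=1 AND purge_after <= ?", (now,))]
    with db:
        for uid in due:
            for table, column in USER_TABLES:
                db.execute("DELETE FROM %s WHERE %s=?" % (table, column), (uid,))
    return due


def records_for(db, user_id):
    """Rows still referencing the user anywhere (used to verify the purge)."""
    return sum(db.execute("SELECT COUNT(*) FROM %s WHERE %s=?" % (table, column),
                          (user_id,)).fetchone()[0] for table, column in USER_TABLES)
```

Nothing in the flow needs the user to clear out photos or posts one by one first; the purge walks the tables itself, and the confirmation token and restore window cover the "are you sure" and "I changed my mind" cases that a deactivate-only design uses as an excuse.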

The Facebook support staff has apparently been instructed to lie about Facebook’s ability to delete your data, to discourage deletion of your profile. There is no practical reason for their demand that you delete all your content first, but it sure presents more discouragement, as the only way to remove your content is to remove every item one-by-one. If such behaviour, which is practically a refusal to delete, isn’t a violation of privacy law already, it sure should be. It’s high time some regulators looked into this.

invite

I was prompted to write this by a FaceBook invite from one of my sisters. Sis, please remove all your data from MySpace and Facebook, then get your accounts deleted. Today is Facebook freedom day, today is Facebook deletion day. Make sure your data is not on there when their systems are compromised.

Treat your email address book with proper respect. A free blog is not worth selling out your friends and family for. Apologise to everyone for ever suggesting that they sign up for this ad-infested site that spies on their every click, and hope they forgive your mistake. Break the viral signup request chain. Delete your Facebook profile and celebrate your Facebook freedom - freedom from Facebook. Then set up your personal site just the way you like it.

Use email to keep in touch. Keep your private stuff off the web. Share public stuff using the free web space or blog your ISP provides. Share it unburdened by advertisements. Share it without letting some marketroid track every click your visitors make. Share it without requiring sign-ups, and if you ever get a signup invite again, send them a link to this text in return.

update

2009-01-23 FaceBook

I have joined FaceBook since I wrote this, mainly as yet another way to connect with others professionally, not to share my private life with everyone.

2011-04-23 FaceBook Open Source

FaceBook broke the link to their Open Source Projects page. It has been replaced with a link to the FaceBook Developers Open Source page.

2012-05-20 SecurityAdvisor blog gone

The SecurityAdvisor blog with Stefan Berteau's blog post Facebook’s Misrepresentation of Beacon’s Threat to Privacy: Tracking users who opt out or are not logged in is no more. The link has been removed.

links