Facebook Privacy Updates Open Security Holes, Experts Say


Facebook officially rolled out a multitude of updates to its privacy settings last week, which it claimed would give users more control over the information they shared online. Starting Wednesday, many of the 350 million Facebook users who logged into the site were treated to a prompt requesting that they review and update their privacy settings. Users had the choice of sharing their profile and status updates with "friends," "friends of friends" or "everyone." Ignoring the prompts automatically defaulted privacy settings to the "everyone" mode -- meaning that status updates, photos, Facebook friend lists and other information could be made accessible on the Internet via Google and Bing searches or by other third-party applications.

Changes to Facebook's privacy settings also exposed users' Friends Lists to anyone on the Internet via search engine searches on Google, Yahoo and Bing, and Facebook-enhanced apps. The social networking giant responded to public outcry at the end of last week by implementing a feature that allows users to hide their Friends Lists from everyone, including members of their own network. However, once again, Friends Lists are exposed by default and Facebook users will be required to manually and deliberately uncheck the box marked "show my friends on my profile" if they want to implement enhanced security restrictions.

Security experts say that while Facebook has enabled more prolific and fluid communication and information sharing, it has also enabled hackers to more easily access personal information. Experts maintain that the accessibility of critical identifying Facebook information on Google and other search engines could easily obliterate a crucial layer of security used by financial and medical accounts to verify customer or patient identities.

Roger Thompson, chief security researcher for AVG, said that security often took a backseat to increased functionality, which, as with Facebook, often occurs with explosive growth.

"I think it has to open up the door to more data leakage," Thompson said. "Security and functionality tend to exist in an inverse relationship. The more functionality it has, the less secure it tends to be."

In addition, no one can ignore the fact that Facebook's privacy redesign also makes it more competitive with micro-blogging site Twitter. Microsoft recently announced a definitive deal with Twitter that aimed to channel some tweets onto the pages of its new search engine Bing. Microsoft said that it was also currently negotiating a deal with Facebook that would allow status update content to be incorporated on its search pages, but failed to further disclose exactly what Facebook content would be exposed. And Facebook is reportedly making similar deals with search engine giant Google.

Subsequently, the Facebook privacy updates raised security and privacy questions and elicited a firestorm of criticism from privacy rights groups and individuals alike.

Thompson also said that one of the biggest security concerns was the uncertainty around Facebook's multitude of third-party app builders. Information around who creates Facebook apps and surveys is murky at best. Facebook fails to disclose how users could conceivably contact the developers, and is not transparent about which of its apps are created by third-party developers. Meanwhile, Facebook-enhanced apps are not subject to its privacy policies and other regulations, which opens up a gaping security hole for third-party app developers to launch malicious attacks, experts say.

"(Facebook users) haven't figured out who's doing the building, let alone how to contact them," he said. "Facebook has a million people building apps, and I'm fairly confident not all of that million have sweetness and light in their heart."