Facebook is not the real privacy threat

Facebook is certainly a good example of a bad approach to privacy policy, but the dangers of Facebook depend entirely on our own failures.

Facebook is regularly raked over the coals by privacy advocates and security experts for the company's policies and the site's functionality. One common complaint relates to the way users' privacy configurations have tended to get reset to non-private settings whenever there is a major change to the site. Another is the fact that Facebook sells private information to advertisers. Several articles here at TechRepublic have addressed these problems, including two of them by me:

Perhaps this will be surprising news, especially given those earlier articles, but Facebook is not the real threat. We are.

The Onion, a satirical news network that from humble beginnings grew to include online video "reporting", an actual dead-tree format newspaper publication, and television "news" programs, offers an amusing take on the way Facebook represents a danger to privacy:

CIA's 'Facebook' Program Dramatically Cut Agency's Costs

This satirical "report" -- brought to my attention by TR editor Selena Frye, in relation to a privacy article of mine -- points out the often overlooked fact that the biggest threat to our privacy is our own behavior. It does not matter how much security software is made available to us, how carefully corporations like Facebook and Google may guard our data in their possession, or even how carefully agents of government might avoid violating the US Constitution's Fourth Amendment prohibition against unreasonable searches and seizures, if we give away everything they might learn without anyone having to ask.

Some of us, of course, do try to guard our privacy. For us, those violations do matter, even if they do not matter so much for those who do not realize the damage they do to their own security by posting addresses, birthdays, their children's photographs and names, GPS location data, love letters, financial information, and every other detail of their lives to the Web. For those of us who know enough to care about privacy, security software such as OpenPGP utilities, packet filtering firewalls, and SSH proxies are a huge benefit; for those who do not, these tools are never even used. In fact, many who cannot be bothered to think about their own security -- and measure security only by how slow their computers get -- do not ever take the time to maintain subscriptions for antivirus updates. Those of us who care, though, may go so far as to select an operating system that does not even need AV software, per se.

Aside from those of us who care, and pay attention, and do something to try to protect our private lives from malicious attackers of every kind, the rest of the world desperately needs some kind of wake-up call. Given that someone else's poor security practices can affect the security-conscious, it seems obvious that the most important thing we can do to improve security is to ensure that others get that wake-up call.

Smart security experts resist the siren call of the broken Windows fallacy. They realize that they not only serve their clients' well-being when they choose to help others avoid security compromises as much as possible, but also serve their own well-being. They operate according to a maxim that has been foremost among my concerns as an IT professional for a long time:

The true professional works toward the day his or her services are no longer needed.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

27 comments
mike five

If the NSA, CIA, or FBI are monitoring your computer usage, you have much bigger problems than your Facebook information being distributed!

wendygoerl

Many ignore the fact that it's a seller's market when it comes to signing up on various websites, just as taking employment with employers. Technically, you have the choice (meet all their terms or take a hike), but realistically, you have no alternative but to accept their terms because you NEED it (to access something via a particular site, this job because it's the only offer and you have to put food on the table, etc.). For example: you want your social security check when you turn 60-whatever? You MUST have a checking account to receive electronic deposit. Don't like ANY privacy policy of ANY bank? Tough tits, pick one and suffer. Think Medicare's a leaky sieve that wastes your money, maybe someday will sell your med info to pay down the debt? Pay anyway, or you won't get your social security check (Some seniors actually sued about this; they lost). You got no right to live off the Grid, and the Grid can make you agree to anything they want. Look at the banks and credit cards: bust their control in one place, and they tighten it up somewhere else. Why should user rights and your personal data be any different?

Con_123456

You even are not allowed to encrypt data on your computers or your electronic communication, as per USA PATRIOT act. Your options to effectively protect your private data are therefore very limited.

sysop-dr

Our greatest weapon in security is educating everyone around us. And the battle never stops.

jp-mattenet

The premise that you are responsible, and that you should know better, has in my opinion a flaw. For 99% of the FB users, utilities like OpenPGP utilities, packet filtering firewalls, and SSH proxies are just noise in the background, with no connection with their reality. And they are the ones being taken hostage of the current situation. Now, we need to see through this maze and ask ourselves what kind of internet we want in 10 or 15 years. Letting companies run wild and step over our privacy has the potential to create such a backlash from the users that the ultimate goals of the internet as a place of freedom, sharing, and exchange will be in danger. We will then raise our own kingdoms, hide behind our firewalls, and stop sharing, in fear that some power (public or company) may misuse what we have shared in the past. Welcome to middle age of the digital millennium.

darkgarge

I agree fully with your stance on this. In our increasingly technological world, security concerns are eclipsed by people's 'need' for convenience and 'ease of use'. All of these great social networking tools have opened up an unprecedented feeling of inter-global connectedness, while at the same time leaving behind gaping holes in personal security. The only good solution is user education. Sadly, most news tends to focus heavily on the failings of these technologies with very few practical steps that non-tech-savvy users can easily implement. Additionally, most security software is either fairly pricey or it slows the user down such that they choose to forgo security for the sake of convenience (again) or present-cost (sadly, most people do not have any understanding of Net Present Value, or they would grasp that $50-$100 now will save them $1000's later). I realize that this is difficult to do (believe me, if I had a way I would be rich :-) ). Just my two cents.

jsaubert

A few days ago I posted on the "Which do you trust more with your data?" poll about this very thing. At a Halloween party two years ago I was able to "tell fortunes" by using the internet; mostly Facebook but a few other sites as well. Everyone was amazed by Madame Jane's powers! After the performance we told everyone that our magic source was a fast internet connection and Google. I was amazed too. Just at the openness people have on the internet. In 5-10 minutes I discovered more than enough to convince a person I was "psychic" and while I know I'd never do anything bad with that information it's real easy to see how it happens.

winxile

Unfortunately people both individually and in business have a blinkered approach to computer security. Almost like a blind faith in that it can't happen to them, until it does.... It takes a lot of effort to change this mind-set, especially when dealing with people who are not really computer literate. In a work environment it is necessary to have support from the top echelon to push a security program forward. It takes time and patience, publishing numerous examples (video and quizzes work best) and updates to the user community. A carrot and stick approach can reap benefits and even though the aim is not to make everyone paranoid wrecks, the lesson is to make people think about what they are doing. I implemented a security awareness program at one of the companies I worked for and was successful in changing the culture significantly by publishing regular updates regarding threats, the potential impact of these and links to readily available security awareness web sites. http://www.sans.org/tip_of_the_day.php for instance. There are many more sites out there, just google "Security Awareness". It's an uphill battle, but one that I believe must be fought as the efforts made by security aware users can be undone by an unaware community of clones.

mexia36

All you guys seem to be in agreement on the problem, but no one has suggested a clear cut approach. You have the experience but.., do you have an answer? ..or a suggestion of what should we do?

CharlieSpencer

even if those of us in the choir are the only ones who'll hear you.

bjswm

While I largely agree with this, it isn't quite good enough. I myself am VERY careful, very security conscious, and guard my privacy very well, and steer very clear of things like Facebook. Unfortunately it isn't totally up to me. I have received facebook emails from strangers across the world who have found details about me put up by others who I do know. Any of my friends and family can put up anything they like with no thought to the consequences. What am I supposed to do? Hide myself in a cave and cut off all contact with the world? Thus any tool like facebook that encourages and helps people do this sort of thing really is a danger to us careful types too.

seanferd

No matter how bad FB is, the user is responsible for their use thereof. When FB, or Sony, or your bank violates their end of the bargain, then it is their fault. But the user should be prepared for the eventuality as well.

SKDTech

All the crying about security does nothing if we regularly give out the very information we should be keeping closest to our breasts. As the family IT guy I can't count the number of times I have helped someone set up a PC or online account and explained to them the importance of good security and privacy practices with them nodding all along only for them to remove or have me remove any protections just to be able to access the latest shiny bauble.

JCitizen

to take on the giants, about this privacy mess. Consumer's Union now has an action arm that is getting bigger than the NRA. When they jump - congress usually asks how high. I like to enter their action campaigns and give them a little money when I can afford it. The only laws we have won lately were largely because of one big CU special interest lobby. Lobbying is the only thing congress understands, so we use it.

CharlieSpencer

"Facebook, Google, Yahoo, all these major U.S. organizations have built-in infaces (sic) for US intelligence." I'd like to see his documentation or evidence for this one. I don't question his position that social networks could be used by governments to spy on their citizens, but that bit above is going to require some proof before I'll go along.

CharlieSpencer

"...that the ultimate goals of the internet as a place of freedom, sharing, and exchange..." Who declared those to be the goals of the Internet? Did I miss the mission statement? The original goal was a closed network to facilitate data exchange between a very limited number of US universities working on Dept. of Defense research projects. Anything else being done with it was added after the creation, and any other 'goals' are the objectives of individual users. The Internet has no more goals than pizza and beer do.

apotheon

Yours is exactly the kind of behavior I'd like to inspire with these articles. Keep up the good work!

CharlieSpencer

For some people it will require a complete change in how they view the Internet. Many people assume they're 'safe' until proven otherwise. Actually, the approach to take is to assume EVERYTHING you post is visible to EVERYONE else, until proven otherwise. You can usually assume Western financial institutions are secure, and most on-line retailers. Otherwise, don't post any personal information you wouldn't spray-paint on an athletic field during a nationally televised championship game, because everyone is going to see it and half of them are going to re-sell it. Don't allow vendors to store your credit card number 'for convenience'. Don't post information useful to non-electronic criminals ('Going to the Bahamas for 2 weeks!'). If you feel you absolutely can't live without using social networks, be sure to explore all the security settings, and e-mail the site for assistance if you need it. That should get you started.

apotheon

. . . maybe the choir can carry the message to others as well. If nothing else, perhaps my articles provide a convenient place to send people who need the lesson.

apotheon

The biggest problem with the age of the social networking Website is that we have to be secure not only as individuals, but in droves. This is just one more reason that we should help others understand the importance of security rather than just hoarding that knowledge for ourselves. My security depends to some extent on that of the people around me, too.

apotheon

Google has a law enforcement interface to ease the process, for instance. I mentioned it in an earlier article of mine about Google, 'round the time the Chinese intrusion into Google's network(s) occurred. I'm feeling too lazy to look it up right now, though.

apotheon

You're ninety-eight percent dead-on. Only one problem:

> If you feel you absolutely can't live without using social networks, be sure to explore all the security settings, and e-mail the site for assistance if you need it.

Even that is placing far too much trust in the hands of the social networking site's managers. Facebook, for instance, regularly resets users' privacy settings to less-protected defaults, sells supposedly private information to third parties, and generally obviates the benefits of taking that (at first glance, apparently careful) approach.

slam5

Well, even if you tell them and even explain to them why it is not secure to put their real b'day on their FB page they won't listen. Until one day they suffer identity theft, they don't really care.

apotheon

I decided to go looking for the article in which I discussed Google's law enforcement portal: How China exposed Google's hypocrisy.

> Good enough for me.

I'm flattered, but I'd still rather provide a link -- so I did.

CharlieSpencer

Your word carries more weight with me than Assange's does (or doesn't).

apotheon

We need to figure out ways to educate people such that they actually do something with the knowledge we offer, rather than -- as you pointed out -- simply ignoring it like usual.
