Friday, 26 July 2013

Facebook's Privacy and Security

https://www.facebookbrand.com/

The following is an assessment of some of Facebook's policies pertaining to privacy and security; it is by no means comprehensive, and any legalities should be taken from their source.
Terms of Service
Data Use Policy
Facebook Principles

Privacy

Facebook outlines in a list of their principles that they believe in a free flow of information (points 1 & 3), to the extent granted by the owner of said information (point 2).

A section of their Data Use Policy outlines the kind of data Facebook gathers on its users; it mentions things like the information required for signing up to the site and information posted on the site. Such information might extend from the user's birthday and gender, to status updates and photos. It goes on to say that it also gathers information which others have posted about the user, such as when they've been tagged in a photo, and pages which the user has 'liked'.

The policy also describes how Facebook shares the information it has gathered. Information which is set as publicly accessible is just that - accessible by anyone. Said information is also associated with the user, and can show up in a search for them. Other information cannot be made private at all - your name and profile picture, for example. The policy also mentions the information's role in advertisements, in suggestions of people you might know, in service improvements and other internal operations, and so forth. It goes on to say that the information is not shared without receiving the user's permission, giving the user notice, or removing identifying information.

They also outline in their Terms of Service (point 2, sub-point 1) that when you post a piece of intellectual property, you maintain ownership of said content, but grant them a temporary license. This temporary license "..ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it."

They go on to say (point 2, sub-point 2) that deleting IP content is akin to emptying the recycling bin on your computer. It's not specified what this means, but it probably means that the reference to the file is deleted from the lookup list on the hard drive, while the file itself isn't removed from the drive until the space it was using is overwritten. This renders the file inaccessible, but not necessarily unrecoverable. [1][2]


Security

In their Data Use Policy, Facebook mentions some of the things it does and doesn't want its users, developers and advertisers to do:
  • Point 3 raises points such as not uploading viruses or malicious code; not spamming or advertising without Facebook's permission; not displaying mature content without age-based restrictions, and so forth.
  • Point 4 mentions account-based activities such as sharing one's password, and the people who aren't allowed to create an account.
  • Point 5 mentions other people's rights - not gathering their data under a false guise; not breaching copyright, etc.
  • Point 9 mentions developers' responsibilities - limits to the access and use of information, particularly in relation to the user's consent thereof; misrepresentation of affiliations with Facebook; there's also a clause for Facebook to be able to audit an application to ensure its safety.
  • Point 15 mentions termination of a user's account if they violate the policy.
There are many other points which I haven't raised, but perhaps the most important is point 16, sub-point 3, which states that, while they try to keep the site bug-free, its use is without warranty, and thus at the user's peril.

The policy doesn't seem to mention what they'll do in the event of a security breach, but perhaps the gist could be inferred by their preventative measures:
  • There is a Facebook page set up pertaining to security: https://www.facebook.com/security.
  • There is also a page offering a bounty starting at $500 per bug found: https://www.facebook.com/whitehat.
  • Facebook even released a message after a bug was found via its white hat program which could have exposed the contact details of over 6 million of its users.

Some bugs have also been found throughout the course of Facebook's history, mainly involving editing the design of the page; one such example is this guy who edited the HTML DOM via JavaScript to force his own CSS, and states that "Using JavaScript, a designer is then able to modify the HTML DOM to add (or delete) page content at will." Another example involved a self-propagating worm which changed the appearance of the profile of anyone who viewed an infected profile to a layout similar to that of MySpace. He then goes on to say that "Upon further penetration testing into Facebook, we've found at least three different XSS vulnerabilities, but none as major as the original bug. The vulnerabilities could be used to steal accounts with just the click of a button.." Typically, these bugs are patched within a day of their discovery. These are examples of XSS (cross-site scripting) bugs, which are quite hazardous; an excerpt from this article explains why:
"...cross-site scripting vulnerabilities are fairly common. More serious is the design flaw that allows the vulnerability to be widely used. Once a vulnerability has been found on the Facebook site, there are no limits on what the attacker can do. Hidden form IDs can be harvested for any form. (Notably, one of these forms will submit a charge to a user's credit card.)".
This article details the creation of such a bug.
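The excerpt's point is that hidden form IDs are readable by any script running in the page, so the defence has to stop injected profile markup from executing in the first place. The following is an added example, not code from the original post or from Facebook, showing the unencoded rendering beside an encoded one plus a Content-Security-Policy header; the function names, profile fields and sample input are assumptions constructed for illustration.

```javascript
// Added example: names, fields and sample input are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only http(s) links, so a profile "website" field cannot hold a script URL.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#'; // not an absolute URL at all
  }
}

// Before: raw profile text is concatenated into markup, so any tags in it become live.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1><p>${profile.about}</p>` +
         `<a href="${profile.website}">website</a>`;
}

// After: every user-controlled value is encoded for the context it lands in.
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.name)}</h1><p>${escapeHtml(profile.about)}</p>` +
         `<a href="${escapeHtml(safeUrl(profile.website))}">website</a>`;
}

// Second layer: a Content-Security-Policy that refuses inline script and inline
// style, so markup that slips past encoding still cannot run or restyle the page.
// The nonce must be a fresh random value for every response.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'nonce-${nonce}'; style-src 'self'; ` +
         `object-src 'none'; base-uri 'none'`;
}

// Constructed sample: a profile whose fields carry markup instead of plain text.
const sampleProfile = {
  name: 'Alice',
  about: '<style>body{background:pink}</style><script>document.title="changed"</script>',
  website: 'javascript:void(0)',
};

console.log(renderProfileUnsafe(sampleProfile));
console.log(renderProfileSafe(sampleProfile));
console.log(cspHeader('constructed-nonce-value'));
```

Anti-forgery tokens in hidden form fields do not help against this class of bug, because script that runs inside the page can read them; encoding and the policy header address the injection itself.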

Summary

The terms outlined in the Data Use Policy and Terms of Service aren't unreasonable; Facebook has even set up a page for discussions on policy changes after an outcry over a change to the ToS which meant they could "Do anything they want with your content. Forever." However, they occasionally cross the line to complete invasion of privacy, and perhaps their most depraved act was their purported involvement with the NSA surveillance operation, PRISM, which Mark Zuckerberg (co-founder of Facebook) denied. The comment did, however, come under fire for its likeness to the comment released by Larry Page (co-founder of Google). One of the criticisms is the careful wording; each maintains that they've not given "direct access" to their servers, but some employees within the company have come out (under the guise of anonymity, as their divulgence of such is illegal) indicating the discussion of plans to place information on intermediary file servers. One article explains it as such:
"In at least two cases, at Google and Facebook, one of the plans discussed was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said."
Other such articles: [1][2][3]

So given Facebook's history of surreptitious surveillance, one's trust might begin to diminish.


2 comments:

  1. Hi very detailed and interesting summary. Good work!

    Andreas

  2. I enjoyed reading your clear and concise explanation about Facebook privacy and security. Really great!

    I agree with you in saying that trust is not easy when it comes to Facebook and other social networking sites in general.

    Nikhil Tappoo (s2790159)
