[Infowarrior] - Facebook hit by new security concerns over privacy settings
Richard Forno
rforno at infowarrior.org
Mon Apr 6 11:45:16 UTC 2009
(Cambridge paper PDF @ http://www.cl.cam.ac.uk/~jcb82/8_friends_paper.pdf)
Facebook hit by new security concerns over privacy settings
Dan Raywood | Apr 6, 2009 12:53 PM
http://www.securecomputing.net.au/Tools/Print.aspx?CIID=141835
Users of Facebook could be giving away their personal information due
to the way the website's privacy settings work.
A team from the University of Cambridge's computer laboratory has
shown how Facebook public profiles could be used to find out personal
information despite appearing to contain only a few details.
In the paper, titled ‘Eight Friends Are Enough’, the team pointed out
that it was possible to reconstruct a user's friends list in a way
that could allow marketers, governments and even criminals to
understand the private relationships between different people.
It claimed that a search for a specific Facebook user will display
every user's name, photo and eight friendship links. Affiliations with
organisations, causes, or products are also listed.
The paper's author, Joseph Bonneau, said: "This is quite a bit of
information given away by a feature many active Facebook users are
unaware of. Indeed, it's more information than Facebook's own
privacy policy indicates is given away.
"When the feature was launched in 2007, every over-18 user was
automatically opted-in, as have been new users since then. You can opt
out, but few people do - out of more than 500 friends of mine, only
three had taken the time to opt out. It doesn't help that most users
are unaware of the feature, since registered users don't encounter it."
The paper further claimed that the public listings are designed to be
indexed by search engines. In the team's own experiments, it was able
to download over 250,000 public listings per day using a desktop PC
and a fairly crude Python script.
Bonneau said: "For a serious data aggregator getting every user's
listing is no sweat. So what can one do with 200 million public
listings? Facebook's public listings give us a random sample of the
social graph, leading to some interesting exercises in graph theory.
As we describe in the paper, it turns out that this sampled graph
allows us to approximate many properties of the complete network
surprisingly well."
"This result leads to two interesting conclusions. First, protecting a
social graph is hard. Consistent with previous results, we found that
giving away a seemingly small amount can allow much information to be
inferred. It's also been shown that anonymising a social graph is
almost impossible."
"Second, Facebook is developing a track record of releasing features
and then being surprised by the privacy implications, from Beacon to
NewsFeed and now Public Search. Analogous to security-critical
software, where new code is extensively tested and evaluated before
being deployed, social networks should have a formal privacy review of
all new features before they are rolled out (as, indeed, should other
web services which collect personal information). Features like public
search listings shouldn't make it off the drawing board."
Facebook claimed that its publicly searchable pages were only
introduced after an extensive privacy review. A spokesperson told the
Guardian: "Public search listings are a way for those users who wish
to allow people to find them in search engines to share limited
elements of their Facebook profile. Their creation, continued
presence, and the particular elements contained within them are
entirely configurable by users.
"Changes as to the presence or content of a public search listing may
be made easily by any user on the privacy settings page."