Trust Me, I’m Facebook

As Chester Wisniewski has reported on the Sophos blog, Facebook has had second thoughts about allowing apps (rogue or otherwise) to access your address and phone number. At least, the feature has been temporarily disabled in response to “useful feedback” which I take to mean criticism from the Sophos blog and many others, including me, in my own small way.

Well, the  Facebook developer’s blog item deserves one and a half hearty cheers, at any rate. While it leads the article with a slightly breathless summary of the advantages of sharing your info, it does at least make it reasonably clear the remediation to the issue through Facebook’s permissions process and the Application Dashboard.

However, an article by Peter Judge in eWeek quotes a statement by Facebook that seems a little less balanced: Judge says that Facebook has made a statement them that “says that users have full control over their privacy, and casts doubt on its critics’ motives.” And this is where it gets unpleasant.

Few people on this side of the security fence doubt that it’s the responsibility of the Facebook user to ensure that their privacy is maintained, which may be a more accurate but less PR-friendly way of putting “the user has full control”. And I don’t blame the FB spokesman for focusing on the benefits of sharing the information in question. I do blame him/her for dismissing rogue applications as a separate issue. They aren’t: I don’t say that no-one would care about Facebook’s attitude to privacy if there were no rogue applications, but such applications do exist, and in uncomfortably high volumes.

And that’s exactly why Facebook’s attitude (if we can assume that its position is accurately represented by its spokesman) is problematical. As John Leyden suggests in the Register, it seems reasonable to suppose that Facebook is aware of the problem and shares the concerns of those who’ve provided “useful feedback” or, as Leyden says, “it wouldn’t have decided to suspend the feature.”

Or is it? The spokesperson’s comment suggests that rogue apps are not only a separate issue, but not Facebook’s responsibility. If, indeed, they’re an issue at all. Facebook claims “strong security expertise” (well, they do employ Nick Bilogorskiy, who is certainly no idiot…), and that “Once we detect a phony message, we delete all instances of that message across the site.” Which is fine, but reactive. It certainly doesn’t absolve FB of the responsibility to take what proactive measures it can to make it harder for bad guys and bad apps to send phony messages and perform other malicious acts in the first place. But let’s assume, for the sake of argument, that FB is aware of that and acts accordingly. What are we to make of this statement?

“Certainly, [Sophos has] expertise in security, but so does Facebook,” the spokesperson added.  “The reader can decide if we have any bias or motivation because it’s clear who we are.  Fewer people know Sophos, and so it may not be clear to them that they make their living by selling products that claim to solve the problems they are espousing.”

Well, Sophos are big enough and savvy enough to defend themselves, and since I currently spend much of my time working with one of their competitors, it’s not for me to ride to its rescue, though I can say that I believe the company does good educational work in the social media arena, which is why I often cite its blogs on Small Blue-Green world blogs. And I don’t recall them claiming that their products solve the rogue app problem.

But I can tell you exactly how that statement reads to me. It says that you don’t have to worry about malware or privacy because Facebook has your back covered, and that if anyone from the security industry suggests otherwise, it’s because they have a vested interest in selling product.

So here’s what I think.

Yes, the security industry is interested in selling you product, though I’m not sure that telling you to be careful about your Facebook settings does much to further that aim, directly at any rate. Facebook is also selling product, though in FB’s case, the product is you and your data. So yes, it has a stake here. Let’s not play the Facebook game of talking about bias. However, you may wonder has the more “motivation” here.  Certainly, I see no reason here to rethink my mistrust of Facebook or my doubts about its fitness to be trusted with sensitive data. In fact, it’s just shown itself to be even less trustworthy than I previously believed.

That doesn’t mean that you shouldn’t use Facebook. But you certainly shouldn’t take it for granted that the company has at heart the best interests of you, your privacy, and your sensitive data.

David Harley CITP FBCS CISSP
Small Blue-Green World