Apple’s latest privacy woes – the price to pay for an “always connected” life?

Yesterday, it was revealed that iPhones/iPads (with iOS 4.0 or later) have been logging the location of the device and storing that information in a hidden file on the phone or the iPad.

This discovery, presented by researchers Alasdair Allan and Pete Warden, at the O’Reilly Where 2.0 conference this week, has sent shock waves through the high tech community. “What? This file contains my whereabouts for the past year? WTF?” was most people’s first reaction when the news broke.

Many iPhone/iPad apps have access to the geolocation of the device, but most only access it at a given point in time and do not attempt to log it or build a history file of this information. The discovery that such logs exist raises the question of why Apple was logging this data and whether it has any intention of utilizing the information.

I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and verify the location tracking information. Similarly, a credit-protection app can be instructed to report the phone’s general location at the time of a suspicious credit card transaction—if the card is used in England and the credit card owner’s phone is in Alabama, hmm... something could be amiss here.

But none of these scenarios could conveniently justify storing a year’s worth of location data, and even stranger is the fact that the phone automatically syncs this data to the host. Mind you, not all data from the phone is transferred to the host during the synchronization—Apple really intends to keep this data around. But why?

Legal experts are quick to point out that the mere collection of this data isn’t illegal. Sure, other GPS-enabled devices may collect this type of information as well. But on a device like iPhone/iPad where so many other activities can happen at the same time, the risk is different.

The first question we must ask is how this file can be accessed. It’s not immediately clear whether any apps could access the file. Typically, an iPhone app would ask for the user’s permission in order to access system resources such as GPS info. But that is enforced through the operating system APIs. Since what we are talking about here is a plain file, which, from the sound of it, is not in the “ProtectionComplete” class (ProtectionComplete, the strongest protection class for file system objects on iOS, means the file remains encrypted as long as the device is locked), it is unclear whether the operating system prevents other apps from accessing the information.

Another critical question is why Apple didn’t present an “opt-out” option for this tracking feature, or better yet, present it as an “opt-in” only feature. It continues to surprise me (well, I guess it shouldn’t surprise me anymore) how companies always make the privacy-invasive option the default.

Some blogs I read yesterday talked about the danger of having this information available on the syncing host. If the host is compromised, this data would be available to intruders. True, but if your syncing host is compromised, you’ve got a bigger problem to worry about – ever heard of Apple’s “Escrow keybag” concept?

The real danger, in my opinion, isn’t in the existence of these logs. It is in the potential for the information contained within to be misused. If you could correlate this data with the user’s activity stream, you could determine precisely where I bought a Starbucks coffee, where I gassed up my car, where I looked up a restaurant on the Yelp app, and where I checked into a flight. If this isn’t a complete invasion of privacy, I don’t know what is.

As mobile technologies continue to penetrate our everyday lives, privacy becomes an increasingly elusive notion. Consumers must sometimes make a choice between the loss of privacy and the convenience of the “always connected” lifestyle. But consumers cannot make that choice if they are not given the necessary information. C’mon, Apple, let consumers decide whether they want other apps or services prying into their every move; don’t do it for them.

At the Churchillclub, with Scott McNealy and Ed Zander (and Lady Gaga)

Last Thursday evening I went to a Churchillclub event: Scott McNealy in conversation with Ed Zander. I was attracted to the event because of the two speakers. Scott McNealy, the former CEO of Sun Microsystems, is a Silicon Valley legend. Ed Zander, the former CEO of Motorola and former COO and President of Sun, is another highly influential figure in the high tech industry.

The event turned out to be much larger than the typical Churchill Club get-togethers–apparently more than half of the attendees were ex-Sun employees. At the cocktail hour, all around, people were catching up, embracing, and reminiscing about old times at Sun.

McNealy walked in around 6:30, looking fit and thin. You knew as soon as he was in the room, because practically everyone stood up to greet him. As he moved about, a human bubble moved with him around the room. The ex-Sun folks lined up to shake his hand; many had tears in their eyes. “Sun was an institution. You had to be there to understand”, the ex-Sun employee sitting to my right said.

The evening started with Zander playing a music video of McNealy singing in a “rock band”. The video was clearly taken in the heyday of Sun, and included footage of McNealy and co. kicking two SGI boxes off the roof of a Sun building while McNealy sang the lyrics: “The Sun will always shine”. <Hilarious>. There are clearly some inside jokes in the video, as the room was rolling with laughter.

As the evening went on, I learned a great deal about Mr. McNealy and his time as Sun’s chief. But what came across more loud and clear than anything else were his staunch political views. When asked which corporation is the “evil empire” today, McNealy responded: “Big corporations are not the problem, I think the biggest threat to innovation and our economy today is the public sector.”  Later on, he said: “More than 20% of the GDP is tied up in the public sector, and that is what is stifling innovation”. Clearly not a fan of President Obama, when asked to describe Obama in one word, McNealy responded: “Unfortunate”.

McNealy was vocal about Sun’s achievements. He said: “If we didn’t put TCP/IP in the computers we built back in the days, there will not be cloud computing today.” Sun is credited with the phrase: “The network is the computer”, a visionary phrase, perhaps, but to say without Sun computers, there would not be cloud computing is, with all due respect, a bit overreaching. He said the best decision he ever made at Sun was bringing Bill Joy onboard. <No argument there>. McNealy also acknowledged a few mistakes. He said: “If we took Solaris and put it on a commodity Intel chip, and slap together some pizza boxes, Linux would not be around today. Companies like Google and Amazon will be running Solaris.”  Yep. Hindsight is 20-20. On archenemy Microsoft, McNealy said, in a resigned tone: “They clearly won, they are still around.”

At one point in the interview, Zander asked: “I remember we were this close to buying Apple, for $5 or $6 a share, what happened?” Interesting. This was a fact that I had known. McNealy said: “A tough i-banker on Apple’s side spoiled the deal … Heck, there wouldn’t have been any iPhones/iPads if we had bought Apple, ‘coz I would’ve screwed that one up too!” The audience laughed and the Twitterverse heaved a collective sigh: “Ah, we dodged that one”. (For those of you who are counting scores out there, Sun instead bought Cobalt networks. Apple’s share today stood at $350)  

No. McNealy is not a Facebook or Twitter user. When asked about social media, McNealy said: “I just don’t see what you can do with social media that you cannot do with good, old-fashioned email.” <Really?> McNealy compared Twitter to mass mailing, and questioned whether LinkedIn provides anything beyond what email offers. On the point of user-generated content, he said: “Emails ARE user-generated content”. He later added: “Guess what Facebook’s latest invention is, it’s email!” <Hmm… I’m starting to detect a pattern here… > When Zander asked him to describe Facebook in one word, McNealy replied: “Zucks”. We also learned that McNealy was not a fan of Lady Gaga. When Zander asked him what he thought of the fact that Lady Gaga had 8+ million followers on Twitter, “That’s just unfortunate,” McNealy said.

A point McNealy went back to over and over again in the course of the evening was that government should not be meddling with the private sector. He contended that corporations are the stewards of innovation, and as such, they should be left alone. Of course McNealy completely failed to mention that the practices of some of the corporations, acting out of greed, nearly collapsed the American financial system and in turn ignited a global economic crisis.

The night closed with one final question from the audience, a former Sun employee. “The dotcom crash was hard on a lot of companies”, the audience member said, “but there were still plenty of opportunities around; e-commerce was growing, the commodity computing market was growing, I want to know why we missed the boat. I am not sure that I got a satisfactory answer from tonight’s discussion.” Before McNealy ventured an answer, Zander said, “Let’s not go there. Let’s move on. Tonight is about celebration.”

McNealy was clearly a natural leader. He was articulate, passionate about what he believed in, charismatic, and occasionally self-deprecating, all qualities of a good leader. It was easy to see why 2/3 of the room respected and revered him. But the man couldn’t be more wrong about social media, and his complete conviction that he was right was simply mindboggling.

At the end of the evening, as the crowd dissipated and I drove west on 237 in the light rain, with a Lady Gaga song appropriately playing on the radio, I thought about my evening at the Churchill club and caught myself saying: “Lady Gaga: 1, Scott McNealy: 0”.

HBGary, Anonymous, WikiLeaks, and the concept of Openness

Recently I’ve been reading the excellent work by Jamais Cascio and thinking about the concept of Openness. Much of Jamais’ work is focused on geoengineering but the concept of openness has profound implications on many fields, including computer security.

For those of you who have been following the unfolding story of HB Gary Federal and the Anonymous Group, this story is what Hollywood movies are made of. In fact, I don’t think a script writer could have penned any better than the real life version. If you haven’t been following the minute details of this story, this Tech Herald article is an excellent read on how the whole thing started.

A condensed version of the events is as follows:

  1. A week before RSA 2011, the CEO of HB Gary Federal, Aaron Barr, said in a Financial Times interview that his firm had infiltrated and discovered the identities of the high level operatives for the well known Internet hacktivism group Anonymous, and that he planned to publicly discuss his findings at the RSA conference.
  2. Anonymous responded in force and compromised the entire infrastructure of HBGary and HBGary Federal (HGF). They obtained confidential data, erased files, and defaced both companies’ websites.
  3. Anonymous subsequently released 4TB worth of confidential company emails. In the emails that have been disclosed to date, Barr was seen engaging in discussions with a major US bank (believed to be Bank of America) to use HGF’s offensive attack tactics to launch a cyber attack against WikiLeaks. The rumor mill at RSA had it that the said US bank was going to pay HB Gary $600,000 a month to carry out this attack campaign.

Whoa, what seemed like a classic white-vs-black hat story just turned interesting. What’s more interesting is that prior to this whole incident, WikiLeaks had been making noise that they were about to publish data from a major US financial institution (What? Interesting, you say?) What apparently was also discussed in those emails was that Barr would use, among other techniques, exclusive zero-days for the attack against WikiLeaks. This would make the attack extremely dangerous.

No one came out of this looking pretty. Not only was HBGary, a company that claims malware analysis as its business, unable to properly secure its own infrastructure; the “victim”, it turns out, was plotting a cyber war itself. HBGary is now claiming that the leaked data had been tampered with, implying that the discussion between BofA and Barr isn’t authentic, while Anonymous (and other security researchers) are saying that Barr’s initial research (which you can read here in PDF) was flawed in that some of the individuals he identified as part of the Anonymous group had nothing to do with the group. Anonymous argued that if Barr’s research had been allowed to continue, it might have put innocent individuals in jail (as Barr was supposedly working with the FBI).

At RSA last week, HB Gary was noticeably absent from the conference; their booth instead displayed a sign that read: “A group of aggressive hackers known as “Anonymous” illegally broke into computer systems and stole proprietary and confidential information from HBGary, Inc. …. In addition to the data theft, HBGary individuals have received numerous threats of violence including threats at our tradeshow booth…”.

This event ignited an Internet debate storm; is it ethical for security companies to engage in offensive tactics? Traditionally, security’s role is to defend, not offend. But as modern warfare migrates from physical battlefields to the digital frontier, more and more nation states and companies engage in offensive campaigns. Persons with deep security expertise are hot commodities in this game—it can be an extremely lucrative undertaking. But as you go down this road, is there really a difference between the black and the whitehats anymore?

This is where the link to Openness (or the lack of it) comes in: as we all know, and as the execs at BofA and HGF reinforce, zero-days can be powerful weapons. Exclusive knowledge of zero-days gives the possessor incredible power, and in cases such as these, almost always leads to corruption and misuse. It can be argued that we are better off as an industry if openness is employed as a means of elevating collective knowledge and also as a way to enforce checks and balances, so that no one company or individual is significantly more powerful in its knowledge and expertise than others. In such an industry, cyber offense is only a distant possibility, as you will be on a level playing field with your adversaries.

Creating such an open culture for the security community requires a shift in thinking, because this is an industry that thrives on secrecy and obscurity. It requires that we recognize that secrecy, obscurity, and the act of restricting information can ultimately do more harm than good. It requires that we promote open research and build an ecosystem that rewards openness.

How to achieve this open culture is the question on the table. Let’s discuss one specific example of how some form of openness is achieved–a bug bounty program. I was a skeptic, in the beginning, of the merits of such bounty programs, but I have come around. Indeed, I’ve come to realize that economic incentives may be one way we can achieve openness–in a bug bounty program, the researcher is encouraged, through economic incentives, to share his/her findings with the software vendor and ultimately with the entire community.

Economic incentives alone don’t always work, as that is one card the dark side can play as well. Other means, such as increasing collaboration, technological transparency, and … must be explored. But the steps we take today to promote an open culture will shape the course of the industry and help to determine whether we head towards a scenario of digital apocalypse (as Eddie Schwartz of NetWitness called it on a recent RSA panel) or a more responsible, democratic, and open model for computer security.

Other sources of note:

- Jamais Cascio’s Open the Future website
- Threat Post’s Paul Roberts wrote several excellent articles on the HBGary story.

HP misses opportunity with Watercooler

Michael Brzozowski, the creator of Watercooler, the internal social media system for HP, recently left HP for Google.

Talent moves around all the time, especially in the Bay Area, where the industry is rife with interesting opportunities. However, in this case, the departure of Mr. Brzozowski has put the fate of the Watercooler system in question.

To understand why this is worth blogging about, we need to first understand what the Watercooler system is. Many of you may not know this, but Watercooler is a social media system that currently has 100,000 users! Brzozowski originally started Watercooler to aggregate RSS feeds from across the company. Over time, it has morphed into a social media aggregation platform that aggregates content from HP’s internal wikis, microblogs, various discussion forums, and social bookmarks. The system has a documented set of open APIs and supports a powerful and expressive set of content filters across different social media systems. It is also integrated with HP’s user directories.

Brzozowski wrote a nice paper on a study he conducted with Watercooler data. Published at Group 2009, the study revealed some interesting facts about social media usage inside HP. Offering perhaps the most concrete statistic to date arguing for the value of enterprise social networks, Brzozowski’s paper points out that 69% of all Watercooler blog users subscribe to content generated by someone outside their business unit. This kind of cross-company instant collaboration is a huge benefit a social media system provides to its user community.

Unfortunately, though Watercooler can be considered a success for HP Labs, it has not generated the same kind of support from HP proper. Brzozowski had been trying for the last 2 years to get the system out of HP Labs and into the hands of HP operations. But his efforts proved futile – HP operations were not interested, or at least not interested enough to take action. After Brzozowski’s departure, another researcher from HP Labs took over the system. But this person is only doing it on a volunteer basis — he’s got his other core tasks. As we all know, researchers are not great at maintaining production systems, especially one that requires such scale and performance. Now you might ask why HP would ignore a social media system that’s already got such a large user base. Do you know how many social media start-ups would kill to have 100,000 users? Well, perhaps only HP can answer this question.

This whole thing came to a head a few weeks ago when some of HP’s executives were meeting with Salesforce. The latter mentioned Chatter, the new social media system SFDC is launching at Dreamforce this week. Chatter is a cool system, but it is not nearly as developed or as widely used as Watercooler. Especially when you consider Watercooler had supported a documented API for users to modify for their own purposes, pro

The HP executives, after meeting with Salesforce, said about Chatter: “Hmm, that’s a good idea, we should have something like that.” [obviously this is a mock conversation, not the dude’s actual words]. Finally someone in HP said, “Well, we do have something like it, it’s called Watercooler”. The executive then said: “Really? Well, let’s take a look at that. Maybe we can make something out of it”.

As if on cue, Watercooler stopped working because the whole system had been running on one server (what? One server? you ask. Yep. You heard right, one server to support 100,000 users. That’s how research labs typically work). The researcher who had been supporting it after Brzozowski left was unable to get it up and running again quickly.

HP Labs had many top industry talents, but these people are now leaving the organization, for the reason that their work has not been properly respected and utilized. Last year, they lost one of their HP Fellows, John Wilkes, to Google. In addition to the recent departures of Michael Brzozowski and Kevin Lai, a game theory specialist, Joe Pato, a noted computer security expert, though ostensibly still an HP person, has been spending most of his time at MIT. HP has come a long way since the garage company days of Hewlett and Packard, but it seems like the company has lost some of its innovative spirit along the way. Yes, it’s difficult to remain innovative when you’ve got 30,000 employees. But people are the greatest asset of any organization; if you lose them, you lose the future of the company. This is why Google recently implemented a 10% pay raise and bonuses to retain talent against new-kids-on-the-block competitors like Facebook. Companies like HP should take notice. Innovations like Watercooler should have flourished instead of being left to flounder.

Forrester Security Forum 2010

Many of you may know that Forrester’s US Security Forum 2010 is coming up in September. This year our theme is “Building a high performance IT security organization.” Indeed, as the global economy begins to recover, Security & Risk professionals must transform from a reactive silo of technical security expertise to a true partner of the business and an enabler of forward thinking business strategies.

This forum is all about technical, tactical, and strategic information to increase the maturity and performance of your IT security organization in this fast-changing economic climate. In the two-day forum, we will explore the principles of:

  • Aligning your objectives and measures of success with the business;
  • Giving business the tools to perform risk management;
  • Preparing for the adoption of cloud services, the consumerization of IT, the proliferation of social technologies, and an ever-changing threat landscape.

I will be running three sessions at the forum this year.

  • A keynote panel on cloud security and privacy
  • Security for Empowered Organizations
  • How to Build a Mature Application Security Program

My keynote panel, which I will be moderating, is called “The Practical Cloud – Getting Past The Fear Mongering.” On this panel, we’ll bring together a cloud user, a cloud vendor, and a legal expert to talk about how real enterprises leverage the cloud to deliver real business benefits, and how user organizations and cloud operators manage the responsibility to protect users, their data, and their privacy. I’m especially excited about this panel, because we will have one of the biggest cloud vendors, the director of security from a sophisticated cloud-user company, and a legal expert specializing in the legal ramifications of cloud computing.

In “Security for Empowered Organizations,” I will be co-presenting with Ted Schadler, our resident expert on “empowered organizations.” We will explore why businesses want to empower their employees with social, mobile, multimedia, and cloud technologies. More importantly, we will discuss how IT professionals can help businesses achieve these objectives without compromising the organization’s security and privacy requirements.

In “How to Build a Mature Application Security Program,” I will explore the concept of an organizational application security program, comprised of intelligent use of tools and technologies, a good accountability and incentive structure, and most of all meaningful processes to realize software security across the development, infosec, and operations departments. A typical organization today has a plethora of applications to secure, from in-house developed to outsourced, from open source to off-the-shelf software. Different applications need a different set of processes and technologies to ensure software security. I will present an application security maturity model, with specific steps required to go from one maturity level to the next, and discuss the different types of application security measures for different application types.

This is shaping up to be a very exciting forum. I look forward to seeing all of you in Boston on September 16-17.

New Forrester WAVE evaluation: Vulnerability Management Products

Forrester has just completed a comprehensive assessment of vulnerability management products. The Forrester Vulnerability Management WAVE report is now live. If you are a subscriber, please see http://bit.ly/cemRAO for the full report.

In Forrester’s 53-criteria evaluation of vulnerability management vendors, we found that the market is rife with mature products. In particular, we found that Qualys leads, with Rapid7, McAfee, nCircle, and Lumension following as Leaders.

Qualys showed itself to be the leader of the pack in this evaluation. Qualys pioneered the SaaS hybrid delivery model of vulnerability management, combining fully managed scanner appliances with a security console hosted in the Qualys cloud. Once considered radical, this service model is now used by some of the largest organizations in the world. Qualys delivers vulnerability assessment, application-level scanning, and configuration compliance auditing. It’s worth noting that their offering provides concrete mappings from a wide list of regulations to actual IT controls.

We found several other vendors offering competitive solutions. Rapid7 is the up-and-comer, with an impressive 50%-plus year-over-year growth over the last two years. In addition to its solid technology, it is the only vendor in this evaluation whose application-scanning capabilities can handle Ajax and Web 2.0 technologies. Rapid7 recently signed OEM deals with two of the largest security and service vendors in the industry, which should give it a boost in the market. nCircle was another strong vendor. While its technology struggles with integration and complexity issues, nCircle’s configuration compliance product is among the most sophisticated on the market today. nCircle would be a good choice for enterprises that have advanced compliance and risk analytics needs. Established vulnerability management vendor McAfee delivers strong risk management capabilities, including one of the most UI-conscious interface designs, and solid support for translating vulnerability knowledge into meaningful risk metrics. McAfee’s application scanning capability was relatively weak at the time of the evaluation, but upcoming releases may remedy this situation. Finally, Lumension distinguished itself with its unique product portfolio, being the only vendor in this evaluation that has its own endpoint patch management functionality, PatchLink, and its own GRC product. Lumension’s strategy is to deliver a consolidated platform to manage the life cycle of vulnerabilities — from discovery to analytics to remediation. Because of the breadth of its product portfolio, Lumension has the potential to challenge the top players in the vulnerability management market.

These leaders were followed by several vendors at the “Strong Performers” level. Tenable Network Security, while lacking enterprise support features such as executive reporting, advanced risk analytics, and integration with related products, nevertheless offers strong vulnerability assessment capabilities for the technology-minded buyer. eEye’s vulnerability assessment product, Retina, has many desirable features, such as wireless scanning, diverse scan templates, and an extremely flexible reporting portal, and is attractively priced. Despite going through some growing pains as new management overhauls its products, government clients and value-conscious organizations will find it a compelling option. Critical Watch, a relative newcomer to the market, offers several distinct and innovative features, including a CEM structure that provides a flexible yet powerful organizational framework for managing scans, reports, and analysis.

This market is evolving to meet the maturing needs of clients. Once concerned only with pure network vulnerability assessment functionality, the market is shifting to include adjacent technology areas, such as risk management and remediation. Today, both vulnerability assessment and endpoint configuration compliance are considered core functionality. Application-level scanning, targeting Web applications and databases, is quickly becoming a must-have item. And as buyers start to shift from assessment-only capabilities to advanced risk-based analytics and remediation management, those functionalities are fast becoming the newest differentiators.

An IT security organization should follow these strategies with respect to vulnerability management: a) Consider vulnerability management an essential IT functionality; b) Combine vulnerability assessment with remediation and active protection; and c) Treat Vulnerability Management as part of your greater IT GRC strategy.

iPad infrastructure hacked – iPad owners’ email addresses leaked


On Tuesday, popular tech gossip site Valleywag reported a hack targeting AT&T’s infrastructure that led to the accidental disclosure of 100,000 iPad owners’ email addresses.

As far as we can gather at this point, this was most likely a parameter tampering attack. The attackers went after AT&T’s iPad support web application, traversed a range of ICCIDs (Integrated Circuit Card Identifiers), and were eventually able to obtain valid iPad owners’ email addresses without proper authentication.

If this is indeed true, AT&T has done a poor job designing their web applications. Being able to guard against automated parameter traversal attacks is one of the first things you do to secure your web apps. An automated parameter traversal attack can be launched fairly easily these days – it does not require sophisticated technology or advanced reconnaissance on the victim web application.
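An added example, not code from the post or from AT&T: it puts the flaw described above (the ICCID from the request alone selects the record) beside a hardened lookup that only returns the address when the ICCID belongs to the authenticated session, and runs a small detector over constructed access-log lines that flags one client walking through consecutive ICCIDs. All accounts, ICCIDs, addresses and log entries are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample data (hypothetical accounts and ICCIDs, not real subscribers).
ACCOUNTS = {
    "acct-1001": {"email": "alice@example.com", "iccid": "89014100000000000001"},
    "acct-1002": {"email": "bob@example.com", "iccid": "89014100000000000002"},
}
ICCID_TO_ACCOUNT = {v["iccid"]: k for k, v in ACCOUNTS.items()}


def lookup_email_vulnerable(iccid):
    """The flawed design the post describes: the ICCID taken from the request
    alone selects the record, so anyone who can guess an ICCID gets the e-mail."""
    acct = ICCID_TO_ACCOUNT.get(iccid)
    return ACCOUNTS[acct]["email"] if acct else None


def lookup_email_hardened(session_account, iccid):
    """Hardened version: the request must carry an authenticated session, and the
    ICCID must belong to that session's account. A mismatch returns the same None
    as an unknown ICCID, so the endpoint cannot be used as a yes/no oracle."""
    if session_account not in ACCOUNTS:
        return None
    if ACCOUNTS[session_account]["iccid"] != iccid:
        return None
    return ACCOUNTS[session_account]["email"]


# Constructed access-log lines: timestamp, client IP, method, request path, status.
LOG_LINES = """\
2010-06-08T14:00:01 198.51.100.7 GET /ipad/support?iccid=89014100000000000001 200
2010-06-08T14:00:02 198.51.100.7 GET /ipad/support?iccid=89014100000000000002 200
2010-06-08T14:00:03 198.51.100.7 GET /ipad/support?iccid=89014100000000000003 404
2010-06-08T14:00:04 198.51.100.7 GET /ipad/support?iccid=89014100000000000004 200
2010-06-08T14:00:05 198.51.100.7 GET /ipad/support?iccid=89014100000000000005 200
2010-06-08T14:00:06 198.51.100.7 GET /ipad/support?iccid=89014100000000000006 200
2010-06-08T14:05:00 203.0.113.9 GET /ipad/support?iccid=89014100000000000002 200
2010-06-08T14:09:00 203.0.113.9 GET /ipad/support?iccid=89014100000000000002 200
"""

# timestamp, client, method, path containing an iccid query parameter, status
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \S*[?&]iccid=(\d+)\S* (\d{3})$")


def parse_log(text):
    """Return a list of (epoch_seconds, client_ip, iccid, status) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICCID lookup; ignore
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        out.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return out


def find_enumeration(requests, window_seconds=60, threshold=5):
    """Flag each client that queried at least `threshold` distinct ICCIDs within
    any `window_seconds` span, and report whether those ICCIDs were consecutive
    (a strong sign of a scripted range traversal rather than a real user)."""
    by_client = {}
    for ts, ip, iccid, _status in requests:
        by_client.setdefault(ip, []).append((ts, iccid))
    hits = {}
    for ip, events in by_client.items():
        events.sort()
        best = 0
        for i, (ts_i, _) in enumerate(events):
            seen = {ic for ts, ic in events[i:] if ts - ts_i <= window_seconds}
            best = max(best, len(seen))
        if best >= threshold:
            ids = sorted({int(ic) for _, ic in events})
            sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
            hits[ip] = {"distinct": best, "sequential": sequential}
    return hits


if __name__ == "__main__":
    print(lookup_email_vulnerable("89014100000000000002"))  # leaks bob's address
    print(lookup_email_hardened("acct-1001", "89014100000000000002"))  # None
    print(find_enumeration(parse_log(LOG_LINES)))
```

The detector is the kind of check a web application firewall or log pipeline would run; in production the flagged client would also be rate-limited at the edge rather than only reported.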

Included in the email addresses disclosed were several prominent celebrities, politicians, and high-profile industry figures, including Rahm Emanuel and Michael Bloomberg.

This attack apparently only affects iPad 3G users, not the Wi-Fi-only iPads. AT&T has stated that this particular flaw in their web application has now been remediated.

Upgrade to MS Office 2010 now to avoid critical vulnerabilities

Microsoft today released 10 security bulletins, three rated “critical” and seven rated “important,” to address 34 software vulnerabilities. Of these bulletin items, users should prioritize these four:

  • MS10-033: Critical on all supported versions of Windows. This update addresses a Windows media file vulnerability that could potentially enable drive-by downloads.
  • MS10-034: Addresses an ActiveX vulnerability.
  • MS10-035: A cumulative update for Internet Explorer.
  • MS10-038: Addresses critical vulnerabilities in Excel.

It’s important to note that MS10-038 addresses 14 CVE vulnerabilities, all related to Excel. Many of these vulnerabilities have a “critical” rating. Of the 14 vulnerabilities, 11 only affect Office 2002. Office 2010 is not impacted by any of these.

If you are still running MS Office 2002, it is time to upgrade! In addition to the newly announced vulnerabilities, Microsoft is ceasing support for Office 2002 next month. All the more reason to upgrade!

Users can be protected by installing the updates released with these bulletins. If you have Windows auto-update enabled, you are good to go. Otherwise, please go to this link (http://www.microsoft.com/technet/security/current.aspx) to download the updates.

An important item to note: in addition to Office 2002, Microsoft will cease support for Windows XP Service Pack 2 and Windows 2000. Users should upgrade to Windows XP Service Pack 3 or a later version of Windows.

Are you rethinking Facebook?

Facebook is currently the world’s most popular social media site, with over 400 million users. Long plagued by accusations of security leaks and lackluster privacy practices, the company is now defending itself against a barrage of new criticism. CEO Mark Zuckerberg gave an interview earlier this year arguing that privacy is no longer a “social norm,” and Facebook’s privacy policies have been shifting rapidly to reflect that position.

The latest firestorm centers on a new feature called “instant personalization,” a targeted advertising service that supplies personal user data to partner sites such as Pandora and Microsoft Docs. Every Facebook account was enrolled when the service was rolled out, and opting out is a convoluted, multi-step process. In a move that some users are calling deliberately deceptive, simply clicking an “opt out” check box does not stop your user data from being shared.

So far, the beta service is limited to three corporate partners, all of whom have promised not to misuse the shared user data, but the feature is slated to expand over time. That puts millions of user accounts and their personal information at the mercy not just of Facebook, but of the ethics of every company that becomes an instant personalization partner in the future.

Other security breaches are also making headlines. A Russian hacker who calls himself “kirllos” recently claimed to possess the logins and passwords of 1.5 million Facebook accounts, and he is putting them up for sale, cheap. Though no one has officially verified whether these credentials are real, kirllos has reportedly already sold around 700,000 of them.

If true, this incident puts another crack in Facebook’s already-besieged reputation. Account compromise not only leaks a user’s private information, including photos, status updates and private messages exchanged with other users, but also raises the phishing risk for everyone around that user: imagine a trusted Facebook friend sending you a message with an embedded link that, once clicked, takes you to a malware-laden site.

What does this mean for corporate users? Opening up your company to Facebook access invites more phishing and malware, which in turn can lead to data breaches and other, more serious security incidents inside your corporate network. Given the soaring popularity of Facebook as a casual communication tool, the usual acceptable-use guidance, urging employees to use discretion and avoid discussing sensitive information on Facebook, is far from sufficient.

Social media can be a corporate asset. Facebook is a high-profile tool for company exposure and branding, and the wide reach of such a platform can facilitate business networking. But had you known that the media giant would be riddled with security holes while deliberately taking a cavalier attitude toward user privacy, would you have allowed your users access to Facebook?

Facebook’s new privacy settings

Last week Facebook rolled out new privacy settings. I am sure that by now many of you have gone through the new privacy settings wizard. But do you know all the ins and outs of the new settings and how to navigate them?

In general, the new Facebook privacy settings menu is easy to use and straightforward, and some of the new options are positive changes. For instance, you can now hide a wall post from specific individuals (or make it visible only to specific individuals). This level of fine-grained control was not available before and is a welcome change.

However, in the course of migrating to the new privacy settings, Facebook has made several categories of information visible to “Everyone” by default. If you did not actively manage your privacy settings during this migration, some of your information, such as Family and Relationships, Education and Work, and your posts, is now visible to everyone, regardless of what your previous privacy settings were.

Another puzzling thing is that Facebook apparently does not think the ability to control who can see your Friends list belongs in the privacy settings at all. Moreover, everybody’s Friends list is now visible to the world by default. To turn that off, you have to go to your profile page, click the little crayon icon next to your Friends list, and unselect the “Show Friend List to everyone” option. If you had previously hidden your Friends list from public view, it is now free for all to see unless you performed the little trick with the crayon icon. Even worse, your Friends list will now show up in search engine results.

Speaking of indexing by search engines, Facebook’s privacy settings do provide an option via which you can prevent search engines from indexing your public Facebook information, which is information that you’ve elected to be viewable by everyone (or is it?). Despite the fact that I had strenuously set and checked all my privacy settings, including unchecking the “Show Friend List to everyone” option, Facebook is still showing a sample of my friends to search engines! And we know that once a search engine has indexed and cached your information, it’s virtually impossible to purge the info completely.

The specific options and settings aside, this concept of PAI, short for publicly available information, is one that is worth a bit of ink. Everyone has a different idea of what their PAI should be. Facebook, however, has decided that certain categories of information, such as your profile picture, family and relationship info, education and work info, interests and activities, group memberships and so on, should be PAI, and it has gone ahead and made these categories visible to everyone by default. You have to work through the entire privacy menu to change that.

In this age of search engines, content caching and near-ubiquitous connectivity, have you really thought about what you should place (and not place) in your PAI? Do you understand all the consequences of putting a specific piece of information there? Do you know how long that information will remain available after Facebook has become yesterday’s news? Most of us do not internalize the fact that every time you label something public, that “thing” will probably live in the public domain forever in some shape or form. Is that something you can live with? Would you still write that paragraph of “About me” and make it viewable by “Everyone” if you knew that people could still find it 50 years from now? This is of course independent of Facebook or any social networking platform; it is fundamentally about what information you, as an individual, want to expose to the world. Once we have a good grasp of our PAI, we can then look at specific social networking or social media tools and demand that they give us the flexibility and controls to manage it.