Home

PDF Ebook Facebook: Threats to Privacy

Submitted by antoq on Sat, 06/27/2009 - 02:30

Facebook 1 (www.facebook.com) is one of the foremost social networking websites, with over 8 million users spanning 2,000 college campuses. [4] With this much detailed information arranged uniformly and aggregated into one place, there are bound to be risks to privacy. University administrators or police officers may search the site for evidence of students breaking their school’s regulations. Users may submit their data without being aware that it may be shared with advertisers. Third parties may build a database of Facebook data to sell. Intruders may steal passwords, or entire databases, from Facebook. We undertook several steps to investigate these privacy risks. Our goal was to first analyze the extent of disclosure of data, then to analyze the steps that the system took to protect that data. Finally, we conducted a “threat model” analysis to investigate ways in which these factors could produce unwanted disclosure of private data. Our analysis found that Facebook was firmly entrenched in college students’ lives, but users had not restricted who had access to this portion of their life. We discovered questionable information practices with Facebook, and found that third parties were actively seeking out information.

To analyze the extent of user disclosure, we constructed a spider that “crawls” and indexes Facebook, attempting to download every single profile at a given school. Using this tool, we indexed the entire Facebook accessible to a typical user at Massachusetts Institute of Technology (MIT), Harvard, New York University (NYU), and the University of Oklahoma. To supplement this data, we surveyed the MIT student body to ascertain the level of use of certain Facebook features. Our study found that upwards of 80% of matriculating freshmen join Facebook before even arriving for Orientation, and that these users share significant amounts of personal information. We also found that Facebook’s privacy measures are not utilized by the majority of college students. To analyze the Facebook system we investigated the facets of the website, and of the terms of use and compared them against the current standards of “Fair Information Practices” s defined by the Federal Trade Commission, as well as the standards set by competing sites.

Although many Facebook features empower users to control their private information, there are still significant shortcomings. Finally, we took the perspective of a third party acting in a self-interested manner, looking either for financial gain or for assistance in the enforcement of university policy. We surveyed news articles on the consequences of Facebook information disclosure, and interviewed students that harvested data, as well as students who were punished for disclosing too much. Given the existing threats to security, we constructed a threat model that attempted to address all possible categories of privacy failures. From a systems perspective, there are a number of changes that can be made, both to give the user a reasonable perception of the level of privacy protection available, and to protect against disclosure to intruders. For each threat, we make recommendations for Facebook, its users, and college administrators. These include eliminating the consecutive profile IDs, using SSL for login, extending “My Privacy” to cover photos, and educating end-users about privacy concerns.

Contents
1 Introduction
2 Background

    2.1 Social Networking and Facebook
    2.2 Information that Facebook stores

3 Previous Work
4 Principles and Methods of Research

    4.1 Usage patterns of interest
    4.2 User surveys
    4.3 Direct data collection
    4.4 Obscuring personal data
    4.5 A brief technical description of Facebook from a user perspective
    4.6 Statistical significance

5 End-Users’ Interaction with Facebook

    5.1 Major trends
    5.2 Facebook is ubiquitous
    5.3 Users put time and effort into profiles
    5.4 Students join Facebook before arriving on campus
    5.5 A substantial proportion of students share identifiable information
    5.6 The most active users disclose the most
    5.7 Undergraduates share the most, and classes keep sharing more
    5.8 Differences among universities
    5.9 Even more students share commercially valuable information
    5.10 Users are not guarded about who sees their information
    5.11 Users Are Not Fully Informed About Privacy
    5.12 As Facebook Expands, More Risks Are Presented
    5.13 Women self-censor their data
    5.14 Men talk less about themselves
    5.15 General Conclusions

6 Facebook and “Fair Information Practices”

    6.1 Overview
    6.2 Notice
    6.3 Choice
    6.4 Access
    6.5 Security
    6.6 Redress

7 Threat Model

    7.1 Security Breach
    7.2 Commercial Datamining
    7.3 Database Reverse-Engineering
    7.4 Password Interception
    7.5 Incomplete Access Controls
    7.6 University Surveillance
    7.7 Disclosure to Advertisers
    7.8 Lack of User Control of Information
    7.9 Summary and Conclusion

8 Conclusion

    8.1 Postscript: What the Facebook does right
    8.2 Final Thoughts
    8.3 College Newspaper Articles

9 Acknowledgements

    9.1 Interview subjects

A Facebook Privacy Policy
B Facebook Terms Of Service
C Facebook “Spider” Code: Acquisition and Processing

    C.1 Data Downloading BASH Shell Script
    C.2 Facebook Profile to Tab Separated Variable Python Script
    C.3 Data Analysis Scripts

D Supplemental Data
E Selected Survey Comments

    E.1 User Feedback

F Paper Survey

Download
PDF Ebook Facebook: Threats to Privacy

»

Posted in :