Facebook is an @sshole, but Google is an even bigger @sshole
Facebook’s Tracking Scandal Is Mushrooming
The month is off to a bad start for Facebook. The social network is fighting a new class action suit over its non-logout logout. And now it’s been busted for bringing back a cookie that tracks people who don’t even use Facebook.
Facebook has resumed distribution of the “datr” cookie, which is set by those ubiquitous Facebook “like” widgets all over the web and thus can follow you from site to site. The Wall Street Journal reported on the cookie in May, noting that it follows all web browsers, whether logged in to Facebook or not. Facebook removed the cookie shortly after publication of the article, and after a formal bug was filed with its programmers. Some time between then and now the cookie returned, as entrepreneur and de facto privacy researcher Nik Cubrilovic reveals. The cookie was set by every widget-carrying website Cubrilovic tested.
What does the cookie do? For starters, it is used to associate your account with other people who use your computer, Cubrilovic believes, which is why your Facebook dossier includes a list of “associated users.” It also indicates that Facebook was incorrect — knowingly or unknowingly — when it claimed last week that the cookie was set only “when a web browser accesses facebook.com (except social plugin iframes),” since it is in fact set from social plugin iframes. Its re-emergence also means Facebook quietly re-enabled — purposely or accidentally — a privacy bug they supposedly closed last May. And finally it means that Facebook collects raw data it could use to track big chunks of your surfing history, even though Facebook said last may that its intent was not to use the cookies for such a purpose.
News of “datr’s” return comes after the chairmen of a Congressional privacy committee, plus 10 public interest groups, pushed the FTC to investigate all of Facebook’s clingy cookies, which remain even after a user “logs out.” It should only add to the pressure on Facebook, and to the evidence in a suit an Illinois law firm filed against Facebook in San Jose federal court Friday night. The suit, which is seeking class action status, accuses Facebook of misleading users about the meaning of “log off.” Facebook promised to fight the suit “vigorously,” which means the company thinks it can find someone somewhere who actually had a correct understanding of what actually happens when you “sign off” of Facebook. Sounds like a very expensive manhunt.
Facebook’s cookie monster is unstoppable
The social networking site this week was pulled into yet another privacy scandal that should surprise absolutely nobody
Interesting revelations invariably emerge when a high-profile entity is scrutinised, intensely and unforgivingly, by those who are convinced it’s too good to be true. Case in point: Julia Gillard. The NBN. Miley Cyrus. And Facebook, of course, which this week was pulled into yet another privacy scandal that should surprise absolutely nobody – and offer yet another reason why CSOs should be very, very careful when it comes to use of social media within their company’s four walls.
Facebook knows this, which is why it rushed to respond and resolve the issue. Yet while Nik Cubrilovic’s discovery raises real questions about privacy online, furious commentators arguing Facebook should delete all cookies when users log out and offering paranoid users tips for deleting all their cookies, are simply misinformed. The whole point of cookies is to create a stateful Internet in which Web sites can store information about users that stays around even after they have logged out, so it will be there the next time they come back. Deleting them when you log out would be like putting nametags on your child’s school bag while he’s at home, then removing the nametags when he goes to school.
The problem wasn’t with cookies, although it quickly became a cookies scandal; the problem was that Facebook’s design made no effort to check whether users were logged in before using cookies to track their activities. Log out of Facebook, the reasoning goes, and you should be able to visit the Justin Bieber fan page on Facebook without suffering the indignity of the site adding that information to its persistent profile of you.
Embarrassment aside, people hate to feel a particular site is tracking them online – particularly when so many people wrap themselves in the warm and cozy world that is Facebook and allow it to shape their entire Internet experience.
The thing is: the entire Internet has evolved this way. If you think half the Web sites you visit, the links you click in emails, and the Web searches you run aren’t being tracked, collated and analysed by marketers eager to get their greasy hands into your wallet – well, you haven’t been online very long at all. Indeed, Facebook’s entire existence is due to its ability to profile its users and sell their information to advertisers; Web behemoths need to pay the rent, too.
Most end users accept this sort of information tit-for-tat as the price you pay for free access to a previously unimaginable world of information. But once they stop considering the implications of their actions, the implications for the CSO are more significant indeed – especially since, as it was put so clearly this week at a VMinformer business security roundtable, businesses suffer from a “culture of trust” in social media that’s opening them up to all sorts of potential nastiness.
VMinformer CTO John Reeman blamed the huge popularity of sites like Facebook, the trust they engender among users, and their poor and inherently insecure coding for the privacy travesties unleashed on the Internet world. And while Facebook’s denials and rapid response suggest the issue might have been bad coding rather than some grand scheme to expose your Bieberness unless you click on a certain number of targeted advertisements, the current furore fuels greater concerns that the ubiquity of social media is providing dangerous shortcuts around corporate security controls.
Even consumer-focused features such as automatic face tagging in photos can become security issues by automatically identifying and linking groups of people, or picking up staff members whose names and affiliations might normally not be public information. If your CEO is photographed lunching with the CEO of a smaller company while discussing takeover terms, for example, the implications are significant.
The role of human error in compromising corporate security is nothing new, but the ease with which peoples’ lack of security nous can potentially expose a corporate network to social media’s dark side, is. For executive boards that are held by some to be “too cocky” when it comes to security, the potential for security problems due to pedestrian reasons like Facebook is humbling indeed. Remember that these breaches don’t necessarily have to involve malicious code, although they could; in many cases, they will simply be the product of a massively relaxed approach to online privacy that’s inconsistent with the tight controls imposed to control the internal flow of information.
There are technological protections, of course, such as apps designed to protect users from malicious Facebook links. Yet whether Facebook’s current ignominy was intentional or not, it has reinforced the ways that valuable and well-intentioned features like cookies can result in unintentional compromises of company data. If a script on Facebook or other social-media site were in fact tracking an employee’s every move, for example, and they stayed logged in while navigating your internal network structure, they could easily reveal far too much information to all the wrong people.
These are the compromises inherent in the balancing act that is an unavoidable part of doing business online. But since Facebook is hardly going away, the key security imperative here is for CSOs to avoid falling into the same culture of trust as their users; only in this way can the privacy-compromising hordes be kept outside the gate.