In Facebook We Don’t Trust

Another day, another Facebook privacy issue shows up in the news.  Yesterday The Wall Street Journal reported that Facebook has been transmitting user information to advertising and Internet tracking companies through its popular applications.  Facebook claims that they did not do this intentionally, but that it was a function of how browsers pass credentials.

This issue affects millions of users who are using Facebook apps.  If you ever played FarmVille, Mafia Wars or used any of the thousands of other apps, your user ID and other information could be compromised, even if you set your profile to the strictest privacy settings available.  So once again Facebook is violating their own rules.  Facebook says it’s taking steps to “dramatically limit” the exposure of users’ personal information, but should anyone trust them?

“A Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application,”  a Facebook spokesman said.  Knowledge of an ID “does not permit access to anyone’s private information on Facebook,” he said.  Yet somehow companies are linking the IDs to other activities on the Internet.  Facebook is planning to introduce new technology to contain the problem identified by The Wall Street Journal.  This all sounds great, but is this another example of Facebook’s lack of understanding of security and privacy or is it just an honest mistake? 

At issue is your and my ability to control what information we share on the Internet.  If I go to a site through my browser, certain information is passed to the site in my browser’s request headers.  That information is gathered to understand who is accessing the site.  This is how Google Analytics works and is very valuable for marketing purposes.  Here is an example of some of the information a site can see about my browser – check out to see what your browser shows.


This shows I’m running Windows Vista and using a Firefox browser.  It also picks up my IP address and a time/date stamp so it can tell what country or state I’m browsing from.  The rest of the information identifies the technologies my browser supports.  Websites use this information to present me with the best user experience based on the technology available on the platform I’m using.  This is also how a website can present your mobile device with an optimized experience.

But no user information is passed to the website.  That can only happen if an application passes it through the URL or another posting method.  The Facebook apps were using an HTTP referer, which passes the address of the last page viewed when a user clicks on a link.  This is a common method to ensure authenticity of referring sites, but can also be a privacy issue if credentials are passed along.  Many sites that pass user credentials use HTTPS to encrypt the data or strip out the referring site and associated information altogether.  That prevents unintended people and sites from reading it and possibly exploiting it.
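The referer behaviour described above, as an added example (not code from Facebook or from this post): it models the Referer value a browser derives under a few values of the W3C Referrer-Policy header, one standard way to do the stripping mentioned above. It shows that serving the page over HTTPS only suppresses the header on a downgrade to HTTP, while an HTTPS third party still receives the full URL. The URLs and the `id` parameter are constructed.

```javascript
// Added example: the Referer value a browser derives for a request, for a
// subset of the W3C Referrer Policy values. URLs and the "id" parameter are
// constructed sample values, not taken from any real application.

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  // Credentials and the fragment are never sent in Referer.
  u.username = ""; u.password = ""; u.hash = "";
  return originOnly ? u.origin + "/" : u.href;
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

function refererFor(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return stripForReferrer(from, true);
    case "same-origin": return sameOrigin ? stripForReferrer(from, false) : null;
    case "no-referrer-when-downgrade": // full URL unless HTTPS -> HTTP
      return isDowngrade(from, to) ? null : stripForReferrer(from, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(from, false);
      return isDowngrade(from, to) ? null : stripForReferrer(from, true);
    default: throw new Error("policy not modelled: " + policy);
  }
}

// True when the Referer still carries the identifier from the page URL.
function leaksUserId(referer) {
  return referer !== null && new URL(referer).searchParams.has("id");
}

const APP_PAGE = "https://apps.example.com/game/play?id=1234567890"; // constructed
const AD_HTTPS = "https://ads.example.net/click"; // constructed third party
const AD_HTTP = "http://ads.example.net/click";

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  for (const dest of [AD_HTTPS, AD_HTTP]) {
    const referer = refererFor(policy, APP_PAGE, dest);
    console.log(policy, "->", dest, ":", referer, leaksUserId(referer) ? "(id exposed)" : "(id not exposed)");
  }
}
```

Keeping identifiers out of page URLs removes the exposure at the source; the policy only limits what is forwarded when they are there.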

So why are Facebook credentials being passed around to sites?  This seems like basic Internet security.  If an application has to pass my Facebook ID, it should be encrypted.  If I buy something at Amazon or a thousand other websites, my login, password and other credentials are encrypted.  My credentials are kept private and in my control.  It’s a different story if I choose to deliberately share an ID or other user information.  The issue with Facebook is that their policies say my information is private unless I choose to share it.  I didn’t choose to share it and now my information may be public.

It’s hard to say if Facebook is just the tip of the iceberg or they are unique.  A company with over 500 million active users needs to look at their entire ecosystem and provide the secure environment they claim.  Are they alone or do many other companies have the same issues?  They are getting the spotlight because of their popularity, much like Microsoft has for the past 20 years.  In Microsoft’s case, the spotlight forced them to improve their browser and application security.  Hopefully all these privacy and security problems with Facebook will have the same outcome.  They need to learn faster and actually deliver what they promise.


Photo credit stars alive
