This page has been archived and is no longer updated.

24 September 2014
Press Office
Press Releases

Facebook's loophole places personal profile data at risk – BBC investigation


Facebook users are often unknowingly revealing their profile data and that of their friends by agreeing to download seemingly innocuous Facebook applications, according to a BBC investigation.

 

Click, the BBC's flagship technology programme, has found that although users can change their privacy settings to hide personal information on their profile, simply using an application allows that application's creator to access their profile data.

 

Once these applications have been added, users' profile information can only be protected by changing the application's privacy settings, which are three pages of clicks inside the site, regardless of how users have set their profile privacy settings.

 

Click developed an application for Facebook, which the team used to discover details of users and their friends that those users may have felt were inaccessible to people they did not know.

 

Taking less than three hours to write, Click's application was then added to four Facebook users' accounts. As a result, they could access details of those four people and all their friends on Facebook even though many had chosen to hide those details on their public profile.

 

This means that there is the potential for criminals to "skim" user data, via a rogue application.

 

Data can also be given away by a Facebook friend who innocently adds an application to his Facebook account.

 

At the moment it appears the only completely sure and safe way to stop such data being shared is to remove all applications and not use them.

 

Facebook has Terms and Conditions for creators of applications but criminals (or investigators) wanting to gain access to personal information do not necessarily consider these when they attempt to steal personal details.

 

It cannot be determined how many applications may be using this method to steal data, or indeed whether there are any at all, but the ease with which the BBC team put together its rogue application has raised concern.

 

Interviewed for this week's Click programme, Paul Docherty, Technical Director of Portcullis Computer Security, said he believed that Facebook's Terms and Conditions stated on the site meant that Facebook had legally covered itself from any liability.

 

But he added: "Morally, Facebook has acted naively."

 

He said: "Facebook needs to change its default settings and tighten up security."

 

But he also believes it would be difficult to secure the current system because so many third party applications are now in circulation.

 

This comes in the month that competitor MySpace opened up its platform for applications to users.

 

But it is currently using a different method – allowing the company to keep a close eye on what the applications do and vet their authors.

 

The Click team was unable to create a similar threat to users' security using the MySpace system.

 

MySpace told the BBC: "All applications run on MySpace servers and the code is checked to verify security."

 

Facebook told the BBC: "All third-party developers building on Facebook Platform are subject to technical and policy restrictions that strictly limit their collection, use and storage of profile information.

 

"When a user adds an application, they agree to the Facebook Platform Application Terms of Use, which allows the developer to make requests for access to the information in the user's profile, excluding contact information.

 

"Users are strongly encouraged to report any suspected misuse of information to Facebook.

 

"Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

 

"We have sophisticated technology and a dedicated team to address inappropriate activity by applications.

 

"Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

 

"Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications may not use adware, spyware, or other deceptive techniques.

 

"Users should employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop."

 

Notes to Editors

 

This was a controlled experiment to prove what was possible with the full agreement of those involved. No information from the experiment has been retained.

 

Click is shown on BBC One, the BBC News Channel, BBC World News and is available online – see programme times.

 

CC3

 



The BBC is not responsible for the content of external internet sites

Category: News
Date: 01.05.2008

