Facebook is Dangerous

I ran into this article where Eben describes Facebook as analgous to a "man in the middle" attack that a hacker might employ to intercept apparently private communication for nefarious purposes. I think Eben's analogy is spot on: this isn't a technical hack, this is a social hack, and it amazes me how oblivious we are to the increasing damage Facebook is inflicting on our privacy and the danger it can pose to people who are deemed "criminals" wanted by law enforcement.

At the end of the article, the author Dan Tynan challenges Eben's metaphor. I disagree with Tynan, and I want to quickly respond to his points.

Dan Tynan: A true MITM attack happens without either party knowing about it. When’s the last time you used Facebook without knowing about it, or been forced to use it against your will?
Every day. Every mainstream news website, most blogs, and virtually all shopping websites have Facebook "Like" buttons which can be used to track your activity on that site even if you don't touch the "Like" button. You can't go anywhere on the internet without accessing Facebook's servers, whether or not you even have a Facebook account.

Dan Tynan: You have no control over the data the MITM attacker collects. You have some controls over what Facebook collects.
No, you have the illusion of control. Just because you can turn off what you 'share' on your account doesn't mean that Facebook isn't collecting the data and turning it over to anyone who requests it without a warrant.

Action

I think Facebook is garbage. I didn't have an account for years because of the concern I had for my (and others') privacy. The problem is that our colleagues at the law school send out invitations to events only on Facebook. If you don't have a Facebook account, you miss out on invitations to sweet parties.

One way we can start to solve this problem is by refusing to use Facebook to send out event invitations. Can the Student Senate can create a policy that their events will not be publicized on Facebook? Are there Senators in this class that can make this happen? Let's take action to reduce the utility of Facebook on our campus and make it easier for people to deactivate their accounts.

If you think that you can just deactivate your own account and everything will be fine, you are wrong: the scariest part about what Facebook is becoming is their "Photo DNA" which identifies people by pictures that are uploaded of you even if you are not tagged and even if you don't have a Facebook account. That's why it's important to get everyone to deactivate their accounts or at the very least stop uploading pictures to Facebook.

Maybe you don't care if Facebook or law enforcement can track where you are at any given moment. But if the world someday becomes a place where you do care, by then it might be too late to do anything about it.

-- HarryKhanna - 07 Feb 2012

I may be in the minority on this, but I've always felt the Facebook coverage was a bit sensationalistic. If you have privacy concerns, yes, the best move is to get off Facebook, deactivate (and try to delete) your account, and convince everyone you know to stop using it. The problem is that most of these privacy issues aren't relegated to Facebook. They permeate almost all of the web as we know it. I will concede that Facebook does a particularly (and perhaps intentionally) poor job at offering clear, easy-to-use privacy settings.

First, this is in the realm of "truth vs. accuracy," but it feels relevant to note that Photo DNA (by Microsoft) is not the same as facial recognition (which Facebook also has). Photo DNA allows Facebook to track versions of the same photo, not people. As deployed now, it finds and tracks known images of child pornography when posted on Facebook. Obviously, Facebook does have facial recognition software that raises privacy concerns - you see it every time you tag a photo and it suggests your friends for you - but I'm not aware of any evidence that it is being used for a nefarious purpose (or to aid law enforcement). It may have been, I'm just not aware of it.

Second, Facebook is hardly the only data privacy problem on the web. To free yourself of similar risks, you'd pretty much need to change the way you interact with the Internet altogether. For one, the majority of us use free hosted email (Gmail, predominantly, I'd imagine). I'd venture to guess that more private, relevant data is exchanged through email than through Facebook, especially given that most people see Gmail as a completely private place and Facebook as at least a somewhat public place. Outside of running your own email server (which isn't feasible for a sizable segment of users), there's little way to prevent email providers from doing the same things with your data that Facebook could. Even if you did, you'd still likely be emailing people who have Gmail or Yahoo mail accounts, and your data would still end up on their servers.

I'm running a bit late for school today, so I'll stop here and try to finish this this afternoon, but the general point is that getting off Facebook doesn't seem to cure any real privacy issues. Is it better? Sure. Is it a solution? Not really.

I think this analysis is largely correct, though I think, for reasons I will be discussing in my other course in coming weeks, the Facebook coverage has been anemic and uninformative in the extreme, and your relative indifference to this among other privacy problems is misplaced. Your point, however, that Facebook is merely part of a larger failure in the Net to be robust against attacks on privacy and freedom is surely correct. Hence I agree with you that solving the Facebook problem is one necessary rather than the sufficient condition for remediation of the problem overall. For my diagnosis of the problem overall, and the beginning of my working through a possible solution, see my Freedom in the Cloud.

-- SanjayMurti - 08 Feb 2012