Sophos Australia Facebook ID probe 2009

Filed Under: Data loss, Facebook, Privacy, Social networks

Just over two years ago, Sophos UK conducted a Facebook ID Probe to see how willingly social networkers give out their personal data. 43% of those in the probe accepted an invitation to be friends with Freddi Staur – allegedly a 20-something from London, but in reality a green plastic frog.

That was in 2007, and in England. What about 2009, in Australia?

With an additional two years' worth of well-publicised warnings from security companies, the media, the cops and from Facebook itself, and with Aussies generally backing themselves to be better at almost everything than the English, surely things would show an improvement? We decided to find out.

This time we created two female Australian Facebook users, Daisy Feletin (21, single) and Dinette Stonily (56, married). Each sent a friend request to 100 randomly-selected contacts in their age group, and waited two weeks to see who would respond.

The results were even worse than in the London experiment of 2007. It seems that social networkers still haven't learned to be circumspect with their personal information:

Information                Daisy Feletin    Dinette Stonily
Friends accepting          46%              41%
Total friends gained       46               49
Full d.o.b. (D/M/Y)        89%              57%
Partial d.o.b. (D/M)       9%               35%
Email address              100%             88%
College or workplace       74%              22%
Town or suburb             50%              43%
Full address               4%               6%
Phone number               7%               23%
IM screen name             13%              18%
Family and friend data     46%              31%
Average no. of friends     220              932

Interestingly, although fewer of the 50-something crowd – 41% to 46% – blindly accepted our friend request, cat-loving Dinette ended up with more friends overall – 49 to 46 – thanks to eight Facebookers who volunteered to befriend Dinette of their own accord. This willingness to make friends without waiting for an invitation helps explain why the older users have more than four times as many Facebook friends on average as the youngsters.

The youngsters were more liberal with their workplace (or school/college if they weren't yet working); both groups were very liberal with their email addresses and with their birthdays. This is worrying because these details make an excellent starting point for scammers and social engineers. Nearly half of the youngsters, and nearly one-third of the 50-somethings, also offered up details about friends and family – again, information which scammers and identity fraudsters can exploit to build up an accurate and abusable profile of you and your lifestyle.

Ten years ago, getting access to this sort of detail would probably have taken a con-artist or an identity thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate.

Be careful when getting into social networking. In particular:

  • Don't blindly accept friends. Treat a friend as the dictionary does, namely "someone whom you know, like and trust." A friend is not merely a button you click on. You don't need, and can't realistically claim to have, 932 true friends.
  • Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don't give away too much too soon.
  • Assume that everything you reveal on a social networking site will be visible on the internet for ever. Once it has been searched, and indexed, and cached, it may later turn up on-line no matter what steps you take to delete it.

Facebook will soon be updating its privacy system, and when it does, we'll update our best-practice guidelines to cover the new look-and-feel. In the meantime, the founder of Facebook himself has sent out an open letter urging all users – including Daisy and Dinette – to "consider who you're sharing with online".

Sounds rather obvious, doesn't it? So tell your friends, real and on-line!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog