The F, A, C, E, B, O, and K keys on my keyboard are becoming well worn. The Wall Street Journal is reporting another major privacy gaffe by Facebook and a few other social networking sites. This time, counter to its own privacy commitments, the site leaked information that identified individual users to third-party advertisers.
Some of the other sites named leaked unique IDs related to users, but the case with Facebook is more concerning. Facebook requires everyone to use their real identities, and since December 2009 has forced users to share a lot more personally identifiable information with the world.
To date, Facebook insists it has not intentionally released this information and has made changes to prevent this data leakage. My personal view is that this relates to a cultural issue inherent at Facebook and other social media companies.
Designing applications and systems that are entrusted with people's personal data requires an embedded sense of responsibility. We at Sophos live that value every day, making sure we put "best protection" ahead of all other business goals. By choosing our solutions, you have placed your trust in us, and we have an obligation to do our best to deliver that promise.
Mark Zuckerberg has demonstrated that this is not the goal of Facebook. Only when others do audits and raise a media fuss does Facebook consider the impact and make changes. It is not part of their culture to defend their customers' privacy. When your business is focused on collecting private data, you have a responsibility to protect information.
It's been a bad month for Facebook and I hope this is a wake up call for those who make decisions regarding our security and privacy. Facebook should first commit to a full audit of its systems to make sure it complies with its own policies, and then spend some time listening to its customers' feedback.
Creative Commons image courtesy of xkcd.com.