Facebook’s 10 years of security & privacy thrills ‘n spills


Princeton University: Based on epidemiological modeling, Facebook will shrivel up and mostly die by 2017 (PDF), in much the same way as an infectious disease might.

Facebook: Princeton University will disappear by 2021, followed by the evaporation of all air by 2060.

Naked Security: Happy Year 10 of the Zuckerbergian invasion of planet Earth!

Some will tell you that the young’ns aren’t into Facebook, preferring as they do to Chat Snappily and Gram Instantly, but for the rest of us, the billion or so hanging in there, Entertainment Weekly’s end-of-decade “best-of” list from 2009 still resonates.

To wit:

How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?

Exactly, how indeed? So without further ado, Happy Birthday Facebook: here are the greatest hits of your past 10 years, with a particular focus on how privacy and security have fared.

The early years: handing out a master password like candy.

Ah, those were the days, before all this “privacy” and “information security” stuff. Katherine Losse, Mark Zuckerberg’s former speechwriter and, heartwarmingly, “Facebook employee No. 51”, described that halcyon time in her 2012 book The Boy Kings:

Jake introduced us to the hanky application through which users' e-mails to Facebook flowed. Once we learned how the software worked, Jake taught us, without batting an eyelid, the master password by which we could log in as any Facebook user and access all their messages and data... I experienced a brief moment of stunned disbelief: They just hand over the password with no background check to make sure I am not a crazed stalker?

December 2009: Facebook thinks we’re all being too cagey and changes our privacy settings.

In one of its first big privacy settings changes, Facebook recommends that users adopt settings that would reveal personal data to anyone on the internet – data that millions of people had previously considered to be restricted to only their Facebook friends.

The changes set the default privacy setting for certain types of posted information to “Everyone”.

Sure, you could change your privacy setting, and yes, you could delete content set to “Everyone”, making it blip out of existence on Facebook, but outside of Facebook you were on your own: anything a search engine had indexed or somebody had copied while it was public stayed out there. The new settings meant that such content would translate not only into “Everyone” but also “Forever”.

December 2012: Facebook privacy control overhaul nixed ability to limit who can find us.

Another round of changes to privacy settings carried some good tidings, including Privacy shortcuts from the main page drop-down menu, plus a new Request Removal tool for getting untagged (and telling the tagger why) in multiple photos. But it was also a story of missed opportunities and privacy features being taken away, most notably the “Who can look up your Timeline by name?” setting, which let you stop strangers finding your profile by searching for you and which simply went away.

August 2013: Mark Zuckerberg’s own Facebook timeline hacked by Palestinian researcher.

Ouch! This security researcher thought that Facebook wasn’t taking his vulnerability report seriously and decided that the best way to get Facebook to listen was to go right to the top guy.

Responsible disclosure it was not, but it certainly got the researcher the attention he was after.

August 2013: Facebook gets secure browsing by default.

Happy ubiquitous HTTPS day! It wasn’t easy, but after a load of blood, sweat and programming tears, Facebook made a big commitment to users’ security and made it an awful lot more difficult for people in the same coffee shop as you to hijack your account. Until then, a logged-in session cookie travelled over plain HTTP on every page load, so anyone sniffing the café Wi-Fi could copy it and replay it (the trick the Firesheep browser add-on made point-and-click back in 2010). Encrypting everything by default takes that cookie off the wire.
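Switching a site to HTTPS only closes the coffee-shop hole if the session cookie is also marked Secure (so the browser never sends it over plain HTTP) and the site sends an HSTS header (so the first request cannot be quietly downgraded). The checker below is an added example, not Facebook’s code or anything from the original post; it audits a list of (header, value) pairs as a web server would send them. The two header sets and the cookie names (`session_id`, `prefs`) are constructed for the demo, not captured from any real site.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Cookie names this demo treats as login credentials (constructed names).
SESSION_COOKIE_NAMES = {"session_id"}
ONE_YEAR = 365 * 24 * 3600


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, val = attr.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[attr.lower()] = True  # bare flags such as Secure / HttpOnly
    return {"name": name, "attrs": attrs}


def audit_headers(headers: List[Header]) -> List[str]:
    """Return human-readable findings for a response; an empty list means no issue found."""
    findings: List[str] = []
    hsts = None
    for key, value in headers:
        key = key.lower()
        if key == "strict-transport-security":
            hsts = value
        elif key == "set-cookie":
            cookie = parse_set_cookie(value)
            if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
                continue  # only credentials matter for session hijacking
            attrs = cookie["attrs"]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie['name']} lacks Secure: still sent over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie['name']} lacks HttpOnly: readable by injected script")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: first visit can be downgraded to HTTP")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age}s is shorter than a year")
    return findings


# Constructed sample responses: the pre-HTTPS-by-default shape and a hardened one.
LEGACY_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for label, response in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(response) or 'OK'}")
```

Run it and the legacy response yields three findings (no Secure, no HttpOnly, no HSTS), the hardened one none. The non-credential `prefs` cookie is deliberately ignored: the point of the check is whether the thing that logs you in can leave the encrypted channel.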

October 2013: Facebook Graph Search gains ability to paw through your posts and status updates.

All public Facebook posts ever made since the dawn of Facebook time became searchable.

Great gusts of wind went up from the interweb as anybody who hadn’t yet cleaned up their embarrassing tracks lunged for the Activity Log.

November 2013: Facebook reveals friends list even when it’s set to private.

For those who don’t want the entire Facebook-using and -abusing population to see their friends list, there’s always the option to change the setting to private. That setting is, oddly enough, labelled “Only me”: it’s the answer you pick to the “Who can see your friends list?” question. Fat lot of good it will do you, though.

Irene Abezgauz, a vice president of product management at the security software company Quotium, discovered a way for any casual visitor, stranger, stalker or troll to see friend lists that Facebookers had set to be private, and that includes any friends who’ve also set their lists to be private.

To access anybody’s friend list, all someone has to do is to create a fake Facebook account and send a friend request to his or her target. The request doesn’t even have to be accepted: sending it is enough for Facebook to start surfacing the target’s friends to the fake account.

So really, the setting should be labeled “only me plus anybody who creates a fake Facebook account etc. etc.”.

November 2013: Facebook locks users in a closet for using same passwords/emails on Adobe.

Facebook does something so flat-out crazy beautiful in the world of security, there’s still afterglow.

And no, Facebook’s mining of breached Adobe customer records and quarantining of irresponsible, password-reusing users was absolutely not Big Brother-ish at all: the company didn’t have to store passwords in clear text or pull any other boneheaded security move to know just which users were in danger. All it needs is the leaked email address and password from the Adobe dump; run that password through Facebook’s own salted hashing for the matching account and, if the result equals the stored hash, that user is reusing the password and gets locked until they change it. Bravo!
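The check described above needs nothing but the site’s own credential store. The code below is an added example, not Facebook’s code or anything from the original post: it hashes each leaked plaintext with the affected user’s own salt and compares hashes, so plaintext is never stored and nothing is learned about users who are not in the dump. The users table, the breach rows and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

# Constructed KDF settings: rounds kept low so the demo runs instantly.
# A production store would use a slower, memory-hard KDF (scrypt/Argon2).
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """The site's own password hash: PBKDF2-HMAC-SHA256 over a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> Dict[str, object]:
    """Create a credential record the way the site would store it at sign-up."""
    salt = secrets.token_bytes(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


# Constructed users table, keyed by normalised email. Only salt + hash are kept.
USERS: Dict[str, Dict[str, object]] = {u["email"]: u for u in (
    make_user("alice@example.com", "correct horse battery staple"),
    make_user("bob@example.com", "hunter2"),
    make_user("carol@example.com", "Tr0ub4dor&3"),
)}

# Constructed third-party breach dump: (email, recovered plaintext password).
# (Adobe's leaked passwords were reversibly encrypted rather than hashed, and
# many plaintexts were recovered, which is what makes this comparison possible.)
BREACH_DUMP: List[Tuple[str, str]] = [
    ("Bob@Example.com", "hunter2"),        # reused on this site: flag
    ("alice@example.com", "password123"),  # same email, different password: safe
    ("carol@example.com", "tr0ub4dor&3"),  # differs in case, so not the same password
    ("dave@example.com", "letmein"),       # no account here: ignore
    ("bob@example.com", "hunter2"),        # duplicate row: flag only once
]


def find_reused_passwords(users: Dict[str, Dict[str, object]],
                          dump: List[Tuple[str, str]]) -> Set[str]:
    """Return the emails of users whose stored hash matches a leaked plaintext.

    Each leaked password is run through this site's KDF with the user's own
    salt; only hashes are compared, in constant time. Accounts not present in
    the dump are never touched.
    """
    flagged: Set[str] = set()
    for raw_email, leaked_password in dump:
        user = users.get(raw_email.strip().lower())
        if user is None:
            continue
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.add(user["email"])
    return flagged


if __name__ == "__main__":
    for email in sorted(find_reused_passwords(USERS, BREACH_DUMP)):
        print(f"{email}: password reused in third-party breach, forcing a reset")
```

Only bob is flagged: alice’s leaked password is a different one, carol’s differs in case (and a KDF sees that as a different password), and dave has no account. The cost is one KDF evaluation per dump row that matches an account, which is why a slow KDF makes this a batch job rather than a login-time check.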

November 2013: Facebook plans to put Report Abuse button at the fingertips of bullying victims.

The Report button is just one tool in Facebook’s new Bullying Prevention Hub. It puts help at victims’ fingertips at the moment they need it most.

It was a fine move, Facebook. We hope that the button helps to curb the horrible tide of cyberbullying.

October 2013: Facebook admits that it scans private messages.

This is all about inflating pages’ Likes count, and in short order it will result in…

January 2014: Facebook gets sued for scanning private messages.

A class action suit is claiming that Facebook scans private messages in order to detect any URLs within and that it follows the links it finds as part of a crawling process – something it hasn’t explicitly disclosed to users.

Then, if Facebook discovers a Like button on one of the pages, the system will record the private message itself as a Like on that website, thereby making a public declaration out of a private communication.

The plaintiffs have acknowledged that Facebook’s data usage policy discloses how the company receives information when users interact with the site.

Still, they say, the wording doesn’t make it clear that Facebook “scans, mines, and manipulates the content of its users’ private messages… in direct conflict with the assurances it provides to its users regarding the privacy and control they should expect.”

I’m going to stop here, not because I’ve run out of greatest hits.

There are plenty more highlights, both positive and negative – how about when Graham Cluley gave up his Facebook page? Big highlight! Then too there was Naked Security’s open letter to Facebook, and far more changes to the service’s privacy policy and settings than I included here – but this was supposed to be a happy birthday listicle, not an encyclopedia. Feel free to contribute your personal favourites in the comments below if I’ve missed them out.

Readers hungry for more of Naked Security’s Facebook coverage will be pleased to know we have an entire category devoted to the social media giant. We suggest you pay particular attention to our 5 tips to make your Facebook account safer and Another 5 tips to help keep you safe on Facebook.

And, of course, don’t forget you can stay up to date with all the latest news, opinion, advice and research from Naked Security by following our very own Facebook page.

Image of candles courtesy of Shutterstock. Other images licensed under Creative Commons.