Facebook at Work.
Sounds like the start of an IT policy document that probably continues with the words, “Not allowed.”
Or, if the Financial Times (FT) is to be believed [registration required], it’s the name of an all-new but secret product that aims to rewrite the corporate rulebooks.
And the FT seems pretty sure of its facts, with nary a “might,” “could” or “should” in the article.
According to the FT, the new service will:
allow users to chat with colleagues, connect with professional contacts and collaborate over documents, competing with Google Drive and Microsoft Office, according to people familiar with the matter.
At first, you might dismiss this as an absurd idea, especially if you are an IT policy maker who has already weighed up the risks of Facebook, and the things people typically use it for, and have kept it at arm’s length (or further) in the office.
Open source intelligence
After all, building up a profile of a company or an employee piece-by-piece from information that’s already openly published even has a name: OSINT, or open source intelligence.
OSINT is easy to collect; it avoids any of the contentious and dangerous aspects of intelligence gathering, such as surveillance and undercover work; and, best of all, it’s free.
The US Marine Corps famously banned what it referred to as SNSes, or Social Networking Sites, on its enterprise network back in 2009:
The order explained, in ALL CAPS, that:
THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYSPACE, AND TWITTER.
What this means, in the language of the business battlefield, is that Facebook is the kind of place where people haplessly share too much information with strangers, at least some of whom are adversaries quite deliberately out to learn more than they ought to be told.
On second thoughts, however, maybe a separate Facebook at Work isn’t such a bad idea, after all.
Most companies already have some sort of official SNS presence and many employees already use sites like LinkedIn to share job-related information, which inevitably gives away useful OSINT about the company or companies they work for anyway.
The US Marines official website, for example, shown above, has numerous SNS links, even though use of those SNSes is understandably forbidden on the Marines’ enterprise network.
Facebook and security
For all that Facebook has a chequered history when it comes to its attitude to privacy, that’s a matter of Terms and Conditions more than technology.
But Facebook has done surprisingly well over the past few years when it comes to general security.
Even if it hasn’t used the information it collected from you as circumspectly as you might like, the company – ironically, if you like – has collected it circumspectly.
Naked Security, and others, urged Facebook to make HTTPS (secure web page access) the default for all traffic; it took a while, but the company bit the bullet back in 2012.
Facebook hasn’t had a password breach, as far as we’re aware, even of password hashes that still needed to be cracked offline. (LinkedIn had a password breach in 2012; more than 60% of the 6 million badly-hashed passwords were cracked in short order.)
Facebook adopted forward secrecy, a way of using HTTPS that generates a throwaway public-private keypair for every browsing session, so that stealing the server’s own keys doesn’t let you decrypt traffic from the past.
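To make that property concrete, here is an added illustration (not code from Facebook or from the original article) that runs one session with the server's long-term key and one with a throwaway keypair, then checks what a stolen long-term key reveals about each recorded session. The tiny Diffie-Hellman group and the function names are assumptions chosen for readability, and the step where a real server signs its throwaway public key is left out.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (far too small for real use).
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(their_public, my_private):
    """Hash the shared Diffie-Hellman value into a 32-byte session key."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def handshake(server_long_term_priv, forward_secret):
    """Run one session; return (recorded transcript, key both sides agreed on)."""
    client_priv, client_pub = keypair()
    if forward_secret:
        # Throwaway server keypair: the private half is never stored.
        server_priv, server_pub = keypair()
    else:
        # Static mode: the long-term key itself protects the session.
        server_priv = server_long_term_priv
        server_pub = pow(G, server_long_term_priv, P)
    key = session_key(client_pub, server_priv)
    assert key == session_key(server_pub, client_priv)  # both ends agree
    transcript = {"client_pub": client_pub, "server_pub": server_pub}
    return transcript, key

def recover_with_stolen_key(transcript, stolen_long_term_priv):
    """Key derivable from a recorded session plus the stolen long-term key."""
    return session_key(transcript["client_pub"], stolen_long_term_priv)

def demo():
    """Compare exposure of a static-key session and a forward-secret one."""
    long_term_priv, _ = keypair()
    rec_static, key_static = handshake(long_term_priv, forward_secret=False)
    rec_fs, key_fs = handshake(long_term_priv, forward_secret=True)
    return {
        "static_exposed": recover_with_stolen_key(rec_static, long_term_priv) == key_static,
        "forward_secret_exposed": recover_with_stolen_key(rec_fs, long_term_priv) == key_fs,
    }

if __name__ == "__main__":
    print(demo())
```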
And Facebook CEO Mark Zuckerberg famously called up US President Barack Obama to take issue with government-sanctioned internet snooping:
The US government should be the champion for the internet, not a threat. They need to be much more transparent about what they're doing, or otherwise people will believe the worst.
I've called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform.
In short, Facebook will probably collect information about you securely, and guard it well, albeit for its own commercial use.
What next?
So the real question, for Facebook at Work, is whether IT managers think that Facebook’s own “reforms” in how it makes commercial use of your data are true and full enough for the service to win the trust of businesses.
Would you use it?
Gee, sounds like a Yammer-like plan. Facebook does not have a bright future. The demographic it really needs is rapidly leaving. Ask anyone 18-25 if they have a Facebook account and what they use it for if they do.
Also, I’m supposed to throw out everything I have in favor of another monthly fee? Not that easy in a 10,000 user environment.
What fee?
I’m among the ‘No’ camp, but my concerns are not those expressed in the article, concerns which seem to place the priorities on protecting the corporation; I’d be rather more afraid of the corporation itself invading the privacy of its own employees, a policy already far too rampantly abused.
E-mail is good enough. And also easier to manage for large amounts of work-related messages, most of which can be easily trashed after reading, but some of which must be kept around and tagged for future action.
Our IT department was discussing this on our Yammer site we’ve very successfully rolled out. The start consensus was we absolutely would not touch a “Facebook for Business” product with a 20 foot pole and a hazmat suit.
Clearly, we’re not against the idea of a social platform for knowledge sharing in the business. It’s made discussions across offices or even floors of offices much, much easier. Email’s shortfall is that it’s centered more around individuals than it is around groups, and at the end of the day those people come and go, but the group needs to be resilient and have a sense of its history. (We also explicitly state it should be used for knowledge sharing and work discussions and should not include personal discussions.)
But Facebook’s poor record on privacy is what we’re reacting to. That information is what we make money off of and if Facebook thinks we’re paying to abuse a slice of our pie then they’re sorely mistaken. Just follow the money. Facebook makes money off advertising, Microsoft makes money off selling software to corporations. One of those is naturally going to be more trusted by corporations.
Don’t have it at home, definitely don’t want it at work…(sarcasm)
Facebook is all about data collection. So the chat between different people collaborating on different projects will now be collected by Facebook. How can a business even consider that?
I’ll never use Facebook for Work. They can claim all they want that the pro version is completely separate from the consumer one but the company is still run by Creep McCreeperson, Mark Zuckerberg… I don’t trust anything he is behind.