Facebook at Work.
Sounds like the start of an IT policy document that probably continues with the words, “Not allowed.”
Or, if the Financial Times (FT) is to be believed [registration required], it’s the name of an all-new but secret product that aims to rewrite the corporate rulebooks.
And the FT seems pretty sure of its facts, with nary a “might,” “could” or “should” in the article.
According to the FT, the new service will:
allow users to chat with colleagues, connect with professional contacts and collaborate over documents, competing with Google Drive and Microsoft Office, according to people familiar with the matter.
At first, you might dismiss this as an absurd idea, especially if you are an IT policy maker who has already weighed up the risks of Facebook, and the things people typically use it for, and have kept it at arm’s length (or further) in the office.
Open source intelligence
After all, building up a profile of a company or an employee piece-by-piece from information that’s already openly published even has a name: OSINT, or open source intelligence.
OSINT is easy to collect; it avoids any of the contentious and dangerous aspects of intelligence gathering, such as surveillance and undercover work; and, best of all, it’s free.
The order explained, in ALL CAPS, that:
THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYSPACE, AND TWITTER.
What this means, in the language of the business battlefield, is that Facebook is the kind of place where people haplessly share too much information with strangers, at least some of whom are adversaries quite deliberately out to learn more than they ought to be told.
On second thoughts, however, maybe a separate Facebook at Work isn’t such a bad idea, after all.
Most companies already have some sort of official SNS presence and many employees already use sites like LinkedIn to share job-related information, which inevitably gives away useful OSINT about the company or companies they work for anyway.
The US Marines official website, for example, shown above, has numerous SNS links, even though use of those SNSes is understandably forbidden on the Marines’ enterprise network.
Facebook and security
For all that Facebook has a chequered history when it comes to its attitude to privacy, that’s a matter of Terms and Conditions more than technology.
But Facebook has done surprisingly well over the past few years when it comes to general security.
Even if it hasn’t used the information it collected from you as circumspectly as you might like, the company – ironically, if you like – has collected it circumspectly.
Facebook hasn’t had a password breach, as far as were aware, even of password hashes that still needed to be cracked offline. (LinkedIn had a password breach in 2012; more than 60% of the 6 million badly-hashed passwords were cracked in short order.)
Facebook adopted forward secrecy, a way of using HTTPS that generates a throwaway public-private keypair for every browsing session, so that stealing the server’s own keys doesn’t let you decrypt traffic from the past.
And Facebook CEO Mark Zuckerberg famously called up US President Barack Obama to take issue with government-sanctioned internet snooping:
The US government should be the champion for the internet, not a threat. They need to be much more transparent about what they're doing, or otherwise people will believe the worst.
I've called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform.
In short, Facebook will probably collect information about you securely, and guard it well, albeit for its own commercial use.
So the real question, for Facebook at Work, is whether IT managers think that Facebook’s own “reforms” in how it makes commercial use of your data are true and full enough for the service to win the trust of businesses.
Would you use it?