It’s likely not illegal, and it may not even be improper, but the fact that security consultant Ron Bowes gathered and aggregated the information from about 100 million Facebook profiles has created quite a stir. Bowes created his data torrent to aid the development of a password-cracking-protection tool, he has said in interviews with a number of media outlets. To do that, he needed the names of many thousands of individuals and the user names they likely would have on an account.
However, Bowes has also made the compiled data file publicly available, and it has been replicated on many sites across the Internet, including The Pirate Bay. It contains the user name, real name, and publicly accessible information from all the users who have, knowingly or not, allowed this information to appear in the publicly searchable directory on Facebook.
For anyone who now has what was thought to be private information floating around in cyberspace, this is a very bad thing. However, it is not such a bad thing in general, Jennifer Golbeck, assistant professor of information studies at the University of Maryland, told the E-Commerce Times.
“There has to be something to spur people to be concerned about their privacy settings on Facebook,” she said. Perhaps this will be it.
Online vs. Real Worlds
The issue is that users of social networking services still fail to apply to the online world the same care they take with private information in the real world, explained Golbeck.
To be sure, there is a core of Facebook users who first created their accounts as college undergraduates five years ago. Their current counterparts tend to understand much more about online common sense, Golbeck noted.
Unfortunately, many of them learned it by having pictures of themselves drunk at parties viewed by prospective employers, she added.
However, Facebook’s rapid expansion into populations other than its original core means that people much less savvy about online privacy are now added to the mix. These people — retirees, soccer moms, mid-career professionals — have not yet taken their lumps on Facebook and thus may be naive about the potential for problems.
Our Fault, Facebook’s Fault
There seems to be a consensus that Bowes did nothing particularly untoward in gathering this information, although Facebook has asserted that it has a policy against automated gathering of directory and profile information, and it appears that he did indeed step across that line.
Likewise, “Facebook did nothing improper,” noted Greg Sterling, founder and principal of Sterling Market Intelligence.
Still, there is much fault to be found on both sides of the privacy equation.
The service still needs to “play a significant role in educating users about privacy and giving them tools to control who can access their information,” Sterling told the E-Commerce Times.
The tools currently available are difficult to use and can be confusing, stressed Golbeck.
For example, the change in groups the service made several months ago created automated “Like” links in such information as a person’s college or employer. Thus, a user appears as a friend of each group that either appears in a profile or has been checked with the “Like” button.
This change was made largely without user knowledge, said Golbeck. In fact, as an information services professor, she still had to dig to find the information and adjust her own privacy settings to her preference.
Also at fault, of course, are members of social networks who fail to take their online privacy and security seriously enough to take the time to understand and use the privacy settings provided.
Although no protected information was released in Bowes’ torrent, “many people will still be disturbed by the implications of this event — that data can be harvested and distributed across the Internet so easily,” noted Sterling.
What are those implications? Well, one is the fact that the bad guys are armed with more data.
“With this kind of information, an attacker can better appear to be someone you trust and send you links that you shouldn’t click on,” Rob Enderle, founder and principal of Enderle Group, told the E-Commerce Times.
In addition, “they can better impersonate you and attack others and do questionable things and have those things track back to you and not them,” he added.