180 likes | 324 Views
Privacy on Facebook. Does it exist?. Chris Waltrip CS 400: SFS Seminar 31 October 2013. Roadmap. Definitions Who is affected? What is the issue? “But I’ve got nothing to hide!” Specific Issues FTC Lawsuit Shadow Profiles DYI Tool Activity Log Eye tracking? What can be done?
E N D
Privacy on Facebook Does it exist? Chris WaltripCS 400: SFS Seminar31 October 2013
Roadmap • Definitions • Who is affected? • What is the issue? • “But I’ve got nothing to hide!” • Specific Issues • FTC Lawsuit • Shadow Profiles • DYI Tool • Activity Log • Eye tracking? • What can be done? • Conclusion • References
Definitions • FTC – Federal Trade Commission • EPIC – Electronic Privacy Information Center • PAI – Publicly Available Information • DYI Tool – Download Your Information Tool
Who is affected? • Two completely different viewpoints • Facebook, its partners, affiliates and shareholders • The users of Facebook • This presentation focuses on the Users (consumers) of Facebook
What is the issue? • Expectation of Privacy vs. Right to Privacy • FTC Lawsuit • Software Defects • Shadow Profiles • DYI Tool+ Activity Log • Information that is stored
“But I’ve got nothing to hide!” • Quotes • “Can I see your credit card bills for the last year?” • I don’t have anything to hide. But I don’t have anything I feel like showing you, either. • If you have nothing to hide, then you don’t have a life. • Show me yours and I’ll show you mine. • Employers asking for Facebook credentials
FTC Lawsuit • Case 092 3184 • Filed in 2010 in regards to complaints filed by EPIC in 2009 and 2010 • Enumerated 8 Charges • Deceptive/unfair practices • False/misleading information • Settled in November 2011
FTC Lawsuit continued • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance. • Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need. • Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used. • Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't. • Facebook promised users that it would not share their personal information with advertisers. It did. • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts. • Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
FTC Lawsuit continued • Under the settlement, Facebook is: • Barred from making misrepresentations • Required to obtain permission before changing privacy settings • Required to prevent anyone from accessing data 30 days after account deletion • Required to establish and maintain a privacy program • Required to be audited every 2 years for the next 20 years
Shadow Profiles • Profiles that contain cross-referenced information about a user were available to other users • The bug itself was fixed quickly • Facebook will not give a user control over the data tied to their own account • The user does not own their personally identifiable information
Shadow Profiles continuedProof of Concept • Dan has an account with Facebook and has registered with dan@freemail.xy • Alice uploads her contact information to Facebook. In it there is an entry for Dan with phone numbers 408-555-1212, 408-555-3433, and email addresses dan@freemail.xy and dan@datingsite.xy • Bob uploads his contact information to Facebook. In it there is an entry for Dan with phone number 408-555-9999 and email addresses dan@freemail.xyand dan@danswork.xy • Eve pulls Dan's dan@freemail.xy email address off of his blog, adds it to a vcf file, and uploads it to Facebook. She then downloads her expanded dataset. The addressbook.html file would now contain an entry for Dan with phone numbers 408-555-1212, 408-555-3433, 408-555-9999 and email addresses dan@freemail.xy, dan@datingsite.xy, and dan@danswork.xy.
DYI Tool • Download Your Information Tool allows a user to download an archive of their information • Personal Information • Photos • Videos • Friends (present, past and pending) • Settings and Security • Ads • See example
Activity Log • Log of almost all activities since account creation • Wall posts • Comments • Tags • Friend events • Searches • See example
What can be done? • Deleting a profile takes approximately one month • Backups are kept for an additional 90 days • Shadow profiles? Not much • Pay attention to the “Data Use” policy and changes to it • Keep on top of privacy settings • Facebook itself can still see everything • Slowly corrupt your information
References • http://epic.org/privacy/facebook/ • http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565& • http://www.ftc.gov/opa/2011/11/privacysettlement.shtm • http://ftc.gov/os/caselist/0923184/111129facebookagree.pdf • http://www.ftc.gov/os/caselist/0923184/index.shtm • http://www.ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf • http://www.ftc.gov/os/caselist/0923184/111129facebookanal.pdf • http://packetstormsecurity.com/files/122110/Packet-Storm-Advisory-2013-0621-Facebook-Information-Disclosure.html • http://en.wikipedia.org/wiki/Criticism_of_Facebook • http://www.nytimes.com/2013/09/12/technology/personaltech/ftc-looking-into-facebook-privacy-policy.html?_r=1&