Facebook wants to be your Internet ID Card

Summary: Mind you, even though Facebook wants to be your Internet driver's license, the service is still insecure and it's continuing to tear at your privacy.


God knows I understand that going from one Web site to another with one login and password scheme after the other is a real pain-in-the-rump. After the Gawker password fiasco it's become clearer than ever that using the same brain-dead simple login and password from one system to another is clearly dumb. But, the idea of using Facebook (Facebook!?) Connect as a universal Internet login and password system makes me want to gag.

You see, Facebook is insecure by design and privacy is given only a minimal amount of programming and lip-service. Sure, you can make your Facebook information safe, well safer, anyway, but who has the time to be constantly plugging Facebook's privacy holes? Especially since Facebook keeps opening up more and more of your personal information to vendors.

For example, Facebook quietly announced just before the recent three-day weekend that they were opening up a way for third-party Facebook apps developers to get to your snail-mail addresses and phone numbers. Isn't that nice of them? I know I want the likes of Zynga, makers of FarmVille, and all their partners, to have my home address and phone number.

Facebook has backed off a bit on this. While still insisting that "you need to explicitly choose to share this data before any application or website can access it, and you can not share your friends' address or mobile number with applications," Facebook also acknowledged, though, that they need to make "people more clearly aware of when they are granting access to this data. … [and] are making changes to help ensure you only share this information when you intend to do so. We'll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks."

Fine and dandy, but I still trust Facebook about as much as I do Goldman Sachs' fouled up Facebook IPO. Regardless of that, though, hundreds of millions trust Facebook enough to keep using it. What I'm more concerned about today is that more and more Web sites are using Facebook Connect for their login and password management.

I started noticing this myself in the last few weeks as I kept stumbling over more and more sites, such as the Internet Movie Database (IMDB) and ESPN, that would let me log in to them using Facebook. I was beginning to think about looking into this trend, when I found that others were already looking into it.

According to a Technology Review report, more and more Websites are essentially out-sourcing their identity systems to Facebook. The Websites get more than just an easy way to log you into their site though. Those sites also get access to some, or all, depending on your privacy settings and whatever security blunder Facebook is currently making, of your personal data. Does ESPN need to know who my friends are? I don't think so.

Worse still, besides Facebook's privacy problems, Facebook's login and password system still has two major security holes: its use of a single user name and password and an unencrypted tracking cookie. It's that last that enables Firesheep, the easy-to-use network eavesdropping program, to snoop on your Facebook sessions. And, oh yes, if you log in to a site using Facebook Connect, those Web sessions as well.
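The unencrypted-cookie weakness described above can be checked from the defender's side by auditing the Set-Cookie headers a site sends. This is an added example, not part of the original article; the header values and the name-based session heuristic are constructed assumptions.

```python
# Added example: flag session-like cookies that a browser would send over
# plain HTTP, where anyone on the same network can read them.
# All header values are constructed samples, not captured from a real site.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",
    "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "ui_lang=en; Path=/",
    "login_state=ghi789; Domain=.example.test; Secure",
]

# Assumption: cookies whose names contain these fragments carry login state.
SESSION_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie value into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header):
    """Return the cookie name, whether it looks like a session, and findings."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in cookie["attrs"]:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    session_like = any(h in cookie["name"].lower() for h in SESSION_HINTS)
    return {"name": cookie["name"], "session_like": session_like,
            "findings": findings}


def sniffable_session_cookies(headers):
    """Names of session-like cookies that lack the Secure attribute."""
    results = [audit_cookie(h) for h in headers]
    return [r["name"] for r in results
            if r["session_like"] and any("Secure" in f for f in r["findings"])]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_cookie(header))
    print("sniffable:", sniffable_session_cookies(SAMPLE_HEADERS))
```

The Secure attribute only helps when the whole session runs over HTTPS; a cookie marked Secure on a site that still serves pages over HTTP leaves the user logged out there rather than protected.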

So, what can you do? Well, for starters if you're going to use Facebook, lock it down using ZDNet's The Definitive Facebook Lockdown Guide and every time Facebook asks you for some new permission to share your data, just say no.

As for using Facebook to access other sites, are you crazy? It's bad enough that Facebook is such a security mess, but to trust it to be my universal Internet driver's license? No. Just no. This is a security disaster that's just waiting to happen and I have no intention of being caught in it.


  • How is FB's solution any better than OpenID?

    How many solutions do we need?: 1

    Ultimately we should embrace two-factor authentication with our cellphones. That to me works best.

    Dietrich T. Schmitz, ~ Your Linux Advocate
    • OpenID just hasn't taken off as much as I'd hoped

      @Dietrich T. Schmitz, Your Linux Advocate
      And that is really and truly a pity. Yes, I know, you will trot out stats that show it is used by some big sites and that is true, it is. However, of the dozens of websites that I've registered a username and password for, very, very, very few of those accept OpenID. That is what I mean when I say that it hasn't taken off as much as I'd hoped. I was hoping that non OpenID sites would be the exception, not the rule. :(
      • RE: Facebook wants to be your Internet ID Card


        Agreed, but I think an underlying problem is that there is nobody I would trust to look after all of my login details and passwords for free, simply because they need to cover their costs somehow. Even paying a fee isn't really ideal, because you still have all of your login data for all of your sites on a server somewhere else.

        I think the best option is just to save them in your browser under some mega-heavy encryption, with a back-up somewhere else. Unfortunately Chrome inexplicably doesn't even password protect your stored passwords.
      • RE: Facebook wants to be your Internet ID Card

        @OffsideInVancouver you should never let your browser handle or store passwords, it's the number one way users get their passwords stolen... if you can be assed to remember your strong passwords or at the very least create a notepad file with your passwords then zip it and password protect the zip file you deserve what you get.

        Password laziness is about the dumbest thing you can do on the internet. C'mon, you learned your 10 digit phone number and remember probably at least 15 other numbers, why can't we be educated into creating 8 character passwords or better yet 12 character passwords and then memorize them

        Pure laziness from a world wide McDonalds drive thru mentality of "wanting it now" feck that
    • This should have been 3 posts lower

      @KineticArtist - Firefox will password-protect your saved passwords if you select the "Set Master Password" option - they use good strong encryption, too. I consider that good enough security for most passwords, though maybe not for internet banking sites. Anyone who uses the Firefox Password Manager should select that option, and set a strong master password.
  • RE: Facebook wants to be your Internet ID Card

    No Facebook, No way, No how!!
  • RE: Facebook wants to be your Internet ID Card

    Really, I never put my correct info out there in Internet space!
    Too much going on to rely on Facebook (or anyone else) to protect me. They sure are not going to back me up over ID theft.
    • BINGO!

  • mmm...

    HELL NO!
    Tommy S.
  • RE: Facebook wants to be your Internet ID Card

    Too bad I'm not on Facebook!!! muahahahahahahaaha!
  • LOL

  • This is like hiring Jesse James to be a bank guard.

    I don't trust Facebook to protect my identity on its own site, much less anybody else's.
    terry flores
    • RE: Facebook wants to be your Internet ID Card

      My sentiments exactly. We really could use a secure, privacy-respecting site like Facebook though. But until then I'll avoid it like the plague because I don't trust what they're going to do one minute from the next.
  • Re: Facebook wants to be your Internet ID Card

    With Facebook's investment backer fearing action by the US government and investment dollars rolling in from Russia and China, why wouldn't we want Facebook to be our internet ID card? Makes sense to me. Excuse me while I disconnect my computers from the net...
  • Facebook wants to be ???

    Mark Z whatisname is just another Steve Case and Facebook is another AOL; just one big bag of nothing but hype. There is no substance to facebook, it is not a product, it is pure hype. Nothing but a house of cards and mirrors. S.
  • Ultimate in laziness

    If you can't be arsed to remember or at least set down your IDs and passwords in a text file that is protected locally and use very strong passwords then you get what you deserve by using Open ID or Facebook Connect. Using strong passwords and using a set of them, not just one for everything, may be a pain in the ass but remember this... How much of a pain in the ass will it be when you get hacked on one system and have to go thru everywhere you have a login and change/update your passwords?

    Seriously, letting someone "Do it for you" is so stupid it's beyond belief and the pinnacle of laziness, you deserve to get hacked and taken over.
    • RE: Facebook wants to be your Internet ID Card

      @KineticArtist I agree completely. I absolutely refuse to have Facebook on my computer.
      • RE: Facebook wants to be your Internet ID Card

        @bvonr@... not to mention FB has already shown they are LESS than shady - downright dark when it comes to users' information. If you give over your logins for FB and all your other social sites then my god they could literally POWN you

        login as you, screw with your settings, gather private data, and I'm sorry Mr Zuckerberg you ain't getting ANY of my info
    • RE: Facebook wants to be your Internet ID Card

      You know that you can set up your own OpenID server and not deal with passwords at all, right? wiki.openid.net/w/page/12995227/Run_your_own_identity_server - Cached
  • RE: Facebook wants to be your Internet ID Card

    I really wish I had a way to prevent the "facebook" integration from kicking in on every site... ("Your friends might want to know what you are reading." Well they might, but I sure as hell don't want to broadcast it to everyone.)

    One more reason to delete the facebook account and get back to real life...
    O & G IT Guy