Beware social network removal services

Web services that help users deactivate accounts from social networking sites have emerged, but security expert questions usefulness and warns of dangers.

Web services that help users sever their social networking site ties have appeared on the Internet. While social networks have reacted by cutting off their access, a security vendor warns that there are also dangers in using such unplugging services.

To date, there's Web 2.0 Suicide Machine, which promotes "Web 2.0 suicide" and lets users "sign out forever" by deleting their online profiles from sites such as Facebook, MySpace, LinkedIn and Twitter. Then there's Seppukoo, which "deactivates one's Facebook account".

Both services require users to enter their login details. Web 2.0 Suicide Machine changes the user's password to ensure he cannot log back on again, while Seppukoo, which is currently on hiatus, allows users to reactivate their accounts.

This prompted Facebook to block both services and, as reported by Network World, threaten legal action.

According to security expert William Tam, users should better understand what they are getting into before employing such removal services. In an e-mail interview with ZDNet Asia, the technical manager for the Asia-Pacific and Middle East at Websense warned that users will not only be unable to access their accounts after their password is changed, they also cannot verify how complete the clean-up really is.

"It is really a one-way trip," he said. "On top of that, remember that many users do use the same password for all online properties--Web mail, social networking sites, photo album, you name it.

"Surrendering one password for one social networking service may put you in a bigger risk than you intended."

A Facebook spokesperson told ZDNet Asia that its policies prohibit the collection of login credentials by such removal services which "do not respect the decisions users make about how to share their data". "Users rely on us to protect their data and enforce the privacy decisions they make on Facebook. We take this trust seriously and work aggressively to protect it," he said.

The spokesperson said in an e-mail response that the two Web services not only are able to access the data of users who provide their login details, they can also see information belonging to the users' friends, even those who may have restricted privacy settings in place.

The Facebook spokesperson pointed out that the network already offers users the option of deactivating or deleting their accounts. "When you deactivate your account, no one can see your profile, but your information is saved in case you decide to reactivate later," he explained, adding that some users leave Facebook only temporarily and expect their information and content to be there for them when they reactivate their account.

For users who never want to use Facebook again, the spokesperson said they can delete their accounts at a page on the Facebook Help Center. "When you delete your account, it’s permanently deleted and the account can't be reactivated," he said.

Websense's Tam said users should be careful about signing up for any online service and also about what they share on the Internet. "Cybercriminals and people with malicious intent can easily collect enough information from the Internet and correlate them to build a very targeted attack," he said, adding that the success rate of such attacks will be much higher than an average mass attack.

A check of Seppukoo's Privacy page revealed that the service does not store passwords on its server. Web 2.0 Suicide Machine's Frequently Asked Questions page noted the same, advising users nervous about giving over passwords to change these to something irrelevant before submitting for "virtual suicide".

As of today, Web 2.0 Suicide Machine noted that 1,298 users have used its service. No figures were given by Seppukoo.