Facebook says user privacy is 'extremely important', but no

Facebook's response to criticism of their lookup-by-phone-number feature was empty corporate spin. So much for taking privacy seriously.
Written by Stilgherrian , Contributor

Who was it, exactly, that decided that we should start compiling vast repositories of personal and business data, publish much of it on the public internet, and protect what's left with shoddy security controls written in that rush between startup foundation and IPO? Because I have a complaint.

One of the latest examples of the potential risks is the discovery by Reza Moaiandin that you can plug a phone number into Facebook's API and get back that person's profile -- name, photographs, locations, and more.

As renown information security journal the Daily Mail reported: "Reza Moaiandin, technical director of Salt.agency, used a coding script to generate every possible number combination in the UK, US and Canada. He then sent millions of numbers to Facebook's app-building program (API) in bulk. In return, he received millions of unobstructed personal profiles."

Fiendishly powerful, these "coding scripts".

Now, this isn't a see-everything kind of hack. Looking up Facebook users by their phone number is a feature, not a bug, unless that user has said otherwise in their "Who can look me up?" privacy setting -- and even then you only get what the user has set to be public information. But seriously, what kind of human being understands the meaning of Facebook's myriad privacy settings, let alone how they might interact?

Facebook's response is the usual corporate spin: "The privacy of people who use Facebook is extremely important to us," it begins. Of course it does. Yet "Who can look me up?" isn't set to "no-one" by default.

"We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products," Facebook's statement continues.

Yet these industry-leading tools that failed to detect Moaiandin's "coding script" accessing millions of profiles in bulk. "Strict rules" mean nothing if they aren't effectively enforced.

Facebook has said that rate throttling is in place for this sort of API usage, but it wasn't up to the task of stopping Moaiandin's megatrawl.

I doubt that Facebook will fix this problem, however, and no-one should be surprised. The very idea of user privacy is in direct conflict with the company's business goal of monetising people's profiles and social graph. The same, broadly speaking, goes for that hacker's delight, the social-engineering motherlode called LinkedIn. The same goes for every other internet service whose business model is about monetising personal data.

The privacy risks of compiling massive publicly-accessible databases of personal information should be obvious to anyone who's actually thought about privacy. This warning should be as obvious as saying "Hey guys, maybe stop piling up all those cans of gasoline next to the open fireplace?" But no, we've built an entire industry on this risky practice.

As I wrote in 2012, the Facebook experiment has begun transforming society, and it'll be a generation before we discoiver how it turns out. But already, we've seen some hints of what might happen.

Take the example of a psychiatrist who organises patient appointments on their smartphone. If their address book gets uploaded to a social networking site, either legitimately or clandestinely, patient confidentially may well be breached. If Alice and Bob both see that psychiatrist, they might get a find-friends recommendation, "Hey Bob, you should meet Alice, you both know Dr Smith". Once the fact that someone is seeing a psychologist is out there, that can't be reversed.

Facebook may have already killed the undercover cop. By the time someone decides to become a police officer, so much evidence of their real identity is splattered across the internet that their cover story won't hold up. They'll end up splattered across a dark alleyway.

So I was "amused" to hear that the Australian Senate will soon pass legislation to establish a biometric data collection regime -- but that the opposition's amendment to add data breach notification requirements was rejected. I was even more "amused" to hear that the Privacy Impact Assessment was only released at the end of the second-reading debate, not earlier in the policy development process.

Admittedly, this isn't a publicly accessible database. But it seems that the Australian government, just like Facebook, thinks your privacy is "extremely important". And because this biometric data is about the fight against terrorism, your privacy is way down the priority list. As too, apparently, is thinking about it.

Editorial standards