Has the IT security model been broken by Web 2.0?

A legal case against Facebook which accuses the social network site of not keeping young users safe is the result of a dysfunctional IT security model dogging Web 2.0, according to privacy advocates and security analysts.
Written by Liam Tung, Contributing Writer

Following weeks of undercover work by New York state investigators, Facebook has been subpoenaed by New York State Attorney General Andrew Cuomo for failing to provide adequate safeguards from sexual predators for young people using the site.

Cuomo said that, contrary to Facebook's claims it is safe for young people, the site has not done enough to warn younger users of the dangers of online paedophiles.

While Facebook may be responsible for warning users of the potential privacy risks when using its network, David Vaile, executive director of UNSW's Cyberspace Law and Policy Centre, said it is symptomatic of a more widespread issue related to popular Web 2.0 technologies: a broken IT security model.

"One of the foundations of [the IT security model] is that users understand the choices they're being offered -- that is, whether the user-interface is clearly understandable, whether users have a good enough technical understanding and an awareness of the business model [of the service provider or vendor]," Vaile told ZDNet Australia.

He added that while user privacy is the broader issue at stake, the real problem is the business model employed by social networking sites, which are unfettered by security practices applicable to older software heavyweights like Microsoft.

"In the last couple of years, Microsoft has had a security makeover and now generally sets [security] defaults in a safe way, but you throw that away with social networking," he said.

"[Social networking sites] have encouraged users to accept non-essential tracking and data aggregation technologies, which is the price you pay for free services. The concern is that it's very hard -- without a detailed understanding of their global business model, business partners and IT security issues -- for ordinary people to make an informed assessment of the value of that trade-off," said Vaile.

Intelligent Business Research Services security analyst James Turner agreed that a conflicted business model is at the heart of the issue, but said users are willing to put themselves at risk for free technology.

"You have to look at the economic model driving the vendors -- are they getting money from protecting the end user or getting money from collecting information on them? There is an inherent conflict between those points. But people just want to get on and do their stuff. When you have products out there like Gmail, Google Web Accelerator and Picasa, for example, they're easy to use, generally pretty good, and free. Why wouldn't an end-user grab that sort of thing?"

However, social networking sites are not entirely to blame for making users vulnerable to exploitation. Social networking in general has tapped a basic human desire -- which people are willing to feed -- to elevate their social status by having as many friends as their peers, UNSW's Vaile said.

"IT security threats are often a combination of emerging technologies and social engineering built on a sophisticated understanding of what people want and they only work because they successfully exploit social or psychological needs.

"There's a concept that you can measure your esteem by the number of contacts you have, so there's a drive towards accepting to connect. So, [the logic is] 'I'd better get more friends than the next person'," he said.
