Schneier on Security
A blog covering security and security technology.
« Criminal Uses of Crowdsourcing |
| New Malware: Duqu »
October 18, 2011
Discovering What Facebook Knows About You
Things are getting interesting in Europe:
Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection. ...
The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).
EDITED TO ADD (11/14): The 22 complaints are here
Posted on October 18, 2011 at 6:34 AM
• 71 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
In the past few weeks, there seemed to be a a discrete ramping up of Facebook intrusions into just_about_every_freakin_website I visited. (Thankfully, not here!)
A few days ago, I became sufficiently annoyed and added www.facebook.com to my hosts file.
If you don't like Facebook's poor privacy policies, then don't use Facebook!! If you want to take the "risk" (if it can be called that as I am not sure what people are risking here besides more real event ads) then go and protect yourself by using adons like ShareMeNot (or dump the ads entirely with AdBlock).
Yes the Facebook model of linking what was normally semi-anonymous web browsing to a "real" identity is a new paradigm that has and will catch some people off guard, but just like all of the "cookie" wars of the past the market will adapt and browsers will enable users' to control their privacy more effectively. Until then either don't use the service or use the appropriate adons.
Site down...you did it again, Bruce!
People have the right to socialise in a place where the laws protecting their rights are respected - whether that's online or on the street.
No company should be allowed to pick whether they adhere to laws or not; especially one as pervasive as FB.
Follow the law or be fined... let's face it MS coughed up to the European court and FB would be foolish to think they're above the law/paying fines.
Which works fine up until one of your friends posts a picture of you and tags it with your name. Or just lists you as a friend and adds your email address.
Individual data security is all very well and good. But Facebook has pioneered cross-linking of individual data. Your friends' ability to be data-secure affects you, now...
I am conflicted as I understand the privacy issues, but it's the same thing I say with Google.
Services don't just exist in a vacuum. These things cost money. Now, you can say those who pay for ads are supplying that money, but don't you think that the cost of those ads will decrease drastically if facebook (or google) weren't giving the advantage of directing those ads (and by the way, its true in TV as well, your higher valued time slots/shows cost more for advertising -- see Super Bowl). The money has to come form somewhere. These servers don't support themselves. Could they make enough in "donations"? Don't know, but I highly doubt it. These would become pay services and their use for what people want (and they do want it) wouldn't be there. You take the good with the bad, and it's a matter of opinion.
If you are on the street, and someone walks buy you and sees you wearing a shirt for some music group, and they like them and approach you about it, are they invading your privacy?
If a friend of yours mentions to another friend that you do xyz work, and provides them with a contact address are they violating your privacy? What if that person distributes your name?
Look, I get it's about distribution capabilities and what can be done about from a technological perspective. I get that there are privacy laws and such. But facebook has settings to notify you of being tagged as well as settings for tag review. I also get the annoyances behind how these changes go.
If you don't like Facebook's poor privacy policies, then don't use Facebook!!
This used to be enough, but...
Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
It's still good advice, in the sense that you shouldn't support a company whose policies you disagree with; unfortunately it's not good enough for those of us who don't want to be cataloged online for all eternity.
This is definitely going to be interesting to watch.
Clearly Max is a person who deserves to go far. I hope he gets enough funding to continue. It's is unfortunate that a individual has to take up this fight but I guess that in the nature of the European Data Protection Law.
"don't you think that the cost of those ads will decrease drastically if facebook (or google) weren't giving the advantage of directing those ads[?]"
If TB's business model is only profitable by breaking the law (EU privacy law, in this case), then they need to change their business model or face the consquences.
Just because an organization CAN make a profit by violating laws, doesn't mean that they SHOULD. Cf. Organized crime.
"If you are on the street, and someone walks buy you and sees you wearing a shirt for some music group, and they like them and approach you about it, are they invading your privacy?"
Bad analogy. In this case, FB is standing on the corner watching you, sees someone else wearing a similar shirt, and tells the other guy that you have something in common and tells him to go talk to you. Then sells the information about the transaction to all the stores in the neighborhood, so that every time you walk down that street, all the store owners rush out and try to sell you more t-shirts.
"If a friend of yours mentions to another friend that you do xyz work, and provides them with a contact address are they violating your privacy? What if that person distributes your name?"
Yes, that's a violation of my privacy. Friends know that they have my information FOR THEIR PRIVATE USE ONLY. If they want to give my contact info to someone, they better ask me first, otherwise they're going to get an a$$kicking next time I see them.
Maybe we should open accounts take thousands of random pictures from the web and tag them with random emails.
Oh, I really like that idea...
@AppSec, regarding: "If you are on the street, and someone walks buy you and sees you wearing a shirt for some music group, and they like them and approach you about it, are they invading your privacy?"
What's happening is more like this: A company plants devices to scan everybody on the street, does facial recognition on them and the T-shirts they wear, correlates this with the friends they hang out with, maps their routes and routines, correlates this with online data and emails, and sells this to anyone with money. They also let law enforcement and intelligence agencies get that data. They then approach the band, offer to sell them a list of their fans and contact information for direct marketing. So yes, FB absolutely is invading my privacy, whether I'm an FB user or not.
While there is the argument of "If you don't like it, don't use Facebook", there is the other side that Facebook does its very best to make users unaware of just how much information they keep on them.
When Google was accused of keeping too much information on people, they made Dashboard, which gives you a complete list of all the info Google knows about you, and lets you selectively delete information. Facebook should do the same. It would answer to all the privacy complaints, be a good PR move, and most people would never use it.
Sometimes it takes doing things "illegally" to make them legal. I am not judging it. By the sheer volume of people that continue to use Facebook and the sheer number of articles which continue bash FB's privacy policies, I'm venturing a guess that most people are finding the benefits outweighing the costs. Just like with sports teams that go on strike which annoys fans -- the only way to make a statement is to leave.
Again, this happens in public all the time. Hence the comment of distribution capabilities. Someone can follow you to your house, into stores, listen to half of your cell phone conversations, etc. There's plenty of ways to mimic this behavior in public. The difference is distribution capabilities.
A little extreme? It's not like those ads are taking over your steam any more than a build board down a highway. Heck, I'd venture to say FB are less intrusive than Google. It's certainly less intrusive than TV/Radio ads (ignoring the DVR for right now, ok).
Services have to get paid for somehow. They just don't exist in a vacuum. That's my point. Donations, taxes, ads, sales, whatever.
Max doesn't like it, he's going about his approach to get things changed. I don't disagree with it. I don't disagree with FB approach.. They are two sides of the same coin. Both can be right for certain types of people.
Hmm. I especially like the one about "personal data which is impossible to furnish or which can only be furnished after disproportionate effort". Impossible to furnish? Why would Facebook record data which it is then "impossible to furnish"? The some goes for "disproportionate effort". disproportionate to what? Usually this means that the effort necessary to retrieve data is (much) greater than its value. Again, why would Facebook record data, the retrieval of which costs far more that it's worth? Worth to whom, by the way? Clearly, providing personal data to its users will costs Facebook more than it's worth. But this goes for all data, so why make the difference? IMHO both arguments sound like logical fallacies.
I notices the problem of Facebook invasion a long time ago when I started seeing other websites greet me by name and asking me if I wanted to log in with my Facebook account. I'm no privacy freak but I don't feel that the links between Facebook and other sites I frequent are healthy.
Although by no means am I happy about facebook's tracking and sale of your web browsing habits data, I do think one should take it upon themself to protect their data.
I have a separate browser dedicated to Facebook. That browser is also set up to delete cookies when it is closed. Effectively, Facebook is limited to its own little sandbox, so to speak.
It's unfortunate fore FB that they chose Ireland to base their European Business as it has some interesting legal quirks that will byte FB hard.
But legaly this is just the start as Max can go on to make representations directly to Europe.
And there is some other non data legislation under the Human rights act that FB are almost certainly not abiding by. Then the last time I was shown (I'm not nor ever will be a FB user) they certainly did not apear to be abiding by the Eurapean laws on disability discrimination...
But I suspect a little digging will show that FB has taken European User data outside of the EU and have not abided by the "Safe Harbour" agrements. Unfortunatly nearly every US company assumes that the user data belongs to them to do with as they wish, not as is required by the EU.
Oh and I'm not sure about Irish Law but in some EU countries not meeting the 40day time limit is not excusable and will result not in civil actionbut criminal prosecution.
Oh and for the fun of it I suspect they may fall foul of some other legislation to do with "stalking" and "harassment".
I guess it all depends on how far Max and others are prepared to push it, but potentially it might force the likes of FB and Google to effectivly pull out of Europe, untill they can bribe legislators etc to change the rules of "engagment".
The problem with the "don't like it don't use it" argument is that Facebook is becoming as insidious as Google. Both provide a large number of services tied together with a single sign on. People are unwittingly giving them data. Not just users but also through the Like / +1 buttons that are sprouting up everywhere.
And even if you do use Facebook, the profiles and settings change frequently, consent is frequently assumed by default and must be opted out of, the default settings are left wide open and it has been made deliberately hard to find and modify them.
I believe that Facebook must employ people not to make parts of their service more usable but to make them more intimidating and difficult to use - burying links in non obvious parts of the screen, scattering related actions across separate pages, putting ominous sounding messages up, increasing the number of clicks and other tactics to put people off changing them.
Furthermore, I believe Mr Schrems has amply demonstrated that such tactics, do run afoul of EU data protection laws. As such, even if it is a "don't like it don't use it" service, that doesn't mean they can ride roughshod over the law. They should be compelled to change their service to come into compliance with the law or face fines.
Funny how long it took the news to reach the U.S. ^^
Re: "If a friend of yours mentions to another friend that you do xyz work, and provides them with a contact address are they violating your privacy? "
Yes, they are. The correct way to handle this situation is to for your friend to get his friends information and permission to give it to you. Then you have the option to make contact or not.
Likewise, if someone puts information on Facebook, it is so that people they give permission to can use it. Regardless of what the TOS says, there is no real permission given for Facebook to use that information in any other way. Facebook takes advantage of their position as intermediary to siphon off that information to make a profit. Most of the users are willing to overlook this because they find the service useful. However, every once in a while (about every 3 months it seems) Facebook goes over the line and gets some pushback.
The fact that it might be "legal" and even "agreed to" doesn't mean that it isn't a violation of privacy. It just means that they get away with it.
After I discovered Europe vs Facebook more than a month ago, I followed their 'manual' for requesting 'my' data, which fb had collected over the years. Now fb send me a zip-archive with all my posts/messages/etc... but without any traffic data, which would certainly much more interesting.
I guess I have to write Facebook Ireland and the irish authorities again, asking friendly also for any traffic data.
I suppose that any data usable for network diagrams are Facebooks real gold mine, i.e. graphs of relationships weighted by the number of visits, written messages and similar.
>It's unfortunate fore FB that they chose Ireland to base their European Business
They chose Ireland because you pay the least tax and since Ireland desperately needs any tax money it can get I suspect the Irish government will be very accommodating to any changes to the law needed to ensure people like FB continue doing business in Ireland.
"I have a separate browser dedicated to Facebook. That browser is also set up to delete cookies when it is closed. Effectively, Facebook is limited to its own little sandbox, so to speak. "
Great, Ben. That works for you. And probably would for me, too. If I found the time to organize it, among all the other thousand small things I should setup.
The main problem remains for a large community of users. Users that we here tend to forget about. The 'Lambda user'. This person doesn't know what a browser is. Honestly. I know a whole lot of them personally. I'm sure you do, too. Some of them doesn't know what an application is. (!!!)
This 'Lambda user' turns on his "Internet" (the computer) and waits for the Google page to show up on the screen. Then enters some keyword and off it goes. Given a complete URL, somehow, the person in question will put it in Googles search bar to find it.
We may think what we want about this user, but s/he is not alone in this behavior. IT freaks are in minority.
Let's remember that many 'Lambda users' don't want to be tracked, but are totally unable to understand even the most basic approaches to remedy the situation. (They have many other qualities, but IT is not one of them.)
Personally, I think that 'Lambda users' should be protected to the same grade as the 'Lambda car driver' who doesn't know how to brake in an urgency or how to negotiate a turn in rain.
The arguments "If you don''t like it, don't use it", "The users accepted the TOS" and "Nothing is free, so we should be happy for getting such an infrastructure just for some information" are invalid if you operate in an area where your services don't satisfy the laws and regulations.
Yes, in some cases a big amount of people is necessary to legalize something but in most cases that premise is not sufficient. Furthermore the view on benefits is relative. Europeans usually care far more about their human and (data) privacy rights thus the opposition to such entrepreneurial behavior is stronger.
In addition such a service as Facebook provides can be operate profitably without the use of any not anonymous or violating any data privacy laws. It is just the greedy/purely capitalistic way of entrepreneurship.
An alternative project could be created but it is highly difficult to counter such a huge infrastructure and attract at a tenth of Facebook users to change the platform which is the main issue for social networks.
That's a good start but more is required. View the html source of any page you know has Facebook tracking. The main tracking site (AFAIK) is connect.facebook.net. But what if 2 weeks from now they begin using js.facebook.net? Or js.facebook.com?
Solution: run your own resolver on 127.0.0.1, which is a good idea anyway, and make the following domains wholly return NXDOMAIN
You can do the same for spammy domains as well such as co.cc etc.
Result: more robust privacy.
Maybe we should start calling Facebook an Irish company.
"Likewise, if someone puts information on Facebook, it is so that people they give permission to can use it. Regardless of what the TOS says, there is no real permission given for Facebook to use that information in any other way. Facebook takes advantage of their position as intermediary to siphon off that information to make a profit."
You are correct, thank you for this point because we discussed FB in a uni module recently and what you are saying seems to escape most peoples attention.
In fact Suckerberg made a claim some time ago that:
"When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work"
So in other words he was saying that when you share some information with another person, that information becomes the recipients property. But as you are saying FB users are not sharing their information with FB as FB is just an intermediary.
Schonfeld, E. (2009) 'Zuckerberg On Who Owns User Data On Facebook: It's Complicated' [Online] Available at:
The fundamental problem with the FB business model is that it represents a gigantic bait and switch. User are offered services for "free" and which turn out not to be free. This is true of Google as well. We call them "privacy policies" but in fact they are more "profit limitation" policies as far as FB is concerned.
In theory, I agree with the market arguments that no one forces you to use FB etc. But the argument fails on the same point that so many other market arguments fail: users don't have access to full information so they are negotiating in the market place from a place of weakness. The law in that sense is just an attempt to even the playing field a little bit.
What did the more than 1000 pages of data consist of? What were his 22 specific complaints regarding missing data? Anyone happen to run across this info?
This is why I don't use Facebook.
"personal data which is impossible to furnish or which can only be furnished after disproportionate effort"
Untagged photographs on other people's pages which include you.
Information about you on other people's pages.
Test data or network packets logged at some low level which may contain pages about you.
Scarier, is that you don't even need to have a Facebook account for them to have a dossier on you.
All it takes is countless "friends" uploading their contact list to try to maximize friendship.
Let's all upload a contact list of many lawmakers into Facebook. Then, even if they don't login, Facebook still thinks that what we do is a reflection of our "friends".
@Mabbo: "When Google was accused of keeping too much information on people, they made Dashboard, which gives you a complete list of all the info Google knows about you, and lets you selectively delete information."
Now, Google will keep a list of people who don't like being on lists, and have asked to be taken off. I wonder who Google might sell *that* list of names to.
Sigh. I know. Just a fantasy.
"When Google was accused of keeping too much information on people, they made Dashboard, which gives you a complete list of all the info Google knows about you, and lets you selectively delete information."
hmm yea...but then how will the user actually know for sure...
A. whether the user interface actually displays ALL information Google has "accrued" about the person. For example it could display all "information containing objects" (such as search queries or emails) but not necessarily any info calculated from these.
B. whether the information that is displayed actually is deleted from the background DB or if it is just somehow tagged as "do no longer display to user"?
I would be quite sure for example that the info that the user selects to delete will not disappear from any DB backups that Google has for the data. Nor would it disappear from any data collections that Big G may have given to eg authorities.
Wonder if the U.S. "Fusion Centers" have a more direct access to these large companies data collections?
Google Dashboard shows no more of what Google knows about you than Facebook does when you login at facebook.com.
They're not going to tell you anon clicked x from y site and searched for z and has accounts at a,b,c. To get more than 1000 pages from FB they must be providing something closer to this level of granularity.
"Let's all upload a contact list of many lawmakers into Facebook. Then, even if they don't login, Facebook still thinks that what we do is a reflection of our "friends"."
If that was the case...
then it should be possible to blackmail people as follows:
1. make a fake account using some womans name, together with a sultry photo
2. include some account (eg yahoo) where contact list has email addresses to some lawmakers.
3. add a few postings of flirtacious/sexual/etc nature...
4. eventually anonymously tip some tabloid journalist
@NobodySpecial: Facebook is in Ireland because of the tax rate. And because it's where some transatlantic cables come ashore, and can have very nice ping times to the US. And because it's got essentially the ideal climate for data centres. And because it's English speaking. And because Ireland has a fairly flourishing tech industry (Havok and Daemonware being two indigenous Irish games-middleware companies, f'r instance).
The tax rate alone doesn't net Blizzard, Popcap, Activision, Microsoft, IBM, and Intel, off the top of my head.
"I believe that Facebook must employ people not to make parts of their service more usable but to make them more intimidating and difficult to use - burying links in non obvious parts of the screen, scattering related actions across separate pages, putting ominous sounding messages up, increasing the number of clicks and other tactics to put people off changing them."
Since some of FBs funding came/comes from the CIA is this a surprise?
@anonemouse - Google avoids £100m/year in UK tax by being in Ireland although 90% of it's revenue and it's R+D centre is in the UK.
Microsoft saves $500m/year on tax in the EU by being headquartered in Ireland.
HP and Dell somehow manage to make a loss in every EU country - except Ireland!
Ireland receives (or did before the crash) more than half it's corporate tax income from US companies whose EU HQ is in Ireland to avoid higher tax.
@Mike B "Yes the Facebook model of linking what was normally semi-anonymous web browsing to a "real" identity is a new paradigm that has and will catch some people off guard [...] Until then either don't use the service or use the appropriate adons.
While I've never established a facebook account, or intentionally attempted to access any facebook services, I notice that both news accounts and system logs suggest that this is insufficient to avoid their information-gathering practices. This could arguably fall under the same category as the types of concealed camera photography that's becoming illegal, or older 'peeping tom' laws (failing to completely shutter a window doesn't excuse someone peering through the cracks).
On the other hand, while it is understandable that gathering and publishing information about registered users that some of these registered users might find objectionable would result in a public outcry, it sounds a bit foolish for people to simultaneously use the service and demand it cease it's core business model.
I resisted Facebook for years, but my children wanted me to 'get with it'. Then, someone uploaded a picture that was actually an app and I can't get rid of it. It is the only 'picture' in my Photos, I didn't even put it there, and I can't get rid of it.
I tried to follow the inx in the Help files, but the thing I am supposed to click on is NOT VISIBLE where they say it is ...
Every time I log into it, all the rules and settings have changed, and they have not honored my previous settings.
What's worse, some of my trade associations host special events ONLY through FB and, in order to participate, I HAVE to have a FB account. Just found this out 2 weeks ago and now my plan just to delete the account is a no go.
I think I don't like this particular part of the 'brave new world'. I saw a cartoon about Facebook ... the bottom line reads, "If you're not paying for it, you're not the customer. You're the product being sold."
In 10 years we will all be forced to pay our monthly subscription to "Reputation Guard" or some such ... geez louise ...
@nobodyspecial: what you're describing is is the double Irish, also know as a Dutch sandwich because it involves forwarding some of that income through a holding company in the Netherlands or one of their territories. Part of the global race to the bottom that is used to dodge regulations and avoid paying taxes where you are actually doing business. The only thing I can think would help is to collect and require taxes based on where the actual assets are located and revenue is collected.
I do hope such a race to the bottom is not possible with regards to privacy laws. I would hate to see fb and google move all their data to an elbonia like nation who doesn't regulate data collection.
From the 1983 motion picture "WarGames":
[after playing out all possible outcomes for Global Thermonuclear War]
Joshua: Greetings, Professor Falken.
Stephen Falken: Hello, Joshua.
Joshua: A strange game. The only winning move is not to play. How about a nice game of chess?
However much I applaud Max Schrems' initiative, I would advise him to use caution when taking on companies like Facebook. He can rest assured that some basement team over there will be digging up every piece of dirt they can find on him and his family and in collaboration with their legal team will do everything they can to destroy their lifes and reputations. Just look at how Sony went after George Hotz and how he now works for ... Facebook. In my experience, being a lone gunman working in the open is a recipe for disaster unless at some point you're being backed up by either a well-established organisation or some dedicated underground movement supporting the exact same cause.
That said, I am pretty curious how this story will unfold, but even in a best case scenario I still have zero reason to be on a social network the CEO of which calls his own users idiots and who has publicly declared that for as far as he is concerned "privacy is over".
That creepy app Zuckerberg wrote at university so he and his creepy nerd friends could rate and stalk the "hot chicks" on campus has certainly come far...
@nobodyspecial: They chose Ireland because you pay the least tax and since Ireland desperately needs any tax money it can get I suspect the Irish government will be very accommodating to any changes to the law needed to ensure people like FB continue doing business in Ireland.
They might find it difficult to get Ireland to change this law because this is just the Irish implementation of a European directive that covers the whole of the EU. It is not within the power of the Irish government to opt out, at least while they remain a member state of the EU.
This sounds like he printed off the information from
museum of me
@Ian: They might not be able to get Irish privacy law to change due to EU directives, but I do wonder if there are any loopholes that will allow them to send it somewhere without strong privacy laws. Such as a third world nation who would love to have a datacenter open up. As you can see, the US, Europe, and probably most other nations/blocs don't regulate the flow of money across borders very well, otherwise you wouldn't see the "double Irish" tax game. (otherwise, all revenue generated from people in country A would always be taxed against the corporation in country A, instead of country B.) Does European privacy law have any loopholes that would allow the data to flow across borders without regulation?
@Gabriel: The reason that they have an Irish subsidiary is to meet the regulations for holding personal data. In this scenario the USA is "a third world nation". I work for a (UK) company that was bought out by a USA corporation. There are very strict rules about what that corporation can do with my personnel record and how that data must be protected. In essence it must be protected and used in accordance with the EU data protection directive.
There is a lot of bad press about the EU interfering in our lives and over regulation, but the data protection and product safety directives are two that are immensely beneficial to all citizens.
Thanks for posting this story. It reminded me of a similar story on Gizmodo. If you'd like to read it, I blogged about these two stories and their possible consequences here:
It will be interesting to see if Facebook is forced to change its behavior. I'm not holding my breath, but even Microsoft lost a few fights eventually.
"""An alternative project could be created"""
There is already an alternative project being created. Does nobody know about Diaspora* ? It's open source and distributed, with no central company collecting all your private data. And it is, btw, an example that these services aren't as expensive as AppSec suggests.
If you have privacy issues with Facebook, spread the word about Diaspora!
@Ian - however there is a lot of leeway between signing up for an Eu directive and actually bothering to prosecute anyone under it!
Just like the tax scams I expect a race to the bottom among countries to produce the most 'business friendly' privacy environment while not quite getting kicked out of the Eu.
Perhaps FB and the German government should join forces in collecting user info...just using a plain trojan is so last year...
Sorry I forgot FB is probably already in bed with the US government.
"The German government Trojan is already there."
What ya mean "there"? On Facebook? Do they have a lot of fans?
I think it is getting messy to connect the right crooks to their own crime.
B. Trojan horses
C. Web activity tracking
D. Vehicle tracking through hidden transmitter
E. All of the above
...that needs to be connected to correct perpetrator(s) below (this can be put on those childrens placemats in family restaurants):
1. German government
2. U.S. government
4. U.K. crooks
5. All of the above
As pointed out by several commenters, tax evasion is the one and only reason American companies have their EU headquarters in Ireland. But it can also be a mixed blessing in the sense that in some cases it becomes a business inhibitor.
The last US company I worked for technically sold its services out of Ireland. This led to a completely ridiculous situation wherein Belgian customers dealing with a Belgian based subsidiary of a US company got presented contracts from an Irish entity, drafted according to UK legislation and with courts ruling any and all disputes located in Nanterre, France. Management, as usual completely unable to grasp the flaw, at some point killed the entire services division as the model was not working as expected.
Although the EU has some strong privacy regulations like the well-known Data Protection Directive, there is a huge gap between the rules and the implementation thereof. In my experience, companies that don't have a serious business case in the form of some mandatory legal compliance really don't care too much until slapped on the wrist. In addition to that, I have noticed quite some confusion caused by differences in American and European legislation. If my understanding is correct, certain provisions in the Patriot Act today allow US government access to data of American companies even if these are located outside the US. And when push comes to shove, it wouldn't be the first time the US for all practical purposes coerces the EU to do its bidding, as shown in the Swift data transfers and passenger name records a while ago.
Regrettably, I have privacy issues with Diaspora, too.
As it currently stood last time I looked at it, it would be ridiculously easy to make a malicious pod that collected keys and therefore identity data.
-----BEGIN PGP SIGNED MESSAGE-----
Diaspora is a joke. The thing is being designed, analyzed and implemented primarily by amateurs. A truly safe social network must be designed by people with expertise in cryptography, protocol analysis, secure software design, and low-defect implementation. Throw some testing and UI people in there to boot. I like that there's people trying on this, but I wouldn't trust anything that project produces. The independent reviews we've gotten so far confirmed my suspicions.
As for secure/private social networking, I don't know if there's really a way to do it that would take off. Non-paid internet services depend mainly on ad revenue. An advantage of current social networking sites is that analysis allows targeted advertising & brings in lots of revenue. Take that away & you get very little revenue in comparison. This is a problem if you are running a secure web service with tons of cryptography in it, which takes MUCH more resources to achieve performance of something like FB.
I just don't currently see a way to do it in light of the business model. I also haven't been thinking hard about it either, so maybe there is a non-intuitive solution that evades me. Thoughts?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
"""Diaspora is a joke. The thing is being designed, analyzed and implemented primarily by amateurs. A truly safe social network must be designed by people with expertise in cryptography, protocol analysis, secure software design, and low-defect implementation."""
Windows was a joke and has evolved into something acceptable secure. The whole internet was a joke security-wise and is still being patched with TLS, DNS-sec and the like. Give them a little time to get there. We would all like secure design from the start, but the IT-Industry at large is not on our side (yet).
"""This is a problem if you are running a secure web service with tons of cryptography in it, which takes MUCH more resources to achieve performance of something like FB."""
I don't see why Diaspora needs much more resources than, say, IMAP over TLS. And you get that for free from nearly every ISP.
@ Nick P
The only viable business model I see is a FOS one supported by one or more behemoths who are making their actual money with other activities. I remember back in the days Sun Microsystems being a huge supporter of the SETI-project, contributing not only CPU cycles but hardware and competence just as well. I don't think they ever saw a dime in terms of RoI. Pretty much the same thing as the average struggling musician selling his *ss to any band/project he can make a buck off in order to continue his own rock band only few people are interested in.
@ Dirk Praet
I agree. I think it would come down to the "selfless acts of security" Bell described in his Looking Back paper. Having real security in critical services is going to cost too much to build & maintain. It won't be marketable at a rate that produces a return. Hence, certain individuals or organizations would have to do it at a loss for the greater good. (Might be able to get companies to do it for "image management" purposes.)
@Nick P: Come on: algorithms and schemes are design to prevent having to depend on experts for that. My car repairer does not need to know what my tyres are made of, neither do I. Sorry but your criticism of diaspora for being developed by amateurs amounts to nothing.
This is what engineering is about: enabling other people to do complicated things without knowing how they work.
OTOH: my car repairer may perfectly be a fool, but it has nothing to do with the problem by itself.
@ Pedro Fortuny
-----BEGIN PGP SIGNED MESSAGE-----
"Come on: algorithms and schemes are design to prevent having to depend on experts for that."
Really? There's an existing, expert-designed cryptosystem for a functional, secure social network? It must have slipped by me. Otherwise, they have to create the requirements, protocol, design (includes OS-related issues), and implementation (includes OS- & processor-related implementation issues). They must also do the correct reviews, static analysis, and testing. Any failures in the first set of things results in a security or functionality failure. The second set helps prevent that. As in, failures in that set increase the risk of a failure to deliver on things in the first set. Guess how much expertise "amateurs" have in most of these categories? Near zero.
"My car repairer does not need to know what my tyres are made of, neither do I. "
It's a poor comparison. You're car repair guy must know: how to spot problems; the limits/capabilities of parts & repair techniques; how to properly perform the repair techniques & modify the parts in the system. A person developing a secure system must understand exactly how the components work (including underlying OS), how to control the flow of sensitive information in OS/tools not designed for that, proper crypto, and more. If these people are producing a secure system, esp cryptographically secure, then they need to know that.
That they've already had basic vulnerabilities shows they don't even know secure coding principles, which is actually the easy (least specialized) part. So, their lack of security engineering skill and experience is very important to a project doing security engineering. Unlike your car mechanic & the chemistry/manufacture of tires. Yeah, he doesn't need to know that useless information.
"This is what engineering is about: enabling other people to do complicated things without knowing how they work."
No, that's what user interface design is about. Systems engineering is about applying engineering knowledge & techniques to transform a set of inputs (e.g. components, legacy software) into a desired output system. Secure systems engineering adds assurance of enforcing a security policy to that. It's pretty hard. A lot harder than the toy problems in college assignments.
A damning expert review of a Diaspora Release
Excerpt: "if you’re looking for Rails security advice, I recommend the official guide and the OWASP list of web application vulnerabilities, which would have helped catch all of these. Web application security is a very deep topic, and often involves unforeseen circumstances caused by the interaction of complicated parts which are not totally under the developers’ control. That said, nobody should be making errors like these. It hurts us as developers, it hurts our ecosystem, and it endangers our users in spite of the trust they have put in us."
Obviously, they were using a platform that's not suited for truly secure applications, but didn't even bother to follow the basic security practices in that platform's well-written security guide. Yeah, definitely can't trust these guys' work.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
"I don't see why Diaspora needs much more resources than, say, IMAP over TLS. And you get that for free from nearly every ISP."
It's a fair point. It depends on if it's centralized or decentralized. If it's centralized & everyone trusts the Diaspora organization, then they can do a lot of this stuff on their servers. If it's decentralized, then it requires a ton of crypto at the level of individual items that are posted. How can you share a status with an entire group & revoke access to certain members without doing status-specific encryptions? (Not typical TLS.) How could you selectively share or revoke access to any specific item of information without a non-standard application of crypto?
"Windows was a joke and has evolved into something acceptable secure. The whole internet was a joke security-wise and is still being patched with TLS, DNS-sec and the like. Give them a little time to get there. We would all like secure design from the start, but the IT-Industry at large is not on our side (yet)."
Windows isn't a web application, so it's apples to oranges. OS's have real information flow control capabilities & can do many things web apps can't. The Internet is a bit more appropriate. The Internet's security is still a joke, after all this time. Neither of these two were initially designed with a security focus, though. All I'm saying is that a project starting with a security focus & without all the market pressure, etc. should at least be applying known security engineering principles. Ideally, they would be doing high assurance design & then an implementation with good tradeoffs.
Instead, they are using Ruby on Rails, throwing things together AFAIK & not even following basic Rails security advice that's literally all over the Internet. That's disheartening for a guy who was looking forward to something better.
Facebook Ireland is under fire for allegedly creating "shadow profiles" on both users and nonusers alike.
The startling charges against the social-networking giant come from the Irish Data Protection Commissioner (IDC), which, Fox News reports today, is launching a "comprehensive" investigation against Facebook Ireland for extracting data from current users--without their consent or knowledge--and building "extensive profiles" on people who haven't even signed on for the service.
Names, phone numbers, e-mail addresses, work information, and perhaps even more sensitive information such as sexual orientation, political affiliations, and religious beliefs are being collected and could possibly be misused, Irish authorities claim.
Interestingly, Facebook users living outside of the United States or Canada are contracted with Facebook Ireland. Facebook users living inside the United States and Canada are contracted with Facebook Inc., headquartered in California. Running afoul of privacy laws is much more likely for companies operating outside of the United States, especially in Europe, where privacy laws are much more stringent.
We often see discussion on this blog about the false choice of security vs. privacy. I think this video highlights a case where there is a legitimate security-privacy tradeoff.
Max feels astonished at a perceived privacy violation intrinsic in setting a flag "deleted: true", rather than deleting his data. This was a security choice by Facebook and it's generally-accepted common wisdom in web development: never create a service which you cannot in principle undo. The "create" service is okay, but the "alter" or "delete" services are potentially insecure in a way that the "new version" and "hide" services are not.
It's a measure of empowering audit-based security, if you like. Indeed, many flagrant security violations in real applications occur in audit logs. So I think it might be interesting if some day you could provide us with an essay analyzing the security-privacy tradeoff inherent to audit trails. :D
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.