What "they" say..

The headline news for much of a cloudy day a few or so ago was that a list of names of people on Facebook had been published. This was billed has a massive “leak” and a display of Facebook’s “privacy problems” yet this actually showed an impressive miss-understanding and drastic over-reporting of a news snippet.

The truth...

Facebook is a directory of people – same as the BT Phone book. Except, you have to Opt-in to Facebook (by actively signing up). By default you are added to the Phone book when you have a phone line and then you have to ask for yourself to be removed. Facebook only displays your name and maybe your profile image (depending on your settings). The phone book displays your home number, the area you live (area code) and your full name. So which provides more information?

The real worry...

There are two real worries associated with Facebook and the data it contains. Firstly is the reason this list of names was compiled in the first place; hacking into other sites. When you have to create a username online you normally use your name or some part of it. If you are trying to gain access to your username then you need to guess usernames. If you have a massive list of peoples real names (100 million+) then you are able to generate a list of possible common usernames. So now all you need to guess is passwords – you are half way through to hacking into someone’s account. So this threat isn’t from Facebook, it is purely the availability of such a large source of real data which can be used to increase how successful a hacking campaign is.

The second concern is the information people freely allow to share without thinking about its consequences. Banks, credit card companies, government agencies use information such as place of birth, date of birth and mother’s maiden name to make sure they are talking to the correct person – it is meant to be information everyone has but only that person is likely to know. Facebook allows you to add all of this information to your profile. While most of it is locked down, permissions on each account can be completely customised. In some instances a friend of one of your friends can see all of your information on Facebook. So someone you don’t know can get your mother’s maiden name, your DOB and place of birth along with current address etc. Even if you don’t put your date of birth on Facebook, if a friend posts on your wall “Happy 30^th Brthday!” then it doesn’t take a genius to work it out.

You are responsible but developers need to be aware.

Often developers are targeted when there are privacy questions. But in this case, and many others, is it not actually the developers who are to blame. It is the way people use the site. If your friends post “Happy birthday” on your Facebook wall then whose fault is it that someone else knows your date of birth? Facebook didn’t ask them to provide that information – you are the person who signed up to Facebook and allowed people to contact you online and you left the happy birthday message on your public wall. Ultimately users need to take responsibility for their own information.

If you wrote your PIN on your credit card and dropped it in the street then you wouldn’t blame the bank when someone used it would you?

Why do I care?

These media scares affect the average visitor’s view of websites and information you collect via your website. Visitors are often happy to provide information where they can see its use but they are becoming more and more aware of what information they provide, who they provide it to and what it will be used for. An example would be; do you need to collect someone’s date of birth or just their age, or even just they day and month of birth? Collecting just the small part of information you actually need means you avoid collecting the sensitive date of birth and this could save you a lot of negative attention in the future.

Ultimately make sure your website is created by a responsible development team and hosted on secure systems to minimise the risk to your reputation.

Contact juicy straight away if you have any concerns over your current development team or hosting provider and we’ll happily talk you through how to improve the situation or provide you a full security review.