Could businesses lose face over Facebook?


15 Oct 2007

Social networking sites like Facebook have exploded in use in Ireland recently, but IT experts are warning of privacy concerns.

It’s a familiar routine. No sooner does a development on the internet become commonplace than a security threat follows swiftly behind. In this case, Facebook is the latest to fall victim, so to speak.

The social networking site is one of the most popular destinations on the internet, with an estimated 100,000 people signing up as members every day. The total number of users is somewhere north of 34 million worldwide.

At the time of writing, more than 46,000 people were signed up to the Ireland network on Facebook, but this is a conservative figure. The real number could well be far higher because many Irish-based people registered with the site haven’t attached themselves to a network.

The site’s explosive growth is a story in itself, but scratch beneath the surface and concerns quickly become apparent. Registered users of Facebook are currently being asked whether they are willing to have their profiles made publicly available through searches.

This would mean that anyone can look for Facebook pages without needing to register with the site. For example, a generic Google search for a person’s name would return their Facebook listing.

In this, Facebook is not actually breaking radical new ground. The business networking site LinkedIn already makes its listings available through Google searches. But Facebook’s massive and growing popularity has added extra urgency to the story.

Experts argue these developments could make stalking or tracking people that much easier. They also believe that making personal information readily available on the internet is a standing invitation to identity thieves and phishers.

ENISA, the European Network and Information Security Agency, has cautioned that social networking sites such as Facebook, Twitter and MySpace may not be as safe as they appear.

“Thousands of young people are revealing the most intimate details of their personal lives for everyone to see,” says Alain Esterle, head of the technical department with ENISA.

“Social networking sites create a sense of being among friends — but often a potential employer might be interested in the fact that you were arrested or which drugs you took yesterday. Added to this, new technologies such as online face recognition and internet archives make it very difficult to hide or remove such information once it is posted online.”

To demonstrate some of the privacy concerns, the software firm Sophos conducted a variation on the IT security social experiment that asked people whether they would give up their passwords in return for chocolate (many would). Sophos set up an experimental Facebook page with a profile for a friendly-looking green plastic frog named Freddi Staur, actually an anagram of ‘ID fraudster’.

Although Sophos didn’t comment directly on this aspect of the test, it’s worth pointing out that, as with so many things on the internet, creating a fake identity is easy. Facebook does not ask anyone registering for any proof of ‘real world’ ID.

The site works on the principle of requesting people as friends — usually, though not always, these are people we already know through school, work or socially. ‘Freddi’ sent out 200 friend requests at random. The aim of the research was to see how many people would respond and how much personal detail they would divulge.

Two out of five people (41pc) gave some personal information to Freddi, ranging from email addresses (72pc) to date of birth (84pc), location of school or workplace (87pc), current address (78pc) and phone number (23pc).

In most cases, Freddi was able to gain access to respondents’ photos of family and friends, information about their likes and dislikes, hobbies, employer details and other personal facts.

Others disclosed the names of their spouses or partners and some included complete CVs. One user even divulged his mother’s maiden name — exactly the kind of information many websites ask for as a supposed extra layer of security.

Graham Cluley, senior technology consultant at Sophos, has this to say about the experiment: “What’s worrying is how easy it was for Freddi to go about his business. He now has enough information to create phishing emails or malware specifically targeted at individual users or businesses, to guess users’ passwords, impersonate them or even stalk them.

“While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cyber-criminals many of the building blocks they need to spoof identities, to gain access to online user accounts, or potentially, to infiltrate their employers’ computer networks.”

Many organisations have taken measures to ban Facebook use in the workplace. A recent survey by employment law firm Peninsula estimated that 233 million hours are lost every month in the UK as a result of employees using social networking sites.

But Facebook, like Bebo, MySpace and others, is unlikely to go away so security concerns still need to be addressed rather than ignored. ENISA plans to publish a position paper on social networking next month. According to Andrea Pirotti, ENISA’s executive director, the aim is to benefit both users and providers of social media by encouraging a safer environment on social networking sites.

There are some positive signs. Netlog, a Belgian social networking site with 25 million users, does not allow its users to reveal contact information such as zip codes — anyone doing so will be banned.

The site also places abuse-reporting buttons on almost every item. Rareface, a London-based social networking company, also uses moderation tools.

Unlike many other social networking sites, Facebook has adjustable privacy settings. For example, the ‘profile’ and ‘search’ settings allow registered users to control what information others see and to decide who can find their page through searches.

The onus is on the user to implement these settings and to take more care about who they let into their trusted circle of friends. This, of course, is good advice whether on the internet or in the real world.

By Gordon Smith