Facebook offers various privacy options. You can sign up to a regional network and make your profile available only to people on that network, for example. You can be a member of up to five networks and some of them are huge – London’s network has almost 900,000 members. Within networks people can form and join up to 200 public or private groups. Here, members can share information and experiences with friends and meet new people via their profiles – or not, if they should so wish. Facebook has grown rapidly and now has more than 34 million registered users worldwide. The site depends on advertising revenue, which in 2006 amounted to $54m (about £27m). Facebook is valued at over $8bn, which spells business success in anyone’s language. Everything in Facebook’s digital garden should be rosy. But there’s a fly in the ointment. Facebook’s signup procedure asks for a fair amount of personal information, which then joins the data of other users on a server. This is meant to be secure, but recent events have planted doubt in users’ minds. Unintentional hacker In July, a UK office worker logged into his Facebook account as usual, only to find that as he clicked around he was being shown other people’s private pages – most notably, other users’ message inboxes. Further clicking revealed other areas of people’s accounts, though the important personal data entries were hidden. Facebook reacted rapidly, taking sections of the UK site offline for several days while it tackled the problem. The company claimed the error was caused by programming bugs, which caused some third-party proxy servers to cache otherwise inaccessible content and randomly display it to users. Also in July, a user discovered a cross-site scripting hole in the Facebook platform that could inject JavaScript into other people’s profiles. This could be used to import a customised content management system, which could in turn be used to violate privacy rules or create a worm. This hole took two and a half weeks to fix. Events such as this can undermine confidence, no matter how rapidly a company acts to plug the holes. And data security fears have caused some users to consider closing their Facebook accounts – except that, to their surprise, they can’t. Do not destroy The site provides no means by which an account can be permanently closed, offering only the option to deactivate an account. Personal information remains on Facebook’s servers in case the user later wishes to reactivate their account. Future security breaches could mean the disclosure of personal details from these accounts. Possibly the most disturbing story of all, however, comes from the highly respected internet security firm Sophos. Sophos set up a fake Facebook profile under the name of ‘Freddi Staur’ (an anagram of ID fraudster) and asked 200 randomly selected people to provide personal information. Freddi Staur’s profile was accompanied by an image of a small green frog, as well as some personal information about Freddi. Don’t speak to strangers Of the 82 respondents, 72 percent divulged their email address; 84 percent provided their date of birth; 87 percent provided work or educational information; 78 percent gave their address; 23 percent stated their phone number; and 26 percent gave their screen name. Many users disclosed information about their employers and their partners, while one person provided his mother’s maiden name – something very often used as a secret password to access financial account information. Very few of us would provide this type of information to someone we met in real life, but we’re quite happy to give it to a total stranger online. The security problems experienced by Facebook are serious, but they will be patched and fixed eventually. Yet the potential for identity theft is disturbing. No matter how hard social-networking sites try, they simply can’t protect people from themselves. The moral of this story is pretty straightforward and applies to everyone who uses a Facebook account. Protect your personal data as if it were a matter of life and death and don’t rely on anyone else to do it for you. You wouldn’t dream of giving your address to some bloke on the bus, so why give it to a frog on a website?
