Facebook Grants Developers Access To Home Addresses … Trouble Waiting To Happen?

Facebook has put a lot of effort into getting users to enter their mobile numbers. But now the social network is giving developers access to those numbers, in addition to home addresses, with a single click. Is this just trouble waiting to happen?

The timing of the post couldn’t have been more questionable — just as most people were leaving work on the west coast and Facebook employees were beginning their weekly happy hour at Cafe 6. Granted, the company’s job is to make this post appear as though it’s just another day at the social network, in an effort to play down the significance of this new functionality. Over the weekend a number of publications began discussing the issue, the most sensational of which comes from Sophos, which writes “Rogue Facebook apps can now access your home address and mobile phone number.”

It’s true. Facebook’s new permissions give developers with bad intentions access to a greater amount of personal information. The flip side is that this isn’t exactly credit card information. However, as developers gain access to more information, the question arises: Is the company doing enough to protect our personal data? The answer is most definitely not clear cut.

The Consumer Perspective

All Facebook’s Editor, Jackie Cohen, provided us with the consumer’s perspective earlier this morning, pointing out that “most people will click ‘allow’ without noticing the permission window now includes the words ‘current address and mobile phone number.’ …Unfortunately, the developers plying the user graph objects include rogue applications, such as spamware, malware and deceptive schemes that security staff seems to have a hard time keeping up with. This category of ne’er-do-wells can now gain access to people’s mobile phone numbers and street addresses. So we really hope the social network devises a way to bar the rogues from using this set of code, and if that’s not possible, then perhaps get rid of the entire thing before any damage could be done.”

It’s a legitimate perspective, which is why we’ve already seen a lot of people, including Sophos, criticize Facebook for the move. As one commenter told us, “I’m deleting all my personal info now. ugh!!!!!” This is probably the most rational response, in addition to being the best way to protect your personal information.

Facebook As An Identity Authenticator

On the flip side, Facebook is trying to legitimately provide users with a valuable tool to make surfing the web a whole lot easier. By serving as a centralized identity provider, the social network makes registering for new sites as easy as a couple of clicks. It’s a problem that has existed on the web for a long time now: You visit a new website and have to fill out a long form that typically includes the same information: email, first name, last name, password, and potentially additional data such as your age, gender, phone number and so on.

Rather than having to fill out the information over and over with each new application that you install, the social network enables users to accomplish the exact same thing in a matter of clicks. It’s a clear value add, and it’s exactly why the company says, “every month, more than 250 million people engage with Facebook on external websites.”

Facebook’s Questionable Communication

While the value proposition is clear, Facebook has used a questionable communication strategy. As previously mentioned, why would the company choose to post such a significant article at a time when most users are done with the week and now moving on to weekend activities? We can only see this as a deliberate effort to push the issue under the radar. This is exactly the type of communication that we don’t want from one of the most powerful identity providers in the world. Instead we want transparency from a company that expects its own users to be completely transparent.

Why not write an occasional blog post addressing the issues surrounding privacy and identity that are ever present in the media? With Facebook recently coming under attack over the sharing of user data on their platform by developers, it seems odd that the company would just push forward as though nothing happened. While such a policy is only expected based on past behavior, increasing transparency is something that would possibly bring comfort to users.

We can only sit and wait for the next Rapleaf to emerge, next time with much more personal user information, thanks to the increasing amount of data granted to developers. What’s most obvious is that we now live in a world of decreasing privacy, and Facebook is taking the lead in pushing us forward into this new age. As the leader though, it would be great to see Facebook take a much more proactive approach in communicating the company’s position. Then again, they’ve gotten this far with a less-than-transparent communications strategy, why stop now?

Do you agree or disagree with Facebook’s decision to grant developers access to additional user data? What additional information would you like to hear from Facebook that they aren’t providing now?

Man stole nude photos from women's e-mail accounts

A California man has pleaded guilty to charges that he broke into the e-mail accounts of thousands of women, scouring them for nude photos that he then posted to the Internet.

George Bronk pleaded guilty Thursday to charges that he hacked into more than 3,200 email accounts looking for nude or compromising photos. He then posted many of these photos to his victims' Facebook pages.

George Bronk, 23, was arrested in late October after police found evidence that he'd hacked into more than 3,200 e-mail accounts. He used the same technique that Sarah Palin hacker David Kernell used to break into the former U.S. vice presidential candidate's Yahoo account: He scoured his victims' Facebook accounts for answers to the security questions used by Web-based e-mail services such as Gmail and Yahoo Mail.

Then, posing as his victim, he would claim to have forgotten the account's password and try to answer the security questions that would let him back in. Often, the security questions are easy to guess. The questions Bronk faced asked him things like, "What is your high school mascot?" and "What is your father's middle name?"

Once in, he would change the account password -- locking out his victim -- and search for any racy photographs. If he found any, he posted them to the victim's Facebook profile.

Of the 3,200 accounts he broke into, Bronk found nude or semi-nude photos in 172 of them, prosecutors said.

In one case he persuaded a victim to send him even more explicit photographs by threatening to post the ones he'd stolen if she didn't.

Bronk faces six years in prison on felony hacking, child pornography and identity theft charges. He entered his plea Thursday in Sacramento Superior Court.

"This case highlights the fact that anyone with an email account is vulnerable to identity theft," California Attorney General Kamala Harris said in a statement.

Abstract:
The objective of this work is to analyse Chapter II of Royal Decree 424/2005, dated 15th April, which regulates a procedure for tapping electronic communications, with the aim of verifying whether this practice affects the conditions that limit the essential content of article 18.3 CE. It is concluded that these regulations do not affect article 18.3 CE as regards the enumeration it includes of the types of data associated with electronic communications that can be legally intercepted together with the content thereof. It does, however, mutilate the essential content of article 18.3 CE as regards the obligation of the judge to determine at least some of such data in the legal tapping order. Inasmuch as the secrecy of communications is a formal right that limits its content to the possibility of intercepting communications by means of a prior judicial resolution detailing the causes thereof, the associated data obtained as a consequence of such an intervention are not protected by article 18.3 CE, but in any case by articles 18.1 and 18.4 CE. This means that once the judicial organ has set out in its judicial intervention order the objective suspicions of an alleged serious crime, as well as the absence of other means to prove such a crime that would clarify the alleged criminal conduct being investigated, the data obtained as a consequence of such an interception would be protected by article 18.1 CE if that information is revealed to third parties, or by article 18.4 CE if the information is used for purposes different from those for which the tapping was authorised.
It follows that it is also not necessary for organic legislators to regulate which data associated with the communications the judges are to mention, since the judicial authorities must be left a margin of action to determine whether they believe it is appropriate to gather certain associated data mentioned in the regulations, or whether a generalised judicial opening of electronic communications is necessary that gathers both the content of the communication and the data associated with it.

Note: Downloadable document is in Spanish.

Keywords: Secrecy in communications, Intimacy, Protection of personal data, Objective suspicions, Serious crimes.

Accepted Paper Series

Internet Security Savvy is Critical as Egyptian Government Blocks Websites, Arrests Activists in Response to Continued Protest

As we've seen in Iran and Tunisia, social networking tools have given activists in authoritarian regimes a powerful voice, which can be heard well beyond their own country. But the use of social networking tools has also given their governments ways to identify and retaliate against them. This week we are watching the same dynamic play out in Egypt. This is why it is critical that all activists, in Egypt and elsewhere, take precautions to protect their anonymity and freedom of expression. The protests in Egypt this week also highlight another important point: authoritarian governments can block access to social media websites, but determined, tech-savvy activists are likely to find ways to circumvent censorship to communicate with the rest of the world.

In an attempt to clamp down on Egyptian protesters, Egyptian President Hosni Mubarak’s government is intermittently blocking websites and arresting bloggers, journalists, and dissidents. Like the Tunisians, Egyptian protesters have made heavy use of social media websites to share information about the protests with the outside world and with each other. In spite of the Egyptian government’s blocking of Twitter, tweets from the Egyptian protests in Suez and Cairo provided up-to-the-minute reports about protest activity, the movements of police, deaths and injuries, links to photos on Twitpic, and videos on YouTube. Cooperation amongst protesting citizens has kept communications resilient so far. When protesters in Cairo's Tahrir Square experienced an outage in cell phone data service, nearby residents reportedly opened their home Wi-Fi networks to allow protesters to get online.

On the first day of protests, the Egyptian government blocked several websites, including Twitter and Bambuser, a Swedish website which allows users to stream live video from their cell phones. By the second day, the government's blocking of Twitter was sparse and intermittent, but there were reports of blocking Facebook and YouTube. It is unclear whether or not the Egyptian government will continue to expand its list of blocked sites in the coming days. Even the US Secretary of State Hillary Clinton, who was conspicuously silent during the protests leading up to the Tunisian revolution, has called on the Mubarak government to respect freedom of expression and urged them “not to…block communications, including on social media sites.”

The other dangerous aspect of the Mubarak government’s shameful campaign of silence and censorship has been the arrest and detention of bloggers, journalists, and activists. The Committee to Protect Journalists has reported that the Egyptian government has shut down at least two independent news websites: Al-Dustour and El-Badil. Police beat Al-Jazeera correspondent Mustafa Kafifi and Guardian reporter Jack Shenker, who posted an audio recording of the incident. Policemen have attacked and arrested cameramen covering the protests and onlookers recording the protests with cell phones.

Egypt is no stranger to the arrest of bloggers. Egyptian blogger Kareem Amer was sentenced to four years in prison for “disparaging religion” and “defaming the president” in 2007. In 2009, web forum founder Karim Al-Bukheiri was arrested, tortured, and subjected to constant government surveillance. Just last year, the Islamic Human Rights Foundation reported that Egyptian Security Forces arrested “at least 29 activists, including bloggers, lawyers, and human rights activists.” The concern here is clear: if the street protests subside, the Mubarak government could initiate a campaign of retaliation and oppression, arresting and harassing the very bloggers and activists who have been chronicling the protests online. Some countries have gone even further. In Iran two opposition activists were hanged this week for taking pictures and video of the Green Revolution protests and posting them online.

Given the potential dangers, it is absolutely critical that Egyptian protesters take precautions when communicating online. To reiterate, social networking tools have given activists a powerful voice, which can be heard well beyond Egypt, but activists should also remember that the Egyptian government could use these same tools to identify and retaliate against them. We recommend that political activists look at our Surveillance Self Defense International report for information on how to use technology defensively to better protect their anonymity and freedom of expression in Egypt and other authoritarian regimes.