S: Hi. Sean Richmond here from Sophos Australia.
And I have with me today Paul Ducklin, Head of Technology
in Asia Pacific...
P: Hi, Sean...
S: And we thought we'd talk today about the recent Sophos Australia
Facebook ID probe...
P: Sean, the reason we did this is that in 2007, Sophos UK
did a Facebook ID probe and invited people to
be their friends.
And we were very surprised at the extent to which people
were prepared to befriend someone they didn't know,
and to give away lots of personal information.
So we desperately hoped that people
would have got a lot better in the last two years.
So we repeated the probe and I'm afraid to say,
we were rather disappointed at the results...
S: Really?
I would have thought that everyone would have been up to speed,
and have tightened up their security.
Was this targeting Australians specifically?
Because Australians are pretty good at keeping things 'schtumm'...
P: The personas we created were female Australians.
One was 20-something; the other was 50-something.
Daisy and Dinette.
Each invited 100 people in their age group.
So that was our Australian focus.
And we really thought that we'd do a lot better than before.
But just to compare them, Freddi Staur was the name
of the guy in the UK...
S: That was the Green Frog guy...
P: He was the plastic frog. Now, Freddi sent out
200 friend requests, and 87 people responded.
So we sent out 100 each from Daisy and Dinette.
So we're looking for anything less than 87
means we've got better.
And very soon we had 13, and then we had 36,
and so it went on.
And we ended up with 87 people. Exactly the same number
responding to the friend requests.
But this time we got a bonus, in that eight people actually
wanted to be Dinette's friend whom she hadn't even asked...
S: So, just people, out of the blue, contacting this bogus character...
P: She was a picture of a cat, and Daisy was
a picture of a rubber duck...
S: So there was nothing to indicate that this was
actually someone they might have met at some stage,
or in any way knew?
P: No, quite the opposite. In fact, we were very careful
not to give anything as a hint whether we were or were not
a real person.
So we didn't respond to any posts. We simply created the persona,
put up the picture of the cat...
S: So, what's the big deal? I mean, it's not like
they give away all this information, is it?
P: Well, they gave away more than I would have
expected them to, and certainly more
than I think is circumspect.
For example, in the 20-something crowd,
every single person gave away
their email address. Nearly 100% gave away
their date of birth. About 50% told us
where they lived.
That's an awful amount of information to give away
to somebody who is a rubber duck...
S: Does it matter? I mean, people go,
"OK, you're my friend." Admittedly, I have this
anachronistic view that a friend
is someone you actually know...
S: ...and I wouldn't call someone a friend
unless I knew them.
But they've subverted the word to mean someone who
sends you an invite.
So what? So you've got a date of birth,
and definitely an email address according to these figures,
and perhaps where somebody lives,
what suburb, in a few cases, a phone number.
Meh. Big deal. So what? Does that mean
the Bad Guys can become me and take out a passport
in my name, and...
P: You'd really like to think, at least in Australia,
that from that information only, they wouldn't be able
to acquire a passport.
However, if you think that somewhere around a half
of the 20-somethings and about a third
of the 50-somethings also gave away
a whole load of information about friends and family.
In other words, they gave away quite a lot
about their own life, their lifestyle,
the environment in which they live.
And if you think about what an identity fraudster needs,
well, they need something to get started.
And with even a small amount of information,
particularly if they can corroborate that
by appearing to know the right people,
and knowing where you went to school,
and where you last met so-and-so,
with a little bit of information, they can then 'kite' that
to get alleged proof of where they live,
and from that, they may be able to claim they've
lost their driving licence, and renew that,
and so on, and so on.
And, in time, indeed they may well be able
to take out a passport in your name...
S: I guess, in certain circumstances, just having someone's
date of birth - I know that, here in Australia,
Telstra - when you call up, one of the first things
they ask to prove your identity is, "What's your date of birth?"
P: And a lot of banks do that as well.
And, of course, that's the one bit
of your identity which is astonishingly hard
to change.
You can change your name. That costs
100-and-something dollars in New South Wales.
You can move. You can get
a new credit card number.
But your birthday is stuck forever.
And, rightly or wrongly, it's still used as an indicator
that you're who you say you are, because - in general, at least -
five to ten years ago - only very close friends
really would know your date of birth.
And the fact that many people are giving away this information
willy-nilly is, indeed, in my opinion, a bad sign.
So, to all the people who are saying, "Well,
I've given away a bit, but it's not like I've given away
enough to apply for a credit card."
Well, ask yourself, the next time you get one of those blank
"Hey, apply for credit now" forms, ask yourself
whether you could make a good stab at filling one of those in,
based on information that you, or people you know,
have given away on Facebook.
And I bet you could come pretty close...
S: Now, having gone into all of this
about what can be shared, Facebook have just
revamped their privacy options and made some changes there...
P: I'll read this: this is from
their own privacy guidelines.
It says, "Information set to 'Everyone'
is publicly available information, may be accessed by
everyone on the internet, including people
not logged into Facebook, is subject to indexing
by third party search engines, and," (this is the important bit),
"may be imported and exported by us and others
without privacy limitations."
And that sounds a bit liberal for my tastes...
S: It sounds like it's going to run foul
of all sorts of people who have an interest in privacy,
like the Privacy Commissioners around the world.
I know that these have been issues before
with - I believe it was in Canada, that the Privacy Commissioner
took some exception to the liberal use
of people's personal information...
P: That's an interesting observation. And I wonder what the
Office of the Privacy Commissioner in Australia will have to say...
S: What should people do about this? Should they
chuck their toys out of the cot,
and say, "I'm not playing with Facebook any more,
because they're being liberal with my information?"
P: You mean, everyone on Facebook go,
"No! We need a new Facebook with stricter..."
S: [Laughs]
P: Firstly, I don't think people are going to want to do that.
You don't need to throw out the baby
with the bathwater.
But it is important, whether you're a new user
joining now, or whether you're migrating
your old settings: be wary of
just accepting the defaults.
That's not a matter of whether you trust Facebook
or not. It's not a matter
of whether you trust friends or friends-of-friends.
It's simply a matter that if you don't go through
all the possible settings, then you're not thinking,
in my opinion, clearly enough about
who's got access to your data.
And you're probably not valuing your personal information
highly enough...
S: Well, it is definitely worth money.
I think there's enough proof out there
to make that a non-argument.
So, thanks for joining me, Paul, and until next time,
stay secure.