Monday, 5 May 2008

Facebook applications and you

I don't think anyone needs to be told what Facebook is. If you're one of the lucky few who's never heard of it, just skip this post and move on. The feature that I'm looking at right now is the myriad applications that you can install; in fact, anyone can write such an application, without very much trouble. And that's the problem - anyone can write a malicious piece of code, wrap it up inside an application, and start pushing it.

When you add an application that wasn't created by Facebook's own programmers, you get a prompt asking if you want to let the application access blah blah blah. Since you can't use the app without doing so, people will just say "Okay, let it have access". This security measure is really just a waste of bandwidth, because it's so completely normal. If you had an "Are you sure" prompt every time you tried to use Google, you wouldn't take much notice of it; and then if you got the same prompt trying to visit a site that downloads spyware to your computer, you'd probably click OK to it without taking any notice. So the confirmation is of very limited value.

The BBC did a bit of a test in which they published a rogue application and leeched enormous amounts of data away. Few details are shown, naturally, but I have no doubt that it's all completely accurate.

http://news.bbc.co.uk/1/hi/technology/7376738.stm

They collected personal information, not only from the person who actually added the app, but also from all that person's friends - without anyone's knowledge. If this code were part of some trojan horse application (such as a game - it seems that there are a LOT of people who install a LOT of game applications), it wouldn't take long before large amounts of data could be collected. The BBC report states that the information cannot directly be used for identity theft, but when you consider the amount of information that people post on their Myspace/Facebook profiles, it's obvious that an identity thief could put it to pretty good use.

So what's to be done? It's not possible to 100% trust all applications unless you read through their source code in great detail; and I don't think the Facebook people have the time to do that. Certainly this responsibility cannot be dumped on the app users; there's no way Joe and Jenny Average are going to go checking out someone's source code. What can be done to mitigate the problem?

Solution 1: Make several different levels of access. Most apps won't need access to much, so just let them read really basic information like your name. Then the next level could be access to all your profile, but not to any information about your friends. Only a very few applications would need to know your friends' interests and personal details. When you add an application, it should ask you to confirm, and the page presented should look VERY different for the different levels.

Solution 2: Abandon Facebook. Get cheap web hosting to put your photo album on, and just don't use social networking sites.

I guess that puts this in the category of rants - nobody wants to take either/any solution offered, because none is really satisfactory. Unless, of course, you're like me, and don't care that much about Facebook anyway.

No comments: