Facebook Places raises red flags

Facebook Places has launched in the UK today to much fanfare. But what could integrating location-based services into one of the biggest social networks in the world mean for security and privacy? TechEye talked to Rik Ferguson, senior security adviser at Trend Micro, to get the skinny.

We’ve heard some PR piggybacking and reports from insurance firms who suggest that it will drive house prices up and there’s a risk of burglary. Yes, that’s possible – yes, it’s happened before with other services. But there are more realistic dangers everyone should be aware of. 

Burglary shouldn’t be at the forefront of our minds. As a possibility it’s real but we’re not going to go ahead and say it’s the most likely instance.

Willingly, or unwillingly with the default settings, a friend can tag you in a Places post. The post doesn’t have to be true. They can tag you however and wherever they like, possibly with implications that might not do you a world of favours. You can go ahead and tag someone as being in a hotel with you if you like, as Ferguson shows in his Trend Micro blog post.

Facebook says its Places feature is just like a status update saying you’re off out for coffee. In a sense it is, but the user holds control over that. The default settings for both Places and Facebook in general leave your privacy wide open.

Add a malicious person with an agenda into the mix and theoretically, with the convergence of the online space and the physical, real world, stalking could be taken to the next level.

Alex Deane, director of Big Brother Watch, told TechEye: “Social networking is great – if used properly, and provided responsibly. Facebook Places fails both tests and leaves most Facebook users vulnerable to harassment and stalking. Just when Facebook had made it easier for intrusive marketers to target you regardless of privacy concerns, they go one step further – and let people see where you’re stepping, too.

“Account-holders should bear in mind that accepting so-called “friends” on Facebook can now allow your cyber-stalker to come and find you in real life.”

With a bit of easy-as-pie social engineering, which anyone with half a brain and a sprinkling of malicious or mischievous intent could manage, there’s a way into your network, and if there’s a way into your network, there’s a way to get to you. And if there’s a way to get to you – whether it’s through your friends or you’ve been duped – with default settings turned on you are willingly or unwillingly letting everyone know where you are. We’re not about to provide a step by step guide but you don’t have to be a genius to put two and two together.

The six degrees of separation theory – that everyone is linked to everyone else by just six people, in oversimplified layman’s terms – is worth thinking about.

Remember when Facebook rolled out the “Like” button all over the World Wide Wibble? Wearers of tinfoil hats raised legitimate concerns about data farming and market research submitted willingly by users. That also goes to the next level with Facebook Places. In theory with default settings enabled it would be simple for a marketer to data farm feedback on establishments and events.

The existence of Your Open Book proves that there are tons of people with their networks completely opened for the world to see.

It’s almost too easy to shout from the rooftops about Places, and Ferguson agrees. There’s so much to pick at from a security perspective and the aim of this article is not to sensationalise.

The simple answer is to check your settings. This service is opt-out and not opt-in – that means you’re automatically subscribed to it by default. We’re not saying you’re about to get stalked or harassed, or about to be burgled, but the fact is there are some real privacy issues here that need addressing by anyone with an account – active or inactive. 

As Ferguson writes in his blog: “Clearly this system represents a massive risk to individual privacy. If Facebook persist in allowing check-ins by third parties then they need to ensure that the information is not made public until it has been agreed to by all people identified. Facebook should also ensure that any privacy settings are either fully respected or that the implications of your actions are made crystal clear.

“Otherwise it means that anyone with an interest in the location of their potential burglary victims, friends, colleagues, partners, even ex-partners simply needs to become a friend of a friend or just frequent the same places and Facebook will do all the espionage for them.”