<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>EricaJoy &#187; security</title>
	<atom:link href="http://www.ericabaker.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ericabaker.com</link>
	<description>Your call may be recorded for quality assurance purposes.</description>
	<lastBuildDate>Sat, 24 Dec 2011 04:56:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/>		<item>
		<title>Post from the Plane: Privacy and Security</title>
		<link>http://www.ericabaker.com/2007/11/28/post-from-the-plane-privacy-and-security/</link>
		<comments>http://www.ericabaker.com/2007/11/28/post-from-the-plane-privacy-and-security/#comments</comments>
		<pubDate>Wed, 28 Nov 2007 04:09:11 +0000</pubDate>
		<dc:creator>EricaJoy</dc:creator>
				<category><![CDATA[facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[travel]]></category>

		<guid isPermaLink="false">http://blog.ericabaker.com/2007/11/28/post-from-the-plane-privacy-and-security/</guid>
		<description><![CDATA[Hi y&#8217;all. Long time no write (yet again). I decided to take a page from some of my fellow coworker-bloggers and do a post from the plane. I could watch more TV (well I&#8217;ll continue to do so, thanks JetBlue) but I figured I need to do a new blog post since it&#8217;s been over [...]]]></description>
			<content:encoded><![CDATA[<p>Hi y&#8217;all. Long time no write (yet again). I decided to take a page from some of my fellow coworker-bloggers and do a post from the plane. I could watch more TV (well I&#8217;ll continue to do so, thanks JetBlue) but I figured I need to do a new blog post since it&#8217;s been over a month. Also, since I plan to write about industry-ish stuff, I have to remind everyone that this blog is mine, all thoughts expressed here are mine and do not represent the views of my employer or any of its partners.</p>
<p>There, now that I&#8217;ve said that, let&#8217;s talk for a second about facebook. Facebook has been the golden child of social networks for a short while and looked poised to stay in that position. I was so excited when they opened it up to select companies and I was able to create a profile. Then they opened it up to everybody but somehow avoided the spammy problems that plague other networks. Woot! The addition of the newsfeed? At first kind of scary but then they fixed it and it was a useful tool for keeping up with what your friends were up to. Enter facebook apps. Great idea in theory. In practice? Hi, if I get bitten by a vampire or superpoked again, I think I&#8217;ll have a coronary. Okay, that may be a bit much but a lot of those apps were super annoying and did some really shady, spammy stuff. Thankfully facebook cleaned that up and was the great social network it started out as. What&#8217;s the recurring idea here? Facebook fixes what it breaks for the better.</p>
<p>Recently facebook introduced a new ad platform that included a &#8220;feature&#8221; called the <a href="http://www.facebook.com/business/?beacon" target="_blank">facebook beacon</a>. Another great idea in theory, but in practice? Well, not so much. A brief description of how the beacon works: a company puts a small javascript snippet on their website. This small bit of code will tell facebook what you&#8217;re doing on the company&#8217;s site. &#8220;In theory,&#8221; you can choose whether or not these updates will appear in your facebook newsfeed. In practice? Again not so much. Some people have reported that the notification about the update only appears briefly then disappears. <a href="http://consumerist.com/consumer/privacy/facebook-ruins-christmas-325651.php" title="Privacy: Facebook ruins Christmas?" target="_blank">Some people report not seeing the notification at all.</a> Mind you, this is not a yes or no prompt; it informs you about the transmission of your data then asks you if you&#8217;d like to opt-out. If you miss the prompt because you look away/switch tabs/etc, there are your activities displayed in your facebook newsfeed. This wouldn&#8217;t be such a big deal if only one or two sites were beta testing this feature to work out the bugs. Unfortunately there is a long list of big name websites participating in the facebook ad network. Try on Yelp, Epicurious, and Zappos for size. A partial list of participating sites is as follows according to this <a href="http://www.facebook.com/press/releases.php?p=9166" title="Leading Websites Offer Facebook Beacon for Social Distribution" target="_blank">facebook press release:</a></p>
<p>AllPosters.com<br />
Blockbuster<br />
Bluefly.com<br />
CBS Interactive (CBSSports.com &amp; Dotspotter)<br />
ExpoTV<br />
Gamefly<br />
Hotwire<br />
Joost<br />
Kiva<br />
Kongregate<br />
LiveJournal (people with secret LJ accounts, watch out!)<br />
Live Nation<br />
Mercantila<br />
National Basketball Association<br />
NYTimes.com<br />
Overstock.com<br />
(RED)<br />
Redlight<br />
SeamlessWeb<br />
Sony Online Entertainment LLC<br />
Sony Pictures<br />
STA Travel<br />
The Knot<br />
TripAdvisor<br />
Travel Ticker<br />
TypePad<br />
viagogo<br />
Vox<br />
Yelp<br />
WeddingChannel.com<br />
Zappos.com</p>
<p>This list will continue to grow as facebook has made it super-easy for any site to add the beacon. It&#8217;s done well to broadcast your whole life thus far though, yes? What you eat, what you wear, what you buy, what you blog, where you travel, etc, etc, etc.</p>
<p>As I said before, facebook has a tendency to fix things they&#8217;ve broken. Right now they seem to think there is nothing wrong with the beacon. I won&#8217;t go so far as to say they&#8217;re blowing it off because I want to believe a company that&#8217;s done such awesome things in the past wouldn&#8217;t blow off member privacy concerns. What can they do to fix it? Make the beacon updates an opt-in instead of an opt-out. That way unwanted updates won&#8217;t accidentally appear in one&#8217;s newsfeed. Maybe even add an option in the privacy settings to globally opt-out of all beacon updates (<a href="http://www.techcrunch.com/2007/11/02/ok-heres-at-least-part-of-what-facebook-is-announcing-on-tuesday/" title="TechCrunch" target="_blank">which was apparently included in the beta versions?</a>). In any case, make it so that I completely control the information about me that gets shared, both with facebook and my facebook friends.</p>
<p>What can you do to avoid the beacon until facebook fixes it? If you&#8217;re a Firefox user, go to this helpful post written by Nate Weiner for instructions on <a href="http://www.ideashower.com/blog/block-facebook-beacon/" target="_blank">how to block the beacon</a>. If you&#8217;re an Internet Explorer user, stop whatever you&#8217;re doing, <a href="http://www.getfirefox.com" title="Internet Explorer sucks. Get Firefox.">install Firefox</a>, then go to the site referenced in the previous sentence. Also never use Internet Explorer again, you&#8217;ll be better off for it. <img src='http://www.ericabaker.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>Speaking of personal privacy and security, I was thinking about something the other day that I&#8217;m sure many people have pontificated about: account security questions. I was transferring a vBulletin license to someone and the Jelsoft staff asked me to answer my security question: What is my mother&#8217;s maiden name? It made me think of exactly how many sites use this question as a way of authenticating people when they&#8217;ve forgotten their passwords. Imagine, if you will, someone has used some analytical skills mixed with a bit of game theory. They search your name online and find out your mom and dad&#8217;s names. They search for your parents&#8217; names on Ancestry.com and instantly they know not only when your parents got married, but also your mother&#8217;s maiden name, both of their middle names, their anniversary date, if and when they divorced and even the dates they remarried. All public record, all up for the asking. So is your information really REALLY secure? Go back and check the security question on your accounts and make sure the answers can&#8217;t be easily searched.</p>
<p>Hey, we landed while I was writing so now I&#8217;m at home. Though I thought I&#8217;d never say this, I&#8217;m glad to be back in New York. My Thanksgiving vacation in Florida was marvelous but my family stresses me out (I still love you family). I got some relaxation in by going to the beach a couple times and also taking <a href="http://www.flickr.com/photos/ericajoy/sets/72157603284491022/" title="Shaolin Lightboxing" target="_blank">some pics</a> with the <a href="http://strobist.blogspot.com/2006/07/how-to-diy-10-macro-photo-studio.html" title="Strobist" target="_blank">DIY $10 macro studio</a>. That was so much fun I&#8217;m going to set it up again here at home. Before I do that, I need to go find some food since I haven&#8217;t eaten all day. Someone pester me to write again in 2 weeks. <img src='http://www.ericabaker.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.ericabaker.com/2007/11/28/post-from-the-plane-privacy-and-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
	</item>
		<item>
		<title>Social Networking or Social Engineering?</title>
		<link>http://www.ericabaker.com/2006/04/20/social-networking-or-social-engineering/</link>
		<comments>http://www.ericabaker.com/2006/04/20/social-networking-or-social-engineering/#comments</comments>
		<pubDate>Thu, 20 Apr 2006 15:19:00 +0000</pubDate>
		<dc:creator>EricaJoy</dc:creator>
				<category><![CDATA[networking]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social]]></category>

		<guid isPermaLink="false">http://blog.ericabaker.com/?p=45</guid>
		<description><![CDATA[Do these questions look familiar: What was the name of your high school? What was your high school mascot? What is your favorite color? Where were you born? What&#8217;s your favorite sports team? If you have a MySpace profile, a Xanga account, even an e-mail address in some cases, you probably recognize these as questions [...]]]></description>
			<content:encoded><![CDATA[<p>Do these questions look familiar:</p>
<p>What was the name of your high school?<br />
What was your high school mascot?<br />
What is your favorite color?<br />
Where were you born?<br />
What&#8217;s your favorite sports team?</p>
<p>If you have a MySpace profile, a Xanga account, even an e-mail address in some cases, you probably recognize these as questions from surveys you may have received. Now have a look at this:</p>
<p><img src="http://www.ericabaker.com/images/security.jpg" title="Secure?" /></p>
<p>Those are the security question options from a major financial website. The similarity of the questions to common survey questions is alarming to me. If it&#8217;s not already happening, I&#8217;m sure it&#8217;s only a matter of time before some unsavory phisher and/or scam artist hops on MySpace (or any other social network), creates an account, and begins collecting friends and sending out surveys. In a matter of hours, the scammer would have information good enough for authentication about many of the &#8220;friends&#8221;.</p>
<p>It seems as though social networking can easily cross the line into social engineering. Sure, people know not to share their passwords and social security numbers, but what about the other identifying information? How much information is too much information? The line between social networking and social engineering seems to be really fine and really fuzzy. Here&#8217;s hoping some education for companies (because the example given above is really piss poor) and individuals will help to make this line a little more broad and definitely more clear.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ericabaker.com/2006/04/20/social-networking-or-social-engineering/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:thumbnail url="http://www.ericabaker.com/images/security.jpg" />
		<media:content url="http://www.ericabaker.com/images/security.jpg" medium="image">
			<media:title type="html">Secure?</media:title>
		</media:content>
	</item>
	</channel>
</rss>

