Facebook users are often unknowingly revealing their profile data and that of their friends by agreeing to download seemingly innocuous Facebook applications, according to a BBC investigation.
Click, the BBC’s flagship technology programme, has found that although privacy settings related to personal information can be changed by users to hide information on their profile, by simply using an application their profile data can be accessed by the creator.
Protecting users’ profile information once these applications have been added can only be done by changing the application’s privacy settings, three pages of clicks inside the site, regardless of how users have set their profile privacy settings.
Interviewed for this week’s Click programme, Paul Docherty, Technical Director of Portcullis Computer Security, said he believed that Facebook’s Terms and Conditions stated on the site meant that Facebook had legally covered itself from any liability.
“Morally, Facebook has acted naively. Facebook needs to change its default settings and tighten up security,” Paul Docherty, Technical Director of Portcullis Computer Security, said. But he also believes it would be difficult to secure the current system because so many third party applications are now in circulation.
This comes in the month that competitor MySpace opened up its platform for applications to users. But it is currently using a different method – allowing the company to keep a close eye on what the applications do and vet their authors. The Click team was unable to create a similar threat to users’ security using the MySpace system.
Click developed an application for Facebook and used it to discover details of users and their friends that those users may have felt were inaccessible to people they did not know.
Taking less than three hours to write, Click’s application was then added to four Facebook users’ accounts. As a result, they could access details of those four people and all their friends on Facebook even though many had chosen to hide those details on their public profile.
This means that there is the potential for criminals to “skim” user data, via a rogue application. Data can also be given away by a Facebook friend who innocently adds an application to his Facebook account. At the moment it appears the only completely sure and safe way to stop such data being shared is to remove all applications and not use them.
Facebook has Terms and Conditions for creators of applications but criminals (or investigators) wanting to gain access to personal information do not necessarily consider these when they attempt to steal personal details.
It cannot be determined how many applications may be using this method to steal data, or indeed whether there are any at all, but the ease with which the BBC team put together its rogue application has raised concern.