Jefferson's Wheel

Kim Hart has written an article covering Adrienne Felt’s study of privacy issues with Facebook applications: A Flashy Facebook Page, at a Cost to Privacy: Add-Ons to Online Social Profiles Expose Personal Data to Strangers, The Washington Post, 12 June 2008.

Ben Ling, director of Facebook’s platform, said that developers are not allowed to share data with advertisers but that they can use it to tailor features to users. Facebook now removes applications that abuse user data by, for example, forcing members to invite all of their friends before they can use it.

“When we find out people have violated that policy, there is swift enforcement,” he said.

But it is often difficult to tell when developers are breaking the rules by, for example, storing members’ data for more than 24 hours, said Adrienne Felt, who recently studied Facebook security at the University of Virginia.

She examined 150 of the most popular Facebook applications to find out how much data could be gathered. Her research, which was presented at a privacy conference last month, found that about 90 percent of the applications have unnecessary access to private data.

“Once the information is on a third-party server, Facebook can’t do anything about it,” she said. Developers can use it to provide targeted ads based on a member’s gender, age or relationship status.

The article also appeared in MSNBC, the Kansas City Star, the Los Angeles Times (Facebook widgets pose privacy risks:Users often give away their personal data and that of friends without knowing when they install the popular social network programs), the Austin American-Statesman (Social networking applications could become a privacy headache), and the Washington Post’s Express edition (FreeRide Lunchtime Reading: Who’s Getting in Your Facebook?).

 

Another XSS vulnerability has been discovered in Facebook, as reported by InformationWeek (George Hulme). The posting also links to Adrienne Felt’s Facebook security work.

Our paper, Privacy Protection for Social Networking Platforms by Adrienne Felt and David Evans is now available [PDF]. Adrienne Felt will present the paper at the Web 2.0 Security and Privacy 2008 (in conjunction with 2008 IEEE Symposium on Security and Privacy) in Oakland, CA on May 22, 2008.

Abstract

Social networking platforms integrate third-party content into social networking sites and give third-party developers access to user data. These open interfaces enable popular site enhancements but pose serious privacy risks by exposing user data to third-party developers. We address the privacy risks associated with social networking APIs by presenting a privacy-by-proxy design for a privacy-preserving API. Our design is motivated by an analysis of the data needs and uses of Facebook applications. We studied 150 popular Facebook applications and found that nearly all applications could maintain their functionality using a limited interface that only provides access to an anonymized social graph and placeholders for user data. Since the platform host can control the third party applications’ output, privacy-by-proxy can be accomplished by using new tags and data transformations without major changes to either the platform architecture or applications.

Full paper (8 pages): [PDF]
Project Website

[Added 25 May]: Talk slides (by Adrienne Felt): [PDF]

The Associated Press has an article by Martha Irvine, Social networking applications can pose security risks, that is based on Adrienne Felt’s analysis of Facebook platform privacy.

Still, it’s an honor system, says Adrienne Felt, a computer science major at the University of Virginia. A Facebook user herself, she decided to research the site’s applications and even created her own so she could see how it worked.

Most of the developers Felt polled said they either didn’t need or use the information available to them and, if they did, accessed it only for advertising purposes.

But, in the end, Felt says there’s really nothing stopping them from matching profile information with public records. It also could be sold or stolen. And all of that could lead to serious matters such as identity theft.

“People seem to have this idea that, when you put something on the Internet, there should be some privacy model out there — that there’s somebody out there that’s enforcing good manners. But that’s not true,” Felt says.

(Note: there wasn’t actually any “polling” of developers, just examining what applications do to determine how they appeared to use information.)

The story has been picked up by some other places including BusinessWeek, CNNMoney (From games to virtual gifts, social networking applications popular — but at what risk?), Forbes, International Herald Tribune, National Public Radio, San Jose Mercury News, Philadelphia Inquirer, Las Vegas Sun, Fort Worth Star-Telegram, Houston Chronicle, San Francisco Chronicle, Seattle Post-Intelligencer, MyFOX, and The Sydney Morning Herald.

The Colorado Daily wins the best title award for MySpace is your space (and yours, and yours…) (but its the same story).

Pantagraph (Central Illinois) has it currently as their top article and includes a picture their front page.

[Added 2 May] Yahoo! News has this slide show.

[Added 13 May] Pew Internet and American Life Project has a post on this: Securing Private Data from Network ‘Zombies’ by Mary Madden.

Chris Soghoian has a new article, Hackers target Facebook apps, March 27, 2008, that follows up his earlier article about Adrienne Felt’s analysis of privacy issues for the Facebook platform. Unsurprisingly, many Facebook applications are written without basic security protections; since they have access to private user data, flawed (but not intentionally malicious) Facebook applications can be exploited to compromise other user accounts.

Our paper on supporting untrusted content in aggregated web pages is now available:

• Adrienne Felt, Pieter Hooimeijer, David Evans, Westley Weimer. Talking to Strangers Without Taking Their Candy: Isolating Proxied Content. First International Workshop on Social Network Systems, Glasgow, Scotland, April 2008. (PDF, 6 pages)

Adrienne Felt will present the paper in Glasgow in April 1.

Abstract
Social networks are increasingly supporting external content integration with platforms such as OpenSocial and the Facebook API. These platforms let users embed third-party applications in their profiles and are a popular example of a mashup. Content integration is often accomplished by proxying the third-party content or importing third-party scripts. However, these methods introduce serious risks of user impersonation and data exposure. Modern browsers provide no mechanism to differentiate between trusted and untrusted embedded content. As a result, content providers are forced to trust third-party scripts or ensure user safety by means of server-side code sanitization. We demonstrate the difficulties of server-side code filtering — and the ramifications of its failure — with an example from the Facebook Platform. We then propose browser modifications that would distinguish between trusted and untrusted content and enforce their separation.

Full Paper

Dr. Dobb’s has an article on Adrienne Felt’s work: Privacy, Security, and Social Networking APIs

Do social networking users need to worry about privacy and security? You bet, says CS student.

Facebook, the social networking platform that has redefined communications, has millions of users. And according to University of Virginia computer science major Adrienne Felt, all of these users should be concerned about security.

… Felt’s goal is to make users more aware of how their private information is being used — and to close this privacy loophole.

She has developed a privacy-by-proxy system — a way for Facebook to hide the user’s private information, while still maintaining the applications’ functionalities. Under Felt’s system, at the point at which the Facebook server is communicating with the application developer’s server, the Facebook server would provide the outside server with a random sequence of letters instead of the user’s name (and other personal information).

CMU’s newspaper, The Tartan has an article on Adrienne Felt’s facebook platform privacy work: Study shows dangers in Facebook apps, The Tartan, 11 February 2008.

Each day, students are bombarded with requests to become a Greek god, a Disney princess, and the biggest brain — on Facebook, that is. Over 15,000 Facebook applications exist today, offering a variety of capabilities to the social networking website. However, according to a new study from the University of Virginia, users risk losing their privacy by simply rating their 10 hottest friends or discovering their ideal desperate housewife.

It even includes a comic featuring nudity!

[Added 23 Feb] Cornell’s The Ithacan also has an article: Facebook applications access personal information, February 21, 2008.

Jonathan Zittrain, Professor of Internet Governance and Regulation at the Oxford Internet Institute, has an interesting blog post about Adrienne Felt’s work on Facebook platform privacy: Should Facebook preemptively protect users against rogue apps?.

It is worth reading the whole article, but here are a few excerpts:

Enterprising UVa senior Adrienne Felt has developed an intriguing argument about privacy for Web 2.0 apps like those on the Facebook development platform. It will get lots of news coverage, much of it boiling down to reports that don’t capture the richness of the problem.
…
But there is another difference at work: partly because of technology and partly because of historical inertia, Facebook can more obviously be asked to play a gatekeeper role with its apps than an OS maker can with its desktop apps. Felt’s solution to the problem she identifies is to have Facebook run interference — serve as a proxy — between most apps and the data they presumably don’t really need. The app can say to Facebook, “Display the user’s birthday in the upper right corner of the screen,” without having to know the user’s birthday. Only in a few instances, they say, must an app really access the data in order to work.
…
Social networks are rightly recognized as powerful, even transformative. The ability for unaccredited third parties to write apps that users can run to access their data and do cool things with it further leverages their power. The wild card of the platform makers’ power over those apps creates a range of options simply not available to the OS makers that preceded Web 2.0, and being put out of business by it.

From Study Finds Privacy Lapse in Facebook Apps, The Harvard Crimson, 8 February 2008:

Playing Jetman on Facebook.com may cause you to lose more than just the game. Your private information is also at stake.

Facebook application developers—who can be anybody—are unnecessarily given full access to both users’ and their friends’ private information, according to a University of Virginia study.