Monday, 24 September 2007

Facebook's Privacy Policy

A Facebook enthusiast recently asked me why I "hated" Facebook so much. Well, I don't hate Facebook at all, and I have never posted or said such a thing; however, I have to say I am not mad keen on the idea of the site and where it might be heading. Let's take Facebook's privacy policy for instance: it is over 3,500 words in length and carries the little caveat of “We reserve the right to change our Privacy Policy and our Terms of Use at any time.” Given that statement, you have to ask yourself whether you can trust Facebook with your private data. Their policy is well worth a read if you are a user of the site.

http://www.facebook.com/policy.php

So there are no restrictions or guarantees on how Facebook can use the huge amount of personal user data it has built up in recent times, and some might say most of the company’s high valuation is based on the marketability of this data.

Then there is the old fundamental flaw of all social networking sites: there isn’t any identity validation, so anyone can pretty much pretend to be anyone. Just how many people have huge and unmanageable lists of “friends”, “friends” they just don’t know or have never met? Putting aside the issue of your personal information being available to complete strangers, in July spammers successfully used Facebook to create realistic profiles resembling ordinary users, persuaded people to accept them as friends, and then hit their inboxes with spam. I understand Facebook internal spam is on the rise at the moment.

I’m not saying social networking sites are all doom and gloom; they have their uses and a place in the business and social worlds. But just be careful how you use them, especially who you accept as a “friend” and what you post about yourself, as it could come back to haunt you!

2 comments:

Tyler Reguly said...

Seriously Dave... again?

How about the portion of the privacy policy that you left out?

"If we make changes, we will post them and will indicate at the top of this page the policy's new effective date. If we make material changes to this policy, we will notify you here, by email, or through notice on our home page."

How about Microsoft's Privacy Policy?

"We will occasionally update this privacy statement to reflect changes in our services and customer feedback. When we post changes to this Statement, we will revise the "last updated" date at the top of this statement. If there are material changes to this statement or in how Microsoft will use your personal information, we will notify you either by prominently posting a notice of such changes prior to implementing the change or by directly sending you a notification."

Or Google's

"Please note that this Privacy Policy may change from time to time. We will not reduce your rights under this Policy without your explicit consent, and we expect most such changes will be minor. Regardless, we will post any Policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Policy changes)."

Wow... you mean privacy policies are fairly common across the board? Who'd have thunk it...

Seriously, I don't know what you're trying to accomplish... You label me a "Fanboy" (which I'm anything but)... I just dislike seeing FUD spread... You've pointed out nothing here except that every major online entity has a similar privacy policy.

Dave Whitelegg CISSP said...

In response to Comments:
1. Yes again (and again) ;)

2. I posted a link to the whole policy to be fair. It's good they notify you, but what if you forget about your account and change your email? It does happen. I still don't think it's right they can just change their minds on the fly and use all the private information collected for anything they want, and I think it's right people should be aware of that policy. Ideally I'd love to see some sort of protection against ever disclosing private user information.

3. To be fair, I’ve blogged about Google's and Microsoft’s poor privacy in the past; the fact is Microsoft and Google have fallen foul of European privacy laws. I’m not talking about all that anti-trust stuff, but privacy. I remember the “Microsoft Passport” privacy issue several years back; the EU basically made M$ change it due to privacy concerns, while Google recently had to change their policy on data retention within the EU from 2 years to 18 months. There was a fairly big fuss about that, and still is. EU privacy law stuff...

http://www.edri.org/issues/privacy

I don’t know why you are so against what I’m saying; perhaps it’s just a culture thing, I don’t know. But I do know a lot of the security people in the industry I speak with tend to agree with what I’m saying and are equally concerned.

Listen, if you really want to have a go at someone over privacy and propagating "FUD" on the net etc. (if you think my point of view is bad), check this guy’s blog out:

www.spy.org.uk/spyblog

He has vastly more followers than this site, and would probably be a better target, and perhaps offer a deeper discussion on the privacy topic than here. I really don't want to drill too deep into privacy over the next few days, but focus on identity theft more.

4. I don't recall labelling anyone as a "Fanboy"; I really try hard to avoid ever "having a go" at individuals.

5. Trying to accomplish? It's at the top of the blog: "...providing general Information Security advice & help in securing the home PC & home computer user". Listen, if what I say isn't your cup of tea and really bothers you, just don't subscribe, or if you are looking for someone to challenge your privacy views, try the spyblog. However, I am always thankful for any comments by readers, whether I like/agree with them or not; it's only right that all points of view should be considered, hence why I have the option of comments on all my blog postings.