Sunday, July 1, 2007

Student Paper: Facebook: Threats to Privacy

Facebook: Threats to Privacy
Harvey Jones, Jose Hiram Soltren
December 14, 2005

An exemplary paper by students who enrolled in and completed
MIT 6.805/STS085: Ethics and Law on the Electronic Frontier
Fall 2005
[http://www-swiss.ai.mit.edu/6.805/student-papers/fall05-papers/student-papers.html]

Abstract
End-users share a wide variety of information on Facebook, but a discussion of the privacy implications of doing so has yet to emerge. We examined how Facebook affects privacy, and found serious flaws in the system. Privacy on Facebook is undermined by three principal factors: users disclose too much, Facebook does not take adequate steps to protect user privacy, and third parties are actively seeking out end-user information using Facebook. We based our end-user findings on a survey of MIT students and statistical analysis of Facebook data from MIT, Harvard, NYU, and the University of Oklahoma. We analyzed the Facebook system in terms of Fair Information Practices as recommended by the Federal Trade Commission.

In light of the information available and the system that protects it, we used a threat model to analyze special privacy risks. Specifically, university administrators are using Facebook for disciplinary purposes, firms are using it for marketing purposes, and intruders are exploiting security holes. For each threat, we analyze the efficacy of the current protection, and where solutions are inadequate, we make recommendations on how to address the issue.

Contents
1 Introduction

2 Background

2.1 Social Networking and Facebook
2.2 Information that Facebook stores

3 Previous Work

4 Principles and Methods of Research
4.1 Usage patterns of interest
4.2 User surveys
4.3 Direct data collection
4.4 Obscuring personal data
4.5 A brief technical description of Facebook from a user perspective
4.6 Statistical significance

5 End-Users' Interaction with Facebook
5.1 Major trends
5.2 Facebook is ubiquitous
5.3 Users put time and effort into profiles
5.4 Students join Facebook before arriving on campus
5.5 A substantial proportion of students share identifiable information
5.6 The most active users disclose the most
5.7 Undergraduates share the most, and classes keep sharing more
5.8 Differences among universities
5.9 Even more students share commercially valuable information
5.10 Users are not guarded about who sees their information
5.11 Users Are Not Fully Informed About Privacy
5.12 As Facebook Expands, More Risks Are Presented
5.13 Women self-censor their data
5.14 Men talk less about themselves
5.15 General Conclusions

6 Facebook and "Fair Information Practices"
6.1 Overview
6.2 Notice
6.3 Choice
6.4 Access
6.5 Security
6.6 Redress

7 Threat Model
7.1 Security Breach
7.2 Commercial Datamining
7.3 Database Reverse-Engineering
7.4 Password Interception
7.5 Incomplete Access Controls
7.6 University Surveillance
7.7 Disclosure to Advertisers
7.8 Lack of User Control of Information
7.9 Summary and Conclusion

8 Conclusion
8.1 Postscript: What the Facebook does right
8.2 Final Thoughts
8.3 College Newspaper Articles

9 Acknowledgements
9.1 Interview subjects

[Appendixes]
A Facebook Privacy Policy
B Facebook Terms Of Service
C Facebook "Spider" Code: Acquisition and Processing
C.1 Data Downloading BASH Shell Script
C.2 Facebook Profile to Tab Separated Variable Python Script
C.3 Data Analysis Scripts
D Supplemental Data
E Selected Survey Comments
E.1 User Feedback
F Paper Survey

Source
[http://www-swiss.ai.mit.edu/6805/student-papers/fall05-papers/facebook.pdf]
