Risk
6/17/2010
03:31 PM
50%
50%

Facebook Rebukes Privacy Groups

The social network argued that the steps it recently took to simplify information sharing are sufficient to protect users' privacy.

Facebook quickly responded to an open letter that a coalition of consumer privacy advocates sent Wednesday urging the online social network to take what the organizations see as critical steps to protect Facebook users' personal information.

In its rebuttal, Facebook reminded the coalition that last month it simplified procedures for controlling information sharing. The site also said it was willing to continue talking to advocacy groups and others "in a constructive dialogue about these important issues."

The coalition claims Facebook doesn't provide users with enough control over which applications on and off the site access their personal data. The group also wants Facebook to make its "instant personalization" feature an opt-in service and to use HTTPS, an Internet security protocol, for all communications by default.

Facebook's instant personalization tool shares members' profile information with third-party Web sites that are partners of Facebook. Members criticized Facebook for launching the feature without sufficient notification.

Privacy advocates contend the site should change the feature from opt-out to opt-in, meaning users should have to agree to have their information shared in advance. Facebook has rejected an opt-in strategy, focusing instead on making the procedure to block information sharing easier.

In their letter, the coalition also urged Facebook to provide users with control "over every piece of information they can share via Facebook, including their name, gender, profile picture, and networks." The group also wants Facebook users to have simple tools for taking all of their information and details of their social network off the site and to another service.

Facebook's rebuttal lists the company's steps in making it easier for users to hide information from all third-party applications and Web sites. The only information that can't be shut off is "the same information that anyone could access simply by going to a Facebook user's profile." Such information includes name, profile picture, gender, and social networks.

As to allowing users to move all personal information off the site, including details of their social networks, Facebook said that would not respect the information that others shared with that person.

"We don’t allow exporting of content that is created by others because it doesn't respect the decisions users make on Facebook about how to share their data," Facebook said. However, the site said it imposes no restrictions on people exporting content that they have posted themselves on Facebook.

The ongoing debate between Facebook and privacy advocates goes beyond a simple tit for tat. In May, 15 such organizations filed a complaint with the Federal Trade Commission and sent a letter to Congress claiming Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection laws.

In addition, Congress is looking at privacy protections on Facebook and other social networks to determine whether more government regulation is necessary.

The groups signing the Wednesday letter include the ACLU of Northern California, the Center for Democracy and Technology, the Center for Digital Democracy, Consumer Action, Consumer Watchdog, the Electronic Frontier Foundation, the Electronic Privacy Information Center, Privacy Activism, Privacy Lives, and the Privacy Rights Clearinghouse.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8148
Published: 2015-01-26
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

CVE-2014-8157
Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

CVE-2014-8158
Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-9571
Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

CVE-2014-9572
Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.