Risk
6/17/2010
03:31 PM
50%
50%

Facebook Rebukes Privacy Groups

The social network argued that the steps it recently took to simplify information sharing are sufficient to protect users' privacy.

Facebook quickly responded to an open letter that a coalition of consumer privacy advocates sent Wednesday urging the online social network to take what the organizations see as critical steps to protect Facebook users' personal information.

In its rebuttal, Facebook reminded the coalition that last month it simplified procedures for controlling information sharing. The site also said it was willing to continue talking to advocacy groups and others "in a constructive dialogue about these important issues."

The coalition claims Facebook doesn't provide users with enough control over which applications on and off the site access their personal data. The group also wants Facebook to make its "instant personalization" feature an opt-in service and to use HTTPS, an Internet security protocol, for all communications by default.

Facebook's instant personalization tool shares members' profile information with third-party Web sites that are partners of Facebook. Members criticized Facebook for launching the feature without sufficient notification.

Privacy advocates contend the site should change the feature from opt-out to opt-in, meaning users should have to agree to have their information shared in advance. Facebook has rejected an opt-in strategy, focusing instead on making the procedure to block information sharing easier.

In their letter, the coalition also urged Facebook to provide users with control "over every piece of information they can share via Facebook, including their name, gender, profile picture, and networks." The group also wants Facebook users to have simple tools for taking all of their information and details of their social network off the site and to another service.

Facebook's rebuttal lists the company's steps in making it easier for users to hide information from all third-party applications and Web sites. The only information that can't be shut off is "the same information that anyone could access simply by going to a Facebook user's profile." Such information includes name, profile picture, gender, and social networks.

As to allowing users to move all personal information off the site, including details of their social networks, Facebook said that would not respect the information that others shared with that person.

"We don’t allow exporting of content that is created by others because it doesn't respect the decisions users make on Facebook about how to share their data," Facebook said. However, the site said it imposes no restrictions on people exporting content that they have posted themselves on Facebook.

The ongoing debate between Facebook and privacy advocates goes beyond a simple tit for tat. In May, 15 such organizations filed a complaint with the Federal Trade Commission and sent a letter to Congress claiming Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection laws.

In addition, Congress is looking at privacy protections on Facebook and other social networks to determine whether more government regulation is necessary.

The groups signing the Wednesday letter include the ACLU of Northern California, the Center for Democracy and Technology, the Center for Digital Democracy, Consumer Action, Consumer Watchdog, the Electronic Frontier Foundation, the Electronic Privacy Information Center, Privacy Activism, Privacy Lives, and the Privacy Rights Clearinghouse.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!