New Facebook Connect: Federated Identity Or Privacy Nightmare?

New service carries Facebook profile to other Websites

Dark Reading Staff, Dark Reading

December 5, 2008

Social networking giant Facebook this week quietly launched its new Connect service -- a feature that lets members use their Facebook identity and profile to reach other Websites.

The idea is to provide Facebook users a seamless connection between their Facebook accounts and information on Websites that participate in Connect. Among those sites so far are CBS, the Discovery Channel, Digg, Twitter, Evite, Socialthing, StumbleUpon, the San Francisco Chronicle, and Geni.

If successful, Connect could represent the first large-scale implementation of a federated identity model, security experts say. "That's what it comes down to," says Michael Argast, a security analyst with Sophos. "There has been a big push over the past three or four years for identity 2.0. Microsoft made a big push with Passport, but it never took off...Nobody has been successful [in federated identity]."

But if Connect takes off, it could represent a great, big federated identity experiment. Facebook has more than 120 million users, he notes. "If it catches on, it will be big. The downside is that Facebook's [approach] is proprietary," he says.

Connect lets Facebook users bring their real identity information with them around the Web, including their profile and photo, name, friends, photos, events, groups, etc. They basically "take" their friends with them. But spreading profile information outside of Facebook also raises some privacy concerns, experts say -- although Facebook lets users set controls for what those sites linked via Connect can see.

Amanda Lenhart, senior research specialist at the Pew Internet & American Life Project, blogged that Connect, like similar tools from MySpace and Google, doesn't address the separation between users' online and offline identities. "In the offline world, we don't present ourselves in the same way to all people in our lives. We show different sides of ourselves to our mothers, our friends, our employers," Lenhart wrote. "Is it OK for my co-worker or professional colleague to know that I was watching a video yesterday? Or that I shopped at the Discovery Kids Website? Do I want them to know that about me? And what about my child who uses these services?"

And because Facebook doesn't provide nonrepudiation of a user's identity, it leaves the door open for imposters and other malicious activity across the sites, according to Jon Brody, vice president of marketing for TriCipher. "Facebook takes no pains to see you are who you say you are," he says. "A user isn't really well-vetted, so there's really very little value in their identity, per se."

The good news is that Facebook isn't technically using the same username and password of its users for Connect, Sophos' Argast notes. "They create a unique username and password to the site you're connecting with...they are not sharing your username and password," he says. This is all invisible to the user, he adds.
