Facebook: 200 million members…or potential targets?
April 9, 2009 - By Justin E. Gehrke
By Justin E. Gehrke, CISSP, CIWSP, MCSA, CompTIA Project+/Security+/A+
Okay, I’m beginning to feel like the lone skeptic. Am I the only one left who still sees more dangers than benefits to social networking? As a security-focused IT professional, I remember Facebook’s birth in 2004. As I reviewed it, I also remember wondering if it was a tool that cyber-criminals or malicious users would embrace to further their arduous (if not truly evil) efforts. Though I recognized it as a technical innovation with a good degree of potential, no one could have imagined the size to which it would grow in such a short time. As it grew, third-party developers were able to create add-ins to increase the scope of its use. As could be expected, users embraced the ability to chat, post messages, share photographs and video, and much more…all in one place.
On April 8, 2009, Facebook, Inc. announced the arrival of its 200,000,000th citizen. In his celebratory blog regarding the impending arrival of Facebook’s 200 millionth member, Mark Zuckerberg, Facebook CEO, wrote, “At Facebook, we want to build the best service in the world for people to connect with and share everything that is important to them, whether day-to-day or world-changing.” In a sense, one can say that they have succeeded. Let’s put it in perspective. A visit to and quick query within the U.S. Census Bureau’s website shows Indonesia as the world’s fourth most populated country, with its estimated 240,271,522 citizens. Brazil follows as the fifth most populated country, with an estimated 198,739,269 citizens. Why is this important? To truly understand the scope of what Facebook has grown into, one could theoretically say that, if Facebook were a country, it would have pushed Brazil to number six. While one cannot be certain how Brazil would feel about this, both the IT community and regular users alike recognize this as astronomically impressive growth.
So what has really been accomplished with Facebook? Let’s go down the list:
Social networking capability?
Check!
Instant communications capability from computers, PDAs, and mobile phones?
Check!
Reconnection to long-lost friends?
Check!
Sharing of photographs?
Check!
Wait…put a brake on the cyber-exuberance. Let’s take a closer look at that “photograph” checklist item. As is the case with all good things, though, someone will find a way to complicate success. I admit that I use several websites to privately share photographs with family and friends. It is a fact that Facebook allows one to control what information, photographs, etc. Why should Facebook users beware of something as simple as a photograph? Recently, there was a well-publicized incident where a Facebook account was created, by one vengeful employee, posing as another employee whom they disliked. The motive? Revenge! The impostor created an entire profile with likes/dislikes, added friends (who thought their friend was really in Facebook), photographs, etc. Then, the impostor used that forum to post derogatory comments about the person’s employer. The end result was that the information was provided (by whom I wonder?) to the employer, who promptly proceeded to terminate the employee. Of course the media failed to follow through on whether or not this horrible scheme succeeded. What is important here, though, is discerning what the average user can learn from the situation. In a case such as this, how does one prove their innocence, if Facebook has no method to verify the identity of someone registering in the website? For obvious privacy reasons, there is no request to provide personally identifiable information (e.g. SSN) to Facebook when registering.
The second scenario posed herein is, to the best of my knowledge, a hypothetical one. Company X, a vendor of religious publications, has a group of new salespersons that are in training. After working hours, the group of trainees, some of whom are still wearing their company badges, meet in a local bar. During the course of their celebration, photographs are taken to remember the good time. Within the next several days, the photographs are posted to a Facebook profile with a title “Company X Knows How to Party”. A Facebook “Friend” who was not in attendance sees the published photographs. This person saves the photograph to their hard drive and emails it to a friend who works in the same company, who in turn passes it on to management. Appalled at the thought that these photographs could hurt their company’s image and sales, the trainees are terminated. Were the employees within their legal rights to drink at a bar? Of course! Should they have been wearing company badges or posted the photographs with the company’s name? Definitely not! Did their action constitute a violation of company ethics? That is a moral dilemma, better left to the reader to ponder. The bottom line is that the company has a right to act to ensure its reputation remains intact.
There are two important points here. The first is that any photographs you publish may find their way to a third or fourth party, without your knowledge. The second is that the people in the photographs sometimes have no idea that their likeness was posted to Facebook. If they are aware, can they have it removed? The easy way would be to ask the person who posted it to remove it. What if they refuse? Is there any administrative resource to request it through Facebook? Even if it is removed, is it really gone? Someone may have already downloaded the photograph and posted it elsewhere on the web. Couple the above scenarios with the numerous instances of malicious use (e.g. the Facebook online Scrabble malicious attack, the proliferation of “maladvertisements”, the inundation of Facebook inboxes with links to worm-laden websites, etc.) and one is again reminded that users of Facebook, Twitter, and other social networking sites must remain constantly aware of their cyber-environment. While malicious code, infected links, and other cyber-dangers are not exclusive to Facebook, the sense of community often creates a false sense of security among users. Couple this with the fact that many users still do not apply regular operating system updates or maintain up-to-date antivirus and firewall applications on their home computers, and you have a situation that puts users at significant risk.
In the end, don’t misinterpret the message. This article is not about bashing Facebook. I recognize its attractiveness, popularity, and entertainment value. I do, however, question its true value to the lives of its members. Ultimately, this article is not intended to advise users on how to configure Facebook to ensure their security is enhanced. It is also not intended to advise users on how to react to unauthorized posting of photographs with their likeness in them. The intent herein is to raise user awareness, for the purpose of protecting both the user and his or her family. As the number of Facebook users continues to soar, one is brought back to the question initially posed. What is the value added to one’s life through the use of social networking sites? Does one become smarter or better informed? Does it really increase the bonds of friendship and family? Alternatively, does the negative outweigh the positive? Is the random posting of personal likes/dislikes, photographs, and activities simply a source for criminals or personal enemies to profile, stalk, gain financially, or simply plot to ruin the life of another? It is up to each individual user to determine if the benefits of social networking outweigh the potential negatives. As the number of social networking websites and users increases, these questions and many more will be raised. Hopefully, the evolution of common sense will keep up with the rate of technological change! In the end, only time will tell.
Justin E. Gehrke is the founder of Geek Shui Living and an admitted obsessive-techno-compulsive who loves all things Geek. As a right and left-brained, packet-based being, he is available for independent consulting in the areas of IT and Network Security planning and testing, as well as web development and creative design. Feedback is always welcome, so feel free to send him your packets via the Geek Shui Living Contact page.





