For my first post here, I decided to go
with a rather simple topic that has been exhausted numerous times
before. It’s time for another one of those blog posts describing the
tracking mechanisms employed by social networks. For an added twist,
consider the number of social widgets which are present on this site and
realize that if you are not careful, your actions here can be linked
back to your real identity.
Few of the groups which track users online have gained as much notoriety as
Facebook has. Facebook Inc. has been widely criticized for the lack of
privacy settings within its social network. Every status update and
every post you like within Facebook contributes to a massive stash of
information which is collected about you detailing everything from your
location to your preferences (a treasure trove for advertisers and governments).
A quick look at the Wikipedia page “Use of social networks in investigations”
will turn up numerous cases where data from social networks was used
against the people who posted it. Here are some highlights:
- In December 2006, campus police at the University of North Carolina at Wilmington were investigating the theft of two PlayStation consoles, which had been stolen by the two perpetrators of a beating and robbery on campus. They planned to raid the rented house of Peyton Strickland, an 18-year-old student at nearby Cape Fear Community College. They discovered that the other alleged robber, Ryan Mills, had posted photographs of himself on Facebook in which he posed with guns. Expecting “heavily armed resistance” at Strickland’s house, the officers called in a SWAT team for backup to raid Strickland’s house. When they arrived at the residence, which three students rented, they were not immediately let in. As one officer began to break down the door with a battering ram, another officer mistook the sound of the battering ram for gunshots and shot through the glass door multiple times, killing the unarmed Strickland and his dog.
- In response to the monitoring [of Facebook], some students have begun to submit “red herring” party listings. In one case at George Washington University, students advertised their party and were raided by campus police. The police found only cake, no alcohol, and later claimed the dorm raid had been triggered by a noise complaint.
- In October 2005, sophomore Cameron Walker was expelled from Fisher College in Boston for comments about a campus police officer made on Facebook. These comments, including the statement that the officer “loves to antagonize students…and needs to be eliminated,” were judged to be in violation of the college’s code of conduct.
It is also worth your time to review Facebook’s laughable policy on law enforcement. The EFF has a better (and objective) report on social networks and law enforcement (PDF)
which describes the policy of Facebook as well as Twitter, MySpace,
MSN, Yahoo, Craigslist, PayPal, and some other, less popular websites.
Even this blog does not escape the peering eyes of Facebook. Don’t believe
me? Look at this page’s source code! At the time I wrote this, a Facebook
iframe element is included in the page. The src attribute for the
iframe sets it to load content from facebook.com over an unencrypted
HTTP connection. The scary part is that the URL set on the iframe also
includes some other data to facilitate the “like” function which lies at
the core of Facebook’s business model. The URL contains the exact address
of the page which was read on this blog and the same is true for a vast
number of pages across the internet.
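A site owner can check their own pages for this pattern. The following is an added example, not code from this blog: it lists third-party embeds in a page's HTML and flags those loaded over plain HTTP and those whose URL carries the address of the page being read. The page URL and the HTML snippet are constructed sample input modelled on the iframe described above.

```javascript
// Added example: list third-party embeds in a page and flag the two problems
// described above. PAGE_URL and SAMPLE_HTML are constructed sample input.
const PAGE_URL = "http://blog.example/2012/05/social-tracking.html";
const SAMPLE_HTML = `
<img src="/static/logo.png">
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example%2F2012%2F05%2Fsocial-tracking.html&amp;layout=standard"></iframe>
<script src="https://cdn.example.net/lib.js"></script>
<img src="http://stats.example.org/p.gif" width="1" height="1">
`;

// A regex is enough for an audit sketch; use a real HTML parser for
// production scanning (this misses unquoted attributes and script-built tags).
const EMBED_RE = /<(iframe|img|script)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

function auditEmbeds(html, pageUrl) {
  const page = new URL(pageUrl);
  const pageAddress = page.hostname + page.pathname;
  const findings = [];
  for (const [, tag, rawSrc] of html.matchAll(EMBED_RE)) {
    // Undo the HTML entity for "&" and resolve relative URLs against the page.
    const url = new URL(rawSrc.replace(/&amp;/g, "&"), page);
    if (url.hostname === page.hostname) continue; // first-party resource
    findings.push({
      tag: tag.toLowerCase(),
      host: url.hostname,
      // Sent without TLS: readable by anyone on the network path.
      cleartext: url.protocol === "http:",
      // searchParams decodes percent-encoding, so an encoded page URL is caught.
      leaksPage: [...url.searchParams.values()].some((v) => v.includes(pageAddress)),
    });
  }
  return findings;
}

for (const f of auditEmbeds(SAMPLE_HTML, PAGE_URL)) {
  console.log(`${f.tag} -> ${f.host} cleartext=${f.cleartext} leaksPage=${f.leaksPage}`);
}
```

An embed whose URL does not contain the page address can still reveal it through the Referer header the browser sends; this check covers only the URL itself.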
But the tracking does not stop there. Social widgets are embedded into websites that
many people visit every day. News articles, blogs, software websites,
and the list goes on… As we continue to experience the expansion of this
data collection, it is vital that we ask ourselves what data these
tracking and advertisement platforms really need to know. What would
happen if the government in your country decided that news articles
which were critical of the dictator should not be read? Would they be
able to find out who accessed these articles by asking Facebook? This
action is blatantly unacceptable, but it could happen.
Here at the ProjectX Blog we must also consider the security implications of
this tracking. What would happen if Facebook was hacked? Do you want
all the data Facebook has on you to become available to anyone with the
technical know-how to run Metasploit? I would like to think that
Facebook is more secure than that, but what about the increasing risk of
governments in the cyber realm? Although we are far from “cyber
warfare,” it is likely that governments both foreign and domestic have
the power to infiltrate the systems of these social networks. And
finally, what about spying operations enacted by agencies such as the
NSA? At the time I wrote this, the Facebook widget on this blog is still
using an unencrypted connection which would allow for trivial
interception by the government or even by Tor exits which might be
monitoring traffic.
Do not despair. There are actions you can take to protect yourself from these all-knowing corporations.
Protecting Yourself
- The first and most important rule is to be wary of everything you post on Facebook. Think about the privacy implications it might have if it would fall into the wrong hands.
- Tools such as HTTPS Everywhere and NoScript are available. HTTPS Everywhere will make sure that requests to Facebook are sent using SSL (preventing government surveillance). NoScript prevents unauthorized scripts from running on your computer. Scripts allow for increased data collection, such as the length of your visit on each page and information about your browser which can be used to identify you again at a later time (even if you delete cookies).
- Even with NoScript, you can still be tracked. Many trackers include fallback options which might load a 1×1 pixel image from a tracking server. When your browser makes this request, information such as your IP address, browser version, and time of visit may be collected. Ghostery might be able to help with this (and it can take out those nasty cookies). This add-on is also available for Google Chrome.
- Tor is another great tool to prevent your IP address and location from being leaked to other websites. However, Tor cannot do much to protect you if you provide your name and address to Facebook willingly.
- Depending on your browser, you might have the option to send a “Do not track” header on your requests. The EFF has been tracking the evolution of this technology and online advertisers are attempting to work out a standard for it. If you operate your own website, you should take a look at Mozilla’s Do Not Track guidelines. You can check if a visitor has Do Not Track enabled by looking for the “DNT” HTTP header.
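For site operators, the DNT check from the last item can look like the following added example, which is not code from this blog or from Mozilla's guidelines. The policy it applies (replace the embedded widget with a plain HTTPS link when DNT is 1) and the host `social.example` are assumptions made for illustration.

```javascript
// Added example: read the DNT request header and decide whether to embed a
// third-party widget. "social.example" and the policy are assumptions.

// Returns "opt-out" for DNT: 1, "consent" for DNT: 0, "unset" otherwise.
function dntPreference(headers) {
  // Header names are case-insensitive. Node lower-cases them, but other
  // frameworks may not, so normalise before comparing.
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "dnt") {
      const v = String(value).trim();
      if (v === "1") return "opt-out";
      if (v === "0") return "consent";
    }
  }
  return "unset";
}

function renderShareBlock(headers, pageUrl) {
  const target = encodeURIComponent(pageUrl);
  let body;
  if (dntPreference(headers) === "opt-out") {
    // Plain link: the third party is contacted only if the visitor clicks,
    // and rel="noreferrer" keeps the Referer header out of that request.
    body = `<a rel="noopener noreferrer" href="https://social.example/share?u=${target}">Share</a>`;
  } else {
    // Widget is still loaded over HTTPS so the page address is not sent in cleartext.
    body = `<iframe src="https://social.example/widget?href=${target}"></iframe>`;
  }
  // The response differs by DNT, so shared caches must key on that header;
  // otherwise one visitor's variant is served to everyone.
  return { headers: { Vary: "DNT" }, body };
}

const demo = renderShareBlock({ DNT: "1" }, "http://blog.example/post");
console.log(demo.headers, demo.body);
```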
Other Links
- Criticism of Facebook (Wikipedia)
- Government monitoring of social networks (EFF)
- Identity Companies: Paid to know about you (New York Times)