Facebook's 'man in the middle' attack on our data

Is Facebook secretly using your data for nefarious purposes? Privacy advocate Eben Moglen says yes.


I presented [that information] there as a rapid illustration of the underlying principle that Facebook causes people to do *ecological* harm by collaboratively destroying one another's privacy.  The point is that by sharing with our actual friends through a web intermediary who can store and mine everything, we *harm* people by destroying their privacy *for* them. It's not the sharing that's bad, it's the technological design of giving it all to someone in the middle. That is at once outstandingly stupid and overwhelmingly dangerous.

Moglen likens Facebook to a hacker who launches a “man in the middle” (MITM) attack -- intercepting an apparently private communication between two parties and using that information for his own nefarious purposes.

For example: Let’s say you have an insecure WiFi connection. You log onto your bank and decide to transfer money between your checking and savings account. Unbeknownst to you, an attacker is sitting in an unmarked van outside your house sniffing your WiFi traffic. He could then redirect you to a site he controls that looks just like your bank’s Web site, and act like an invisible phone operator – capture your logins, access your account at the bank, perform the transactions you request, and relay back information that your transaction has been completed.

As far as you and the bank know, everything went as it should. But now Mr. MITM has all of your information and can log back in later to drain your account.
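The scenario above is easy to model in a few lines. The following is an added example, not code from the article or from anyone it quotes: a toy bank, a client, and an interceptor that relays every message to the real bank while recording what passes through. It shows why a plain password login leaks the credential to the relay (and can be replayed later, exactly as the paragraph describes), and why a login that binds the response to the hostname the client actually connected to fails when that hostname is the interceptor's lookalike site. Hostnames, the user, the password and the key derivation are constructed for the demo; in practice this binding is what TLS server authentication provides, so the model is a simplification of that idea rather than a protocol anyone deploys as written.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demonstration (not from the article).
BANK_HOST = "bank.example"             # the real bank's hostname
LOOKALIKE_HOST = "bank-login.example"  # the interceptor's lookalike site
USER = "alice"
PASSWORD = b"correct horse battery staple"


def derive_key(password):
    """Derive a per-user key from the password; the bank stores only this."""
    return hashlib.sha256(password).digest()


class Bank:
    """The real bank: accepts a plain password or a host-bound challenge response."""

    def __init__(self, host, users):
        self.host = host
        self.users = users              # user -> derived key
        self.issued_nonces = set()      # outstanding single-use challenges

    def password_login(self, user, password):
        stored = self.users.get(user, b"")
        return hmac.compare_digest(derive_key(password), stored)

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.issued_nonces.add(nonce)
        return nonce

    def bound_login(self, user, server_nonce, client_nonce, tag):
        if server_nonce not in self.issued_nonces:
            return False                # replayed or forged challenge
        self.issued_nonces.discard(server_nonce)   # each challenge is single use
        # The bank binds the expected tag to ITS OWN hostname.
        msg = server_nonce + client_nonce + self.host.encode()
        expected = hmac.new(self.users[user], msg, "sha256").digest()
        return hmac.compare_digest(expected, tag)


class Interceptor:
    """The van outside the house: relays to the real bank and records everything."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []

    def password_login(self, user, password):
        self.captured.append(("password", user, password))
        return self.bank.password_login(user, password)

    def challenge(self):
        nonce = self.bank.challenge()
        self.captured.append(("challenge", nonce))
        return nonce

    def bound_login(self, user, server_nonce, client_nonce, tag):
        self.captured.append(("tag", user, server_nonce, client_nonce, tag))
        return self.bank.bound_login(user, server_nonce, client_nonce, tag)


def client_password_login(server, user, password):
    """Naive client: hands the raw password to whatever it is talking to."""
    return server.password_login(user, password)


def client_bound_login(server, host_connected_to, user, password):
    """Client that never sends the secret and binds its answer to the host it reached."""
    key = derive_key(password)
    server_nonce = server.challenge()
    client_nonce = secrets.token_bytes(16)
    msg = server_nonce + client_nonce + host_connected_to.encode()
    tag = hmac.new(key, msg, "sha256").digest()
    return server.bound_login(user, server_nonce, client_nonce, tag)


def demo():
    bank = Bank(BANK_HOST, {USER: derive_key(PASSWORD)})
    mitm = Interceptor(bank)

    # 1. Password login relayed through the interceptor still "works" for the
    #    victim, but the interceptor now holds the password and can replay it.
    relayed = client_password_login(mitm, USER, PASSWORD)
    leaked = any(c[0] == "password" and c[2] == PASSWORD for c in mitm.captured)
    replay = bank.password_login(USER, PASSWORD)   # "log back in later"

    # 2. Host-bound login succeeds directly, but through the lookalike host the
    #    tag was computed over the wrong name and the real bank rejects it.
    bound_direct = client_bound_login(bank, BANK_HOST, USER, PASSWORD)
    bound_via_lookalike = client_bound_login(mitm, LOOKALIKE_HOST, USER, PASSWORD)

    # 3. Replaying the captured tag fails too: the challenge was single use.
    _, user, sn, cn, tag = [c for c in mitm.captured if c[0] == "tag"][-1]
    tag_replay = bank.bound_login(user, sn, cn, tag)

    return {
        "password_relayed": relayed, "password_leaked": leaked,
        "password_replay": replay, "bound_direct": bound_direct,
        "bound_via_lookalike": bound_via_lookalike, "tag_replay": tag_replay,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately leaves out one thing: the binding only helps when the client refuses to hand over the raw secret and checks the name it connected to. A lookalike page that simply asks for the password still gets it, which is why the defence in the real world is the browser verifying the bank's certificate before any login form is trusted.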

Moglen is saying that this is essentially how Facebook operates. But is it really? I have a few problems with this metaphor. For starters:

* A true MITM attack happens without either party knowing about it. When’s the last time you used Facebook without knowing about it, or were forced to use it against your will?

* The attacker has a nefarious purpose in mind for your data. Moglen may argue that Facebook’s purposes are nefarious, but to me they’re pretty clear: They want to monetize your data by sending you targeted ads. Not quite the same as draining your bank account. 

* You have no control over the data the MITM attacker collects. You have some controls over what Facebook collects.

Where Moglen and I agree is when he talks about how other people can do you harm by sharing too much about you on Facebook. The clearest example is indiscriminate photo tagging, which ties into the whole face recognition question.

The fact is, anybody can add your name to a photo on Facebook and there’s nothing you can do about it. All you can do is keep these pictures off your own personal timeline and tell Facebook to not “suggest” that your friends tag you when it recognizes your mugshot.
