Facebook's 'man in the middle' attack on our data
Is Facebook secretly using your data for nefarious purposes? Privacy advocate Eben Moglen says yes.
A few days ago I wrote a post asking whether Facebook was actively helping law enforcement track down bad guys using facial recognition technology. (The answer: Not really.)
I had to publish it before I got a response from Eben Moglen, the Columbia law professor and privacy advocate who inspired the post in the first place by telling New York Observer reporter Adrianne Jeffries that Facebook’s PhotoDNA technology was used “to find people for whom any law enforcement agency in the world is looking.”
Two things. First, I misspelled Moglen’s name (with an i instead of an e). So that’s embarrassing. Second: Moglen did get back to me after my post appeared and offered the following statement as a response.
I presented [that information] there as a rapid illustration of the underlying principle that Facebook causes people to do *ecological* harm by collaboratively destroying one another's privacy. The point is that by sharing with our actual friends through a web intermediary who can store and mine everything, we *harm* people by destroying their privacy *for* them. It's not the sharing that's bad, it's the technological design of giving it all to someone in the middle. That is at once outstandingly stupid and overwhelmingly dangerous.
Moglen likens Facebook to a hacker who launches a “man in the middle” (MITM) attack -- intercepting an apparently private communication between two parties and using that information for his own nefarious purposes.
For example: Let’s say you have an insecure WiFi connection. You log onto your bank and decide to transfer money between your checking and savings account. Unbeknownst to you, an attacker is sitting in an unmarked van outside your house sniffing your WiFi traffic. He could then redirect you to a site he controls that looks just like your bank’s Web site, and act like an invisible phone operator – capture your log ins, access your account at the bank, perform the transactions you request, and relay back information that your transaction has been completed.
As far as you and the bank know, everything went as it should. But now Mr. MITM has all of your information and can log back in later to drain your account.
Moglen is saying that this is essentially how Facebook operates. But is it really? I have a few problems with this metaphor. For starters:
* A true MITM attack happens without either party knowing about it. When’s the last time you used Facebook without knowing about it, or been forced to use it against your will?
* The attacker has a nefarious purpose in mind for your data. Moglen may argue that Facebook’s purposes are nefarious, but to me they’re pretty clear: They want to monetize your data by sending you targeted ads. Not quite the same as draining your bank account.
* You have no control over the data the MITM attacker collects. You have some controls over what Facebook collects.
Where Moglen and I agree is when he talks about how other people can do you harm by sharing too much about you on Facebook. The clearest example is indiscriminate photo tagging, which ties into the whole face recognition question.
The fact is, anybody can add your name to a photo on Facebook and there’s nothing you can do about it. All you can do is keep these pictures off your own personal timeline and tell Facebook to not “suggest” that your friends tag you when it recognizes your mugshot.
Is this quite the same as cooperating with the secret police or acting as a Man in the Middle? Not hardly. But it’s something Facebook needs to fix.
Got a question about privacy and/or social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter:@tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.