ACM TechNews: University of Virginia Engineering School Student Probes Facebook’s Vulnerabilities
2 February 2008From ACM TechNews, 1 February 2008: University of Virginia Engineering School Student Probes Facebook’s Vulnerabilities
University of Virginia computer science major Adrienne Felt is leading a research project focusing on privacy issues surrounding the Facebook social networking site, and is investigating the information sharing that takes place when users download a Facebook application. Although the applications add variety to a Facebook user’s profile page, they also increase the user’s vulnerability. Anyone with a Facebook account can create and distribute an application. While the applications appear to be part of Facebook’s platform, they are actually running on the developer’s server. When a user installs an application, the developer is capable of seeing everything the user can see, including names, addresses, friends’ profiles, and photos. “Since all applications receive access to private information,” Felt says, “this means that 90.7 percent of Facebook’s most popular applications unnecessarily have access to private data.” There are currently no restrictions on what applications, and their developers, can do with user information, and while Facebook’s “Terms of Use” warn developers not to abuse the data they have access to, there is no way for Facebook to enforce this rule, Felt says. “An application developer could easily acquire personal information for millions of users,” says U.Va. computer science professor David Evans. Felt’s goal is to close this privacy loophole with a privacy-by-proxy system she developed that will allow Facebook to hide user information while still maintaining the applications’ functionality.