Jefferson's Wheel

I gave a talk in cs290 (which is our weekly undergraduate seminar) on “What Every Human Should Know About Security”.
My slides are available here: [PPT (warning: 18MB)] [PDF].

CMU’s newspaper, The Tartan has an article on Adrienne Felt’s facebook platform privacy work: Study shows dangers in Facebook apps, The Tartan, 11 February 2008.

Each day, students are bombarded with requests to become a Greek god, a Disney princess, and the biggest brain — on Facebook, that is. Over 15,000 Facebook applications exist today, offering a variety of capabilities to the social networking website. However, according to a new study from the University of Virginia, users risk losing their privacy by simply rating their 10 hottest friends or discovering their ideal desperate housewife.

It even includes a comic featuring nudity!

[Added 23 Feb] Cornell’s The Ithacan also has an article: Facebook applications access personal information, February 21, 2008.

Jonathan Zittrain, Professor of Internet Governance and Regulation at the Oxford Internet Institute, has an interesting blog post about Adrienne Felt’s work on Facebook platform privacy: Should Facebook preemptively protect users against rogue apps?.

It is worth reading the whole article, but here are a few excerpts:

Enterprising UVa senior Adrienne Felt has developed an intriguing argument about privacy for Web 2.0 apps like those on the Facebook development platform. It will get lots of news coverage, much of it boiling down to reports that don’t capture the richness of the problem.
…
But there is another difference at work: partly because of technology and partly because of historical inertia, Facebook can more obviously be asked to play a gatekeeper role with its apps than an OS maker can with its desktop apps. Felt’s solution to the problem she identifies is to have Facebook run interference — serve as a proxy — between most apps and the data they presumably don’t really need. The app can say to Facebook, “Display the user’s birthday in the upper right corner of the screen,” without having to know the user’s birthday. Only in a few instances, they say, must an app really access the data in order to work.
…
Social networks are rightly recognized as powerful, even transformative. The ability for unaccredited third parties to write apps that users can run to access their data and do cool things with it further leverages their power. The wild card of the platform makers’ power over those apps creates a range of options simply not available to the OS makers that preceded Web 2.0, and being put out of business by it.

From Study Finds Privacy Lapse in Facebook Apps, The Harvard Crimson, 8 February 2008:

Playing Jetman on Facebook.com may cause you to lose more than just the game. Your private information is also at stake.

Facebook application developers—who can be anybody—are unnecessarily given full access to both users’ and their friends’ private information, according to a University of Virginia study.

Slashdot has an article on Adrienne Felt’s Facebook platform privacy work:
Facebook Sharing Too Much Personal Data With Application Developers.

Adrienne Felt was interviewed on KCPW Midday Utah:

Users of the popular social networking website called Facebook should be concerned about security, according to Adrienne Felt. As a senior in the School of Engineering and Applied Science at the University of Virginia where she specializes in computer security, her research shows that when users download a Facebook application – a program that allows the user to interact with other users – privacy is compromised.

The KCPW site has audio: http://www.kcpw.org/article/5281. Its quite an in-depth interview (about 20 minutes long).

The Chronicle of Higher Education has an article about Adrienne Felt’s Facebook privacy study: Study Raises New Privacy Concerns About Facebook, 4 February, 2008.

Another report from WINA 1070 AM:

A UVa student is examining a popular social networking site

A student at the UVa Engineering School is investigating Facebook’s information vulnerabilities. Fourth-year student Adrienne Felt is in charge of a research project dealing with privacy issues having to do with applications on the popular social networking site. Facebook allows independently developed applications to appear in user profiles; when these applications run, the developer is given access to the user’s available information, causing a potential security breach. Felt’s goal is to make users more aware of how their information can be unknowingly accessed.

From ACM TechNews, 1 February 2008: University of Virginia Engineering School Student Probes Facebook’s Vulnerabilities

University of Virginia computer science major Adrienne Felt is leading a research project focusing on privacy issues surrounding the Facebook social networking site, and is investigating the information sharing that takes place when users download a Facebook application. Although the applications add variety to a Facebook user’s profile page, they also increase the user’s vulnerability. Anyone with a Facebook account can create and distribute an application. While the applications appear to be part of Facebook’s platform, they are actually running on the developer’s server. When a user installs an application, the developer is capable of seeing everything the user can see, including names, addresses, friends’ profiles, and photos. “Since all applications receive access to private information,” Felt says, “this means that 90.7 percent of Facebook’s most popular applications unnecessarily have access to private data.” There are currently no restrictions on what applications, and their developers, can do with user information, and while Facebook’s “Terms of Use” warn developers not to abuse the data they have access to, there is no way for Facebook to enforce this rule, Felt says. “An application developer could easily acquire personal information for millions of users,” says U.Va. computer science professor David Evans. Felt’s goal is to close this privacy loophole with a privacy-by-proxy system she developed that will allow Facebook to hide user information while still maintaining the applications’ functionality.

WCAV had a story on Adrienne Felt’s work on Facebook platform privacy risks:
UVa Student Raises Facebook Security Concerns, WCAV TV 19 News, Charlottesville, VA. (Includes a video clip from the newscast)

Many use the social networking site Facebook without ever thinking about security but you could be leaving yourself vulnerable anytime you share music or play a game. Facebook applications are not necessarily from Facebook.

Here’s another article on Adrienne Felt’s work on privacy issues with the Facebook platform: 90% of Facebook Apps Have Unnecessary Access to Private Data, Dark Reading, January 31, 2008.