Every time you think Facebook has calmed the privacy storms, it conjures up a fresh hurricane. Security firm Symantec reported that a long-standing apps bug gave advertisers and analytic platforms access to Facebook user account details. That includes profiles, photographs, and chat. The companies would have been able to post messages and mine person information.
What really shows the state of privacy in high tech is the fact that this Facebook story elicited little more than a yawn -- another note of "oh, look, it happened again" in the constant background hum of privacy violations:
- Google (GOOG) and Apple appear before Congress -- again.
- Hackers get private data from a corporation (Fox Broadcasting, this time) -- again.
Or will they? There are some indications that users are increasingly disturbed by privacy issues -- and that one way or another, these problems will end up costing the industry a lot of money.
Poor tech companies get confused
The latest Facebook uproar happened because older authentication mechanisms used by many apps -- though not by Facebook itself -- leak access tokens, which allow a third party to act as though it were the user. Symantec says these are akin to spare keys to a door. Different tokens are tied to different permissions, so one might let a third party read a friend's profile while another would allow someone to write to your wall.
As it turns out, the actual privacy violation here might have been minimized by the fact that advertisers and analytic firms may not have realized that they had access to all this data. But it's small comfort when ignorance of an open door passes for security, especially given that many access tokens continue to hang about in databases and remain valid until users change their Facebook passwords.
In this round of Facebook privacy fire drill, the company tripped over complexity. Facebook depends not just on its own technology, but on that used by app providers and the advertising industry. Sadly, Facebook may have more control than many other companies do.
Oops, our bad
Look at Sony's (SNE) massive security snafu, in which attackers may have stolen tens of thousands of user credit-card and bank-account numbers. Not recent enough for you? A hacking group called Lulz Security snagged a database of 300 Fox Broadcasting (NWS) employee email addresses and passwords and then publicly posted them. That's just part of the information the group got from Fox, and it plans additional weekly releases.
Such incidents are usually the result of known security weaknesses in fairly standard hardware and software that companies never get around to addressing. But the biggest privacy weakness remains the drooling avarice of companies such as Google (GOOG) and Apple (AAPL), which are so set on vacuuming up customer data to please advertisers that they repeatedly become the targets of investigations.
The response these companies usually make to investigators always sounds the same: Users can opt out and data is anonymized. But users have to first realize what is being collected and what companies do with the information, and none of these companies usually make that clear in a way that anyone who isn't a lawyer or a technologist can understand. Anyway, when all data is tied to unique device IDs, as is true in mobile, claims of anonymity are basically crap to begin with.
Tell it to the privacy hand
Companies have already begun to feel the sting. Apple had to trot out the the Steve Jobs reality distortion field in its attempt to explain away why iPhones kept constant track of location data. (Get this: It's a "bug" for which Apple actually filed a patent.) Apple and two app vendors are targets of a class action filing.
The issue has become broad enough that Consumer Reports just ran a digital privacy cover story. (Its survey suggests that privacy risk is disturbingly pervasive and as many as 7.5 million children under 13 may have illegal Facebook accounts.) Continued Congressional and regulatory interest is another indirect indicator of consumer concern. More direct? Privacy is consumers' top concern when using mobile apps.
Right now, only two conditions allow tech companies to do as they want regarding privacy: a lack of practical repercussions and no alternative service choices for consumers. That's been the case for years, and maybe the companies are right -- no one really cares, and they'll never have to change their ways.
But maybe they're not. There's a new breeze blowing here in terms of the attention privacy is gettomg that suggests business as usual is about to take a sharp change in direction.
- Apple Activates the Reality Distortion Field: The iPhone Isn't Tracking You. Really!
- Sony Plays Its Chump Card: Lack of Security Makes the Xbox Look Good
- Facts, Schmacts: Apple and Google Build Creepware, but Won't Fess Up
- Facebook and the Behavioral Marketing Scam
- "At Dropbox, Even We Can't See Your Datâ€" Er, Nevermind"
- Yahoo: Screw Consumer Trust; We Need the Money
- Sony's Security Snafu: How Other Companies Can Make Hay of Its Total Cock-Up