Friday, November 16, 2007


More on social networking sites

I’ve noted before, in these pages, that social networking sites present issues of privacy and accountability that their users aren’t always aware of. Beyond the now-obvious concern about how the information users post there can be used to evaluate or attack them, though, there are a few other problems as well.

This past summer, my colleague Aaron Zinman, along with his advisor, Judith Donath, presented a paper on how social networking blurs the line between spam and non-spam, making it hard to tell which is which. (PDF here.) The issues they examine come on top of the fact that there are entire spam identities on the social networking sites, and that when you do see an identity that looks legitimate, you have no way of knowing whether it really is.

More recently, the New York Times points out a couple more issues. In one, we see them as a delivery vector for malware:

When visitors click almost anywhere on these infected sites, they are directed to co8vd.cn/s, which appears to be a Chinese malware site. The visitors then see a box on their screen telling them they need to install a special codec to view the video – a legitimate possibility on any site rich in media. But if the visitor clicks ‘yes’, the site installs software that appears to be a rootkit and DNS changer. This would allow the hackers to take over what you see on your browser and what you download onto your computer.

“They are going to catch a lot of people with this one,” said Roger Thompson, chief technology officer of Exploit Prevent Labs. “This is a very rich media page, as are most MySpace pages. There is every expectation you are going to see a video… It’s not at all unreasonable to think you might have to install something.”

The point here is that the attacker gets you to visit a social-networking page, and the page, either a hacked legitimate one or a bogus one that you take for legitimate, tells you that you need to install software in order to get the proper experience. And here’s the key: the rich-media nature of these pages has accustomed many users to installing software routinely. That it’s difficult to tell when the software is being installed by MySpace and when it’s coming from an external, less trustworthy source makes this particularly nasty.
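The redirect behaviour the Times describes, where clicking almost anywhere on the hijacked page sends the visitor to a third-party host, is something a page scanner can flag before any user sees the codec prompt. The Python below is an added example, not code from the original post or from any of the companies or people mentioned in it: it parses a page and reports every link, form target, script, iframe, or inline `on*` handler that points to a host outside the page’s own domain and an allowlist. The sample page, the host names in it other than co8vd.cn, and the allowlist are constructed for illustration.

```python
"""Flag page content that sends clicks off-site.

Given a page's HTML and the host it was served from, report every
href/src/action attribute and every inline event handler whose
absolute URL resolves to a host outside the allowlist. A normal
profile page references its own host and a known CDN; a hijacked one
adds an off-site redirect, often in a body- or div-level onclick so
that "almost anywhere" on the page triggers it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs embedded in attribute values such as
# onclick="window.location='http://host/path'".
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)


class OffsiteScanner(HTMLParser):
    """Collect (tag, attribute, host, url) for every off-allowlist URL."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _host_allowed(self, host):
        host = host.lower()
        # Exact match or a subdomain of an allowed host.
        return any(host == a or host.endswith("." + a) for a in self.allowed)

    def _check(self, tag, attr, url):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            return  # relative URLs stay on the page's own host
        if not self._host_allowed(parsed.hostname):
            self.findings.append((tag, attr, parsed.hostname, url))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in ("href", "src", "action"):
                self._check(tag, name, value)
            elif name.startswith("on"):
                # Inline handlers: pull out any absolute URL they contain.
                for url in URL_RE.findall(value):
                    self._check(tag, name, url)


def scan(html, page_host, extra_allowed=()):
    """Return the list of off-site references found in `html`."""
    scanner = OffsiteScanner([page_host, *extra_allowed])
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def offsite_hosts(html, page_host, extra_allowed=()):
    """Return the sorted set of off-site hosts the page points at."""
    return sorted({host for _, _, host, _ in scan(html, page_host, extra_allowed)})


# Constructed sample: a profile page on a hypothetical host whose
# body and "video" div both redirect to co8vd.cn (the host named in
# the Times item), plus a hidden iframe to the same host.
SAMPLE_HTML = """<html><body onclick="window.location='http://co8vd.cn/s'">
<a href="http://profile.example.com/user123">My profile</a>
<img src="http://cdn.example.net/banner.gif">
<a href="/friends">Friends</a>
<div onclick="location.href='http://co8vd.cn/s'">Play video</div>
<iframe src="http://co8vd.cn/s" width="1" height="1"></iframe>
</body></html>"""

PAGE_HOST = "profile.example.com"      # hypothetical
ALLOWED_CDN = ["cdn.example.net"]      # hypothetical allowlist entry

if __name__ == "__main__":
    for tag, attr, host, url in scan(SAMPLE_HTML, PAGE_HOST, ALLOWED_CDN):
        print(f"<{tag} {attr}> -> {host}  ({url})")
```

In practice the allowlist is the hard part: a real profile page pulls scripts and media from several platform-owned CDNs, so the check is only as good as that list, and an attacker who can upload to an allowed host slips through. The scanner is a cheap triage step, not a substitute for refusing the install prompt.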

In the other Times item, the question is raised of whether it violates New York state law to present advertisements that use the Facebook identities of your “friends”:

Mark Zuckerberg promised no less than a revolution with his idea that ads you see on Facebook will be attached to the names and photos of your friends who like the products being advertised.

There is at least one problem with this idea: It may be illegal under a 100-year-old New York privacy law. The statute says that “any person whose name, portrait, picture, or voice is used within this state for advertising purposes or for the purposes of trade without the written consent first obtained” can sue for damages. Moreover, such a use is also a criminal misdemeanor.

Facebook’s rebuttal, though, may be scary for another reason:

Chris Kelly, the chief privacy officer of Facebook, called to present a number of reasons why he thinks this law doesn’t apply to the new Social Ads. He said Mr. McGeveran’s interpretation of the law was too broad.

Mr. Kelly said the advertisements are simply a “representation” of the action users have taken: choosing to link themselves to a product. He added that in many states, consenting to something online is now seen as the equivalent of written consent.

What does “consenting to something online” mean? Hm, have you ever read the various user agreements that are presented to you with all-too-convenient and friendly "I Accept!" buttons below them, and long scroll-bars to their right? Do you know what you’ve consented to? Would it surprise you to learn in court just what those things are?

1 comment:

Anonymous said...

Hm, have you ever read the various user agreements that are presented to you with all-too-convenient and friendly "I Accept!" buttons below them, and long scroll-bars to their right?

Like pretty much everyone else... no.

Do you know what you’ve consented to?

Like pretty much everyone else... no.

It seems to me that these long, rambling, incoherent (to most normal people) screeds ought themselves to be subject to a "plain-speaking" law, whereby the writers of such things are required to list, in plain language, the most salient points to which you are agreeing. They know what they're hiding, and they know that 99% of the people pressing the Agree button will not have read it. Just like those radio commercials where the 'fine print' turns into 'rapid speak'.