If you’ve ever been curious about what exactly constitutes Facebook’s security department and strategy, this is a very insightful article. I’ve found a lot of great, easy-to-understand articles on CNET. Fortunately, I’m making a career out of technology, so I tend to understand the technical side a little more than most, but I’ve never run into an article on CNET that the ordinary computer user couldn’t understand.
- At Facebook, defense is offense (CNET news article published January 31, 2011)
Facebook made history with an $873 million judgment in a single case. In Facebook’s security department, an entire wall is dedicated to a collection of photocopied settlement checks, mug shots of child predators caught on Facebook, pictures of spammers, and other wins for the company. How does Facebook do it? Joe Sullivan, chief security officer for Facebook, says that “filing lawsuits is not a PR statement” but rather a way to deter more cyber criminals from attempting to prey on the social-networking site.
And on a side note, Sullivan’s credentials speak volumes: his résumé includes work at PayPal, eBay, and the U.S. Department of Justice. Sullivan was the first federal prosecutor working full-time on technology crime cases in a U.S. attorney’s office. He is also a founding member of Silicon Valley’s Computer Hacking and Intellectual Property Unit. I venture to say that Sullivan is one of the best-suited men for the job.
Just some of the things Facebook has coming for us users in terms of security:
- Integration of McAfee Clean and Repair: users whose accounts have been hacked are directed to this tool immediately
- “Social authentication”: used to verify new devices. A user logging in from a device Facebook hasn’t seen before must retrieve a code and enter it at the site login; users can also be asked to prove their identity by correctly tagging friends and identifying people in Facebook photographs
- Pulling the cord on third-party applications (“apps”) that are misleading or malicious
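To make the new-device half of “social authentication” concrete, here is an added illustration of how such a check is typically built. It is not Facebook’s code and the article describes no implementation details; the ten-minute code lifetime, the five-guess limit, and the six-digit code format are my assumptions. The point it shows beyond the bullet above is what has to be true of the code itself: generated from a CSPRNG, stored only as a hash, time-limited, single-use, compared in constant time, and burned after too many wrong guesses.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 10 * 60   # assumption: a one-time code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumption: burn the challenge after five wrong guesses


def _hash_code(code: str) -> bytes:
    # Only the hash is stored, so a leaked pending-challenge table reveals no live codes.
    return hashlib.sha256(code.encode()).digest()


class DeviceVerifier:
    """Challenges logins from devices on which the account has never been verified."""

    def __init__(self):
        self._trusted = {}   # user_id -> set of device_ids already verified
        self._pending = {}   # (user_id, device_id) -> {"hash", "expires_at", "attempts"}

    def is_trusted(self, user_id: str, device_id: str) -> bool:
        return device_id in self._trusted.get(user_id, set())

    def start_login(self, user_id: str, device_id: str, now: int):
        """Return None for a known device, else a fresh code to deliver out of band."""
        if self.is_trusted(user_id, device_id):
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit code from a CSPRNG
        self._pending[(user_id, device_id)] = {
            "hash": _hash_code(code),
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # In a real system the code goes to the user's phone or e-mail, never back
        # to the login request; it is returned here only so the example can run offline.
        return code

    def verify_code(self, user_id: str, device_id: str, submitted: str, now: int) -> bool:
        key = (user_id, device_id)
        challenge = self._pending.get(key)
        if challenge is None:
            return False
        if now > challenge["expires_at"]:
            del self._pending[key]          # expired: the user must restart the login
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]          # too many guesses: burn the challenge
            return False
        if not hmac.compare_digest(challenge["hash"], _hash_code(submitted)):
            return False                    # wrong code; the attempt has been counted
        del self._pending[key]              # single use
        self._trusted.setdefault(user_id, set()).add(device_id)
        return True
```

The attempt counter is incremented before the comparison, so a guess that arrives on the last allowed try still counts and the sixth guess is rejected even when it is correct; without that ordering a six-digit code is brute-forceable in at most a million requests.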
As for apps, I know I have fallen for them. Who spent several weeks on Farmville? This girl. Even though I was a total Farmville boss, I also allowed the app access to certain personal information beyond what Facebook deems basic and necessary for third-party applications to function. Sullivan says of Facebook’s offensive defense in terms of apps, “We have a dedicated team and dedicated processes. What people sometimes misinterpret is that it is not an upfront gatekeeper approach. It’s a risk-based approach.”
In order for an app to get access to data beyond what Facebook considers the basic information needed for people to find each other in search, the application must get permission from the user. Facebook is still working on giving users the ability to pick and choose which of the requested access rights to grant, which would make it even clearer what an application is doing with a user’s personal information.
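As an added illustration of that permission model (my own example, not Facebook’s platform code), the following shows an app asking for scopes beyond the basic fields, the user accepting only some of them, and the data read being filtered down to what was actually granted. The scope names, the contents of the “basic” set, and the field-to-scope mapping are assumptions chosen for the example; the behaviour the article says Facebook is still working on, the user granting a subset of what the app requested, is what `consent` implements.

```python
# Assumption: these three fields are what any installed app gets without an extra grant.
BASIC_FIELDS = frozenset({"id", "name", "picture"})

# Assumption: each extended scope unlocks exactly these profile fields.
SCOPE_FIELDS = {
    "email": frozenset({"email"}),
    "user_birthday": frozenset({"birthday"}),
    "user_photos": frozenset({"photos"}),
    "user_friends": frozenset({"friends"}),
}


class AppPermissionStore:
    """Tracks, per (user, app), which extended scopes the user has granted."""

    def __init__(self):
        self._grants = {}   # (user_id, app_id) -> set of granted scope names

    def consent(self, user_id: str, app_id: str, requested, accepted):
        """Record the scopes the user accepted out of what the app requested."""
        unknown = set(requested) - set(SCOPE_FIELDS)
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        # The user may accept a subset, and an app can never end up holding a
        # scope it did not ask for, even if the consent form is tampered with.
        granted = set(accepted) & set(requested)
        self._grants.setdefault((user_id, app_id), set()).update(granted)
        return sorted(granted)

    def revoke(self, user_id: str, app_id: str, scope: str) -> None:
        self._grants.get((user_id, app_id), set()).discard(scope)

    def allowed_fields(self, user_id: str, app_id: str):
        fields = set(BASIC_FIELDS)
        for scope in self._grants.get((user_id, app_id), ()):
            fields |= SCOPE_FIELDS[scope]
        return fields

    def read_profile(self, user_id: str, app_id: str, profile: dict, wanted):
        """Return only the requested fields the app may see, plus the list it was denied."""
        allowed = self.allowed_fields(user_id, app_id)
        visible = {f: profile[f] for f in wanted if f in allowed and f in profile}
        denied = sorted(f for f in wanted if f not in allowed)
        return visible, denied


# Constructed sample profile for running the example offline.
SAMPLE_PROFILE = {
    "id": "u1", "name": "Ada", "picture": "ada.jpg",
    "email": "ada@example.com", "birthday": "1990-01-01",
    "photos": ["p1", "p2"], "friends": ["bob"],
}
```

The filtering happens at read time rather than at install time, so revoking a scope later takes effect immediately for the next request; the `denied` list is also what you would log to spot apps that keep probing for data they were never granted.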
Sadly, that means the Facebook team isn’t vetting every single app, only those with what they call “high velocity.” So users still need to use caution when signing up for that new game their friend from the bus in junior high sent them. It could still be malicious; Facebook just hasn’t gotten to it yet.
Ultimately, it comes down to a sensitive balance: what Facebook does to keep growing the platform by attracting developers and ad revenue, and what users are willing to accept as business decisions when their personal information is involved.
Andrew Walls, a research director at a well-known security firm, assesses that: “[Facebook is] doing a fair job of exploring the space between privacy expectations of consumers, the business needs of Facebook, and what society at large wants to see happen down the road.”