STE WILLIAMS

Dead donkeys, gun wielding penguins and the Internet Worm at 25 – 60 Sec Security [VIDEO]

The exact number of people* who trust Facebook is… [POLL]

Do you think Facebook is trustworthy?

Do you even have a clue what that’s supposed to mean?

No? Neither do we!

Like, say, does it pertain to trusting the company with your real, actual birthdate, instead of lying through your teeth because you’re careful with your privacy and you assume that the company could accidentally leak everyone’s date of birth (it’s happened!)?

Maybe Facebook wants to know if you trust it to keep your data out of the hands of the National Security Agency (NSA), as the Washington Post’s Brian Fung guesses, or whether you trust it to show you only the Farmville updates that truly matter.

Facebook isn’t explaining, but it is asking.

As Fung reports, Facebook asked him and others recently to take a “quick and painless” survey on user experience, in multiple-choice form.

What it asks: how happy you are with Facebook, whether the service is easy to use, if it’s reliable or not, and whether you think it is trustworthy.

Now, obviously, Facebook isn’t the first entity to ask users whether they trust it or not. Plenty of others have done the same (and then gone on to actually share the results).

Fung cites a few polls, including an AP/CNBC survey from last year that found that 59% of respondents had “little or no trust” that Facebook will keep their personal information private. (Note that users said they don’t trust Facebook, but they aren’t giving it up, either.)

Another poll, this one done by Reason and published in September, found that respondents deemed both the NSA and the Internal Revenue Service (IRS) more trustworthy than Facebook (or Google).

But wait! There’s more!

To top off this mushy trust cupcake with the most sublime cherry of them all, when Naked Security polled users in October 2012 about whether one should trust accurate, truthful information to sites such as Facebook, exactly 92.92% of respondents as of 2 January 2014 had said that the prospect looked like a nice, tall glass of NOPE (all hail the Oatmeal!).

So yes, there’s plenty of data out there on how little faith Facebook users place in the service, however you define “trust”.

But Facebook won’t be adding to that data set, given that it’s declined to share the results of its own polling.

A spokesman told Fung that Facebook doesn’t share the data it collects from the survey, though it’s happy to get the feedback:

We are constantly working to improve our service, and getting regular feedback from the people who use it is an invaluable part of the process.

That’s nice. But we still want to know the results.

I did the due diligence of asking Facebook if it wanted to elaborate on that statement, but I hadn’t heard back by the time this was published. I will update this article once I get a reply.

At any rate, since Facebook is keeping the results to itself, maybe Naked Security could poll the same question. (You’ll have to decide exactly what “trustworthy” means to you on this one).

Here goes:

Image of handshake courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EwSUSSHxvSk/

Facebook is being sued for intercepting users’ communications

Social networking giant Facebook is being sued in California by two users who allege that the company intercepts “content of …users’ communications.”

According to the class action lawsuit, instigated by Matthew Campbell and Michael Hurley, Facebook has allegedly violated the Electronic Communications Privacy Act in addition to several California state laws.

The basis of the plaintiffs’ complaint is that Facebook’s use of the word “private” is misleading when applied to its own internal messaging system.

Campbell and Hurley claim that the company scans private messages in order to detect any URLs within them. The plaintiffs further claim that the company follows links that it discovers as part of the crawling process, which is something it has not explicitly disclosed to users of its service.

If Facebook discovers a ‘Like’ button on one of those pages, the plaintiffs say, the system records the private message itself as a ‘Like’ on that website and increases the Like count by one, thereby turning a private communication into a public declaration. As point #5 of the complaint puts it:

Contrary to its representations, “private” Facebook messages are systematically intercepted by the Company in an effort to learn the contents of the users’ communications. In the course of the last year, independent security researchers discovered that Facebook reviews the contents of its users’ private Facebook messages for purposes unrelated to the facilitation of message transmission. When a user composes a Facebook message and includes a link to a third party website (a “URL”), the Company scans the content of the Facebook message, follows the enclosed link, and searches for information to profile the message-sender’s web activity.

The lawsuit claims that Facebook does this in order to mine data and make money from it by sharing information with third parties such as advertisers, marketers and data brokers.

While the plaintiffs do acknowledge the fact that Facebook has a data usage policy that discloses how the company receives information when users interact with the site, they argue that its wording does not make it clear that Facebook “scans, mines, and manipulates the content of its users’ private messages… in direct conflict with the assurances it provides to its users regarding the privacy and control they should expect.”

As part of their claim the plaintiffs are seeking compensation of $100 for each day of violation or $10,000 per class member, or damages of either $5,000 per class member, or three times the actual amount of damages, whichever result is greater, as well as the cost of their legal fees.

We previously wrote about the topic of Facebook scanning private messages back in October 2012. At the time, the company said:

Absolutely no private information has been exposed and Facebook is not automatically Liking any Facebook Pages on a user’s behalf.

Many websites that use Facebook’s ‘Like’, ‘Recommend’, or ‘Share’ buttons also carry a counter next to them. This counter reflects the number of times people have clicked those buttons and also the number of times people have shared that page’s link on Facebook. When the count is increased via shares over private messages, no user information is exchanged, and privacy settings of content are unaffected. Links shared through messages do not affect the Like count on Facebook Pages.

It will be interesting to see how things pan out.

For now, it may be worth remembering that Facebook, among a great number of other large corporations, places a value on your personal data so think carefully about what you share wherever you are on the web.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_xDMDmxxG1I/

OpenSSL website defacement

OpenSSL, the widely-used open source cryptographic library, has been all over the news lately.

At the end of 2013, the project announced a flaw – actually, an unreconstructed bug – that caused a formally-approved part of the software not to work at all.

Normally, that would cause the wringing of hands, and perhaps even the gnashing of teeth.

But on this occasion, the dysfunctional algorithm was one that is now widely considered to be tainted by the machinations of the NSA, which allegedly tried to weaken it on purpose, for its own cryptanalytic advantage.

So this ended up as a “good bug” that attracted a lot of interest, ultimately leading to a curious paradox.

The main page of the OpenSSL website was hacked and defaced – by cybervandals who left an oxymoronic message of support:

TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _

This, of course, immediately raised the question, “Did the crooks get at the official repository of the OpenSSL source code?”

The answer is, almost without doubt, “No.”

There are many copies of the OpenSSL source tree scattered liberally around the internet, not least because the project makes use of a distributed source code control system.

So any anomalies in amongst the source code in the project’s official repository would, almost without doubt, be obvious.

But how did a high-profile web site like OpenSSL’s get hacked at all?

That’s where the story gets confusing.

Unfortunately, with 6/6 hindsight, it seems that OpenSSL didn’t choose its words terribly wisely over New Year, when it said:

The attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration.

A hypervisor is a software component that allows multiple VMs (virtual machines – software computers, if you like) to coexist and be managed on a single physical computer.

Each VM runs not merely as a separate operating system process, but almost as if it were a separate server.

You don’t just run an application inside a VM – you boot it up like a real server and install a fresh operating system of your choice, followed by the software you plan to use.

A service provider can use a hypervisor to split a physical server between several customers, with the hypervisor taking care of the configuration and management of each VM, or “guest.”

An “attack via hypervisor”, then, could be something as simple as a fault in the management interface causing it to report the status of a VM incorrectly.

Or it could be something as potentially catastrophic as a security hole allowing one VM to access and manipulate resources – memory contents, processes and files, for example – belonging to another.

Many news sources chose the latter explanation – it makes a better story, to be sure! – with a raft of credulous headlines trumpeting “facts” that turned out to be misleading at best, and untrue at worst.

Ars Technica’s Dan Goodin, for example, led with:

OpenSSL site defacement involving hypervisor hack rattles nerves

Crowdsourced techie newsfest Slashdot offered:

OpenSSL.org site defaced – subverted hypervisor suspected

Reddit had the accurate but only slightly less dramatic:

OpenSSL website hack was conducted via hypervisor

The overarching implication in all of these was that the defacement was due to an exploitable vulnerability in the hypervisor, allowing some sort of “VM escape.”

That’s where a guest VM is able to trick the hypervisor into letting it meddle in another guest VM on the same hardware, or to meddle with the hypervisor, or even to subvert the so-called host operating system that controls the physical hardware and runs the hypervisor itself.

A bug like that would be serious, because it might be an exploit that could affect thousands, or even millions, of virtual servers around the world.

Good news.

Stand down from puce alert.

OpenSSL has now adapted its notification slightly, offering a clearer explanation:

Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server.

The joys of cloud computing, eh?

And the woes of poor password hygiene.

As I suspect my colleague Chester Wisniewski would say, “Where was the two-factor authentication?”
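What two-factor authentication on that management console would have looked like, as an added example that is not part of the original article and not code from OpenSSL or its hosting provider: an RFC 4226/6238 one-time-password implementation, a verifier that tolerates a step of clock skew but refuses to accept a counter twice, and a hypothetical console login that requires the password and the code. The console account, its (deliberately weak) password and the replay guard are constructed for the example; the secret is the RFC’s published test secret so the codes can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret, used here only so the output can be
# checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the 30-second time step as the counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_counter=None,
                step=30, digits=6, window=1):
    """Return the time-step counter the code matched, or None.

    Accepts the current step and `window` steps either side (clock skew),
    compares in constant time, and refuses any counter <= last_counter so a
    code that has already been observed (phished, shoulder-surfed) cannot be
    replayed inside the acceptance window.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Hypothetical hosting-provider console account: a weak password plus a TOTP
# secret. Names and values are constructed for this example.
CONSOLE_ACCOUNT = {
    "password": "password1",
    "totp_secret": RFC_TEST_SECRET,
    "last_counter": None,
}


def console_login(password, code, unix_time, account=CONSOLE_ACCOUNT):
    """Password alone is the pre-2FA console; password plus a valid, unreplayed
    TOTP is the control the OpenSSL incident called for. Returns True on success."""
    if not hmac.compare_digest(password, account["password"]):
        return False
    matched = verify_totp(account["totp_secret"], code, unix_time,
                          account["last_counter"])
    if matched is None:
        return False
    account["last_counter"] = matched  # burn the counter so the code cannot be reused
    return True
```

With the password guessed (as it apparently was here), the attacker still needs the current six-digit code from the enrolled device; the replay guard matters because the skew window otherwise lets a code that was just used be replayed for up to a minute.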


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jYqFcTyoRhU/

Snapchat issues update in wake of 4.6 million user data breach


Mobile image-sharer Snapchat has issued an update to its service intended to seal off a security hole which allowed hackers to harvest the account details of some 4.6 million users.

The company said that its update will allow users to opt out of the Find Friends system and prevent others from looking up their account information through address books. In doing so, users will no longer appear in results when others seek to match their address book numbers with potential Snapchat friends.


“When we first built Snapchat, we had a difficult time finding other friends that were using the service,” Snapchat told users. “We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends.”

The move looks to close a security hole in the Snapchat service which left users subject to a “brute force” hacking process in which an attacker could build a database of contact information by uploading an archive of phone numbers to the service and saving those which returned links for Snapchat users.

Such methods were described by researchers at security firm Gibson Security, who claim to have notified Snapchat of the flaw several months ago. Gibson Security said that by exploiting flaws in the Snapchat API, the process of searching for and collecting account information for mobile spam and other purposes could be largely automated.

Though initially dismissed by Snapchat as a “theoretical” flaw, the vulnerability was soon used to build a partially redacted archive of 4.6 million user names and phone numbers.

Snapchat said that in addition to implementing an opt-out for Find Friends, the company is updating its systems to help prevent automated brute force attacks or exploits.
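As an added illustration of the enumeration problem described above (example code written for this page, not Snapchat’s API, Gibson Security’s proof of concept, or the fix Snapchat shipped): a hypothetical address-book lookup in its original form, which answers any batch of numbers from anyone, beside a hardened version that caps the batch size, rate-limits each client and honours a per-user opt-out, with the same brute-force sweep run against both. The directory, phone numbers, client identifier and limit values are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample directory (phone number -> username). Hypothetical test
# data, not Snapchat's real user base.
DIRECTORY = {
    "+15551230002": "alice",
    "+15551234567": "bob",
    "+15551239999": "carol",
}


def find_friends_unprotected(numbers):
    """Lookup with no batch cap, no rate limit and no opt-out: hand it a whole
    number range and it hands back every registered user in that range."""
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


class RateLimited(Exception):
    pass


class FindFriendsService:
    """Hardened lookup: bounded batch size, per-client sliding-window rate
    limit, and per-user opt-out (the control Snapchat said it was adding)."""

    def __init__(self, max_batch=10, max_requests=5, window_s=60, opted_out=()):
        self.max_batch = max_batch
        self.max_requests = max_requests
        self.window_s = window_s
        self.opted_out = set(opted_out)
        self._requests = defaultdict(list)  # client_id -> request timestamps

    def find_friends(self, client_id, numbers, now):
        if len(numbers) > self.max_batch:
            raise ValueError(f"batch of {len(numbers)} exceeds cap of {self.max_batch}")
        recent = [t for t in self._requests[client_id] if now - t < self.window_s]
        if len(recent) >= self.max_requests:
            raise RateLimited(f"client {client_id}: {len(recent)} lookups in {self.window_s}s")
        recent.append(now)
        self._requests[client_id] = recent
        return {n: DIRECTORY[n] for n in numbers
                if n in DIRECTORY and DIRECTORY[n] not in self.opted_out}


def candidate_numbers(prefix="+1555123", count=10000):
    """Attacker's input: every number in one exchange, i.e. a brute-force sweep."""
    return [f"{prefix}{i:04d}" for i in range(count)]


def harvest_unprotected():
    """One request, ten thousand numbers, every registered user returned."""
    return find_friends_unprotected(candidate_numbers())


def harvest_hardened(service, client_id="scraper", batch=10):
    """Same sweep against the hardened service: chunk to the batch cap and keep
    going, one request per second, until the rate limiter cuts the client off.
    Returns the users found and the offset at which the scraper was stopped."""
    found, throttled_at, now = {}, None, 0
    numbers = candidate_numbers()
    for i in range(0, len(numbers), batch):
        try:
            found.update(service.find_friends(client_id, numbers[i:i + batch], now))
        except RateLimited:
            throttled_at = i
            break
        now += 1
    return found, throttled_at
```

The limit values are illustrative. A per-client limit on its own is weak, since a scraper can rotate accounts and source addresses, so the throttle needs to apply per registered account and per network source as well, and an opt-out only protects the users who know to set it; the structural fix is to make bulk lookup expensive for everyone and to return nothing more than the caller needs.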

According to security vendor AdaptiveMobile, the leaked numbers are largely concentrated in California and New York, with the two states accounting for some 2.3 million accounts. Other regions impacted include Illinois, Colorado, and Florida.

[Chart: Snapchat accounts by state. Leaked accounts are largely confined to the coasts (source: AdaptiveMobile).]

Snapchat noted that no other personal data or user photos were collected in the attack, and CEO Evan Spiegel stopped short of issuing a mea culpa for the incident when speaking with The Today Show.

“I believe at the time we thought we had done enough,” he said, “but in a business like this that is moving so quickly, if you spend your time looking backwards, you’re just going to kill yourself.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/04/snapchat_issues_update_in_wake_of_46_million_user_data_breach/

Network Baseline Information Important For Detecting Anomalies

While so much time in network security is spent discussing the discovery of anomalies that can indicate attack, one thing that sometimes gets forgotten in the mix is how fundamental it is to first understand what ‘normal’ looks like. According to many experts, establishing baseline data for normal traffic activity and standard configuration for network devices can go a long way to helping security analysts spot potential problems.

“There are so many distinct activities in today’s networks with a high amount of variance that it is extremely difficult to discover security issues without understanding what normal looks like,” says Seth Goldhammer, director of product management for LogRhythm.

Wolfgang Kandek, CTO of Qualys, agrees, stating that when IT organizations establish baseline data, it makes it easier to track deviations from that baseline.

“For example, if one knows that the use of dynamic DNS services is at a low 0.5% of normal DNS traffic, an increase to 5% is an anomaly that should be investigated and might well lead to the detection of a malware infection,” Kandek says.

[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]

But according to Goldhammer, simply understanding normal can be a challenge in its own right. As he explains, baselining can mean tracking many different attributes across multiple dimensions: normal host behavior, network behavior, user behavior and application behavior, along with other internal information such as the function of the host and its vulnerability state. External context, such as the reputation of an IP address, also plays a part.

“For example, on any given host that means understanding which processes and services are running, which users access the host, how often, what files, databases, and/or applications do these users access,” he says. “On the network, which hosts communicate to which other hosts, what application traffic is generated, and how much traffic is generated.”

It’s a hard slog and, unfortunately, the open nature of Internet traffic and diverging user behavior makes it hard to come up with cookie-cutter baseline recommendations for any organization, experts say.

“Networks, in essence, serve the needs of their users. Users are unique individuals and express their different tastes, preferences and work styles in the way they interact with the network,” says Andrew Brandt, director of threat research for the Advanced Threat Protection Group for Blue Coat Systems. “The collection of metadata about those preferences can act like a fingerprint of that network. And each network fingerprint is going to be as unique as its users who generate the traffic.”

Another added dimension to developing baseline is time. The time range for sampling data for establishment of a benchmark will often depend upon what kind of abnormality the organization hopes to eventually discover.

“For example, if I am interested in detecting abnormal file access I would want a longer benchmark period, building a histogram of file accesses per user over the previous week to compare to the current week, whereas if I want to monitor the number of authentication successes and failures to production systems, I may only need to benchmark the previous day compared to the current day,” Goldhammer says.
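Kandek’s dynamic-DNS share and Goldhammer’s per-user file-access histogram, turned into an added worked example (written for this page; not LogRhythm, Qualys or any vendor’s code) over constructed log records. The first check compares the fraction of queries to dynamic-DNS domains in a seven-day baseline window against the current day; the second builds per-user access-count histograms for the previous and current week and flags users whose count jumped or who were never seen in the baseline. The DNS suffix list, the log records, the users and the thresholds are all assumptions made for the example.

```python
from collections import Counter

# --- constructed sample data (hypothetical; not from any real network) --------

DYNDNS_SUFFIXES = (".no-ip.org", ".dyndns.org", ".duckdns.org")  # illustrative list


def make_dns_day(day, total=200, dynamic=1):
    """Build one day of (day, client, qname) DNS records with a chosen number
    of queries to dynamic-DNS domains."""
    recs = [(day, f"10.0.0.{i % 50}", f"host{i}.example.com") for i in range(total - dynamic)]
    recs += [(day, f"10.0.0.{i % 50}", f"box{i}.no-ip.org") for i in range(dynamic)]
    return recs


BASELINE_DNS = [r for day in range(1, 8) for r in make_dns_day(day)]  # 0.5 % dynamic DNS
CURRENT_DNS = make_dns_day(8, dynamic=10)                             # 5 % dynamic DNS

# (week, user, path) file-access records: carol bulk-reads in the current week
# and dave, absent from the baseline, appears with heavy access.
BASELINE_FILES = [("w1", u, f"/share/doc{i}.txt")
                  for u, n in (("alice", 40), ("bob", 35), ("carol", 30)) for i in range(n)]
CURRENT_FILES = [("w2", u, f"/share/doc{i}.txt")
                 for u, n in (("alice", 42), ("bob", 36), ("carol", 300), ("dave", 50)) for i in range(n)]

# --- baseline / contrast logic -------------------------------------------------


def is_dynamic_dns(rec):
    return rec[2].endswith(DYNDNS_SUFFIXES)


def share(records, predicate):
    """Fraction of records for which predicate holds (0.0 for an empty window)."""
    return sum(1 for r in records if predicate(r)) / len(records) if records else 0.0


def contrast_share(baseline, current, predicate, factor=5.0, floor=0.01):
    """Flag when the current share is at least `factor` times the baseline
    share, subject to an absolute floor so a near-zero baseline does not turn
    every stray query into an alert."""
    b, c = share(baseline, predicate), share(current, predicate)
    return {"baseline": round(b, 4), "current": round(c, 4),
            "anomalous": c >= max(factor * b, floor)}


def contrast_histograms(baseline, current, key=lambda r: r[1], factor=3.0, min_count=20):
    """Per-key count histograms for the previous window versus the current one.
    Flags keys whose count grew by `factor` or more, and keys absent from the
    baseline that now exceed `min_count`."""
    base, cur = Counter(map(key, baseline)), Counter(map(key, current))
    flagged = {}
    for k, n in cur.items():
        if k not in base:
            if n >= min_count:
                flagged[k] = {"baseline": 0, "current": n, "reason": "unseen in baseline"}
        elif n >= factor * base[k] and n >= min_count:
            flagged[k] = {"baseline": base[k], "current": n,
                          "reason": f"{n / base[k]:.1f}x baseline"}
    return flagged
```

Both checks compare two windows rather than testing against a fixed number, which is the contrast Keanini describes; recomputing the baseline window on a rolling schedule is what keeps an attacker from learning a static “normal” and staying under it.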

While baselines can be useful for detecting deviations, TK Keanini of Lancope warns that it may actually be useful to think in terms of pattern contrasts rather than ‘normal’ and ‘abnormal.’

“The term anomaly is used a lot because people think of pattern A as normal and patterns not A as the anomaly, but I prefer just thinking about it as a contrast between patterns,” says Keanini, CTO of Lancope. “Especially as we develop advanced analytics for big data, the general function of ‘data contrasts’ delivers emergent insights.”

This kind of analysis also makes it harder to fall prey to adversaries who understand how baselines are used to track deviations. Instead of a single, static baseline, advanced organizations constantly track patterns and look for contrasts across time.

“The adversary will always try to understand the target norms because this allows them to evade detection,” he says. “Think about how hard you make it for the adversary when you establish your own enterprise wide norms and change them on a regular basis.”

However it is done, when a contrast of patterns does flag those tell-tale anomalies, Kandek recommends that immediate analytical response should be organized.

“To deal with network anomalies IT departments can lean on a scaled-down version of their incident response process,” he says. “Have a team in place to investigate the anomalies, document the findings and take the appropriate actions, including adapting the baselines or escalating to a full-blown incident response action plan.”

Foremost in that immediate action is information sharing, Brandt recommends.

“When you identify the appropriate parameters needed to classify traffic from the ‘unknown’ to the ‘known bad’ column, it’s important to share that information, first internally to lock down your own network, and then more widely, so others might learn how they can detect anything similar on their own networks,” he says.


Article source: http://www.darkreading.com/perimeter/network-baseline-information-important-f/240165124

Online games Steam and Origin fall as gamers ring in New Year DDoS-ing

The gaming world has been just about squashed flat before, during and after New Year’s Eve, with multiple distributed denial-of-service (DDoS) attacks.

According to the Guardian, two Twitter users, @chFtheCat and @LARCENY_, have claimed responsibility for attacking the digital gaming service Steam, which was down for over an hour on Friday.

Battle.net, the login system used by World of Warcraft and other games produced by Blizzard, was hit by a similar attack, the news outlet reported.

A parallel set of attacks, launched by an entity that calls itself @DerpTrolling and which defines itself as a group of hackers, involved the DDoSing of scores of gaming servers in the days leading up to Friday’s separate attack on Steam, et al.

According to #DramaAlert [YouTube video] – a channel that covers “all the drama” in the gaming world – the gaming servers that were knocked offline included World of Tanks, RuneScape, Battlefield 3 and 4, EverQuest and EverQuest2, Club Penguin, Fifa Soccer 13 and 14, League of Legends, Minecraft, the Sony Playstation Network, Electronic Arts (EA), and even North Korea’s state-run news agency, kcna.kp.

@chFtheCat said in one tweet that the reason s/he/they “hit Steam off” is because @DerpTrolling hit off servers for the EA game Origin.

The Guardian reports that Origin was on-again, off-again for a period of almost 24 hours as a result of that attack.

The proposed motivations for the Steam attacks are all over the map, with the purported hackers chirping back and forth about more attacks to come and being too broke to afford more botnets to run the attacks.

PlayStation.net reports that for its part, DerpTrolling tweeted about deciding to follow PhantomL0rd, a popular streamer on the Twitch gamer community, and to crash every game he was in.

GameInformer.com reports that PhantomL0rd, whose real name is James Varga, egged on the DDoSers during the assaults on League of Legends, Dota 2, and other games.

GameInformer’s Mike Futter writes:

At one point, Varga is egging on the DDoSers. ‘I’ll put it this way,’ he says. ‘If my team is winning, we’ll keep going. If my team starts to lose, Derp Bros, take this s*** down!’ When DerpTrolling accepts the deal, Varga begins laughing loudly.

An entity identifying itself as DerpTrolling engaged in a conversation with #DramaAlert in which he/she/they said that the group simply attacks sites based on requests from people who tweet suggested targets.

In other words, it’s all just a game, and it’s all for the lulz.

I have a smidgen of pity for the gamers who were deprived of fun and pleaded with the assault squads to knock it off, “for the love of humanity”, but only a smidgen, given the blizzard and frozen pipes I’m dealing with in the real world.

Gamers, are you back up and running? Did this spur you to do something else with your time, like maybe shovel an elderly neighbor out from a blizzard?

Is there a game where you get to shovel out elderly neighbors from blizzards and unfreeze frozen pipes?

I want to play that one!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KEgZB2tVW6s/


Snowden docs: NSA building encryption-cracking quantum computer


The latest document stash from whistle-blower Edward Snowden shows that the NSA has budgeted $79.7m for the development of a quantum computer capable of “owning the net.”

“The Owning the Net (OTN) Project provides the technological means for NSA/CSS to gain access to and securely return high value target communications,” one document provided to the Washington Post states.


“By concentrating on the means of communication, the network itself, and network links rather than end systems, OTN research manipulates equipment hardware and software to control an adversary’s network. Research is conducted at the Laboratory for Telecommunications Sciences in College Park, MD, and supports the evolving NSA/CSS internal information infrastructure and the larger IC.”

The goal behind this effort is to build a system that has been discussed for decades: a computer capable of carrying out the massive amount of processing needed to break traditional encryption systems. Unsurprisingly, this is just the kind of thing the NSA wants.

“The application of quantum technologies to encryption algorithms threatens to dramatically impact the US government’s ability to both protect its communications and eavesdrop on the communications of foreign governments,” according to an internal document provided by Snowden.

The documents note that while the US had been leading in research into quantum computing, other nations are catching up. The EU and Switzerland are both mentioned as competitors that have now caught up with the current state of quantum computing development.

That’s a bit of a poke in the eye for the Canadian company that is already selling quantum computing systems to Google and NASA: D-Wave Systems. D-Wave acknowledges that it is not selling fully functioning quantum computers capable of decryption, but president Vern Brownell told The Register that the firm was able to perform quantum-speed calculations for a variety of computing tasks.

The (in)famous Shor’s algorithm, published in 1994, is a quantum algorithm for factoring large integers (and for the closely related discrete-logarithm problem); run on a large enough quantum computer it would break the public-key systems, RSA among them, whose security rests on those problems being hard. Shor is “a friend of ours,” Brownell told us, but added that the company wasn’t looking into decryption.

“Folks say to us ‘you can’t do Shor’s algorithm,’ but we don’t want to do Shor’s algorithm,” Brownell said. “You can’t build a business around decrypting.”

The NSA certainly does want to do this, but based on the Snowden documents the agency is a long way from being able to manage it. The millions in research funding mentioned is being used to try and see if a Shor-based system can be built, and there’s no mention of anything like a working quantum decrypter.
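To make concrete what a “Shor-based system” would buy an eavesdropper, here is an added worked example (written for this page; not from the Register article, D-Wave or any NSA document) that carries out Shor’s algorithm with its one quantum step replaced by brute force. Shor reduces factoring to finding the period r of a^x mod n; a quantum computer does that in polynomial time, and everything after it (checking r is even, taking gcd(a^(r/2) ± 1, n)) is ordinary arithmetic. The code then recovers an RSA private exponent from the factors. The modulus n = 3233 (61 × 53) with e = 17 is the textbook toy RSA key; the candidate bases are arbitrary choices.

```python
from math import gcd


def multiplicative_order(a, n):
    """Smallest r >= 1 with a^r ≡ 1 (mod n).

    This is the period-finding step that a quantum computer running Shor's
    algorithm performs in polynomial time. Here it is brute force: the loop
    runs up to n times, i.e. exponential in the bit length of n, which is
    exactly why a classical machine cannot scale this to a 2048-bit modulus.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n, a):
    """The classical half of Shor: turn the period of a mod n into a factor.
    Returns a nontrivial factor of n, or None if this base a happens to fail
    (odd period, or a^(r/2) ≡ -1), in which case the caller picks another a."""
    if n % 2 == 0:
        return 2
    g = gcd(a, n)
    if g != 1:
        return g                      # lucky guess: a already shares a factor with n
    r = multiplicative_order(a, n)
    if r % 2:
        return None                   # odd period: no square root of 1 to exploit
    y = pow(a, r // 2, n)             # y^2 ≡ 1 (mod n)
    if y == n - 1:
        return None                   # trivial root -1: gcd would give n itself
    f = gcd(y - 1, n)                 # nontrivial root: (y-1)(y+1) ≡ 0 splits n
    return f if 1 < f < n else None


def factor_with_retries(n, candidates):
    """Shor succeeds with probability at least 1/2 per random base, so try
    several. Returns (factor, base) for the first base that works, else None."""
    for a in candidates:
        f = shor_factor(n, a)
        if f:
            return f, a
    return None


def recover_rsa_private_exponent(n, e, p):
    """Given one prime factor p of an RSA modulus n and the public exponent e,
    compute the private exponent d = e^-1 mod (p-1)(q-1). This is the step that
    turns a factoring oracle into a decryption oracle."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    f, a = factor_with_retries(3233, range(2, 20))
    d = recover_rsa_private_exponent(3233, 17, f)
    print(f"3233 = {f} x {3233 // f} (base a={a}); private exponent d={d}")
```

The failure branches matter: for n = 15 the base a = 14 ≡ -1 has period 2 and a^(r/2) ≡ -1, so it yields nothing and a fresh base is needed; the retry loop is what makes the algorithm succeed with high probability.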


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/03/snowden_docs_show_nsa_building_encryptioncracking_quantum_system/
