Tuesday, June 26, 2007

Go Fish: Is Facebook Violating European Data Protection Rules?

Update: Facebook has fixed the problem. More here


Executive Summary

Using nothing more complex than an advanced search on Facebook's website, an interested person can learn extremely private pieces of information (sexuality, political leanings, religion) that are stored within another user's private Facebook profile.

Users of Facebook can modify the privacy settings for their profile. This will restrict the public viewing and only permit a person's immediate friends to view their profile. While Facebook does allow users to control their profile's existence in search queries, this second preference is not automatically set when a user makes their profile private - and thus many users do not know to do so.

Users cannot be expected to know that the contents of their private profiles can be mined via searches, and thus, very few do set the search permissions associated with their profile.

It is clear however that users intend for their profiles to not be public. A large number of users have gone to the effort to restrict who can view their profiles, but many, unfortunately, remain exposed to a trivial attack.



The Attack

The attack is very simple. For a specific target, one must simply issue an advanced query for the user's name, and any attribute of the profile that one wishes to search.

For example, I've created a new profile in the name of "Chris Privacy Soghoian", who is socially conservative, a Catholic and lives in London, England. His profile privacy has been set so that only his friends may see his profile. Random strangers should not be able to learn anything about the profile - they cannot click on it or view the profile's information.

By issuing an advanced search request for Name: "Chris Privacy Soghoian" and Religion: "Christian - Catholic", one can learn if the profile for that user has listed Catholicism as his religion. Note: To be able to find this profile, you need to be signed in to a facebook account that is a member of the London, UK network. Anyone can join this and other geography based networks, but you must do so first before searching.

If a profile is returned for the search terms requested, one can be sure that the user in question has the relevant information in his profile. It is also easy to see that the profile has been set to private, as the user's name is in black un-clickable text.



Likewise, a similar search for Chris Privacy Soghoian/Buddhist would come back with no results.



This shows how easy it is to learn confidential information that users believe that random strangers cannot learn when they have set their profile to be private/friends-only.

This attack is very similar to the children's game Go Fish. It won't tell you the contents of a profile, but it will provide you with positive or negative confirmation if you know what you're looking for.




So What's The Big Deal?

I originally wrote about this attack in September of last year. I was mainly focused then with finding out the names of students who admitted (in their private profiles) to working at the local strip clubs, and of those students under the age of 21 who listed beer and alcohol in their hobbies.

Stripping and alcohol are interesting enough - and they prove to be fantastic examples when I use them as a demo of "why you need to be careful on Facebook" when lecturing students in my department. However, in focusing on things that would amuse and scare undergrads, I completely missed the hot potato: Sexuality and Religion.

I attended the Privacy Enhancing Technologies workshop last week. While there, I mentioned the Facebook attack to several attendees. A couple of the Europeans were shocked, and told me that Facebook was almost certainly running afoul of a number of European data protection rules.

Privacy is not something that the US government really cares too much - unless of course, you are a politician or supreme court nominee - in which case, they'll pass watertight legislation to protect your ahem "adult" movie rental records.

The Europeans do care about privacy. Sexuality and Religion are bits of information that they consider to be highly sensitive.. and thus, my little go fish attack is now suddenly a lot more important than it was before. Facebook's default search privacy policies may violate European Data Protection rules.



Sample Queries

The following searches will only work if you are signed in to facebook. It is easy to create an account - anyone can make one, and all that you need is a valid email address.

The queries will search everyone within all of your networks - which will include any university/school/employer that you select, as well as a geographic group. There is no proof required of your current location, and so if you wish to search for everyone in France, it's trivial to make a new account/profile located there.

All women interested in women.
All men interested in men.
All Christian men interested in other men.
All Hindu men interested in other men.
All Muslim men interested in other men.
All Jewish men interested in other men.
All Christian women interested in other women.
All Hindu women interested in other women.
All Muslim women interested in other women.
All Jewish women interested in other women.

Clicking on any one of these - at least when you've joined a decent sized network - will return a large group of people - a fairly significant number of whom have profiles that are marked private, which you cannot click on or learn more about. However, by merely appearing in the list of returned profiles, you can be sure that the person's private profile contains information that matches the search terms. This is a problem.



Fixing The Problem

Facebook's privacy policy essentially states that Facebook is not responsible in any case where a user is able to obtain private information about someone else: Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable... Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site.

Facebook should be commended for the fact that they have implemented a simple technical solution to the problem. Users can control their search privacy settings - and thus control who can see their profile when searches are issued on the facebook site. This feature did not exist when I first described the vulnerability last year.

The problem is that users must opt-in to this more restrictive privacy setting. Users who have gone to the effort of marking their profiles as private (so that others cannot view them) are not clearly warned that other users may be able to learn bits of information by issuing highly specific search queries. Users should not be expected to know or even understand this.

Facebook should change their defaults, and automatically restrict the profile search settings for any user who makes their profile private. Those users who wished to permit strangers to find them in a search could opt in and modify this setting themselves.



Disclosure

Normally, for something like this, I would follow the norms of responsible disclosure (as I did last month with Firefox/Google) and give Facebook advanced notice of my planned release. However, since I first announced this attack on my blog last September, it doesn't really make sense to try and keep it secret. This post doesn't announce anything new - it merely restates the previously described attack in clearer language, provides a couple screenshots and some sample queries that people can click on.

11 comments:

Sid Stamm said...

So could you brute-force someone's entire profile? :)

mitmwatcher said...

I was working on a similar attack vector like how to extract the private info which can be used to compromise the victims other online accounts :
Just create a survey or chain mail embed the privacy questions in it :
What is your favorite colour?
Where were you born?
Where was your mom born?
Where was your dad born?
Who is your best friend now?
Who was your best friend when you were 8?
Who was your best friend when you were 14?
What was your first pet?
What was it's name?
What school did you go to?
What was your favorite lesson?
If history (like me) who was the most rad person you learned about?
Who was your best teacher?
What do you do for a living?
What does your dad do for a living?
What does HIS dad do for a living?
How many people on your top friends have you kissed?
Have you ever been arrested?

Some of the Secret Questions of password protected sites :
Mother's birthplace
Best childhood friend
Name of first pet
Favorite teacher
Favorite historical person
Grandfathers occupation

-Mitmwatcher

mistergrow said...

I also recently learned that a Friend of mine can send a message to ALL of my Friends, regardless of whether they are Friends with him or not.

not good.

Rodney said...

This is a non-issue. On the privacy page, right under "profile" is "search". There you can choose to make private any of these things you are talking about. It's clear, simple, easy to find and powerful.

Anonymous said...

this is awesome! Thanks!

A great tool in discussions with students.

Brandee said...

Facebook offers sophisticated search and privacy controls and is constantly making improvements based on feedback from our users. We have since updated the advanced search function so that profile information that has been made private by a user, such as gender, religion, and sexual orientation, will not return a result.

Thanks,

Brandee Barker
Director, Corporate Communications
Facebook

Anonymous said...

Facebook was founded by the CIA.

http://digg.com/security/Facebook_s_CIA_ties

Anonymous said...

Is it possible to see who has been searching you on facebook? I have a private profile which only my friends can see but am worried that an ex has been looking me up and seeing who i am friends with etc.

Anonymous said...

no, but that' a bit paranoid isn't it? Who cares who sees whos friends on which site?

xenchan said...

Gee, if you weren't doing anything to be ashamed of, this wouldn't be a problem, would it?

I also believe that under religion one can put "Other" and under sexuality there's a type of "prefer not to say." If you're still in the freaking closet, why put your sexuality in your profile? And if you're not, why are you freaking about people knowing your sexuality? Unless you think it's something shameful...

This is a bunch of crap. Facebook does all it can to protect it's users. There has to be some time at which we say, "Okay, now they could have clicked that..."

Data Protection said...

I totally agree with people's comments that facebook is a fun and safe system that has one of the best data protection methods around. On Twitter there is NO data protection. I can go on right now and choose to follow Brook Burke. Is Brooke Burke going to complain that she never added me as a friend? Well, it probably isn't even Brooke typing her own feeds, but you get the point! You can follow just about anyone whether you are friends with them or not. Even the so-called spam on Facebook, which includes group invites, random events, and notifications stems from friends you “confirmed” and groups you joined!