Privacy Plug-In Fakes out Facebook

R.A. Hettinga rah at shipwright.com
Thu Sep 10 07:33:31 EDT 2009



Begin forwarded message:

From: Eugen Leitl <eugen at leitl.org>
Date: September 10, 2009 5:49:20 AM GMT-04:00
To: cypherpunks at al-qaeda.net, info at postbiota.org
Subject: Privacy Plug-In Fakes out Facebook

http://www.technologyreview.com/printer_friendly_article.aspx?id=23405&channel=web&section=

Wednesday, September 09, 2009

Privacy Plug-In Fakes out Facebook

FaceCloak lets users hide sensitive updates from prying eyes, including
Facebook's.

By Robert Lemos

Social networks are rife with examples of users failing to understand the
privacy implications of posting sensitive information online.

In February, for example, school officials in Wisconsin suspended a teacher
who posted on Facebook a picture of herself pointing a gun at the camera. In
April, the Swiss insurance company Nationale Suisse fired an employee after
she called in sick and then posted updates on the same site. Others have
raised concerns about users handing so much personal information to
social-networking companies themselves.

Now, researchers at the University of Waterloo in Ontario have developed a
browser plug-in to help users keep their information private from prying eyes
and from social-network providers as well. Urs Hengartner, an assistant
professor of computer science, and his colleagues say the plug-in replaces
sensitive information in a user's profile and news feed with meaningless text
that can only be unscrambled by trusted friends or contacts. Dubbed
FaceCloak, the tool assures its users that sensitive data stays private,
Hengartner says. "If you have a particular illness, you might want to allow
only your friends to see that," he says. "This leaves it up to the user to
decide what information to keep away from Facebook."

The tool is the latest shot in a battle between social networks and
privacy-conscious users. Most users of Facebook, MySpace, and other social
networks remain unaware of the privacy implications of posting personal
information to such sites, says Alessandro Acquisti, an associate professor
of information systems and public policy at Carnegie Mellon University.

In 2005, Acquisti and fellow CMU researcher Ralph Gross showed that nearly 80
percent of Facebook users revealed their birthday publicly and the majority
provided public access to their real-world addresses--information that could
be used to commit identity theft. "You feel like you are talking to a friend
casually in a conversation, but in reality you are publicizing information in
a forum where it will stay for a long time," Acquisti says. "Privacy is not
the first thing you think of when you use a social network."

Nowadays more people appear to be privacy conscious. In a more recent study,
Acquisti's group found that 30 to 40 percent of users change the default
privacy settings to take greater control of their information. But social
networks themselves have not been good protectors of privacy, Acquisti says,
because monetizing personal information is a potential gold mine. This is
demonstrated by Facebook's Beacon advertising service, which allows
affiliates to tailor advertising according to users' activities on Facebook
and beyond.

FaceCloak, implemented as a plug-in for Mozilla's Firefox browser, allows a
user to designate--using two "at" signs ("@@"), by default--what information
should be encrypted and only made available to friends. A FaceCloak user
holds a secret access key but also sends two other keys to her friends. Those
keys are then used to access the real information, which is held on a
separate server. While the same concept could be used on other social
networks--such as Twitter and MySpace--Hengartner and his colleagues focused
on the largest provider.

Similar tools are being developed by other academic teams to address the
privacy issues plaguing social networks. A group of researchers from Cornell
University created another Firefox plug-in, called None of Your Business
(NOYB), that encrypts profile information so that it can only be read by a
small group of friends. And two researchers from the University of Illinois
at Urbana-Champaign have developed a Facebook application called flyByNight
that encrypts users' data.

Unlike those projects, however, FaceCloak works with any number of contacts
and does not rely on the cooperation of the social-network provider. The
University of Waterloo researchers attempt to hide which users are encrypting
their data with FaceCloak by replacing the hidden data with arbitrary text
taken from sources on the Internet. "Users who submit encrypted information
stand out, both to Facebook and to other users who can see the profiles, and
therefore might raise suspicion," Hengartner says. "By using fake
information, we can avoid this problem."

There are still some major issues, however. Images are not yet supported by
FaceCloak and the third-party hosting server used could potentially be
compromised. Moreover, a FaceCloak user still has to be careful, Hengartner
says. "The same problem arises in real life," he says. "When you tell a
friend some personal information about you, you need to trust your friend to
deal with this information responsibly. If she misbehaves, you can't erase
the information from her brain."

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


