Facebook a creepy peeping tom neighbor?

Posted in Computing, Education, Web development on December 10th, 2007

An evening on the computer

Apparently Facebook is collecting even more information about us than we thought:

A Computer Associates security researcher is sounding the alarm that Facebook’s controversial Beacon online ad system goes much further than anyone has imagined in tracking people’s Web activities outside the popular social networking site.

Beacon will report back to Facebook on members’ activities on third-party sites that participate in Beacon even if the users are logged off from Facebook and have declined having their activities broadcast to their Facebook friends.

I can’t say I’m surprised - the entire design of Facebook has consistently been geared to extract as much information as possible from their users, and they haven’t exactly been sneaky or subtle about it. Still, a depressing wake-up call for all those folks who are blithely spilling their lives all over social networking systems.

They don’t provide much in the way of technical details. However, as the wonderful Web 2.0 world moves us farther and farther away from the web as a collection of simple text pages with HTML tags thrown in for pretties, there are more and more ways that we can be tracked and subverted. We can certainly do more (I do love Flickr, and Google Calendar is a joy), but we expose ourselves to increasing risk as a consequence.

Caveat emptor.

(Apparently Facebook has turned off Beacon, although my suspicion is that Beacon is just the tip of Facebook’s data collection iceberg.)


Loose lips (still) sink ships

Posted in Computing, Education, Politics on November 21st, 2007

Frozen Solid Security Monkey by Monkey River Town

I suspect many of our readers will already have seen something about this, but just in case it hasn’t gotten a lot of U.S. press, Chancellor Alistair Darling (a very high-ranking member of the British government) announced today in the House of Commons that 2 discs (CDs or DVDs - I’m not sure) were lost that contained highly confidential information for 25 million individuals. This data included names, dates of birth, insurance numbers, and (in some cases) bank account details — essentially all the toys you’d need to execute identity theft and fraud on a massive scale. The kind of stuff that an organized crime outfit would probably pay mucho top dollar for.

And the data was unencrypted.

Yup.

Unencrypted.

Makes you want to cry.

(In fairness, the discs were “password protected”, but no one seems clear on what that actually means. Given that most password systems for discs and files are child’s play to get through, without solid encryption on the other end “password protected” doesn’t offer much comfort.)

Unfortunately, as several of the talking heads pointed out, this is at some level inevitable as governments, corporations, and educational institutions move to larger and more centralized databases. Consider, for example, last year’s leak of the search histories of half a million AOL users.

The U of M at least tries to take these things seriously, but they don’t always get the stick by the right end. There’s a lot of noise, for example, about whether faculty like myself should be able to hold confidential student data (including things like homework grades) on our office computers or (far worse) on laptops or home computers. This is partly a security concern (stolen laptops are always a risk, who knows how well I’ve configured and updated my computers), and partly a data protection concern (how often do I actually back up my data). If they seriously go down this road, however, then one consequence is that all this grade data for the entire University is in one place. At the moment, if my computer gets lost or destroyed or stolen, there’s not much exposure. It would be painful and unpleasant for me and several dozen students, but the ripples would stop pretty quickly. If all that data is centralized, however, then the risk is arguably much greater, especially if it’s not managed well.

In reality, I’m not their real problem. I just don’t have access (and rightly so) to enough data to mess up very many people’s lives. There are admin and support staff, however, that have access to enormous amounts of sensitive information. Are they able to burn a couple of DVDs full of the stuff? Probably (but hopefully not easily). Are they trained on why that would be a really dumb idea? I think so.

But then I would have thought that staff at Revenue and Customs over here would have had that sort of training.

And apparently I would have been wrong.

Thanks to the fine folks at MonkeyRiverTown for the great photo.
