Michael Dell 'Friends' his customers [FORTUNE]

From the BBC:

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users' friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people's security?

Facebook responded by saying that they remove applications that violate their terms of use.

'Identity' at risk on Facebook [BBC]

(Thanks, T.J.!)

Reader Chris wrote in to let us know that he was incredulous that so many people could be fans of Ticketmaster, so he did a little investigating. What he found out, and what these screenshots I took demonstrate, is that most of Ticketmaster's fans are fake profiles with names like "Hamm Beerger," "Stebe Jobs," or "Asdsd Dasdasdas." They have no profile pictures and most of them have no friends other than Ticketmaster. What we originally thought was lazy astroturfing by Ticketmaster turned out to be lazy astroturfing sponsored by Ticketmaster. In October, Ticketmaster apparently ran a promotion offering five free iTunes downloads to Facebook users who added Ticketmaster as a friend. Neither Facebook nor Ticketmaster verified anything, and now Ticketmaster is more popular than Starbucks, Marmite, and the entire sport of basketball. For the record, all of Tax Cat's fans are real.
Ticketmaster Creates Fake Facebook Profiles to Look More Popular [East Village Idiot] (Thanks to Chris and Mark!)

She's seeking class action status, with $2,500 for each violation of the statute. MediaPost says the law was passed in 1988 when a newspaper obtained the rental history of U.S. Supreme Court nominee Robert Bork.

What about you? Did Facebook tell all your friends that you rented Basic Instinct 2... again?

Blockbuster Sued For Participating In Facebook Beacon [MediaPost]

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as they are when they are using the first party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.
 
At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
 
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
 
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo
 
ASuper Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users. This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
 
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user id's, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds-or those that protect us against them-to ignore. I hope you can help me get the word out.
 
Sincerely, Gregory

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

"Taking it seriously" is a phrase companies use over and over again in public statements whenever they have bad PR. Our series of posts on occurrences of the phrase is our attempt to question how seriously companies are really taking these matters if every time they trot out this phrase by rote. To see more examples of how companies are "taking it seriously" click here.

(Thanks, Kim!)

PREVIOUSLY: Comcast vs Menu Foods
This is a post in our Worst Company In America 2008 series. Keep track of all the goings on at consumerist.com/tag/worst-company-in-america/

On Monday, Facebook modified its help pages to tell people that if they wanted to remove their accounts entirely, they could e-mail the company to have it done. But on Tuesday, representatives of Facebook stopped short of saying the company would introduce a one-step delete account option.

"We're always working to improve the user experience," Katie Geminder, director of user experience and design at Facebook, said in an e-mail.

"We are measuring the effects of the change we made yesterday, and if we think more needs to be done to improve the user experience for deleting an account, we'll test different implementations and measure them accordingly," she added.

The updated Facebook help page now includes the question, "How do I delete my account?" The answer reads, "If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added."

The entry then says, "If you would like your account deleted, please contact us using the form at the bottom of the page and confirm your request in the text box."

Geminder said Facebook's policies reflected the fact that many people came back to Facebook after they had stopped using the site for a period of time. "On any given day, the number of users reactivating their accounts is roughly half of the number of users deactivating their accounts," she said.

Facebook tries to help users delete accounts [Seatlle P-I]

"It's like the Hotel California," said Nipon Das, 34, a director at a biotechnology consulting firm in Manhattan, who tried unsuccessfully to delete his account this fall. "You can check out any time you like, but you can never leave."

It took Mr. Das about two months and several e-mail exchanges with Facebook's customer service representatives to erase most of his information from the site, which finally occurred after he sent an e-mail threatening legal action. But even after that, a reporter was able to find Mr. Das's empty profile on Facebook and successfully sent him an e-mail message through the network.

Facebook's Web site does not inform departing users that they must delete information from their account in order to close it fully — meaning that they may unwittingly leave anything from e-mail addresses to credit card numbers sitting on Facebook servers.

Only people who contact Facebook's customer service department are informed that they must painstakingly delete, line by line, all of the profile information, "wall" messages and group memberships they may have created within Facebook.

"Users can also have their account completely removed by deleting all of the data associated with their account and then deactivating it," Ms. Sezak said in her message. "Users can then write to Facebook to request their account be deleted and their e-mail will be completely erased from the database."

But even users who try to delete every piece of information they have ever written, sent or received via the network have found their efforts to permanently leave stymied. Other social networking sites like MySpace and Friendster, as well as online dating sites like eHarmony.com, may require departing users to confirm their wishes several times — but in the end they offer a delete option.

Does Channel 4 News have enough time to interview everyone who wants to leave Facebook?

How Sticky Is Membership on Facebook? Just Try Breaking Free [NYT]
(Photo:Elaine Chan and Priscilla Chan)

The insurer says that eating problems are not "biologically based" and are therefore not covered. From Law.com:

In December, U.S. Magistrate Judge Patty Shwartz ordered the plaintiffs to turn over by Jan. 15 the children's e-mails, diaries and other writings about their "eating disorders or manifestations/symptoms thereof, and related health conditions" that had been "shared with others, including entries on Web sites such as 'Facebook' or 'MySpace.'"

On Tuesday, Shwartz ordered the plaintiffs to certify by Feb. 15 whether they have produced everything in their possession in response to the discovery order and what steps they have taken to comply.

Shwartz's December order narrowed the scope of an October order that was not restricted to writings shared with other people. The plaintiffs had asked Shwartz to reconsider the October order on the ground that the writings were therapy tools, not meant to be shown to others, and that their disclosure would cause anxiety and possibly even a relapse.

MySpace, Facebook Pages Called Key to Dispute Over Insurance Coverage for Eating Disorders [LAW]
(Photo:Teen Angst)

CBC News extracted this precious gem from the government department that inspects restaurants: "They say employees should not drop their pants behind the counter."

After reviewing the video, franchise owner Albert Buott exclaimed: "Good God almighty! Where's my managers? Who's allowing this to happen?" before confusedly adding: "Who's there? Where am I?"

Dairy Queen workers' hijinks on web shock owner [CBC News via BarfBlog]

Justin writes,

"While surfing Facebook today, I saw an ad for the Wii going for $99. It immediately set off my spider sense. The site was just registered to a guy out of Fayetteville, AR, but under a false name? The phone number listed is for a different Peter.

If your credit card company called you up and said, "we've been looking over your records and we see that you've been having an extramarital affair. We'd like to offer you a free coupon for VD testing..." you'd freak out, and for good reason.

If the local authorities start using what's on the corner surveillance cameras to sell you a new kind of commuter token, you'd be a little annoyed at that as well.

Seth says:

This leads us to Ask.com's new Eraser service, which promises to not remember stuff about your searching. The problem they face: most people want Google and Yahoo and Amazon to remember their searches, because it leads to better results and (so far) rarely leads to surprises.

People don't truly care about privacy [Seth Godin's Blog] (Thanks, James!)

How to Block Facebook Beacon [WikiHow]
PREVIOUSLY: Facebook Ruins Christmas?

What's even more bizarre is that the information that's now in the public eye had originally been sealed by court order during an earlier trial, and a reporter only got access to it through what appears to be an honest mistake by a records clerk. But now that it's out there, it's out there for good.

"[The reporter] said he had obtained the papers in mid-September from the First Circuit Court of Appeals in Boston, which considered a part of the case, where a clerk apparently made a mistake and let him read and copy sealed documents, along with those that were still supposed to be open to the public.

"There were a whole bunch of manila envelopes taped shut, clearly sealed, and I did not open those," he said.

Some of the pages he copied were stamped "Confidential" or "Redacted." Bom Kim, founder and editor of 02138, which is not affiliated with the university or its alumni association, said that gave him pause.

"We cleared it with our lawyers," he said, who said that any order sealing the documents would apply only to the parties to the lawsuit. "We did wonder if they were under seal. But since we had obtained them legally, we got clearance."

• Mark Zuckerberg's Harvard Application
• Mark Zuckerberg's email to Harvard's Administrative Board
• Mark Zuckerberg's testimony #1
• Mark Zuckerberg's testimony #2
• Facebook Statement of cash flows 2005
• Cameron and Tyler Winkelvoss's testimony
• Mark Zuckerberg's online diary
• Statement of damage done to La Jennifer sublet

"Poking Facebook" [02138]
"The Facebook Files" [02138]

RELATED
"The Diaries of Facebook's Founder" [Slate]
"Facebook Founder Finds He Wants Some Privacy" [New York Times]
(Photo: Associated Press)

• AllPosters.com
• Blockbuster
• Bluefly.com
• Busted Tees
• CBS Interactive (CBSSports.com & Dotspotter)
• Citysearch
• CollegeHumor
• echomusic
• ExpoTV
• Gamefly
• Hotwire
• iWon
• Joost
• Kiva
• Kongregate
• LiveJournal
• Live Nation
• Mercantila
• National Basketball Association
• NYTimes.com
• Overstock.com
• Pronto.com
• (RED)
• Redlight
• SeamlessWeb
• Sony Online Entertainment LLC
• Sony Pictures
• STA Travel
• The Knot
• TripAdvisor
• Travel Ticker
• Travelocity
• TypePad
• viagogo
• Vox
• Yelp
• WeddingChannel.com
• Zappos.com

One site points out that Redlight is a mysterious addition—"I couldn't find any site that went by that name that wasn't an adult site." We found something called Redlight Poker—maybe that's the participating company?

[Updated to include missing companies—thanks Phantomfly!]

"Leading Websites Offer Facebook Beacon for Social Distribution" [Facebook] (Thanks to Gary!)

RELATED
"41 Sites Using Facebook Beacon—Facebook to Know Your Porn Viewing?" [dcoates.com]

Late yesterday the company made an important change, saying that it would not send messages about users' Internet activities without getting explicit approval each time.

MoveOn.org Civic Action, the political group that set up the online petition, said the move was a positive one.

"Before, if you ignored their warning, they assumed they had your permission" to share information, said Adam Green, a spokesman for the group. "If Facebook were to implement a policy whereby no private purchases on other Web sites were displayed publicly on Facebook without a user's explicit permission, that would be a step in the right direction."

Facebook Retreats on Online Tracking [NYT]

Executives of the three-year-old company were in deep talks over proposed changes late into the afternoon on Nov. 28, according to a person familiar with the matter. At issue is the Beacon program, which alerts members' Facebook "friends" to purchases and other activities on third-party Web sites. A spokesperson for the company declined to discuss changes, reiterating an earlier statement: "Facebook is listening to feedback from its users and committed to evolving Beacon."

Kim Garvey, a 21-year-old junior at Chicago's DePaul University, says she found out about Beacon after friends were alerted to a restaurant review she posted on Yelp. "I didn't see the little thing that popped up, and I didn't mean to tell everyone," Garvey says."For me, that was sort of uncomfortable." She adds that she was surprised Facebook "is willing to invade people's privacy."

Facebook May Revamp Beacon [BusinessWeek]
(Photo:Photo composite—Austin Cornelio)

From MoveOn.org:

"Oh my gosh, my cousins entire christmas shopping list this week was displayed on the [Facebook News] feed. thats so messed up. This has gotta stop!" - Tasha Valdez from Michigan:

"I saw my gf bought an item i had been saying i wanted... so now part of my christmas gift has been ruined. Facebook is ruining christmas!" - Matthew Helfgott from NY

Guy We Know: man that is kinda creepy

Consumerist: apparently this is ruining people's shopping for gift-type sh*t

Guy We Know: yeah I would prefer they'd not

Guy We Know: "User privacy is extremely important to Facebook. We designed Facebook Beacon to enable effortless sharing, but we've also put in features to protect user privacy. When you send an action to Facebook, the user is immediately alerted of the story you wish to publish and will be alerted again when they sign into Facebook. The user can choose to opt out of the story in either instance, but the user doesn't need to take any action for the story to be published on Facebook."

Guy We Know: yeah that never happened

Consumerist: Ugh.

Facebook must respect privacy [MoveOn via BoingBoing]
(Photo:Boris Veldhuijzen van Zanten )

The Ghost of Wal-mart: Haunting towns and Facebook profiles near you. [Wal*Mart Watch]

Walmart doesn't have, um, the most sterling history when it comes to using the internet for marketing. Perhaps this frustrating inability to get college students to debate dorm accessories and not economics is why Walmart feels so unpopular on the internets. They should know that it's a losing battle. The cute part is that they just keep trying.

Facebook Users Hijack Wal-Mart's Roommate Style Page [Wired]

The Wall Street Journal says:

These ads would show up differently than the banner ads and boxed flyers that appear on the borders of Facebook pages, say people familiar with the plan. Instead, they would be interspersed with items on the "news feed," which is a running list of short updates on the activities of a user's Facebook friends. In addition, the ads would show up on Facebook pages that feature services provided by other companies, one person says.

Facebook Gets Personal With Ad Targeting Plan [WSJ]

"Do you blog, have lots of firends at your MySpace page, and love music?" asked the ad at entertainmentcareers.net.

Epic Records, a subsidiary of Sony BMG, "is looking for skilled, motivated interns to promote artists on social networking sites like MySpace, Purevolume, Facebook and others."

The ad has since been pulled after getting sniped by "What's Online" in the New York Times on Feb. 18th, 2005, but we've got it here, thanks to the magic of Google cache.

In return for selling out and buying in, you get college credit and a tick point for your resume, which should be very useful should you be seeking a job in the future requiring little to no integrity, like marketing. Perhaps we should send this posting to our winner of today's most pathetic barter?