Monday, October 10, 2011

License to Intrude, Part 2

There is a great deal going on in the world, and keeping up with things can be challenging. So, as I was reviewing news from the Caucasus region, I was surprised when I came across an article addressing a situation related to a topic I had previously written about. At this point, I suggest you read Part 1.

And now, we begin by reviewing an excerpt from Facebook privacy row: Social network giant admits to 'bugs', dated September 28, 2011 (boldface in original):

In its latest privacy blunder, the social networking site was forced to confirm that it has been constantly tracking its 750 million users, even when they are using other sites.

The social networking giant says the huge privacy breach was simply a mistake - that software automatically downloaded to users' computers when they logged in to Facebook 'inadvertently' sent information to the company, whether or not they were logged in at the time.

Most would assume that Facebook stops monitoring them after they leave its site, but technology bloggers discovered this was not the case.

In fact, data has been regularly sent back to the social network's servers - data that could be worth billions when creating 'targeted' advertising based on the sites users visit.

The website's practices were exposed by Australian technology blogger Nik Cubrilovic and have provoked a furious response across the internet.

In a post entitled Logging out of Facebook is not enough, from September 25, 2011, Cubrilovic begins to provide an explanation as to how Facebook monitors the online activity of its users, even after they log out of Facebook. At the end of this post, he summarizes:

Specifically the datr and lu cookies are retained after logout and on subsequent requests, and the a_user cookie, which contains your userid, is only cleared once the session is restarted. Most importantly, connection state is retained through these HTTP connections. There is never a clean break between a logged in session and a logged out session - but I will have more on that in a follow-up post.

Interestingly, Facebook - until only a few days ago - was placing cookies on computers that identified the Facebook account associated with the computer, and what other websites the computer accessed, even after the Facebook user was logged out.

This information was being sent back to Facebook.

The most important of these cookies contained the user's ID. Reportedly, this cookie is now deleted on logout. But, there were other cookies. From Facebook Fixes Logout Issue, Explains Cookies, September 27th, 2011:

The Other Cookies

This leaves a number of other cookies, and I will be explaining the purpose of each one as per information from Facebook.

The datr cookie is set when a browser first visits The purpose of it, as per Facebook, is:

We set the 'datr' cookie when a web browser accesses (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.

The lu cookie is also set the first time a browser visits and is used to identify the browser pre-fill the users email address in the login form. The purpose of it, as per Facebook again, is:

the 'lu' cookie helps protect people using public computers. The data it contains is used to make subtle changes to the login form, such as prefilling your email address and unchecking the "Keep me logged in" option if we detect multiple users signing in with the same browser. If you log out, this cookie does not contain your user id and Facebook will not prefill the email field.

These cookies, by the very purpose they serve, uniquely identify the browser being used - even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described. The previous a_user cookie that was fixed identified your user account and has been fixed, these cookies identify the browser and are not re-associated with your logged in account.

Nik Cubrilovic compiled a table showing how cookies with particular identifying data were preserved on and even added to a computer after logout from Facebook. This includes information categorized as "act". Continuing with Facebook Fixes Logout Issue, Explains Cookies:

Most of the remaining cookies are not very interesting - they set things like the language of your browser and device dimensions. The most interesting cookie, for me (after the userid, obviously), was act. The values for this cookie for the requests I logged were 1316962370811/2;, 1316972790935/11; and 1317032073811/0;. It is a timestamp for each request, in milliseconds since UNIX epoch (1st January 1970). What interested me was that not only was the timestamp accurate to milliseconds (ie. thousandths of a second) but that an additional number was being added to it. My gut instinct was that the additional number (ie. the /11, /0 and /2 in those exaples) was being added to make the timestamp unique for each and every request. Facebook confirmed this:

It is a monotonically increasing counter of actions since the start of logging. As we shared, this is for the collection of performance data -- nothing else.

I understand the technical reason for that - they can store the timestamp as a primary key in their logging backend and not have to associate benchmarking of each request back to a user. I believe Facebook here when they say that although this is a unique identifier it isn't used to link back to a user id - but it is definitely being logged and it can be linked to a user.

A lawsuit has now been filed against Facebook regarding this matter.

For further background on the situation and the lawsuit, you can review: Lawmakers seek FTC probe of Facebook post-log out tracking by Elinor Mills, September 28, 2011; Facebook sued over tracking users after logout by Elinor Mills, September 30, 2011; and Facebook Sued for Tracking Users After Log-Off; Class-Action Status Sought by Joel Rosenblatt and Sara Forden, September 30, 2011.

The judge presiding over the case is Magistrate Judge Paul Singh Grewal, who was appointed in 2010. In addition to legal experience in a wide range of subject areas, including civil rights and contract matters, Judge Grewal has his Bachelor of Science degree from MIT, and has particular experience regarding technology-related issues. Judge Grewal recently had the Google/Oracle mediation referred to him. Judging by his background, Judge Grewal would seem like an excellent presiding judge for a case of this kind.

This case is of interest. As the Electronic Privacy Information Center points out (pgs 5-6 of 14) in a September 29, 2011, letter submitted to the Federal Communications Commission regarding a Facebook feature called "Ticker" (superscripts refer to footnotes in original):

Ticker allows a user to see the Facebook posts of complete strangers — or even Facebook interactions between complete strangers — to which a friend of the user has connected. Facebook users were initially surprised by this phenomenon, prompting a host of negative comments on Facebook's blog,21 blog posts criticizing Facebook,22 advice on how to ensure the privacy of a user's post,23 advice on removing Ticker entirely,24 and even a petition to Facebook to remove Ticker.25 Frictionless sharing will amplify Ticker's problems because under the frictionless sharing model social apps will automatically post the user's activity to the ticker feeds of anyone to which the user is connected. Thus, in addition to being populated by traditional Facebook activities — "likes," comments, wall posts, picture posts, and so on—Ticker will soon be filled with detailed information about users' media consumption and lifestyle habits—the TV shows they watch, the books they read, the websites they visit, and the routes they jog, most likely without users affirmatively setting their preferences to share such information.

Users have already reported problems caused by the new availability of personal information on Ticker.26 And once social apps enter the picture, Facebook users could unknowingly share information about nearly every aspect of their lives, ranging from the embarrassing but otherwise innocuous revelation of questionable music taste ("[u]sers unaware of their Ticker broadcasts will be upset, for some time, that Ticketmaster told the world they'll be attending Boyz II Men's reunion show")27 to the potentially dangerous revelation that one is consuming the "wrong" political or religious content ("Once you are on the WP Social Reader app, everything you read within the app will automatically be shared in the following ways....").28 Indeed, the Iranian government has a history of retaliating against those who engage in politicized Facebook activity. For example, one Iranian-American graduate student who was politically active on Facebook received a threatening email that read "we know your home address in Los Angeles," and directed the user to "stop spreading lies about Iran on Facebook."29

Wow! The government of Iran is using Facebook information to target political dissidents. Aren't they one of the founding members of the "Axis of Evil"?

More background can be found in another Electronic Privacy Information Center document, entitled Complaint, Request for Investigation, Injunction, and Other Relief In the Matter of Facebook, Inc. and the Facial Identification of Users from June 10, 2011 (pgs 5-7 of 34):

21. Facial recognition systems include computer-based biometric techniques that detect and
identify human faces.18


25. The Chinese government is currently building an elaborate network infrastructure to enable the identification of people in public spaces. The "All-Seeing Eye" relies on the massive deployment of facial recognition technology.21

26. According to documents obtained by EPIC under the Freedom of Information Act, the US Department of Homeland Security is pursuing a far-reaching program to automate the identification and tagging of individuals, both citizens and non-citizens, based upon their facial images.22

27. Among other programs, DHS is promoting face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere leading to the creation of new capabilities for government monitoring of individuals in public spaces.23

28. Facial recognition technology and its application for mass surveillance was described by Adm. John Poindexter, the architect of "Total Information Awareness."24


30. Social networking services have played a transformative role in several regions of the world, but governments also seek access to images of political organizers to obtain actual identities and to enable investigation and prosecution.

31. In Iran, government agents have posted pictures of political activists online and used "crowd-sourcing" to identify individuals.25 There is also evidence that Iranian researchers are working on developing and improving facial recognition technology to identify political dissidents.26

32. Facebook currently grants government access to user information on merely a "good faith belief" that the disclosure is required by law or when it is necessary to protect Facebook from people it believes are violating its "Statement of Rights of Responsibilities."29

[In the original, footnotes numbered 27 and 28 are not found.]

So, it is not only the government of Iran. Information that is publicly available is being used by Communist China. And, assuming neither misconduct nor mistake on the part of Facebook executives and employees, the US government can arrive with a national security letter and have access to all this information about US citizens.

Of course, at the other end of the spectrum, a situation could develop where corruptible Facebook employees or executives might come to be working with rogue government agents, foreign powers and transnational organized crime. Possibilities include:

1) Your personal information, including biometric data, gets passed to cartels specializing in identity theft.

2) Foreign intelligence services target you for an espionage operation, because you work in a place of interest. For example, a job as mundane as that of a Facebook employee could be interesting, because of the information you can pass them on other people that they might recruit as spies.

3) Political leaders establish an "enemies" list; speak out against the policies of an administration, and you find yourself subject to enhanced searches at airports, you get an audit by the IRS, and your bank accounts get frozen because of some "mistake" that connects you to terrorism.

This is everything the Gestapo or the KGB ever wish they could have had, and more.

And, we haven't even looked at the extremely unlikely worst case scenario: where Facebook executives/employees are collaborating in activities they know to be illegal with politicians whose corruption they share.

No comments:

Post a Comment