Begin forwarded message:
From: Eugen Leitl <eu...@leitl.org>
Date: September 10, 2009 5:49:20 AM GMT-04:00
To: cypherpu...@al-qaeda.net, i...@postbiota.org
Subject: Privacy Plug-In Fakes out Facebook
http://www.technologyreview.com/printer_friendly_article.aspx?id=23405&channel=web&section=
Wednesday, September 09, 2009
Privacy Plug-In Fakes out Facebook
FaceCloak lets users hide sensitive updates from prying eyes, including Facebook's.
By Robert Lemos
Social networks are rife with examples of users failing to understand the privacy implications of posting sensitive information online.
In February, for example, school officials in Wisconsin suspended a teacher who posted on Facebook a picture of herself pointing a gun at the camera. In April, the Swiss insurance company Nationale Suisse fired an employee after she called in sick and then posted updates on the same site. Others have raised concerns about users handing so much personal information to social-networking companies themselves.
Now, researchers at the University of Waterloo in Ontario have developed a browser plug-in to help users keep their information private from prying eyes and from social-network providers as well. Urs Hengartner, an assistant professor of computer science, and his colleagues say the plug-in replaces sensitive information in a user's profile and news feed with meaningless text that can only be unscrambled by trusted friends or contacts. Dubbed FaceCloak, the tool assures its users that sensitive data stays private, Hengartner says. "If you have a particular illness, you might want to allow only your friends to see that," he says. "This leaves it up to the user to decide what information to keep away from Facebook."
The tool is the latest shot in a battle between social networks and privacy-conscious users. Most users of Facebook, MySpace, and other social networks remain unaware of the privacy implications of posting personal information to such sites, says Alessandro Acquisti, an associate professor of information systems and public policy at Carnegie Mellon University.
In 2005, Acquisti and fellow CMU researcher Ralph Gross showed that nearly 80 percent of Facebook users revealed their birthday publicly and the majority provided public access to their real-world addresses--information that could be used to commit identity theft. "You feel like you are talking to a friend casually in a conversation, but in reality you are publicizing information in a forum where it will stay for a long time," Acquisti says. "Privacy is not the first thing you think of when you use a social network."
Nowadays more people appear to be privacy conscious. In a more recent study, Acquisti's group found that 30 to 40 percent of users change the default privacy settings to take greater control of their information. But social networks themselves have not been good protectors of privacy, Acquisti says, because monetizing personal information is a potential gold mine. This is demonstrated by Facebook's Beacon advertising service, which allows affiliates to tailor advertising according to users' activities on Facebook and beyond.
FaceCloak, implemented as a plug-in for Mozilla's Firefox browser, allows a user to designate--using two "at" signs ("@@"), by default--what information should be encrypted and only made available to friends. A FaceCloak user holds a secret access key but also sends two other keys to her friends. Those keys are then used to access the real information, which is held on a separate server. While the same concept could be used on other social networks--such as Twitter and MySpace--Hengartner and his colleagues focused on the largest provider.
Similar tools are being developed by other academic teams to address the privacy issues plaguing social networks. A group of researchers from Cornell University created another Firefox plug-in, called None of Your Business (NOYB), that encrypts profile information so that it can only be read by a small group of friends. And two researchers from the University of Illinois at Urbana-Champaign have developed a Facebook application called flyByNight that encrypts users' data.
Unlike those projects, however, FaceCloak works with any number of contacts and does not rely on the cooperation of the social-network provider. The University of Waterloo researchers attempt to hide which users are encrypting their data with FaceCloak by replacing the hidden data with arbitrary text taken from sources on the Internet. "Users who submit encrypted information stand out, both to Facebook and to other users who can see the profiles, and therefore might raise suspicion," Hengartner says. "By using fake information, we can avoid this problem."
There are still some major issues, however. Images are not yet supported by FaceCloak and the third-party hosting server used could potentially be compromised. Moreover, a FaceCloak user still has to be careful, Hengartner says. "The same problem arises in real life," he says. "When you tell a friend some personal information about you, you need to trust your friend to deal with this information responsibly. If she misbehaves, you can't erase the information from her brain."
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
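
An added sketch, not FaceCloak's code and not part of the forwarded article, of the flow the article describes: a field marked "@@" is posted to the social network as fake text, while the real text is stored encrypted on a separate server and recovered by friends holding the shared keys. The key names, the HMAC-derived lookup index, the publish/view helpers and the toy stream cipher (a stand-in for a real authenticated cipher) are assumptions; the article gives none of these details.

```python
import hashlib
import hmac
import os

MARK = "@@"  # default marker from the article; everything else here is assumed

def _sub(key, label):
    # Separate encryption and MAC subkeys derived from one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream, standing in for a real AEAD cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(enc_key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(enc_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_sub(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("stored blob was modified")
    return _xor_stream(_sub(enc_key, b"enc"), nonce, ct)

def index_for(index_key, field, fake):
    # The storage server is given only this keyed hash as the lookup key.
    return hmac.new(index_key, f"{field}\0{fake}".encode(), hashlib.sha256).hexdigest()

def publish(field, value, fake, keys, store):
    """Return the text sent to the social network; real text goes to `store`."""
    if not value.startswith(MARK):
        return value  # unmarked fields are posted unchanged
    secret = value[len(MARK):].encode()
    store[index_for(keys["index"], field, fake)] = seal(keys["enc"], secret)
    return fake

def view(field, shown, keys, store):
    """Text a reader sees: the real value with the shared keys, else `shown`."""
    if keys is None:
        return shown
    blob = store.get(index_for(keys["index"], field, shown))
    return unseal(keys["enc"], blob).decode() if blob else shown
```

The tag check speaks to the compromised-server caveat in the article only in part: a modified blob is rejected, but a server that deletes or withholds blobs simply leaves readers seeing the fake text.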