Pages

Sunday, March 28, 2010

Why I Dislike Facebook and Foursquare

No, it has nothing to do with them starting with the letter F. In fact, there are two completely different reasons I am now hesitant to frequent both Facebook and Foursquare, but both have to do with the apparent incompetency of the companies to deal with their users in a secure manner. Security and privacy are some of the most important values to consider when creating an online social community. Furthermore, as you will see in this specific example, a site must use these in both the social and technical aspect. Anyway, let's start from the bottom. Why is Foursquare putting your life at risk?

Mainly because I hate to make false accusations, somebody please immediately tell me if this is wrong. But I am pretty sure that FourSquare does not use HTTPS. For those who do not know, HTTP stands for HyperText Tranfer Protocol Secure. It is essentially an encrypted session between you and the website, where the website and your browser can both verify each other's identities. This is important, because without an encrypted, secure connection, you as the user have no idea whether the website you are viewing in your browser actually is the website you are on. Meaning a cracker could have hacked in a replacement website somewhere between you and the website, or even just listened in and stole your password. In fact, it is this very danger that Google decided to make HTTPS in Gmail the default, and why Google, Facebook, and pretty much every other website on the Internet use HTTPS on their login pages. Just to summarize what this all means: when you register and log in to FourSquare, your username and password are being sent in plain text, visible to the world, across the Internet. Unfortunately, Wikipedia has done the same exact thing, except at least they have an alternative secure server that you can use.

While FourSquare and Wikipedia are examples of low-level privacy issues, Facebook has been screwing up lately too. Take Google for example: after the privacy nightmare of Buzz, developers worked endlessly for forty-eight hours to fix the issues, and chances are it will never happen again. Ironically, it was probably Facebook, the very company with privacy issues itself, that was putting pressure on Google to push Buzz out so fast, since Google wants to take on the social networking market before they lose the chance. Anyway, Facebook has had two issues in the past month or two. First is the default "Everybody" privacy option. Facebook recently set users' privacy settings on a default Everybody setting, meaning the entire world can see all of your data...unless you opt out. This is the exact same thing Google did with Buzz, and look what happened there. Facebook brags that 35% of users have already changed those settings, but do the math, and that means 325 million users have still not changed their settings. With almost a quarter of all eight-to-twelve year olds in the UK on Facebook, do you think all of those people really want everybody to see everything they do on Facebook? (By the way, for those math geeks, that's five percent of the entire world population.)

In addition to this blunder, rumors are spreading that Facebook is now looking to give your information away. Specifically, individual website contracted by Facebook will be able to detect that you have gone on Facebook and, without you even knowing, take all your information and pretty much use it for whatever they want. Most people barely want their bosses and coworkers to see what they do on Facebook, let alone the world. Even in my own high school, there are students who idiotically post pictures of themselves drinking and smoking online. Sure they should probably not be posting those photos, but does Facebook really have the right to give this away, simply by tricking users into agreeing to yet another privacy policy change? (Especially after their last attempt at a change in privacy policy, where they attempted to take control of all your data.)

Anyway, the moral of the story is that even for those people who could care less about privacy (even I do not care for privacy, as I really do not have much to hide), not respecting your customers' security cannot and is not good business practice. You will get nowhere without respecting your users, and with privacy being all the rage lately, it is the last thing you want to take away from your users. FourSquare, put some encryption up there, and Facebook, wake up, MySpace had millions of users too until they messed up, and you don't want to become a repeat.

7 comments:

  1. Thanks very much for your thoughts! :)

    ReplyDelete
  2. There are so many better reasons for people to want privacy than having a deep dark secret. See:
    http://www.danah.org/papers/talks/2010/SXSW2010.html
    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
    http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886

    ReplyDelete
  3. The lack of HTTPS on Foursquare is only an issue when you're dealing with unsecure wifi connections. Over a 3G, secure wifi, or hardline internet connection, the fact that it's not HTTPS is really moot. Yeah, in theory it could be an issue, but if you've got someone trying to intercept your network traffic, something tells me you'll have bigger problems than your Foursquare user info to worry about.

    ReplyDelete
  4. Man-in-the-middle attacks happen often enough for you to be worried about. If you traceroute your connection to FourSquare, there are about 10 or so different routers to pass through, sometimes in different states. Do you really want to risk your login data on that when the website can just use HTTPS and be over with it? (Especially since most users use the same password for every service they use, so compromising FourSquare means compromising every other website they use.)

    ReplyDelete
  5. Great info, very interesting. Thanks.

    ReplyDelete
  6. It is so easy to ignore HTTPS because most users would think that if there is a login page with username & password, then it must be safe.
    Even Gowalla does not have HTTPS at the moment.

    ReplyDelete
  7. True, and that is exactly why it is that much more dangerous.

    ReplyDelete