A rash of security bugs seems to have hit Facebook within the last several weeks, while a lot of debate continues over changes the company has made to user privacy features. So what’s going on? Is Facebook coincidentally just falling apart, all of a sudden?
Most recently, the Wall Street Journal reported on a way that Facebook and other social networks have accidentally shared identifiable user data with third-party advertising networks. Earlier this week, a researcher spotted a way to do a cross-site request forgery; and recently, a less damaging problem emerged, in that users’ “Favorite Quotations” sections could be accessed by anyone, regardless of privacy settings, albeit only via the iPhone app.
Some bugs are new, due to the company’s many product launches and changes at the end of April. Bugs often come with new software, and so it’s no surprise to see that the number of bugs has gone up with the number of changes.
But Facebook’s processes may be hurting it here. While bugs can be minimized in product launches through rigorous testing, and while Facebook does try to spot security problems, it has historically optimized for launching products early and often. The company has had various security-related problems for years, yet overall it does not appear to have a measurably worse record than other big and fast-growing web properties — especially considering its larger size, faster growth, the inherent complexity of its service, and the massive amount of private data it holds.
There may be another reason why all these new bugs are popping up: People are looking for them more than ever. Facebook’s size alone makes it an attractive place for security analysts and reporters to closely examine. Because nearly 500 million people use the service, there’s a good chance that web users will want to read a story about private information like their instant messages suddenly becoming public.
Privacy issues also make Facebook more of a target — given how Facebook recently directed users to make more profile information public, it’s easier for people to conflate a purposeful change with an accidental security mistake (which we’ve seen starting to happen already). Perhaps the best example of this is Instant Personalization. Launched at f8, it lets a limited number of partner sites access “General Information” about users, including their profile photos and friend lists, without first asking for permission. Pandora lets you see songs that your friends like, for example.
That particular concept is controversial in and of itself. Some people don’t want Facebook sharing data without prior consent in this way, whether or not Facebook and its partners think it might be something they want. But Instant Personalization highlights how the issues of privacy and security mix together. A researcher spotted two bugs in Yelp’s implementation recently, ways for a malicious site to harvest users’ email addresses and other personal information. The result is that people who don’t understand how Instant Personalization is supposed to work while maintaining security instead get the impression that the feature is fundamentally flawed.
Facebook already has many security challenges, but now more experts are trying to find problems, and more journalists are viewing any error on Facebook’s part as just more evidence of its lack of concern for user privacy.
So far, none of the bugs have resulted in widespread damage to users — the damage is instead to Facebook’s reputation as a safe place to share information. Whether or not Facebook’s existing MO has been the best approach for its users, the only way for it to ensure that it will not have any more problems would be to stop changing its products.
But many rivals are building social products, and user behavior is constantly evolving. It cannot stand still.
The choice for Facebook, now, is to innovate while not having any security problems. That’s a paradox it will likely have to solve by forcing itself to slow down on product development while increasing security testing. This move opens it up more to competitors, but the alternative looks even riskier.