Network News

X My Profile
View More Activity

Facebook, Google privacy 'breaches' that aren't

By Rob Pegoraro

Facebook and Google have been in the news for all the wrong reasons in recent weeks--the social network for the misuse of some users' data by applications they'd installed on their pages, the Web-services giant for collecting data from people's wireless networks.

Both of these episodes show we need to upgrade how we think about privacy online--starting with the vocabulary we use.

The Facebook and Google issues have both been called "breaches." But they're not. The information at stake in each case was already public by any meaningful definition. It would have remained public no matter how good or evil the two companies had been.

In Facebook's case, the data consisted of the basic parameters of each person's account: Their name, picture, gender and networks, all of which Facebook makes public to all of the 500-million-plus users on the site. Unless you change its default settings, that information is also visible to anybody on the Internet.

Facebook's own rules prohibit applications from using this data for their own purposes, and the Palo Alto, Calif., company has since cracked down on app developers and banned one data broker from doing business on the site. But if you're on Facebook, your basic identity is just as visible to everybody else on the site as before--in the same way the White Pages broadcast your identity to anybody who still gets the phone book.

(Disclaimer: Post Co. chairman Donald E. Graham may appreciate these words, as he sits on Facebook's board of directors. You may also see this item get promoted on Facebook by the Post, as the paper markets itself extensively on the site.)

In Google's case, the problem began with people leaving their wireless networks unencrypted. People have been neglecting to take this simple step since the arrival of consumer-grade WiFi routers, either because they're confused about its necessity (see the puzzled questions about it in this 2004 chat transcript) or the typically hideous configuration interfaces of most routers make it too difficult to do so.

For example, this summer, Wired noted that House Intelligence Committee member Rep. Jane Harman (D.-Calif.), chair of the House Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment, had left her District residence's wireless networks open.

But if your WiFi is open, anybody can read your traffic at will. That's why Google itself began encrypting the logins of Gmail users years ago, a measure that ensures an eavesdropper will pick up only useless gibberish.

The Google Street View engineers--who wanted to build a database of WiFi hotspots that Google's mobile services could use for location-finding purposes that would replace Skyhook Wireless's service--didn't show the same level of foresight as Gmail's developers. As Google explains it, they simply forgot to scrub the data collected by the Mountain View, Calif., firm's Street View cars of anything beyond a wireless network's name and hardware address.

That's a dumb mistake, and the company is right to pronounce itself "mortified" by its conduct. But if you think that your unsecured WiFi's privacy issues ended with Google's surrender, you are a fool. The people you need to worry about don't drive around neighborhoods in cars equipped with massive camera rigs on their roofs, and they won't apologize for eavesdropping because they'll be too busy logging into your accounts.

Don't get mad at Google in that scenario--save your anger for WiFi vendors who can't be bothered to make it easy and obvious to encrypt your network and for Web operators who don't encrypt your login by default.

I'm not saying that nobody has any privacy anymore or that I place unlimited trust in Facebook, Google and their ilk. I don't. But when Congress is considering possible legislation, we need to focus on actual problems.

A real privacy breach doesn't involve a remix or collection of data that's already out there for anybody to see. It exposes information that nobody else should know, in ways that lead to the loss of money or security or otherwise fairly earn the adjective "Orwellian." If you, like my wife, have ever received one of those letters from a credit bureau offering a year of free credit monitoring to make up for a leak of your financial data, you know what I'm talking about.

At the same time, information about ourselves is the currency we spend to get free services. We don't have to do that--you need not spend more than $50 a year to get an ad-free Web-mail service--but few of us bother, even if that earns us extra marketing attention later on. That's how things happen offline as well; we open credit-card accounts and join store membership programs and don't pretend to be surprised by the additional junk mail that shows up afterwards.

This is the business we have chosen, and we might as well get good at it.

There are decent odds that you just read a draft of Sunday's column. What arguments am I missing? Am I going too easy on the likes of Facebook and Google? Your chance to be my editor awaits in the comments.

(11/12/10, 5:04 p.m. Corrected Harman's job description.)

By Rob Pegoraro  | November 11, 2010; 9:45 AM ET
Categories:  Privacy, Security, The business we have chosen  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: CEA launches 'Tech Enthusiast' membership
Next: Newest Twitter annoyance: iTunes Ping updates?


I think you hit the nail on the head. People are tech-averse, and rightfully so in many cases, but if you want to drive a car on the highway, or fly a plane, you better know how to drive or fly first. The tech-averseness probably hurts you, or someone you know, every day in some way.

Since the tea party would not stand for a mandatory,national "tech education" plan, people need to pay attention and learn for their own sake.

If you adjust your Facebook settings, make sure your PC has the latest software updates, have an anti-virus program installed with up-to-date definitions, and pay attention, you might not do too bad.

But most people who are not geeks, don't want to go there. It's going to get worse before it gets better.

So far as those notices from your credit card company about a free year of monitoring because of a leak, I've had several notices, no real problems, but it's scary to think about the possibilities.

Finally, yes you are too easy on Facebook. Mandatory adjustments of the default security and account settings should either be the first thing that happens after you register, or the settings should be very restrictive by default, with no opt-out at all. Only opt-in.

Posted by: tojo45 | November 11, 2010 1:29 PM | Report abuse

Either you believe a person has a right to a measure of privacy, private life, or your don't.

Either you uphold the 4th Amendment, in all of its modern manifestations, which means it applies to Google, which coordinates it's information gathering activities with the NSA, or you don't uphold the Constitution.

Personally, the violations of law seem so common, so pervasive amongst the tech giants, guerrilla disinformation as a means of preserving one's privacy would seem a logical response.

If you say everything, you've said nothing.

Posted by: inojk | November 11, 2010 2:09 PM | Report abuse

There are decent odds that you just read a draft of Sunday's column. What arguments am I missing? Am I going too easy on the likes of Facebook and Google? Your chance to be my editor awaits in the comments.
The argument you are missing is that the Web has a bad case of never calibrated.

Fingerprints have never been calibrated either - there is no master list with names and phone numbers (oh how the advertisers would love to get their hands on that!). But fingerprints are useful as long as you remember that 9 points of comparison are different from 9 people with 1 point of comparison. A Google search will find all 9 offenders, um, sorry, potential buyers.

This is as offensive an idea as any eugenics ever was. The hazard of "Enumerating Badness" has long been known to people who design firewalls. What is not generally recognized is that commerce carries the same hazard, and always has - Business defines "Good" as high income and a Consumer defines "Good" as useful tools, but in essence both are designing their decisions around Enumerating Badness.

Posted by: gannon_dick | November 11, 2010 2:42 PM | Report abuse

Google performed a valuable public service by pointing out -- in its own "mortified" way -- how pervasive unsecured wireless networks are. The warXers already know and are hard at work exploiting them.

Google’s inadvertent interception of data from such unsecured networks, while regrettable as a matter of policy, is no more a violation of the Fourth Amendment than listening to your neighbors arguing in their front yard. If they were intent on covert spying, they would not have publicized the situation.

The main problem with Facebook, on the other hand, is (1) general technical incompetence, and (2) absence of a viable social networking alternative.

Posted by: 54Stratocaster | November 11, 2010 2:45 PM | Report abuse

Wow. Two interesting comments (and answers) from that 6 year old column:

Ashburn, Va.: I've started hearing about a new standard emerging called 802.16 or "Wi-Max". I understand this is an extremely large coverage version of wi-fi (something like 30 miles) and sounds very promising. How does this tie into my home wireless network (if at all) and if not, will this be something that might someday replace my cable modem and (hopefully) give us true broadband internet access in my car/cell phone, etc?

Rob Pegoraro: Yes, WiMax looks extremely promising. Unfortunately, it's not quite here yet--it's too soon to worry about buying hardware with an eye to WiMax compatibility. But if I could bet money on the future of Internet access, I'd put a fair amount of cash on the odds of this and other next-gen wireless technology seriously challenging cable and DSL.


South Riding, Va.: If WiFi is a standard that's become a generic service name, then what's the common name for the "wireless broadband" services such as EvDo?

Rob Pegoraro: Uh, wireless broadband? There really isn't a settled brand name for them, mainly because only two services worthy of the name exist.

end blockquote

WiMax is just now being rolled out locally (ClearWire) and there are now, what, 3 "broadband" class wireless systems?

Posted by: wiredog | November 12, 2010 8:04 AM | Report abuse

Let us not forget that we have choices. As a wise man once said, 'not to choose is to choose.'

People must understand what they are doing. We don't require people to have a certificate before becoming parents (though many think we should). Non-tech people get by doing their best. They certainly should not be outcasts because they don't want to take the time to learn tech. They will, however, pay the price by releasing personal information without knowing it.

Luckily, everyone has options. We all have access to free software like TrulyMail which will encrypt our email; like TOR which will encrypt our browsing; like TrueCrypt which will encrypt our hard drives.

Yes, some people won't take the time to learn the tools, and that is their choice. However, they will have only themselves to blame when their public information comes back to haunt them.

Posted by: Thomas25 | November 12, 2010 2:07 PM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.

characters remaining

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company