Accompanying the announcement that more than 150 million people are active on Facebook last week (and even more amazing, that half of them login daily) is a new series of security and legal issues surrounding its use. When exactly is your account compromised by a piece of software that may not be acting in your best interests? Or could it be something that is more sinister, or just human error?
Don’t you pine for those simple days when the line between software and malware was pretty easy to delineate? Consider these news items:
- Last week, Facebook sued the Brazilian site Power.com, claiming that its automated login process violated their terms of service. According to the LA Times, Power has agreed to use Facebook Connect, but the suit brings up all sorts of issues that aren’t so clear cut: is Power providing a service for its users, by consolidating several social networking logins? Or is it doing something that it shouldn’t, by storing these credentials? How is that different from any number of sites that allow me to cross-post messages to different video or blog sites?
- Last December, we saw the Koobface trojan that spreads through social network news feed messages, prompting users to download what they think is an update to the Adobe Flash player but is really malware.
- This was similar to a Brazilian-based attack that plagued Twitter last summer.
- Earlier last fall over in Russia, we saw email/SMS pitches for people to download a Java applet to their cell phones that was spread via the Russian social network Vkontakte. Once on their phones, the app would automatically text several premium numbers that would be charged back to the user.
The trouble is that as these attacks proliferate, it gets harder to differentiate them with legit situations where people are just making dumb mistakes. Consider the situation where a new social networking user doesn’t understand the very optional step when he or she signs up and is asked whether or not to send email invitations to their entire address book. In just a few seconds, a simple task of joining the network has turned into an annoying one sending out hundreds of unwanted emails. Sometimes this step isn’t explained well in the sign-up process, or sometimes people aren’t paying attention. Either way, it isn’t malevolent; it is just a stupid user error.
Or take instant messaging, which seems so quaint now that there are lots of other networks out there. Yes, there are malware programs that propagate through IM, and there are security products that protect IM networks too. But nothing can stop human stupidity in how these IM networks are used, particularly if you store your IM login credentials on a family computer that is shared by several people. One of my colleagues has been having IM conversations with the wrong people – some that have gone on for ten or 15 minutes, before he realized he was talking to the intended’s spouse or kids. Why anyone leave his or her IM account wide open in this way is hard to understand. But it points out that just because someone is signed into IM, doesn’t mean that they are there. Remember, on the Internet no one knows that your dog hasn’t logged instead of you.
Then there are sites like omgxd.com that use your login information for IM networks, supposedly to make it easier to connect but in reality spam all of your contacts on your buddy list. Heyxd.com is another one. I have tried to find out whether these two sites are legit or have some sinister purpose. I can’t really tell, but I would recommend steering clear of both of them.
So the next time you get an email or IM or text message asking you to download a greeting card, update your Flash player, or do something else, take a moment to stop and think whether this is a request that you should just hit the delete key and move on. You don’t need to be the latest victim of a new social networking disease.
One reader writes:
I submit that this is not mere user error. I suspect that the promoters of the social networks with this sign-on process expect (and hope) that newbies will naively click YES and send the annoying message to all the people in their address books. The better to hook in a bunch more people. They don’t call it viral marketing for nothing, after all. If the social network designers did not want this side effect of new-user naïveté or inattention, they would clarify the step or eliminate it because it is so often mistakenly used. I nearly fell for it myself once in the last six months, mostly because I couldn’t believe that the friend who “invited” me could have fallen for something so stupid. Her name on the invitation lulled me into a fall sense of security. That’s what the marketing folks count on…it’s just this side of spam, IMHO. No, it’s that side of spam, but it looks as if it’s not because it arrives in your mailbox with a friend’s name in the return address.