Blogger identifies privacy flaw in Facebook Places

The Facebook Places application has been accused of falling short when it comes to protecting its user's' locational privacy.

Information security blogger and assistant professor at the School of Information Studies at the University of Wisconsin, Michael Zimmer, claimed that Facebook Places falls short on privacy as non-authorised check-ins by friends are visible.

He claimed that Facebook has tried to do a better job addressing privacy with Places compared to some previous launches of new ‘features' within the site. However, Zimmer claimed to have uncovered a problem with Facebook's assertion that no one can be checked in to a location without their explicit permission".

He said: “While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be ‘checked-in' to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven't already authorised the service or these kinds of check-ins, you'll receive an email asking if you want to allow check-ins by friends.”

He said that his wife had been ‘checked in' despite not authorising use of the feature. If any of his friends looks at his Facebook feed, they will see the status update of his check-in at the store, with his wife's name there. Her name also appears with his check-in on the location's page which is automatically generated by the places service.

He said: “So, where does this leave us? My wife has not authorised me (or anyone) to check her into places. She doesn't use the service. In fact, she wasn't even at the liquor store at all. Yet I was able to tag her in my check-in, and all my friends now see her name linked with my check-in as if she was there. Granted, the check-in does not show up in her news feed, but it is there in mine, and I suspect if I had my privacy settings set to ‘everyone', then everyone would see my wife's name as being checked into the liquor store.

“My wife did not explicitly choose to become part of location sharing. She did not give any explicit permission to be associated with this location. Yet there her name is, and anyone viewing my feed can now associate her with being at this location. It is unknown whether this association between her name/account and this location is logged within Facebook's databanks, and thereby available to be shared with marketers, handed over to law enforcement, etc.”

He claimed that this is a serious problem, and called on Facebook to listen to its own rhetoric and make the necessary changes to protect user's locational privacy.

“I should not be allowed to tag someone in a check-in unless they've taken the positive step of authorising check-ins from friends. Locational privacy needs to be fully opt-in, not opt-out,” he said.

Kurt Opsahl, a senior staff attorney with the Electronic Frontier Foundation, said: “Places is Facebook's most significant product launch since the controversial introduction of Connections and Instant Personalisation. We had a number of constructive conversations with Facebook leading up to this launch, and appreciated the opportunity to provide feedback. Not everything resulted in changes, but overall it was a positive process.

“While the product is not perfect and could use some important changes, as noted above, the privacy settings and defaults represent a substantial improvement over those earlier launches.
However, the settings are only good if users understand them intuitively and use them effectively. As the product rolls out to millions of Facebook users, we will be looking closely at its implementation and effects on locational privacy.”

See original article on scmagazineus.com