Group 1:

Group
Team Anything Will Do

Members
David Krauss, Muna Haji, Sarah Wong, Kellen Eyre

Initial Research Statement
Our project deals with the issue of security on Facebook and will answer the vital question, "How secure is your personal information on Facebook?" We will offer background information on the development of Facebook and then discuss the basic features of Facebook, what improvements can be made to those features to better protect users, how intruders can access your personal information, and the possibility of online identity theft.

Introduction


Launched in February 2004, Facebook has become a global phenomenon. Revolutionizing social interaction on the internet, Facebook has today garnered a population of over 120 million members globally, and reportedly grows each day by 100,000 people.[1] Despite the advantages Facebook has brought to communication and social interaction, it has also exacerbated and added to issues of internet privacy. Thousands are affected by identity theft every year, and the boom in social internet sites has made it easier than ever for fraudsters to gather information on people on the other side of the world. The online identity theft industry is continually growing in worth, and hackers are likewise becoming more aggressive in their pursuit of people's personal and credit information. However, despite this rapid rise in online identity theft, recent surveys have found that many people are still giving out valuable personal information freely.[2] With Facebook's rise in prominence, the number of fraud cases related to the site has naturally also risen, with numerous examples evident in the last few years.[3] So with attacks on Facebook on the rise, how do we know that personal information is only accessed by those permitted to see it? What are Facebook’s privacy settings? How can these settings be improved to ensure users' information remains secure? And what happens if your information is stolen?

What Are The Current Privacy Settings on Facebook?


From its launch in 2004, Facebook has been built around the core principles of allowing users to have control over their personal information, and allowing users access to the information others want to share.[4] It places great priority on managing and controlling access to private information while maintaining ease of use for users and accepted visitors. While these principles are noble, how exactly are they upheld through Facebook’s built-in privacy settings? Facebook’s privacy settings are built around 4 main components:


 * 1) Controlling who can see the user's profile.
 * 2) Who can search for the user.
 * 3) What news feeds are published about the user.
 * 4) What information is available to the applications the user uses.

Profile
Facebook’s central privacy pillar is the Friends feature. By deciding who can be classified as a Friend, the user has control over who can visit his/her profile page.

However, other settings for the access of information can also be set from the Privacy Settings page. From this page in the privacy settings the user can change the access allowed to visitors to their profile page. This includes all personal and work related information, including pictures, wall posts, and friends. The user can select from a list including Friends, Friends of Friends, or My Network & Friends.

Recommended – For the user’s profile, experts recommend limiting access to your profile to only your Friends. This is because Networks normally have thousands of people, so allowing access to My Network & Friends automatically leaves you vulnerable to many potential identity thieves.[5]

Search
In this section of the privacy settings, the user can set who can find them through search, and alter what information people can see about them from the search section.

Recommended – For user search, experts recommend that you disable many of the features. By responding to non-friends who message and poke you, you allow them to view your profile page for a limited time, yet time enough for an identity thief to steal personal information. They also recommend caution about enabling non-friends to view your profile picture. Users should only enable this feature if they are unconcerned about the nature of the picture and it would not negatively affect the user’s employment.[5]

News Feeds
The user can select, in this section, what actions are reported in friends’ news feeds and wall.

Recommended – Generally, experts recommend that users should restrict this feature completely unless the user specifically wants their friends to view the latest news about themselves. [5]

Applications
From this part of the privacy settings the user can select what information they want to be allowed to be seen by friends through their Applications.

Recommended – Users should exercise caution with the applications they add as personal information can be used by these applications. It is recommended that users also restrict the applications to only show information/photos to Friends Only.[5]

Friends
Within all the subtopics, you have the option to choose who can see your information. You can choose which of your friends are able to see parts of your profile: only your friends, friends of friends, or some friends, in which case you pick which friends are able to view your information. To keep yourself as safe as possible, all settings should be set to only friends or even, where applicable, to only yourself being able to view the information. On the main Privacy page, you can also block someone. Doing so will break all Facebook ties you have with that person at the time they are blocked. They will also not be able to find you by doing a search, and they won’t be able to see your profile or interact with you in any way through any Facebook channels[11]. This is an important improvement because you can block someone from being able to have any interactions with you if their account has potentially been hacked, or for various other circumstances.

Networks
You can also choose which of your network(s) can see your information: all your networks, some of your networks, or none of your networks. If your network is a school-related one, you can then choose which of the people within that network are able to view your profile, for example, undergrads, grads, faculty, alumni or staff. The network options for who sees your information were added in response to news reports that joining a network opens up your profile and information to all the users within that network, even though many of them are not directly your friends or even friends of friends[12].

Profile
You can improve your privacy by changing your settings to either Only Me or Only Friends. If you have friends that you think may have had their profiles compromised in any way, you have the option within many of the subtopics to block a friend from being able to view the information that you put into your profile. There is also an option to choose the friends you would like to share certain pictures, videos, etc. with.

Search
It is Facebook’s policy that your friends will always be able to find you[13]. This is the most private setting within this section. This seems reasonable, as you shouldn't accept anyone as a friend that you do not know. However, you should be able to block a friend from being able to search for you if you suspect that their account has been hacked. (Note: Not too sure whether blocking a friend within the profile section affects this part.) Once someone has searched for you, you have control over which parts of your profile are visible to that person. The checkboxes are your profile picture, friend list, links to add you as a friend, a link to send you a message, and pages you are a fan of[13]. You can also decide if you want to be searchable from outside of Facebook. Facebook has a policy in effect that minors cannot have their own public search listing[13], which protects them from being visible to various online predators. Facebook could ensure that no minors can be searched if it required all who sign up and are over the age of 18 to provide proof of age, much like online alcohol-sponsored contests. If a person cannot provide proof of age, even if they are over the age of 18, their profile should be restricted until proof of age is verified. This would add another layer of security for Facebook.

News Feeds
The third main topic is your ability to control what actions within your news feed and wall are visible to people. You have the option to set which actions are visible to your friends relating to removing profile information, writing on a friend's wall, comments on notes, photos, videos and posted items, posts on discussion boards, adding friends, relationship status, and leaving a network[14]. You can change these settings by clicking on the checkboxes beside each of the options. Whether people are able to see stories in chat mode or the times of things you do can be changed by clicking the respective checkboxes. You may also select the applications that have stories published on the right-hand side of the screen. To ensure the greatest amount of privacy, you can deselect all the checkboxes so that nobody knows what kinds of things you observe or whose walls you write on directly. The Social Ads tab in this section controls whether you want to be linked to advertisements that are paired with relevant social actions from a user's friends to create Social Ads[15]. You have control over whether or not you want to be linked by selecting your choice from the dropdown menu. You can improve your privacy by choosing not to be linked to the Social Ads; this will restrict the amount of third-party interaction that your account is susceptible to.

Applications
The settings tab of the Applications section controls what other users see via the Facebook platform. This controls which information is accessible to your friends through the applications they use[16]. There are numerous checkboxes within this section to control what kinds of information are available. On this page, you can also restrict and block applications, and restrict which of your friends are able to send you application invites.

How Do Intruders Access Your Personal Information?
Unwanted people can access your personal information in many different ways without you realizing it.



Applications
When you add one of the various applications available on Facebook, you grant the developers (companies and individuals) access to your personal information. That is because, before the user is allowed to use a particular application, the application requires the user to agree to a set of terms. Agreeing to these terms permits the application to know who you are and to access private information.

The information developers can obtain includes: ". . . your name, your profile picture, your birthday, your hometown location, your current location, your political views, your activities, your interests, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, copies of photos in your Facebook Site photo albums, and a list of user IDs mapped to your Facebook friends." [31]

As well, hackers have the ability to infiltrate and misuse the information the developers have gathered. Currently, it is known that one can compromise three popular Facebook applications (Moods, Superwall, and Free Gifts).

Beacon
The Facebook Beacon is a marketing initiative that allows websites and companies to promote their products through ads that appear on profiles. While it is considered an application, it differs from the rest in that this 'add-on' is automatically part of your Facebook account, and you cannot fully remove Beacon or your participation in it.

Unauthorized access to your personal information is a big reason why Beacon is so useful to websites and companies. That is because it tracks the user's activities on more than 40 websites other than Facebook to see the effect their ads have on the users. Also, these off-Facebook activities can then be reported to your Facebook friends. The activities that can be broadcast include purchasing an item, adding an item to your wish list, and signing up for a service. It is clear from the above description that an invasion of your private information is key for this marketing initiative to function well.



Data Mining
Facebook has been used as a means of data mining in the past. In 2005, two MIT students were able to download around 70 000 Facebook profiles from four different schools using an automated shell script. As well, in 2008, BBC's technology program was able to prove that the personal information of Facebook users and their friends could be stolen by submitting a data mining program into an application.

What Happens If Your Personal Info Is Stolen?
Identity theft is a huge business, with many ID thieves using social networks to steal personal information [24]. On Facebook, 10 percent of users display their address, 25 percent give out their job titles, and 60 percent indicate their full birthday [24]. This kind of information makes it easier for criminals to access various other things. Personal information such as your birthday, name, or address can allow others to open up or access credit card accounts, create a new cell phone service, rent cars, or stay in hotels at your expense [27]. The result of identity theft would be bad credit, debt, and possible charges [27].

Online Identity Theft
Facebook makes it possible for hackers to easily access your online accounts. By making your personal information viewable, it is easier for theft to occur. At the University of Tennessee, a student was arrested for identity theft through the use of Facebook [3]. Joseph Baker was able to purchase 3 iPod players for $1,146 using another student's credit card [3]. Baker found the victim's birthday on Facebook and used it to alter her password to buy the three music players [3]. Also, hackers use this information to obtain government documents such as driver's licenses and Social Insurance Numbers (SIN) [30]. The newest method of identity theft is medical identity theft. This is where identity thieves use personal information to create new documents with which they can impersonate others in order to obtain medical benefits [30].



Credit Card Fraud


Social networking can be used to obtain your personal information. Criminals then go and create new credit card accounts in your name and have the credit card sent to their address [29]. This type of credit card fraud is called Fraudulent Use of Account, and it made up 4% of all credit card frauds in Canada [28]. Even though this is a small number, the percentage increases every year. In 2007, around 12,170,208 dollars was stolen by the use of personal information [28].

As more people provide their addresses, phone numbers, job titles, and birthdays on social networks, identity thieves can easily access this data and use it to their advantage. Also, phony identification has been used to obtain government assistance, personal loans, unemployment insurance benefits and for other schemes victimizing governments, individuals, and corporate bodies [28]. Since the identity thief wrote his own address when he applied for the credit card, he can make a lot of purchases, but the victim will never receive the bill. Therefore, the victim will not be notified about the charges on these accounts. The victim, however, may discover that fraud has occurred when a collector pays them a visit, when they are denied a loan, or if they pull their credit report and discover these activities [29]. By then, it may be too late, and the victim will have to face many hassles such as charges and clearing their name.

Conclusion
Though Facebook is a hugely popular social networking website with many attractive features, its security concerns remain a major issue. Third parties are easily able to access the personal information of users through many different loopholes in the system, especially through applications, without agreement from the users. As well, identity theft and credit card fraud through Facebook have been a common occurrence since its launch. Facebook has not fully solved these issues yet, and thus the security of Facebook is lacking and the personal information of users is not very secure.