Skip to main content
June 27, 2013

Patching The Ethical Bypass Flaw

eithics-information-securityIn the weeks since journalist Glen Greenwald at The Guardian first wrote about PRISM, the world has learned more and more concerning details of the program – how widespread was the data collection; how guidelines were written to allow communications and Internet activity to be tracked and stored when any doubt existed as to the location or nationality of those being spied on.

As I see it, though, the hubbub over PRISM only serves to obscure the more widespread surveillance of Americans - and citizens of every nation- by private firms. The extent of that kind of lawful activity was brought into sharp contrast this week by the security firm Packet Storm Security, who highlighted Facebook’s habit of assembling online dossiers of contact information on users and non-users alike, using data from contacts freely submitted by users.

Posts on the Packet Storm blog disclosed the problem as well as a bug in Facebook’s Download Your Information (DYI) feature that allowed users to harvest this “ghost account” data. As Packet Storm explained, the bug gave identity thieves, hackers or run of the mill obsessive stalkers a potentially powerful tool for uncovering non-public information on any of the billion-plus, Facebook users, or anyone in their network of personal and professional contacts. Users who submitted a contact to Facebook with a publicly listed work e-mail and telephone could, through the magic of DYI, get back a flushed out contact containing that information, plus private e-mail, cell phone and even address information, all gleaned from other contacts submitted by other Facebook users.

In the wake of the revelation, Facebook repaired the flaw and said it was “embarrassed” by the mistake. However, the company was more circumspect about the practice of collecting personal and, in many cases, non-public data on members and non-members alike. While the company has promised to regulators that it will not use the “ghost account” data to target non-members with advertisements, it demurred when asked directly by Packet Storm whether it would delete the data altogether, or give users the option of saying which of their information they want to be allowed to be accessed by Facebook or its massive user base.

To be clear: there’s nothing illegal about what Facebook is doing. And there are technical reasons why the company might want to collate contact information that its users willingly provide. But there are almost certainly ethical issues at play here that transcend the merely legal question of whether Facebook has a right to collect and store this data.

Specifically: as citizens around the world come to rely more on technology to perform even the most quotidian of tasks, the issue of data ownership and privacy come to the fore.

We see this in the U.S. Congress, where Representatives Mike Capuano (D-MA) and Jim Sensenbrenner (R-WI) recently filed the "Black Box Privacy Protection Act" to give vehicle owners more control over the information collected through a car or motorcycle electronic data recorders (EDRs). The legislation would establish, for the first time, that data generated by an automobile belongs to the owner of that vehicle – a principle that car manufacturers currently do no recognize. The Black Box Protection Act would require manufacturers to notify consumers if an EDR is installed in their vehicle, to disclose its data collection capabilities, and provide information on how data collected may be used.

Similarly, six countries including Canada, Australia, New Zealand, Mexico, Israel, and Switzerland have joined the EU in questioning Google over the privacy implications for its Google Glass product, which has features that can easily record everything you see without notifying them of the act.

As Facebook’s “ghost accounts” illustrate, the problem of data privacy becomes infinitely complicated when the technology in question is also coupled to cloud based resources and The Internet. What is Facebook doing, after all, but compiling small bits of information shared – separately – with billions of individuals. The problem is that, when you compile all those billions of pieces of information you end up knowing almost everything about everybody. And it's important to remember that some of these ghost accounts (specifically the non-Facebook users) are individuals who ostensibly don’t want Facebook to know anything about them. What was their crime? Making the acquaintance of someone who was a Facebook user, or the friend of a Facebook user?

Eric Bruno, a blogger over at Dr. Dobbs, makes a very similar argument in a blog post this week. Writing about the emergent “Internet of Things” (IoT) in which even the most basic appliances and devices will carry an IP address and networking stack, Bruno observes that the IoT poses immediate trade-offs that enterprises and individuals haven’t yet figured out how to handle: quality of life versus individual privacy and anonymity; new conveniences versus their “unanticipated side effects,” and new economic models versus personal security risks.

But tough new privacy protections may not be enough to settle these issues. “Potentially the largest risk to consumers in the IoT is ethics,” he writes. “Even after security and privacy measures as built-in, there's a level of trust that users give outside entities. How this data is used may be secure, legal, and otherwise reasonable, but potentially unethical.”

So it looks like even with changes to privacy- and data protection laws we might be left short – in need of an ethical patch for the kinds of ubiquitous data harvesting and analysis that currently goes on almost unchecked. And that may be hard to pull off.

Related Content

Paul Roberts is an experienced technology writer and editor that has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe,, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.