Facebook's cookie monster is unstoppable

The social networking site this week was pulled into yet another privacy scandal that should surprise absolutely nobody

Interesting revelations invariably emerge when a high-profile entity is scrutinised, intensely and unforgivingly, by those who are convinced it's too good to be true. Case in point: Julia Gillard. The NBN. Miley Cyrus. And Facebook, of course, which this week was pulled into yet another privacy scandal that should surprise absolutely nobody – and offer yet another reason why CSOs should be very, very careful when it comes to use of social media within their company's four walls.

The nature of the issue, which involved Facebook being rather too enthusiastic in its use of cookies to track which sites users visit, was a perfect storm of functional misunderstanding paired with poor design on Facebook's part and the hysteria of a mass media that's never slow to jump onto the latest technology-compromises-personal security story.

Facebook knows this, which is why it rushed to respond and resolve the issue. Yet while Nik Cubrilovic's discovery raises real questions about privacy online, furious commentators arguing Facebook should delete all cookies when users log out and offering paranoid users tips for deleting all their cookies, are simply misinformed. The whole point of cookies is to create a stateful Internet in which Web sites can store information about users that stays around even after they have logged out, so it will be there the next time they come back. Deleting them when you log out would be like putting nametags on your child's school bag while he's at home, then removing the nametags when he goes to school.

The problem wasn't with cookies, although it quickly became a cookies scandal; the problem was that Facebook's design made no effort to check whether users were logged in before using cookies to track their activities. Log out of Facebook, the reasoning goes, and you should be able to visit the Justin Bieber fan page on Facebook without suffering the indignity of the site adding that information to its persistent profile of you.

Embarrassment aside, people hate to feel a particular site is tracking them online – particularly when so many people wrap themselves in the warm and cozy world that is Facebook and allow it to shape their entire Internet experience.

The thing is: the entire Internet has evolved this way. If you think half the Web sites you visit, the links you click in emails, and the Web searches you run aren't being tracked, collated and analysed by marketers eager to get their greasy hands into your wallet – well, you haven't been online very long at all. Indeed, Facebook's entire existence is due to its ability to profile its users and sell their information to advertisers; Web behemoths need to pay the rent, too.

Most end users accept this sort of information tit-for-tat as the price you pay for free access to a previously unimaginable world of information. But once they stop considering the implications of their actions, the implications for the CSO are more significant indeed – especially since, as it was put so clearly this week at a VMinformer business security roundtable, businesses suffer from a "culture of trust" in social media that's opening them up to all sorts of potential nastiness.

VMinformer CTO John Reeman blamed the huge popularity of sites like Facebook, the trust they engender among users, and their poor and inherently insecure coding for the privacy travesties unleashed on the Internet world. And while Facebook's denials and rapid response suggest the issue might have been bad coding rather than some grand scheme to expose your Bieberness unless you click on a certain number of targeted advertisements, the current furore fuels greater concerns that the ubiquity of social media is providing dangerous shortcuts around corporate security controls.

Even consumer-focused features such as automatic face tagging in photos can become security issues by automatically identifying and linking groups of people, or picking up staff members whose names and affiliations might normally not be public information. If your CEO is photographed lunching with the CEO of a smaller company while discussing takeover terms, for example, the implications are significant.

The role of human error in compromising corporate security is nothing new, but the ease with which peoples' lack of security nous can potentially expose a corporate network to social media's dark side, is. For executive boards that are held by some to be "too cocky" when it comes to security, the potential for security problems due to pedestrian reasons like Facebook is humbling indeed. Remember that these breaches don't necessarily have to involve malicious code, although they could; in many cases, they will simply be the product of a massively relaxed approach to online privacy that's inconsistent with the tight controls imposed to control the internal flow of information.

There are technological protections, of course, such as apps designed to protect users from malicious Facebook links. Yet whether Facebook's current ignominy was intentional or not, it has reinforced the ways that valuable and well-intentioned features like cookies can result in unintentional compromises of company data. If a script on Facebook or other social-media site were in fact tracking an employee's every move, for example, and they stayed logged in while navigating your internal network structure, they could easily reveal far too much information to all the wrong people.

These are the compromises inherent in the balancing act that is an unavoidable part of doing business online. But since Facebook is hardly going away, the key security imperative here is for CSOs to avoid falling into the same culture of trust as their users; only in this way can the privacy-compromising hordes be kept outside the gate.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitysocial networkingsocial networking securitysocial mediaprivacyFacebook

More about etworkFacebookVMinformer

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place