Facebook's cookie monster is unstoppable

Interesting revelations invariably emerge when a high-profile entity is scrutinised, intensely and unforgivingly, by those who are convinced it's too good to be true. Case in point: Julia Gillard. The NBN. Miley Cyrus. And Facebook, of course, which this week was pulled into yet another privacy scandal that should surprise absolutely nobody – and offer yet another reason why CSOs should be very, very careful when it comes to use of social media within their company's four walls.

The nature of the issue, which involved Facebook being rather too enthusiastic in its use of cookies to track which sites users visit, was a perfect storm of functional misunderstanding paired with poor design on Facebook's part and the hysteria of a mass media that's never slow to jump onto the latest technology-compromises-personal security story.

Facebook knows this, which is why it rushed to respond and resolve the issue. Yet while Nik Cubrilovic's discovery raises real questions about privacy online, furious commentators arguing Facebook should delete all cookies when users log out and offering paranoid users tips for deleting all their cookies, are simply misinformed. The whole point of cookies is to create a stateful Internet in which Web sites can store information about users that stays around even after they have logged out, so it will be there the next time they come back. Deleting them when you log out would be like putting nametags on your child's school bag while he's at home, then removing the nametags when he goes to school.

The problem wasn't with cookies, although it quickly became a cookies scandal; the problem was that Facebook's design made no effort to check whether users were logged in before using cookies to track their activities. Log out of Facebook, the reasoning goes, and you should be able to visit the Justin Bieber fan page on Facebook without suffering the indignity of the site adding that information to its persistent profile of you.

Embarrassment aside, people hate to feel a particular site is tracking them online – particularly when so many people wrap themselves in the warm and cozy world that is Facebook and allow it to shape their entire Internet experience.

The thing is: the entire Internet has evolved this way. If you think half the Web sites you visit, the links you click in emails, and the Web searches you run aren't being tracked, collated and analysed by marketers eager to get their greasy hands into your wallet – well, you haven't been online very long at all. Indeed, Facebook's entire existence is due to its ability to profile its users and sell their information to advertisers; Web behemoths need to pay the rent, too.

Most end users accept this sort of information tit-for-tat as the price you pay for free access to a previously unimaginable world of information. But once they stop considering the implications of their actions, the implications for the CSO are more significant indeed – especially since, as it was put so clearly this week at a VMinformer business security roundtable, businesses suffer from a "culture of trust" in social media that's opening them up to all sorts of potential nastiness.

VMinformer CTO John Reeman blamed the huge popularity of sites like Facebook, the trust they engender among users, and their poor and inherently insecure coding for the privacy travesties unleashed on the Internet world. And while Facebook's denials and rapid response suggest the issue might have been bad coding rather than some grand scheme to expose your Bieberness unless you click on a certain number of targeted advertisements, the current furore fuels greater concerns that the ubiquity of social media is providing dangerous shortcuts around corporate security controls.

Even consumer-focused features such as automatic face tagging in photos can become security issues by automatically identifying and linking groups of people, or picking up staff members whose names and affiliations might normally not be public information. If your CEO is photographed lunching with the CEO of a smaller company while discussing takeover terms, for example, the implications are significant.

The role of human error in compromising corporate security is nothing new, but the ease with which peoples' lack of security nous can potentially expose a corporate network to social media's dark side, is. For executive boards that are held by some to be "too cocky" when it comes to security, the potential for security problems due to pedestrian reasons like Facebook is humbling indeed. Remember that these breaches don't necessarily have to involve malicious code, although they could; in many cases, they will simply be the product of a massively relaxed approach to online privacy that's inconsistent with the tight controls imposed to control the internal flow of information.

There are technological protections, of course, such as apps designed to protect users from malicious Facebook links. Yet whether Facebook's current ignominy was intentional or not, it has reinforced the ways that valuable and well-intentioned features like cookies can result in unintentional compromises of company data. If a script on Facebook or other social-media site were in fact tracking an employee's every move, for example, and they stayed logged in while navigating your internal network structure, they could easily reveal far too much information to all the wrong people.

These are the compromises inherent in the balancing act that is an unavoidable part of doing business online. But since Facebook is hardly going away, the key security imperative here is for CSOs to avoid falling into the same culture of trust as their users; only in this way can the privacy-compromising hordes be kept outside the gate.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

• Tweet