Facebook’s Instant Personalization: An Analysis of Fundamental Privacy Flaws

September 28, 2010 at 3:21 pm

Facebook has begun to accelerate the web-wide roll-out of the Instant Personalization program. The number of partner websites recently jumped from three to five, and a partnership with early stage venture firm YCombinator is set to greatly expand that number in the coming months.[1]

Instant Personalization allows a partner website to automatically learn the identity of a visitor (as well as some data about them) without any explicit user action, provided that the visitor is a logged-in Facebook user. It is probably the most privacy-intrusive change introduced by the company this year, and could lead to a profound change in how the web works and is perceived.

Facebook’s superficially reassuring line is that only data that is already public is shared with partner sites. Even ignoring the fact that it is hard for users to figure out exactly what data is public, and is only getting harder, I find the official explanation to be a red herring. In this article I will examine the various fundamental flaws of Instant Personalization.

1. Sneakiness. All the information transmitted via Instant Personalization is available via Facebook Connect; the sole purpose of Instant Personalization is to eliminate the element of user authorization from the process. Thus, I find the very raison d’être to be questionable. If a user declines to use Facebook Connect, perhaps they had a good reason for doing so. Think about a porn site — I don’t think I need to elaborate.

2. Identity. To me, what is much more worrisome than third parties getting your data is third parties getting your identity when you browse. The idea that a website knows who you are as soon as you land on it is inherently creepy because it violates users’ mental model of how the web works. The cumulative effect is worse — people are intensely uncomfortable when they feel they are being “followed around” as they browse the web.

From a technical perspective, an Instant Personalization partner could itself turn around and become an Instant Personalization provider, and so could any website that this partner provided Instant Personalization services for, ad infinitum. This is because any number of tracking devices (invisible iframes) can be nested within a page.

Implementation bugs on partner sites also have the effect of leaking your identity to other parties. In my ubercookies series, I documented a series of bugs that can be exploited by an arbitrary website to learn the visitor’s identity. All of these apply to Instant Personalization, i.e., if any one of the partner websites has such a bug, that can be exploited by an arbitrary attacker to instantly de-anonymize a visitor to his site. Security researcher theharmonyguy has a great post on cross-site scripting vulnerabilities on both Rotten Tomatoes and Scribd that compromise Instant Personalization in this fashion.[2]

3. Facebook gets your clickstream. Instant Personalization is a two way street: while the partner site gets access to the user’s identity, Facebook learns the URLs of the pages the user visits. In a world where Instant Personalization is widely deployed, Facebook will be able to monitor a large fraction, perhaps the majority, of clicks that you make around the web.

While troubling, this is not unprecedented: the Facebook like button constitutes a very similar privacy problem — Facebook sees you whenever you visit any page with the like button (or another social plugin) installed, even if you don’t click the like button.[3] Facebook bowed to pressure from privacy advocates and agreed to delete the logs from social plugins after 90 days; I would like to see the same policy applied to Instant Personalization logs as well.

4. Third parties could get your clickstream. Normally, an Instant Personalization partner can only see your clicks on their own site. However, think of an Instant Personalization partner whose product is a social widget or an analytics plugin that is intended to be installed on many client sites. From a technical perspective, loading a page or widget in an iframe is not fundamentally different from visiting the site directly. That means it is feasible for an Instant Personalization partner with a social widget to monitor your clicks — tied to your real identity, of course — on all sites with the widget installed.[4]

5. Lack of enforcement. So far I have described the lack of technological barriers to various types of misuse and abuse of Instant Personalization. However, Facebook contractually prohibits partners from misusing the data. The natural question is whether this is effective.

It is too early to tell yet, because there are currently only five partners. To predict how things will turn out once numerous startups — without the resources or incentive for security testing and privacy compliance — get on board, we can look to the track record of Facebook’s third party application platform. As you may recall, this has been rather poor, with enforcement of Terms of Service violations being haphazard at best.

Mitigation. In my opinion these flaws are inherent, and I don’t think Instant Personalization will turn out well from a security and privacy perspective. User expectations are not malleable, cross-site scripting bugs will always exist, there will soon be too many partner sites to monitor closely, and some of them will look for ways to push the boundaries of what they can do.

However, there are two things Facebook can do to mitigate the extent of the damage. The first is to make public both the technical specification and the Terms of Use of the Instant Personalization program, so that there can be some independent monitoring of bugs and policy violations. The second is to commit resources to ToS enforcement — Facebook needs to signal that their enforcement efforts have some teeth, and that there will be penalties for partners with buggy sites or noncompliant data use practices.

Footnotes.
[1] YCombinator-funded companies will get “priority access” to various Facebook technologies including “Facebook Credits, Instant Personalization and upcoming beta features”. Interestingly, Instant Personalization seems to be the feature that YCombinator is most interested in.

[2] Yelp.com was also found vulnerable to a cross-site scripting bug soon after Instant Personalization launch. This means the majority of partner sites — 3 out of 5 — have had vulnerabilities that compromise Instant Personalization.

[3] In Instant Personalization, Facebook and the partner site communicate invisibly in the background each time the user visits a page on the partner site; in this way the mechanism is different from social widgets.

[4] Large-scale clickstream data is prone to misuse in various ways: government coercion, hacking, or being purchased as part of bankruptcy settlements (especially when we’re talking about startups).

Thanks to Kevin Bankston for pointing me to Facebook’s log retention policy for social plugins.


6 Comments

  • 1. asdqwe  |  September 29, 2010 at 1:27 am

    3. Facebook gets your clickstream.

    It already gets your clickstream – every Facebook Connect box allows Facebook to know where you were (since the box has a key that Facebook can map to the owner of the site, iirc). So even if you don’t click connect, Facebook already gets your clickstream.

    Reply
    • 2. Arvind  |  September 29, 2010 at 1:32 am

      That’s true. However, most sites put the Facebook connect box in a ‘login’ page, or at least only on the home page. On the other hand, I presume Instant Personalization will be enabled on all or most pages.

      Social plugins are a bigger source of clickstream data (currently) than either Connect or Instant Personalization. As I mentioned in the article, Facebook getting your clickstream is not a new danger; I merely want to see them adhere to the same log retention policy for Instant Personalization as they do for social plugins.

      Reply
      • 3. danimal  |  October 4, 2010 at 3:41 pm

        Isn’t the same also true for the like button? Presumably FB could record every page you see with a like button (whilst you have a logged in FB session).

        Reply
        • 4. Arvind  |  October 4, 2010 at 5:23 pm

          That’s what I was talking about as well. The like button is one of the social plugins.

          Reply
  • 5. Wendy B  |  October 4, 2010 at 10:50 pm

    Previously when they launched this, they had a “How do I block individual sites in the instant personalization pilot program from accessing my public information my friends share?”
    I had to jump through many hoops to finally understand that I had to individually block each app to prevent information sharing.

    With the addition of the 2 new sites, I wanted to do the same, but I see now that the above FAQ option has been replaced with “How do I opt-out of viewing social plugins?
    No data is shared about you with the website when you see a social plugin on an external website. For information about what Facebook receives, see here.

    You can choose to use social plugins when you click the “Like” or “Recommend” button on a piece of content you want to share. These actions are similar to public comments or reviews you might write on a website and are shared back to your Facebook profile. You can choose who can see the things you like in your privacy settings. If you would not like to see what your friends recommend or have shared on a website, simply log out of Facebook.”

    So basically, unless I log out of FB, I no longer have an “opt out” option at all? Is that what I’m to understand?

    Reply
    • 6. Arvind  |  October 4, 2010 at 11:14 pm

      Wendy,

      Social plugins are different from Instant Personalization. You can opt out of Instant Personalization by going to Account → Privacy Settings → Applications and Websites (at the bottom) → Instant Personalization. This will prevent sharing information when you visit other websites. I don’t know whether this will prevent your friends from sharing your public data through Instant Personalization.

      Apologies for not discussing the opt-out procedure in the article. I left it out because it changes every once in a while.

      Reply



About 33bits.org

I'm an assistant professor of computer science at Princeton. I research (and teach) information privacy and security, and moonlight in technology policy.

This is a blog about my research on breaking data anonymization, and more broadly about information privacy, law and policy.
