How cybercrooks could cash in on your Facebook data

The gargantuan amount of high-quality user data on Facebook is causing everyone–from marketers to hackers–to salivate like dogs gazing at a steak. They all want a piece of you.

Thanks to Facebook’s Open Graph API (which simplifies the development of third-party applications that interoperate with the social networking site) and social plug-ins (which essentially splash Facebook’s “Like” button all over the Internet), people who are interested in your data are getting a chance at a much choicer cut of it.

Additionally, Facebook’s Instant Personalization Pilot Program, which the social network introduced this spring, was the wake-up call for many users who had been ignoring the concerns of privacy watchdogs. In response, Facebook updated its privacy settings in late May, to some praise–and confusion.

Read on to see who’s getting a look at what you do on Facebook. You’re sharing more than you think–and you might be surprised at what your data is worth.

Facebook Itself

It goes without saying that Facebook has unrestricted access to everything you do relating to its site, and its growing collection of profile data, preferences, and connections is prompting some experts to estimate the value of the site beyond the GDP of some countries.

For instance, a Mashable article reported that SharesPost, a marketplace for shares in privately owned companies, suggested an $11.5 billion value for Facebook, versus a $1.4 billion value for Twitter and a $1.3 billion value for LinkedIn.

“You’ve filled out the biggest survey in the world for Facebook, and you didn’t even know it,” says Cappy Popp, founder and principal of Thought Labs, whose Doorbell application is one of the top 100 most-used apps on Facebook. “You can’t put a price on it because there’s never been anything like it,” Popp says of the user data that Facebook could accumulate over the next few years.

Everyone Else

If you don’t choose your permissions correctly, your Facebook status updates may be available for the world to see.

A quick look through the Website Openbook, which allows users to search for embarrassing Facebook status updates that anyone can view, shows the volume of people whose accounts are set to broadcast […] health benefits reinstated by her employer’s insurance company. The Canadian woman was being treated for depression, but Manulife Financial questioned her health claim after seeing Facebook photos of Blanchard enjoying herself at a party and on the beach.

Facebook’s Instant Personalization Partners

Use of Facebook's Instant Personalization can allow you to see what artists your Facebook friends are enjoying.

One day in April, registered users of Pandora and Facebook launched their favorite online radio station on Pandora’s site and discovered that they could now see which of their Facebook friends liked the artists and songs they were hearing.

For that to happen, the users either purposely or accidentally passed by the opt-out bar for Facebook’s Instant Personalization Pilot Program, for which Pandora, Yelp, and Microsoft were launch partners. The same thing happened to readers of MSNBC, who were surprised to find information on stories recommended by their Facebook friends pop up on the news Website.

Instant Personalization allows selected Facebook partner Websites to access your data and tailor content to your tastes. With Instant Personalization activated, your Facebook information is available for access the moment you arrive on partner sites. When the program launched in April, Facebook automatically activated it for all users. However, a privacy uproar forced the company to revise its policy, and Instant Personalization is now optional for users.

“A number of people have reported to me that this feels a little weird to them,” says Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, about Pandora’s Instant Personalization implementation. Pandora declined to be interviewed for this story.

How Instant Personalization Works

The implications of Instant Personalization are more serious than your discovering your boss’s love for ’80s boy bands. Partner sites can work with Facebook to learn a whole lot more about you than what you may have told them directly.

According to Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation, the Instant Personalization partner sites use JavaScript code and Ajax calls to get personally identifying information about you from Facebook. So if you already had an account on the Instant Personalization partner site, that site can now see your Facebook information and your existing account information at the same time.

“[The Facebook partner sites] would see the usual cookie that they set in your browser, and the one that Facebook’s API constructs using Ajax, simultaneously,” says Eckersley. “The design of the Facebook API clearly anticipates that the Website will do this.”

Application Developers

Zynga's FarmVille is one of Facebook's most popular applications.

Facebook applications are fun. According to All Facebook, which calls itself the “Unofficial Facebook Resource,” the site’s Facebook Application Leaderboard of applications with the highest monthly users shows that a variety of games–including Zynga’s FarmVille, Texas HoldEm Poker, and Café World–make up more than half of the top 20 applications.
However, fun comes at the cost of privacy.

Once you accept an application on Facebook, it gets an all-access pass to your profile data. The application runs through an iframe (inline frame), a widely used HTML element that lets a site embed its content onto Facebook’s site.

As a result, you’re sending data directly to the third-party application’s servers. Previously that server was required to refresh its Facebook data every 24 hours, but as of the April F8 conference, Facebook did away with that requirement. As a result, the outside parties can store user data for longer periods before refreshing it.

“You’ve authorized that application to do whatever it wants to do,” says Thought Labs’ Popp.

Use these settings in Facebook to control what information you share with others.

And even if you don’t use Facebook applications, your friends do.

Unless you’ve gone into the ‘info accessible through your friends’ portion of Facebook’s Applications, Games, and Websites privacy settings, your friends are taking your profile information with them on their farming and gambling adventures–without your knowledge, but in most cases with your tacit consent.

Game applications are big business. For instance, FarmVille maker Zynga is reportedly valued at as much as $4 billion. Plus, Facebook just revamped its Insights dashboard, which page owners and application developers can use to obtain data and graphic visualizations about social plug-ins and integrated site content to better understand their return on investment for using Facebook.

Hackers and Worms

Right now it’s hard to know the worth of user data shared through Facebook’s Instant Personalization since the program is so new, but in the wrong hands such information could represent a large chunk of change.
A May article on TechCrunch reported a proof-of-concept exploit on Yelp that took advantage of cross-site scripting to grab Facebook addresses and other information. The exploit’s author was a security consultant looking to prove a point. Yelp, which declined to be interviewed for this story, patched the vulnerability. No user data was stolen.

But other, genuine security threats are thriving on Facebook. The Koobface worm has been lurking on Facebook since 2008, growing more sophisticated with its ability to create an account, friend strangers, and join groups.

And on Memorial Day weekend, hundreds of thousands of Facebook users encountered a clickjacking worm that duped them into “liking” pages that led to the installation of malware for perpetuating the worm’s spread.

“The biggest danger that I can see is that they get your log-in credentials,” says Beth Jones, senior threat researcher at Sophos Labs. The intruders can gain access to information such as mobile phone numbers, partial credit card numbers, and billing addresses stored in the Payments section of Facebook’s account settings.

“That’s where some of the true value of stealing these log-in details comes in,” says Jones. “[Attackers] can start pulling off some really decent identity theft.”

Identity theft can also occur when a snoop looks through Facebook profile data that privacy settings haven’t locked down. “Unfortunately a lot of password-reset questions are answered in your profile,” says the Electronic Frontier Foundation’s Opsahl.

So how much is your Facebook identity worth?

Researchers at VeriSign’s iDefense recently reported that a hacker named Kirllos claimed he had 1.5 million Facebook accounts for sale for a price of $20 to $45 per 1000 accounts, depending on the number of contacts. According to a New York Times story, Facebook said that its own investigation did not find the claim credible. Facebook did not answer an interview request for this article.

Marketers and Advertisers

Facebook advertisers pay good money to target their ads to your profile characteristics.
Companies selling everything from online dating services to lattes are thrilled that they can direct their advertising to Facebook’s 400 million users through nine key demographic and psychographic filters.
“It offers the kind of targeting that marketers have been looking for for years,” says Debra Aho Williamson, senior analyst for eMarketer.

In January, Einstein Bros. Bagels ran a highly successful Facebook promotional campaign, offering new fans of its Facebook page a digital coupon for a free bagel and schmear. The company grew its fanbase from 7000 to 613,063 (as of this writing). In exchange for free food, Facebook users gave Einstein Bros. feedback on food preferences, stores, and who they are.

Reggie Bradford, CEO of social media management company Vitrue, calls Facebook pages a great way to get to know your fans. “There are features like polls, quizzes, or coupons; through those vehicles, you can collect all kinds of market research,” says Bradford.

Vitrue’s Social Page Evaluator attempts to quantify the value of a Facebook page.

But how much are people like those rabid bagel eaters worth?

To answer that question, Vitrue created the Social Page Evaluator tool, which attempts to quantify the return on investment for a Facebook page. The tool places a $3,227,020 value on the Einstein Bros. Bagels page based on the number of fans, the posted content on the page, and the interaction between the two. (Note: The dollar amount doesn’t correlate to real-world dollars, but instead serves mostly as a way to compare the “value” between pages. You can evaluate your own Facebook page.)

You could also say that Facebook users are worth the $605 million that eMarketer expects marketers to spend on worldwide Facebook advertising by the end of 2010. That’s up from $435 million in 2009. (eMarketer defines advertising as display, video, search, and other forms of advertising appearing within social network environments.)

“Quantifying the value of a Facebook fan is something we’re going to see a lot more of in the next year,” says eMarketer’s Williamson.

Despite waves of privacy backlash, Facebook continues to thrive and to look for new ways to make money for itself and its partners. To do that, Facebook will continue to leverage its biggest asset: you.
“Facebook is a business. I don’t think they have any ill will toward anyone, but they’re going to do anything they can as a corporation to be successful,” says Popp. “The onus of privacy is on the person using the Web.”

