Earlier this week, a student in my class pointed us to this story, describing a security vulnerability in Myspace that allowed private pictures to be viewed by anyone. It’s not the first time Myspace has been exploited in this manner, but it was certainly creepy. A followup story reveals the staggering impact of the vulnerability. Wired’s Kevin Poulsen writes:
A 17-gigabyte file purporting to contain more than half a million images lifted from private MySpace profiles has shown up on BitTorrent, potentially making it the biggest privacy breach yet on the top social networking site.
…
By then, DMaul, a denizen of the online forum TribalWar.com who declined to reveal his name, used an automated script to run nearly 44,000 MySpace user profiles through one of the ad-supported sites, MySpacePrivateProfile.com — a process he says took about 94 hours. He rolled those images into a single file and seeded it to The Pirate Bay, a popular BitTorrent tracking site, on Sunday, advertising it as “pictures taken exclusively from private profiles.”
The scope of this breach is staggering, especially when one considers the method of distribution. As in other data breaches, once the data hits a torrent network there is simply no way to recover or erase the leaked material. Individuals whose data was compromised can hope for security through obscurity, but they can never hope to reclaim their images from the hard drives they now inhabit.
This episode is frightening on a number of levels. No system can be made hacker-proof, so there will always be individuals seeking to exploit it and gain access to private information. In this attack we see basic crawling and caching, but what if it had been deployed as an open proxy, where individuals interested in seeing private pictures fed the system with IDs and the proxy simply cached and shared everything? Social network sites seem especially vulnerable to the proxy attack, and I shudder to think what might have happened if this attack had been the work of more than one determined individual.
This also reinforces the false, trivial nature of privacy on these sites (as Valleywag says, “your privacy is an illusion”). The only thing separating one’s private content from public content is a single if/else check, and if it fails once, that’s enough for a massive incident. Of course, this doesn’t apply only to social network sites. Think of anywhere you’ve stored large amounts of private information: your web-based email, your friends-only journal, your photo-sharing account. Any and all of it may be public one day; all it takes is a vulnerability and a determined screen-scraper.
And so it seems the only option is to disappear from the grid, or to adopt Hasan Ali’s radically transparent approach. If only it were that simple. It seems that a critical new literacy is audience control: being able to understand the population to which you are projecting, as well as the costs and benefits of data leaks. This is not as simple as it seems, and it certainly takes some of the joy out of the seemingly boundary-less web. At the same time, it is hard to discount the triviality of these attacks; in 19 hours, 500,000 pictures were collected and seeded to torrent networks. That is a harsh reality.
Update: Terrell posts his informed opinion here.
Update 2: Privacy expert Michael Zimmer shares his opinion.
Tags: myspace, privacy, social networks
Fred Stutzman is a doctoral student, researcher and teaching fellow at the University of North Carolina at Chapel Hill's School of Information and Library Science. He studies how people use social media.