Can you see who viewed which Facebook user’s profile, when, from what location, and how many times? “I wish,” Facebook addicts are sighing. However, while Facebook claimed at its inception it would never disclose that information, several recent attempts to exploit vulnerabilities in Facebook have proved that such information can indeed be obtained.
In July 2007, Adrienne Felt, a University of Virginia student, discovered that through some simple programming, you could gather information about each unique viewer of a profile. Through exploiting a vulnerability that allowed JavaScript to be added to a profile page, the scripts—that is, the programming instructions for the Web browser—could then be used to see who was looking at the profile.
Commercial social networking sites such as Facebook and MySpace share many vulnerabilities, in part because they have such a wide range of computing functions in need of protection.
MySpace and Facebook, the top two social network corporations, cover about 80 percent and 10 percent of the market, respectively. More than 20 other competitors trail behind, with each covering one percent or less of the market. In all these sites, however, users are at the corporations’ mercy regarding security. Users trust corporate programmers to stay ahead in the cat-and-mouse game of Internet security.
On Jan. 26, MySpace lost that game. A hacker known as “DMaul” exploited a hole in MySpace to gain unauthorized access to more than 500,000 private photos from nearly 44,000 user profiles. DMaul aggregated the photos to a 17-gigabyte file and uploaded it to BitTorrent for the public to download. Hackers identified the security hole and published information online about hacking profiles in Fall 2007. MySpace did not patch the hole until after DMaul had stunned the press.
When social networks are secure, the profile pages are supposed to be more private than personal Web pages and e-mails. Authors of Web pages and e-mails each control how content is formatted and sent, such that they can track when and where the content is viewed through the use of scripts. So, for example, when you keep looking at your ex’s blog, he or she might be able to tell.
Facebook and MySpace, on the other hand, restrict users from running these dynamic scripts (sophisticated code that allows you to see viewer information) on their profile pages. Nevertheless, it is still possible for users to insert more elementary markup called HTML (HyperText Markup Language) to track viewers.
Though they may claim to, neither network provides a space free of covert tracking and logging. On Facebook, HTML can be inserted in the “notes” and “posted items” area to log the date and time of individual viewers. On MySpace, HTML can be inserted in most areas of the profile (including the front page) to log the date and time of each hit as well as each viewer’s IP (Internet Protocol) address, and with it their geographical location and Internet provider.
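A site that wants to close this channel has to find every element in user-supplied markup that makes the viewer's browser fetch from a third-party host, because that fetch is what hands the host the viewer's IP address and the time of the visit. The following is an added example, not code from Facebook, MySpace or this column's author; the host names, the sample note and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes a browser fetches automatically when the page renders.
AUTO_FETCH = {
    "img": ("src",), "iframe": ("src",), "embed": ("src",), "script": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "object": ("data",), "link": ("href",), "body": ("background",),
    "table": ("background",), "td": ("background",),
}

class RemoteFetchFinder(HTMLParser):
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []  # (tag, attribute, host or raw style value)

    def handle_starttag(self, tag, attrs):
        watched = AUTO_FETCH.get(tag, ())
        for name, value in attrs:
            value = (value or "").strip()
            if name in watched:
                try:
                    host = urlparse(value).hostname
                except ValueError:
                    host = "<unparseable>"  # fail closed on malformed URLs
                if host and host not in self.first_party:
                    self.findings.append((tag, name, host))
            elif name == "style" and "url(" in value.lower():
                # Inline CSS can also load remote images; flag for review.
                self.findings.append((tag, name, value))

def find_remote_fetches(html, first_party_hosts):
    finder = RemoteFetchFinder(first_party_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a user-submitted note; all hosts are placeholders.
SAMPLE_NOTE = """
<p>Spring break photos!</p>
<img src="/photos/1234.jpg">
<img src="http://stats.example.net/hit.gif?profile=42" width="1" height="1">
<a href="http://blog.example.org/">my blog</a>
<div style="background: url(//cdn.example.net/bg.png)">hi</div>
"""
```

Calling `find_remote_fetches(SAMPLE_NOTE, {"social.example"})` reports the 1x1 image on `stats.example.net` and the inline-style background, but not the ordinary link, which only contacts its host if the viewer clicks it.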
Another feature that makes social networks even more worrisome than Web pages is the ambiguous border between what is private and what is not. When an individual creates a Web page, they know exactly which sections are private and which are public. But in social networking sites, what you thought was private content can quickly become public. Facebook and MySpace create public links to private content that users can send to others at their own discretion, such as the public links to private photo albums that you can send to family members or others who don’t happen to have profiles. Once you send the link to others, you have no control over who can see the link’s content. Anyone in possession of the link has access to it.
This risk applies to status updates as well. Facebook users can subscribe to receive private status updates of all their friends through something called an RSS feed. The RSS feed is, in effect, a public link to private information, just like the case of the photo albums. And it can be exploited in the same way.
And those are just the risks of giving out your info to your friends and family.
As major social networks expand, it is becoming apparent that profit and privacy are incompatible ends. Facebook and MySpace package information provided by users in countless ways. The more times personal information is repackaged and delivered to other users, the more page views will occur, allowing for more displays of advertisements. For example, a user’s status update in Facebook results in updates sent out to all of that user’s friends via News Feed, Mini News Feed, RSS feed and Recently Updated. The Network Statistics section of each network also shows that filling out a profile is in effect filling out a survey.
For most users, social networks appear both socially and technically benign. But that perception is what makes those users most vulnerable.
—Matthew Leung ’09 is a junior Philosophy and Chinese major. This semester he’s writing on all things technological.