Facebook users pretty willing to add strangers as ‘friends’

August 13, 2007 9:15 PM PDT

Posted by Caroline McCarthy

This post was updated at 7:30 AM PT on August 14 to include a statement from Facebook.

Recently we’ve seen a fair amount of scrutiny in the direction of Facebook,
Silicon Valley’s tabloid target of the moment, due to the
social-networking site’s potential for identity theft and security
breaches. A few recent security glitches haven’t helped. Now, IT
security firm Sophos
has released the results of its Facebook ID Probe, a test to see just
how many users of the site–which claims more than 100,000 new users
per day–are willing to divulge highly personal information to
potential identity thieves. The results, to say the least, show that
more than a few Facebook members might not be taking their privacy
seriously enough.

Sophos created a fake Facebook profile, under the name ‘Freddi Staur’ (‘ID
Fraudster’ with the letters rearranged), and randomly requested 200
members to be friends with ‘Freddi.’ Out of those 200, 87 accepted the
friend request and 82 of those gave ‘Freddi’ access to "personal
information" such as e-mail addresses, dates of birth, addresses and
phone numbers, and school or work data. Presumably, the other five had
restricted ‘Freddi’ to limited profile access, which many users select
for bosses, parents, or people they don’t know in real life.

What it all boils down to, ultimately, is who you consider a
"friend" on Facebook. On the upside, more than half of those polled
didn’t even accept ‘Freddi’ as a friend–indeed, many Facebook members
accept friend requests only from people they know in real life, a far
cry from the MySpace friends lists that reach up into the four and five
digits. But out of the 41 percent of those surveyed who divulged
personal information to ‘Freddi,’ 72 percent provided at least one
e-mail address, 84 percent gave their full date of birth, and 78
percent gave a current location (whether an address or just a city).
More alarmingly, 23 percent provided a phone number and 26 percent
provided an instant messaging screen name.

"It’s extremely alarming how easy it was to get users to accept
Freddi," said Ron O’Brien, a senior security analyst at Sophos. "While
it’s unlikely this will result directly in theft, it provides many of
the essential elements needed to gain access to people’s personal
accounts. Additionally, it reveals specific user interests, enabling
hackers to design targeted malware or phishing emails that they know
the user is more likely to open."

Facebook responded on Tuesday morning with a statement from
corporate communications director Brandee Barker regarding the
research: "We are glad that the survey recognizes that Facebook’s
privacy features are ‘far more advanced’ than other sites," the
statement read. "Facebook has long deployed technology that limits the
availability of personal information and welcomes every opportunity to
educate users about how to protect their data online."

The Sophos survey only reached 200 Facebook members, a tiny sliver
of the rapidly growing social network. But it’s nevertheless telling;
Facebook started off as a set of small, restricted social networks for
select colleges. Many of its most loyal users have been on the site
since the early days, but haven’t changed their behavior since the only
people who could see their profiles were classmates. In light of all
the recent security stories, they might want to reconsider that–and
while they’re at it, maybe remove a few of those Spring Break
Caddyshack-Margaritaville-’80s Night photos from back in ’05.

