£15bn for Government snoop network? Just use Facebook
By Stuart Turton
Posted on 3 Apr 2009 at 11:04
Cambridge University researchers have revealed how the profile information Facebook releases to search engines could be exploited by spammers or even governments.
Public listings allow search engines to crawl a limited version of your Facebook profile, displaying your name, photo, and eight people you're friends with. A limited selection of fan listings and affiliations is also displayed.
In a paper entitled Eight Friends Are Enough, the team from Cambridge's Computer Security Group reveal how they developed a program capable of sifting through thousands of these public profiles.
This information was then used to map out a person's network of friends. The paper's authors claim this is valuable information that could be easily exploited by spammers and governments.
"In our own experiments, we were able to download over 250,000 public listings per day using a desktop PC and a fairly crude Python script," says Joseph Bonneau on the Light Blue Touchpaper blog. "For a serious data aggregator getting every user's listing is no sweat."
Fellow author Ross Anderson draws comparisons to the proposed Central Communications Database, noting that security services really want knowledge of who is contacting whom, not necessarily what is said. Here that data is available for free and with relatively little effort.
"The Government wants to spend £15 billion on the IMP (Intercept Modernisation Programme) database of all traffic data - email headers, itemised phone bills, and the like - so that they can track the UK social graph. This paper shows that you don't need to spend all that money - you can get the social graph just by scraping the public data from Facebook," says Anderson.
Facebook wasn't available for comment at the time of publication.
