41% of Facebook Users Give Personal Data to Green Plastic Frog
In a revealing test of where the true insecurities may lie in the realm of social online networking, security software company Sophos today revealed it set up a kind of sting operation on Facebook. It created a fake identity around a green plastic frog it named "Freddi Staur," and had Freddi invite 200 real Facebook users to be its friend.
"It's extremely alarming how easy it was to get users to accept Freddi," stated Sophos security analyst Ron O'Brien this morning. Of those Freddi invited, O'Brien reported, 87 responded positively, and 82 gave personal identification data to Freddi's account when asked.
Without any "hacking" whatsoever, the tub toy managed to acquire a treasure trove of personal data. About 73 people were willing to post their birthday, while others willingly included places of birth, employers' names and addresses, photographs of family and friends, work resumes, and in at least one instance, the user's mother's maiden name.
All this in response to a request from something that obviously had no real identity of its own (its name is actually an anagram of "ID Fraudster") and offered zero information, real or imaginary, about itself.
The Sophos survey results come in the midst of a little storm of controversy that erupted after a misconfigured Web server inadvertently served significant portions of Facebook's source code to ordinary users, in place of the rendered home page they would normally expect.
That revelation prompted New Scientist technology editor Will Knight to post to his blog yesterday, "The reason the leak is concerning is that, by studying the leaked code, a canny computer hacker might be able to figure out some critical security vulnerabilities and thus gain access to tons of personal information."
As we now know, it doesn't actually take a "canny computer hacker" to do that, but instead, to borrow a fitting phrase from patent law, "a person with ordinary skill in the art."
Sophos published the survey to publicize its latest publication of best practices for using Facebook. It's not recommending that people (the real kind) stop using Facebook, but rather that they take heed of the security features it actually does offer, which will hopefully make both users' lives and Sophos' business somewhat easier.
One of Sophos' tips is this: "You can choose to make people 'limited friends' who only have access to a cut-down version of your profile if you wish. This can be useful if you have associates who you do not wish to give full friend status to, or feel uncomfortable sharing personal information with." For example, associates whom you suspect may not be organic.
Of course, this part of the discussion side-steps a broader, more curious problem illuminated by the Sophos survey. It's doubtful that a man in a frog suit walking the city streets could get 37 out of every 100 passers-by to divulge their birthdays on command. Yet that many people were willing to spill their life's data to a meaningless on-screen avatar, just for having been asked so sweetly something on the order of, "Would you be my friend?"
This raises the question: If instead of a plastic frog, Sophos had used a real photograph of a non-celebrity and a non-anagram name, would more people have responded so willingly? Or fewer?