facebook

Analyzing Facebook's Security Mechanisms

For my Privacy, Security and Cryptography class, we studied a set of 13 principles for secure systems:

  1. Security is Economics
  2. Least Privilege
  3. Use Fail-Safe Defaults
  4. Separation of Responsibility
  5. Defense in Depth
  6. Psychological Acceptability
  7. Usability
  8. Ensure Complete Mediation
  9. Least Common Mechanism
  10. Detect if You Cannot Prevent
  11. Orthogonal Security
  12. Don’t Rely on Security Through Obscurity
  13. Design Security in, From the Start

For our midterm, we were asked to analyze how Facebook exemplifies or does not follow these principles. It was an interesting assignment, which finally forced me to think more thoroughly about Facebook's security policies, and I'm happy to attach my findings here.

For some people these may be rather run-of-the-mill notes. Others may be surprised at the poor security of the world's biggest photo and social networking site.

Enjoy.

Testing Deletion Speed of Online Photo Sites

Update, 2010-03-08: Added an image at drop.io
Update, 2010-01-28: Added an image at Orkut.com
Update 2, 2010-01-28: At the FTC round table today, Facebook's director of public policy, Tim Sparapani, claimed that information deleted from Facebook cannot be retrieved even by Facebook staff, because it is almost instantly deleted. I informed him this was not true in the case of pictures, and he said he would look into it. Will update this post when/if I hear more.

Imagine an embarrassing photo of you is placed online by one of your friends. You ask them to take it down, and they do. Now, imagine that your enemy had gotten a link to that photo, and had posted it to their blog. You'd hope that your friend taking the photo down would in fact delete the photo, but I'm sorry to say that isn't always the case.

Inspired by Jacqui Cheng's article, I decided to test some of the more popular online services for photo hosting to see what happens when you "delete" a photo from their site. On November 14th, 2009, I uploaded and then deleted the following image of a black box with white text to Facebook, Flickr, Picasa, MySpace, Photobucket, Shutterfly, Twitpic and WalMart:

When you look below, if you can see the black box for a site, that means that it was not truly deleted and is still live. You can verify this by clicking on the image. This is checked each time this page is loaded, so the information is constantly verified. If the image has been deleted, you will see the date that it was deleted.

There are a number of reasons why photo services might be lazy about properly removing images from their site, but until they have proper deletion mechanisms, we should all think twice about what we upload.

If there's a service that is not shown here that you'd like to see, please let me know. And now, without further ado, I present, the ongoing results of the test:

Facebook:

This file was properly deleted from their server as of at least May 27, 2010.

Flickr:

ED: Flickr began showing the following message approximately an hour after the image was "deleted."

Picasa:

This file was properly deleted from their server as of at least 15 November 2009.

MySpace:

Photobucket:

This file was properly deleted from their server as of at least 14 November 2009.

Shutterfly:

Twitpic:

This file was properly deleted from their server as of at least 14 November 2009.

Walmart:

Google Orkut (added 2010-01-28 - disregard the date in the image itself)

Drop.io (added 08 March 2010)

This file was properly deleted from their server as of at least 8 March 2010.
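
The liveness check this post describes (re-requesting each direct image URL and noting when it stops being served) can be sketched as follows. This is an added example, not the script this page runs; the host names, URLs, image bytes and stubbed responses are constructed, and the "replaced" result covers the Flickr case above, where a notice is served in place of the photo.

```python
import hashlib
import urllib.error
import urllib.request

def http_fetch(url, timeout=10):
    """GET a direct image URL; return (status, body). status is None on network failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still tell us something
        return err.code, b""
    except OSError:                        # DNS failure, timeout, connection refused
        return None, b""

def deletion_status(url, original_sha256, fetcher=http_fetch):
    """Classify what a host serves at the direct URL of a photo we deleted."""
    status, body = fetcher(url)
    if status in (404, 410):
        return "deleted"
    if status == 200:
        # A 200 alone proves nothing: compare the bytes with the photo itself.
        if hashlib.sha256(body).hexdigest() == original_sha256:
            return "still-live"
        return "replaced"      # e.g. a "photo unavailable" notice image
    return "inconclusive"      # 403, 5xx, network error: re-test later

def check_all(targets, original_sha256, fetcher=http_fetch):
    """Run the check for every host; targets maps a label to a direct image URL."""
    return {name: deletion_status(url, original_sha256, fetcher)
            for name, url in targets.items()}

# Constructed sample data. Hash the bytes as the host first served them,
# since a host may re-encode an upload.
ORIGINAL = b"constructed-test-image-bytes"
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()
SAMPLE_TARGETS = {name: f"https://{name}.example.test/p/1.jpg"
                  for name in ("host-a", "host-b", "host-c", "host-d")}
SAMPLE_RESPONSES = {
    SAMPLE_TARGETS["host-a"]: (200, ORIGINAL),              # never removed
    SAMPLE_TARGETS["host-b"]: (404, b""),                   # removed
    SAMPLE_TARGETS["host-c"]: (200, b"placeholder-notice"), # swapped for a notice
    SAMPLE_TARGETS["host-d"]: (503, b""),                   # tells us nothing yet
}

def stub_fetcher(url):
    """Offline stand-in for http_fetch, backed by the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (None, b""))

if __name__ == "__main__":
    for name, result in check_all(SAMPLE_TARGETS, ORIGINAL_SHA256, stub_fetcher).items():
        print(f"{name}: {result}")
```

Run on a schedule against your own uploads, the first date a URL returns "deleted" corresponds to the deletion dates recorded above.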

Rethinking Facebook Privacy Settings

Ars Technica has an article today outlining some excellent techniques for safeguarding your privacy while using Facebook. One of the best methods explained in the article is to cordon off your friends into different groups of people, and to then set different permissions for those groups. Thus, the common technique is to put your ex-partners into one group, your friends into another, family into another, and thus down the line.

But in practice this technique is nigh on impossible. I have family members (such as cousins) that are close friends, and so-called friends that, really, I haven't talked to since high school. Beyond this, managing the groups is a problem too since over time, some of your friends become closer and others more distant.

Thinking through this problem, I have come up with a better, and perhaps more obvious solution: Simply organize your Facebook friends into groups based on how much you want those people to know about you. In practice I found this to be fairly simple with only three groups: Loose Privacy, Standard Privacy, and Strict Privacy. Bosses, ex-partners and distant friends go into the Strict category, close friends and current partners go into the Loose category, and everybody else goes into the Medium category.

Admittedly, this dumbs down the power that Facebook gives you to categorize your friends into groups, but in practice, it's much easier to maintain, since there are only three lists, and it's clear who belongs in which.

A second group of settings that people are likely unaware of are those that "limit what types of information your friends can see about you through applications." These are important and creepy because by default, when your friends install an application, that application can see and aggregate an incredible quantity of information about you, even without your or your friend's permission or knowledge. As part of its dotrights campaign, the ACLU is currently working on an application that demonstrates this loophole, but for the moment, it's probably wise to adjust these settings.

To adjust these settings so third-party applications can see as little information as possible (without your friends simply not using them), go to Settings > Privacy > Applications, and then click on the "Other" tab (this link should also work, if you're logged in). Once on that page, uncheck all of the boxes in the first section, and save your settings.

Twitter (and Facebook) Integrated

I upgraded the site a bit today by adding my Twitter/Facebook feed to the left-hand sidebar. To a teenager in Colorado I am indebted for this script. Jeez, they just get younger and younger.

Let me know if you catch any bugginess.
