Facebook applications exposed as security risk

The disclosure follows an investigation carried out by BBC Click, which created a malicious programme that masqueraded as an application and tested it on a fictional profile. The results showed that, despite high privacy settings, sufficient personal data could be harvested to carry out ID fraud.

Applications on the social networking site run from third-party servers and consequently cannot always be strictly monitored by Facebook itself. When an application is downloaded, the user is given the option to prevent it from accessing their personal details; however, many applications require permission in order to function.

Facebook is legally covered through a disclaimer in its ‘Terms and Conditions’, but the question of how liable the company should be remains open.

“People are predisposed to sharing information”, remarks David Emm, senior technology consultant at Kaspersky Lab, who cites password proliferation as a major problem in personal security. “It is difficult to see how Facebook are liable, but it seems that social networking sites should hold some degree of responsibility.”

Mark Murtagh, technical director of Websense, believes that the developments are ‘inevitable’. He observes that “Web 2.0 technologies such as Facebook are not only being used by employees for keeping in touch with their friends, but are rapidly being adopted by business as people use these technologies to build business contacts”, adding that “companies understand that allowing access to these tools in a safe environment is what is needed.”

A spokesperson for Facebook responded to the investigation, maintaining that “We regularly evaluate and adjust the security settings for third party applications to ensure that Facebook's terms of service are not violated” and advising that users “employ the same precautions while downloading software from Facebook applications that they use when downloading software onto their desktop”.
