Disturbing Stats About Facebook Users & Security

There’s a screenshot that’s been sitting on my desktop for a rather long time now, and it’s as scary as it is interesting.

Facebook recently conducted a poll which showed up on the homepage newsfeed and asked Facebook members how exactly they thought Facebook’s “friend finder” worked when it prompted them for their email address & password in order to get a list of contacts. The numbers pretty much speak for themselves; here’s what they looked like near the end of the campaign:

[Image: Facebook Poll]

Now ignore the dark blue bar: it’s a red herring and doesn’t contain any interesting info. The real juicy bit is the “Yes” option, and its 20% response.

20% of Facebook’s 80 million active users (give or take) believe that the passwords for their email addresses are being stored when they use the Friend Finder… and that doesn’t bother them in the least. That’s sixteen million people who don't give a damn about their privacy, the contents of their email, or who has control of their entire online personas.

This is a subject that's been chewed half to death already countless times by people far more in the know than myself; Jeff Atwood’s excellent article on the topic covers the dangers of sites asking for users’ email addresses & passwords, and – far more importantly – presents several more secure alternatives for web application developers looking to expand their social networks.

To put things in perspective, take a look at this downright horrifying tale on ReadWriteWeb about software that prompted users for their email addresses & passwords, then proceeded to save them for malicious use... then realize that 16 million Facebook users out there don’t care if this happens to them. Think about all the private, sensitive, confidential information available on your email account and just how truly terrible it would be for that info to fall in the wrong hands.

Of course all this raises the question: who’s to blame for this bout of end-user stupidity (for lack of a more politically-correct term)? Is it naïveté/trust in the goodwill of others that gets users to give out such sensitive data to people (Facebook has 500 employees!) they don’t know from Adam? Or is it that they just don’t get how dangerous it can be (see the ReadWriteWeb article for proof)? Or is it, maybe, that they’ve simply gotten accustomed to being asked for their email address and corresponding password by “trusted” sites they love to visit, too caught up in the “gather as many friends as you can” game to give a second thought to identity theft and fraud?

Personally, I can recall a time when most “normal people” I know would refuse flat-out to share such sensitive data with a site (phishing, tech support, etc. obviously excluded); but in the wake of “Web 2.0” it’s become so normal to ask for email addresses and passwords that no one ever gives it a second thought.

And it’s not just Facebook. To be totally frank, even if Facebook were to store end users’ passwords in their database, the access to that info would probably be very highly guarded… but when every new social network on the block is suddenly doing the same thing – you can get a good picture of just how easy it would be to steal users’ passwords.

MQ’s 3 Steps for World Domination

  1. Send out an email purporting to be from “the hottest new social network around” informing the recipient that their “friends” want them to join: “Click here to show Peter you’re a real friend!”
  2. Get the user to register a new account – make the procedure as pain-free and simple as possible… and right then and there on the registration page ask for the user’s email address and password so as to “make it easy to tell all your friends you care and get popular really fast...”
  3. Profit.

As soon as it's OK for one person to do it, it'll be OK for everyone to... and then we'll be in too deep to do anything about it.

So why does Facebook - after polling their end users and seeing just how dire the situation is - continue to use the same flawed mechanism of harvesting email addresses... especially when better, safer alternatives exist?

11 Responses to “Disturbing Stats About Facebook Users & Security”

  1. Lambert Talens, Aug. 14th, 2008 at 12:27 am

    Disturbing, yes, but surprising, no. Given what people reveal on blogs and other sites open to public view, I am not surprised that they are willing to provide a password.

    I was talking to a local computer store employee (in his 20's) and he told me that he gave his debit card to a friend so that the friend could go and buy them some snacks. Presumably he had to tell him the PIN associated with the card. I was dumbfounded.

  2. Chris, Aug. 19th, 2008 at 5:48 am

    Something similar... I did some capturing while using Windows Live Writer and noticed that my username and password were being sent in the clear. Turns out the MetaWeblog API standard has your username and password sent (in the clear) each time your client talks to the blog provider. Quite disturbing to me.

    http://www.dscoduc.com/post/2008/03/14/Insecure-blogging.aspx

  3. Chris Lees, Sep. 7th, 2008 at 2:31 am

    Those same 20% of people might have refused to run the "e-mail friend finder" bit. Or at least a largish proportion of them.

    I also find it disturbing that 38% of people don't understand the question. If they don't understand the question, do they understand the implications of giving their passwords out?

  4. fridge, Sep. 13th, 2008 at 9:55 am

    Uhm yea, if you think each and every one of the 80 Million active users votes on the poll..

  5. Mahmoud Al-Qudsi, Sep. 13th, 2008 at 11:44 am

    Of course not, fridge.

    But it's a common scientific technique to take and analyze data from a portion of a large set, then extrapolate those results to the whole.

    Basically, we're assuming the pattern of those that replied holds true for all those on Facebook.

  6. D.Justice, Nov. 4th, 2008 at 4:29 pm

    This is very unneeded. The poll wasn't saying that 20% are willing to give up their email & password. It's asking if the friend finder function worked. So if they aren't friends, they can see who they missed. The passwords are obviously safe and secure, it isn't like you see Facebook selling passwords by the 100's on eBay.

  7. KC, Nov. 20th, 2008 at 6:23 pm

    Look, this is all very disturbing, that's so true. But it's up to each individual person to be responsible.

    D.Justice, although Facebook may not be handing out passwords on eBay, that does not take away the possible risks that giving your email password away creates.

    People should be more conscious of what they are doing online, and I agree that 38% of people not knowing what the question was even asking at all is scary in itself.

  8. Carlo Marino, Dec. 5th, 2008 at 2:38 am

    Does it really matter? Everyone should know email is not private anyways. You don't write anything in an email that you wouldn't want someone to see if they were looking for it.

  9. Lambert Talens, Dec. 13th, 2008 at 7:27 pm

    Carlo - of course it matters. If someone knows your email password they can impersonate you. That is, they can send emails that look like they come from you. Just the first step on the road to identity theft.

  10. kovshenin, Jan. 4th, 2009 at 4:13 pm

    Facebook is okay. I don't think that they had that option when starting up... But new social networks, yes, that's quite a bad start :(

  11. makeshift, Oct. 21st, 2009 at 5:54 am

    Isn't the email address (Facebook logon ID) and password, in this case, simply the email address you used to create your account and the Facebook account password? Hopefully people at least used a password for Facebook that was different than the password for the email address that they signed up with.