X

Facebook users pretty willing to add strangers as 'friends'

A survey by Sophos finds 41 percent of those surveyed were willing to approve a random friend request and provide personal information in the process.

Caroline McCarthy Former Staff writer, CNET News
Caroline McCarthy, a CNET News staff writer, is a downtown Manhattanite happily addicted to social-media tools and restaurant blogs. Her pre-CNET resume includes interning at an IT security firm and brewing cappuccinos.
Caroline McCarthy
3 min read

This post was updated at 7:30 AM PT on August 14 to include a statement from Facebook.

Recently we've seen a fair amount of scrutiny in the direction of Facebook, Silicon Valley's tabloid target of the moment, due to the social-networking site's potential for identity theft and security breaches. A few recent security glitches haven't helped. Now, IT security firm Sophos has released the results of its Facebook ID Probe, a test to see just how many users of the site--which claims more than 100,000 new users per day--are willing to divulge highly personal information to potential identity thieves. The results, to say the least, show that more than a few Facebook members might not be taking their privacy seriously enough.

Sophos created a fake Facebook profile, under the name 'Freddi Staur' ('ID Fraudster' with the letters rearranged), and randomly requested 200 members to be friends with 'Freddi.' Out of those 200, 87 accepted the friend request and 82 of those gave 'Freddi' access to "personal information" such as e-mail addresses, dates of birth, addresses and phone numbers, and school or work data. Presumably, the other five had restricted 'Freddi' to limited profile access, which many users select for bosses, parents, or people they don't know in real life.

What it all boils down to, ultimately, is who you consider a "friend" on Facebook. On the upside, more than half of those polled didn't even accept 'Freddi' as a friend--indeed, many Facebook members accept friend requests only from people they know in real life, a far cry from the MySpace friends lists that reach up into the four and five digits. But out of the 41 percent of those surveyed who divulged personal information to 'Freddi,' 72 percent provided at least one e-mail address, 84 percent gave their full date of birth, and 78 percent gave a current location (whether an address or just a city). More alarmingly, 23 percent provided a phone number and 26 percent provided an instant messaging screen name.

"It"s extremely alarming how easy it was to get users to accept Freddi," said Ron O'Brien, a senior security analyst at Sophos. "While it's unlikely this will result directly in theft, it provides many of the essential elements needed to gain access to people's personal accounts. Additionally, it reveals specific user interests, enabling hackers to design targeted malware or phishing e-mails that they know the user is more likely to open."

At the same time, O'Brien did note, "Facebook's privacy features are far more advanced than competing social networking sites; however, there is still human factor that must be taken into account."

Facebook responded on Tuesday morning with a statement from corporate communications director Brandee Barker regarding the research: "We are glad that the survey recognizes that Facebook's privacy features are 'far more advanced' than other sites," the statement read. "Facebook has long deployed technology that limits the availability of personal information and welcomes every opportunity to educate users about how to protect their data online."

The Sophos survey only reached 200 Facebook members, a tiny sliver of the rapidly growing social network. But it's nevertheless telling; Facebook started off as a set of small, restricted social networks for select colleges. Many of its most loyal users have been on the site since the early days, but haven't changed their behavior since the only people who could see their profiles were classmates. In light of all the recent security stories, they might want to reconsider that--and while they're at it, maybe remove a few of those Spring Break Caddyshack-Margaritaville-'80s Night photos from back in '05.