Will security become Facebook's Achilles' heel?

It's hard to go anywhere--to work, to the store, to the movies, really anywhere--without hearing about Facebook.

Its popularity is nearly unprecedented, making it a success to be envied in the eyes of many businesspeople, and in particular, software developers. Yet one area that Facebook has arguably not been successful in is that of protecting its users' privacy.

Although the issue has been raised time and again by users of the site, first with the introduction of the news feed and again with the introduction of its Beacon ad targeting technology, the company seems to be perpetually fumbling the ball. One starts to wonder: what's so difficult about keeping information private?

It's not that it was meant to be; the concept of Web-based social networking was never preordained as a privacy nightmare waiting to happen. Nothing is written into the precepts of graph theory dictating that civil liberties must be violated. Facebook was originally successful in part because it restricted the flow of information between students at different schools. No, what has manifested itself in Facebook today is directly the result of its leadership's conscious decision to put privacy on the back burner.

The key turning point in Facebook's history came in September 2006 when the site switched from being a closed community of students to a global destination for everyone on the Internet. To maintain its high growth rate, the company decided that it had to widen its scope, and in doing so, it tossed user authentication out the window.

At that point, any hope of having a site that respected user privacy was completely lost. The point of authentication, after all, is to prevent people from lying about their identity, and it goes to follow that when that measure is no longer in place, lying can and will happen.

Still, even if you are who you say you are, it's still incredibly easy to share too much. Facebook encourages it, of course. Chief Executive Mark Zuckerberg has a mantra about supporting the "free flow of information," as if openness is a panacea for inefficiency.

There's a reason for this. The more information that's accessible, the more people who want to access it. The more people who come, the more dollars that flow. (Profit, of course, has no bearing on this model.) So long as you sign up, click your mouse, and thereby yield as many advertising banner impressions as possible, you are doing your share in the grand scheme of multi-hundred-million-dollar advertising deals among Google, News Corp., Facebook, and Microsoft that are keeping these sites afloat.

Simply put, there's no way that social networks will put security and privacy first when their very business model gives them incentive to do just the opposite. Just as "the common good" became a rallying cry in the Soviet Union of decades past, only to yield a bifurcated society of poor and super-wealthy, so too has "the free flow of information" divided us into those who hire top-dollar lawyers to keep our information private, as Facebook's CEO did when a magazine ran an article he didn't like, and those of us who don't even have the right to close an account.

Add to that Facebook's spotty history regarding matters of security. It was in March 2005 that I found my first security flaw in Facebook. The site let you download the names, home addresses, birth dates, and other vital facts about thousands of its members without authorization. I alerted the company of the problem immediately. When it ignored my repeated requests for weeks on end, not knowing what else to do, I took it to the press. Only then did the company actually take the issue seriously.

Today, there doesn't even need to be a technical problem in Facebook's software for people to download the same information. The flaw is not just part of the system; the flaw is the system, as illustrated by three separate but equally alarming examples.

First, Facebook application developers (essentially, anyone) can download any member's personal data, regardless of whether those members have expressed interest in their applications.

Second, despite an uproar in the technical community, Facebook's Beacon ad service--aside from being foolish by informing members of their impending surprise gifts, disingenuous by frequently turning real friends into cheap marketing hacks, and Orwellian by peeking at others' thoughts through the eyes of retailers--still to this day tracks Facebook members' movements on the Internet, even when they aren't even signed in.

Third, when I refused to provide Facebook with my date of birth due to the above privacy concerns, not to mention a sense of fundamental injustice, the company suspended my account indefinitely.

Sadly, as the standard of success remains an index of how much one can steal from friends--whether software features or personal data--Facebook should do just fine. In the meantime, it couldn't hurt to have an alternative, privacy-conscious site ready for the day that millions of college graduates realize that they need to find--and keep--a job.