Are your Facebook Friends “Going Romulan”?

Note to non-geeks: In Star Trek, the Romulans had cloaking technology.

Via Physorg.com: There was an interesting presentation delivered by Shah Mahmood and Yvo Desmedt at the IEEE International Workshop on Security and Social Networking (SESOC 2012) on March 19. Long story short:

  1. Users can deactivate and reactivate as many times (and as frequently) as they want to.
  2. When they are deactivated (or cloaked), you can’t defriend them (because they don’t exist).

The “attack”? These cloaked friends can uncloak at any time, grab as much information about you and your network as they like, and then deactivate (or cloak) again. Facebook doesn’t have any mechanism for the people affected by this to even know they have been affected. There’s no notification that would alert you to the fact that your friend “Cindy Hacker” has reactivated for 10 minutes every day for the past 10 days.

…and the reason Facebook doesn’t tell you about this is that this vulnerability is the other side of a phenomenon known as “Super Logoff”. Danah Boyd discussed how some particularly Facebook-obsessed teens were using this technique as a way to avoid getting tagged in embarrassing photos while they happened to be logged off of the social network. The reasoning here is that, if you are a particularly sensitive Facebook user, you don’t just log off of the social network; you deactivate every time you log off. (Ridiculous. No really. Who has the time?)

If you use Facebook like I do, there are probably a few people you are friends with who are a little questionable. (“Did I really go to high school with that person?”) Imagine you befriended some contrived profile and then they suddenly dropped off your radar. There’s a chance you granted access to a profile that can deactivate and reactivate at will, and you’ll never know, because Facebook will never fix this bug (I shouldn’t be so sure), but I’d be willing to bet that Facebook will never address this particular attack because they don’t regard it as one. There are four ways they could fix the issue:

  1. Give users a way to see who has been looking at their profile and how often – Nope. This will never happen; can you imagine the social havoc it would create? Facebook is founded on the premise that people you haven’t spoken with in years (and who you will likely never speak to again) can walk around your life and find out everything about you. Even though I think this would be a useful privacy feature, it will never happen, because it breaks the concept of social networking.
  2. Force deactivating and reactivating users to rebuild their friend network – First, consider those privacy-obsessed “Super Logoff” users; this would never work for them. Second, by allowing people to temporarily log off, Facebook is really just trying to retain users. If a user wants to deactivate, a temporary deactivation is a way for Facebook to say, “OK, we know you want to go, but preserve the option to come back later. You might change your mind.”
  3. Notify users of suspicious activity related to friend activations – I view this as a variation on #1, and I’ll put forward the statement that Facebook will never get into the business of telling people who has accessed their data. But it sure would be nice to know: “Your friend Cindy Hacker has deactivated 20 times in the last week, would you like to remove her as a friend?”
  4. Your deactivated friends should still be visible in your friend list – This would (possibly) address the problem outlined above, but it would also have the side effect of (potentially) violating the privacy of the individual who deactivated. If someone deactivated a Facebook profile on purpose (say, because they decided that Facebook is a tiresome platform for narcissistic egomaniacs), they may want to quietly fade into the Facebook void.
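As an added illustration of option 3 (this is example code written for this post, not code from Facebook or from the SESOC paper), here is a small Python detector that counts deactivations per friend inside a trailing window and produces the proposed notification for anyone over a threshold. The event format, the sample events, the seven-day window, the threshold of 3 and the evaluation time are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-state events: (friend, ISO timestamp, new state).
# The format and every value here are assumptions for this example, not real data.
SAMPLE_EVENTS = [
    ("Cindy Hacker", "2012-03-12T09:00:00", "active"),
    ("Cindy Hacker", "2012-03-12T09:10:00", "deactivated"),
    ("Cindy Hacker", "2012-03-13T09:00:00", "active"),
    ("Cindy Hacker", "2012-03-13T09:12:00", "deactivated"),
    ("Cindy Hacker", "2012-03-14T09:00:00", "active"),
    ("Cindy Hacker", "2012-03-14T09:09:00", "deactivated"),
    ("Cindy Hacker", "2012-03-15T09:00:00", "active"),
    ("Cindy Hacker", "2012-03-15T09:11:00", "deactivated"),
    # Someone who quietly left once and stayed gone: below any sane threshold.
    ("Quiet Friend", "2012-03-16T20:00:00", "deactivated"),
    # Churn from months ago falls outside the trailing window and is ignored.
    ("Old Classmate", "2011-11-01T08:00:00", "active"),
    ("Old Classmate", "2011-11-01T08:30:00", "deactivated"),
    ("Old Classmate", "2011-11-02T08:00:00", "active"),
    ("Old Classmate", "2011-11-02T08:30:00", "deactivated"),
]

# Assumed evaluation time (the workshop date), so the example is deterministic.
NOW = datetime(2012, 3, 19)


def count_deactivations(events, now, window=timedelta(days=7)):
    """Count, per friend, the deactivations that fall inside the trailing window."""
    counts = defaultdict(int)
    for friend, ts, state in events:
        when = datetime.fromisoformat(ts)
        age = now - when
        # Only "deactivated" transitions matter; reactivations are implied by
        # the next deactivation, and future-dated or too-old events are skipped.
        if state == "deactivated" and timedelta(0) <= age <= window:
            counts[friend] += 1
    return dict(counts)


def suspicious_friends(events, now, threshold=3, window=timedelta(days=7)):
    """Return option 3's notification text for friends at or above the threshold.

    The threshold is an assumed tuning knob; 3 is chosen only for this sample."""
    return {
        friend: (f"Your friend {friend} has deactivated {n} times in the last week, "
                 f"would you like to remove {friend} as a friend?")
        for friend, n in count_deactivations(events, now, window).items()
        if n >= threshold
    }
```

The same heuristic also flags a genuine “Super Logoff” user, who churns just as often, which is exactly the tension between options 2 and 3 above.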

Logical Conclusion: You are constantly being surveilled by cloaked Facebook friends.  Have fun.

This extended abstract is available on arxiv.org.