A couple of weeks ago, a researcher at Skull Security compiled and released (as a downloadable torrent) information scraped from about 100 million publicly available Facebook profiles, just to prove a point: that someone can neatly package up millions of people and distribute their personal information, along with the tooling used to collect it.
I’m not entirely sure why grey hat hacker and security communities are so fond of these sorts of morally ambiguous actions: doing something harmful simply to prove that something harmful could happen. Skull Security did point out a real problem, but they also put the tools to recreate it in the hands of anyone who wants to expand on the original results. So my question, given that the scraper and its output were wrapped up like a present, is, “how is this beneficial?”
I’m not sure it actually is. It’s clearly not meant to be beneficial to Facebook. More troubling: there’s a clear disregard for the users whose information was packaged, the assumption being that they made a conscious choice to share it. Facebook’s instructions and information architecture are both so badly designed (public search listing was on by default) that some of this information was likely shared by accident rather than by choice.
The entire act smacks of a lack of moral responsibility to people, combined with a full acceptance of servitude to facts. One does not automatically benefit the other. Knowledge is not always good, but it is always power over ignorance. My question upon reading about this was, “why didn’t Skull offer the file for sale, and then donate the proceeds to an organization that defends privacy?” If an amoral act is going to be committed in the interest of protecting uninformed users, then it must be balanced in structure to be truly morally neutral. It doesn’t feel as though that was ever considered.
Facebook responded with a statement pointing out that nothing was stolen and nothing was compromised, because the data was already public; the guy just did something unsavory, albeit completely legal.
It turns out there actually are people inside several very well-financed companies interested in this bundled user information: Gizmodo has a list of entities whose IP addresses were observed downloading the torrent (peers in a torrent swarm expose their IP addresses, which is how such a list gets compiled). That an address in a company’s range downloaded the file doesn’t mean the company is going to use it for marketing; it identifies a network, not a person or an intent, and it could simply be some curious employee downloading to see what’s there.
The message remains: don’t give anything away you don’t need to. Lock your material down to the level of security you’re comfortable with, treat anything listed in a public search directory as visible to everyone (including scrapers), and assume everyone’s acting in their own best interest, not yours.