NEWS FROM THE LAB - Thursday, October 7, 2010
 
Facebook: Giving You More Control?
Posted by Sean @ 13:43 GMT

Facebook CEO, Mark Zuckerberg, has announced on their blog that the site will soon be offering new features and controls. The features include New Facebook Groups, a Dashboard for Applications, and the ability to Download Your Information.

#1 — Why the "new" Groups? According to Zuckerberg, people frequently tell them:

"I'd share this thing, but I don't want to bother 250 people. Or my grandmother. Or my boss."

Now we thought that's what Friends Lists are for… but then, even Zuckerberg has admitted that Friends Lists are too difficult for most people to effectively manage. So this "completely overhauled, brand new version of Groups" is really mostly the same old Groups that we've been using since early 2009, with some PR spin.

While we kind of like the idea of simplified Groups, we don't expect they'll be any easier to manage.

#2 — Dashboard for Applications. This looks promising. We look forward to testing it out. The application settings have needed a dashboard for quite some time.

#3 — Download Your Information. Privacy advocates have been asking for this feature for a long time. They want Facebook users to have the power to migrate if they choose to do so.

But there is one significant concern in our minds… the verification process.

Step 1 is to request the download from your Account Settings:


You'll get an e-mail when the information has been collected:


There will be a verification link in the e-mail notification:


And the verification link opens a page that prompts for your Facebook password.


So, what's our concern?

PHISHING

Far too many people reuse passwords on multiple sites. If their e-mail accounts are phished, the attacker might just as well try logging onto Facebook with the same credentials.

Facebook isn't to blame. People want this feature. In fact, many, such as the EFF, have been demanding data portability for quite some time.

Before anybody goes all Chicken Little and starts crying about identity theft… stop. The real problem here is much closer to home. This feature is most likely to be abused by your spouse! (And you know why. She wants to use it against you in court.)

So it seems to us that Facebook should provide the option for SMS notification each time a Download Your Information request is made. And log details. If Facebook is providing a Dashboard for Applications, shouldn't they provide one for their own applications?

We think so.

Updated to add on October 13th: We've now tested the Download Your Information feature.

The e-mail is only a notification of availability and adds nothing to the verification process. Returning to the download request page after waiting a sufficient amount of time also results in a password prompt. The zip file can be downloaded multiple times.

Only the Facebook account password is required and there's no additional e-mail notification generated for subsequent downloads.

Facebook's Help Center provides no details on the zip file's length of availability or how often the file is recompiled.
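
A sketch of the control proposed above (an SMS notice and a log entry for each Download Your Information request), extended to every download attempt because the update found that repeat downloads generate no notice. This is an added example, not Facebook's code and not part of the original post; `ExportGate`, the one-hour archive lifetime, the in-memory SMS outbox and all sample values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SALT = b"constructed-demo-salt"  # constructed value for this example


def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass
class ExportGate:
    """Hypothetical gate in front of a data-export archive."""
    password_hash: bytes
    ttl_seconds: int = 3600            # assumed lifetime; the Help Center gives none
    ready_at: Optional[float] = None   # when the current archive was built
    audit_log: list = field(default_factory=list)
    sms_outbox: list = field(default_factory=list)  # stand-in for an SMS gateway

    def _record(self, event: str, ip: str, ok: bool, now: float) -> None:
        # Log details and notify the owner for every event, allowed or denied.
        self.audit_log.append({"time": now, "event": event, "ip": ip, "ok": ok})
        verdict = "allowed" if ok else "DENIED"
        self.sms_outbox.append(f"Data export {event} from {ip}: {verdict}")

    def request_export(self, ip: str, now: float) -> None:
        # Assumes the caller already holds a logged-in session.
        self.ready_at = now
        self._record("request", ip, True, now)

    def download(self, password: str, ip: str, now: float) -> bool:
        fresh = self.ready_at is not None and now - self.ready_at <= self.ttl_seconds
        ok = fresh and hmac.compare_digest(hash_pw(password), self.password_hash)
        self._record("download", ip, ok, now)
        return ok


def demo() -> ExportGate:
    gate = ExportGate(password_hash=hash_pw("correct horse"))  # constructed password
    gate.request_export("192.0.2.10", now=0)
    gate.download("correct horse", "192.0.2.10", now=60)
    gate.download("correct horse", "198.51.100.7", now=120)  # repeat download, other IP
    gate.download("guess", "198.51.100.7", now=180)           # wrong password
    gate.download("correct horse", "192.0.2.10", now=7200)    # archive expired
    return gate
```

The third call is the case the update describes: the password alone still unlocks the archive, but the account owner now receives a notice and the attempt is on record.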