As reported by SMH, Facebook privacy vulnerability testing demonstrated how privacy-protected Facebook photos can be accessed without being a Facebook user’s friend.
Christian Heinrich, a security expert, demonstrated how he had gained access to privacy-protected Facebook photos.
The purpose of the conference, given to a small gathering of about 20 people, was to show that not everything posted to social networks is as secure as the sites would have us believe.
Facebook often gives users assurances that they will be safe as long as they have their privacy settings set correctly.
However, the demo showed that even if one activated privacy settings at the highest level, one’s Facebook photos were still not safe.
The security expert believes that Facebook and similar sites have an obligation to inform users they have no reasonable expectation of privacy.
Because Facebook and similar social networking sites use a Content Delivery Network (CDN), which operates outside a social network’s own servers and has servers all around the globe to deliver content quickly, when a user tries to access a photo on Facebook, it is retrieved from the closest computer server.
The presentation showed how over a period of days privacy-protected Facebook photos could be extracted via Facebook’s CDN.
A program was run to guess the URL of a photo, using a Friend ID and X, a value which the computer guessed over a period of days.
It is arguable that the name of a URL, because it involves random characters, is a form of security. However, looked at another way, a web server is designed to accept any anonymous request. The owners of the server configured it in such a way that it presents content to anyone who requests it, without a URL or password or restrictions on their IP address.
The system architecture is unsecured. Over the TCP/IP network and the web, the content within the system is unsecured. A person is able to simply type in the URL, or the IP address it correlates to.
Accusing the demonstrator of circumvention under these circumstances is analogous to somebody transmitting what they want to protect on free-to-air television and claiming that there has been circumvention of copyright protection mechanisms, because they didn’t advertise when the program was going to be on, and the ‘circumventer’ told all their friends what time it was going to be broadcast once they figured it out. Public HTML is by its nature ‘public’.
The owners of the server could put password restrictions on it or send back ‘access denied’ responses, but they don’t make any effort to secure it.
It hasn’t identified itself in any way as being secure, either in the URL or on the server. There is nothing in the transaction which identifies it as secure, so the person who ‘takes’ it is arguably innocent.
Taking something that is available through a URL without any protection is arguably taking what is a public publication. Maybe on the first guess, when the person guesses incorrectly, the system should send back a message warning persons that they are trying to circumvent copyright protection and to desist.
If the law deems this to be a form of circumvention technique, this argument should be legally tested. For if that kind of prosecution holds up, then potentially it means everyone who discovers a URL by some means is liable for circumvention. Any person who discovers a ‘secret’ URL is engaging in circumvention.
Where people type in different strings with the intent of guessing people’s file names to obtain access to their files, this is more clear.
However, HTML access is unencrypted by design. Having an obscure URL arguably couldn’t be accurately described as a ‘security technique’. Perhaps people think of it this way, but the system architecture would say that it isn’t.
It isn’t legally defined as a true protection technique. It may be that the URL owner hasn’t advertised the location of the URL very well but their intention was that it was to be widely viewed.
In any event people aren’t constructively on notice that it is supposed to be ‘secret’.
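The alternative raised above, a server that enforces access itself and answers ‘access denied’ rather than relying on an obscure URL, can look like the following. This is an added example, not Facebook’s or any CDN’s own code; the signing key, URL layout, parameter names and the assumption that the edge server knows which logged-in user is making the request are all illustrative.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a secret shared by the application and the CDN edge (constructed value).
SIGNING_KEY = b"constructed-demo-key"


def _mac(path, viewer_id, expires):
    """HMAC over everything the link is allowed to grant: which file, to whom, until when."""
    msg = f"{path}\n{viewer_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_photo_url(path, viewer_id, ttl=300, now=None):
    """Issued by the application only after its privacy check passes for viewer_id."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"viewer": viewer_id, "expires": expires,
                       "sig": _mac(path, viewer_id, expires)})
    return f"{path}?{query}"


def authorize(url, session_viewer_id, now=None):
    """Edge-side check. Returns (HTTP status, reason); anything unproven is refused."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        viewer = params["viewer"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        # A bare path, however hard to guess, carries no proof of authorisation.
        return 403, "access denied: unsigned request"
    expected = _mac(parsed.path, viewer, expires)
    # Constant-time comparison so the signature cannot be recovered byte by byte.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403, "access denied: bad signature"
    if (time.time() if now is None else now) > expires:
        return 403, "access denied: link expired"
    if session_viewer_id != viewer:
        # A link copied out of one account does not work from another.
        return 403, "access denied: link issued to another user"
    return 200, "ok"
```

With a check like this, the explicit refusal puts the requester on notice and the photo's privacy no longer depends on the URL staying unknown.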
Law enforcement officials are debating whether s380 of the Crimes Act applies, which appears to require the impairment of access by legitimate users. Being engaged in unauthorised modification of data is an important distinction, as even if the conduct involves impairment, the section seems to be targeted at intent to cause impairment through alteration. It would be hard for a person to do this accidentally through HTML service modification, which is a one-way thing.
The only thing that differentiates what a user would do and what was done here is that a program was involved over a fairly extended period of seven days, which is more akin to a DoS attack.