Sunday 1 August 2010

IT Team Confirms Facebook "Leak" Not Much of a Story

Facebook has put a lot of people on edge about privacy in recent months, and while some of it may be legitimate concern, a lot of the discussion is simply getting blown out of proportion.


You've probably read about the infamous "leaked" list of user names that a security researcher shared in a torrent this week. A bunch of companies have reportedly been downloading the info, leading to some unnecessary paranoia. Our own IT department took a look at that torrent, and there's really nothing to get freaked out about. It just contains data that's already public (170,879,858 URLs by our count), as the "leaker" Ron Bowes told BBC News.

The biggest file is called facebook-urls.txt. The top of the file looks like this (with "xxxxx" representing the unique number associated with the accounts):



http://en-us.facebook.com/people/-/xxxxxxx

http://en-us.facebook.com/people/-/xxxxxxxx

http://en-us.facebook.com/people/-/xxxxxxx

http://en-us.facebook.com/people/-/xxxxxxxxx

http://en-us.facebook.com/people/-/xxxxxxxxxx

Eventually, once you get past the dashes, they start looking like this (where the "xxxx" represents people's names):

http://en-us.facebook.com/people/A-xxx-xxx-xxx/100001172054083

http://en-us.facebook.com/people/A-xxxxxx-xxxxxxxx/100000816806409

http://en-us.facebook.com/people/A-xxxxxx-xxxxxxxxxxxxxxx-xxx-xxxxxx/643427473

"So you could figure out somebody's name from the profile URL, but that's really about it," our IT manager says. "Anything else, you'd have to actually go to the URL and crawl it."

And of course, these people are already in the Facebook Directory anyway, as Bowes noted. There's no other information.

From the README file included in the torrent, here is the list of all the files:

Filename                        Description
-------------------------------------------------------------------------
facebook.rb                     The script used to generate these files (v1)
facebook.nse                    The script that will be used for the second pass (v2)
facebook-urls                   The full URLs to every profile
facebook-names-original         All names, including duplicates
facebook-names-unique           All names, no duplicates
facebook-names-withcount        All names, no duplicates but with a count
facebook-firstnames-withcount   All first names (with count)
facebook-lastnames-withcount    All last names (with count)
facebook-f.last-withcount       All first initial last name (with count)
facebook-first.l-withcount      All first name last initial (with count)

Bowes said that collecting the data was in no way irresponsible and likened it to a telephone directory. On top of that, there isn't any info to tell people with the same name apart from one another.
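To make concrete what one line of facebook-urls.txt yields and how name tallies like the README's "withcount" files can be derived from it, here is an added example in Ruby. It is not the facebook.rb script from the torrent; the sample lines are constructed, and treating hyphens as name separators with the first and last parts as first and last name is an assumption.

```ruby
require 'uri'

# Constructed sample lines in the format shown in the article; names and IDs are made up.
SAMPLE_LINES = [
  "http://en-us.facebook.com/people/-/1000001",
  "http://en-us.facebook.com/people/Alice-Example/1000002",
  "http://en-us.facebook.com/people/Alice-Example/1000003",
  "http://en-us.facebook.com/people/Bob-Van-Sample/1000004",
  "http://example.com/not-a-profile",
  ""
].freeze

# Returns { name:, id: } for a /people/<name>/<id> URL, or nil if the line has
# another shape. name is nil for the "-" placeholder entries at the top of the file.
def parse_profile_url(line)
  uri = URI.parse(line.strip)
  host = uri.host.to_s
  return nil unless uri.is_a?(URI::HTTP)
  return nil unless host == "facebook.com" || host.end_with?(".facebook.com")
  m = %r{\A/people/([^/]+)/(\d+)\z}.match(uri.path)
  return nil unless m
  # Assumption: name parts are joined by hyphens, as the article's samples suggest.
  name = URI.decode_www_form_component(m[1]).split("-").reject(&:empty?).join(" ")
  { name: (name.empty? ? nil : name), id: m[2] }
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Tallies names in the spirit of the README's *-withcount files. Placeholder
# and malformed lines are counted, not silently dropped.
def summarize(lines)
  out = { names: Hash.new(0), first: Hash.new(0), last: Hash.new(0), unnamed: 0, rejected: 0 }
  lines.each do |line|
    rec = parse_profile_url(line)
    if rec.nil?
      out[:rejected] += 1
    elsif rec[:name].nil?
      out[:unnamed] += 1
    else
      parts = rec[:name].split(" ")
      out[:names][rec[:name]] += 1
      out[:first][parts.first] += 1
      out[:last][parts.last] += 1
    end
  end
  out
end

p summarize(SAMPLE_LINES) if __FILE__ == $PROGRAM_NAME
```

The parsed record has exactly two fields, a name and a numeric ID, and once the ID is dropped in the tallies the two "Alice Example" entries collapse into a single name with a count of 2.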

Facebook has also confirmed that the info in the list was already freely available online, and that "no private data is available or has been compromised."

This article from the Telegraph claims that the torrent contains info like profile pictures, lists of friends, etc. Our team says that's not true and that you'd have to re-crawl the profile URL in order to get that data.

The bottom line is that the info in the torrent is public info, just like any other personal info published on the web that's out there for Google, Yahoo, Bing, or any other crawler to index. Essentially, all that's really in the torrent is a big list of URLs. Whoa!

The companies downloading the torrent, for whatever purposes they have in mind, would probably be better served to just look at the directory. Facebook has a lot more users than 170,879,858.
