Facebook is suing a Canadian company and 17 individuals for using bots to harvest members' personal data. In a lawsuit amended in California this month, Facebook alleges that Istra Holdings and others used programs to access Facebook's computers 200,000 times in a two-week period in June.
"Each of these requests sought to direct Facebook's computers to send information on other Facebook users back to (the defendant's Internet) address," the complaint alleges.
Facebook said the defendants were making "unauthorized attempts to access and harvest proprietary information" and that "the defendants knowingly and without permission took, copied, or made use of data from Facebook's proprietary computers and computer network."
Safety vs. Connection
The complaint, originally filed in June, was amended this month after Facebook identified the alleged perpetrators. Facebook is requesting a jury trial in the case and is seeking damages and an injunction against the defendants. Istra Holdings owns a popular site called SlickCash, which pays Web sites for referring users to its portfolio of porn sites.
The case raises questions about the consolidation of so much personal data in the hands of a few social-networking providers like Facebook, MySpace, and LinkedIn. While individuals and business users find great benefits in being connected to others and in providing the information to allow others to find them, this also means people are exposing more personal details than ever before -- exactly at the time when spammers, hackers, and criminals are abusing such information.
It's not even clear that the defendants in this case did anything wrong, said Andrew Storms, director of security operations for nCircle Network Security. "Did the porn site break the information security barriers of Facebook or did they just act like a normal user but in a quicker, automated fashion?" he asked. "If Istra Holdings had broken the law, then why aren't police authorities knocking down doors instead of Facebook filing a lawsuit?"
Acceptable Use Violations
Storms said he'd "put money on a bet that this automated data capturing happens more often than is reported." The only thing blocking an average user who "friends a ton of people," collects their data, and resells it is Facebook's "acceptable use policy," he said.
The publicity around this lawsuit shows that Facebook "may have a problem dealing with people spidering their data," Storms said. It's not the first time Facebook has used legal action against companies spidering their data. Earlier this year, Facebook successfully sued ConnectU for "harvesting user information," Eric Goldman, director of the cyberlaw program at Santa Clara University Law School, said in an e-mail.
"This is a classic clash between data security and productivity," Storms said. "The more data security tools are implemented, the fewer value-adds Facebook can offer," Storms said. The situation should remind users about the risks they take when they use those services, he added.
"Users should always think twice about what data they choose to share with
any Web site. Be aware that while you may believe you maintain control of that data, the fact is you really don't," he concluded. "You as an individual need to understand the risk-reward equation and decide for yourself if the information you choose to share is worth the potential reward in light of the risk taken."