This story was updated to provide a link to the Imperva report after it was released.
Facebook frequently takes flak for privacy invasions, but the next controversial byproduct of the social network may be cyber espionage, according to security researchers.
Status updates on Facebook posted by friends and family of government officials or the officials' own unencrypted Facebook activities can be used to gather intelligence such as U.S. troop movements, says Rob Rachwald, security strategy director for cybersecurity firm Imperva.
While data brokers profit by collating social communications for advertisers, spies and hackers on government payrolls can profit by parsing the same information. And there's a lot of it. In 2011, Max Schrems, a Vienna law student interested in the dossier Facebook's computers kept on him, filed a request for his social media records under European data protection regulations. He claims to have received a 1,222-page file of deleted messages, removed "friends" and other current and former data.
An Imperva report released on Tuesday explains hackers can analyze these records, including connections between "friended" business partners and colleagues, to map out the hierarchy of different organizations. "The organizational structure can be used for corporate espionage, foreign-government and even military intelligence," states a draft reviewed by Nextgov.
"The worst case scenario is you get admin rights to Gmail," by piecing together public or hacked intelligence from Facebook, Rachwald said in an interview. Last year, assailants apparently based in China actually did target the personal Gmail accounts of senior federal officials, according to Google.
Facebook spokesman Fred Wolens, who had not seen the report, said in response to Rachwald's concerns, "We designed Facebook to provide a safer and more trusted online environment by offering users industry leading tools to control access to their information so they can choose what they share and with whom they share it. We encourage people to exercise caution when connecting with others unknown to them online or otherwise."
He added that the company has many technical systems in place to prevent "scraping," or mining the site's data, and to restrict Web search services from crawling through non-public information.
Rachwald said individuals often post status updates that unwittingly reveal their geographic locations. "Geolocation data is altogether more valuable when cross-referencing it with the organizational structure. This can be very useful, say, to gain military intel on the location of the adversary's military units. In fact, last year an [Israel Defense Forces] operation was cancelled following a soldier's status update of the operation's time and location," the report states.
Government-sponsored hackers and spies may use tactics such as eavesdropping on a Facebook member's activities through unencrypted Wi-Fi connections, the paper states. Facebook uses a secure connection to read users' login credentials but all other information is sent back and forth in an unprotected format. Responding to this potential vulnerability, Facebook in January allowed users to opt into a setting that secures all Facebook activities. Imperva recommends users enable that option.
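The login-only encryption just described is what makes open Wi-Fi eavesdropping possible: the password is protected, but the session cookie issued afterwards rides on plain HTTP. As an added illustration that is not from the Imperva report or from Facebook, the following Python check reads constructed HTTP response headers and reports whether a session cookie would travel in cleartext (no Secure attribute) and whether HSTS keeps the browser on HTTPS at all; the cookie-name pattern used to spot session cookies is an assumption of the example.

```python
import re
from typing import Dict, List, Tuple

# Heuristic for cookie names that usually carry an authenticated session
# (an assumption of this example, not a list taken from the report).
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login|user", re.I)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response header block into (name, value) pairs,
    preserving repeated headers such as multiple Set-Cookie lines."""
    pairs = []
    for line in raw.splitlines()[1:]:          # first line is the status line
        if not line.strip():
            break                              # blank line ends the headers
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_session_exposure(raw: str) -> Dict[str, object]:
    """Report whether the session set by this response could be read by a
    passive listener on an open network.  A session cookie without the Secure
    attribute is attached to every plain http:// request; without HSTS the
    browser will keep making such requests for non-login pages."""
    headers = parse_headers(raw)
    hsts = any(n == "strict-transport-security" for n, _ in headers)
    cleartext_cookies = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if SESSION_NAME_HINT.search(cookie_name) and "secure" not in attrs:
            cleartext_cookies.append(cookie_name)
    return {"hsts": hsts,
            "cleartext_session_cookies": cleartext_cookies,
            "session_sniffable": bool(cleartext_cookies),
            "plain_http_allowed": not hsts}

# Constructed responses: HTTPS for login only (weak) versus HTTPS everywhere.
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
        "Content-Type: text/html\r\n\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session_exposure(resp))
```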
On the flip side, U.S. agencies can tap the same intelligence to ensnare spies and criminals, the report notes. Mentions of extreme weather in status updates have tipped off authorities to the locations of fugitives. And federal law enforcement officials need only a subpoena to obtain Facebook records on criminal suspects, according to the company's safety guidelines.