There’s a story going around today that a “white hat” (the good kind, sort of) hacker pulled data from 100 million Facebook profiles and posted them online. The hacker, a “security consultant” by the name of Ron Bowles, collected user IDs, names, URLs, and all kinds of other data from those profiles, and made it all available as one massive torrent file. Sounds bad, right? It isn’t.
The BBC, among others, is painting this as a terrifying hack of Facebook. But the thing is, all of the data that was snatched up by Bowles was publicly available. When you create a Facebook profile, you’re given tons of options as to what is available to the public at large–everything, nothing, or something in between. Many users choose the “nothing” option–and their data was not grabbed by Bowles. But data that was made or left public can be found by anyone. That’s what public means.
By default, some things, like your name, are public. That can be changed at any time, but if it’s not, anybody can find that information by searching in Google or any other search engine.
Bowles simply gathered information that can be found elsewhere, and bundled it into one torrent file. He says he was trying to highlight privacy issues, which might have been valid. Maybe some people weren’t aware you could find their names or Facebook profile by searching Google–people who have never Googled themselves, evidently, because they’d have noticed their profiles fairly high up in the search results. Yes, Facebook privacy settings can be confusing (though not as confusing as they used to be), but Facebook is taking steps to change that, and it’s really not that hard to understand.
There are alarmists, like “privacy watchdog” Simon Davies, who was interviewed by the BBC and who would like you to think this is an “attack,” or that it reveals some flaw in Facebook’s security. “Facebook should have anticipated this attack and put measures in place to prevent it,” says Davies. Well, no, because it’s not an attack, and the whole idea of making something public is that it should be able to be found publicly.
For those worried about a hacker stealing their data–don’t be. There was no hack, there is no security risk. If you want your information to be private, make it private. But if it’s public, people can and will find it. That’s not a flaw. That’s a choice.