Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”
A few weeks ago we did a show about how Facebook creates shadow accounts for people who aren’t on Facebook. So even if you’ve been staying clear of it to protect your privacy, you’re not really able to. If enough people around you are on Facebook, it starts to collect information about you.
It turns out the Facebook privacy problem is even worse than we thought. For people on the network, there’s a similar issue. If you’ve been avoiding the apps, whether it’s Farmville or the Huffington Post, because the apps want access to all of your information, it turns out that staying clear of them isn’t enough.
If your friends have signed up for them, the apps not only compromise your friends’ privacy but yours as well. And because you have no control over how your friends use their accounts, you have no real control over your own. For example, here are the terms of service for the Huffington Post: “By clicking ‘Visit website’ above, this app will receive: your basic info, your profile info, description, birthday, interests and likes. This app may post on your behalf, including articles you read and more.”
To prove how serious the privacy problem is, at a recent hackathon sponsored by the website TechCrunch, a software developer by the name of Oliver Yeh built and demoed an app that should scare the dickens out of just about any Facebook user. It’s called Stalkbook, and as the name suggests, it facilitates stalking.
Oliver Yeh: Thank you very much.
Steven Cherry: You haven’t released Stalkbook, but you’ve got an online demo of the principle behind it: It shows how an app could let people see the photos of people they’re not friends with even if the photos are supposed to be seen only by friends. So that’s a milder form of the stalking you found to be possible. Tell us how the photo version works and how much worse it could have been.
Oliver Yeh: So, the photo version works by whenever a person signs on to the application; not only does he reveal his or her own information but he also compromises all of his or her friends’ information too. So for example, if I sign on to the site, then my friend Trevor would also be signed on to the site because I’m friends with Trevor. And because with my credentials, I can see Trevor’s information. Now, everyone on the Internet can also see Trevor’s information by using my credentials. And as more people sign up to Stalkbook, you get this network effect, in which you only need perhaps 10 percent of Facebook to join to compromise 80 to 90 percent of Facebook.
Steven Cherry: So, what exactly is Stalkbook doing? How does it use my credentials to get access to my friends’ profiles?
Oliver Yeh: So, with Facebook API—which is software that Facebook developed so that third-party developers can access Facebook’s information—so with this API, I can have access to my friend Trevor’s information. And what Stalkbook does is it goes through all of a user’s information and all of the friends of the user’s information and stores a cache copy on the website, so that when somebody else visits Stalkbook, they now have access to a cache version of Facebook’s data, even though they don’t have permission to access Trevor’s information.
Steven Cherry: So, you’re not going to take Stalkbook live, I guess; it’s just too creepy. And I guess you might get sued, even if it’s legal. So you created a spin-off; it’s called Statsbook. What does it do?
Oliver Yeh: So, Statsbook is an application in which people sign on to it, and they can get cool and interesting analytics about their Facebook data. So for example, right now I have three main features. The first one is a world location of all your friends. So you’ll see a map, and you’ll see where all your friends are located. And when you hover over each spot on the map, you can see, like, “Oh, I didn’t know I had a friend in Anchorage in Alaska,” and you hover over it, and it’s, like, “Oh, my friend Jenna who works at Schlumberger works there.” So it’s a cool way to visualize your friends’ locations. And my second feature is “friend strength.” So basically, it visualizes the amount of interactions your friends have with each other. You can see how your friends are clustered: These are my college friends, and these are my high school friends, and these are my friends and family. And you can see your college friends mostly interact with each other, and you can see a strong clustering of your friends by their interactions with each other. When my friend Trevor posts on my friend Jenna’s Wall, then the friendship strength increases for both of them, and afterwards the result you get is a giant matrix of all of your friends and how they’re related to each other. The lighter the particular square, it means that the less interactions they have; and the darker the square, it means they have a lot of interactions with each other.
Steven Cherry: So, I’d be able to see the shocking number of messages that go between, say, my mother and some old girlfriend of mine.
Oliver Yeh: So, I don’t want to access private messages because again it’s getting into the privacy aspect. I just only access the public posts and the comments and the likes. The third feature is “friends activate over time.” So basically, I collect all the post information—your likes, your photo tags, and your status updates—and I try to graph or relate your Facebook activity over time. So what I found with my demo was that you can see every year a spike, and it’s at the same time every year, and that’s from people’s birthdays. Because when it’s someone’s birthday, everyone posts on their Wall. And also you can see when most of your friends joined Facebook, because before they joined Facebook it’s flat, and then they slowly start using Facebook and then they get more friends, and the activity creeps up. And you can also see how people’s activities change over time, like for example, I’m seeing for some of my friends that after they graduated from college, their Facebook activity drops off to a much lower level. And I have no idea why that is, but it’s very interesting to see how each of your friends is using Facebook and how that compares to all of your other friends.
Steven Cherry: So in the real world, before the Internet there were things that were sort of public but in practice limited to our work colleagues or our family or some other limited circle. And then there were some things that were truly public: a birth, a wedding, an award. I guess what’s new is that that middle ground doesn’t really exist any more, right?
Oliver Yeh: Yeah. Basically, whatever you post on Facebook, you should just assume that the public can see it, because even though Facebook tries to put in protections and permissions and privacy controls, there’s really no way to guarantee that only your friends can see your data. Like even if your friend is just sitting in the dorm room and somebody else crosses the computer, then he has access to your information.
Steven Cherry: And to take your example of the friend in Alaska, that might not be information that they wanted public or thought was public.
Oliver Yeh: Yes. So with Statsbook, I’m limiting it so that only you can see your friends’ information instead of being available to everyone else.
Steven Cherry: But an evil version of Oliver could set that app up so that the whole world sees it.
Oliver Yeh: Yeah. Yes. I was thinking about having public profiles where you can see, like, “Hey, this is my friend location graph; hey, this is my friend activity graph.” But I have to see how people react to it—if they’re okay with their information being posted.
Steven Cherry: So, you have a pretty interesting background, Oliver. Back in MIT, you made some headlines with a $150 weather balloon. Can you tell us a little bit about it?
Oliver Yeh: Yeah. So, in college I wanted to see how different buildings looked from different angles, and most of the time you’re restricted by where you are physically; you can’t get up 10 to 20 feet in the air to look at a building unless you’re at a neighboring building. So I decided to use a balloon and attach a small camera to it, and I would float it up and attach a kite string to it and take some pictures. And then I would reel it back in and see what kind of pictures turned up. And there were some extraordinary pictures, and I wanted to go higher afterwards, so I was thinking, like, “How high can I go?” So, I started ordering weather balloons, and I attached bigger cameras with better quality to it, and I attached a GPS receiver to it so I could keep track of the location. So in the fall of 2009 I let one of those balloons go, and it went up 95,000 feet and came up with some great pictures. I recovered it about 30 miles away from where I’d launched it, and it was a very exciting weekend project.
Steven Cherry: Other than finding unusual views of something—in the one case, buildings and so forth, and in the other, Facebook—is there any connection between these two hacks?
Oliver Yeh: I wouldn’t say there’s something that, like, triggered both. I am just always in search of cool and new interesting projects to spend my weekends on. And those are just the two projects that I selected in those weekends.
Steven Cherry: So tell us about the start-up you’re involved in.
Oliver Yeh: So, basically I’m working at a start-up called Appboy, which is a customer relationship management platform for iPhone developers. So, that’s, like, a mouthful, but basically we help iPhone developers manage and attract users on their application, and we provide insight into their users so they can better develop a product. We allow users of a particular app to be able to leave feedback within the app because right now with the iTunes store, it’s a one-way communication. A user leaves feedback—maybe positive, maybe negative—on an application, and the app developer has no way of telling him, like, “Thank you so much for the compliment” or “I’m sorry the app didn’t work out for you; this is a fix that I would suggest you to do.” It’s just, like, a very one-way communication, and app developers are sometimes at a loss because they really want to help someone out but they have no way of reaching the person because there’s no way to reply back to a feedback. And what we’re trying to do is facilitate that process so an app developer can receive feedback and also be able to respond back to it. And they can respond to, like, feature suggestions and have useful dialogue with a particular user about where the product direction should go.
Steven Cherry: So, this is a problem basically created by the fact that Apple is in the middle of the process, right?
Oliver Yeh: Yes.
Steven Cherry: People put their apps in the app store, and everybody is sort of dealing with Apple instead of one another.
Oliver Yeh: Yes.
Steven Cherry: Well, Oliver, I guess we can be glad that you’ve turned your talents toward good and not evil, and I wish you luck with it.
Oliver Yeh: Thank you very much.
Steven Cherry: We’ve been speaking with Oliver Yeh about how we have even less privacy on Facebook than we thought—this time, through the apps our friends sign up for.
For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.
Announcer: “Techwise Conversations” is sponsored by National Instruments.
This interview was recorded 12 July 2012.
Segment producer: Celia Gorman; audio engineer: Francesco Ferorelli
NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum’s audio programming is the audio version.