Go ahead. Have a good laugh. I certainly did, after I first
learned about Facebook's plan to partner with security provider McAfee to boost
end-user security on the often-attacked social media platform.
Under the terms of the deal, Facebook's 350 million (and
growing) users will get a free six-month subscription to McAfee's Internet
Security Suite, after which they'll be eligible for ongoing discounts. The
partnership also means McAfee is now Facebook's exclusive consumer security
software provider for the next year -- something which will doubtless come in
handy whenever a Facebook user's account gets hacked. If this all-too-common
event happens to you, you'll be locked out of Facebook entirely until a McAfee
tool scans your computer and declares it free of malware.
Is it too catty to say this is too little, too late? Is it
also less-than-kind to say Facebook's attempts to boost end-user security would
be better focused on finalizing (and sticking with) a privacy policy that
doesn't confuse and anger the majority of folks who take the time to learn
about it?
When behaviors trump solutions
Is it similarly mean-spirited of me when I conclude this
will have as much impact on end-user security as "Don't Drink and
Drive" messages have had on the average drunk driver? We can implement all
the DUI laws we want, after all, and we can install breathalysers on anything
that moves, but we'll still be cleaning up alcohol-fuelled wrecks and putting
up roadside memorials to their victims.
No technology in the world will save people from themselves,
and that truth is the one thing Facebook doesn't seem to get.
[Image: Carmi Levy: Wide Angle Zoom]
That doesn't mean that
Facebook won't try to toss more technology at the malware issue. The geek's
solution to a problem, after all, is to always buy another box or install
another layer of code. Yet the reality that Facebook currently faces is
infinitely too complex for a mere tool, rooted much more in who we are and what
we do rather than what we buy. It should be obvious to just about everyone
(except somehow, perhaps by virtue of its size, Facebook) that end users refuse
to self-educate on best practices for online security. But there's a deeper
cause here that may be a little harder for Facebook to swallow because to do so
might require the company to admit it's (gasp!) deficient in some way -- that
it simply isn't structured to meet the security challenge head-on.
Privacy = security (T | F)
Those deficiencies have played out in stark relief in recent
months. After a Canadian public policy group complained about Facebook's
porous-as-Swiss-cheese privacy policies, Canadian Privacy Commissioner Jennifer
Stoddart launched an investigation. Her findings were released in July 2009.
Assistant Commissioner Elizabeth Denham and other officials in her Office,
including Colin McKay, Director of Research, Education and Outreach, met with
Facebook's leaders, hovering over the shoulders of the company's developers as
they supposedly improved their privacy infrastructure. After several months of
this, late last year, Facebook rolled out its new global policy.
Declaring this new policy a dud is all too easy, like
kicking your younger brother after you've already immobilized him with the big
pillow from the sofa. Instead of making it simpler for users to manage the list
of individuals and companies and faceless entities that have access to their
personal information, Facebook made it simpler for users to realize that
everything was open by default. Accounts that had been shut tight became
free-flowing spigots of data, some of it confidential. Users suddenly found
their formerly "private" data being broadcast to any stranger with
the wherewithal to look at their profile page -- or worse, to people who weren't
even registered Facebook users. (Or people who weren't even people.) Walls
around the world lit up with complaints from users desperately trying to reset
their settings before their parents found out about their new tattoos or secret
girl/boyfriends.
So what does Facebook's privacy competency have to do with
its effectiveness in ensuring a secure environment for its users? Everything,
because privacy is little more than a personal application of security. And
unfortunately Facebook's track record in privacy isn't stellar. Even with the
prodding of a major government agency, Facebook hasn't been able to make
privacy work, either to its advantage or that of its users. Yet we're now
supposed to trust that the company's newfound friendship with McAfee will make
it easy for users to trust that it can keep the baddies at bay.
Um, not so much. First, we're fooling ourselves if we think
some fancy new Web-integrated security tools will magically fix things. To
borrow Sarah Palin's metaphor, it's like putting lipstick on a pig -- and in
this case, the pig has a little leakage problem on the other end. From badly
designed third-party applications that compromise the security of unaware users
to poorly designed administrative interfaces that intimidate even advanced
users, the Facebook platform itself is a nightmare of security. Couple that
with an organizational culture that has raised inciting mass-scale privacy
revolts to a high art, and you have the basis for a perfect storm of security
nastiness.
Towards an insecure future
Over the next few weeks, countless Facebook users will gain
access to these new features. Emboldened by their newfound security, they'll
doubtless continue to click on hinky come-ons and sign away their first-borns'
confidential data in exchange for Farmville credits, Mafia Wars weapons, and a
lifetime supply of astrology predictions.
Facebook would like us to believe that its deal with McAfee
protects us from the countless stranger/malcontents who want to attack us from
the outside. The company fails to realize -- or maybe it does and simply won't
admit it -- that the real threat comes from the legions of end users who simply
won't take the time to learn even the basics of online security.
More ominously, Facebook fails to realize -- or admit --
that its own inadequate organizational structure and technology architecture
will continue to put those same legions of ignorant users at risk long after
they install their new toys from McAfee and dive into another round of
Farmville. It's that false sense of security that scares me most, and provides
the first glimpse of the ingredients for an eventual flattening out of the
Facebook growth curve.