Facebook's phishing clean-up: A tad heavy-handed?
In poker, you never touch anyone else's cards. Why? Because they're not your cards. Likewise, when you sit down at a restaurant and there's a tip on the table from the previous patron, you don't touch it. Simple reason: It's not your money.
I had a similar reaction this morning when Facebook reached its fingers into my inbox and deleted two messages without asking me. Granted, they were both phishing messages -- malicious spam, essentially -- from today's attack. For many unsuspecting people, the mere presence of these messages would constitute a security threat, so Facebook's eradicate-first-ask-questions-last approach is understandable. Nuke the virus before it causes more damage. But still, those messages had already been in my mailbox for hours. I had opened and examined them. They were my mail.
It's true that I had a professional interest in retaining copies of the messages, since I'd written about them earlier. And it's also true that most people probably wouldn't mind having toxic spam removed without their permission. Who would want to keep it?
Still, it's the principle. Facebook has made a policy of deleting e-mail it deems malicious, even after I've received, opened and read it. They get to decide when it's appropriate to do that, not me. And while it's clear that they're taking these actions to protect users, they're also protecting themselves, which means there's a subjective element to this. And as is well known, people don't always agree with the decisions Facebook makes about content policing.
Hypothetical: What if I get suckered into a phishing scam and have my identity stolen? Do you think I'd want to have a copy of the original Facebook e-mail, including the text it contained and the time of receipt?
On the other hand, this rather blunt nuclear option also catches some innocent fish. I sent several messages to myself that contained the phrase "151.im" in various contexts, including this one:
This message and all the others that mentioned "151.im" were rejected by Facebook's mail system:
Again, no reason to fault Facebook for trying to protect its users. But I'm not sure mentioning the name of the bad site should drop the red hammer of doom on my messages, especially if they're warnings. If the same principle were applied to Twitter, none of the hundreds of messages warning about the spread of the virus would've gotten out.
The detection and prevention of spam and scams should ideally happen before the mail gets to users, not after. But if Facebook gets hit by another worm, maybe they can add a warning band (like the one above) to iffy messages or even move them to a spam folder like Gmail or Hotmail might. That way, instead of the evidence disappearing without a trace, users could learn what malicious e-mail looks like -- the better to avoid getting burned next time.
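To make the distinction the post is drawing concrete, here is an added example (not Facebook's code, and not from the author) of a small mail-filter policy. The blunt policy rejects any message that so much as mentions the bad domain, which is what swallowed the warning messages above. The alternative classifies messages by whether they actually link to the blocked domain (quarantine to a spam folder) or merely name it (deliver with a warning band), and in neither case is the original text deleted. The domain "151.im" is the one named in the post; the `BLOCKED_DOMAINS` set, the `Message` type, the banner wording and the sample messages are constructed for the example.

```python
"""Label-don't-delete mail policy for a known phishing domain (added example)."""
import re
from dataclasses import dataclass, replace

# "151.im" is the domain named in the post; the set itself is constructed here.
BLOCKED_DOMAINS = {"151.im"}

# A link is a host with a scheme or "www." prefix, or a bare host followed by a path.
# A bare "151.im" in running text is a mention, not a link.
LINK_RE = re.compile(
    r"(?:https?://|www\.)(?P<h1>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:/\S*)?"
    r"|(?<![a-z0-9.-])(?P<h2>[a-z0-9-]+(?:\.[a-z0-9-]+)+)/\S*",
    re.I,
)


@dataclass(frozen=True)
class Message:
    sender: str
    body: str
    folder: str = "inbox"   # where the message is filed; never "deleted"
    banner: str = ""        # warning band shown above the untouched body


def is_blocked_host(host: str) -> bool:
    """True for the blocked domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def linked_hosts(text: str) -> list[str]:
    """Hosts that appear as actual links, not as plain words."""
    return [(m.group("h1") or m.group("h2")) for m in LINK_RE.finditer(text)]


def mentions_blocked(text: str) -> bool:
    """Plain-text mention of a blocked domain, e.g. inside a warning to friends."""
    return any(
        re.search(r"(?<![a-z0-9.-])" + re.escape(d) + r"(?![a-z0-9-])", text, re.I)
        for d in BLOCKED_DOMAINS
    )


def blunt_reject(text: str) -> bool:
    """The keyword policy the post describes: any mention gets the message dropped."""
    return mentions_blocked(text)


def classify(text: str) -> str:
    """'quarantine' for a live link to a blocked host, 'warn' for a bare mention, else 'deliver'."""
    if any(is_blocked_host(h) for h in linked_hosts(text)):
        return "quarantine"
    if mentions_blocked(text):
        return "warn"
    return "deliver"


def apply_policy(msg: Message) -> Message:
    """Never delete: file linked phish under spam, banner bare mentions, keep the body intact."""
    verdict = classify(msg.body)
    if verdict == "quarantine":
        return replace(msg, folder="spam",
                       banner="WARNING: this message links to a known phishing site.")
    if verdict == "warn":
        return replace(msg, banner="NOTE: this message names a known phishing site "
                                   "but does not link to it.")
    return msg


if __name__ == "__main__":
    # Constructed sample inbox: one phish, one warning about the phish, one benign note.
    samples = [
        Message("attacker@example.invalid",
                "Your account is suspended. Verify at http://151.im/login now"),
        Message("friend@example.invalid",
                "Heads up: do not click anything pointing to 151.im, it is a phishing site"),
        Message("friend@example.invalid", "Lunch tomorrow?"),
    ]
    for m in samples:
        out = apply_policy(m)
        print(f"blunt_reject={blunt_reject(m.body)!s:5} "
              f"verdict={classify(m.body):10} folder={out.folder:5} banner={out.banner!r}")
```

Running the demo shows the warning message getting `blunt_reject=True` under the keyword policy while the label-and-file policy delivers it to the inbox with a banner; the phish lands in the spam folder with its body preserved as evidence, which is the point the post makes about keeping a copy of the original.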
-- David Sarno
This is deeply disturbing to me. I don't like the notion that anyone, and I do mean anyone, can decide what email I'm allowed to have. First Facebook informed us that they had the right to do whatever they wished with our personal info, and now they've helped themselves to our inboxes. What's next?
This is just one more result of so many people being unwilling to take responsibility for their own inboxes, choosing instead to blame ISPs, software creators, or anyone they could for spam, etc. Rather than taking the time to educate themselves, they have perpetuated this victimized, blame-game mindset, causing the Facebooks and Microsofts of the world to try to please the masses by doing for them what they should be doing for themselves. As a result, we are becoming, more and more, controlled and censored. Sadly, most of these people would probably never be willing to admit, or even attempt to consider the fact, that their demands for others to take full responsibility for their "security" is one of the core reasons all of our security and privacy is slowly eroding. Expectations of instant gratification, and attitudes of entitlement, are killing us all.
Posted by: Celeste | May 15, 2009 at 08:20 PM
It's the circularity and unhelpfulness of the Facebook "Help" pages that gets me. To get log-in help you must first log in. To get them to "revalidate" your login email you must have a valid login email. Phone Palo Alto, press 1 for Phone Support, and a robotic voice tells you there is no phone support and hangs up on you. They tell you you can press O for an operator, but then you are informed there is no operator. The "Support Team" is unsupportive. This is the worldwide corporation that has trademarked "friend" as a verb. They seem unfriendly. Don't get me wrong, I love Facebook, but right now I feel sorry for them. They appear to be overwhelmed.
Posted by: Eric Hanson | May 17, 2009 at 08:55 AM
Facebook has completely lost control, and yes, they are heavy-handed. My friend's account was disabled on Memorial Day, and he still has received no explanation why. He has (had?) more than 1,500 friends, so perhaps his account was hacked and used for spam? They will not tell him, nor reinstate his access.
They will indeed go the way of MySpace if this continues to grow.
Posted by: John | May 27, 2009 at 09:31 AM