
41% of Facebook Users Give Personal Data to Green Plastic Frog

By Scott M. Fulton, III, BetaNews

August 14, 2007, 2:27 PM

In a revealing test of where the true insecurities may lie in the realm of social online networking, security software company Sophos today revealed it set up a kind of sting operation on Facebook. It created a fake identity around a green plastic frog it named "Freddi Staur," and had Freddi invite 200 real Facebook users to be its friend.

"It's extremely alarming how easy it was to get users to accept Freddi," stated Sophos security analyst Ron O'Brien this morning. Of those Freddi invited, O'Brien reported, 87 responded positively, and 82 gave personal identification data to Freddi's account when asked.

Without any "hacking" whatsoever, the tub toy managed to acquire a treasure trove of personal data. About 73 people were willing to post their birthday, while others willingly included places of birth, employers' names and addresses, photographs of family and friends, work resumes, and in at least one instance, the user's mother's maiden name.

All this in response to a request from something who obviously had no real identity of its own (its name is actually an anagram for "ID Fraudster") and offered zero information -- real or imaginary -- about itself.

[Image caption: Would you give your personal data to this guy?]

The Sophos survey results come in the midst of a little storm of controversy that erupted after a misconfigured Web server inadvertently revealed significant portions of Facebook's source code to ordinary users, rather than the home page that they would normally expect.

That revelation prompted New Scientist technology editor Will Knight to post to his blog yesterday, "The reason the leak is concerning is that, by studying the leaked code, a canny computer hacker might be able to figure out some critical security vulnerabilities and thus gain access to tons of personal information."

As we know now, it doesn't actually take a "canny computer hacker" to do that, but instead -- to borrow a fitting phrase from patent law -- "a person with ordinary skill in the art."

Sophos released the survey results to publicize its latest set of best practices for using Facebook. It's not recommending that people (the real kind) stop using Facebook, but rather that they take heed of the security features it actually does offer, which will hopefully make both users' lives and Sophos' business somewhat easier.

One of Sophos' tips is this: "You can choose to make people 'limited friends' who only have access to a cut-down version of your profile if you wish. This can be useful if you have associates who you do not wish to give full friend status to, or feel uncomfortable sharing personal information with." For example, associates whom you suspect may not be organic.

Of course, this part of the discussion side-steps a broader, more curious problem illuminated by the Sophos survey: While it's doubtful that a man in a frog suit walking the city streets would be able to get 37 out of every 100 people wearing regular clothes to divulge their birthdays on command, that many people were willing to spill their life's data to a meaningless on-screen avatar, just for having asked so sweetly something on the order of, "Would you be my friend?"

This begs the question: If instead of a plastic frog, Sophos had chosen to use a real photograph of a non-celebrity and a non-anagram name, would more people have responded so willingly? Or fewer?


By sacaripasa

posted Aug 15, 2007 - 8:55 PM

Lesson to be learned here. Between employers checking out your frat parties and your personal info being sent around...DON'T USE SITES LIKE THIS. People are a way bit too liberal in sharing themselves on the internet and not having a more unrecognizable persona.

Score: 0

By Neoprimal

posted Aug 15, 2007 - 2:13 PM

People don't understand that Facebook is not = to myspace. Facebook potentially shares very personal information....information that you input, but still information that CAN be used incorrectly. The name and address aren't a big deal, as this stuff comes on your mail anyway. But detailed information, where you go/went to school, where you/have worked, your phone numbers, this is all information that thieves can use to their advantage.

As a rule of thumb, the people on your friends list on facebook had better REALLY be your friend and know your real name and phone number anyway ie: co-workers/school friends etc. So, don't accept requests from names you don't know first and foremost. Those names you do know, make sure you have some dialogue before you add them or accept requests, and a photo would be good also. Nothing beats the dialogue though, that's how you know the person on the other end is 'really' the person you know since most other stuff can be 'copied'.

Score: 0

By Meth

posted Aug 15, 2007 - 10:49 AM

This is stupid paranoid B.S. There is nothing wrong with giving out your name, birthday, employer's name and address, photographs of friends and family, and work resumes. If someone asked me in a bar what my birthday was I wouldn't consider it an invasion of privacy. Heck often in restaurants the staff sings to people on their birthday and maybe gives them a dessert or coupon or something... OOH NO THE RESTAURANT is advertising your birthday to the world!!!!

Don't ask my NAME, that's a VERY personal question... simply refer to me as "He who should not be named"! As for your resume people tend to pass those around to whoever will take them, they typically include your name, and the name and address of your current and former employers.

Now the idiot who gave out their mother's maiden name is the only real risky behavior here. But out of 200 invites if only "at least one" person gave out that information I don't think it's too bad.

Personally I keep my street address and phone numbers hidden (though I tend to give out my city, state, and zip info so you could find my phone number and address in a phone book if you're so inclined... OMFG... THE PHONE BOOK IS A HUGE PRIVACY ISSUE... it has names, addresses and phone numbers in it... it's the END OF THE WORLD.

You people who think this is a big deal are a bunch of paranoid idiots in my book but hey don't worry about it, just crawl back in your vaults and hide from all the millions of big bad identity thieves who are after you. Oh and Sophos who performed the study I'm sure would be happy to sell you stuff to protect you from this HUGE threat. Stupid sheep.

Score: 0

By sacaripasa

posted Aug 15, 2007 - 8:57 PM

"There is nothing wrong with giving out your name, birthday, employer's name and address photographs of friends and family"
Except maybe the stalker ex!

Score: 0

By Scary Guy

edited Aug 15, 2007 - 10:14 AM

What makes this scary is companies no longer need to mine for your information, you're giving it to them freely. This problem also extends far beyond facebook as well.

Then again I'm completely plugged in. Apathy is a huge factor in this too I guess.

Score: 0

By ZenWarrior

posted Aug 15, 2007 - 5:53 PM

Actually, we have been giving it to them for years. We should have cried foul long ago. Instead, many of us have been conditioned to just hand it over.

For example, take that little "cents-off" plastic tab on your keyring which is used by grocery stores. As a college professor (marketing), I was screaming about people so freely giving up even that information years ago.

In fact, I could always make a point regarding privacy by having a student simply walk into the grocery store, demonstrate a "sincere" desire to be helpful to some stranger, show a set of keys that were "found," and ask for the information to return them to their owner.

Performing that exercise across many years, only once did a grocery store refuse to give the requesting student the requested and supposedly private information (i.e., owner's address, phone number).

Meanwhile, my dentist got a tad upset just a couple of days ago when I refused to give him my SSN, which he uses to file his patients' records. In other words, there's still a lot of educating the public yet to be done.

Score: 0

By ZenWarrior

posted Aug 15, 2007 - 8:03 AM

In other words, 41% of Facebook users are completely clueless dumb-asses.

Score: 0

By arossetti

posted Aug 15, 2007 - 8:59 AM

Actually, I'd wager that 41% is on the low side...

Score: 0

By GordieT

posted Aug 15, 2007 - 7:44 AM

People like this keep me employed.

Score: 0

By Cold Hand

posted Aug 15, 2007 - 4:46 AM

So? What's the big deal? I don't see the problem... People can get your name / age / sex? Wahou! Scares to death........ :-...

Score: 0

By meb

posted Aug 15, 2007 - 1:08 AM

And the 00's will be remembered for the so called 'social' networking experiment... so social it makes people stay in the bedrooms and talk to people instead of walking out their front door. :-P

Like the 'e-90s', I suspect come the '10s, social networking will appear nothing like it is now... and have grown up... E-commerce isn't a fad now and much more stable than the fly-by-nighters of the nineties.. let's hope the same happens with social networking.

Score: 0

By ahoier

edited Aug 14, 2007 - 3:50 PM

This is a twist.....I'm sure these people didn't directly come out and say, "my past employer was Proctor and Gamble, in New Hampshire"....

But due to the way Facebook's "privileges" are set up, you can input Addresses, businesses, employer information, etc....and then set security level of WHO can access that information.

This is part of the reason why you gotta be careful on these networks....If you are going to input your real street address into Facebook, and go about adding Bands, comic characters, and bath toys, who knows who may have access to those accounts...

That's part of the reason why I have inputted my address, set the security so only "Friends" can view it, and I only accept invitations who I've met previously.

Score: 0

By arossetti

posted Aug 14, 2007 - 8:20 PM

And this is further proof that there are tens of millions of folks who just shouldn't even have a computer, let alone access to the internet.

Yes, I've become an internet snob since taking on my new position as an IT Security and Compliance guru... Actually, I already was one, I just have an excuse now.

Score: 0

By JonathanD

posted Aug 14, 2007 - 6:29 PM

Hmmm to do list.

1. Buy plastic frog/locate picture of plastic frog online....
2. Set up fake facebook account.
3. Steal people's identities and blame it on plastic frog !!!
4. Profit !!!

Just kidding :)
hmmmm I wonder if a GI Joe action figure would have got more information...
I don't trust Barbie....

Score: 0

By PC_Tool

posted Aug 14, 2007 - 6:48 PM

I would have used a monkey. Everyone loves monkeys. :p

Score: 0

By Comit

posted Aug 14, 2007 - 7:06 PM

Or owls. Everyone loves poofy owls.

Score: 0

By mjm01010101

posted Aug 14, 2007 - 6:25 PM

Oh man I totally thought this was my ex girlfriend. My bad. yo, please don't give my soc security, member size, or OS of choice to the masses! PLEASE! I BEG YOU!

Score: 0

By horsecharles

posted Aug 14, 2007 - 3:44 PM

1 Suckah is born every minute....

Score: 0

By arossetti

posted Aug 14, 2007 - 8:17 PM

Just one?

Score: 0

By horsecharles

posted Aug 15, 2007 - 3:08 AM

How many?

Score: 0

By PC_Tool

posted Aug 14, 2007 - 3:24 PM

This begs the question:

Gahh!

*runs away*

Score: 0

By Tene

edited Aug 14, 2007 - 5:52 PM

If instead of a plastic frog, Sophos had chosen to use a real photograph of a non-celebrity and a non-anagram name, would more people have responded so willingly? Or fewer?

Evidently, it follows that

If instead of a plastic frog, Sophos had chosen to use a real photograph of a non-celebrity and a non-anagram name, would more people have responded so willingly? Or fewer?

Since, after all

If instead of a plastic frog, Sophos had chosen to use a real photograph of a non-celebrity and a non-anagram name, would more people have responded so willingly? Or fewer?

It requires no thought whatsoever.

Score: 0

By PC_Tool

posted Aug 14, 2007 - 6:47 PM

Bzzzt.

The "Or Fewer" kills it.

It should have been "raises the question".

*runs away again*

Sorry. Pet peeve. Seem to have a lot of them lately.

Not really a biggie, it's become pretty standard to interchange the two, so I guess language just evolved. Even if it's in a direction I dislike.

/me tilting at windmills.

Score: 0

By Tene

posted Aug 14, 2007 - 8:12 PM

You do realise I was being quite ironic.

I am familiar with what begging the question means. ;)

Score: 0

By PC_Tool

posted Aug 15, 2007 - 9:02 AM

Wasn't sure. Missed the /sarcasm tag. It was an "interesting" night...

Score: 0

By Second Shadow

posted Aug 14, 2007 - 7:46 PM

Mind if I root for the windmills ...? :P

Score: 0

By xyzcb1

posted Aug 14, 2007 - 3:17 PM

I honestly don't understand why these people give out personal information. My real friends know my information. Those who don't know my information, I don't care about them.

Score: 0

By gcluley

edited Aug 14, 2007 - 2:52 PM

Hey Scott. Interesting point you make at the end there. When we were setting up the experiment we did actually consider using the picture of an attractive woman (we thought most guys wouldn't be able to resist!), but then thought it would be more interesting to use something utterly inanimate who no-one could claim was really a friend -- and who clearly had a nonsensical name.

My guess is that people with real malicious intentions would set up their fake id to appeal most to their intended target victim.

By the way, one particularly alarming thing about the way Facebook works is how, by default, it will share your profile details with people in the same networks. The London network, for example, has over 800,000 members... which means the majority of them are - perhaps unknowingly - sharing private data with 799,999 others.

I would recommend people read our best practise tips on the Sophos website, and apply more common sense about what information they feel comfortable posting online.

Regards, Graham Cluley, Sophos

Score: 2

By SMFulton3

posted Aug 14, 2007 - 5:29 PM

Hi, Graham!

Thanks for the comment. I hope you don't mind that I tried to see past the obvious conclusion of your survey and point to what I think is a deeper problem: There appears to be an innate need among the users that Facebook targets to be more open about oneself than one would rationally be. If you'd used a pretty face rather than a plastic frog, I think it might have been too easy for naysayers to jump to the wrong conclusion. The fact is, it's not sex appeal that compels people to reveal their vital data - it's another need entirely.

-SF3

Score: 0