Facebook's New Security Update Is Bad News


On Wednesday, Facebook unveiled new security measures to wide applause. ZDNet's Steven Vaughan-Nichols praised the social network for finally taking its security problems "seriously," while the Financial Times called the new measures a boon to "dissidents" in authoritarian countries not wanting their accounts hacked.

As Facebook explained, the new security layer aims to prevent hackers from accessing other people's accounts. When a suspicious user logs into your account, Facebook will ask them to identify your friends. If they can't, they'll get booted off.

So is everyone safer? While many were hailing this as a breakthrough, David Sarno at The Los Angeles Times wasn't so sanguine. He explains why:

Couldn't a hacker or intruder just Google all six names and hope that one of them would turn up a photo of the anonymous person in the security challenge? Not everyone has photos posted online these days, but almost everyone on Facebook does.

And for a company that has repeatedly said it is renewing its commitment to user privacy, isn't it a bit odd that Facebook is using personal information -- photos and names -- to quiz the very people whom you would least want to have that information? Do people want their photos shown to "hackers halfway across the world" -- with a multiple-choice list of names so short that it would be fairly easy to pair a name with the face, either by guessing or by Googling?

It seems hackers bent on guessing the right name could even make a few educated guesses based on the appearance of the person pictured, allowing them to, say, move a name such as "Ivan Lucuk" to the bottom of the guess list.

His concerns were lucid enough to merit an official response from Facebook. A spokesperson responded with the following message:

We only show this small number of tagged photos to which the account owner has access after the person has provided correct login credentials for the account. Stated differently, the person has to already know your email address and password to see them. If we didn't do any kind of security check, the person would log in and have access to a much wider set of information – and information that's more sensitive in nature.

Also, we only do it some of the time, typically when we can't verify the person's identity through some other means, such as by asking for an answer to a security question (in the case that the person hasn't provided one), or by sending a code via SMS (in the case that the person hasn't registered a phone number with Facebook).

For the whole response, see here. Does this settle the matter?

This article is from the archive of our partner The Wire.