NYU-Poly Researchers Find Weakness in Facebook’s Protections for Minors

Social media and our too-much-information online culture has brought new life to an old privacy vulnerability. The kind of privacy loophole I’m referring to has actually been around pre-Internet. This old idea is to use a few known and relatively unique personal attributes to match against other data, usually public in nature. One can with very high likelihood find your man or woman. It’s a technique not unheard of in detective work.

In the Internet epoch, these kinds of de-identification attacks have been receiving new scrutiny from regulatory agencies. In 2009, the FTC persuaded Netflix to not release an anonymized movie rating dataset for their well publicized algorithm contest. The regulators based their decision on an experiment performed by two University of Texas computer scientists who re-identified an older public dataset of Netflix movie rating–essentially long rows of 1-5 ratings–with no personal information.

The researchers succeeded: their algorithm found the complete Neflix movie ratings of several users by matching against public and self-identified movie ratings from the IMDb movie fan site.

With the publication of a new research paper, the stakes have become even higher.

Keith Ross, the Leonard J. Shustek Chair Professor in Computer Science at the Polytechnic Institute of NYU, along with colleagues Ratan Dey and Yuan Ding, were able to identify a high percentage of the student body of several US high schools using Facebook profiles. What turns this theoretical attack into a call for action is how easy it was to link under 18-year old Facebook users, whose public profiles are minimal and high school affiliations blocked, to a specific high school and graduating class.

(read more...)