Facebook Messages: The Security Fall-Out

Facebook Messages is the end of email, according to Mark Zuckerberg. Peter Judge thinks it’s going to have privacy issues.

Facebook Messages was the big story last week, but it turned out to be less – or perhaps more – than at first appeared.

Commentators confidently predicted a full-blown Webmail client, which would take on Google’s Gmail. Instead we got an extension of Facebook’s existing messaging system, giving Facebook users an external email address where others can contact them, and letting Facebook messages reach other email addresses and – by SMS – phone numbers.

The end of email?

There are limitations. There’s no subject line, maybe because it’s all about the conversation – or maybe because there are no subject lines in chat systems such as Facebook, or in SMS messages.

And there have been security worries. These have been best set out in Sophos’ FAQ on the subject, but could probably be summed up by saying “We’ve always been sceptical of Facebook’s privacy stance, do we really want to sign up our whole online life to it?”

There are, of course, plenty of people who already do that. Many teens prefer to speak to their friends through Facebook, because that is where their friends “are”, and they slip easily into Facebook chat.

For some people, who came late to “real” email, Facebook is email.

Sophos warns that a public email address from Facebook would be easy to deduce and therefore easy to target with spam, on top of all the spam that already circulates within Facebook itself. “The new features do increase the attack surface of the Facebook platform,” says Sophos.

The service is supposed to filter these, as well as anything not from existing friends, into a folder marked “Other”, so from some directions it looks a lot like an email “whitelisting” service, in which your Facebook friends assume the role of your whitelist.

Walled garden

The system could also pose a bigger risk, particularly for naive people who buy into it too enthusiastically – the difficulty of the exit strategy.

All too many people circulate the addresses provided by ISPs or other services (even including Gmail), creating a big barrier to moving away from that service in future.

In Facebook Messages, the risk is even greater, because Facebook does the sharing for you.

Facebook creates an enticing walled garden, which is in some ways reminiscent of the walled gardens that services like Compuserve and AOL tried to construct amid the first wave of email awareness in the 1990s.

Their efforts ultimately failed, because users preferred the big world provided by the “real” Internet.

This time round, with 500 million keen users, there is a risk that Facebook could succeed in creating an attractive enough world to make that a reality. Tim Berners-Lee has warned against this in a Scientific American article, and we think that the threat could be real.