Facebook: About as dangerous as Solitaire

Security vendors' claims about the dangers posed by social networking website Facebook are overblown at best, alarmist at worst, argues Patrick Gray.

"War is too important to be left to politicians. They have neither the time, the training, nor the inclination for strategic thought. I can no longer sit back and allow Communist infiltration, Communist indoctrination, Communist subversion and the international Communist conspiracy to sap and impurify all of our precious bodily fluids," -- General Jack D. Ripper, Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb.

If Jack D. Ripper were around today, he'd have almost certainly launched a nuclear strike on Facebook's data centres by now. For, you see, Facebook... is... pure evil. According to SurfControl, Facebook now accounts for productivity losses of $5 billion to the Australian economy. "According to SurfControl figures, if just one employee spent an hour a day on Facebook, it could cost their business AU$6,200 a year," AAP reported. "With 800,000 businesses in Australia, these figures translate to AU$5 billion a year."

The piece goes on to quote the company's mouthpiece Dr. Richard Cullen. Funny, isn't it, that a business that makes software designed to restrict what people can access online would suggest certain Web-sites are responsible for productivity losses. It's so counterintuitive.

Then came the bandwagon-hopping by Sophos. After SurfControl's big press hit with the productivity story, the company's research team coincidentally found 50 percent of employers are blocking access to the social networking site altogether. Sophos even suggests Facebook could pose a security risk because some profiles contain details that could be used in conjunction with other stolen corporate information in an attack. It seems a stretch.

Sophos, by the way, will sell you a solution which can block employee access to Facebook. You know, like 50 percent of companies are doing already.

If employees are willfully disclosing corporate information on their Facebook profiles, surely that's a staff training issue, not "smoking gun" proof of Facebook's contribution to the downfall of corporate security. Don't forget this claim has been made about iPods (pod slurping), e-mails (the smuggling of corporate data; this one works with USB drives too), blogs (accidental or willful disclosure) and everything else to hit the Intertubes in the last 10 years.

As for a direct risk to the corporate network, Facebook is no more dangerous than any other Web-site. It's true that profile information is valuable to ID thieves, and Facebook users who choose to publish their full birthday certainly shouldn't (thank God there's no field for "mother's maiden name"), but all in all, Facebook poses a threat to its users, not their employers.

As for SurfControl, Cullen's analysis is deeply flawed: employees of the world -- myself included -- always find a way to slack off. The technology merely provides the workers of the world with more slacking off options.

When it first came along, e-mail was regarded as counter-productive. Why would you give your employees unfettered access to a technology which was obviously such a time waster? Writing "electronic letters" to their friends hardly seemed a good use of company time.

Eventually, sanity prevailed and e-mail is, well, everywhere. It's not always used for work purposes, but everyone has it.

Then along came instant messenger. It's a great way to slack off, but it also has legitimate business uses. Perhaps most useful for asking quick questions of co-workers or superiors, IM is slowly becoming accepted as a business tool. Again, it's not always used for work purposes, but it sure is handy.

People have been slacking off since work was invented. Before the Internet was a fun place to hang out for the average person, they'd actually play Solitaire for hours on end to avoid finishing their work.

Before Solitaire, they'd stare into middle distance, "zoning out" for periods of up to two hours. "Yeah, I just stare at my desk, but it looks like I'm working," says Peter Gibbons, the main character in the celebrated geek cult movie Office Space. "I do that for probably another hour after lunch, too. I'd say in a given week I probably only do about fifteen minutes of real, actual, work."

Cavemen probably learned to sleep with their eyes open when they were supposed to be guarding against attacks from wolf packs. So on, so forth.

The cut and thrust of my argument here is that people always find a way to slack off. To use a security term, Facebook is just one more laziness vector, but believe it or not, it's come in handy for me a couple of times in a professional capacity.

By changing my status to include the city I happen to be in at a given time, public relations professionals know which events and press conferences to invite me to. That is useful. And blocking sites employees love is a great way to make workers dislike their employer -- especially when said Web-site is a must-use Gen Y social tool affording the young folk the opportunity to express their ironically uniform individuality -- and that's a significant security risk.
