New Snowden Docs Highlight “Weaknesses” In Facebook Data Security

Journalist Glenn Greenwald released a bunch of new documents from “the Snowden archive” today to coincide with the publication of his book No Place To Hide. Those documents include a presentation from Britain’s Government Communications Headquarters (GCHQ) about obtaining user data from Facebook.

The presentation is titled, “Exploiting Facebook traffic in the passive environment to obtain specific information” and, according to the book, was given at the Five Eyes conference back in 2011. It describes social networks like Facebook as “a very rich source of information on targets,” including personal details, connections, and “patterns of life.”

The challenge, GCHQ says, is the fact that many profiles aren’t public, “but passive offers the opportunity to collect this information by exploiting inherent weaknesses in Facebook’s security model.” The slides then point to the way that Facebook worked with content delivery network Akamai to serve photos, which apparently left an opening for government eavesdroppers to obtain Facebook IDs and images, as you can see in the slide above and read about in more detail on page 82 of the PDF.

Again, the presentation dates back to 2011, and it’s not clear whether anyone ever actually followed the method outlined in the slides. (I’ve emailed Facebook and Akamai for comment and will update if I hear back.) Nonetheless, it seems noteworthy for the way it illustrates government interest in social networks and in circumventing those networks’ privacy safeguards.

In a recent presentation, Facebook chief security officer Joe Sullivan said Snowden’s revelations prompted the company to be more public about its security measures.

Update: A Facebook spokesperson sent me the following statement:

We don’t have any evidence of these allegations. The slides are dated several years ago, during which time our security technology improved in many important ways. We continue to believe that governments should be more transparent about the requests they make of companies like Facebook, and that they should use established legal channels.