Saturday, March 26, 2011

Hey AT&T customers: Your Facebook data went to China and S. Korea this morning…

From Barrett Lyons's Blog,

Quietly this morning customers of AT&T browsing Facebook did so by way of China then Korea. Typically AT&T customers’ data would have routed over the AT&T network directly to Facebook’s network provider but due to a routing mistake their private data went first to Chinanet then via Chinanet to SK Broadband in South Korea, then to Facebook. This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect Modus operandi.
This morning’s route to Facebook from AT&T:

route-server>show ip bgp 69.171.224.13 (Facebook's www IP address)
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934

The AS path (routing path) translates to this:

1. AT&T (AS7018)
2. Chinanet (Data in China AS4134)
3. SK Broadband (Data in South Korea AS9318)
4. Facebook (Data back to US 32934)

Current route to Facebook via AT&T:

route-server>sho ip bgp 69.171.224.0/20
BGP routing table entry for 69.171.224.0/20, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 3356 32934 32934, (received & used)

Translated: Your data goes from AT&T’s network to US based Level3 Communications to Facebook’s servers.

What could have happened with your data? Most likely absolutely nothing. Yet, China is well known for it’s harmful networking practices by limiting network functionality and spying on its users, and when your data is flowing over their network, your data could be treated as any Chineese citizens’. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc? One could only speculate, however it’s possible.

This brings up a lot of questions:


  • Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?
  • Should Facebook enable SSL on all accounts by default?
  • Was this actually a privacy breach or just the way the Internet functions?
  • Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?
  • Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?


This happens all the time — the Internet is just not a trusted network. Yet, I prefer to know that when I am on AT&T’s network, going to US located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies. I guess that’s why you should not use Facebook in “bareback” mode and use HTTPS (SSL) any time you can.

Food for thought.

13 comments:

Katharina said...

 Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?

Ideally Facebook should notify their users of such issues. However, we must understand that Facebook is a business and thus, does not want to risk losing any costumers. If Facebook informed its users that their data might have gotten into foreign hands, this would create an outrage among Facebook users and privacy advocates. Additionally, this could prompt users to stop using Facebook and discourage others from joining Facebook.

 Should Facebook enable SSL on all accounts by default?

Yes. Similar to Google which recently made HTTPS non-optional for all Gmail users, Facebook should enable SSL on all accounts by default.
Currently, Facebook users must manually select the option to use HTTPS. Many Facebook users are don’t understand Facebook’s privacy settings and are unaware how important it is to protect their online activities from tools like Firesheep and other packet sniffers. If SSL is enabled as a default, this will automatically secure all communications between browsers and Facebook Serves and thus, will help avoid further privacy breaches.

 Was this actually a privacy breach or just the way the Internet functions?

While this could be considered a privacy breach, it is important to understand that the internet is not a trusted network. Facebook users communications can be easily intercepted by anyone, not just Chinanet or AT&T. In addition, Facebook’s privacy policies underline the fact that Facebook cannot guarantee that user data is kept private. Hence, Facebook users should not assume that their data is secure.

 Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?

Ideally Facebook should buy additional IP connectivity to major broadband and mobile networks. However, the cost of implementing this probably outweighs Facebook’s concern for ethical responsibility.

 Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?

Finally, security options are avoided by Facebook mainly because, "Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS.” (see Alex Rice http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=229100364) Yet, if Facebook correctly implements the protocol, there should be only minor slowdowns for their users.
Clearly, Facebook can and should do more to strengthen its security settings. And Facebook should take into consideration that it will only continue to flourish and grow, if its users can trust their services and security policies.

Margot Dale said...

 Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?

Although I agree with Katharina's point, Facebook also, as a business, has a responsibility to its users. Facebook didn't notify their customers and thus, the customer's information was being spread all over the world. If they would have notified the customers as soon as they were aware of the problem, some of this information could have been salvaged. Its obvious now that people are aware of what went on, so I believe it is more beneficial to be upfront about privacy issues. If things like this are happening with such a huge company like Facebook, as a business, Facebook should try to build a trust between themselves and their customers. Sure, privacy advocates would have been outraged to learn that their information was being spread. But now that they know about the rerouting, don't we think they would be more upset that some information spread could have been prevented?

 Was this actually a privacy breach or just the way the Internet functions?

As Katharina mentioned, Facebook is a function of the internet. Nobody was ever told that the internet is safe. Thus, anyone who chooses to use a Facebook profile needs to be aware that Facebook is not perfect nor is it completely safe. Although this event was definitely detrimental to internet users' privacy, the blame can not be put completely on Facebook or AT&T. We, as internet and Facebook users, accept the fact that the internet is a dangerous place and that whatever information we put on the internet is truly not private.

 Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?

While I would like to say that Facebook does have this responsibility, I imagine the cost of doing so would be fairly large. With this being said, Facebook has been functioning for years without this additional IP connectivity and has attracted millions of users. As the largest social networking site in the world, Facebook realistically wont be rivaled by any other networking site in the near future. Thus, I don't think people would be willing to abandon their Facebook profiles because of an event like this. Facebook really has no need to further protect their users if their users aren't terribly concerned with their own privacy. Ethically, it would be nice to say that Facebook would feel the need to better protect their users. However, I don't think it is realistic.

Mary T. said...

As businesses, Facebook and AT&T should inform their customers that their personal information was flowing over an untrusted network. Their customers signed up for AT&T's services under the assumption that their information would be protected. When a consumer buys a car, he expects it to be safe. If there is an issue with the engine, the car company informs their customers that the product is compromised. AT&T and Facebook's products were compromised, and, from an ethical standpoint, they should inform their users that their information was at risk.

Diana said...

First of all, A&T should not allow this happen to their customers. I know there is a contract we agree to when making a Facebook account, stating we agree to have our information sent out to other companies. I do not understand something like this can happen by a mistake. I understand that nothing can happen to these people's data but you cannot trust anyone. Now these people's personal information is going around China and lord knows what can happen to them. In the reading it says it is possible for someone's, personal information, emails, photos, chat conversations can be captured. Luckily, I am not an A&T customer; if I was I will be very upset. This shows that you are not safe anywhere in the Internet even your personal phone. Did A&T notify their customers about the situation? Well I hope they did.

Holly said...

• Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?

In order to minimize damage and maintain the trust of their clients, I think both Facebook and AT&T should have notified their customers of the breach. Unfortunately, while I believe that this ethical obligation exists, many companies would decline to draw attention to the issue in order to avoid any public fallout. Therefore, I believe that there should be a legal obligation to inform your customers of such breaches. They should have the freedom to decide to stop using the service or demand greater privacy protection if they so choose. You cannot keep people in the dark solely because you are afraid of losing their business.

• Should Facebook enable SSL on all accounts by default?

As a service that is vastly popular and widely used by the public, Facebook should follow companies like Google and enable SSL on all accounts. I think one of the reasons they are able to get away without doing so right now is because people are oblivious to the privacy harms that Facebook perpetuates. I doubt many people actually read the terms of their agreement with Facebook and know what they are giving up or take the time to adjust their privacy settings. Moreover, Facebook’s popularity is largely based on the ability of its users to see up to date and personal information about others. If privacy protections were emphasized to a greater extent, Facebook’s popularity might suffer.

• Was this actually a privacy breach or just the way the Internet functions?

Without more information, it’s hard to say for sure one way or the other, but it’s very likely that this breach occurred solely because of the way the Internet functions. This demonstrates the point made in class today that data flies through so many public networks before it gets to its destination that it’s hard to control entirely. For this reason, action should be taken to try to minimize the chances of this occurring. The problem is that save a large scale attack or a huge fallout with the public, companies usually lack enough incentive to take on the cost of buying additional IP connectivity or providing additional protection for their servers.

Catherine said...

I think that Facebook absolutely should have notified their users that their information was traveling in a potentially harmful network. Part of being a good business is being honest with your customers - it's better to be open than to have customer find out through other means that their information was at risk. Most Facebook users consider their pages to be private, so I think that Facebook should enable SSL on all accounts automatically. Part of Facebook's business model is their claim that they make their site as private as it can be (for those who want their page to be private) - so they should really be doing that. I don't have the internet knowledge to know how private my page really is. Before this class, I didn't even know what HTTPS was. But I trust the people who work at Facebook that they are doing the best they can to keep my information private (understanding that everything on the internet is at some risk), and they would lose my business if I found out they weren't. If Facebook isn't going to educate users about the risks to their privacy, they are morally obligated to hold their promises to their users. Judging by the ignorance of most Facebook users, I would say that Facebook is not educating their users, so I do think they have a responsibility to buy IP connectivity to keep privacy as secure as they possibly can.

Logan said...

While it is scary realizing that our information on the internet is not safe, it never has been. People make assumptions all the time thinking that because they have a password there information cannot be stolen or forged. This is clearly not the case. AT&T should have told its users that this has happened after the case not so much because AT&T did anything wrong (this is just how the internet works) but because their users should be more aware that missed routing like this can happen and does. I do not believe that social networking sites, like Facebook, need to ensure privacy because its users should always assume there privacy is not being protected. However, Facebook should put a similar disclaimer when events like this happen, like AT&T. Not because either did anything wrong but to promote awareness that it can happen.

Chris Heller said...

In response to Margot: "We, as internet and Facebook users, accept the fact that the internet is a dangerous place and that whatever information we put on the internet is truly not private."

I think this idea is key to deciding whether it was a privacy breach or a normal internet function. However, do we really "accept" -- with full understanding -- the dangers of the service? There's a huge gap between understanding and using the internet. (I, for one, have scrolled and clicked through countless EULAs without reading them.)

I think the line between breach and function is especially blurry in this case. When you go online, your privacy is always threatened. But, does that suggest that a network's reputation -- fair or otherwise -- is more important than we've considered?

Jen said...

At&T should have absolutely notified their customers of this. It was only a few weeks ago that several large companies had a security breach of their customer’s email addresses, and almost every company notified every company that their email address might have been given out. It isn’t as if the fact that this happened is a secret. As a company, it’s in your interest to appear honest and forthcoming when it is very likely that your customers are going to find out anyway. To me that seems like a no-brainer, it’s a good business decision. That’s not even considering the ethical factor of what a company should do to treat its customers well. Furthermore, how did this even happen? Is it common? Was it intentional? As for Facebook, they should also have notified their users. It seems that Facebook tries to provide procedures for their users to protect their privacy. And while Facebook may not always be up front about their security settings, this is a security breach that users should not reasonably expect, and therefore Facebook has an obligation inform them of the incident.

Elizabeth B said...

• Should Facebook and or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?
o Facebook and AT&T should definitely have notified their customers that their personal information was flowing over a network that they may not trust. There are millions of Facebook and AT&T users who must have been using when this happened and chances are that 99% of them had no idea that their information could have been compromised. Many of these people do not understand the importance of practicing safe internet use and have way too much personal information on their Facebook pages. If Facebook and AT&T sent out an email telling their users about the dangers that they may encounter, these people would become not only aware, but also educated about these dangers and hopefully would be able to take the right precautions to protect themselves.
• Should Facebook enable SSL on all accounts by default?
o I believe that Facebook should enable the SSL on all accounts by default. The only reason why I personally know about the SSL is because of this class, which I am very thankful for. Even though the SSL makes Facebook slower and you cannot play certain games while browsing on it, it is important to use it to protect your information. Facebook is a business and ethically, they should be concerned with protecting their customers. They can easily do this by mandating that all people must use the SSL connection by default.
• Was this actually a privacy breach or just the way the Internet functions?
o I think that this was not necessarily a privacy breach because people need to understand that the internet is not a completely secure place. Anything that you put on the internet is very vulnerable and can be placed in the wrong hands. That is why people need to be very careful when they are choosing what information they chose to share about themselves.
• Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?
o I definitely think that Facebook does have this ethical responsibility. Facebook is one of the most successful companies currently, with billions of users. They should be taking every measure possible to ensure that their users are as secure as possible. One way of doing this would be to prevent future routing mishaps. I would be in full support of this change.
• Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?
o I believe that in the interest of privacy, it is time to focus on new option within BGP to prevent high profile sites from routing to non-authenticated networks. According to Moore’s law, the capability of computers is growing exponentially every day. It is important to develop new technologies in the future that will help protect internet users.

Kirsten said...

Should Facebook and/or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?

I believe that both Facebook and AT&T have an ethical obligation to inform their customers about the breach, but I would like to see mandatory disclosure of potential privacy violations as a regulatory requirement so that an “educated” consumer can make the best decisions for himself or herself.

Darion Parker said...

before taking this class i probably would have felt betrayed by facebook for not revealing pertinent information to me. however, i now know that we are not promised any level of security unless the lock appears near the url. therefore, this type of thing is subject to happen. it has always been my belief that facebook users should refrain from using the internet as a personal journal ---- leaving behind too much information. however, because most people do not share my belief or atleast don't practice it. social networking sites should especially try to work on secure sites to protect the interest of their devoted users.

James Farley said...

Like the issue with the illegitimate certificates, I find it amazing that Facebook and AT&T did not notify their users about what occurred. Personally, it's not the worst thing in the world. Information that I willingly post on my Facebook is not private. I do not post anything private or incriminating on Facebook or the internet because I know everything can be found and almost nothing can be deleted. However, some people do post things that they consider private and it is scary that people can use this against them.

Facebook allows for HTTPS, which will obviously create a more secure environment. However, many users do not know what HTTPS is. Facebook doesn't make it a point of letting it's users know that HTTPS is available or even what it is. Another problem with HTTPS is that it's even slower than the already slow HTTP. The users who do know what HTTPS is and that Facebook allows it will most likely opt to not use it because it is so sluggish. In my opinion, Facebook should make a point of notifying it's users about HTTPS.

To address the ethical responsibility question on whether or not Facebook should buy additional IP connectivity, I don't think it is relevant. However, I do believe that Facebook like any other company is interested in self preservation and prosperity. If users knew the true instability of the internet and how much more Facebook could do to protect them, I believe many of them would discontinue using Facebook. However, Facebook is such a large company with such a huge following that it is most likely blinded by it's size. As a company I do not think it needs to worry about losing customers because they have hundreds of millions. Like the internet, the business world is a rough place and I think companies are more worried about themselves than truly providing users with the best product possible.