Facebook is Inherently Insecure

    I've talked a lot about their unpleasantly ghostly Privacy Policy and Myspace-esque TOS, you know, the ones that sign away equal rights and entitlement to your identity indefinitely just by using their site. But I haven't talked about the intrinsic insecurity of a social network like Facebook.

    Fact: A significant number of computer users exhibit insecure behaviour online. They don't use strong passwords, they don't opt for https://, they don't work on virus/keylogger-free computers, and they answer spam emails (shocking, I know).

    Fact: Facebook contains not just a list of all your friends, but all your friends' friends, and a record of your interactions with them. Your social network and scene.

    Think about it like this: If someone gains access to your email account, they can see your contact list, and they can see how you talk to your contacts. If they have a lot of time on their hands they can read huge volumes of emails and piece together your relationships.

    On Facebook, they can see your list of friends and family and your communication with them, but more importantly their communication with each other: a schematic of your social life, heavy with descriptions of how you know each person. That is assuming you've toggled your privacy settings back so only your friends can see your stuff, and did so before Google indexed your profile and friends list. Every one of your Facebook friends is an attack vector for all the personal info you've posted, and for what your friends and family have posted that doesn't even relate to you. Put more concretely: if A and B are friends and B and C are friends, then A is an attack vector for B, for the A<->B conversation, for C, and for the B<->C conversation.

    In addition, 3rd party Facebook app developers also have access to your social circle and information. Your buddy wants to try an app from some developer he doesn't know? Well, they just grabbed your entire social network and know a LOT about you and all your friends.

    On Facebook, you are not the only one responsible for keeping your information safe. Anyone you friend is. Would you trust your Facebook friends with your Facebook username and password?

    It's given birth to a new breed of highly personalized spam. Imagine getting an email from someone you don't know offering you cheap Viagra and even using your first name. Sounds like a scam right? Sounds like if you clicked on the link you'd probably get a virus or some kind of malware installed on your system right? Right.

    Now imagine getting an email from Sarah your old girlfriend, where she talks about something you did the other night at a party (which you posted a photo of on Facebook being careful to only let your friends see) and then telling you she wants you to see a funny youtube video. You click on the link and guess what? It wasn't Sarah at all! "What?!", you say? How's that possible?

    The Spammer, we'll call him Spammer, gains access to Jim's (your buddy's) Facebook account because a) he accidentally typed in FaceBack.com without realizing it and tried to log in. His credentials were phished and the Spammer was in his account within 30 seconds, or b) Jim (same Jim) adds an application where the 3rd party developer wrote a bunch of code that scrapes all of Jim's and your information and emails it to him (the Spammer) as a .zip file when it's done. The Spammer goes ahead and looks through Jim's friends list, then through yours. Looks through your photos and descriptions of each of your contacts. Looks at Sarah's profile and writes down her email address, attaches the photo to an email, spoofs Sarah's email address as the sender (this is astoundingly easy without her login credentials from any computer connected to the internet), and adds an html link that looks like this in code:

    <a href="http://sitewithavirus/silentkeylogger"> http://youtube.com/v=harmlessvideo</a>

    and to you looks like this:

    http://youtube.com/v=harmlessvideo

    Clicking on the link will obviously take you to the virus and not to youtube, and if you use Internet Explorer, or the Spammer is using a zero-day exploit for one of the other browsers, you're fucked due to arbitrary code execution.
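    The link trick above works because the text a reader sees and the href the browser follows are two separate things. The following is an added example, not code from the original post: a small Node.js check that pulls the anchors out of an HTML message and flags the ones whose visible text looks like a URL for a different host than the href actually points to. It uses the post's own example link plus a few constructed anchors as sample input; the "sitewithavirus" host is the post's placeholder, and the ".example" lookalike host is a constructed one.

```javascript
// Added example (not from the original post): detect anchors whose visible
// text looks like a URL but whose href goes to a different host.
// Runs under Node.js (uses the global URL class); no DOM required.

// Pull href and visible text out of each <a> in an HTML fragment. The regex
// is enough for the constructed sample below; a production scanner should
// use a real HTML parser instead.
function extractAnchors(html) {
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const anchors = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    anchors.push({ href: m[1].trim(), text: m[2].replace(/\s+/g, " ").trim() });
  }
  return anchors;
}

// Hostname of a URL string, lower-cased. Scheme-less text such as
// "youtube.com/v=1" is given http:// so it parses the same way as an href.
// Returns null when the string is not a parseable URL.
function hostOf(s) {
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : "http://" + s;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Treat "www.example" and "example" as the same site.
function stripWww(host) {
  return host.replace(/^www\./, "");
}

// True when the visible text looks like a URL and names a different host
// than the href. Plain text like "click here" is not flagged here; that
// case needs a separate policy because there is nothing to compare against.
function isDeceptiveLink(href, text) {
  const looksLikeUrl = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(text);
  if (!looksLikeUrl) return false;
  const hrefHost = hostOf(href);
  const textHost = hostOf(text);
  if (hrefHost === null || textHost === null) return false;
  return stripWww(hrefHost) !== stripWww(textHost);
}

// Scan a whole HTML message and return only the deceptive anchors.
function findDeceptiveLinks(html) {
  return extractAnchors(html).filter((a) => isDeceptiveLink(a.href, a.text));
}

// Constructed sample message. The first anchor is the post's own example;
// the rest are constructed: an honest link, a www/non-www pair, plain text,
// and a lookalike host that merely starts with "youtube.com".
const SAMPLE_EMAIL_HTML = `
<p>Hey, thought you'd like this one.</p>
<a href="http://sitewithavirus/silentkeylogger"> http://youtube.com/v=harmlessvideo</a>
<a href="http://youtube.com/v=harmlessvideo">http://youtube.com/v=harmlessvideo</a>
<a href="https://www.youtube.com/watch?v=abc">youtube.com/watch?v=abc</a>
<a href="http://sitewithavirus/silentkeylogger">click here</a>
<a href="http://youtube.com.example/v=harmlessvideo">http://youtube.com/v=harmlessvideo</a>
`;

const flagged = findDeceptiveLinks(SAMPLE_EMAIL_HTML);
for (const a of flagged) {
  console.log(`deceptive link: text shows ${a.text} but href is ${a.href}`);
}
```

    Run with `node` and the two mismatched anchors are reported; the honest link, the www variant and the plain "click here" text pass. Mail clients that show the real destination on hover are applying the same comparison by hand, which is why the post's advice to look before you click matters.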

    A site that gives anyone other than you access to a super detailed schematic of your social circle is inherently insecure. Facebook should not expose your real-life social circle to anyone, even other people in that circle. But they do and will, because a large part of their user retention plays on social needs for acceptance/approval/jealousy/etc., which requires exposing that information to people you normally wouldn't, and in a permanent, public manner that you normally wouldn't.


    Category: Security
