  • Tag: Facebook

    What is Identity

    Every few months I delete my Facebook account citing lack of ethics in their business model and the way it's being executed. The FTC agrees with me, Austrians and Germans agree with me, and the Privacy Commissioner of Canada agrees with me. Facebook consistently seeks to undermine the illusion of privacy they present to us, and to violate laws and the rights of its users to perpetually maintain a "social graph" that contains mind-bogglingly detailed information about each and every person on the service including what websites you visit (that have a like or connect button installed), and what actions you do and personal information you share on many of these sites. I then inevitably sign up again to access their API in order to stay current as a developer where clients need to access people, and if their target audience is on Facebook; the client needs to be on Facebook too, and I better know how to give them that access.

    What does Facebook have to do with identity? There's a new feature in Facebook's account settings that allows you to link your Facebook account with what are considered other identity providers (i.e. Google, Yahoo) using OpenID. This means you can log into Facebook with credentials from these other services; and/or if you happen to log out of Facebook and into, say, Google, a Like button on someone's blog would still recognize you as logged into Facebook. So what's in a username when a username is only weakly linked to your identity?

    An email address is strongly linked to your identity; I can send you an email, but because email addresses are easy to spoof I cannot be sure an email is really from you without extra layers of security that aren't for the average user, or a really good Turing test which is unfeasible especially in the age of social networks where relationships are just as easy for anyone to discover and spoof. An email address is analogous to a driver's licence. Underage people create accounts with fake birthdays to get around COPPA just as they get a fake licence to buy beer. It's as unfeasible for the average person to create fake driver's licences as it is for them to hack into someone's email account; but fairly trivial for people to acquire the knowledge to use both technologies for identity theft or spoofing.

    In the real world your identity is a culmination of the information that resides in other people's brains and in 'the system' about you. You are the impact you have on the world. In a court of law where identifying you can mean the death penalty or not, the only thing more convincing than DNA is DNA plus photo evidence plus eye-witness testimony plus a trail of other evidence. It is fairly trivial to plant some DNA, as it is to hack into someone's online accounts; it's easy to brute force, phish, or Firesheep an account and gain access to credentials. In a digital world gaining access to and duping the bits used as a digital passport is easy; it's hard to post a thousand status updates, photos, and blog posts over a period of years as someone else while over those years interacting with other real people in that person's life. Because identity is a culmination of the impact you have.

    People get upset when they can't access the first of their ten thousand tweets, no matter how trivial it was, because it's perceived as a part of their identity. Our history and our breadcrumbs are our identity. Our interaction with the world is accumulated validation that we are who we unconsciously present ourselves to be. When logging into online banking or anything else that requires extra security we set up secret questions and answers about our identity; and symbiotically, depending on what parts of my life history are exposed to a given observer, the nature of their perception of my identity is accordingly changed. Yet I wouldn't go so far as to say that we have multiple identities because of it. If two people are looking at the same sculpture from two different angles, then there are not two sculptures; only two representations of the same sculpture. There are no two people in my life who have the exact same account and there is no person including me who has the full account of my identity. The vast majority of our lives are forgotten or not known even to us. For example if someone found an old journal that belonged to your great great great great grandfather, reading it would add to your knowledge of your identity; it would uncover a part of your identity. There is no reason why a computer program could not be one of the mediums to store and retrieve parts of your identity, but your identity follows and remains attached to you.

    Your family impacts your identity and so does your social interaction, as well as your knowledge and experience acquired. Identity rubs off and is transient. I am who I am because of who everyone else is. It's not just attached to my consciousness or my physical body, but both, and everything else those two things have together or individually interacted with either physically, digitally, or vicariously. Identity is a culmination of the impact you have on the world. Any website where you make an account, whether strongly or weakly tied to your identity, is merely a representation and thus an extension of it.

    There are no social networks. There are only tools and services with social features. Google+, Facebook, and Twitter are all broadcasting and link discovery tools, and they are all ways to waste time. Forget about the motives and business models of the companies and their inherent overlap. Google+ gives you more finely tuned and personal search results, Twitter allows for trends to be easily sparked and monitored, and Facebook exposes your breadcrumbs to help you find people and discover parts of their identity that would otherwise be hidden to you. None of these things are inherently good or bad in theory and none of them are a complete picture of you.

    The idea of only using one social network, or only having one ultimate online identity is not only silly (because they are all merely representations of your identity), but it leaves you vulnerable to exploitation. You should have many online accounts and many places where you publicly aggregate and maintain a list and links to those accounts so that if one goes out of business you still have breadcrumbs, and so that if one gets hacked you can mention it on all the others. You should use different login credentials so that it's totally unfeasible for anyone to gain access to the majority of them, and so that the patterned imprint of your identity on the web becomes easy to tell apart from what a given hacker would do with your account if they gained access to one of them. You should treat everything you post as public because it ultimately is and consider it to be public domain. The notion that these companies respect what's in their TOS is a marketing gimmick, although you can still use tools given to differentiate these public parts of your identity it is and should be seen merely as a form of curation rather than any form of security; and you should seek to maintain aspects of your identity privately, offline, and between close relatives and friends.

    Inside Google+

    After waiting patiently since Wednesday afternoon for my invite to work (it's 4:30am Friday right now), it finally did.

    Foot in the door

    The first thing you're asked is if you'd like to enable +1 on non-Google sites. Right off the bat, compared to Facebook, the explanation of where and how my content will appear on non-Google sites if I enable this feature is very clear. I'm enabling it for now but there are some security/privacy risks which I'll get into in a future post.

    Privacy

    You also get a link to the Privacy Policy before signup. Google's Privacy Policy incorporates their Google-wide policy, which if you have a Google account you've already agreed to (~1660 words), and if you use the mobile version of G+ it instead incorporates their mobile specific policy (~1070 words). If you upload a photo to Google+ you're also agreeing to the Picasa Privacy Policy (~795 words). If you use the +1 button you're agreeing to the +1 Privacy Policy (~420 words). The Google+ (Plus) specific policy adds (~1035 words) of amendments so it totals around 3500 words. As Google already had hundreds of millions of users who'd already agreed to their sitewide policy and Picasa's, there's only around 1500 words of new policy for their social layer. Contrast this with Facebook's Privacy Policy (~5850 words), which you have to click through from an overview page describing privacy controls (~1260 words), an expansive Privacy FAQ, 25 external privacy information links, 8 minutes of video explaining Privacy on Facebook, as well as the Privacy Policy of every app you use on the Facebook platform. In addition to Google being an order of magnitude more concise, the Google+ Privacy Policy is also written in much clearer wording. Look forward to my deconstruction of the Google+ Privacy Policy in a future post. What stands out is:

    • that participants added to any group conversation may be able to see the entire history of the conversation. Since anyone in a conversation can essentially add anyone else, consider everything you post to Google+ public.
    • If you use a third-party app like TweetDeck to post to Google+ the developer of the app has access to all the information you have access to. So consider everything you post to Google+ public as anyone of your contacts may use a third party app giving that developer access to all your posts.
    • During the next step in the signup process you're shown a window requiring that you connect Picasa Web Albums to your Google+ account, so your photos are available to you. Your albums' visibility settings aren't changed, but people they are shared with can now share them with anyone else. So consider photos you share on Google+ public.

    While these last three points may change the way you use Google+ at least they're upfront about how little control you have of a post once you post it online. Other social networks would prefer you not realize this.

    Experience

    annnnd I'm in.

    It looks incredible, very clear and fresh. The interface is snappy and responsive and shows me little messages the first time I do something telling me what's about to happen.

    No ads to be seen anywhere, hard to say at this point if that's because it's a "limited field test" or as competitive advantage. It would be great if when I'm looking at my social timeline I'm not bombarded with ads, as opposed to Facebook where the ads mention my friends' names and are awkward and uncomfortable. Better targeted ads on other Google properties, and a clean social experience.

    Hangouts are awesome, and simple to use. Can't wait to try it out with some people when invites go live again. You'll need to download the Google Talk plugin. Google Talk is also integrated with G+; you get the same chat widget that's been around in GMail for a while except there's no dialpad and it's integrated with circles.

    Photos looks really good, instead of a gallery of evenly sized thumbnails you have a dynamic spread of recent photos with a little bubble showing the number of comments each one has, clicking on a photo opens a better looking lightbox where you can see photo metadata, fly through the entire album, and photo comments are on the side so I can scroll through comments and leave one while still looking at the photo.

    Your account settings are very clear, easy to understand, and well organized. There aren't many settings you need to configure. The first panel "Account overview" lets you manage your account and provides two links at the bottom to Delete your profile and remove associated social features, and to Close account and delete all services and info associated with it. They've also devoted a section of your account settings to Data liberation which is a simple set of 6 links to download all your data.

    Things you can keep private —like who you're friends with, are very simple to control. Deciding "who gets to see what" is ingrained in the way you post and use the site, and it's clear that Circles are about managing who you're sending posts to, not creating an air-tight controlled network where your data is 100% private. This is a good thing, Google's not obfuscating the ultimate lack of control a given person on the internet has over their content once it's posted online, they're instead making it clear that it's up to the people you choose to trust and share with to respect your privacy —which is in fact the case on other social networks and anywhere else on the web; including email, despite what those sites would lead you to believe through branding or convoluted privacy policies and UI.

    Google makes it very easy to:

    • See what data they have
    • Download your data to your computer
    • Remove your data from Google's servers

    Issues

    There's a little option arrow on each post that lets you disable comments/resharing, but if I'm not looking at the Stream when I post then I don't have those options. There also doesn't seem to be a global way to disable resharing.

    Yeah it's a field test and no one's using it yet, but when G+ does go live, I'd expect there to be a better way to find interesting people to follow. I'm talking your Scott Siglers, Leo Laportes, Gina Trapanis, and Keith Malleys. Right now (and rightly so) it's more geared towards finding your friends and family.

    Invites

    It looks like any computer in my house can now signup for Google+, but people are still getting a "capacity exceeded" message. Invites have also been temporarily disabled, but if you want an invite just email me your gmail address or post it in the comments below, and I'll invite you when I can.

    Facebook is a Vector

    I recently started using Facebook and Buzz along with Twitter as public publishing tools. Facebook still sells itself as being for your friends and people you know, which is still completely false. Everything you post on Facebook is public, regardless of your privacy settings, and permanent, regardless of whether you delete it from your wall, but that's beside the point.

    The issue I'm writing about today is one where Facebook allows any website to post to your wall as you without your consent (i.e. identity theft), as long as you're signed into Facebook. Most people are permanently signed in even when all Facebook tabs and windows are closed by means of a session cookie your browser saves for weeks. Today in my newsfeed there was a link to a video of the tsunami in Japan.

    When you click on the link you get taken to a fake YouTube page, and are told to verify your age to watch the video. Clicking on the "Verify my age" link takes you to an annoying ad for a malware toolbar, while secretly using your Facebook account to post the link to your own wall and like it. Clicking anywhere else takes you to other sites that infect your computer with viruses and malware.

    This malware spreading site happens to be using a live analytics service called amung.us and if you look at the ping response you can see that there are constantly around 10,000 people on the site over the five minutes I kept hitting refresh.

    The fake YouTube site isn't hacking Facebook or your account, it's simply taking advantage of a gaping security hole in Facebook's API. Any website can embed a hidden Like button, and if you happen to be logged into Facebook on that computer that website can post anything to your wall.

    How does it work?

    A website loads a hidden Like button on their page, which is just an iframe calling http://www.facebook.com/plugins/like.php with some GET variables. The website uses JavaScript to trigger the click action of the Like button, posting anything they feel like to your profile without your consent or knowledge. Your friends see the link, trust you, click on it and begin spreading it themselves.
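A defensive check for the pattern described above, added here as an example and not part of the original post: a heuristic scanner that flags `like.php` iframes concealed by inline styling in a page's HTML. The function names, the concealment thresholds and the `example.test` sample page are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). Heuristic only: it reads iframe
// attributes and inline styles from raw HTML, so frames hidden through CSS
// classes or injected by script need a rendered DOM to be caught.
const LIKE_PLUGIN_HOSTS = new Set(["facebook.com", "www.facebook.com"]);
const LIKE_PLUGIN_PATH = "/plugins/like.php";

// Parse name="value" pairs out of a single opening tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Turn "a: b; c: d" into { a: "b", c: "d" } with lower-cased keys and values.
function parseInlineStyle(style) {
  const out = {};
  for (const decl of (style || "").split(";")) {
    const i = decl.indexOf(":");
    if (i === -1) continue;
    out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

// List the ways a frame is hidden from the visitor (thresholds are assumptions).
function concealmentReasons(attrs) {
  const css = parseInlineStyle(attrs.style);
  const reasons = [];
  if (css.opacity !== undefined && parseFloat(css.opacity) < 0.1) reasons.push("opacity");
  if (css.visibility === "hidden") reasons.push("visibility");
  if (css.display === "none") reasons.push("display");
  const width = css.width ?? attrs.width;
  const height = css.height ?? attrs.height;
  if ([width, height].some((v) => v !== undefined && parseFloat(v) === 0)) {
    reasons.push("zero-size");
  }
  return reasons;
}

// Return one finding per concealed Like-button iframe, with the URL it would like.
function scanForHiddenLikeFrames(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if (!attrs.src) continue;
    let url;
    try {
      // Relative src values resolve against a placeholder host, never Facebook.
      url = new URL(attrs.src.replace(/&amp;/gi, "&"), "http://page.invalid/");
    } catch {
      continue;
    }
    if (!LIKE_PLUGIN_HOSTS.has(url.hostname) || url.pathname !== LIKE_PLUGIN_PATH) continue;
    const reasons = concealmentReasons(attrs);
    if (reasons.length > 0) {
      findings.push({ likedUrl: url.searchParams.get("href"), reasons });
    }
  }
  return findings;
}

// Constructed sample page: one visible Like button, one concealed, one unrelated frame.
const SAMPLE_PAGE = `
<html><body>
  <h1>Shocking video</h1>
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example.test%2Fpost" width="90" height="21"></iframe>
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fvideo.example.test%2Fclip&amp;layout=button_count" style="opacity: 0; position: absolute; width: 50px; height: 23px"></iframe>
  <iframe src="http://ads.example.test/slot" style="display:none"></iframe>
</body></html>`;

console.log(scanForHiddenLikeFrames(SAMPLE_PAGE));
```

Only the second frame in the sample is reported: the first is a visible button and the third is hidden but does not point at the Like plugin.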

    How can Facebook easily prevent it?

    Liking a 3rd party webpage should pop up a little box that asks for your PIN number. Your PIN number should be set in your Facebook account settings and be a 4 digit number separate from your password that you're prompted to change every month. This way posting content is a conscious effort on your part, and 3rd parties can't use hidden Like buttons to post to your wall.

    Facebook Mail

    There's not much to say about it. I've read some other posts from really reputable blogs and for whatever reason they're all padded with nonsense. Facebook Mail is an extension of their messaging system that incorporates email, has a kind of priority inbox, and is all based on people rather than threads based on subject. Facebook is aggregating all the ways you communicate to better simulate a conversation as though you were standing next to the person.

    It's a very specific style of communication that speaks directly to teenagers and the way they communicate. While teenagers could and should use a communication method that caters to them, and the new Facebook Messages does that really well, it's not for grown ups, or business, or anyone with any depth or complexity. It's advanced IM (instant messaging).

    Grown ups need threads by subject - whether they choose to organize their inbox as individual messages or threaded, the subjects still differentiate the content of an email or conversation. I may do a lot of work for a client, the absolute last thing I would ever want is to scroll down a bit too far in the conversation and see specs for an old project and incorporate it accidentally in the new one. Or for the client to pitch an idea for a new project, which gets muddled with the current project, or requires a paragraph explaining that it's a different idea and just a pitch and has nothing to do with the current project. One of many examples where subject based organization is a far simpler paradigm.

    Of course we all have an adolescent side - some more than others, and it's that same aspect of ourselves that Facebook appeals to when we see what old friends are doing with their lives. It's that same part of our brains, that couples with short sightedness, that makes some people think that peer pressure is more important than preventing access to your personal online life from random third party applications. Why else would anyone do those stupid Facebook Quizzes? It explains why some people believe there's enough value in completing a quiz to give up the keys to their personal life to some shady app developer. Or at least the same short sightedness that becomes so overwhelmed by the social pressures of Facebook that they've never read the TOS or Privacy Policy. Never mind Facebook's, but that of the third party quizzing application who can do whatever they want with your data.

    The two other issues with integrating Facebook Messages with your email is lack of respect and trust. Giving someone your Facebook email address is an immediate indicator that you don't want communication with that person (or company) to be too complex. You're saying, "Here's my Facebook Email, I'd prefer it if everything we say to each other from now on was part of the same conversation cause DUuuueah I lack the ability for context". As for trust there are two main categories of people. Those who trust Facebook (unfamiliar with their history, never read the Terms, unaware of the frequent privacy control resets, etc.) and those who don't trust Facebook (people with common sense, people who don't live in a bubble, people who can read).

    While I've recently had to reactivate my Facebook account after two years so I could access their developer API for work (I got out during a significant Intellectual Property and Privacy blowup in 2008), I refuse to put any information on it that isn't already public. Why? Because I don't trust them. Facebook has done a lot of things in their past that are notably untrustworthy. Their whole approach is based on peer pressure and pushing people around how they see fit, their privacy controls are only meaningful until they decide they're not - which happens frequently enough, and they don't appropriately abstract apps or themselves from your personal data.

    Why would I trust a free service like Google with email and documents and stuff, but not Facebook? Well for one I know that Google has serious restrictions dictating which of their employees have access to my data, even those few select people are meticulously logged and audited, and any violations result in firing and tighter security. On Facebook I have no idea which of their employees can access my data, and I know that at their whim a mere Privacy Policy update could result in all my controls being reset and my private information entering the public domain forever. If the controls are meaningless, and access is ambiguous then there's no trust.

    For a simple analogy; Google is run as a republic. Microsoft is run as a corporation, Apple is run as a dictatorship, Facebook is run by a young dictator.

     

    15 Reasons to Ditch Facebook: For Dummies

    Feel free to skip down to The Good Stuff.

    And when you're done here think about reading about the Boycott Facebook movement.

    I left Facebook more than a year ago and it went like this. Unfortunately the final straw causing me to want to finally leave was the same reason I couldn't. Deleting my Facebook account on that day under that TOS (Terms of Service) would mean Facebook had the right to use my identity, content, and likeness forever, in any context, for any reason. So I deleted all my content on Facebook instead, and changed my profile to explain to all my friends what a giant scam and shady organization Facebook was. I hoped and waited for the day that Facebook changed their TOS back to something less permanent, or at least forgot my old profile data/content, which was unlikely to happen. The next day a few Facebook groups had already sprung up outraged at the new TOS and petitioning to reverse the horrific changes, they were all rapidly growing in support and I had a little hope.

    A few days later Facebook responded, and temporarily reversed the changes to their TOS while they, to paraphrase, worked with users on a Facebook Bill of Rights. While the old TOS was still shady and demented the permanent ownership of YOU and right to sell/share YOU with any 3rd party (multi-tiered) for any reason was lifted. Realizing Facebook's Bill of Rights Baloney was an obvious sham I deleted my account as fast as I could.

    I've spent the last year trying to explain to people what a nightmare Facebook is, and what they're becoming - and not only was I right about the direction they were going in, but nobody listened or cared about (see: Understood) a word I was saying.

    The Good Stuff - 15 Good Reasons to Ditch Facebook

    1. Ever Changing Terms

    Every time Facebook updates their TOS, which is quite often, it becomes more frightening and harder to leave Facebook, and Facebook's rights to your identity, and right to share your private personal messages, images, and everything you put on Facebook, get more invasive and pervasive.

    2. Auto-Resetting Privacy Controls

    With every TOS update they kindly reset all your "privacy" controls to public for you, and it remains as such until you manually set it back to your preferred level of privacy.

    You're required to race to Facebook when this happens and change them back before your parents and boss see the photos from that crazy kegger you were at last weekend, and before Google indexes your now public life letting it show up in people's Google searches.

    3. Confusingly Complex Privacy Controls

    Facebook's privacy controls are far too complex and convoluted for anyone to understand, and require an afternoon just to configure all of them. There's absolutely no reason for this other than to coax people into not setting them.

    4. Irrelevant Privacy Controls

    Facebook's privacy controls are irrelevant because the Facebook TOS allows Facebook to share all your activity and content with anyone in the world, regardless of your privacy settings. It doesn't matter if your boss can't log into Facebook and see embarrassing photos of you, when your boss can just call Facebook and ask them to send over all the photos you've ever posted, even private ones, even ones your friends posted and tagged you in.

    5. Facebook Applications Can See Everything

    Before I left Facebook I had made a small Facebook application. While I never used it for this purpose it shocked me to find out that even back then I, a 3rd party developer who had to provide no ID of any kind to Facebook, could access ALL OF THE PRIVATE INFORMATION AND CONTENT of anyone that added my application to their profile and ALL OF THEIR FRIENDS', AND FRIENDS OF FRIENDS' PRIVATE INFORMATION AND CONTENT. I could access everything, and I could do whatever I wanted with that information. I could visit your mother's house and hand her a printed out copy of an embarrassing photo of you. I could start a website where I just published all your personal information.

    6. The new Facebook API - Social Graph

    An API is when a website lets 3rd party programmers access their content from their 3rd party website or app. So the Twitter API lets TweetDeck login to Twitter for you and fetch your friends/updates/etc. so that you can see and interact with Twitter in TweetDeck.

    At their recent developer conference, Facebook unveiled their new API which is currently available for use. It lets any website log into your Facebook and is Opt-Out. Which means you have to deliberately decide not to use it.

    Every porn site, joke site, self-help site will soon have a small chunk of code added which automatically logs you into your Facebook account and gives the random site near total control of your Facebook profile.

    Which means ilikedonkeyshahahowdoistop.com not only knows exactly who you are, who your friends are, and who their friends are, but can post to your wall which videos you're watching, questions you're asking, pictures you're looking at. They can also create a Facebook group and make you a member of it, they can email your mother and tell her what you did on their site, they can Facebook message all your Friends and tell them how much you love their unique brand of porn, and that's only the tip of the iceberg.

    Aside from ilikedonkeyshahahowdoistop.com being able to know and do all that and more without any real consent (that's now, soon you won't have to give any consent), Facebook also has all this data. Facebook knows your browsing habits, they know the content of every page you visit. EVEN if there's a mild warning that says "Would you like to let this site use your Facebook?" which there are many ways for the shady site to hide and obfuscate, even if you see that warning and click "No", that Alert/question comes from Facebook who knows exactly where you are on the web, exactly what the content of the page you're on is and can watch what you're doing there. So even if you stay on top of every setting Facebook gives you and opt out of everything, Facebook still knows everything you do on the internet and can and will share that information to ANYONE THEY WANT, ANY TIME IN THE FUTURE, and the 3rd parties they share it with are also allowed to share the data with anyone they want forever.

    7. Beacon

    Beacon was an ad program a while back, that sort of came back on and off, where Facebook would advertise to your friends - without your consent - in your name. For example, Facebook could show your friend Jenny a message saying that "you really like Bacon Slather - a revolutionary new product where you bathe in grease, and that last Tuesday when you used it, you had an orgasm and called out her name." They would be able to do this, and did, regardless of whether you had even heard of Bacon Slather.

    They would also turn things you did actually post into an ad. So if you posted a status update saying "Fred is a total douche" Facebook would not only be able to re-word your update, but they would turn the word douche into a link that took any of your friends who clicked on it to a porn site specializing in videos of women douching. The new Facebook API is the latest evolution of Beacon.

    8. Facebook's Revenue

    Facebook makes money, and is setting up greater infrastructure to make money, by selling your private (regardless of privacy settings) information and content to anyone who'll buy it (advertisers, scammers, spammers, the government, the media, a thief, a murderer, your mother, your boss, anyone). Putting anything on Facebook gives Facebook the right to do that forever, so don't think about changing your mind 5, 10, or 5000 years down the line. They keep everything you've ever posted.

    9. Facebook Intends to be a Publicly Traded Company (as in the stock market)

    Aside from the manipulative, convoluted and outright morally wrong behaviour Facebook has and continues to exhibit in the name of exploiting its users for profit, when they go public they will have a legal obligation to their shareholders to maximize profit. Everything bad about Facebook has increased in severity by a factor of 10 since I left a year ago, and will drastically increase as they move towards and begin offering their first stocks.

    10. Facebook Continues to Exploit You After You Die

    Usually when a person dies, their bereaved family sends proof of your death to the various websites you belonged to so that they delete your account, and/or let your family save some of the pictures and memories you stored in the cloud.

    When Facebook gets someone's death certificate the first thing they do is lock the deceased person's account. So even if your husband/girlfriend/whatever knows your password and wants to delete your Facebook profile, they're blocked from logging in. Then the account is given special dead person status, so every one of the dead person's Facebook Friends now knows they're dead. In addition and perhaps most shocking, Facebook then lets any of the dead person's Facebook friends - regardless of privacy settings - comment on the dead person's wall and photos. Often your Facebook friends are not people you really know, friends of friends and complete strangers. There is no way for the grieving family to remove, edit, or otherwise hide obscene, disgusting, and offensive comments, photos, and links posted to the dead person's wall. They just have to watch as the memory of their loved one is tainted and destroyed - and public.

    Facebook will keep a dead person's profile in this locked down public state for about 60 days after the last person visits the page. Because every visit is a chance for you to click on one of the diet ads on the side. So 60 days after everyone forget's about your dead loved one Facebook will take the page down because it no longer generates profit for them.

    11. Facebook is You

    When you use Facebook, you agree to give them equal rights to your identity and likeness. One of the sick things they do with those rights is take control of your Profile.

    Recently they began perpetuating people's profiles after they delete their Facebook account. So you decide you want to leave Facebook today, you delete your account, but your friends can still invite you to events, send you friend requests and pokes, and tag you in photos. Searching for your Facebook account still turns it up - like you never left.

    So deleting your profile and canceling your Facebook account doesn't actually do that. Instead, what you're doing is going from joint ownership and control of your Facebook account and profile to giving Facebook complete control.

    It's only a matter of time before Facebook uses your "deleted" account to carry on conversations with your friends in your name, and resurrects random historical profile data, or simply generates new information based on what you've typed in before to make it look like you're still on Facebook.

    If you delete your Facebook account today, you may get a phone call next week from your friend Jenny wondering why you told her you hate her and why you posted a photoshopped image of her profile picture where you replaced her head with a cow's. You'll try to explain to her that Facebook is now controlling your profile and it was them and not you, but she won't believe you and you'll have to join Facebook again just so that you can jointly control your profile with Facebook and be dragged back into the site again.

    This also means that some of the people you're interacting with on Facebook - or stalking - aren't really them. It's just Facebook pretending to be them, not that such a thing makes your Facebook relationships any more hollow.

    12. Facebook is Inherently Insecure

    As I explained here, aside from the myriad of reasons Facebook is insecure, it contains a very public (regardless of "privacy" settings) list of all your social connections, where you go, and what you do. This information is now being used by spammers and hackers to manipulate you into opening virus-laden emails you normally wouldn't: they pose as your friends and, in a social context which you trust, send you links to viruses that can't be detected by anti-virus software. They're scamming people out of money, pretending to be a friend stuck in another country who just needs $900 to get home where they'll pay you back. The information is also a resource for answering your secret questions. A lot of sites, including some banks and email providers, let you pick a secret question and answer in the event you forget and/or need to reset your password. One look at your Facebook data and anyone can reset your accounts, locking you out and letting them in.

    13. Tech People in the Media are Leaving Facebook

    The people that stand to lose the most from leaving a social network are finally pulling the plug. These are people that live in the public eye, so they're a lot more comfortable with Facebook's loose privacy, and their leaving Facebook affects their fan base who friended them on the network. About a week ago Leo Laporte deleted his Facebook account, citing impossible-to-understand privacy settings and the lack of ethics of the company. Leo Laporte, for those who don't know, is a tech god and hugely trusting; when he has a beef with something or someone it's so justified you'd have to be a turnip not to follow suit.

    14. South Park

    South Park and other comedy shows are starting to point out the hilarity of Facebook's TOS and "privacy" settings.

    15. None of This is a Surprise

    Facebook's founder and creator Mark Zuckerberg stole much of the code and concept for Facebook from his school friends before he dropped out. They sued him, and because Facebook was taking off he was able to settle out of court. He has a history of unethical behaviour, so it's no surprise his creation operates in a completely unethical, malicious way.

    What Do We Do Now?

    First of all stop using Facebook immediately. Don't post another real status update, picture, comment, nothing.

    Quite frankly, unless you live in a country that enforces your rights and freedoms on the internet and your right to privacy, and that prevents you from being held to unreasonable contracts, you're totally and royally screwed.

    If you're lucky enough to live in such a country, first remove all your Facebook content and data, set all your privacy settings to the maximum privacy (to show intent in case you have to prove in court one day you wanted privacy), then completely delete and remove your Facebook account and profile. This is an intentionally long, confusing, misleading process and one more way Facebook has decided to abuse you. Document the process with screenshots, and email yourself the evidence so it's timestamped.

    If you live in a country that doesn't care that you foolishly sold your soul to the devil, or the above doesn't work and you find your profile is still active and interacting with its Facebook friends without you, you'll need to opt for plan B.

    Plan B involves keeping or reactivating your Facebook account, making sure the only content associated with your account is about what an evil entity Facebook is, and having your "privacy" settings set to public. The best thing you can do in that situation is help create awareness and spread the word. Friend people on Facebook, and friend them with a message about why you're not able to delete your account. Start and join groups about it. Get the word out.

    If enough people do this, Facebook may temporarily change their TOS to reflect a non-permanent contract, which will allow you to actually delete your profile instead of just giving Facebook full control over it.

     

    Facebook is Inherently Insecure

    I've talked a lot about their unpleasantly ghostly Privacy Policy and Myspace-esque TOS, you know, the ones that sign away equal rights and entitlement to your identity indefinitely just by using their site. But I haven't talked about the intrinsic insecurity of a social network like Facebook.

    Fact: A significant number of computer users exhibit insecure behaviour online. They don't use strong passwords, they don't opt for https://, they don't work on virus/keylogger-free computers, and they answer spam emails (shocking, I know).

    Fact: Facebook contains not just a list of all your friends, but all your friends' friends, and a record of your interactions with them. Your social network and scene.

    Think about it like this: If someone gains access to your email account, they can see your contact list, and they can see how you talk to your contacts. If they have a lot of time on their hands they can read huge volumes of emails and piece together your relationships.

    On Facebook, they can see your list of friends, family, your communication with them, but more importantly their communication with each other: a schematic of your social life, heavy with descriptions of how you know each person. Assuming you've toggled your privacy settings back so only your friends can see your stuff, and did so before Google indexed your profile and friends list, every one of your Facebook friends is an attack vector for all the personal info you've posted and that your friends and family have posted that doesn't even relate to you. More clearly: A is an attack vector for B, A<->B, C, and B<->C.

    In addition, third-party Facebook app developers also have access to your social circle and information. Your buddy wants to try an app from some developer he doesn't know? Well, they just grabbed your entire social network and know a LOT about you and all your friends.

    On Facebook, you are not the only one responsible for keeping your information safe. Anyone you friend is. Would you trust your Facebook friends with your Facebook username and password?

    It's given birth to a new breed of highly personalized spam. Imagine getting an email from someone you don't know offering you cheap Viagra and even using your first name. Sounds like a scam right? Sounds like if you clicked on the link you'd probably get a virus or some kind of malware installed on your system right? Right.

    Now imagine getting an email from Sarah, your old girlfriend, where she talks about something you did the other night at a party (which you posted a photo of on Facebook, being careful to only let your friends see) and then tells you she wants you to see a funny YouTube video. You click on the link and guess what? It wasn't Sarah at all! "What?!", you say? How's that possible?

    The Spammer, we'll call him Spammer, gains access to the Facebook account of Jim (your buddy) because a) Jim accidentally typed in FaceBack.com without realizing it and tried to log in, so his credentials were phished and the Spammer was in his account within 30 seconds, or b) Jim (same Jim) adds an application where the third-party developer wrote a bunch of code that scrapes all of Jim's and your information and emails it to him (the Spammer) as a .zip file when it's done. The Spammer goes ahead and looks through Jim's friends list, then through yours. He looks through your photos and descriptions of each of your contacts. He looks at Sarah's profile and writes down her email address, attaches the photo to an email, spoofs Sarah's email address in the email (this is astoundingly easy without her login credentials from any computer connected to the internet) and adds an HTML link that looks like this in code:

    <a href="http://sitewithavirus/silentkeylogger"> http://youtube.com/v=harmlessvideo</a>

    and to you looks like this:

    http://youtube.com/v=harmlessvideo

    Clicking on the link will obviously take you to the virus and not to YouTube, and if you use Internet Explorer, or the Spammer is using a zero-day exploit for one of the other browsers, you're fucked due to arbitrary code execution.

    A site that gives anyone other than you access to a super detailed schematic of your social circle is inherently insecure. Facebook should not expose your real-life social circle to anyone, even other people in that circle. But they do and will, because a large part of their user retention plays on social needs for acceptance/approval/jealousy/etc., which requires exposing that information to people you normally wouldn't, and in a permanent public manner that you normally wouldn't.