The real Facebook burglaries story

I did a little reporting to get the real story behind the reports of a Facebook burglary spree that supposedly used the service — right after its launch of Places — to find victims who were away on vacation. I emailed Nashua, NH detective Dan Archambault, who told me that only two of the cases involved Facebook and in each case, “one or two of the suspects were Facebook friends with the respective homeowners. They basically had access to the walls and could read that the families were away on vacation. The information was only available to friends and the Facebook Places feature was NOT a part of this. And finally my advice to Facebook users is carefully pick your friends and watch what you post.”

And my advice is don’t believe everything you read. So this was not a case of a criminal using Facebook to find any old random victim. The implication of the coverage is that we were all — all 500 million of us — at risk for being so foolish to make ourselves public on Facebook and make ourselves vulnerable to every criminal out there. No, it’s foolish to make the wrong friends. Always has been. Still is.

I also contacted Facebook, and a PR person there sent back suggestions for how to wisely use the service: “I would recommend creating friend lists to separate people you really trust from others. Then, use the publisher privacy control to
send status updates to appropriate groups (and only them). I actually think it may make sense to tell people you really trust that you are gone through Facebook just as you would in person. Then, they can watch your place for you, feed your cat, etc… As for everyone else, if you wouldn’t tell them in person you were leaving town, you probably shouldn’t use Facebook to tell them. As always, we also recommend people only accept friend requests from others they actually know.”

All sensible.

If only things were so simple for Google, where, according to Gawker, an engineer used his high-level access to the company’s data bases to stalk teenagers. Google fired him. But the damage is done. We spoke about the case on today’s This Week in Google and as Leo Laporte and Gina Trapani said, to keep systems running, someone will always have access to data. Of course, that someone should be trusted. But as this case reveals, you never know whom to trust. So the company must come up with systems to assure trust. Should there be teams that must operate together in failsafe mode to get access to data? You tell me what would work.

The bottom line for both companies is that trust is essential and cases such as these can ruin trust and eventually ruin companies if we cannot depend on them. In the first case, media blew up a story for effect. In the second case, a dangerous vulnerability is revealed.

: AND: Being a journalism professor, I suppose I should point out the journalistic lesson here about reporting.

When this story first came out, it was marked by sloppy reporting that was only repeated and diluted. I read a number of the reports and backed up the line to the Nashua paper trying to find answers to basic questions. Nothing.

For anyone who knows the slightest thing about Facebook — that is, any reporter who uses it — the reporting raised obvious questions. So I contacted Facebook, who gave me the email of the detective, and I asked him: How did the accused use Facebook? In how many cases? Were they friends — that is, connected on Facebook — with any of the victims? Facebook tells me that its Places feature was not involved; true? Finally, what advice do you have for people using Facebook? Plus a few, more-detailed questions about the specifics of how these victims used Facebook.

The detective said this is an ongoing investigation, so he was limited in what he could tell me. But, as you can see, he answered the essential and obvious questions reporters and editors should have asked before. And if they didn’t have answers, they should have said so. I say lately that the key skill of journalists is going to be less saying what we know than saying what we don’t know. That is the essential skill in process journalism.

But all along the chain, nobody wanted to ruin a good story: USE FACEBOOK AND YOU’LL BE ROBBED! Much more fun, isn’t it? Reporting takes all the fun out of it.

  • Marcotte

    “Should there be teams that must operate together in failsafe mode to get access to data? You tell me what would work.”
    This isn’t a new problem for Internet companies, nor for companies with databases of sensitive information. The US and Soviet militaries have been dealing with this since the 1950s, and others more knowledgeable about history could likely point out other examples (Roman Triumvirate?). In fact, the basic idea of command control is enshrined in the US Constitution through the 3 branches of government and the bicameral legislature.

  • http://stinginthetail.wordpress.com Sheila (@stinginthetail)

    Twitter is full now of people who used to just be on Facebook – and they want followers/friends no matter what. They all think they are celebs, lol. They follow back everyone, no matter what kind of spammer it is, and think everyone is their fan. Then they post their full daily schedule every day on 4Square, so we all know their home, work, and everywhere they go. Break ins are made easy, as is stalking someone – as would be a personal attack if one was that way inclined.

    You can’t protect the truly stupid, they will find a way to mess themselves up, but honestly, i don’t think 4Square or tweeting your location is something the world had to have. As for me, posting a lot of location tweets is a good way to make me unfollow.

  • http://privacycamp.wordpress.com/ Shaun Dakin

    Thanks Jeff,

    I’m a privacy activist (voter privacy in particular) and am the founder of Privacy Camp (@PrivacyCamp) with the Center for Democracy and Technology.

    It wasn’t until this past Spring that I fully understood Facebook lists and how to implement them. (Great article here about this > http://tinyurl.com/2dc4wmd )

    Now I know who is on which list and I am very particular about who sees what.

    Facebook gives users very specific tools that you can use to fine tune your privacy settings.

    The tools are very cool.

    Only no one uses them. (few at least).

    The tools are simply too complex for the average user to implement or to understand. And that is a shame.

    Regards,

    Shaun Dakin
    Founder – Privacy Camp (@PrivacyCamp)
    Founder – The National Political Do Not Contact Registry – StopPoliticalCalls.org and @EndTheRoboCalls

  • http://www.ericgauvin.com Eric Gauvin

    I tried using sit-on-my-facebook for about a month and couldn’t stand it. Log in to facebook — log out of privacy. I can’t believe anybody likes it. Depressing.

    My prediction: twitter and facebook will fizzle out sometime within the next 3-5 years–especially twitter.

    • Cassie

      Eric, I hope so. Wow, I hope so. I am so sick of this site getting so much news coverage. Articles from The New York Times to The WallStreet Journal have been written to inform what you should not share and yet people continue to post the most assine things. Today, it was reported that two people in Florida were arrested by the Florida wildlife because tow idiots posted pictures of possession of illegally taken wildlife after deer season.

      This site is just making people even more stupid – that is possible.

      So, Eric I am hoping the same thing.

  • Pingback: The Facebook Burglaries Story is BS | Media and Tech

  • ahabicher

    The kind of loser criminal who would base his exploits on facebook updates or google street view won’t last long in his chosen line of profession. There’s a lot more to successful burglaring than to know if someone is at Yellowstone or at work at the moment, wouldn’t you think? Otherwise burglars could even just see you drive away from your home and go for it instantly.

  • Ben G.

    It’s so heartening to see these kinds of posts. As a developer on the Facebook Places team, I know we worked really hard to make a flexible and powerful privacy model for this feature, and it really stinks when the media reports without fact-checking — or even understanding the privacy model behind the feature they’re blaming for violating privacy!

    Thank you so much for taking the time to investigate the real story behind this sensational article.

  • Ian McDowall

    WRT the mention of the stalking Google engineer; please be aware that all web sites have to store the data in some form of back-end database (relational, proprietary or whatever) and admin /maintenance engineers have to have access to the databases. This is just a fact of life of running a computer system; it is not a breach of security.

    The organisations that own the web sites and databases then set up controls to restrict access but they can never be 100% foolproof. There were stories earlier this year of Facebook sacking engineers for a similar offence. Users should be reassured that the organisations have checks and will sack misbehaving engineers.

    • http://www.buzzmachine.com Jeff Jarvis

      Right, Ian, but this unfortunately illustrates that the controls can’t be good enough but have to be better.

      • Pete M

        Unless you are running an IBM/Lotus Notes/Domino system. Then you can actually have completely encrypted mail that even an admin can’t access and still run the system, well.

        –Pete

    • Robert Sullivan

      Ian, that’s just the point, Google did *not* have the proper checks and balances, they were informed by the parents! This is security 101, as someone pointed out in a comment above, this is not a new concept, the U.S. Constitution is built around the idea of separation of duties. With software, there can be additional controls, both preventative as stated and auditing and monitoring controls.

      It should be of concern, and illuminating, that as people and companies are moving their information to the cloud, that Google was significantly lacking in the area of security. This indicates a general lack of security governance at the corporation.

  • http://www.subhub.com Evan Rudowski

    The Google vulnerability was hardly “revealed.” As others have mentioned, it’s a known and largely unavoidable vulnerability. Some humans at any company that stores user data must have access to that data.

    Which is why it is reasonable for consumers to have a high level of control over how their information is used, and why it is sometimes necessary for regulators to ensure that companies are adhering to a reasonable standard.

    I agree with those who have called for Google to do more than just fire the individuals but to refer the case to law enforcement. It’s in Google’s own interest to maintain customer confidence, and to send a message to other potential rogue employees, by relentlessly enforcing privacy protections.

    • Robert Sullivan

      It’s a known vulnerability, but it’s hardly unavoidable. Companies with good security controls do not have this issue, it’s the (probably) many companies like Google, rounding out the bottom tier preparedness as far as security, that have problems like this.

  • Pingback: links for 2010-09-16 | Lloyd Shepherd @work

  • http://npharder.wordpress.com Ken Ellis

    Gumshoe reporting, excellent! The CIA, IRS, my bank, my doctor, Facebook, and Google all have to manage private data. But I have different expectations from each, and each has their own priorities in that area. So I think consumers are in the process of telling Google and Facebook that the priority is increasing, and hopefully they will respond by putting more resources into it. This story reinforces my feeling that the lapses are minimal, but the potential for serious breaches is there. How many people can read my Google docs and gmail? Dozens of people, hundreds, or thousands? I’d like a number. Audits and technical measures sound nice, but I suspect safeguarding information is largely a matter of controlling that number.

  • http://avc.com fred wilson

    it is also foolish to use location based services inside social networks where we have been promiscuous with our friending. as my daughter emily said about places, “i have facebook friends i’ve met once. i don’t want them to know i am here!”

    i reblogged this on fredwilson.vc

  • http://virtualeconomics.typepad.com Seamus McCauley

    Normally in my house – a few hundred quid’s worth of heavy, immobile gadgets with limited resale potential. Normally on my person – a few grand’s worth of extremely portable gadgets anyone could fence in minutes. I’m very disappointed in criminals whose best idea for abusing location tools is to work out where I’m not.

  • Pingback: Quick Links | A Blog Around The Clock

  • http://arnoldwaldstein.com Arnold Waldstein

    Jeff…important post.

    I’ve been following and thinking and blogging on this whole privacy mishigas since the initial F8 Facebook announcements and backlash.

    Honestly, common sense and smart human behavior with intelligent social poise preceded Facebook and should be moved to the online space.

    My thinking ‘way back’ in the early spring on this I think still holds.

    -”Facebook…can’t love it but can’t leave it” http://bt.io/G0rs

    -“The best way to protect your privacy is to understand that you live in public. And act… http://bt.io/G0rt

    I chronicle my thoughts on the social web and its effects on life and business @ http://arnoldwaldstein.com

    Thanks.

  • http://www.techlicious.com Josh Kirschner

    Thanks, Jeff, for following up to get the real story. I was suspicious of the facts, as well, when I first read about it.

    While there valid concerns with Facebook privacy, including Facebook Places, threats – whether physical, economic, or reputational – are much more likely to come from someone you know, rather than a stranger. But like child abuse, abductions, and murder, our fear of strangers has been grossly inflated by how these issues are covered in the media.

    Hey, it’s what sells.

  • Pingback: links for 2010-09-16 « Numeracy in the Newsroom

  • http://www.cicadasecurity.com Ryk Edelstein

    How about this… if you don’t want it read… don’t write it.
    If you don’t want it heard… don’t say it.

    Let’s all do our part to save the term ‘CIRCUMSPECT’ and the concept of privacy from extinction…. Always be careful what you say, and what you write.

  • Pingback: How Developers Can Help Prevent “Social Burglaries”

  • Pingback: CTM CLOTHING PROMO Fall 2k10!!! | Mountain Biking Gear

  • Pingback: SearchCap: The Day In Search, September 16, 2010

  • http://www.baxie404.com Ashley Baxter

    I appreciate your time in taking due diligence and finding out the real facts behind the story. Today it’s too often that journalist lean towards making stories dramatic in order to catch attention. The news is supposed to be the news and that should include the facts and honesty.

    • cm

      You’re being an idealist.

      Once any journalist gets into the industry they’re hounded by editors etc to make dramatic stories to attract ears and eyeballs. Idealistic journalists get fired pretty smartly.

      This desire to hunt down a story really irks me when it comes to covering disasters.

      The people impacted by the disaster are in desperate need of quality information and the journalists are just out for drama. Apart from not informing the people, the drama further distresses people who are already in shock or experiencing great anguish.

      While I’ve always felt this passively, it recently became personal for me. I live in the area impacted by the recent earthquake in New Zealand.

      We were thrown out of bed at 4:30 am, got ourselves reasonably organised. At 6am we thought we’d try to find out what was happening by listening to the radio. Instead of providing useful civil defence information, the station was switching from reporter to reporter each trying to out-dramatise the other. Terms like “war-zone”, “city reduced to rubble”,… were both alarming and highly inaccurate.

      We don’t have TV, but others tell me the TV reporting was about the same with reporters trying to find the best pile of bricks and best camera angle to make for gripping footage.

      Later the press media were no better. Like the radio and TV news they’d headline with statements that 100,000 houses were damaged. Only on the third paragraph would they mention that less than 1000 houses were badly damaged and that most damage was trivial.

      It would be comforting for the rest of the world to just blame NZ media but that would not be fair. UK papers headlined with “New Zealand under curfew” when in fact only a small part of one city was cordoned and put under curfew”.

      Civil engineers waiting for helicopter time to assess damage found that the media had got there first and snatched up helicopters for their stories.

      What happened during Katrina? Bloody media fly into an area with stretched resources adding people that don’t need to be there. They fly around filming people on roof tops etc. Those helicopters should have been out rescuing people and providing essential services.

      Same for Haiti and others… People hoping a chopper might be bringing them water and food must be seriously disappointed when it disgorges our intrepid journo.

      Even if the news channel owns the helicopter, you’d hope they’d have the humanity to make them available to perform rescue work rather than just chase another story and more footage.

      Twitter and other gossipy feeds are useless for news. There is just too much rumour repetition and swamping the stream with narcissistic crap. Journalists have training to gather the facts and express them clearly. They have skills and resources that could actually help disseminate information coherently if used effectively. But no, the drama is what is reported.

      If an industry cannot serve people during a time of need but instead feed on the misery and anguish of others then we are better off without them.

      Putting sales and viewer share above humanity is immoral.

      I can swear fluently in three languages, have spent 4 years at university and over two years in the military. I still find I lack the profanities required to express my loathing and disgust.

      I hope a few journalists read this and think about their role in society and consider whether they are doing a positive thing for the world. Is your picture and story worth more than a human life? If you think that then I feel very sad for you.

  • Pingback: links for 2010-09-16 « Michael B. Duff

  • Pingback: Facebook Burglaries and Journalism | Royce Hamano

  • Pingback: Facebook Places checks in | SCOT NETWORK

  • Pingback: Facebook Places checks in | World News

  • http://www.grout.org.uk/ Grout

    The point of communication is as it gets faster the stuff that happens is going to get closer. Good and evil will meet at a singularity

  • http://www.shanescode.com Shane Burgess

    I think most people, even “tech” people, are so naive about how programs and program security work. If you choose to use a program, you choose to let the program and it’s administrators see all of the data that you input into it. Whether it is Google or Facebook, I don’t think that you should even have a right to complain about their security.

    If you dont feel comfortable, dont use it. It is that simple.

    Sometimes people act like we are forced to use Facebook and Google and the fact is that we are not and we can choose to stop using them at anytime that we want. We can even stop using the internet anytime we want.

    The internet is not a right nor is it a privilege, it is just something that we can by and use for education and entertainment just like cable.

    I love Google and somewhat enjoy Facebook so I will use them with the understanding that they have access to all of the data that I give them and I could care less.

    So if you find yourself feeling nervous about your security, you need to just stop using a computer all together and go live in a bank vault somewhere that you don’t even know the combination to, then you will be very secure and less annoying.

    • cm

      “If you choose to use a program, you choose to let the program and it’s administrators see all of the data that you input into it.”

      Not necessarily. It depends on how the applications are constructed.

      It is possible to encrypt data so that back-end servers can only store the data and not read it, with the decryption/encryption happening in the browser or other application.

      Although this could restrict the types of application that can be feasibly constructed, it should be possible to, for example, only pass keys to your friends.

      Like the keys to your car, any security measures break if you end up giving the keys to the wrong people.

  • http://www.idguardian.com Tee Morris

    Hello, Jeff.

    On reading your column about the Facebook burglaries and its accompanying comments, I am reminded of how our society is so distracted by technology, technology (and to an extent, a methodology) that it does not understand. Regardless if it is a house that’s robbed, a job that is lost, or a relationship that is abruptly ended, it is usually Facebook, Twitter, or your Social Media outlet-of-choice depicted as the villain. In fact, the responsibility of Social Media can always be traced back to its users who tend to leap before looking. As some have commented here, a wise approach to Social Media is “If you are not comfortable in saying something in a crowded room of complete strangers, it may be best not to tweet it, update it as a status, or check in.” The Social Media movement is all about sharing, but some things go better left unsaid.

    As for myself, I manage a blog dedicated to identity theft protection. I have also written two books on Twitter and co-written two books on podcasting; and I believe that while these outlets are wonderful forums for having your voice heard, you have to approach these outlets with an understanding that privacy is defined by you. If you want to live your life on display then do so, but you cannot cry “Foul” if others exploit that information for their own means. I believe in Social Media and I do share, update, and check in; but I do not do it carelessly. I keep certain aspects of my life close to the vest, and maintain privacy to the best of my abilities. Additionally, while I was away overseas, I had friends and family checking on my property at random times, something everyone should do when leaving their property unattended for a prolonged period of time. These safeguards and practices of common sense give me a peace-of-mind when working in Social Media; and that is really the hard truth of these incredible outlets we have at our disposal. Take a moment to consider what you’re about to post, and ask yourself “Should I?”

    Taking just a moment can safeguard you from Social Media backfiring on you. As users, we need to shoulder more responsibility for our words, be they spoken or tweeted.

  • Pingback: Facebook Places Launches In The UK | O-I Newswire

  • Pingback: Facebook Roundup: Microsoft, Google, Politics, Diaspora, Photos, Data Center, Mobile, Places and Much More

  • http://www.isabelleroughol.com Isabelle Roughol

    http://www.google.com/hostednews/afp/article/ALeqM5ionrXbcbP_jFT3zi7_z2Hbjxc5kA
    I saw this story on the wire last night : inmates inside a Paraguayan prison running a pedophile pornography ring using Facebook and Google Earth to locate and harass victims.
    I don’t know more about it, so take it as is, but I thought you might be interested. Had those sites not existed, those criminals would probably have found other ways to hurt those children. But it does speak to the danger of social networks to children who use them without understanding all features and consequences.

  • http://jimmysblough.blogspot.com Jim Muccio

    Thanks for looking into the true story behind the FaceBook burglaries…coming to an Urban Legend near you. Don’t tell people on FaceBook you are on vacation, don’t blink your high beams at another car, and don’t eat the candy on Halloween. When I first heard this story I told my wife the criminals were friends, not random perpetrators. How do you make a boring B&E interesting? Mention something popular. I’m not sure why FaceBook was even mentioned other than to bash the internet (which I doubt was their intention) or to fan publicity for the news story that evening…other than that who cares? Right the legions of individuals in the security business that make it their job to create our insecurities so we will spend money on their products. Now Jarvis must rise to defend something that cannot be defended…millions of FaceBook users, two burglaries. With those odds I’m going to keep my FaceBook and continue to lock my doors and windows when I’m away from home. But I bet there is a business waiting out there somewhere for someone to sell some sort of social network badge that says, “I’m Out of Town But My Home is Protected by ADT”, “Beware of Dog”, or my favorite, “Member- NRA”.

  • http://www.shanescode.com/shotindex Shane Burgess

    “… it does speak to the danger of social networks to children who use them without understanding all features and consequences.”

    It speaks more about the bad consequences of bad parenting than anything else.

    Many parents are a disgrace these days and would blame Facebook for their child being harmed while using it, but they would never thank Facebook or Google for their kid getting an A by using them to do research.

  • http://www.shanescode.com/shotindex Shane Burgess

    Why Getting Robbed Because Of Oversharing Could Be A Good Thing http://www.shanescode.com/why-getting-robbed-because-of-oversharing-could-be-a-good-thing

  • Pingback: Facebook Roundup: Microsoft, Google, Politics, Diaspora, Photos, Data Center, Mobile, Places and Much More at Facebroke

  • Pingback: Twitter redesigned, reinvented

  • Pingback: President Clinton takes your questions on YouTube

  • Pingback: Foursquare vs. Gowalla « Allesblog

  • Pingback: Avanza Diaspora, la red social que protege la privacidadEnter.co | Enter.co

  • Andy Freeman

    > For anyone who knows the slightest thing about Facebook — that is, any reporter who uses it — the reporting raised obvious questions. So I contacted Facebook, who gave me the email of the detective, and I asked him: How did the accused use Facebook?

    That’s too kind. It doesn’t take any knowledge about or experience with Facebook to know that reasonable reporting starts at the source.

    The fact that professional journalists didn’t bother in this case is not the exception – it’s the rule.

    That’s why no one cares when they say “you’ll miss us when we’re gone”.

    Good journalism is valuable. However, what we’ve got isn’t.

  • http://www.femme-amour-seduction-homme.fr/facebook/ facebook

    facebook is going to disapear compare to google

  • http://www.frontpointsecurity.com Peter Rogers

    You are right – it was a “friends” issue, plain and simple. Here is a link to my blog post on what to share (and what not to share) on social media. We are happy to provide this service to the wider on-line community. Thought we specialize in 100% wireless home security with interactive features, it’s best when you don’t need it in the first place.

    http://blog.frontpointsecurity.com/2010/08/03/twitter-tmi-tips-from-frontpoint-security-on-what-not-to-share-on-social-media/

  • Pingback: Wired, we love it when you make up words. But stop!

  • Greg Link

    Kudos Jeff on calling out the distinction of real reporting. Spinning the facts destroys trust. Interesting that Facebook acknowledged the difference of high trust relationships as a higher level of trust than “friends” Unfortunately users tend to blur that line.

  • Pingback: Bookmarks for September 16th through December 7th : Lloyd Shepherd @work

  • Pingback: Facebook Places checks in to UK

  • Pingback: Facebook Places checks in to UK | Richard Hartley

  • http://www.facebook.com/notes/transformers/hot-xmas-special-recommended-transformers-movie-2-gravity-bots-green-eco-car/323972864288542?ref=nf Transformers Movie 2 Gravity Bots Green Eco

    Hey, I searched for this blog on Bing and just wished to say thanks for the outstanding read. I would have to consent with it, say thanks to you again!

  • Pingback: Smartphone Privacy Risks - wafflesatnoon.com