Harvard researcher exposes Facebook privacy leak
This story is from the Globe archives. It originally appeared July 10, 2010.
Half a billion users expected to share intimate information with friends and family members on the vast online social network Facebook. What they didn’t expect was for Facebook to share their surfing habits with the businesses that advertise on its pages.
But that is exactly what was happening, and it was a Harvard professor who proved it.
Benjamin Edelman, an assistant professor at Harvard Business School, uncovered the Facebook privacy leak in May. His research showed how a bit of errant computer code enabled advertisers to identify anybody who clicked on an ad.
Armed with that information, the advertiser could potentially collect more personal data from Facebook that few users would want to share with complete strangers: phone numbers, home and work addresses, perhaps even the person’s likes and dislikes. Edelman’s discovery helped spawn a firestorm of protest from Facebook members, and a major overhaul of its privacy policies.
Edelman has made a practice of blowing the whistle on Internet privacy violations. In January, he published research asserting that Google Inc.’s popular browser toolbar continues to capture data from a computer even after being disabled by the user. He found that online retailer Upromise had also built browser toolbars that gave up a user’s sensitive information without permission, going so far as to reveal a user’s credit card number.
When confronted with Edelman’s research, both companies revised their software. But Edelman said the blunders reveal a persistent apathy about privacy. “They don’t care enough to take the time to protect users’ private information,” he said.
Edelman believes his mission is to make them care. “The first step is to uncover these things,” he said, “as many as you can, as often as need be, and make sure that the word gets out.”
Edelman, 30, has been a prominent Internet security and privacy researcher for nearly a decade. In 2002, when he was 22, he gained international fame working with Harvard law professor Jonathan Zittrain to document the extent of Internet censorship in China and Saudi Arabia.
Today, Edelman is a leading critic of Internet advertising fraud, and co-counsel in an ongoing lawsuit from 2007 that challenges Google Inc.’s online advertising methods, the way the Internet search giant makes its money.
Edelman also works as a consultant on Internet advertising fraud for a host of major companies, including The New York Times Co., owner of the Globe; Wells Fargo Bank; the National Football League; and Microsoft Corp., which has an Internet search service, Bing, that competes directly with Google.
Several evenings a week, from a home office stocked with computers, Edelman logs onto the Internet, searching online services for new ways in which they might be violating the privacy of visitors. Each computer contains software that creates a video of whatever’s happening on its monitor screen. It also contains a “packet sniffer” program, which records every bit of data passing between the machine and the Internet.
“We test the most popular sites,” Edelman said. “I choose to start with the big guys, because that’s where the action is.”
A native of Washington, D.C., he has spent most of his life at the crossroads of law, technology, and politics. Both of his parents are lawyers; his mother represents senior citizens, while his father works on behalf of labor unions. His aunt, Marian Wright Edelman, is president of the nonprofit advocacy organization Children’s Defense Fund.
“I take my most direct inspiration from my parents,” said Edelman, “whose work exposing and correcting unlawful practices has motivated much of what I now do.”
In high school, Edelman was writing software, setting up the Children’s Defense Fund’s computer network, and earning money as an independent website developer. Although he enjoyed the work, Edelman had no desire to be a computer scientist. “My goal was to do something a little bit more unusual,” he said. “I didn’t know quite what it would be.”
Arriving at Harvard in 1998, Edelman wound up on the doorstep of Charles Nesson, a friend of his aunt and a Harvard law professor who founded the school’s Berkman Center for Internet & Society. Edelman “came here and lived in our house for a while,” said Nesson, “and then started helping with tech at the Berkman Center.”
The freshman became the center’s first technical director. He also helped research the allocation of Internet domain names, and the pros and cons of using filtering software to prevent children from seeing Internet pornography.
Edelman opted for a degree in economics, regarding it as the most practical discipline. With economics, he said, “you can answer almost any question, or at least try to.”
Edelman earned his degree with highest honors in 2002, picking up a master’s in statistics shortly after. Meanwhile, he and Zittrain carried out their groundbreaking research on Internet censorship overseas. Zittrain still marvels at Edelman’s relentless work ethic. “He’s just always working,” he said. “The level of discipline he brings to a task is unparalleled.”
Since then, Edelman has earned a law degree and a doctorate in economics, both at Harvard. He has authored dozens of research papers, singling out Internet-based businesses that distribute software that’s insecure or that covertly captures the user’s personal information.
Edelman says the lax attitude toward privacy at companies like Google and Facebook will probably result in future lapses.
Facebook, for example, lacks a dedicated team of privacy engineers to test its software, he said. “When you update your software too quickly and don’t have testers,” he said, “you’re running an increased chance of these kinds of defects creeping in.”
Facebook spokesman Simon Axten disagreed.
“Giving people control over their sharing has always been a top priority for us,” said Axten in an emailed statement, “and any assertion to the contrary is false. We build privacy into our products from the start and test them extensively before launching to all users to maximize understanding and control.”
But Edelman wants more. He favors laws that force Internet companies to pay damages to any user whose privacy is violated. The per-user amount could be small, as little as 50 cents. But a class-action suit could multiply the amount by millions of users. “If they knew they had to face that kind of penalty,” he said, “they’d be more careful.”