User vs Corporate Understandings of ‘Security’

A really interesting paper on social authentication has just been released that looks at how facial identification ‘works’ to secure social networks from unauthorized access to profiles/records. The authors note that users of social networks are most concerned in keeping their interactions private from those who know the users. Specifically, from the abstract:

Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).

Moreover, a targeted effort to identify a users’ friends on a social network – and examine their photos – will let an attacker penetrate the social authentication mechanisms. While many users would consider this a design flaw Facebook, which uses this system, doesn’t necessarily agree because:

[Facebook] told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.

What Facebook is doing isn’t wrong: they simply has a particular attacker-type in mind with regards to social authentication and have deployed a defence mechanism to combat that attacker. Most users, however, are unlikely to consider that the company has a different attack scenario in mind than its end-users, leading to anger and concern when the defence for wide-scale attacks fails to protect against targeted attackers. While I don’t see this as a security or policy failure, it is suggestive that companies would be well advised to explain to their users how different security inconveniences actually interact with different hack/attack scenarios. Beyond educating users as to what they can expect from the various defence mechanisms, it might serve to raise some awareness about the different kinds of attackers that companies have to defend against. In an ideal world, this might serve as a beginning point in educating users to become more critical of the security models that are imposed upon them by corporations, governments, and other parties they deal with.