Yesterday, I read an article at a German news web-site about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don't have any chance to avoid crawlers accesing personal data which should be presented only to friends. Ridiculous!!!

Sorry, that is definitely nonsense!

It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular frontend, a crawler, an administrative application,...) tries to access data. You have done an authentication. You do the authorization by comparing the authentication information to the authorization information. You decide on whether access is allowed or not. That is done in millions of applications day-by-day. And that shouldn't work with social network sites? I don't see any real reason why!

For sure there are two reasons why at least some social networks don't do that in this way:

  • Bad software architecture: Security has to be done by design, from the very beginning. Otherwise it is hard to implement it. Unfortunately, many developers don't design security in their products but add it at the end, as something painful they have to do at the minimum level.
  • Performance considerations: For sure security will affect performance. For any access, you will have to do security checks. You will even have to provide stronger authentication features. But it can be done. Providers will probably require some more hardware to keep the performance level of their social networks. But security has its price.
But to be honest: These aren't valid reasons. Either you are able to deploy a social network in a secure way and fulfill the data protection laws. Or you should shut the entire thing down. Given that it is possible to secure social networks, the operators should be fully responsible for any security breach.

By the way: Even the databases themselves can be fully secured. That depends a little on the database chosen and the additional technologies in place, like Oracle's Database Security products (to mention one of the more advanced solutions). OK, that will again cost you some performance and some money. But again it is about "security first". If the providers of social networks can't afford the cost of security, their business model just doesn't work.