Looking for a good conspiracy theory today? Well, here's one: Chris Almond, the administrator of a Facebook group called the Rogue Facebook Apps Early Warning Group, just got kicked off the social network. Why did this happen? Did Facebook not like how he was posting details about Facebook malware, hacks, and attacks? Attacks like this recent one that exposed private Facebook profile information just by clicking on a link?
Or was Facebook simply following through on a TOS violation because Chris had accidentally sent out duplicate messages to group members, thereby getting flagged as a spammer and subsequently booted from the network?
First Rule of Facebook: Don't Talk about Hacks on Facebook!
On Monday, the anonymous blogger over on Social Hacking posted a link that demonstrated a gaping hole in Facebook which revealed private profile data upon clicking. The hack worked (I tried it at the time) although now the hole has been closed. He later revealed the technical details of this hack on his blog.
However, even before those technical explanations were posted, Chris Almond was spreading the word via the Rogue Facebook Apps Early Warning Group, a group whose members like to stay informed about the latest and greatest threats happening on the social network. All he was doing was publicizing the information - he was not involved in the hack's creation in any way.
Shortly after sharing the information with the group, Chris found his account was disabled.
And because it was disabled, Chris's collection of links and articles he had posted since the group's creation in 2009 as well as all the discussions he had with other group members were gone, too. The group's archive was emptied out.
Does that sound suspicious to you? TheHarmonyGuy (aka Mr. Anonymous from Social Hacking) thinks so. He writes, "While I hope I'm wrong (and I very well could be), it appears that at least part of the reason for the account shutdown was that this user was spreading word about my Facebook attack. It saddens me that other people are having to suffer on my account..."
Flip Side: Just a Simple TOS Violation?
Of course, there are always two sides to any story and this story is no exception. In Facebook's defense, Chris Almond was guilty of a TOS (Terms of Service) violation. You see, Chris had decided to send out personal emails to group members with information about the hack and to invite them to a group event. Unfortunately, he accidentally sent out duplicate emails to some of the group's members.
This triggered Facebook's spam detection feature - most likely an automated system that detects such behavior on the part of group admins. Chris received the warning and realized his mistake. Though it was accidental, he had in fact violated Facebook's TOS. He stopped sending any further messages after receiving the warning.
But apparently, it was too late for contrition because Facebook soon thereafter disabled his account.
At the moment, Chris is busy pleading for reinstatement. He has sent Facebook the following emails to state his case:
My Facebook account, registered with this email account [EMAIL ADDRESS REMOVED] has been disabled.
Please allow me to explain my activity that led to the disabling. I am admin of a group called Rogue Facebook Apps Early Warning Group. I wished to send an invite to members to a group event I'd created in which information about facebook security issues was shared, containing links to a site that after personal contact with the author I am satisfied is legitimate and non-threatening.
Here is the link I shared: http://theharmonyguy.com/2009/06/22/illustrating-facebook-privacy-problems/
Due to the size of the group, it was impossible to send a group invite, so I decided to personally message members of the group who had posted on the wall. My reasoning was that they were voluntary members of the group and so this was probably an acceptable course of action. Obviously I was wrong about that.
I have been corresponding recently with Ryan Merket of Facebook platform team about the group. Hopefully he will be able to vouch for my good intentions.
I assume that somebody to whom I sent a message has reported my activity as spam. I can certainly see, in light of what has happened, that it could be construed as such but my intention was to share information about Facebook security awareness, and absolutely not to trouble anyone at all.
Please reinstate my account. I run a small business, promoting music in my local area, and my business will suffer if I can't use facebook for that purpose.
I wrote the other day about how I'd shared a link with members of the Facebook group I co-administrate, and how that action has led to the disabling of my Facebook account registered with [EMAIL ADDRESS REMOVED]
I don't know if the manner in which I distributed the message or its contents were the main transgressions in your opinion. I accept that by duplicating a message I triggered an automatic spam alert, and I sincerely regret that particular course of action. Please note, I stopped sending the messages as soon as the first warning appeared.
The link itself was to a hack, described here by its author http://theharmonyguy.com/2009/06/24/facebook-attack-technical-details/
The purpose of the Facebook group I help to run, Rogue Facebook Apps Early Warning Group, is to spread awareness about the weaknesses in Facebook platform that allow unscrupulous Facebook app developers to access users' private information without their explicit authorisation. I am not a hacker, nor particularly technically informed in that area, but I am somebody who is concerned by the implications of such weaknesses. Neither am I, as my group co-admin erroneously stated in an email to you yesterday, working with theharmonyguy. I merely follow his work and believe that the kind of activism he engages in is an honorable, and practical way, of encouraging greater security on Facebook.
A hallmark of my personal experience of Facebook is the worrying amount of applications that find their way onto my account without my permission. Error Check System, the notorious app attack of February 2009 that led to the formation of our group, was merely one of the most aggressive, visible, and widely remarked-upon.
I don't publish sensitive personal info on my account, but many do, and I believe it is legitimate behavior to be proactive in spreading awareness of the issue.
I am not a spammer. I have never, before this incident, done anything that could be viewed as spamming. I accept that I was naïve in the way I went about promoting the activities of my group. I do not think that what I did warrants permanent expulsion from the Facebook community, and I hope you will agree.
What Do You Think?
So is this a clear-cut case of a Facebook TOS violation being acted upon? Or was Facebook just looking for an excuse to shut this group down? Surely they couldn't have liked the fact that Facebook users were using their very own platform to share news and links about ways to attack Facebook! Still, there wasn't anything Facebook could do about it...unless somebody crossed the line, of course.
Luckily for us, Facebook has not yet succeeded in completely destroying this group. The Rogue Apps Early Warning group itself lives on thanks to co-admin Stuart Forbes, who is now in charge of the group's activities. Chris's account is currently still suspended.
UPDATE: After this article was published, Facebook reactivated Chris's account.