[Update] This matter has been resolved.
Despite the fact that the machines are rigged, the counts are rigged, the electoral college is rigged, that Washington itself is rigged, and that our energy could be far better spent on direct action, far be it from my desire to raise hackles with Facebook for encouraging young people to vote. If you want to delude yourself into thinking you have a say in the outcome of the 2008 Presidential race, be my guest.
Rather, what has my proverbial panties in a bunch and what I cannot abide is the fact that Facebook’s Rock The Vote voter registration app, sponsored by Credo (formerly Working Assets), asks you for either your Social Security number or driver’s license number over an insecure, unencrypted connection.
Do you see a lock anywhere in that browser window? Do you see an ‘s’ trailing that ‘http’?
Never mind that you should probably never give out your Social Security number over the Internet ever. To do so without even the most minimal protection of a secure, encrypted connection is downright retardulous.
Every year, millions of Americans have their identities stolen and their bank accounts emptied by crafty MFers who need only a name, a date of birth, and a Social Security number to take someone for everything they’ve got. Facebook’s Rock the Vote app asks for all of the above without even feigning security. All one needs to do is intercept that transmission — which is downright easy in the age of wireless network communications — and you’re done for.
Which actually raises another question: What kind of weak ass privacy statement is this? Does Rock the Vote keep your SSN on file — yes or no? And if so, does it share it with anyone? And if so, who? Does Working Assets get access to it as part of the deal for facilitating this service? Does Facebook — a CIA-backed operation — archive that information and associate it with your profile? How ’bout providing a little more of an explanation than your spurious and self-fellating remarks about your commitment to my privacy?
Again, not that I want to rain on Facebook’s electoral parade, but the only responsible thing here for Facebook to do is to take this application offline until it is operating with a verifiably secure connection and a more explicit privacy statement.
In light of the above, I think you’re better off downloading the voter registration form and using a friggin’ pencil.
[Update] As a couple of comments have suggested, “just because you don’t see a lock on the page that collects the information, doesn’t mean that it doesn’t post through an https connection.” This may be correct. Here is the code of the form. It does, in fact, appear to invoke an API that rests on a secure server, but with my limited JavaScript skills, I cannot be certain that the form data is being encrypted. If someone with a little more expertise would be willing to chime in, I’d much appreciate it. If I turn out to be wrong, my humblest apologies for much ado about nothing. Though I suppose it would be nice if the form offered some sort of visible assurance of security.
[Update 2] See Dustin’s comment. By his account, the form submission appears to be secure. Sorry for the false alarm, but again, when it comes to ensuring the security of your personal information, one should be ever-vigilant. My thanks to the Digg and Reddit communities for their sleuthing.
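The distinction the updates above turn on, the scheme of the page that hosts a form versus the scheme of the URL the form submits to, can be read from the markup. The following Python is an added example, not the Rock the Vote form's code or anything from Credo or Facebook; the URLs, field names, name hints and sample HTML are all constructed. It reads only the declared `action`, so a widget that submits through JavaScript has to be confirmed in the browser's network log instead.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed substrings that mark a field as identity data (not from the original page).
SENSITIVE_HINTS = ("ssn", "social", "license", "birth")

class FormCollector(HTMLParser):
    """Record each <form>'s action attribute and the names of its fields."""
    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.in_form:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_forms(page_url, html):
    """Return, per form, the resolved submit URL and whether each hop uses https."""
    collector = FormCollector()
    collector.feed(html)
    report = []
    for form in collector.forms:
        # An empty or relative action inherits the hosting page's scheme.
        target = urljoin(page_url, form["action"])
        report.append({
            "target": target,
            "sensitive": [f for f in form["fields"]
                          if any(h in f for h in SENSITIVE_HINTS)],
            "page_https": urlparse(page_url).scheme == "https",
            "submit_https": urlparse(target).scheme == "https",
        })
    return report

# Constructed sample: one form posting to an https API, one with a relative action.
SAMPLE_HTML = """
<form action="https://api.example.org/register" method="post">
  <input name="first_name"><input name="date_of_birth"><input name="ssn_or_license">
</form>
<form action="/signup" method="post"><input name="email"><input name="ssn"></form>
"""

if __name__ == "__main__":
    for row in audit_forms("http://apps.example.com/vote", SAMPLE_HTML):
        print(row)
```

For the first sample form the report shows `page_https` false and `submit_https` true, which is the situation the updates describe: no lock in the address bar, yet the submission itself goes to an https endpoint.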
[Update 3] Becky Bond from Credo writes:
this is becky bond from working assets / credo mobile. we created the API and widget.
dustin is right. thanks for your explanation. i just saw this story on digg.
the form posts via https to a secure site. nothing is submitted that’s not encrypted.
it’s secure.
however, this discussion makes me think that in the absence of the pages that host the ajax layer being an https page (which it almost never is) maybe we need a way for people to see reveal an explanation of the security on the form itself.
and by the way, we don’t store the ID field in the interest of security. it populates the .pdf form but we don’t keep it in our database.
Thanks for the clarification and sorry for being a prick about it.
[Update 1/11] Facebook responds!
Hi Daniel,
We apologize for the delayed response. Facebook is working with Rock the Vote and Credo to ensure that all of the information provided by users remains private and secure in accordance with the site’s Privacy Policy and Credo’s own Privacy Policy, (which you can access at the bottom of the Voter Registration page). We appreciate you bringing this matter to our attention, and the social security field has been removed. Please let us know if you have any further issues or questions.
Thanks,
Olivia
Developer Operations and Support
I’d feel really bad for my neighbors if they sniffed my packets.
Both in a literal and figurative sort of way.
My mental eye just turned blind…
Wow, your website won’t let me enter my SSN#
it comes out xxx-xx-xxxx
weird!!
*I keed I keed.