So I downloaded all[1] my data from Facebook, and as part of the security theatre for the download process it asked me to identify the people in a number of photographs of friends; it required something like 5 positive matches with 2 skip/denial/dunnos.
It gave me one photo which contained nobody identifiable – fie upon you if you don’t know all your Facebook friends that well – and then another set of photos containing no faces.
By the third set of faceless photos I was prepared and did a screengrab: (mildly edited for names)
…and this was now a case of “you’ve used up your lifeline and have to get this one correct, or else we’ll swallow your zipfile of personal data bwahahahahahahahahah“.
Fortunately I looked at the hands and decided “From the options provided I only know one person that skinny and married”, and I was right.
Good security, right? No, not really. They’re doing for downloads what a human being could more-or-less access with the right token or session hijack, so it’s non-orthogonal. What is sauce for the download is not sauce for the interactive session; they send you an e-mail with the link, for heaven’s sake. The law of diminishing returns applies, especially when your solution verges upon the unusable.
So what they’re actually doing is staving off the privacy nutcases who’d otherwise take them to the tabloids. Or they’re scared that it might be exploited by XSS somehow…
In short: this is a face-saving exercise (arf!) and it’s a bloody nuisance.
Also we can work out that Facebook expect you to know at least 71% (i.e. 5/7) of your Facebook friends by face. Probably untrue for a bunch of people I know.
[1] “All” meaning “Except for your Wall which we only dump up to year 2006”
Updates:
1230h – it looks like the link is reusable. Wheeeee!
1238h – maths bug fixed