Websense explains how Facebook users are so often victims — they are targeted by the huge growth in inexperienced attackers due to inexpensive malware app builders.

You don’t have to be a developer, but a mere $25 can buy you a Facebook viral application toolkit and unleash all the unwanted content you want onto Facebook.

As an example, let’s look at a very similar fraudulent application that “can” allow Facebook users to know who “creeps” at their profile, called “Facebook Profile Creeper Tracker Pro”. The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one that looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

Should be revoked?

There appears to be no Facebook barrier to entry for attackers. The $25 is a nominal amount and easily recovered; victims generate revenue of at least $.20 — only 125 are needed to cover the initial expense and then it’s all profit. And that cost model is for attackers with no experience.

The burning question for regulators should be how a user can protect themselves against a Facebook scam like this permanently. In other words, why does Facebook continuously fail to provide reasonable privacy options, or offer users permanent protection?

The answer may be found in Facebook’s recent trickery with network privacy.

Two weeks ago, the social networking site proudly announced a new “secure browsing” option located under the Account Security menu which would allow people to enable HTTPS for all future visits.

However, at the moment, third-party apps don’t not work via HTTPS, because they load external content into the page.

This content cannot be signed by Facebook, therefore, the secure connection is broken each time an HTTPS client opens such an app.

Facebook prevents this from happening automatically via a dialog that reads “Sorry! We can’t display this content while you’re viewing Facebook over a secure connection (https). To use this app, you’ll need to switch to a regular connection (http).”

Pressing the continue button, however, doesn’t just remove HTTPS for that session, but clears the checkbox from the persistent “secure browsing” setting without any indication of doing so.

They take a one-time decision and turn it into a permanently insecure setting without notifying you.

Just in case you still have any doubt: Storing private information on Facebook is like putting your finances in a bank that offers partnerships to grand theft felons. You might really like working with the bank and their customers, but you need to be very wary of their business practices.

I strongly recommend to everyone they immediately delete all personal and valuable information from their account or at least only use fictitious information on Facebook including fake photos.

Even the founder himself has turned to the government to protect against Facebook-based attackers.

The British Press Complaints Commission (PCC) has decided in favor of the press regarding a newspaper’s report on a civil servant’s tweets.

Ms Sarah Baskerville complained to the Press Complaints Commission that an article headlined “Oh please, stop this twit from Tweeting, someone”, published in the Daily Mail on 13 November 2010, intruded into her privacy in breach of Clause 3 (Privacy) and was misleading in breach of Clause 1 (Accuracy) of the Editors’ Code of Practice.

The complaint was not upheld.

Baskerville made the argument that, although her Twitter, blog and Flickr accounts were configured as open and available to anyone on the Internet, she held a “reasonable expectation that my messages…would be published only to my followers”.

If she knowingly set an account to be open and available to anyone, and she operated it under her real name, then her expectation of privacy is curious. Hoping that someone does not look at your tweets is not equivalent to restricted access.

As a result of the newspaper’s article, she had taken the decision – reluctantly – to lock her Twitter stream so it could not be viewed by anybody apart from her followers.

The change in access shows that she realized a distinction can be made between the public and a subscriber; but the risk of re-tweets and forwarding by 700 followers still poses a challenge to any expectation of privacy.

The questions in front of the PCC thus boiled down to whether Baskerville could claim her open tweets as private and whether they were an inaccurate representation of her. It is as if she claimed that yelling a comment to 700 people in a public area is private communication and not an accurate representation of her. It seems fairly obvious why they dismissed the complaint.