Facebook traffic for AT&T customers was routed through Chinese and Korean servers for some unspecified amount of time, raising privacy concerns.
A number of Facebook users
may have made a detour to China recently on their way to connect with friends.
Some of the network traffic
heading to Facebook's servers in Palo Alto, Calif., was re-routed to first pass
through Chinese and Korean servers, according to Barrett
, a network security expert who flagged the incident on March 22. Lyon suggested
in a blog post that it was probably an accident.
"This happens all the time-the
Internet is just not a trusted network," Lyon said.
A similar incident surfaced
almost exactly a year ago on April 8, 2010, when a Chinese ISP incorrectly
published a set of BGP (Border
) instructions that could have potentially affected 37,000
networks. The incident lasted only 18 minutes, and China Telecom, the country's
largest ISP, denied trying to hijack Internet traffic. Experts speculated it
was an accident because of how quickly it was fixed.
Lyon's analysis was for
AT&T customers only. As customers browsed through Facebook, the network
traffic first went to Chinanet, one of the largest ISPs in China, and then to
SK Broadband in South Korea, before reaching Facebook's ISP, Lyon said.
Usually, traffic from these customers would have gone over the AT&T network
directly to Facebook's network provider.
Lyon used the trace-route
tool to discover which network providers the traffic hopped through on its way
to Facebook. It's unclear how long this routing was in place, or whether it
affected other ISPs.
While this kind of re-routing
can happen "all the time" as network operators can easily make mistakes working
with BGP and routing tables, Lyon was still concerned about the incident in
light of China's censorship activities.
"I prefer to know that
when I am on AT&T's network, going to U.S.-located sites, my packets are
not accidentally leaving the country and being subject to another nation's
China aggressively censors
the Internet and activists have worried about the government snooping on their
citizens' online activities. As the government exercises tremendous control
over the ISPs, the government can see personal information, intercept email and
view online activity.
"What could have
happened with your data?" Lyon wrote. "Most likely absolutely
Lyon said that "it's
possible" Facebook data, such as session ID information, personal data,
messages, photos, chat conversations, and relationship information to "friends"
could have been revealed, but noted it was only speculation at this time.
Users who have already
on their Facebook
accounts can breathe a little easily, as their
information would have been encrypted during this side jaunt through China. The
Secure Sockets Layer means Chinanet could see there was traffic going to
Facebook, but would not be able to see the contents of the traffic. Lyon
criticized Facebook for rolling this feature out as an optional one, instead of
enabling it for all users by default.
also recently rolled out HTTPS, but it's also optional. Google
uses it by default for its mail.
High-profile sites should
also not be allowed to route to non-authenticated networks, he said.
Facebook or AT&T should
have notified customers of the problem, Lyon said. Facebook did not respond to
requests for comment.