SOCIAL NETWORKING AND THE OVERLOOKED ISSUE OF SECURITY

Transcription

1 SOCIAL NETWORKING AND THE OVERLOOKED ISSUE OF SECURITY Social networking by definition focuses on building and reflecting personal and social relations among people who share common interests, causes or goals. A social networking site is a on-line service that attracts a community of users and provides such users with a variety of tools for posting personal data and creating user-generated content directed to a given user s interest and personal life, and provides a means for users to socially interact over the internet, through , instant messaging or otherwise. In so doing, social networking sites allow users to share ideas, activities, recommendations, personal information and interests within their individual networks, as opposed to an online community that is group rather than individual-focused. As of June 2010, twenty-two percent of all time spent on-line is social, i.e., messaging, commenting, blogging and sharing. 1 For the first time ever, social network or blog sites are visited by three quarters of global consumers who go on-line. 2 In the U.S. alone, the total minutes spent on social networking sites has increased eighty-three percent year-over-year. 3 These results are astounding for such a new media: e.g., Mark Zuckerberg launched Facebook, currently the most popular social networking site worldwide, only in February Upward trends in user membership, corporate marketing and other metrics with respect to social networking sites are expected to continue. 4 The issue of information security on social networks is paramount, but has largely been tabled by social networking sites in favor of emphasizing user growth and brand marketing. Achieving information security within the Web 2.0 arena of social networking, though, is difficult and complicated, as users tend to overlook security risks, businesses downplay the gravity of the security issues, and owners of social networking sites are somewhat conflicted by financial incentives that run contrary to privacy and security concerns. A. The Overlooked Issue of Security Id article/202333/take_advantage_of_increased_time_spent_on_social_networking.html 1

2 By definition, social networks regardless of whether they are informal networks (e.g., Facebook or Twitter) or professional networks (e.g., LinkedIn or Martindale- Hubbell Connected) are community-based forums where the free trade of ideas and information is encouraged. From an informational security standpoint, therefore, the pivotal weakness with social networking sites is conversely their strength: social networks encourage open interaction among both known users and loosely-connected users and, as a result, the normal social barriers against interacting with near strangers are lowered. Juxtapose this openness against the rampant increase in cyber crime and identity theft worldwide, 5 and therein lies a potential privacy epidemic. Unsurprisingly, there have been countless reports of cyber criminals phishing for personal information on social networking sites. 6 In fact, data suggest that an increasing volume of cyber crime is being directed to internet users on social networking sites. 7 At risk is not only the personal information of the user, but presumably also that of the user s employer. The tools of the trade for cyber criminals are clever and devious, such as (i) creating fake profiles of friends, which is known as social engineering, (ii) hacking into friends profiles and sending messages that look-and-feel to be from a friend, and (iii) ing hostile computer code known as malware, usually from an account of a friend that becomes activated when unwitting recipients click on the infected, internet links. Unsuspecting users on these sites run the risk of compromising sensitive information, including bank and financial data, highly personal information such as relationship, health and well-being and employment information, and similar sensitive information of family and/or friends. Up to this point, social networking sites, at least informal sites, have been somewhat obtuse to the issue of information security: In January 2010, Mark Zuckerberg, the CEO of Facebook, stated at a technology conference that privacy is no longer a social norm, as users have adapted to sharing information online over blogs and other social media and, in turn, the /10/identity-theft-on-the-rise-survey/ news/security/cybercrime/showarticle.jhtml?articleid= ; -Marian/Social-Network-Members-Increasingly-Vulnerable-to-Phishing/ba-p/

3 company has structured its privacy settings accordingly. 8 Roughly six months later, a hacker has created a program that has legally harvested and published highly-personal data from over 100 million Facebook users who failed to change their privacy settings to make their profile pages unavailable to search engines. 9 In February 2010, Google, shortly upon the release of its own social networking site, Google Buzz, was slapped with a class-action lawsuit in a federal court in California and at the Federal Trade Commission based on claims that Google automatically activated and generated publically accessible lists of followers gleaned from users Gmail accounts and Gtalk conversations. 10 In June 2010, Twitter, the other major operator as of now in the social media landscape, agreed to settle charges by the U.S. Federal Trade Commission that it deceived consumers and put their privacy at risk by failing to safeguard their personal information. 11 B. Managing Security Risks At this time, information security on social networks is fundamentally a behavioral issue, not a technology issue. Because of this, users as opposed to the sites themselves appear best suited to manage security risks, as it is the users who have full control and discretion as to what is published, posted, tweeted or otherwise disclosed over the sites and who are invited into circles of friends. Simple measures such as refraining from publishing financial and sensitive information, using strong and unique passwords, not assuming privacy on a social networking sites and selecting social media friends with caution greatly contribute to information security over social networking sites. For businesses, managing security risks via its employees can be more challenging, but is necessary, as potential risks include inadvertent disclosure of sensitive enterprise information such as financial data, corporate intellectual property and IT infrastructures. At a minimum, businesses should implement policies to ensure that employees are made aware of the threats online to themselves and the enterprise through the disclosure of

4 sensitive information and establish a security policy including the use of social networking sites. Even though social networking sites have deemphasized informational security in the past, social networking sites are not totally apathetic to users security and privacy concerns. Social networking sites, for example, have privacy and security safeguards on their respective sites, including procedures to permit users to adjust how others access their personal information. 12 The default settings for these functions though as discussed above in the case of Facebook tend to be quite permissive and users must configure the settings to take the advantage of the potential protections available, and to control the searchability of the posted information. Recently, there also has been increased intensity relating to information security by both public agencies and private watchdogs, 13 such as the Electronic Privacy Information Center, the entity that filed the complaint against Google in February 2010 relating to Google Buzz. Collectively, these entities have scrutinized the social networking sites policies relating to, among other things, information security on their respective sites. In response, the sites have reassessed security measures in the face of potential legal calamity, monetary damages and loss of user membership. At this time, however, information security on social networking sites remains fundamentally a behavioral issue, not a technology issue. In turn, therefore, it is naive for users and businesses to disregard security risks and outsource security to social networking sites, where there is no uniformity with respect to security safeguards at each site, there are constant reports of security leaks and breaches of users profiles (e.g., President Obama s Twitter account) 14 and where the relevant legal landscape is in its infancy Shtm; Gina Stevens, Federal Information Security and Data Breach Notification Laws, Congressional Research Service, January 28, 2010 ***The sources for much of the information in this article are electronic equivalent of news articles, i.e., websites and blogs, because of the current dearth of reported cases and scholarly works with respect to security and social media issues. Such resources and jurisprudence can be expected to become available 4

5 C. Conclusion Social networking has become fully engrained in our societal fabric in a very short time span. This new media is in its infancy and, many questions such as legal issues regarding informational security, remain largely unsettled. Indeed, uniform legal standards for security on these sites whether case driven or by statute are non-existent as of today. Government action is on the horizon and is inevitable in response to a growing public awareness of the security risks, but no one can accurately predict what, when and to what degree such action will be. At this time, therefore, the burden of security will be carried more by the users. Prudent behavioral choices by users, and the businesses that employ them, offer the best safeguards against cyber crime and disclosures of sensitive information. over the ensuing years during the continued expansion of social networking sites and the onset of governmental legislation addressing privacy and informational security safeguards for these sites. 5