Abstract
Privacy in the Internet age is an emerging and evolving right, and with the rapid breakdown of the traditional boundaries between personal and public information, it is a time of cultural shift that will take a while to stabilize. What you do to adjust can help you ride the wave or crash into the sand. The following article looks at different privacy issues arising in our society today and offers recommendations on how to keep you and your company floating somewhat peacefully through the changes.
According to an essay by Ronald B. Standler,[1] privacy is “the expectation that confidential personal information disclosed in a private place will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.” The online FreeDictionary[2] defines privacy as “the state of being free from unsanctioned intrusion, and, the state of being concealed; secrecy.”
Both are good definitions that allow us to discuss the subject in as broad or as narrow terms as we would like. But there are other privacy issues, some technical and some philosophical, that need to be addressed as well. The first is the concept that our idea of privacy is an emerging and evolving right.[3] There’s an increasing breakdown of the traditional boundaries between personal and public information, and in the age of Facebook and Twitter, it is a time of cultural shift that is going to take a while to stabilize itself and shake out.
But let’s start this discussion from the philosophical viewpoint that privacy as we know it is gone and we should just learn to live with it. The genie is out of the bottle – the cat is out of the bag. But who is giving us that advice and why should we listen to it? In fact, a better way to look at it may be “how do we close the door now that the cows have already escaped.” This topic requires us to open our minds a bit.
First of all, how are we defining “loss of privacy?” Is it just someone else having our personal information? Or is it the exposure of information about who we are, such as the kinds of foods we buy or where we shop? Or could it be that where we physically are and what we are doing is what we’d like to keep private? The answer to this question completely depends upon your personal perspective. For example, Angelina Jolie clearly has no privacy, but it is because an army of paparazzi is following her around, publishing every little fact about her. And why? Because there is a demand for it! The same can be said for our information: people make money by using our personal information, thus creating the demand for better and more accurate information.
We talk about our loss of privacy, but what does that really mean? Does it mean more intrusive adverts that target our fears and concerns, or does it mean better recommendations when we are shopping? It is clearly a double-edged sword when it comes to the potential benefits and detriments. But, like any weapon, it can be used to protect and defend or to attack. The tools that are used to collect, correlate, and share our information can be used both ways: to improve our lives or, in the wrong hands, to create hardship and loss.
Take social networking services as an example. There are court cases that have used information taken from social networking sites to determine punishment,[4] such as the case with Jessica Binkerd. In that case, Santa Barbara Superior Court Judge Joseph Lodge ruled that Binkerd should serve a five-year sentence because the pictures on her MySpace page taken after a fatal car accident indicated that she had no remorse.
Or, in a case that would have been impossible even five years ago, bad-girl rocker Courtney Love is being sued for libel by a fashion designer for allegedly slamming the woman on Twitter. Love disagreed with what she should pay Dawn Simorangkir for the clothes she designed, so Love posted derogatory comments about the designer on Twitter, including the fact that the designer “allegedly” had a history of dealing cocaine.
Or, consider the case of Amanda Bonnen and her former landlord. Bonnen, an Illinois resident, is accused of using Twitter to tell another user: “Who said sleeping in a moldy apartment was bad for you? Horizon Realty thinks it’s okay.” Horizon Group Management LLC, the company that owned the apartment in question, sued Bonnen for libel over the alleged tweet. Horizon is seeking $50,000 in damages.
So, how should a libel case be handled when it comes to social media? How can society balance accountability with free speech? And if information – from private thoughts to public data – is so readily available, once again, how do we define what constitutes privacy?
One thing is clear: when it comes to privacy and corporate America, today’s companies must be aware of what their employees are doing online, especially when people are being sued over what they post on social-networking sites for everything from privacy and defamation to content ownership. Today’s laws are at least five years behind technology as it is developing, so do not look to the courts to protect privacy.
So, the first recommended step to take:
Establish a policy regarding corporate privacy protection and online employee behavior: what is acceptable and what is not. Some organizations have a code of conduct regarding online behavior that is enforceable.
We also have to look at hiring practices and how some organizations make use of social networking sites as part of a background check. In an article published last February, Tom Ahearn[5] discussed the issues that employers may face if they use information regarding medical or disability information found on social networking sites. In fact, employers may find themselves facing a discrimination lawsuit if they are not careful.
But what about insurance companies? Could this information be used to determine if you are a high risk because of the things you have posted on Facebook or MySpace? The answer is yes,[6] and here is where it can get really scary: you may be risking more than you know – like your benefits, or even worse, your job.
For example, Nathalie Blanchard, a 29-year-old woman in Montreal, Canada, was stripped of her disability insurance after her insurance company saw pictures she uploaded to Facebook. She had been on disability leave from her job at IBM for nearly two years after being diagnosed with major depression. Her doctor, as well as the company’s insurance psychiatrist, ordered her to go on disability, and that is what she had been living on until they cut her off. Her insurance company saw photos on her Facebook profile showing her smiling and having a good time, and determined that she was okay to return to work since she did not appear to be depressed in the photos. In fact, insurance companies make no secret that Facebook has become a tool for investigation.
Then there is the other side of the coin where an employer terminated an employee for posting nude pictures of herself on Flickr. An Austin, Texas, high school art teacher, Tamara Hoover, was let go because the school district felt that those pictures were pornographic and students would be able to access them. She appealed and lost.[7] The school district cited a clause that stated that teachers were prohibited from such behavior. Unfortunately, Hoover is not an isolated case. In fact, there are numerous references on the Internet regarding employees having been terminated due to this kind of “inappropriate behavior.”
Then there’s Ashley Payne, a former 9th and 10th grade literature teacher at Apalachee High School, who was forced to resign because she mentioned an event called “Bitch Bingo” and had also posted photographs on the page depicting herself with alcohol. At the time, the school district had no policy governing social networking sites – although such a policy is now being discussed by the Board of Education.
This brings us to our next recommendation:
Establish a review program that periodically examines employee social networking pages; this will at least encourage employees to restrict access to their “friends.”
The unfortunate part of the new social networking regime is the personal extortion possibilities it can create. For example, many social networking sites offer additional applications that allow you to play games with all of your “friends” or do a variety of other things. One such application asks you to make comments about your friends and their lifestyle, including such sensitive topics as sexual orientation. Then, that application sends a message to that friend, letting him or her know comments have been made, but not what those comments are. In order to see what has been said about you, you have to join the application, and in order to join the application, you have to give the application access to your profile information, photos, your friends’ info, and other content that it requires to work. The application request never goes into detail regarding what “additional” content the application requires to run, but if you do not give the application access to your profile information, you never get to see what was said about you and by whom. This is a strong-arm user adoption technique that, in my opinion, clearly oversteps the line of propriety, amounting to privacy extortion.
To avoid these kinds of situations: Consider adding an extortion awareness plan to your Employee Assistance Program. People do strange things, and knowing that they can get help may prevent a security breach.
To take it a step further, a clever attacker can discover private information that can be held over an employee’s head, forcing him or her to do something like steal critical corporate data in order to prevent the exposure of this information. Unfortunately, this kind of industrial espionage is nothing new, but what is taking shape in the underground Internet age is as distinctive as it is worrisome, and social networking just expands the possibilities to implement this nasty method. In fact, data thieves are harvesting as much corporate data as they can in anticipation of rising demand, and they have begun to target corporate employees who use free Web tools, such as instant messaging, web-based email, and group chats on social networking sites.
The most fertile turf would be AOL, Yahoo, and MSN instant messaging, Yahoo Mail, Hotmail, Gmail, MySpace, and Facebook – the free tools that on any given day you will find open on millions of workplace PCs. The most coveted loot? Email address books, instant-messaging buddy lists, PowerPoint slide presentations, engineering drawings, partnership agreements, price lists, bid proposals, supply contracts, executive email exchanges, and the like. One set of stolen data – for instance, a senior manager’s user name and password – is often used to get deeper access to key databases, and each infected PC then becomes a beachhead to breach other PCs and harvest more data. Researchers at RSA, the security division of tech systems supplier EMC, have been monitoring deals on criminal message boards. One recent solicitation came from a buyer offering $50 each for email addresses for top executives at U.S. corporations.[8] Corporations make it all too easy because, although many firms block access to YouTube and other popular websites on work computers, most organizations pay little heed to how employees use free web programs.
So, how do we lose our privacy? There are three ways:
In an effort to keep this article to a manageable length, I will only discuss the first two.
In the voluntary method, social networking sites are clearly the largest challenge to security professionals today. Users voluntarily provide information that can be used to create personal profiles, offering anyone who wants to do the work a very focused and effective method of targeting critical people in an organization. Although the government is prohibited from profiling, there is no such prohibition in the business world. It is also very difficult to police.
Another way we voluntarily give up information is through retailer discount cards. The retailers claim that the information is not used – but it is collected. Knowing about databases, I assumed that there are ways to correlate the information and make some pretty accurate assumptions about people. I was curious about this, so I asked a friend of mine who ran a database group for a major food chain before he retired. His response confirmed for me that not only is the data there, it is not at all difficult to massage this data to extract the marketing materials wanted by the retailers. If you are comfortable with your buying habits being available to anyone on the Internet, then this is probably not an issue. In fact, I conducted an informal poll of 30 of my neighbors, friends, and family, and the responses were startling. Most did not care! So, THIS seems to be the crux of the problem – people do not understand when their privacy is being invaded.
Develop an action plan classifying privacy breaches that could adversely affect your company and your employees. Include privacy training in your recurring security-training programs to educate employees to understand when their privacy is being compromised.
Being tricked into giving up your privacy happens when thieves create tempting offers through email and websites – sometimes a combination of the two – that entice users to click on something they should not click on. Combine some social networking site reconnaissance with that, and it suddenly becomes very clear how an effective attack can be crafted. I have personal experience with this: when I worked in the aerospace industry in the 1980s, I was cautioned not to frequent a bar that was located across the street from my employer. I was told that spies would frequent the bar, make friends with you, learn about you, and figure out ways to exploit that information for the purposes of extortion. Same motive, different method.
So, the question we need to pose now is “how will the loss of personal privacy affect my company and what can I do about it?” Throughout the history of the Internet, as threats have evolved they have become more targeted and have grown in scope. Take phishing for example. It started out as a broad way to get clueless users to give up information. Once people started to get wise to the threat, the attackers changed their tactics and spear phishing was born. Who was the target in these attacks? The enterprise. So, given this history of threat evolution, it is pretty obvious that the next target is going to be groups of people. Information is going to get aggregated and some enterprising attacker is going to figure out how to leverage it against a group. Those groups are very likely going to be our enterprises.
Perform regular searches on your company name to see what is being said about your company, including what your employees are saying about your company.
Consider this scenario: an attacker decides he wants to extort money from an organization. He has not decided which organization to target yet but has happened across your internal phone list. Using that list as a reference, he could scrape information from social networking sites, adult networking sites, photo sites, hacker credit card “resources,” and various other online resources to create a corporate threat profile.
The extortion may take the form of a threat to disclose personal and private information about your employees, or it may be a threat to target them in fraud or identity theft activities. “Send me $2M or I start emptying your employees’ bank accounts” or “I’ll publish embarrassing information about your employees unless you pay me.” It could even take the form of a threat to send information to your insurance provider in order to create employee stress. It may just be a concerted attack on individuals in order to leverage their access to critical information. It may or may not be credible, but not having an action plan or understanding how to react can create doubt on the part of your employees as well as any investors or stockholders that the company may have. I recently spoke with a CISO who said that reputation management was a major concern for her.
Discuss the impacts of social networking security breaches with the HR and legal departments, and establish an action plan. Your attorneys understand how “cease and desist” and “take down” orders work, when to employ them, and when not to. Compromising information CAN be removed from the Internet.
Forewarned is forearmed. Knowing that there is a potential threat and understanding that you must be prepared is the first step. As security professionals, part of our mandate is to attempt to get in front of problems before they cripple our enterprises. Addressing an issue early in its evolution has many advantages, such as lower cost and less energy expended. You may be dealing with privacy and reputation issues even as you read this, or you may not. But not acknowledging that the problem exists, and that it will continue to get worse, is not the way to success. Follow these simple recommendations, generate an action plan, and be ready when the inevitable occurs.
With 20 years of security experience, Mark Kadrich, CISSP and president of the Silicon Valley ISSA Chapter, serves as CEO of The Security Consortium, whose mission is to provide better security product knowledge to customers. Kadrich authored Endpoint Security, which introduces a breakthrough strategy for protecting endpoint devices. Kadrich’s career includes senior positions at Symantec, Sygate Technologies, and Conxion Corporation, and he holds degrees in Information Systems Management, Computer Engineering, and Electrical Engineering. Kadrich can be reached at mark.kadrich@thesecurityconsortium.net.
________________________________
[1] R. B. Standler, “Privacy Law in the USA,” 1997 – http://www.rbs2.com/privacy.htm#anchor222222.
[2] The Free Dictionary by Farlex – www.thefreedictionary.com/privacy.
[3] R. B. Standler, “Privacy Law in the USA,” 1997 – http://www.rbs2.com/privacy.htm#anchor222222.
[4] Evan Wagstaff, “Court Case Decision Reveals Dangers of Networking Sites,” Daily Nexus, 02/28/09 – http://www.dailynexus.com/article.php?a=13440.
[5] Tom Ahearn, “Background Checks and Social Networking Sites,” Pre-Employ.com, 02/24/09.
[6] ABC’s Tom Shine reports from Washington – http://forums.myspace.com/p/4637613/65323861.aspx?fuseaction=forums.viewpost.
[7] Raven L. Hill, American-Statesman staff, Tuesday, June 13, 2006.
[8] Byron Acohido, “Internet thieves make big money stealing corporate info,” USA Today, 11/14/2008 – http://www.usatoday.com/money/industries/technology/2008-11-11-thieves-cyber-corporate-data_N.htm.