Wednesday, January 16, 2013

Risks of Social Media


Before you read, please remind yourself that I'm paid to be paranoid and to know about things that would make you paranoid. I'm trained to see vulnerabilities, gaps, weaknesses, things that could be used in ways other than intended, and specifically to find how things can be abused. Knowing all that might help lighten the tone a little. Yeah, I'm overly paranoid...but that's my job.

That being said, I hope to share with you some words of caution as you use social media applications and websites like Facebook, LinkedIn, Instagram, Twitter, and whatever else fulfills your self-glorifying needs. Sorry for the thinly veiled dig...but you know what I mean. This post is dedicated to the perils of social media from a risk perspective. A follow-up post will come soon about how to use social media safely (as much as you can).

There is No Internet Privacy
Once it's online it's forever online so be careful what you post

If you send it or post it assume you have released ownership.

Everything you do online is logged. It's recorded by something and saved somewhere outside of your control. The privacy controls given to you are intended to limit access via authorized channels from other users like you, but the fact remains that the information (text, pictures etc) is no longer in your possession and someone else has control of it. Most providers use data about your Internet activities for advertising purposes. Others track your Internet associations for statistical analysis. Still others resell your information. Ever notice that you suddenly get inundated with website advertisements for topics you just Googled or for a product you just bought off That's a simple example. What you do is logged, recorded, and used.

The announcement today by Facebook and their new search utility is a great example. Now you can perform analytic searches in Facebook for things like "places my friends have been to" and get a list of places, pictures, and videos from your friends and all the places they've been. They advertise a few other examples like searching for people who like trail running or road trips or dancing or people from your company who like to ski. To do that, Facebook had to review, analyze, categorize, catalog, group and query your stuff. This one frightens me. How about the news media or government doing a search for "people who like the NRA." Yikes. In response, I removed some content from my Facebook page today that could be used in these sorts of searches and received a warning that my content would still be included in Facebook Graph search results. That means they've already tagged it and stored it somewhere else and will continue to make it available.

Now think about everything you've done on Facebook or Twitter. Everything, including content you added or have "removed" or "deleted," is stored somewhere. Every message, tweet, status update, like, comment, picture, literally everything is stored by the social media provider, and it's being analyzed, cataloged, and used for something other than to let your friends know what's happening in your life. That's how they make it available to others to view; the data is stored on their servers. To provide continuity of operations and ensure that experience is always available, that data is moved around, backed up, transported to other servers, etc., all behind the scenes. They also use this data to feed you personalized advertisements or recommendations for content, peers, pages, etc. Now, you would think that when you delete or remove something, it's deleted off the social media provider's servers, but in the case of Facebook and others, this is not so. They simply mark that content as unavailable from your page via normal users like you...but it's still there in their databases and it has already been summarized, trended, analyzed, and used.

I know you're thinking, "I don't do or say anything wrong so I'm safe," or perhaps, "well that's ok, the stuff I don't want public, I'll delete so it's unavailable and I have nothing to worry about." Ok, what happens when Facebook changes its policy, or gets hacked, or gets a subpoena to provide relevant content in court, or snippets of information are leaked out of context, or in the future that benign information becomes socially unacceptable? Is it really benign forever? What if someone wants to perform a historical search of everyone who visited a location on a given day? Or let's say a rogue employee is bribed into selling your information to an advertising firm or identity theft ring. Or let's say the government wants to know everyone who is opposed to gun control legislation. The possibilities for leakage and abuse abound and aren't just limited to the social media provider. The implication is whatever you post can and likely will become public at a later date.

In a recent example, Instagram announced a change in their content use policy that said all the pictures users have uploaded are free for them to use or sell however they wish. Your pictures being sold by them to whomever and for whatever. Wouldn't that be funny if you suddenly see one of your pictures in a magazine advertisement? Maybe not. What about a picture of your family or your kids. Yeah, not so cool. Instagram has backed off due to public response, but what they are doing with your pictures still isn't clear.

News organizations have been accused of infiltrating social circles by paying off friends of people associated with newsworthy individuals. Ever wonder how your local news organization gets information from a suspect's Facebook page? They find friends and offer them cash for information (allegedly of course).

In another really dumb example, an 18-year-old posted to his Facebook page an apology for the hit-and-run he just caused, saying he was driving home drunk. Bad idea, because some of his "friends" clearly didn't appreciate his behavior and reported him to the police. Think of a more benign example: let's say you post out of frustration that you've spanked your kid 5 times today and they just aren't correcting their behavior and you need advice on some other methods of behavior correction. A "friend" might consider this abusive and might report your actions to CPS. Do you really know all your friends and their perspective? Would you share that post with everyone you know and people you don't know?

Email and messages (including SMS or text messages) are even more dangerous as shown recently by the leaking of General Petraeus' personal email which was later used to oust him from his role as CIA director. Once you click send, you've released ownership of that information. It's out there and you have no control. The recipient has it and it's been copied and logged along the way. Now the recipient has ownership and control. Whom they choose to forward the message to is completely unknown to you. Who is logging those emails as they traverse the Internet is unknown, but you can bet intelligence organizations are watching.

Ironically, European governments and privacy groups have already figured this out and are hitting social media giants with regulatory controls. In the UK, for example, Facebook has been required to provide users, upon request, an archive of all the information Facebook has about the individual. Researchers, advocates, and regular users were shocked to find data they thought they had deleted still held by Facebook.

While figuring this out, researchers also discovered that Facebook is proactively building social connections from your information to provide predictive capabilities for current and potential users. Ever notice that people who create new Facebook pages are instantly inundated with recommended social connections? That's because Facebook is quietly building shadow profiles for potential future users. When you enter someone's name in a post, Facebook performs a lookup of that name in their database to see if that person has an account so they can be tagged. If they don't yet have an account, then Facebook creates one for them. These "ghost" accounts are there in case the individual happens to create an account in the future. Scary stuff really.

The point remains - once you post, send, like, or upload, the data is no longer under your control and is being used for reasons beyond your intention. Ask yourself, "do I want this on the Internet forever with no ability to explain or provide context or control?"

Location Services Like GPS and Checking In Reveal More Than You Realize

This one, above all the social media privacy concerns, annoys me the most. I cringe whenever I see "Joe Mama is at Victoria's Secret with Matt Johnston." Ok, that's a joke, but you get the point. Call me old fashioned, but I really don't want my whereabouts broadcast on the Internet. If I want someone to know where I am, I'll let them know. Again, you never know who is sitting behind the data and what they could be looking for. It makes me feel special that you like people to know you're with me, but how about a little privacy? So most of these GPS or location related updates aren't embarrassing, but in my world knowing someone's location is a huge personal and virtual security risk. When we travel, we try not to broadcast to others that we're away from home. Again, call me old fashioned, but I don't want to advertise that my house is empty for the next 5 days or whatever. I think I can trust that none of my true friends would rob my house, but again, I don't know who their friends are or what their Facebook sharing settings are set to. Let's say I check in from Hawaii and you post a comment that says "have fun on vacation" and you're sharing with the public or one of our friends is, so that information is public. I know it sounds overly paranoid, but yes, people are trying to befriend you to get closer to others. You do it too. Let's say you're trying to get into a social circle and you friend someone in that circle and you get visibility into that group. I'm not speaking of Google circles but rather general social groups. So while I'm just trying to brag about my vacation, I'm also letting people I don't know learn that my house is empty.

Besides annoying and having physical security implications, there's also the risk of data mining and targeting. Again, let's say someone wants to know everyone who attended an event or location...for whatever reason. You've enabled them to track that. In light of this gun debate in the country, let's say someone wants to know everyone who attended an NRA event or a gun show or a gun range etc. If you've checked-in, you've been tracked and you have no control over how that information is going to be used nor by whom. That might seem like an extreme example, but remember there are people out there with all sorts of criminal, social, and political motivations that you can't possibly account for.

Invasion of Privacy: Image Tagging

This one is similar to checking in with GPS location enabled, but it's worse because it's imposed on you by someone else. Ever done something or been somewhere you wouldn't share with all of your social associations, or that could be really bad if taken out of context? Here's a scenario I found myself in. As I mentioned before, I don't like broadcasting that I'm away from home. I also don't like Las Vegas. I don't like what it represents, and I don't like what goes on there. It's assumed when you tell someone you were in Las Vegas that you were there doing something bad. Because after all, that's why people go, right? I also consider my life a morally respectable one (in whole). I also happen to serve in leadership roles at my local church body. While I strive for transparency since we're all on this journey of life together, I'm also careful about what I share with whom because, again, context is everything. So I find myself on a business trip to Las Vegas at the Hard Rock Hotel and Casino standing next to Billy Idol in the green room at a private concert co-sponsored by my company. I put a picture of Billy and me up on social media. The responses I got were really interesting. Some included shorts like "cool!" I got a few "likes." I also got a "wow, I didn't know you were such a wild child." Hrm...hadn't thought that image would lead to that conclusion. While at this experience, Las Vegas was on full tilt. You can assume away.

So now let's speculate a little. If you knew little to nothing about me, but saw this picture and heard from one of your friends who may have also been there that the concert was wild and the night ended early AM involving any sort of Las Vegas endings, you might assume that I participated in or endorsed said activities. This is an extreme example, but I'm sure you get the picture. That mere image could be used to communicate anything you want and I don't have any control over the context or story behind it. I have no way of telling others who may have seen the image why I was there or that it was a company event and hanging out with Billy was a company function. This one was my choice...but many times image tagging isn't your choice. Let's say someone else snapped that picture from their smartphone, tagged me, and posted it, but I intended to keep that image and event private for personal reasons. Too bad. Insert yourself into any physical location or event you don't want to broadcast your presence at, and someone you know there happens to snap a picture, post it, and tag you in it. You see my point.

Unintended Associations: Invitations and what they say about you

Another notification I cringe when I see on my wall: "Joe Schmoe has invited you to the event 'Free Tattoos'." Or better yet, "Jane Smith has invited you to the event 'How to recover from bankruptcy.'" Ok, so what if I didn't want everyone knowing I am getting a tattoo or going through financial trouble? These are made up examples, but I've seen some invitations as jokes, some totally benign, and some quite embarrassing. Let's say a friend wants to invite you to a political event. And of course when you click on the event, you see the list of everyone else invited, so now you know who else is getting tats or going through tough financial times. Do us all a favor and pick up the phone or shoot an email. If you choose email, BCC everyone to help protect the reputation and dignity of everyone.

Unintended Visibility: Friends of Friends

This one happens all the time. I see a comment regarding someone I know nothing about and who isn't one of my friends. In this scenario, a friend of mine (Joe) has a friend (Jane) who posts something. Let's say Jane says "just cooked eggs for breakfast" and Joe posts a comment saying "wish I was there!" Now I know some lady named Jane had eggs for breakfast. Yeah, that's benign, but again think of other scenarios, like if Jane posts something personal which she only intended for her "friends."


Social media sites are great tools for espionage and information theft. I already cited examples of how someone can track you using the GPS check-in and tagging features of social media. Well, what about the personal information you enter which seems benign or would help potential friends identify you? Now think in context of what information is needed by your bank to validate your identity over the phone. Name, mother's maiden name, date of birth, personal question (dog's name, city you were born in, best friend, etc.). That's stuff people post to social media all the time. Just by monitoring your Facebook account I could probably call your bank, throw information at them, and get them to think I am you. Now think about all the information you put about your career on LinkedIn. There are groups out there trying to use you to infiltrate the organization or company you belong to. The more they can gather about you online, the more potential points for blackmail they have.

Kids and Their Future

On one hand, it's cool to be able to share pictures and videos of all the cute things your kids do. It's a great medium to share that fun part of life with friends and family. But think about your children in 10...20...30...40 years. Will they want that remark or picture or embarrassing moment documented on the Internet? Could that image or post be used against them? Give them an honest chance.

Moving Target

Above all, the greatest risk with social media is that it's a moving target. Today the rules and privacy controls are defined, but as Instagram and Facebook have shown us recently, those rules are subject to change at any moment, especially if it gives them a competitive advantage. We have no idea who or what will have access to the information we post through social media.

Be safe out there!
