DIGITAL SECURITY AND INFORMATION ASSURANCE


This blog is created to stimulate academic discussion in partial fulfillment of the degree of Doctorate of Computer Science in DIGITAL SECURITY AND INFORMATION ASSURANCE for the Colorado Technical University, Colorado Springs, Colorado.

Courses include: EM835 Information Accountability and Web Privacy Strategies; SC862 Digital Security; Quantitative Analysis; CS854 Software Architecture and Design.















Tuesday, March 29, 2011

Privacy and Security Issues in Social Networking

                            
Project Paper: Privacy and Security Issues in Social Networking
Dr. Brian Pankau
Submitted in Partial Fulfillment of the Requirements for EM835
Information Accountability and Web Privacy Strategies
(Winter 2011)

Abstract

Most online social networking sites share a core of features that are completely absent in their offline counterparts. The relation between privacy and a person’s social network is multi-faceted. On certain occasions we want information about ourselves to be known only by a small circle of close friends, and not by strangers. In other instances, we are willing to reveal personal information to anonymous strangers, but not to those who know us better. In this paper, I highlight the privacy issues as well as the digital security problems that the rapidly growing online social networking sites are facing. I also put forward a set of recommendations that make social networking safer and promote healthy web interactions.

Introduction

Online social networking works like this: an interested individual with an internet connection visits the social site. The individual creates a profile that includes name, sex, age, and geographical location for others to peruse, with the intention of contacting or being contacted by others, or of meeting new friends or dates.
Gross R. et al. (2005) observed that “While social networking sites share the basic purpose of online interaction and communication, specific goals and patterns of usage vary significantly across different services.
The most common model is based on the presentation of the participant’s profile and the visualization of her network of relations to others - such is the case of Friendster”. The model varies: on some social network sites, such as match.com, Salon and others, it is compulsory to have a profile in order to interact with other members. On others, for instance Livejournal.com, the creation of a profile is secondary. The patterns of online personal information revelation are therefore quite variable as you traverse from one social networking site to another. For instance, the use of a person's real name to represent an account profile is encouraged on some sites, like facebook.com, but discouraged on others.
Social networking sites like Facebook tend to connect participants’ profiles to their public identities. This has its own demerits as well as privacy problems. A site like Friendster doesn’t encourage the use of real names; in fact, there are filters that shield a person's public identity from his or her online persona by making only the first name, and not the last name, visible to others. “Notwithstanding the different approaches to personal identity, most sites encourage the publication of personal and identifiable personal photos (such as clear shots of a person’s face)” (Gross R. et al., 2005). It has been reported that online social networks are vaster and have weaker ties, on average, than offline social networks.
Trust in and within online social networks may thus be assigned differently, and could therefore have a different meaning, than in their offline counterparts. Consequently, the degree of privacy invasion is greater in online networks because of the loose relationships within such communities. In essence, trust decreases within online social networks.



1.0 Privacy Implications

The privacy implications associated with online social networking in this technology age are manifold and depend to a large extent on the level of identifiability of the information provided, its possible recipients and its uses. In a study conducted by Gross R. (2005), it was discovered that “Even social networking websites that do not openly expose their users’ identities may provide enough information to identify the profile’s owner. This may happen, for example, through face re-identification”. Identifiable information is often available to the hosting sites of some of the notable social networks. These sites may use the information knowingly themselves or sometimes reveal it to third parties, thereby contradicting their own privacy or user agreements.
The ease of joining, and of extending one’s network, on most of these social networking sites makes it easy for hackers to access the community users’ data online.
Newitz A. (2003) reported that “LiveJournal used to receive at least five reports of identification hijacking per day”. Some unscrupulous persons and con artists navigate online social web sites and use stolen identities to commit fraud and other crimes. With stolen identities, hackers sometimes entice unsuspecting social network members in chat rooms into parting with money, or peddle traditional business opportunity scams. The Federal Trade Commission has reported that con artists are contacting social networking site community members through email with false promises about earnings through day trading, as well as hijacking unsuspecting members' modems and cramming hefty long-distance charges onto their phone bills.
Some online social networking community members do not care about the amount of information they reveal online. The type of information they reveal often includes such things as:
• Hobbies and interests
• Information about current and previous schools
• Employment history or information and name of employers
• Private information such as drinking, smoking and drug habits
• Sexual preferences and orientation
• Age
• Marriage status
• Geographical location


The information stolen from social networking sites and communities can be used for various purposes depending on the type of information or data retrieved. Some of the information can be intimate or extensive. The risks include online and physical stalking, personal embarrassment, price discrimination and, above all, blackmail. Privacy is gravely at risk, but who is to blame when most information on social networking sites is freely given by the members themselves? Hence privacy expectations may not be matched by privacy reality. Facebook, for instance, is straightforward about its use of the personal information it collects from members, including information provided unknowingly, for example the IP address of logged-in members. Facebook details its privacy policy under the following headings:


1. Introduction
2. Information We Receive
3. Sharing information on Facebook
4. Information You Share With Third Parties
5. How We Use Your Information
6. How We Share Information
7. How You Can Change or Remove Information
8. How We Protect Information (adapted from facebook.com/policy.php)

1.1 Embarrassing Digital Dossier

Given the low and decreasing cost of storing digital information nowadays, social networking sites can build a digital dossier from the information they receive from participants. It is therefore possible to continuously monitor users’ profiles on these sites; details that are currently considered insignificant may become public information as time goes on. Views that were expressed privately may become an embarrassing nightmare in the future, when the data currently being mined becomes freely available. Only time will tell, as the technology of online networking is unbelievably dynamic.

1.2 Stalking and Cyber-Stalking

A rather dangerous side effect of privacy invasion on online social networking sites is the risk of being stalked by online acquaintances. It is very common to socialize with online friends within the same geographical area. For example, Facebook has recently introduced a new relationship based on user location. In fact, profiles on the site contain information about residence location, sometimes class schedule, and location of last login. A disturbed person who has previously obtained, or has knowledge of, someone's location through an online association can stalk that person. By the same token, a potential stalker can take advantage of his or her prey because the residence location information is available with ease.
Privacy invasion is becoming more apparent on social networking sites with instant messenger services and on those that offer chat rooms for participants. For example, AOL Instant Messenger (AIM) has a feature called the buddy list. Unlike other messaging services, AIM allows members to add buddies to a buddy list without their knowledge or confirmation. Once the attacker is on a buddy list, the victim can be tracked as soon as he or she logs on to the social networking site. This practice is called cyber-stalking.

1.3 Fake Email address for Account creation
The process of verifying a user registration on most social networking sites takes minutes; therefore a hacker can join an online social site within a couple of minutes.
The social networking site will verify the hacker as a legitimate user by sending a confirmation email to the fake email address he or she quickly created to log in to the site. The ease of account creation and verification on social networking sites is thus an added incentive for a hacker seeking to steal and retrieve genuine user information.


1.4 Manipulation of Users
It has been reported that obtaining confidential information from social networking sites has taken on a new dimension. Social engineering tactics are now being employed to retrieve personal information from unsuspecting online socializers. According to Jump K. (2005), “thirty percent of Facebook users are willing to make all of their profile information available to a stranger and his network of friends”.

1.5 Cyber Bully
The privacy concerns have also resulted in a number of reported cases of online bullying, especially among young teenagers in our education systems, mostly in primary and high schools. Many contributory factors to online bullying on social networking sites have since been identified, and in order to reduce such incidents the following have been recommended:
○ Raise awareness of safety education messages and acceptable use policies on all social networking sites frequented by kids, for instance Facebook.
○ Ensure that services are age-appropriate for the intended audience.
○ Empower users through tools and technology to be able to block anyone who bullies them from any direct contact with them.
○ Provide easy-to-use mechanisms to report illicit conduct or improper content.
○ Promptly respond to notifications of illegal content or conduct.
○ Enable and encourage users to employ a safe approach to personal information and privacy.
○ Assess the means for reviewing illegal or prohibited content and bullying conduct.

1.6 Single sign on promotes dynamic privacy
Just recently, Facebook launched its “Facebook Connect” service to try to solve a major pain point of online computing, especially among social networkers. According to Harris S. (2009),
“it saves visitors from having to fill out yet another tedious registration form, upload another profile picture and memorize another username and password. Instead, visitors can now sign into other sites using their existing identity on Facebook”. The Facebook Connect service is helping to promote dynamic privacy by aiding profile sharing among various online destinations.


2.0 Security Implications
It is reasonable to expect that the security issues of online social networking sites far outweigh those of their offline counterparts.
The social network sites most likely to suffer from privacy and security issues are the popular ones. Privacy issues most often involve unwarranted access to private information and may not be directly due to security breaches. A crafty and determined individual may, through shoulder surfing, watch you type your password and later use it to obtain confidential information from your computer.
According to Brendan Collins (2008), “a security issue occurs when a hacker gains unauthorized access to a site’s protected coding or written language”. There is a clear distinction between the privacy issues and the security issues that most social networks face as a result of their rapid popularity and financial importance. Most social network sites process a tremendous amount of information and data every day. Thus there can be lapses in security on those sites, making it possible for a would-be hacker to exploit flaws in the systems.
The following features of social network sites, which involve mass participation of people, are targeted by hackers or site attackers:
• Chat rooms
• Messages
• Invitations
• Photos
• Open platform applications

It has been reported that the aforementioned features are avenues for gaining unprecedented access to the private information of unsuspecting individuals. A recent case in point is one that revealed a devastating hole in the framework of a third-party application programming interface on Facebook. This programming flaw allowed hackers to gain unrestricted access to private information. The developers of those applications failed to follow sound programming techniques, thereby exposing more information than was necessary to run the application in the first place. This over-sharing of user data is not new, because the security of social network sites was not taken seriously until just recently. To mitigate such security problems, some sites have introduced user privacy controls at all levels within profiles. But such increased privacy settings do not in all cases guarantee adequate privacy and security. Most social network sites do not have a streamlined way to test third-party applications through which users’ data and information can be retrieved without consent. Such application flaws can allow criminally minded developers to sell users’ data to advertising companies for financial gain.
The security issues of online social networks incorporate all of those of their offline counterparts and include risks that are growing daily. Some of these include:

● Identity theft
● Email spamming to propagate malware
● Use of false profiles
● Social engineering tactics to retrieve information
● Targeted attacks through botnets
● Vulnerability to cross-site scripting, e.g. MySpace
● Source of releasing confidential or proprietary information
● Phishing attacks



Data and Information

Gross R. et al (2005) found that “across different sites, anecdotal evidence suggests that participants are happy to disclose as much information as possible to as many people as possible. It is not unusual to find profiles on sites like Friendster or Salon Personals that list their owners’ personal email addresses (or link to their personal websites), in violation of the recommendation or requirements of the hosting service itself”.
Most internet-based companies hold large volumes of personal data, and their handling of it is unregulated. This includes:
1. Processing of the data
2. Analyzing data
3. Transmitting data
4. Collection of data.
In light of the mass databases held in various data centers around the world, one can agree with the assertion that “data processing technology and the creation of mass databases inevitably erode privacy” (Landy K., 2008).
We all know that there is a need for well-conceived privacy policies to take care of the unprecedented digital privacy issues, but leadership is lacking both in government and in private settings.
Due to the explosive use of online social networks, various notable businesses have been building applications to target such users. Efforts to communicate with people using those sites are being intensified. Most companies are using targeted marketing strategies to:
• Monitor their habits and views
• Influence their opinions
• Direct their spending power

Among the menaces of social networking sites are:
• Data safety – frequent visitors are continuously hit by identity theft and fraud.
• Minors are exposed to improper content or face indecent exposure online.
• People enter into dangerous relationships.
• The elderly are lured into risky financial dealings.

The exponential growth in the number of users of social networking sites is not a surprise. In 2008, the total number was put at 200 million; now the number, as reported by various online watchers, is put at roughly 700 million users, with Facebook alone having a total of 500 million registered users and still growing by the hour. Hofer F. (2010) observed “Given these figures it’s definitely no surprise that companies from various industry sectors are keen on trying to develop potential business applications with a specific focus on social network users”. The notion is that online social networking users are, by all indications, potential customers. In fact, social networking sites are regarded as the new business environment, and a lot of companies are building applications specifically to target social networkers using the various marketing tactics available in their arsenals.

Lack of Social network Policies:

It was recommended during the international conference on data protection and improper use of private information posted by users on social networks that some golden rules be observed.
These are categorized in terms of users and online service providers. Users were advised to:
• Carefully select which personal data (if any) to post on a social network.
• Bear in mind other individuals’ expectation of privacy when publishing information about them.
• Always be cognizant that the security of their information online is not 100 percent guaranteed.
• Be aware that users’ information can be mined and used for various marketing purposes by online marketers.

The online social networking service providers were reminded, among other things, to (adapted from Harris S., 2009):
■ Comply with the privacy standards in place and as required by regulatory authorities.
■ Inform users adequately about the use of posted data, the possible consequences of publishing it, and security risks.
■ Favor, to the maximum extent, users’ control over their data and profiles.
■ Offer users privacy-friendly default settings.
■ Constantly improve systems’ security in order to prevent fraudulent access.
■ Grant users the right to access, control and correct their personal data.
■ Offer suitable means for deleting personal profiles and information once membership is terminated.
■ Enable the creation and encourage the use of pseudonyms.
■ Prevent uncontrolled third-party access and practices such as spidering and bulk harvesting.
■ Allow external crawling only with users’ informed, specific and in-advance consent.




Recommendations and Solutions to social network privacy/security issues

◊ Don't share your password with anyone.
◊ After you type your login credentials into the login page, make sure you uncheck the “remember me” box.
◊ Always log out when you're finished using any social networking site.
◊ Try to avoid putting sensitive information on social web sites; choose what kind of information you share with the site and how much.
◊ Choose to put just the essential things; for example, if you deal with hobbies (music etc.), don't add non-essential work information.
◊ Customize your privacy settings.
◊ Block access and, where necessary, report privacy violations.
◊ Limit your online social activity and online presence.
◊ Don’t post anything that you are not ready to divulge to a complete stranger.
◊ Be sure of the identity of anyone you add as an acquaintance online.
◊ Read the privacy disclosure of the site before you join.
◊ If possible, verify that adequate privacy settings are allowed on the site.



CONCLUSION:
Humans are by nature social animals, so online social networks are genuine avenues for more interaction. Social networks are not threats; they are created to offer more opportunity for social interaction universally. A common-sense approach is needed to guard against unsolicited friendship and information dissemination in online social networking forums. A false sense of security leads people on social sites to divulge too much information about themselves. Geolocation services offered on some sites keep a record of where online participants visit and go. The security implication is grave and alarming, because the information that is leaked online can undoubtedly be used against the person divulging it. What was hitherto considered private is no longer private. Also, constantly updating profile information with your whereabouts could open a floodgate for criminals to target your house and burgle it.
To avoid identity theft, the use of secure credentials is recommended on social networking sites. A weak password, for example, could compromise a participant’s account, and hackers can use it to spam all your contacts. There is also a need for industry regulation and policy on social networking sites.

Reference

Acquisti, A., Gritzalis, Stefanos, Lambrinoudakis, Costas, De Capitani Di Vimercati, Sabrina (2008). “Digital Privacy, Theory, Technologies, and Practices”. Auerbach Publications. Taylor & Francis Group, LLC

Gross R. (2005). Re-identifying facial images. Technical report, Carnegie Mellon University, Institute for Software Research International, 2005. In preparation.

Gross R., Acquisti A. and John Heinz H. III. Information Revelation and Privacy in Online Social Networks. Retrieved 03/12/2011 from,
http://dataprivacylab.org/dataprivacy/projects/facebook/facebook1.pdf

Collins B. Privacy and Security Issues in Social Networking. Retrieved 03/12/2011 from,
http://www.fastcompany.com/articles/2008/10/social-networking-security.html

Harris S. (2009). Security Issues of Social Network Sites. Retrieved 03/12/2011 from,
http://www.informit.com/blogs/blog.aspx?uk=Security-Issues-of-Social-Network-Sites

Hofer A. F. Privacy issues in social networking: the European perspective. Retrieved 03/15/2011 from, http://www.gala-marketlaw.com/pdfs/Privacyissuesinsocialnetworking.pdf

Jump K. (2005). A new kind of fame. Retrieved 03/15/2011 from,
http://www.columbiamissourian.com/stories/2005/09/01/a-new-kind-of-fame/

Newitz A. (2003). Defenses lacking at social network sites. Security Focus, December 31, 2003.

Oram A. & Viega J. (Eds.). (2009) Beautiful security: Leading security experts explain how they think (pp 33-61). Beijing: O’Reilly Media

Zorz M. (2009). Social networking privacy issues. Retrieved 03/13/2011 from,
http://www.net-security.org/article.php?id=1331

Facts for Consumers.  Retrieved 03/16/2011 from
http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec09.shtm

Social Networking Sites: A Parent’s Guide. Retrieved 03/16/2011
http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec13.shtm

The Facebook. Privacy policy. Retrieved 03/16/2011 from,
http://facebook.com/policy.php, August 2005.










Monday, March 14, 2011

SECURITY BY DESIGN - Overall Security Is Beautiful


It is always a good information security strategy to treat security as a critical aspect of system development during the early stages of the system design lifecycle. The author took a trip down memory lane and identified many information system and design projects that failed because risk-based security programs that address security at all phases of the system development cycle were not followed. According to the author, system security is interwoven with system quality, reliability, availability, maintainability and usability. We can only have secure software or a secure system if all vulnerabilities are curtailed and all system functionality is free of security problems in all phases of the system lifecycle. Shortcuts in the system and software development lifecycle must be avoided.
Because most environments are interconnected over networks, it is imperative to guard all access points against attacks and to reduce the overall exposure of systems to such abuses. The perimeter security model often fails to accomplish the desired security goals because systems are exposed to risks they were not protected against in the initial stage of development.
Security metrics should be measured at the component level to fully address all security concerns in the system architecture. It is equally important to carry out quality testing and system integration testing in order to account for all key security issues at the development stages. Security metrics should not be based on quality alone; security's role in cost reduction, safety and speed of system delivery must also be considered.
System testing is an essential requirement for gathering modest system security metrics. Testing should be done at the component level. It is also important that integration testing be conducted. Unit testing is a must.
The author found to his dismay that system development and engineering, robust system architecture, security procedures, and sound deployment methodologies are sacrificed on the altar of quick product turnaround and the race to market. Solid system engineering practices are thrown to the winds. Thus many systems have serious architectural and programming flaws that ultimately undermine their security.
The book showed that consistent software design and development best practices are being achieved through:
* Standard configuration management
* Good product quality, security and reliability controls
* Good testing procedures
* Deployment of standard foundational elements for determining operational metrics, project management and training
* Risk management
A system development lifecycle that lacks proper security elements and integration during all phases of design is bound to fail, and the resulting final product is always:
1. Fragile in nature
2. Difficult to operate
3. Difficult to maintain.
In conclusion, to have a well-secured system, all component parts must be tested using various test scenarios, risks must be analyzed, and system performance must be tested for reliability, availability and usability.
Reference
Oram A. & Viega J. (Eds.). (2009) Beautiful security: Leading security experts explain how they think (pp 171-182). Beijing: O’Reilly Media




Privacy, Profiling, Targeted Marketing, and Data Mining - Trust is needed

The technology revolution has provided unlimited possibilities for collecting and storing personal data and information. Most of this information is mined from interviews, surveys and other sources with no attention to privacy. To be successful in their marketing endeavors, companies are very proactive and can predict what a customer needs through various targeted marketing campaigns.
To many businesses, the benefits of customer profiling include:
• Personalized marketing campaigns enable them to find and keep more customers, as well as give them better service.
• Maximize revenue from each existing customer and use that marketing data to target new prospects.
• Segment their customers to ensure that they send the right message to the right audience, maximizing limited marketing dollars.
• Dynamic, real-time groups ensure that each campaign addresses key markets, and that target groups always receive the most current, accurate information.
The author recognized that privacy-preserving profiling can be achieved through cryptographic means, but that an efficient solution requires some element of trust. According to the author, three distinct and conflicting privacy and security requirements must be met in order to adequately perform privacy-preserving profiling:
* the data must not be revealed
* the classifier must not be revealed
* the classifier must be checked for validity.
A number of classification models have been proposed for privacy-preserving profiling. The methods used have the following properties:
* the classification result is revealed only to the designated party.
* no information about the classification result is revealed to anyone else.
* rules used for classification can be checked for the presence of certain conditions without revealing the rules, e.g. that no race attribute is being used.
It is important to note that privacy-preserving profiling is possible by using a commutative encryption protocol. Under such a protocol, a data item can be enciphered with multiple encryption keys in any arbitrary order.
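The order-independence described above, shown as an added example that is not taken from the cited book or from this post: a Pohlig-Hellman style exponentiation cipher, used by two parties to find the identifiers they have in common by double-encrypting their lists. It goes beyond the text by showing one matching protocol built on the property; the modulus, the function names and the e-mail addresses are assumptions constructed for illustration.

```python
import hashlib
import math
import secrets

# Demonstration modulus (an assumption of this example): the prime 2**255 - 19.
# A deployment would use a vetted prime-order group instead.
P = 2**255 - 19


def keygen():
    """Return (e, d): e is coprime to P-1 and d undoes it (e*d = 1 mod P-1)."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def encode(identifier):
    """Hash a normalised identifier to a non-zero square modulo P."""
    digest = hashlib.sha256(identifier.strip().lower().encode("utf-8")).digest()
    return pow(1 + int.from_bytes(digest, "big") % (P - 1), 2, P)


def apply_key(key, value):
    """Encrypt with e or decrypt with d: both are one modular exponentiation."""
    return pow(value, key, P)


def private_match(holder_ids, marketer_ids):
    """Return the marketer's identifiers that the data holder also has.

    Each party only ever sees the other's list under a key it does not know.
    Both parties are simulated inside this one function for brevity.
    """
    holder_key, _ = keygen()
    marketer_key, _ = keygen()

    # Step 1: each party encrypts its own list with its own key and sends it.
    holder_once = [apply_key(holder_key, encode(i)) for i in holder_ids]
    marketer_once = [apply_key(marketer_key, encode(i)) for i in marketer_ids]

    # Step 2: each party adds its key on top of the other's ciphertexts.
    # The holder's values come back as an unordered set; the marketer's keep
    # their order so that matches can be mapped back to identifiers.
    holder_twice = {apply_key(marketer_key, c) for c in holder_once}
    marketer_twice = [apply_key(holder_key, c) for c in marketer_once]

    # Step 3: equal double encryptions mean equal identifiers, because
    # (x**a)**b == (x**b)**a (mod P) whatever order the keys were applied in.
    return {i for i, c in zip(marketer_ids, marketer_twice) if c in holder_twice}


# Constructed sample data (not real addresses).
HOLDER_CUSTOMERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
]
MARKETER_SEGMENT = ["carol@example.com", "erin@example.com", "dave@example.com"]

if __name__ == "__main__":
    print(sorted(private_match(HOLDER_CUSTOMERS, MARKETER_SEGMENT)))
```

Identifiers outside the intersection stay hidden only as long as the identifier space is too large to enumerate and each party keeps its exponent secret.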
Ensuring privacy in Targeted marketing:
It is important to adequately ensure privacy while at the same time performing targeted marketing. We should also be mindful that customers are either static or mobile, so the best approach is to combine methods that meet the different requirements of each class. This matters all the more because identifying the right target audience is the essence of effective marketing. To achieve this, we can use clustering and cluster analysis.
Cluster analysis consists of 4 distinct critical implementations, as illustrated by the author:
* Segmenting the market – for example, into consumers who are homogeneous in terms of the benefits they derive.
* Understanding buyer behavior – works well if consumers are grouped together in terms of common behavior.
* Identifying new product opportunities – sets the tone for a highly competitive market.
* Selecting test materials – allows for testing various marketing strategies.
* Reducing data – a good representative can easily be identified in homogeneous clusters.
Ensuring privacy of mobile users:
The widespread use of mobile devices has raised many privacy and security issues, especially as they relate to commerce. Marketing on mobile devices is based on what the author called location-based services (LBS). The following are attributes of location-based services:
* they are usable on request
* personalized information is delivered at the point of need
* customers are targeted based on advance knowledge such as profiles and preferences, or perhaps using their locations
The security and privacy concerns in location-based services are:
- It may be possible for an adversary to physically locate a person of interest.
- Tracking of individuals is possible, which can have adverse consequences.
- The profiles of mobile customers are often retained during marketing.
- It is difficult to maintain confidentiality because the identity of the user can often be traced through the LBS.
Privacy-preserving data mining technique: this deals with the problem of mining data without seeing it, through secure computations. Two known methods are universally used to accomplish privacy-preserving data mining:
- Perturbation: individuals have access to their data and only care about the privacy of certain attributes. However, the security of this method has been shown not to be well established, because knowing the bounds of the data can degrade it.
- Cryptographic approach: more secure but less efficient. It is mostly used in situations where a small number of interested parties own large amounts of data that are analyzed together.
Conclusion:
Profiling provides the basis for starting what marketers or law enforcement agencies call a "dialogue" with customers or suspects, but without regard to the privacy of the customers or persons involved. Privacy-preserving profiling needs more data mining approaches in order to be trusted and to maintain confidentiality.
 
Reference
Acquisti, A., Gritzalis S., Lambrinoudakis C., & De Capitani di Vimercati S. (Eds.). (2008) Digital privacy: Theory, technologies, and practices. New York: Auerbach Publications.
Marketing Automation: Customer Profiling. Retrieved March 8, 2011 from http://www.netsuite.com/portal/industries/wd/marketing_cus_profiling.shtml
Smirnov-M H. (2007) Data Mining and Marketing. Retrieved March 7, 2011 from http://www.estard.com/data_mining_marketing/data_mining_campaign.asp