Privacy Notes: Your Online Life Antisocial Networking
Be careful what you sign up for. Some day your Facebook info might be staring you (and anyone else who wants it) in the face.
A few weeks ago during my morning e-mail check, I got an interesting notification from a Web site called "Rapleaf." According to the mail, someone "researched my reputation" on the site to learn about me for "business or personal reasons."
"You now have the opportunity to take control of your information and privacy online," the mail finished, instructing me to visit the site and "make all or some of the information about [me] private."
Rapleaf is one of a new breed of Web sites that aggregate information about Internet users based on social networking sites, Amazon wishlists, user-contributed content and other Web services, such as Yahoo's photo-sharing site, flickr. A recent roundup of "people search engines" at Web Worker Daily compared four such sites and found that few of them delivered much that was more useful than a Google search might net anyhow.
Operations like Rapleaf have two faces. The consumer-facing face is plain enough: They enable people to ego surf, rate other people, look up long-lost high school buddies and all the other stuff social networking sites are used for.
The other side of people search, though, is where the sites get their motivation to aggregate all the information they do. Some of them license access to their databases to marketing firms intent on filling out demographic profiles. Rapleaf, for instance, charges to provide a programmatic interface to its database that marketers can bounce their mailing lists off of to look for aggregate demographic data, which is invaluable to marketers. That business model is what drives investor interest in social networking sites, and it's what drives numerous methods the sites deploy to get more and more users in their databases.
One such method, for instance, is available on a number of sites: Users are given a chance to upload their address books from Web-based mail services like Yahoo! and Gmail or applications such as Outlook or Apple's Mail program. The sites, in turn, offer to look for friends the user might have who also use the service, or invite people it finds in the address book. Sometimes, those friendly offers of assistance have unintended consequences.
As I blogged over on Open Networks Today last week, a man was arrested and thrown in jail after mistakenly inviting his ex-wife to join Facebook through its address book upload feature. By doing so, he violated a restraining order preventing him from making contact with her.
And just one day prior, a nationally syndicated columnist accidentally spammed his entire address book, nearly 9,000 people, when a form on another social networking site re-checked a box he'd unchecked.
Recorking the Genie
The results I got from Rapleaf were mildly interesting, to the extent they painted a picture of someone who has probably accepted invitations from friends on every social networking site of note in the last four years, and who keeps an Amazon wish-list of stuff he stopped wanting for Christmas in 2001. And as much as I resented the alarmist tone of the notification mail, I didn't mind seeing all those site affiliations spread out on one page. I promptly closed out my accounts on all but one I still use at least once a week.
Why the quick purge? Well, as I wrote last month, the more widely you spread your identity on the Internet, the easier it might be for a malicious person to piece together what they need to compromise your e-mail account or something equally sensitive. Worse, the privacy and disclosure policies on many social networking sites are a moving target, placing the onus on users to periodically check in and make sure that the kind of information the service makes public, or the information it will share with so-called "partners," hasn't changed. An account you signed up for three years ago may be revealing significantly more than it once was.
Sarah Turner at the Blog Security weblog provided additional information worth noting on how your information is handled at social networking sites. She did an informal survey of eight social networking sites attempting to learn how they respond to routine profile management tasks, such as deleting a profile or getting a password reminder. Her results were troubling for anyone who has woken up from the social networking party with a mild hangover and some regrets:
Six of the eight sites wouldn't completely remove all her information. A few used obfuscating language in their privacy policies to allow users to come to misleading conclusions. Only two would respond to follow-up inquiries about the state of her deleted profiles, and Microsoft flatly told her that it couldn't tell her what information it retained after she had her Windows Live Spaces account closed.
On the password reminder side, two of the eight sites she asked for a password reminder e-mailed her password to her in the clear. Four provided a link to a password reset form that required no further identity verification. Only two asked for some sort of identity verification before resetting her password.
Even if you take the time to do your due diligence with a social networking site and decide you can live with the information it might or might not share, or how it might or might not remove information you'd like taken down, you have one more factor to consider: Data breaches are a growing problem as Internet crime grows increasingly sophisticated and the criminals grow more aggressive.
The Privacy Rights Clearinghouse maintains a chronology of data breaches going back to January of 2005. Since then, the clearinghouse reports, 167,308,738 records containing sensitive personal information have been involved in security breaches. The clearinghouse also notes that its numbers are low, since there are cases where nobody's sure how many records were compromised. The list of breaches involves hospitals, state tax agencies, universities, financial organizations, major corporations like AT&T or Pfizer, and many others.
Analysis of the 2006 figures from the clearinghouse chronology shows that the private sector (vs. government, higher education or medical organizations) suffered 126 data breaches, and that 30 percent of them were the result of "insider malfeasance" or "human/software incompetence."
There's always a temptation to respond to a security threat with too much zeal. People who write about security are partially responsible for fostering an absolutist mentality, and some privacy advocates are alarmists. But even if social networking sites have commercial motives that might drive bad policy, they obviously provide some utility to their millions of users.
The question isn't whether to abandon them out of fear that your online identity will be hijacked or misused: There is no service that operates over the Internet or stores information in a server somewhere that can ever completely rule out the risk of a data breach. There are going to be few privacy policies moving forward that won't attempt some sort of balance between your absolute privacy and the commercial imperatives that drove building those sites in the first place.
So don't panic. Instead, ask two simple questions each time you're asked for a bit of information, invited to join a group, offered the chance to provide an e-mail address or IM identity or asked to add a widget that sucks your calendar data from another site into your profile:
Acting in accord with the answers to those questions might make ego-surfing on the latest people search site less unpleasantly surprising.
Michael Hall has been using, maintaining and writing about networks for nearly 15 years. He's the managing editor of Enterprise Networking Planet and he blogs about Internet privacy and security at Open Networks Today.