<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; Social Networking</title> <atom:link href="http://www.cippguide.org/tag/social-networking/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Targeted Malware Attacks</title><link>https://www.cippguide.org/2011/10/18/targeted-malware-attacks/</link> <comments>https://www.cippguide.org/2011/10/18/targeted-malware-attacks/#comments</comments> <pubDate>Tue, 18 Oct 2011 12:00:44 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[controls]]></category> <category><![CDATA[double standard]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[organizational practices]]></category> <category><![CDATA[Social Networking]]></category> <category><![CDATA[spear-phishing]]></category> <category><![CDATA[targeted attack]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2635</guid> <description><![CDATA[This article discusses targeted malware attacks, which are becoming more and more common, targeting anyone from executives, to civil society organizations to medium-sized businesses that lack significant intellectual property. Targeted malware attacks require a more granular approach to security controls. The article examines the double standard that is present in enterprise security control [...]]]></description> <content:encoded><![CDATA[<p><a
href="https://www.cippguide.org/tag/malware/">Malware</a> attacks are getting smarter by targeting user populations of higher value. Where previous generations of <a
href="https://www.cippguide.org/tag/threats/">attacks</a> consisted of viruses, worms, general phishing and rootkits, new attacks are becoming more difficult to detect. Such attacks no longer push malware onto the Internet and wait for random, vulnerable, or compromised systems.</p><p><strong>What are targeted attacks?</strong></p><p><a
href="https://www.cippguide.org/tag/targeted-attack/">Targeted attacks</a> against specific organizations or individuals in those organizations leverage some of the elements associated with social networking. These attacks often come as a legitimate email or some other electronic object. Email filtering tools often allow such messages to pass, since they don’t violate filtering rules.</p><p><a
href="http://www.youtube.com/watch?v=fmoBk3gyg4w">An example</a> of a simple targeted attack involves a PDF file that appears to be a research report. Opening this PDF causes malware to install, facilitating the collection of information from the user’s machine. It’s important to focus on the approach of this attack. Not unlike Trojans, targeted attacks can seem very real and relevant to their victims.</p><p><strong>Degree of Relevance</strong></p><p>The efficacy of targeted attacks is largely based on their relevance to victims, who are most often involved in senior management or other key operations. Attackers might spend months investigating companies, in order to determine:</p><ul><li>Individuals in the target organization who would likely have access to the desired data</li><li>Major projects in process</li><li>Common business partners, vendors, etc.</li><li>Names and email addresses of individuals who regularly send mail to target users</li></ul><p>It’s becoming much more common to see a greater level of research by attackers regarding their potential targets. While this may require a higher level of human interaction, there are some methods to automate certain steps in the process of data gathering.</p><p>With this information, attackers are able to create relevant emails with spoofed source addresses. This will make the messages appear to come from a business or individual with whom the attack victims already regularly communicate.</p><p>The attacker’s objective is to be able to collect as much information as possible from the target victim. This means the malware needs to be hidden (e.g. in a <a
href="http://it.toolbox.com/blogs/adventuresinsecurity/mount-a-rootkit-defense-8989">rootkit</a>) and the transfer of information must be disguised as normal network traffic. Since each attack is unique, it can be difficult for security teams to identify targeted attacks simply by using anti-malware or <a
href="http://www.sans.org/reading_room/whitepapers/detection/understanding-ips-ids-ips-ids-defense-in-depth_1381">IPS/IDS solutions</a>.</p><p><strong>Who is being targeted?</strong></p><p>It’s unlikely that most internet users will become victims of targeted attacks. Most targeted attacks aim for senior management, including C-level executives and department heads. What makes things worse is that the computers used by these individuals are often the least protected.</p><p>It’s common in many organizations to have a <a
href="http://it.toolbox.com/blogs/adventuresinsecurity/security-doublestandards-are-still-a-bad-idea-39154">double standard</a> when it comes to security control implementation. Many executives believe that they are able to avoid malware attacks, or they would prefer not to have to deal with the same restrictions imposed on the rest of the workforce.</p><p>Other potential targets include employees who process sensitive information. Such individuals have the level of access on their local workstations necessary for deploying data-collecting malware.</p><p>Another notable group being targeted is human rights organizations. For instance, <a
href="http://www.hrichina.org/crf/article/3254">on March 18, 2010</a>, attackers sent a number of organizations and individuals a targeted malware attack that appeared to be from Sharon Hom, the Executive Director of <a
href="http://www.hrichina.org/">Human Rights in China</a> (HRIC). Attackers used the recognition of HRIC to lead victims to a compromised website containing malicious code that allowed the attackers to eventually take full control of the visitor’s computer. Civil society organizations are facing the growing threat of targeted malware attacks.</p><p><strong>Where are the attacks coming from?</strong></p><p>According to Symantec’s March 2010 <a
href="http://www.symanteccloud.com/globalthreats">MessageLabs</a> Intelligence Report, an analysis of the origins of targeted attacks found that they originate from:</p><ul><li>China (28.2%)</li><li>Romania (21.1%)</li><li>United States (13.8%)</li></ul><p><a
href="http://www.securitypronews.com/insiderreports/insider/spn-49-20100326ChinaLeadsInTargetedMalwareAttacks.html">According to</a> MessageLabs Intelligence Senior Analyst Paul Wood:</p><p>“When considering the true location of the sender rather than the location of the email server, fewer attacks are actually sent from North America than it would at first seem. A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the US and therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack. Analysis of the sender’s IP address, rather than the IP address of the email server reveals the true source of these targeted attacks.”</p><p><strong>Summary</strong></p><p>This article discusses targeted malware attacks, which are becoming more and more common, targeting anyone from executives, to civil society organizations to medium-sized businesses that lack significant intellectual property. Targeted malware attacks require a more granular approach to security controls. 
The article examines the double standard that is present in enterprise security control implementation.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy Concerns: Organizational Practices (II.A.b.)</li><li>Social Networking Services (VI.C.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/10/18/targeted-malware-attacks/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Facebook’s Data-Sharing Mistake</title><link>https://www.cippguide.org/2011/01/20/facebook%e2%80%99s-data-sharing-mistake/</link> <comments>https://www.cippguide.org/2011/01/20/facebook%e2%80%99s-data-sharing-mistake/#comments</comments> <pubDate>Thu, 20 Jan 2011 12:00:10 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Social Networking]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2430</guid> <description><![CDATA[On Tuesday, January 18 2011, Facebook announced its decision to suspend the controversial feature allowing developers to access users’ home addresses and mobile numbers. The announcement comes just days after the social networking website decided to share users’ contact information with third party app developers. Privacy watchdogs have long decried Facebook’s privacy and security failings, which have affected its over 500 million users [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal; font-size: 13px;">On Tuesday, January 18 2011, Facebook <a
href="http://developers.facebook.com/blog/post/447">announced</a> its decision to suspend the controversial feature allowing developers to access users’ home addresses and mobile numbers. The announcement comes just days after the social networking website decided to <a
href="http://www.thedrum.co.uk/news/2011/01/18/17715-facebook-embroiled-in-fresh-privacy-controversy/">share users’ contact information</a> with third party app developers. Privacy watchdogs have long decried Facebook’s <a
href="http://en.wikipedia.org/wiki/Criticism_of_Facebook">privacy and security failings</a>, which have affected its over 500 million users worldwide.</span></h1><p>In a statement on its <a
href="http://developers.facebook.com/blog/post/446">Developer Blog</a>, Facebook said:</p><p>“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready.”</p><h2>Data-Sharing Decision &amp; Responses</h2><p>The original decision to share user information came on Friday, January 14 2011. Facebook <a
href="http://developers.facebook.com/blog/post/447">pointed out</a> that the new feature would allow a user to “easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for up-to-the-minute alerts on special deals directly to your mobile phone.”</p><p>The surprising decision triggered public backlash against Facebook’s privacy practices. Although app developers could only gather contact information if users had allowed them to do so, observers pointed out users are often confronted with too many apps that are deceptive about allowing access.</p><p>It is also commonly known that many users will click through permission dialogue boxes without pausing to read their contents. As a result of being inundated with too many permissions requests, users will respond to constant dialog boxes by agreeing to everything without considering potential negative consequences.</p><p>Critics responded strongly to Facebook’s new data-sharing practices. The marketing and media site <a
href="http://www.thedrum.co.uk/news/2011/01/18/17722-facebook-performs-u-turn-over-personal-data-sharing/">The Drum commented</a>:</p><p>“[This] raises questions as to how an organization, which ought to have been sensitive to privacy concerns following previous controversies, could have launched such an unheralded change, on a Friday evening, without fully thinking through the consequences.”</p><p>Graham Cluley, a technology consultant with the IT security firm Sophos <a
href="http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/">called the new practices a “recipe for disaster,”</a> pointing to the array of scam applications that have overrun the social network.</p><h2>Suggested alternatives</h2><p>Commenters suggested that Facebook ought to pre-approve developers before they are able to gain access to users’ information. The suggested approval process would be similar to the compulsory verification system for iPhone apps. According to a recent <a
href="http://www.facebook.com/SophosSecurity">Sophos poll</a>, over 95% of respondents supported the idea of Facebook verification of all apps before they are released to users. Currently, Facebook app developers only need to verify their accounts by confirming their mobile number or credit card information. After this process, they can write and release any application they like.</p><p>While Facebook does not currently offer this feature, many recommend that the network check applications written for its platform to ensure that they are not malicious. As this verification is not done, it is common to see many “<a
href="http://nakedsecurity.sophos.com/tag/rogue-application/">rogue applications</a>” appear across the social network. Such apps include revenue-generating survey scams, redirection of users’ browsers to malicious sites, spamming from a user’s account or stealing personal information.</p><p>Others suggested that users’ contact information could only be accessed if it was necessary for the purposes of the application. At the very least, the application should specifically request users’ permission before gathering their information. Facebook’s announcement on Friday evening led to many users removing their home address and mobile number from their profiles, as an immediate measure.</p><h3>Summary</h3><p>This article takes a look at Facebook’s January 14, 2011 decision to share user data with its applications developers. In the face of negative media coverage and public outcry, the social networking site was forced to reverse the changes only three days later. Many users and critics were uncomfortable with the fact that developers were able to access personal information such as their home address and mobile numbers. 
This article also looks at why this practice is problematic, especially in light of Facebook’s developer and applications policies.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy Concerns – Organizational Practices (II.A.b.)</li><li>Privacy Expectations – Prominent Notice &amp; Opt-In Consent (II.B.b.)</li><li>Social Networking Services – System Designs (VI.C.i.)</li><li>Social Networking Services – Privacy Controls (VI.C.ii.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/01/20/facebook%e2%80%99s-data-sharing-mistake/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Social Networking Services &amp; Privacy Issues</title><link>https://www.cippguide.org/2010/09/28/social-networking-services-privacy-issues/</link> <comments>https://www.cippguide.org/2010/09/28/social-networking-services-privacy-issues/#comments</comments> <pubDate>Tue, 28 Sep 2010 12:00:51 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Beacon]]></category> <category><![CDATA[CIPP/IT]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[LinkedIn]]></category> <category><![CDATA[Social Networking]]></category> <category><![CDATA[Twitter]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2219</guid> <description><![CDATA[It’s impossible to be online and not encounter social networking, which in recent years, has embedded itself in many facets of people’s online lives. Websites such as Facebook, MySpace, Twitter and LinkedIn offer their users huge forums for sharing information, establishing contact with others and maintaining ties to friends and family. This article examines social networking services from a privacy standpoint, looking at key issues such as access, control, limitations and trust. Websites’ privacy policies and their weaknesses are also examined, by using the well-known social networking service Facebook as an example of how these services can compromise users’ [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal;font-size: 13px">It’s impossible to be online and not encounter social networking, which in recent years, has embedded itself in many facets of people’s online lives. Websites such as Facebook, MySpace, Twitter and LinkedIn offer their users huge forums for sharing information, establishing contact with others and maintaining ties to friends and family.</span></h1><p>This article examines social networking services from a privacy standpoint, looking at key issues such as access, control, limitations and trust. Websites’ privacy policies and their weaknesses are also examined, by using the well-known social networking service <a
href="http://www.cippguide.org/2010/07/08/youth-privacy-in-canada/" target="_blank">Facebook</a> as an example of how these services can compromise users’ security.</p><h2>Gaining Access</h2><p>The virtual communities of social networking websites have rapidly developed in recent years. For instance, facebook.com ranks second on US Quantcast rankings, with over 130 million visitors per month from the US alone. Other social networking sites, such as MySpace, <a
href="http://www.cippguide.org/2009/08/31/twitter-is-following-your-clicks/" target="_blank">Twitter</a> and LinkedIn rank within the top fifty most visited websites in the US.</p><p>Upon joining a social networking site, users provide <a
href="http://www.cippguide.org/tag/PII/" target="_blank">personal information</a> to create a profile, which may include their name or username; birth date; photos and videos; hometown; location; religious beliefs; ethnicity; personal interests and other identifying information. Through their profile, users make links with other people on the site, whether they are existing friends and family, or new acquaintances. While some users create their profiles to communicate with their circle of friends, information on social networking sites can all too easily be accessible to the public, employers, the press, academic staff, law enforcement and more.</p><p>Many social networking websites have restrictions for membership, which limit who can have access to users’ information. MySpace requires users to be at least thirteen years old, while Facebook is open to anyone. Sites like LinkedIn require users to be invited to the network, in order to show that they are part of a professional community. Despite these membership restrictions, social networking sites facilitate the sharing of digital information at a large scale. Distribution of information may be done by members within the network, or by the website itself. Sharing member information with third party advertisers is a common practice for many social networking sites.</p><h2>Limiting Control</h2><p>Once users put their information online, they relinquish much of their control over it. Information is transmitted much faster through an online social network than through a “real” or offline network. Even though people in the real world do not all have the same access to an individual’s personal information, on a social networking site, every “friend” has access to whatever the user may choose to put online.</p><p>There are various reasons for a user to limit the access to their personal information. 
Since digital information is shared amongst a group of people, it could be collected and stored for an undefined period of time. This may be harmful to the individual if the information is in the possession of someone for whom it was not intended.</p><p>Many social networking sites maintain files on users that try to reflect each user’s identity as accurately as possible. Content is contributed by the user along with other members of the website. Users may have problems with how much control they actually have over their own online identity. Some social networking sites also have access to the user’s personal information from other websites.</p><p>Most social networking sites are free of charge; however, they depend on third-party affiliates to generate income. Many social networking sites collect and sell user information in the form of marketing profiles. One example of this is the targeted ads used by Facebook. With this program, third party advertisers use information from a user’s profile to create personalized advertising content. Currently, Facebook does not allow users to opt out of receiving such content.</p><p>Limited user control of information could lead to dangerous outcomes. Combined with loose access limitations, it may become difficult to prevent information-based harm. For instance, users of social networking services may unwittingly be putting themselves at risk for <a
href="http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/" target="_blank"> identity theft</a>. Studies have shown that it is easier than one might imagine to guess a social security number. With knowledge of one’s address and current employer, a burglar may know when a house is empty. With lax restrictions on information collection, information processing and information dissemination, users of social networking services may be poorly protected from such harmful outcomes.</p><h2>Privacy Safeguards</h2><p>From a privacy standpoint, trust is a key concept for social networking sites, among other online interactions. Trust is closely linked to information disclosure and social exchange. If users believe that the disclosure of information will be beneficial to them, then they are more likely to enter into a relationship with the social networking service.</p><p>However, researchers believe that the level and basis of this trust is not well understood. Despite numerous incidents, millions of users continue to join and participate in social networking sites, adding more and more personal information to their profiles. Unfortunately, the type of privacy expected and provided by social networking services is often undefined or inadequately defined.</p><p>Default privacy settings on many social networking sites do not offer a high level of privacy protection. They often allow a large amount of personal information to be accessible to any viewer. This may include blogs, comments, profile photos or videos.</p><p>Many social networking sites have privacy policies that appear as disclaimers that a user must accept to continue using the service. Through his/her acceptance of the terms and conditions, the user waives some privacy rights and other privileges over his/her personal information. 
Critics have pointed out that many of these privacy policies suffer from:</p><ul><li>Lack of visibility: Many privacy policies are mentioned once in the “terms of use,” which users must accept in order to continue. As these privacy policies are constantly changing to accommodate new features, services or demands, updated versions should be made visible on the website.</li><li>Inadequate information for users: Users are largely unaware of any changes to the social networking service, or the results that may occur from these changes. Users are also kept in the dark regarding any third party service providers the site may share information with.</li><li>Lack of independent review: The majority of social networking sites lack an independent monitoring system.</li></ul><h2>Example: Facebook</h2><p>Due to its great popularity, Facebook has received much attention for its actions regarding user privacy. Since 2006, Facebook has made numerous changes to its privacy policy, which has been problematic for privacy watchdogs and users alike. A number of its significant changes and privacy breaches are outlined below:</p><ul><li>2006: User information started to be shared with the public as well as third-party application developers. Facebook users were misled into revealing personal information that had once been protected.</li><li>2007: Facebook’s Beacon program disclosed users’ personal information without their knowledge or consent. This was a violation of a number of federal and state laws, including the Video Privacy Protection Act; California’s Computer Crime Law; the Electronic Communications Privacy Act; and the Computer Fraud and Abuse Act.</li><li>2009: Facebook made significant changes to its Terms of Service, declaring that it retained broad and even retroactive rights to users’ information, even after their accounts had been deleted. 
In the face of public outcry, Facebook was forced to overturn the changes.</li><li>2009: The Privacy Commissioner’s Office of Canada found Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA).</li><li>Currently, publicly available information on Facebook includes: names; profile photos; list of friends; pages that members are fans of; gender; geographic regions; and networks that members belong to.</li></ul><h3>Summary</h3><p>This article introduces key privacy and security concepts surrounding social networking sites. While such sites have seen incredible popularity in recent years, they are also potentially dangerous tools, as they provide almost unrestricted access to the personal information of hundreds of millions of people worldwide. The article looks at issues of access to such information, how access is limited and how privacy and trust affect users of social networking sites. The article also explores some shortcomings and potential privacy risks, through a brief examination of Facebook’s privacy policies and their changes over time.</p><h3>CIPP/IT Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy by policy, notice and choice (III.A.a.)</li><li>Social networking services (VI.C.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/09/28/social-networking-services-privacy-issues/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Youth Privacy in Canada</title><link>https://www.cippguide.org/2010/07/08/youth-privacy-in-canada/</link> <comments>https://www.cippguide.org/2010/07/08/youth-privacy-in-canada/#comments</comments> <pubDate>Thu, 08 Jul 2010 12:00:36 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & 
Regulations]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[Children's Online Privacy Protection Act]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[ombudsman]]></category> <category><![CDATA[OPC]]></category> <category><![CDATA[PIAC]]></category> <category><![CDATA[PIPEDA]]></category> <category><![CDATA[Privacy Commissioner]]></category> <category><![CDATA[Privacy Commissioner of Canada]]></category> <category><![CDATA[Social Networking]]></category> <category><![CDATA[youth]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1917</guid> <description><![CDATA[Youth privacy is increasingly important, especially in light of how young people adeptly integrate the Internet and online services into their daily lives. Under the United Nations 1989 Convention on the Rights of the Child, privacy is a basic human right for everyone under the age of 18. In the United States, the FTC passed the Children’s Online Privacy Protection Act in 1998, specifically protecting children under age 13. Canadian privacy legislation – the PIPEDA and the Privacy Act – also ensure that children’s privacy is protected in the private and public spheres. The Canadian Privacy Commissioner has made youth privacy one of the issues to focus on for [...]]]></description> <content:encoded><![CDATA[<p>Youth privacy is increasingly important, especially in light of how young people adeptly integrate the Internet and online services into their daily lives. Under the United Nations 1989 Convention on the Rights of the Child, privacy is a basic human right for everyone under the age of 18. In the United States, the FTC passed the <a
href="http://www.cippguide.org/tag/parental-consent/">Children’s Online Privacy Protection Act</a> in 1998, specifically protecting children under age 13. Canadian privacy legislation – the <a
href="http://www.cippguide.com/2010/06/10/personal-information-protection-and-electronic-documents-act-pipeda/" target="_blank">PIPEDA </a>and the <a
href="http://www.cippguide.com/2010/06/08/canadian-privacy-act-2/" target="_self">Privacy Act</a> – also ensure that children&#8217;s privacy is protected in the private and public spheres. The Canadian <a
href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/">Privacy Commissioner</a> has made youth privacy one of the issues to focus on for 2010.</p><h2>Beliefs &amp; Behaviors</h2><p>Online environments often raise issues of youth privacy and awareness. Studies have documented that many young Canadians frequently reveal personal information online without thinking of the potential consequences. According to the <a
href="http://www.media-awareness.ca/english/index.cfm">Media Awareness Network</a>, 80% of youth use the Internet alone. A 2008 <a
href="http://www.kidshelpphone.ca/teens/home/splash.aspx">Kids Help Line</a> study revealed that 40% of youth were willing to give personal information to someone they only knew online.</p><p>A federal Privacy Commissioner’s survey found that almost half of Canadian youth admit that they do not read privacy policies on websites. The majority of youth believe that if a website has a privacy policy, users are assured that the information they provide will not be shared with third parties. Many are unaware that online services may be used to monitor their behavior, or that personal information can be stored and sold to third parties. Although the Commissioner’s study found that many young Canadians do not agree with increased censorship or surveillance, they do want the ability to make more informed decisions about the sites they visit and their online activities.</p><h2>Privacy Issues: Facebook</h2><p>In July 2009, the federal Privacy Commissioner completed an investigation of the popular social networking site, <a
href="http://www.cippguide.org/tag/facebook/">Facebook</a>. The investigation was prompted by a complaint from the <a
href="http://www.cippic.ca/en/">Canadian Internet Policy and Public Interest Clinic</a> (CIPPIC), which identified serious privacy gaps and violations of Canadian privacy legislation. This was an overarching concern for the Commissioner, especially since 12 million Canadians are registered on Facebook, many of them youth.</p><p>The Commissioner issued a report identifying a number of key privacy issues with Facebook:</p><ul><li>Third-party application developers (of which there are almost 1 million worldwide) have access to personal information beyond what was necessary to run an application. Developers are also allowed to retain users’ personal information even after the user deletes the application.</li></ul><ul><li>The option of account deletion was inaccessible to users, which means that Facebook could still retain information in user profiles. Many users confuse account deactivation with account deletion. In situations of account deactivation, Facebook does not inform users that their information is being retained for future use.</li></ul><ul><li>Facebook does not obtain the consent of non-users before uploading their personal information to the site (e.g. through photos, videos and wall posts). Non-users are not notified if their personal information is provided to Facebook. When users send invitations to non-users, Facebook collects and retains the email addresses of the non-user indefinitely, without knowledge and consent from the individual.</li></ul><ul><li>Users do not have the ability to opt-out of posthumous displays of their profile. Relatives of a deceased user are unable to remove their family member’s profile. 
Facebook does not clearly explain that user profiles are kept active after death, in order to allow friends to post comments and memorialize the individual.</li></ul><p>As a result of the Commissioner’s report, Facebook agreed to make significant technological and policy changes to help its users better understand how their personal information is used and to make more informed decisions about sharing the information. The Commissioner felt that Facebook’s response was a positive step and agreed with its one-year timetable for implementing changes. The Facebook investigation sets expectations for the privacy practices of other social networking sites.</p><h2>Privacy Issues: Nexopia</h2><p>A privacy complaint was filed against the Canadian social networking site <a
href="http://www.nexopia.com/">Nexopia</a> in January 2010. The <a
href="http://www.piac.ca/index.html">Public Interest Advocacy Centre</a> (PIAC), an Ottawa-based consumer advocacy group, brought the matter to the attention of the federal Privacy Commissioner in a 35-page complaint, which identified six violations of the PIPEDA by Nexopia’s privacy practices. Under the PIPEDA, the Privacy Commissioner has one year to investigate the complaint and deliver findings. The six violations are outlined below:</p><ul><li>User profiles and personal information are disclosed to the general public. Non-member visitors can easily access sensitive information, including personal information, comments, blogs, messages and photos. Even with the highest privacy-protective setting on Nexopia, some personal information (i.e. username, age, sex and location) will always be available to the public.</li></ul><ul><li>Members cannot opt out of being searchable; the “visible to all” default setting is beyond reasonable expectations and violates the PIPEDA.</li></ul><ul><li>Without providing Nexopia with personal information (i.e. username, email address, birth date, sex and location), a user cannot join the Nexopia community. Users are not directed to the Privacy Policy and are not made aware of the ways in which their personal information can be used or disclosed.</li></ul><ul><li>While Nexopia uses targeted advertising to generate income, it does not adequately explain its advertising practices. Users are not able to give meaningful consent to how their personal information will be used or disclosed. Users do not have the ability to opt out of the targeted advertising program. According to the <a
href="http://www.the-cma.org/">Canadian Marketing Association</a>’s (CMA) Code of Ethics, collecting contact information from teens aged 13 to 16 requires opt-in consent. Nexopia fails to incorporate this practice into its information collecting procedures.</li></ul><ul><li>Current Nexopia practices regarding the transferring and sharing of personal information with third parties are not transparent.</li></ul><ul><li>Nexopia’s information retention policies violate the PIPEDA. For instance, if Nexopia members send email invitations to their non-member friends, Nexopia stores the email addresses the members provide for future use, although the non-members have not given consent to the collection and use of their email addresses. The non-members also do not have the option to unsubscribe from Nexopia invitations or emails. Further, Nexopia reserves the right to retain members’ personal information indefinitely.</li></ul><p>Nexopia’s extremely advanced search function presents additional privacy concerns. The PIAC noted that the member search engine is a worrisome tool, as it permits a fine-grained search of its members. For example, the advanced search can allow an individual to search for females between the ages of 13 and 16 who live in a particular city, or attend a specific school and have certain interests. It is clear that the search tool does not respect youth privacy.</p><h2>Joint Resolution</h2><p>In response to child and youth privacy concerns, the federal Privacy Commissioner and provincial privacy oversight officials issued a <a
href="http://www.priv.gc.ca/media/nr-c/2008/res_080604_e.cfm">joint resolution</a>, expressing commitment to improving online privacy standards for children and youth. The resolution, released on June 4, 2008, reinforced children’s rights to privacy and described the actions that the Privacy Commissioner and provincial ombudsmen would take. The Offices advocated an education-based approach that would be upheld by partnerships between commissioners, governments, industry and organizations. Some of the steps to be taken included:</p><ul><li>Collaboration between Commissioners and ombudsmen on public education activities.</li><li>Recommendations on privacy education tools to governments, industry, child/youth advocates, parents and teachers.</li><li>Increase stringency of private sector privacy laws regarding online environments for youth/children.</li><li>Websites for children/youth to offer privacy policies and user agreements that are clear, simple and easy to understand.</li><li>Industry guidance for better privacy practices.</li><li>Commissioners and ombudsmen should be accessible to children/youth to lodge a complaint and seek the appropriate resolution.</li><li>Collaboration with privacy protection regulators worldwide.</li></ul><p>On the same day the resolution was released, the Office of the Privacy Commissioner launched <a
href="http://www.youthprivacy.ca/en/">Youth Privacy</a>, an interactive website that offers resources to youth to protect their personal information and their online activities.</p><h3>Summary</h3><p>This article introduces the issue of child and youth privacy in Canada. It presents a background of youth beliefs regarding online privacy and their privacy protecting behaviors. The article explores two online social networking sites that compromise youth privacy – Facebook and Nexopia. Finally, the article discusses the federal Privacy Commissioner’s and provincial ombudsmen’s responses to issues of youth privacy protection.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Personal Information Protection and Electronic Documents Act of Canada: PIPEDA (III.A.a.)</li><li>Canadian Private Sector Laws &amp; Practices: privacy incidents (III.B.g.)</li><li>Online Privacy: online data collection (V.B.C.)</li><li>Children’s online privacy: parental consent, age restrictions (V.B.f.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/07/08/youth-privacy-in-canada/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Google Buzz</title><link>https://www.cippguide.org/2010/06/08/google-buzz/</link> <comments>https://www.cippguide.org/2010/06/08/google-buzz/#comments</comments> <pubDate>Tue, 08 Jun 2010 12:00:13 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Beacon]]></category> <category><![CDATA[Buzz]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[Fair Information Principles]]></category> 
<category><![CDATA[Google]]></category> <category><![CDATA[Google Maps]]></category> <category><![CDATA[Google Street View]]></category> <category><![CDATA[Harriet Jacobs]]></category> <category><![CDATA[Jennifer Stoddart]]></category> <category><![CDATA[limiting data collection]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[Privacy Commissioner]]></category> <category><![CDATA[Reader]]></category> <category><![CDATA[Social Networking]]></category> <category><![CDATA[Street View]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1870</guid> <description><![CDATA[When Google launched its social networking tool, Google Buzz in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and online networking [...]]]></description> <content:encoded><![CDATA[<p>When <a
href="http://www.cippguide.org/tag/google/">Google</a> launched its social networking tool, <a
href="http://www.google.com/buzz">Google Buzz</a> in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and <a
href="http://www.cippguide.org/tag/social-networking/">online networking applications</a>.</p><h2>Introducing Google Buzz</h2><p>Google launched what it expected would be the Twitter/Facebook competitor, Google Buzz, on February 9, 2010. It was advertised as “a new way to share updates, photos, videos and more, and start conversations about the things you find interesting.” Buzz was designed to integrate with Gmail – which already had over 146 million users at the time of the launch – and with interaction elements of other Google products, such as <a
href="http://www.google.com/reader/view/">Google Reader</a>.</p><p>The service can also be accessed through supported mobile devices. The mobile version of Buzz is integrated with <a
href="http://maps.google.com/">Google Maps</a>, in order to let users know their location and identify other users who are around them.</p><p>Buzz was received with great interest. In the first two days after its launch, tens of millions of users created over nine million posts and comments. On average, there were over 200 posts per minute through mobile phones worldwide.</p><h2>Responses</h2><p>However, not all responses to Buzz were positive. Immediately after its introduction, privacy-minded users noticed that Buzz automatically set them up with followers and people to follow. This group of followers is chosen based on the contacts the user emails and chats with the most.</p><p>Another issue of concern was that the people a user follows and the people that follow the user are made public to anyone viewing the user’s profile. This is the default setting, which allows anyone who views a profile to see the people who a user chats with or emails most. The implications of this setting were worrisome to some users. For instance, a boss may discover that a subordinate has frequent email contact with executives at a competing firm.</p><p>What was distressing to most critics was that Google did not openly explain how the publicly viewable follower lists were determined. Buzz’s unclear opt-out approach put many users in the position of unknowingly sharing personal information.  It is clear that Google’s choice to design the lists to show publicly by default was a strategic decision to get as many people using Buzz as quickly as possible. While it may be a helpful setting for some users, others may not feel comfortable with sharing with the world who they email or chat with most.</p><p>This glaring privacy flaw was brought to the spotlight two days after Buzz was launched, when <a
href="http://www.fugitivus.net/2010/02/11/fuck-you-google/">Harriet Jacobs</a> saw her personal information revealed to her ex-husband and his abusive friends. Unfortunately, Google automatically allowed her most frequent contacts to view her Google Reader, all the comments on her Reader, as well as her current location, workplace and other sensitive information. Her most frequent email contacts happened to be her ex-husband, his friends and other hostile blog commenters. She was unable to block these users as she never created a Google profile or Buzz profile, which left her unable to prevent them from following her.</p><h2>Making Changes</h2><p>Within three days of launching Buzz, Google issued a public apology and made some changes to the program in response to the widely-publicized consumer privacy concerns. It added a more visible opt-out selection to allow users to choose not to show their connections or followers on their profile. This was a rapid response to user concerns, especially when compared to Facebook’s <a
href="http://www.circleid.com/posts/a_look_at_the_facebook_privacy_class_action_beacon_settlement/">Beacon privacy problems</a> in 2007, which took over a month to resolve.</p><p>Although the changes were a positive step in terms of supporting user privacy rights, critics pointed out that Google did not go far enough to address immediate concerns. For instance, the selection box for sharing followers was checked by default. Since this is an option for sharing private or sensitive information, many argued that the box should be unchecked. Given its nature, it would be best to leave that as an opt-in feature.</p><p>Furthermore, the opt-out selection did not give users an adequate explanation as to what they were allowing Buzz to publish. Users were not informed that Buzz would publish the list of people they email and chat with most. Although the privacy settings could be adjusted, the problem was that most users do not know how to change these settings. The majority of users simply click “save and continue” until the application is fully set up, unfortunately reading little of the information contained in the dialog boxes. This made it clear that Google’s changes were an inadequate response to the scope and implications of users’ concerns.</p><p>In April 2010, privacy officials from Canada, Germany, France, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK raised privacy concerns regarding Google Buzz, as well as other Google services. The letter pointed out that even months after its launch, Buzz was still disregarding its users’ privacy rights, despite Google’s promises to the contrary.</p><h2>Opt-In vs. Opt-Out</h2><p><a
title="CIPPGuide: Opt out articles" href="./tag/opt-out/" target="_self">Opt-out mechanisms</a> give users the opportunity to express non-agreement to a specific purpose. Unless the user takes action to opt-out, the organization assumes consent and proceeds. The organization should clearly inform the users that failing to opt-out means that the user consents to the use or disclosure of information. For instance, the Google Buzz box presented users with the opt-out choice with a pre-checked box that read, “Show the list of people I’m following and the list of people following me on my public profile.”</p><p>Opt-in consent is often referred to as “express consent.” With opt-in consent, the organization presents the users with the opportunity to express positive agreement to a stated purpose. Only with the user’s action will the organization assume consent. Opt-in consent is considered the strongest form of consent. The <a
href="http://www.priv.gc.ca/index_e.cfm">Privacy Commissioner of Canada</a> encourages organizations to use this form of consent wherever it is appropriate, as it is least likely to result in misunderstandings and complaints.</p><p>In the Google Buzz case, an effective opt-in statement for new users might have been a checkbox reading “Show the list of people I’m following and the list of people following me on my public profile. Right now, the list is made up of people you email and chat with most.”</p><h2>Recommendations</h2><p>Jennifer Stoddart, the federal Privacy Commissioner of Canada, expressed her unease over how an application as problematic as Buzz was launched for public use in the first place. Stoddart did not support the decision to release Buzz in its “beta” form, as it should have demonstrated compliance with <a
title="CIPPGuide: Fair Information Practice Principles" href="./2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">fair information principles</a> before it was introduced. She felt it was unacceptable to launch a product that had such significant privacy issues, with the intention of addressing those problems only as they arise. This was also not the first time Google made a glaring privacy error, as <a
title="CIPPGuide: Street View" href="./tag/google/" target="_self">Google Street View</a> was launched earlier, without consideration of privacy, data protection laws or cultural norms.</p><p>Stoddart and the Privacy Commissioner’s Office sent Google a number of recommendations that would enable it to integrate fundamental privacy principles into its online services. The recommendations included:</p><ul><li>Collecting and processing only the minimum amount of personal information that is necessary for achieving the purpose of the product or service.</li><li>Providing clear, unambiguous information regarding the use of personal information.</li><li>Allowing users to provide informed consent.</li><li>Creating privacy-protective default settings.</li><li>Ensuring that privacy control settings are clear and easy to use.</li><li>Ensuring that all personal data is adequately protected.</li><li>Giving users simple procedures for account deletion.</li><li>Honoring user requests in a timely manner.</li></ul><h3>Summary</h3><p>This article examines privacy issues raised through the launch of the social networking program Google Buzz. It outlines some critical responses to the privacy settings and risks that the application exposes users to. The article also explores opt-in and opt-out consent mechanisms. Finally, the article takes a look at the Canadian Privacy Commissioner’s response and recommendations to Google Buzz.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Online privacy, online data collection (V.B.c.)</li><li>End user expectations (V.C.c.a.i.)</li><li>End user preferences, opt-in vs. opt-out (V.C.c.a.ii.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/06/08/google-buzz/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Hacking &quot;Linked-In&quot;: Working around the social part of social networking</title><link>https://www.cippguide.org/2006/06/14/hacking-linked-in-working-around-the-social-part-of-social-networking/</link> <comments>https://www.cippguide.org/2006/06/14/hacking-linked-in-working-around-the-social-part-of-social-networking/#comments</comments> <pubDate>Wed, 14 Jun 2006 22:50:00 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[Hacking]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[IA]]></category> <category><![CDATA[LinkedIn]]></category> <category><![CDATA[Social Networking]]></category><guid
isPermaLink="false">http://wordpress.cippguide.org/?p=12</guid> <description><![CDATA[<p>Original Post on 14-Jun-06 4:50pm
I use &#8220;Linked-In&#8221; as a social networking and online contact management tool. It&#8217;s quite convenient, nearly a true peer-to-peer instantiation of a friend-of-a-friend tool (at least in the free version) and pretty indicative of most of these sites. In order to connect with someone, you either must have their email address and send them an invitation, or ask someone you&#8217;re already connected with for an introduction, all brokered by Linked-In. I say nearly a true peer-to-peer social networking tool, as there are a couple of ways to bypass their system. Take a [...]]]></description> <content:encoded><![CDATA[<p><small>Original Post on 14-Jun-06 4:50pm </small><br
/> I use &#8220;Linked-In&#8221; as a social networking and online contact management tool. It&#8217;s quite convenient, nearly a true peer-to-peer instantiation of a friend-of-a-friend tool (at least in the free version) and pretty indicative of most of these sites. In order to connect with someone, you either must have their email address and send them an invitation, or ask someone you&#8217;re already connected with for an introduction, all brokered by Linked-In. I say nearly a true peer-to-peer social networking tool, as there are a couple of ways to bypass their system. Take a look at the following &#8220;Linked-In&#8221; profile:</p><blockquote><p><strong>Computer &amp; Network Security Professional</strong><br
/> Greater Los Angeles Area | Computer &amp; Network Security<br
/> <strong>Experience:</strong><br
/> Sales<br
/> <u>Northrop Grumman </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1985 &#8211; Present (21 years)<br
/> Business Development Manager<br
/> <u>Lockheed </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2006 (11 years)<br
/> Business Development Manager<br
/> <u>Boeing </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2006 (11 years)<br
/> Business Development Manager<br
/> <u>Northrop </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1985 &#8211; 2006 (21 years)<br
/> Business Development Manager<br
/> <u>Blue Lance </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2006 (11 years)<br
/> Sales<br
/> <u>Decision One </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2005 (10 years)<br
/> Business Development Manager<br
/> <u>Pacific Bell </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2005 (10 years)<br
/> Business Development Manager<br
/> <u>DecisionOne </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2005 (10 years)<br
/> Business Development Manager<br
/> <u>SBC </u><br
/> <em>Computer &amp; Network Security Industry</em><br
/> 1995 &#8211; 2005 (10 years)</p></blockquote><p>I received this yesterday as a &#8220;Colleague&#8221; connect request. If your years at a specific company or school overlap with someone else, a feature within the site allows a bypass mechanism. Your message is automatically sent without any outside broker (introducer/friend) or previous knowledge (an email address). It appears that this gentleman was a very rich, and very busy boy. In fact, since 1985, he &#8220;worked&#8221; at 7 major companies simultaneously. The only people I know afforded that sort of leeway are consultants, and they aren&#8217;t business development managers (the SEC frowns on this, something about overlapping strategies and oligopolies). All of his employers are in the Computer &amp; Network Security Industry, and security&#8217;s a hot market, so my guess is, he&#8217;s a head hunter, or maybe a mass marketer selling niche email lists. Or maybe, he&#8217;s a corporate spy. Probably not, but that&#8217;s the security guy in me.</p><p>I bring this up for user education. I personally found several University classmates I hadn&#8217;t talked to in over 10 years through this same feature. And there is a temptation for networking with this guy; it appears over 177 people accepted his invitation. The only question really is how many of them he actually knows. Thankfully, you still have to choose to link with your contacts. Linked-In gives you the option of reporting the user for agreement violation. Just think before you click. If it doesn&#8217;t look right, it probably isn&#8217;t. What&#8217;s a social network if there&#8217;s no value in who you&#8217;re connected with?</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2006/06/14/hacking-linked-in-working-around-the-social-part-of-social-networking/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Are you at risk? Bogus Entries on Networking Sites &amp; its impact on personal branding</title><link>https://www.cippguide.org/2006/06/12/are-you-at-risk-bogus-entries-on-networking-sites-its-impact-on-personal-branding/</link> <comments>https://www.cippguide.org/2006/06/12/are-you-at-risk-bogus-entries-on-networking-sites-its-impact-on-personal-branding/#comments</comments> <pubDate>Tue, 13 Jun 2006 01:24:00 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[Information Security]]></category> <category><![CDATA[IA]]></category> <category><![CDATA[LinkedIn]]></category> <category><![CDATA[Social Networking]]></category><guid
isPermaLink="false">http://wordpress.cippguide.org/?p=13</guid> <description><![CDATA[<p>Original Post on 12-Jun-06 9:24pm
The Information Assurance (IA) industry is quite small; the same major players are known throughout everyone&#8217;s circles. Gene Spafford is the GodFather. His legendary research into the security arena influenced most (read all) computer science/engineering students since before my time, and his contributions through Purdue&#8217;s CERIAS department still push IA research.  Martin Roesch designed the Snort Intrusion Detection System, considered by most as the only open source IDS deployable in a true operational environment. [...]]]></description> <content:encoded><![CDATA[<p><small>Original Post on 12-Jun-06 9:24pm<br
/> </small> The Information Assurance (IA) industry is quite small; the same major players are known throughout everyone&#8217;s circles. Gene Spafford is the GodFather. His legendary research into the security arena influenced most (read all) computer science/engineering students since before my time, and his contributions through Purdue&#8217;s <a
href="http://www.cerias.purdue.edu/">CERIAS department</a> still push IA research.  Martin Roesch designed the <a
href="http://www.snort.org/">Snort Intrusion Detection System</a>, considered by most as the only open source IDS deployable in a true operational environment. And Stephen Northcutt, the Director of the <a
href="http://www.sans.org/">SANS Institute</a> and originator of the SHADOW IDS from the Dahlgren Naval Surface Warfare Center, advertised by many as the first Network IDS. All of these men are well connected, and their reputations don&#8217;t do their contributions justice.</p><p>So recently, in the midst of finishing my graduate studies and a shakeup within my current company, I thought it might be a good idea to clean up my resume. I&#8217;ve written a few papers, passed a couple of certifications, and spent time with a few companies. When I do a vanity search, I come up with a half dozen hits. Not bad, but those hits don&#8217;t cover most of my work. In the wake of my recent schooling on the importance of marketing, I decided I should begin building my personal &#8220;brand&#8221;. That&#8217;s about the time I received an invitation to join &#8220;Linked-In&#8221; from a former colleague, and I started examining the networking sites. What a way to rediscover my contacts! Linked-In claims 6 Million users. The US has a population of roughly 240 M. And think who actually joins these networking sites: Information Technology or other well-heeled white-collar workers. I went through my stack of business cards, and found 100 or so people I&#8217;d met, be they vendors, University contacts, or colleagues. Each person that joined added a couple more names I recognized, and everything kept growing.</p><p>Now for the funny part. Remember about the size of the IA industry. The major players were already on the site. I sent them invitations, and received word back from most of them. Until Northcutt. I found him on the site, and posted the invite, expecting a quick note back saying hello. Instead Stephen Northcutt writes: &#8220;For real, I am not a member of LinkedIn, that is weird.&#8221;</p><p>I sent him a copy of &#8220;his&#8221; profile, to which I received: &#8220;That is awesome, and that was my job title back in 2004.
Anyway, I promise I am not a linked inner&#8221;. I started thinking about what could actually happen with irresponsible/malicious use of these sites. What could branding theft hurt? I could see networking impersonation benefits, people sending invites based on your status/reputation&#8230; They put together a huge email list of the best/brightest of your contacts, those that are the most &#8220;linked-in&#8221;. What happens when they ask for introductions, based on your title and prestige, to other top connections? Think about &#8220;you&#8221; asking Spaf or Marty for introductions to their 600 or 1000+ contacts. Or better still, a VC evaluator, someone like Becky Bace, another IA heavyweight. Your contacts happily oblige the introductions. It&#8217;s no longer a cold call for the imposter.</p><p>The reason I bring this up is simple. These are security experts. Stephen has a list of accomplishments that most people dream of for an industry reputation. I mean, he started an Information Security training institute. How would he ever know he&#8217;d been duped? And how would it be corrected? If the security experts miss this, what about you?</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2006/06/12/are-you-at-risk-bogus-entries-on-networking-sites-its-impact-on-personal-branding/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
