This article examines social networking services from a privacy standpoint, looking at key issues such as access, control, limitations and trust. Websites’ privacy policies and their weaknesses are also examined, by using the well-known social networking service Facebook as an example of how these services can compromise users’ security.

Gaining Access

The virtual communities of social networking websites have rapidly developed in recent years. For instance, facebook.com ranks second on US Quantcast rankings, with over 130 million visitors per month from the US alone. Other social networking sites, such as MySpace, Twitter and LinkedIn rank within the top fifty most visited websites in the US.

Upon joining a social networking site, users provide personal information to create a profile, which may include their name or username; birth date; photos and videos; hometown; location; religious beliefs; ethnicity; personal interests and other identifying information. Through their profile, users make links with other people on the site, whether they are existing friends and family, or new acquaintances. While some users create their profiles to communicate with their circle of friends, information on social networking sites can all to easily be accessible to the public, employers, the press, academic staff, law enforcement and more.

Many social networking websites have restrictions for membership, which limit who can have access to users’ information. MySpace requires users to be at least thirteen years old, while Facebook is open to anyone. Sites like LinkedIn require users to be invited to the network, in order to show that they are part of a professional community. Despite these membership restrictions, social networking sites facilitate the sharing of digital information at a large scale. Distribution of information may be done by members within the network, or by the website itself. Sharing member information with third party advertisers is a common practice for many social networking sites.

Limiting Control

Once users put their information online, they relegate much of their control over it. Information is transmitted much faster through an online social network than through a “real” or offline network. Even though people in the real world do not all have the same access to an individual’s personal information, on a social networking site, every “friend” has access to whatever the user may choose to put online.

There are various reasons for a user to limit the access to their personal information. Since digital information is shared amongst a group of people, it could be collected and stored for an undefined period of time. This may be harmful to the individual if the information is in the possession of someone for whom it was not intended.

Many social networking sites maintain files of users that try to reflect his/her identity as accurately as possible. Content is contributed by the user along with other members of the website. Users may have problems with how much control they actually have over their own online identity. Some social networking sites also have access to the user’s personal information from other websites.

Most social networking sites are free of charge; however, they depend on third-party affiliates to generate income. Many social networking sites collect and sell user information in the form of marketing profiles. One example of this is the targeted ads used by Facebook. With this program, third party advertisers use information from a users’ profile to create personalized advertising content. Currently, Facebook does not allow users to opt out of receiving such content.

Limited user control of information could lead to dangerous outcomes. Combined with loose access limitations, it may become difficult to prevent information-based harm. For instance, users of social networking services may unwittingly be putting themselves at risk for identity theft. Studies have shown that it is easier than one might imagine to guess a social security number. With knowledge of one’s address and current employer, a burglar may know when a house is empty. With lax restrictions on information collection, information processing and information dissemination, users of social networking services may be poorly protected from such harmful outcomes.

Privacy Safeguards

From a privacy standpoint, trust is a key concept for social networking sites, among other online interactions. Trust is closely linked to information disclosure and social exchange. If users believe that the disclosure of information will be beneficial to them, then they are more likely to enter into a relationship with the social networking service.

However, researchers believe that the level and basis of this trust is not well understood. Despite numerous incidents, millions of users continue to join and participate in social networking sites, adding more and more personal information to their profiles. Unfortunately, the type of privacy expected and provided by social networking services is often undefined or inadequately defined.

Default privacy settings on many social networking sites do not offer a high level of privacy protection. They often allow a large amount of personal information to be accessible to any viewer. This may include blogs, comments, profile photos or videos.

Many social networking sites have privacy policies that appear as disclaimers that a user must accept to continue using the service. Through his/her acceptance of the terms and conditions, the user waives some privacy rights and other privileges over his/her personal information. Critics have pointed out that many of these privacy policies suffer from:

• Lack of visibility: Many privacy policies are mentioned once in the “terms of use,” which users must accept in order to continue. As these privacy policies are constantly changing to accommodate new features, services or demands, updated versions should be made visible on the website.
• Provide inadequate information for users: Users are largely unaware of any changes to the social networking service, or the results that may occur from these changes. Users are also kept in the dark regarding any third party service providers the site may share information with.
• Lack of independent review: The majority of social networking sites lack an independent monitoring system.

Example: Facebook

Due to its great popularity, Facebook has received much attention for its actions regarding user privacy. Since 2006, Facebook has made numerous changes to its privacy policy, which has been problematic for privacy watchdogs and users alike. A number of its significant changes and privacy breaches are outlined below:

• 2006: User information started to be shared with the public as well as third-party application developers. Facebook users were misled to reveal personal information that had once been protected.
• 2007: Facebook’s Beacon program disclosed users’ personal information without their knowledge or consent. This was a violation of a number of federal and state laws, including the Video Privacy Protection Act; California’s Computer Crime Law; the Electronic Communications Privacy Act; and the Computer Fraud and Abuse Act.
• 2009: Facebook made significant changes to its Terms of Service, declaring that it retained broad and even retroactive rights to users’ information, even after their accounts had been deleted. In the face of public outcry, Facebook was forced to overturn the changes.
• 2009: The Privacy Commissioner’s Office of Canada found Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA).
• Currently, publicly available information on Facebook includes: names; profile photos; list of friends; pages that members are fans of; gender; geographic regions; and networks that members belong to.

Summary

This article introduces key privacy and security concepts surrounding social networking sites. While such sites have seen incredible popularity in recent years, they are also potentially dangerous tools, as they provide almost unrestricted access to the personal information of hundreds of millions of people worldwide. The article looks at issues of access to such information, how access is limited and how privacy and trust affect users of social networking sites. The article also explores some shortcomings and potential privacy risks, through a brief examination of Facebook’s privacy policies and their changes over time.

CIPP/IT Preparation

In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy by policy, notice and choice (III.A.a.)
• Social networking services (VI.C.)

http://twitter.com/link_click_count?url=http%3A%2F%2Fbit.ly%2F3omd6p&linkType=web&tweetId=3541772256&userId=12798452.

If you look at this link, it turns out that twitter is redirecting to bit.ly.  Apparently, these links previously were completely handled by bit.ly.  bit.ly is a “simple link shortener”, that “offers URL redirection service with real-time link tracking”.  In addition, it includes a complete history of links shortened. Why would Twitter look to track links when they have a perfectly working relationship with their URL redirection provider?

At 140 characters, tweets don’t provide much past commentary.  While you may update your location or time of arrival in such a small space, you won’t be writing War and Peace or unveiling details of the latest scientific finding.  You do use it to add a bit of social commentary to a YouTube video – “check this out, it’s funny”, or “shhh, don’t tell wifey” while sending a picture.

Tracking links fits in to the company’s long term goals, where Twitter will provide business services including market research and customer prospecting.   Information analysis only works when you hold the data. In order to provide some of the analytical services, such as which marketing tweets are promoting customer interest, Twitter will need to pull the bit.ly services in house.

Is collecting this information, and better still providing it to a third party outside a violation of a customer’s privacy?  We are not going to have the agreement between Twitter and bit.ly – they simply don’t publish those things.  However, we can examine selected passages from Twitter’s privacy policy to glean the types and uses of information they collect, and a bit of what they may transfer to 3rd parties including bit.ly.

Let’s delve a little deeper into Twitter’s privacy policy…

Selections from Twitter’s privacy policy

By using our Site you are consenting to our processing of your information as set forth in this Privacy Policy now and as amended by us. “Processing” means using cookies on a computer or using or touching information in any way, including, but not limited to, collecting, storing, deleting, using, combining and disclosing information,

Twitter may slice, dice and distribute any information you put into their system to anyone, anywhere.

all of which activities will take place in the United States. If you reside outside the U.S. your personally identifiable information will be transferred to the U.S., and processed and stored there under U.S. privacy standards. By visiting our Site and providing information to us, you consent to such transfer to, and processing in, the US.

Twitter is very clear that all information collected and processed occurs in the United States.  This allows citizens of the European Union and other like minded countries notice that they are opting in to monitoring and marketing – the protections afforded by local EU Data Protection Directive style laws will not apply.

Information Collection and Use

Our primary goals in collecting personally identifiable information are to provide you with the product and services made available through the Site, including, but not limited, to the Service, to communicate with you, and to manage your registered user account, if you have one.

“The Service” is quite broad, and likely includes provisions for third party tracking and marketing (i.e. bit.ly).  Obviously, when Twitter introduces their own business services, this will extend “the Service” definition.

Information Collected Upon Registration. If you desire to have access to certain restricted sections of the Site, you will be required to become a registered user, and to submit certain personally identifiable information to Twitter. This happens in a number of instances, such as when you sign up for the Service, or if you desire to receive marketing materials and information. Personally identifiable information that we may collect in such instances may include your IP address, full user name, password, email address, city, time zone, telephone number, and other information that you decide to provide us with, or that you decide to include in your public profile.

This section does imply that you must opt-in to receive marketing materials.  Obviously, anything placed on a public profile is not longer private, but apparently information it will not be disclosed.  Your user ID is not considered PII.

Additional Information Your full user name and your photo, if you decide to upload one … you may provide additional information in the profile section, including but not limited to your bio, your location, as well as your personal web site, if you have one. Providing additional information beyond what is required at registration is entirely optional, but enables you to better identify yourself and find new friends and opportunities in the Twitter system. If you activate the mobile phone options per the Terms of Service at www.twitter.com/tos, we will collect your cellular phone number account information. … If you contact us by email through the Site, we may keep a record of your contact information and correspondence, and may use your email address, and any information that you provide to us in your message, to respond to you.

Again, anything provided past the required registration username is optional, but will be recorded and associated with the non-identifiable information Twitter collects.

Use of Contact Information In addition, we may use your contact information to market to you, and provide you with information about, our products and services, including but not limited to our Service. If you decide at any time that you no longer wish to receive such information or communications from us, please follow the unsubscribe instructions provided in any of the communications.

This suggests an opt-out for marketing and additional product information.  This seems like it may be in conflict with the earlier opt-in statement.

Log Data When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website (“Log Data” ). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click. For most users accessing the Internet from an Internet service provider the IP address will be different every time you log on. We use Log Data to monitor the use of the Site and of our Service, and for the Site”™s technical administration. We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service

Here’s the part directly affecting bit.ly and the new click redirect service.  You do not own the clicks – Twitter will record your Log Data, and although not directly associated with your PII, your IP address could be put together with your user ID, which does not constitute PII.

Cookies

Like many websites, we also use “cookie” technology to collect additional website usage data and to improve the Site and our service…

Google recently faced scrutiny regarding their behavioral advertising using cookies, and Facebook’s Beacon program, which used a more nefarious technique, caused quite a stir late in 2008.

Information Sharing and Disclosure

Service Providers We engage certain trusted third parties to perform functions and provide services to us, including, without limitation, hosting and maintenance, customer relationship, database storage and management, and direct marketing campaigns. We will share your personally identifiable information with these third parties, but only to the extent necessary to perform these functions and provide such services, and only pursuant to binding contractual obligations requiring such third parties to maintain the privacy and security of your data.

This is where bit.ly (for now) comes in.   PII will be transferred, and the information updates will likely flow down to these third parties.  It does not mention anything regarding third parties updating Twitter’s information.

Business Transfers Twitter may sell, transfer or otherwise share some or all of its assets, including your personally identifiable information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity’s planned processing of your information differs materially from that set forth in this Privacy Policy.

This is a big one.  The registered traveler program that allowed people to move through a special, faster line at the airports, hosted by the company Clear, went bankrupt. They want to sell the information they collected on users to the original parent company, Verified Identity Pass, or possibly a third party.  They are being fought tooth and nail by the users, for the simple fact that this is not just a user name, password and IP address or phone number.  Clear collected information such as Social Security Numbers, and even biometric info, like fingerprints and iris scans.  These data allowed Clear to perform such risk mitigation strategies as background investigations, criminal history checks and government watch list comparisons.  It is unclear what will happen to the data for users of Clear, but according to their privacy policy, the information may only be used for a similar registered traveler program.

Our Policy Towards Children

The Site is not directed to persons under 13. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us at privacy at twitter dot com. We do not knowingly collect personally identifiable information from children under 13. If we become aware that a child under 13 has provided us with personal identifiable Information, we will delete such information from our files.

Twitter, as well as any other online business, must follow the Federal Trade Commission’s COPPA, the Children’s Online Privacy Protection Act.  The idea being children will easily share much more information than necessary, potentially placing themselves in danger.

In all, Twitter’s well within their privacy policy and terms of service when sharing information.  Now, it’s just a question of how many people actually read it, or just skip it because it’s cool to be on Twitter.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Introduction to Privacy:  Privacy as a factor in business risk management (Foundations: I.C.a.i.2),  Elements of Effective Privacy Management (Foundations: I.G.b.i) and Threats & Vulnerabilities
• Online Privacy:  Cookies (III.B.g.i) and Web Beacons (III.B.g.ii)

A Wired Magazine correspondent documented the inadvertent disclosures through the use of GPS embedded into many of today’s cell phones.  The NSA went through the trouble of securing the BarackBerry not only because he is the boss, but after hearing the vulnerabilities and mitigations, the residual risks were understood.  I’m sure the Agency guys didn’t need to explain to him about leaving his phone in an adversary’s hands or randomly text messaging his buddies about hitting the bar later that night.

That’s why I’m puzzled by this weekend’s actions of Congressman Peter Hoekstra – former Chairman, and ranking member of the House Intelligence Committee.  This is the guy supporting the warrant-less wiretapping, so that Al-Qaeda wouldn’t know US Intelligence was watching them.  During what was supposed to be a secret congressional trip to Iraq, Hoekstra Twitters the details of the weekend trip.  I understand a minor slip, those are planned for and around.  From the Congressman’s tweets, it seems like he was trying to cause an incident, discussing travel coordination and locations with timestamps:

On the way to Andrews Air Force base.12 hour flight to mid east Be back on Mon instead of tues….3:28 PM Feb 4th

Just landed in Baghdad…..9:41 PM Feb 5th

Moved into green zone by helicopter Iraqi flag now over palace.Headed to new US embassy….11:56 PM Feb 5th 

Talk about a lapse in responsibility.  This isn’t even a judgement call – Hoekstra jeopardized all of his fellow travellers.  Thankfully everyone returned safely home, at least according to Hoekstra’s last tweet:

Headed home!Situation in Iraq improves significantly.Afghanistan poses challenges!Lots of stuff to talk about when I get home Monday late pm

Even with the best policies and practices in place, everything hinges on the end user.  Their understanding of each action that takes place and their role in the ultimate security/privacy of the whole is paramount to the success of the mission.