Tag Archive for Privacy

10 Security Reasons to Quit Facebook

Joan Goodchild wrote an article for CSO Online that said Baby Boomers quit Facebook faster than they join, based on information from Inside Facebook. The data indicate that after huge growth in Facebook membership among the over-55 age group, that same demographic began to defect in large numbers, just months after signing up. The CSO Online article quotes Scott Wright, a security consultant based in Canada who runs the site streetwise-security-zone.com, as saying Boomers leave Facebook because they have discretion.

10 ways Facebook does not allow discretion

Here are 10 ways that Facebook does not allow for discretion, driving Boomers permanently off Facebook.

1. Your Privacy is History

Mr. Wright recalled an academic claim that the notion of privacy differs widely among generations. “The 20-something view of privacy is basically that their parents not see what they are doing. That’s about it,” he said. Apparently, Facebook founder Mark Zuckerberg agrees. He claims that openly sharing information with many people is today’s social norm. He went on to say, “We view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are.” Many have translated this to mean Facebook doesn’t think its users want much privacy, and the policies of the site show that view. “If you can’t maintain privacy online and off, then you can’t speak freely,” said Bethan Tuttle, a Washington-based independent consultant and privacy advocate. Tuttle says in the article that the massive and quick growth Facebook has experienced, coupled with a lack of privacy-centric leadership, has left end-user privacy as a casualty.

2. They don’t have your best interests in mind

Tom Eston, creator of the website socialmediasecurity.com, points out that the business model of Facebook and Twitter is to make user information as public as possible to generate new ways to make money. Mr. Eston said in the article:

They are really startups if you think about it. They don’t have a true business model … Their philosophy is the more you share, the more information they have to make money with. With that in mind, can you really count on them to protect you?

And do you know just how much information you are sharing that can be used not only by Facebook, but by the application developers that create those fun quizzes and games? Wright says most people don’t. (I wrote about this problem here).

3. Frequent redesigns affect privacy settings

Mr. Wright said in the CSO Online article:

Just when people figure out the privacy settings on Facebook, they go and change them again … It always seems like it is being done in everyone’s best interest, but if you really examine it, they have never done anything other than to try to get people to share more information.

Facebook redesigns often make public, and searchable, certain user information that was previously private, and many of the features you can make private are left public unless you go in and adjust your privacy settings. This is no small task, according to Ms. Tuttle, “I am really good online but it took me several tries to get my Facebook privacy settings where I needed them to be.”

4. Social engineering attacks are getting more targeted

Most Facebook users have received messages on their wall asking “Have you seen this video?” or “Is this you in this photo?” By clicking on the link, the user runs the risk of being infected by malware. These are known as social engineering attacks, and they are becoming more sophisticated, said Mr. Wright. “They are becoming very targeted. Even seasoned security professionals are falling for them,” he said. The more information you share, coupled with a decrease in privacy, only means it is even easier for cyber criminals to get information about you that can be used to trick you into clicking on a bad link.

5. You can’t trust the ads

Most web users think advertisements are harmless; unfortunately, some contain malicious links. One common scenario involves a pop-up from the ad that claims your computer is infected and prompts you to download software to fix it. Instead of helpful software, you end up downloading something nasty. This is now commonly known in the security community as “scareware,” and it’s still a very effective way to snare unsuspecting users.

6. Spam

Spam claiming to be from Facebook has increased, according to the article. “I think it’s a security concern,” said Mr. Eston. “Mostly because spammers can use that vulnerability to make you think the message is coming from Facebook when it is not.” Many users simply wonder, “Why is Facebook sending me this?” and instinctively open the message and log in to what turns out to be a fake screen that steals credentials.

7. You don’t really know your friends

The author cites a report from security firm Cloudmark which concluded that close to 40 percent of new Facebook profiles are fakes. Having lots of friends is dangerous because it opens you up to more security risks. Mr. Wright said those who get targeted for hacking are the users who have lots of friends (here is an example). The more friends you have, the more reach a criminal will have when he breaks into your profile and sends out a bad link to everyone.

8. You can’t help yourself from being dumb

The attention around the site pleaserobme.com brought to light the safety concerns around social networking. Pleaserobme aggregates the Twitter feeds of people who play Foursquare, a location-sharing application. The problem is that while playing the game, many users are also publicly broadcasting that their home is likely unattended and a good “opportunity” (as the site terms it) for thieves. As Ms. Tuttle put it, you need to think about what you are doing, and many people are not. You’re putting yourself out there in potentially dangerous ways, particularly if you don’t know all of your “friends” that well.

9. The great unknown

CSO Online says there is a lot of speculation about a Facebook IPO and future business strategy. What does this mean for users? Mr. Wright said some fear it means an increased loss of privacy as the social networking site inevitably looks for ways to make money by offering up valuable user information to advertisers and developers. Mr. Wright said:

One of the things I find most interesting is that there are still many people who are scared to death of social networking sites. These are usually the people who don’t see value in them. In the end, they may be the wisest of us all.


10. Ex’s, creeps and parents

Facebook is making it possible for people to be cyber stalked, even if they aren’t friends anymore, said Mr. Eston. Although the physical and virtual connections are broken, having mutual friends makes it easier for your ex to keep tabs on you. The same goes for any creepy guy or girl you are trying to avoid. Or you may get a friend request from a parent, which Mr. Wright claims many 20-something users consider the worst thing that could ever happen in the history of social networking. “That is a big driver for quitting,” he said. “Once the parent friends some of these people they immediately think ‘I’ve got to get out of this!’”


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Mobile Apps Sending User Data

The Wall Street Journal has continued its excellent work on data privacy. The WSJ is reporting that, like many Facebook applications, many popular mobile apps are sending user data from phones to third parties. They found that most of the popular apps running on Apple (AAPL) iPhones and Google (GOOG) Android systems had sent the phone’s unique device ID to other firms without asking the user’s permission.

TechEye says that the iPhone was much worse than Google’s Android, although both Apple and Google have promised not to let such practices take place. Michael Becker of the Mobile Marketing Association told TechEye there is no anonymity. Alex Deane, director for Big Brother Watch, said, “This is alarming news. Most users of these apps don’t know this is happening and many of them wouldn’t use the app if they did know,” Mr. Deane told IT PRO. “Importantly, lots of these apps are mainstream ‘normal’ apps. It’s not just shady operators doing this.”

The WSJ reports that mainstream mobile productivity, games, and music apps are sending user data elsewhere. The data is mostly sent to ad companies so they can tailor ads to the user’s history for better results. The paper found that 56 of the apps in the investigation sent unique information to other companies without the user knowing or agreeing to the sharing. 47 of the apps sent the mobile phone’s location to third parties, and five of the apps sent age, gender, and personal details to outsiders. Eighteen of the 51 iPhone apps sent information to Apple.

The Journal found:

  • The app that shares the most personal info is an iPhone app called TextPlus 4. The app sent the unique ID of the device to eight ad companies and sent the zip code, user’s age, and gender to two more firms.
  • The free and paid versions of the wildly popular Angry Birds app on an iPhone sent the phone’s UDID and location to the Chillingo unit of Electronic Arts Inc., which markets the games.
  • The popular music site Pandora was a big offender, sending age, gender, location, and phone identifier to various ad networks.
  • Both the Android and iPhone versions of Paper Toss sent the phone ID number to at least five ad companies.
  • The Android app for social networking site MySpace sent age and gender, device ID, user’s income, ethnicity, and parental status to Millennial Media, a big ad network.

Among all the mobile apps tested by the WSJ, the most widely shared detail was the unique ID number assigned to every mobile phone. It is effectively a “supercookie,” says Vishal Gurbuxani, co-founder of Mobclix Inc., an exchange for mobile advertisers. The “UDID,” or Unique Device Identifier, is set by the phone makers, carriers or makers of the operating system and typically can’t be blocked or deleted.

The WSJ has released a short video explaining its investigation.

“The great thing about mobile is you can’t clear a UDID like you can a cookie,” Meghan O’Holleran of Traffic Marketplace told the WSJ. Traffic Marketplace, an Internet ad network that is expanding into mobile apps, uses UDIDs. “That’s how we track everything.” Ms. O’Holleran told the WSJ that Traffic Marketplace monitors smartphone users whenever it can. “We watch what apps you download, how frequently you use them, how much time you spend on them, how deep into the app you go,” she says.

According to the WSJ, Mobclix matches more than 25 ad networks with 15,000 apps seeking advertisers. The company collects mobile phone IDs, encodes them, and assigns them to interest categories based on what apps people download and how much time they spend using an app, among other factors. By tracking a phone’s location, Mobclix also makes a “best guess” of where a person lives, says Mr. Gurbuxani, the Mobclix executive. Mobclix then matches that location with spending and demographic data from Nielsen Co.

Mobclix uses the data to place a user in one of 150 “segments” it offers to advertisers, from “green enthusiasts” to “soccer moms” to “die-hard gamers.” “Die-hard gamers” are 15-to-25-year-old men with more than 20 apps on their phones who use an app for more than 20 minutes at a time. “It’s about how you track people better,” Mr. Gurbuxani told the WSJ.

Google was the biggest data recipient in the WSJ tests. Its AdMob, AdSense, Analytics, and DoubleClick units collectively heard from 38 of the 101 apps. Google’s main mobile ad network, AdMob, lets advertisers target phone users by location, type of device and “demographic data,” including gender or age group. Google, whose ad units work on both iPhones and Android phones, says it doesn’t mix data received by these units.

Apple operates its iAd network only on the iPhone. Apple targets ads to phone users based largely on what it knows about them through its App Store and iTunes music service, according to the WSJ article. The targeting criteria can include the types of songs, videos, and apps a person downloads, according to an Apple ad presentation reviewed by the Journal. The presentation named 103 targeting categories, including karaoke, Christian/gospel music, anime, business news, health apps, games, and horror movies.

According to the WSJ, the ad networks offer software “kits” that automatically insert ads into an app. The kits track where users spend time inside the app. A developer quoted in the WSJ article says ads targeted by location bring in two to five times as much money as untargeted ads. In its software-kit instructions, Millennial Media lists 11 types of information about users that developers may send to “help Millennials provide more relevant ads.” They include age, gender, income, ethnicity, sexual orientation, and political views.

The WSJ also claims that most of the apps don’t have written privacy policies. Forty-five of the 101 apps didn’t offer privacy policies on their websites or inside the apps at the time of testing. Neither Apple nor Google requires app privacy policies. Both Google and Apple say that they require apps to ask permission to send information to third parties. However, many app developers skirt the rules, the WSJ reports.

Apple says iPhone apps “cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.” Many apps tested by the Journal appeared to violate that rule, by sending a user’s location to ad networks, without informing users. Apple declined to discuss with the WSJ how it interprets or enforces the policy.

Google doesn’t check the apps running on Google’s Android operating system because third parties build the phones. Google requires that, before users download an Android app, the developer identify the data sources the app intends to use. Possible sources include the phone’s camera, memory, contact list, and more than 100 others. If users don’t like what a particular app wants to access, they can choose not to install the app, Google says. Google told the WSJ that app makers “bear the responsibility for how they handle user information.” “Our focus is making sure that users have control over what apps they install, and notice of what information the app accesses,” a Google spokesperson says.

rb-

The trade in your personal information grows as technology evolves. The WSJ says that Apple has recently filed a patent for a system for placing and pricing ads based on a person’s “web history or search history” and “the contents of a media library.” For example, home-improvement advertisers might pay more to reach a person who downloaded do-it-yourself TV shows, the document says. The patent application also lists another possible way to target people with ads: the contents of a friend’s media library.

 


Facebook Privacy Fail Again

Updated 11-01-10 – Facebook has completed its internal investigation into reports from The Wall Street Journal that Facebook applications were violating its user privacy. The WSJ says FB is sharing unique user IDs with advertising agencies and data collection companies. According to the firm’s blog, some developers were sharing Facebook UIDs with data brokers for a fee. “This violation of our policy is something we take seriously,” Facebook engineer Mike Vernal wrote in the corporate response.

The social networker is reportedly taking action against developers who violated the Facebook policies by “instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies,” according to the corporate blog.

The blog also states that Facebook has struck a deal with Rapleaf (which I wrote about here), the data-mining firm that has tied Facebook ID information collected by Facebook applications to a database of Internet users it sold. “Rapleaf has agreed to delete all UIDs in its possession, and they have agreed not to conduct any activities on the Facebook Platform (either directly or indirectly) going forward.”

Last May Facebook was caught using “referrers” to send users’ ID information to advertising agencies every time the users click on ads. In response, the social networker changed some of the code that allowed this and issued a half-hearted apology. Now, the Wall Street Journal has found that third-party applications or “apps” on Facebook have been guilty of the same thing.  The WSJ says the privacy breach affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings.

“Apps” are pieces of software that let Facebook’s 500 million users play games or share common interests with one another. The company says 70% of users use apps each month. The WSJ found that all 10 of the most popular apps on Facebook were transmitting users’ IDs to outside companies, including:

  • FarmVille
  • Phrases
  • Texas HoldEm
  • FrontierVille
  • Causes
  • Cafe World
  • Mafia Wars
  • Quiz Planet
  • Treasure Isle
  • IHeart

The WSJ says that Zynga Game Network Inc.’s (ZNGA) FarmVille, with 59 million users, has also been transmitting personal information about a user’s friends to outside companies.

The information being transmitted includes the unique “Facebook ID” number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person’s name even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with “everyone,” including age, residence, occupation, and photos. The apps reviewed by the WSJ were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.

The Journal found that data-gathering firm RapLeaf Inc. (which I wrote about earlier) had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, including Google’s Invite Media, the Journal found. “We didn’t do it on purpose,” said Joel Jewitt, vice president of business development for RapLeaf, to the WSJ.

Facebook has again issued a statement that it will look into the matter and correct the code and has in the meantime disabled thousands of applications. According to the WSJ, the applications transmitting Facebook IDs may have breached their own privacy policies. Zynga, for example, says in its privacy policy that it “does not provide any Personally Identifiable Information to third-party advertising companies.” A Zynga spokeswoman told the WSJ, “Zynga has a strict policy of not passing personally identifiable information to any third parties. We look forward to working with Facebook to refine how web technologies work to keep people in control of their information.”

rb-

Once again, Facebook has a user privacy breach on its hands. The social networker keeps promising to protect its customers’ personally identifiable information but never seems to get it right.

Perhaps the question Facebook users should be asking is: does Facebook really want to protect its users’ privacy?

 


 


Banks & Bosses Use Social Media to Assess Risk

Updated 10-22-10 – GigaOm has a post about Rapleaf here.

If you’re among the 67% of the global online population that Nielsen Online says uses social media networks to stay in touch with friends, grow their business, or just have fun, then your information is for sale to banks, insurance companies, employers, and the government. Some banks are turning to social media analytics firms to enhance their credit-check procedures.

Banks are now looking at an applicant’s social media profile, behavior, and associations on sites like Facebook (FB), Twitter, and MySpace, according to a recent article on the banking industry site CreditCards.com. The bankers’ theory is that people run with folks who share their values and behavior. If your Facebook friends are deadbeats, the banks theorize you are a deadbeat also. These assumptions may make it harder to get a credit card or mortgage, according to CreditCards.com.

Many banks are now outsourcing their social network data mining operations to firms such as Rapleaf. Rapleaf is a San Francisco, CA-based company that specializes in social media monitoring. According to CreditCards.com, Rapleaf compiles everything you and your network do, including status updates, “tweets,” joining online clubs, linking a Web site or posting a comment on a blog or news Web site. These firms turn the conversations into consumer profiles called social graphs. Social graphs give companies insight into behavior patterns: what you like and dislike, want and don’t want, do well and do poorly.

In the article, Rapleaf characterizes its social network data mining operations as “a unique way to improve customer experience by whitelisting customers based on their social circles and friend relationships.” Since the firm uses data to “whitelist” people, it may also very easily be used to “blacklist” people and deny them a credit card or a job. “Who you hang around with has empirical implications with how you behave,” Joel Jewitt, Rapleaf’s vice president of business development, told FastCompany.

“It’s a marketing trend as opposed to a credit score trend,” says Jewitt. Despite his assurances, Rapleaf’s Web site suggests that clients “use friend networks to enhance … credit scoring,” according to FastCompany. Jesse Torres, president and CEO of Pan American Bank in Los Angeles, told CreditCards.com that online information aggregators fill a need within the banking community. “They’re able to scour the social media universe. They are constantly listening and reporting back.”

The bankers are protecting their bottom line: “credit card companies have been stung very hard during this downturn, and they’re going to work that much harder to avoid extending credit…,” Ken Clark, author of The Complete Idiot’s Guide to Boosting Your Financial IQ, told CreditCards.com. Rob Garcia, senior director of product strategy at The Lending Club, a peer-to-peer lender, says his firm uses multiple sources of “social information collateral” for its decision-making processes. “It’s a wealth of information about a person,” says Garcia.

Not everyone in the industry is data mining social networks. “It’s difficult to make a judgment about an individual’s credit based on the people around them,” says Gregory Meyer, community relations manager for Meriwest Credit Union in San José, CA.  Meriwest only assesses credit reports and application data to make lending decisions. “[Social media] is a great way to keep up with what my 10-year-old nephew is up to, but it doesn’t have a place in the credit process.”

What you divulge can have an unintended impact. “We’ve seen this with applicants not getting jobs and employees getting fired for their Facebook and Twitter-based escapades,” financial personality Clark told CreditCards.com, “so we shouldn’t imagine this to be any different.” There are steps to take to guard your privacy. “I think it is crucial that everyone visit the privacy notices for the sites they use, read them, and change their settings to limit who can see their information,” says Clark. “For example, on Facebook, you can change your privacy settings so that only your acknowledged friends can see the majority of your information.” You can also enable “private filtering” on your browser. Do so and your activity will be entirely out of the Web profiling system.

Scott Stevenson, president and CEO of EliminateIDTheft.com, told CreditCards.com what people should do:

  1. Don’t accept invitations until you check the profile out first.
  2. Be acutely aware of what you write. Don’t make public anything you don’t want public.
  3. Take an annual inventory of all your social networking sites and delete people and information that can potentially damage you in the eyes of a creditor or employer.

Rapleaf offers a service to discover your online footprint and see what others might see on your social graph. Google (GOOG) offers a similar tool, the Google Privacy Dashboard, which presents an overview of the accounts and information you are connected with through Google. Take advantage of tools like these to check your own online reputation. What you don’t know can hurt you. Rapleaf’s Jewitt reminds users that, “The custodian of the information is you.”

rb-

There is nothing illegal about the social network data mining that banks and firms like Rapleaf do. Facebook and the other social networks are legal commercial enterprises that openly broker user data for exactly these kinds of purposes. People freely put information on Facebook with the full knowledge that it will become a permanent part of the public Internet record. Users need to know about this kind of data mining for two reasons. First, the stakes are high. It’s about getting access to credit that might be necessary for your family or business or even getting your next job.

Second, data mining gives the lenders insights into relationships that are unknown to and often completely out of the control of the applicant. Maybe being a Facebook fan of NASCAR says something in the sum about your socioeconomic status and your creditworthiness or employability, according to some second-order derivative analysis of millions of data records.

The asymmetry in the relationship between data-driven marketers and consumers is structural and permanent. Institutions like banks (and, potentially, insurance companies, employers, and the government) will use it to gain an advantage, because that’s what they do.


 


Supremes Rule on Sexting Case

On Thursday (June 17, 2010) the U.S. Supreme Court ruled on the City of Ontario, California v. Quon case. I wrote about this sexting case earlier and its implications for corporate technology acceptable use policies (AUP). The case involved the use of text pagers issued to officers by the city police department. The city issued the pagers for City use, under a general acceptable use policy. The officer in question consistently went over the allotted limit on messages, which caused his supervisors to get stored text messages from the service provider. The City discovered that many of the messages were not work-related but were “sexting,” or sexually explicit personal text messages. The officer claimed that the search violated the Fourth Amendment.

The Supreme Court ruled unanimously that the police department’s actions were reasonable, and thus did not violate the constitutional rights of the police officer. Justice Kennedy’s opinion ruled narrowly, to avoid a final definition of electronic privacy.

Prudence counsels caution before the facts, in this case, are used to establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices. Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. At present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve.

According to the Center for Democracy & Technology (CDT), the Supreme Court faced an opportunity to curtail workplace privacy (or electronic privacy generally) in this case. However, the Court applied the O’Connor v. Ortega (1987) precedent, that government employees generally retain their Fourth Amendment privacy rights, and it assumed that government employees may have a reasonable expectation of privacy even in communications they send during work hours on employer-issued devices.

The CDT says the message to government employers is that the courts will continue to scrutinize employers’ actions for reasonableness, so supervisors have to be careful. Unless a “no privacy” policy is clear and consistently applied, an employer should assume that employees have a reasonable expectation of privacy and should proceed carefully, with a good reason and a narrow search, before examining employee emails, texts, or Internet usage.

rb-
As we always try to tell our clients, make sure that there is a clear statement of no privacy in all policies and policy enforcement actions. As part of their policies, companies should discourage employees from using personal accounts to conduct company business.

 
