Take Social Media Privacy into Your Own Hands

Monday, July 23, 2012

Bill Mathews


Article by Steve McMaster

I've gotten in a lot of arguments lately about one of the latest "hot topics" in the end-user side of technology - privacy.

With some of the biggest names in Social Media doing a really bad job of it (and I'm not even just talking about leaked passwords), it's something that's throwing itself in the face of many average, day-to-day computer users.

Many in the security industry already know most of the things people are discovering, and have screamed warnings from the mountaintops to the folks below. Alas, this is the woe of being a security engineer. But here's my gripe for you.

Facebook has, as of April 2012, 901 million active members (according to Wikipedia). If Facebook were a country, it would be ranked 3rd in the world by population. And it seems every week, they're in the news again, someone ranting about their privacy on Facebook. My favorite came a few weeks ago, just after Facebook went public. It was a post spreading around Facebook like wildfire, and it went something like this:

For those of you who do not understand the reasoning behind this posting, Facebook is now a publicly traded entity. Unless you state otherwise, anyone can infringe on your right to privacy once you post to this site. It is recommended that you and other members post a similar notice as this, or you may copy and paste this version. If you do not post such a statement once, then you are indirectly allowing public use of items such as your photos and the information contained in your status updates:

PRIVACY NOTICE: Warning - any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile.

You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein.

The foregoing prohibitions also apply to your employee, agent, student or any personnel under your direction or control. The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law.


Wow. Sounds great, someone just shared hours of their lawyer's expensive work with us. Only, not really. I doubt any lawyer consulted on that because they would've told the original poster that it's just plain wrong. I couldn't tell you what UCC 1-103 or UCC 1-308 means, but I don't think it means any of that. The only legal thing binding anyone's use of your data on Facebook is the privacy policy/terms of use.

But my argument here isn't that you're falling for a silly chain letter. My argument is that a) you're posting something on Facebook, a SOCIAL NETWORKING site, whose goal is to let you connect and share with friends, that you don't want people to "take any action against you" using, and b) that, if that's the case, you didn't already use Facebook's built-in privacy stuff to hide it. Facebook has privacy controls. They're REALLY not complicated. There's no reason not to use them. But too many people don't.

The scarier part of all of this comes from other websites where people, for whatever reason (probably a lack of privacy settings in general, and a different environment that promotes public sharing a little more), have no regard for privacy at all.

The best example I could ever hope to have presented itself last week in the form of a Twitter account. This Twitter account is not associated with any particular person. Instead, it is associated with a purpose. The account does nothing except retweet other users who have posted pictures of their debit/credit cards.

WHAT ARE WE COMING TO? Do people really not understand the implications of posting a picture of their debit card online? Pretending Twitter had your debit card number for a minute, if they tweeted it to your followers once, you'd be pretty upset, wouldn't you? So why, in the name of all that is good and wholesome, would you post it yourself!?


People seem to want someone else to protect their info for them. They want to be able to throw all of their information out in the open, and let someone else police it and protect it. Not only that, but they want that person to do it for free. The Internet is supposed to be free, I should just get everything I want for free, right?

This problem is twofold: People don't want to pay for a service like Facebook (or Twitter, etc.), but they expect it to be running 24/7, be absolutely perfect, and have every feature THEY want, even if they're only part of a small group (even a million is less than 1% of Facebook's userbase) who wants it.

"But Facebook is ad-supported", you say. Well that's great. So they're going to collect information about what pages you like, what games you play, what you post pictures of, and use that to target the ads that they show you. That way, they can show you ads that you're more likely to click on.

HOLD THE PHONE. They're going to do what with my information? UNACCEPTABLE. My information is for me and my friends, they have to keep their dirty, capitalist, money hungry fingers off of it.

My friends, my co-workers, my acquaintances, and people I've never met who are just bored and reading this blog post. I implore you. Do yourself a favor and stop and think the next time you post something on Facebook. Are you okay with it possibly being public? If not, please go change your privacy settings so it isn't. Are you okay with them harvesting information from it to show you better ads?

If not, please don't post it. Because Facebook is well within their moral and ethical rights, let alone their legal ones, to use that information that way, as long as they have "removed from it anything that personally identifies you or combined it with other information so that it no longer personally identifies you".

So please, stop complaining about Facebook/Twitter/Foursquare/LinkedIn/MySpace/WhateverNextSocialSiteComesBy, and start taking responsibility for your data yourself.

Want to learn more about protecting your company, your employees and yourself in social media? Hurricane Labs offers a Social Media Security Awareness Course: What Employers and Employees Need to Know. Have a question? Reach out to us on our Education page.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.