Friday, May 21, 2010

Facebook and privacy issues

Privacy in social networking sites is a hot topic these days, but it is my opinion that it is a hot topic only among privacy professionals and a section of the general public. Even though there has been a spurt in people searching Google for "how to delete Facebook account", most social networking users love the way it is set up, its ability to connect to people, the ability to share, and the sheer amount of access it provides. Needless to say, such users are putting themselves at risk by doing so, but privacy by definition does not exist if the user does not seek it. A recent study by Consumer Reports found that about 40% of users posted their date of birth on social networking sites. The study also found that the user base almost doubled from 2009. This is one of the major reasons why it is also popular with criminals, who indulge in a variety of nefarious activities including identity theft, marketing illegal products, spreading malware, stealing credentials, etc.

While all this is going on, what are the providers of such social networking sites doing? They are most definitely coming up with new ways to set up privacy controls, but sites like Facebook are bringing changes far too often and creating far too many options (Facebook has over 50 settings), confusing the users and making them not use the controls at all. While it is important for people to understand the privacy issues so that they can make informed choices, it is also the responsibility of the providers to help users make these choices.

There has been increased concern about privacy, primarily due to an increasing number of privacy-related incidents. The increased concern has also been due to the media coverage the topic is getting, the latest being the WSJ article. The New York Times also got involved and had Elliot Schrage, vice president for public policy at Facebook, answer some of the users' concerns regarding Facebook's privacy settings; complete coverage is available here. Time magazine also had coverage on this topic; check here.

As far as Facebook is concerned, there have been many changes to the privacy settings over the years. For example, in the beginning, users' personal information was visible only to their friends and their network, which is not the case now (with the default settings). Rather than spending time on what changed over the years, I recommend that readers head over to Matt's site, where he has a visual depiction of the changes over the years. Great stuff.

The recent change that further complicated the privacy settings involved their decision to partner with Microsoft Docs and Yelp and share any publicly available information with those partners. If you don't want this, you have to manually opt out of the feature for each individual partner. The data shared with these partners includes name, picture, friends list, city, gender, and fan pages. We are not yet sure what these companies will do with this data, but they are definitely getting more data than a typical advertising company gets when users click on an ad.

In Facebook, if you want to restore the privacy settings, there are some easy methods available.

  • A personal firewall vendor, Untangle, announced the availability of a new bookmarklet utility to enable Facebook users to restore their privacy settings. Called SaveFace, it puts the privacy settings back to "friends only"; it is available from their site.
  • Brian Krebs announced in his blog yesterday the availability of a new tool; this open source tool can help Facebook users very quickly determine what type of information they are sharing with the rest of the world.

More than privacy settings, I strongly believe that user education is equally important, especially educating kids on various privacy issues. Users should be aware of the newer threats affecting social networking sites and act responsibly, so as not to endanger their own privacy or the privacy of the organization they represent.


We now have a recommended settings option, and users need to click only one button ("Everyone," "Friends of Friends" or "Friends Only") to restrict or open all their information to those groups.
EFF has detailed instructions on the new settings.

Sunday, May 9, 2010

What's up with Wordpress?

If you are not familiar with Wordpress, it is the most popular blog software, used by both corporations and individual bloggers. It became very popular mainly due to its powerful customization features. Even though it is based on PHP and MySQL, one can modify the look and feel without fiddling much with PHP.

Unfortunately, of late it has become popular with hackers as well, resulting in more vulnerabilities and incidents being identified; check here, here, and the latest incident here. If you are hosting a Wordpress blog site, check the discussions on the Wordpress support site and the ways to clean up the site.

In the long run, here are some ways to monitor your site; these are what Wordpress calls "plugins":

  • This plugin performs hardening of the default installation.
  • This plugin acts as a file integrity monitor and notifies the administrator of changes.
  • This plugin monitors failed login attempts.
  • This plugin can be used as a specialized Wordpress scanner; it can identify vulnerabilities and recommend actions.

Saturday, May 8, 2010

More on regulations

Since we are on the topic of new regulations, a new draft legislation was introduced in the US Congress last week. This legislation is meant to protect the privacy of personal information on the Internet. It will have a significant impact on e-commerce businesses and how they collect information, both via logs and via cookies. For information security practitioners, it will be another piece of legislation to worry about and comply with.

So, what does it say?

The legislation applies to what it calls a "covered entity," which refers to a company involved in e-commerce that collects "covered information". "Covered information" includes a first name or initial and last name, a postal address, a telephone number, SSN, financial account number, or an email address. So, what are these e-commerce organizations expected to do?
  • Provide an individual with a privacy notice and an opportunity to opt-out before they may collect, use, or disclose covered information from or about that individual
  • Obtain the opt-in consent of individuals before collecting sensitive information such as medical or financial records
  • Obtain the opt-in consent of individuals before sharing covered information with unaffiliated parties, and
  • Establish, implement, and maintain appropriate administrative, technical, and physical safeguards to protect covered information.

If you are interested in knowing more about this draft legislation, see below.

Saturday, May 1, 2010

Do we need more legislation around social networking sites?

Absolutely. I have been very critical of social networking sites, and Facebook in particular; check here, here and here.

Now, California becomes the first state in the US to come up with such legislation. The Senate recently passed a bill that prohibits social networking websites from displaying "the home address or telephone number of a registered user who identifies himself or herself as being under 18 years of age" to the public or to other registered users. Social networking websites that "knowingly and willfully" violate the provision can be fined up to $10,000 for each violation.

Concerns are building up at the US federal level as well. Last week, four U.S. Senators wrote a letter to Facebook's CEO expressing "concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites." The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes.

We can expect more in this regard in the coming months, and that is good for privacy.