From the desk of Warren Axelrod: Researchers at the Helsinki Institute for Information Technology (HIIT) determined that there are a number of ways in which users manage privacy on Facebook and other social networking sites.
Are you following these best practices?
· Avoid updating your status with information that you don’t want everybody to see
· Choose to exchange private messages rather than writing on public walls
· Keep messages within closed groups
· Approve only a limited number of people as friends
· Define groups of friends more precisely
· Avoid publishing information that others might find negative or troublesome
But what about Facebook and the others – what should they be doing to provide privacy management systems that are easy to use? What problems aren’t addressed?
One problem is that it takes an extraordinary amount of effort to manage all the groups you have defined, keep track of who belongs to each, and remember how those members overlap and relate to one another. Inevitably memory fails and mistakes are made: a post meant for one group reaches someone who belongs to another.
Second, once you share something, you cannot be sure that the person you intended to share it with will not pass your pictures or stories along to someone you would never have chosen. You can decline to share information that, in the wrong hands, would have a negative impact. But deciding today not to publish certain information does not prevent you from revealing other information that only later becomes important to protect. This dynamic aspect of information privacy is extremely difficult, if not impossible, to anticipate.
The dynamic aspect of privacy is further emphasized in a New York Times article “Career Couch: The Online Divide Between Work and Play,” by Matt Villano. He discusses, in a Q & A format, a number of privacy issues pertaining to social networking sites, such as LinkedIn, Facebook, MySpace and Twitter. Mr. Villano reports on his discussion with Nick O’Neill of “All Facebook” blog fame. Mr. O’Neill has recently posted a guide to mastering Facebook’s new privacy settings. O’Neill reports that “Most Facebook users don’t even know these [privacy] features are options. I can’t tell you how many people sign up and don’t ever think about privacy again.”
Security professionals know that privacy protection is not static and is therefore more difficult to manage. I wrote about this in ISACA’s IS Control Journal in an article “The Dynamics of Privacy Risk”. Facebook and Twitter are new – privacy concerns are not. Consideration of how to avoid and protect against disclosure of private information is very similar to designing for and using secure Web 2.0 applications. When combining applications and data, one may not be fully aware of their “pedigrees” and in fact may be confronted with systems and data from highly questionable sources.
The tradeoff in managing privacy is between trust and avoidance. If you aren’t absolutely sure about origin, source and destination, then avoidance might be a better strategy, even if it results in many fewer capabilities. Trust is a two-edged sword. By establishing trusted relationships, one can share more information and benefit from that sharing. However, if a trusted relationship is subsequently compromised, then the losses can be that much greater.
Since it is so difficult to determine current trustworthiness, let alone forecast future trustworthiness, it is perhaps better to stick to the avoidance strategy or, in security jargon, “default deny.” Relax privacy only when you are very sure of the trustworthiness of the applications and individuals involved, and stay vigilant in keeping that knowledge current. Once a system breach occurs, or information is inadvertently disclosed over a social network, it is too late to reel the data back in – there are no “re-do’s.” Avoidance is a viable alternative, but it can put critical processes in jeopardy. A prudent approach is a gradual, controlled increase in access and use, evaluating the consequences at every step along the way.
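To make the “default deny” posture concrete, here is a small added illustration (not Facebook’s code and not part of the original column) of how an audience policy for shared posts can be evaluated so that nothing is visible unless explicitly granted. The group names and members are constructed sample data; the functions show three of the points above: a viewer outside every granted group is denied, overlapping groups expose people the author did not have in mind, and widening the audience one group at a time reports exactly who gains access so the author can evaluate each step.

```python
"""Default-deny audience policy for shared posts.

Added illustration with constructed sample data; not a real platform's code.
A post is visible to a viewer only if the viewer is the author or belongs to
a group the post was explicitly shared with. Anything not explicitly allowed
is denied, including references to groups that do not exist.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    author: str
    text: str
    # Names of groups explicitly granted access. Empty means author only.
    audience: frozenset[str] = frozenset()


# Constructed sample group memberships (hypothetical names). Note that "bob"
# belongs to two groups, which is the overlap problem described in the text.
GROUPS: dict[str, set[str]] = {
    "close_friends": {"alice", "bob"},
    "coworkers": {"bob", "carol"},
    "family": {"dave"},
}


def can_view(viewer: str, post: Post, groups: dict[str, set[str]] = GROUPS) -> bool:
    """Default deny: True only for the author or an explicit group grant."""
    if viewer == post.author:
        return True
    # groups.get(..., set()) makes an unknown group name grant nothing.
    return any(viewer in groups.get(g, set()) for g in post.audience)


def effective_audience(post: Post, groups: dict[str, set[str]] = GROUPS) -> set[str]:
    """Everyone who can actually see the post once group membership is resolved."""
    seen = {post.author}
    for g in post.audience:
        seen |= groups.get(g, set())
    return seen


def unintended_viewers(
    post: Post, intended_group: str, groups: dict[str, set[str]] = GROUPS
) -> set[str]:
    """People who can see the post but are not in the group the author had in mind."""
    return effective_audience(post, groups) - groups.get(intended_group, set()) - {post.author}


def widen_audience(
    post: Post, group: str, groups: dict[str, set[str]] = GROUPS
) -> tuple[Post, set[str]]:
    """Grant one more group and report exactly who newly gains access.

    This is the 'gradual, controlled increase' from the text: the author sees
    the incremental exposure of each step before taking the next one.
    """
    before = effective_audience(post, groups)
    wider = Post(post.author, post.text, post.audience | {group})
    return wider, effective_audience(wider, groups) - before


if __name__ == "__main__":
    post = Post("erin", "weekend photos", frozenset({"close_friends"}))
    print("carol can view:", can_view("carol", post))          # denied by default
    print("effective audience:", sorted(effective_audience(post)))
    post, newly = widen_audience(post, "coworkers")
    print("newly exposed after adding coworkers:", sorted(newly))
    print("outside close_friends:", sorted(unintended_viewers(post, "close_friends")))
```

The point of `widen_audience` is that the decision to relax privacy is made per group with the incremental exposure in front of the author, rather than by editing a long audience list from memory. Re-sharing by a trusted recipient, the second problem above, is outside what any such check can enforce; the policy only controls the first hop.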
See you on Facebook – maybe!