More and more people are using social media sites to get the latest news and connect with others. The more comfortable we become with these sites, the more apt we are to share personal details about ourselves and let our guard down as we interact with others.
Are we sharing too much private information? Is what we share — both deliberately and inadvertently — and what we click putting our privacy and security at risk?
Our Widespread — And Growing — Use of Social Networks
Growing numbers of people around the world are embracing social networks. Facebook has recently taken the lead as the most visited website in the United States — and is popular all over the globe, with over 400 million users worldwide. On the same note, Twitter is said to have more than 100 million users worldwide, and — a testament to its worldwide user base — 60 percent of registered accounts are from outside of the U.S.
Yet, looked at from a privacy and security angle, it’s impossible not to also see the potential toll of this widespread sharing and openness.
Just How Risky is Our Online Behavior?
The facts tell us that the majority of social media users post risky information online, without giving due diligence to privacy and security concerns. At the same time, cyber criminals are targeting social network sites with increasing amounts of malware and online scams, homing in on this growing user base.
According to Consumer Reports’ 2010 State of the Net analysis, more than half of social network users share private information about themselves online, opening themselves up to a variety of online dangers. The key findings of the report include the following:
- 25 percent of households with a Facebook account don’t use the site’s privacy controls or weren’t aware of them.
- 40 percent of social network users posted their full date of birth online, opening themselves up to identity theft.
- 9 percent of social network users dealt with a form of abuse within the past year (e.g., malware, online scams, identity theft or harassment).
Social Media: ‘A Perfect Storm of Social Engineering and Bad Programming’
The values at the core of networking sites – openness, connecting, and sharing with others – unfortunately are the very aspects which allow cyber criminals to use these sites as a vector for various kinds of bad online behavior. In fact, reports of malware and spam rose an astounding 70 percent on social networks in 2009, according to an industry report from security firm Sophos.
“Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them,” said security analyst Shawn Moyer, aptly describing the climate as a perfect storm of social engineering and bad programming.
The notoriety of Facebook and Twitter makes these social media sites a focal point for privacy discussions and a prime target for malicious activity. Let’s take a more in-depth look at recent leading privacy and security issues.
‘Privacy Loophole’ Due to Referrer Headers
Referrer headers, according to Lavasoft Malware Labs security analysts, are commonly used to distribute malware in SEO poisoning campaigns. For example, when you search for a particular piece of news being used in an SEO poisoning campaign — let’s call this a “malicious page” — your search engine — let’s say Google — may return a booby-trapped page in the list of results. When you click on the link for the malicious page, it may check the referrer header of the request to decide whether to deliver its malicious payload.
In this case, you were referred to that page by Google. If the booby-trapped page is designed to activate when you arrive at the page via a Google search, it will release its payload. However, if you typed the URL directly into your browser, there would be no referrer and the malicious page’s payload wouldn’t activate.
Lately, referrer headers have been making headlines for an entirely different reason: leaking private information on social media sites. The Wall Street Journal, citing an AT&T Labs and Worcester Polytechnic Institute paper, reported that a “privacy loophole” found on social networking sites, including Facebook and MySpace, allowed for data to be shared with advertisers through referrer headers sent by browser software — data that could potentially be used to identify users in spite of promises from the companies that user information isn’t shared without specific consent.
“Merely clicking an advertiser’s ad reveals to the advertiser the user’s Facebook username or user ID,” explained security researcher Ben Edelman. “With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more.”
This information was leaked to the advertisers because Facebook embeds usernames and user IDs in URLs which are transmitted to advertisers through HTTP referrer headers. Facebook responded with a message on “Protecting Privacy with Referrers,” saying it quickly fixed the issue, which it called a “potential” problem.
Edelman contends, “I found that a user’s username/ID is sent with each and every click in the affected circumstances. So the problem was substantial, real, and immediate. Facebook errs in suggesting the contrary.”
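The leak described above, reduced to the browser's Referer computation, as an added example that is not from the original article or from Facebook: a profile URL carrying a user ID reaches a third-party ad host in full under `no-referrer-when-downgrade` (long the browser default) but is trimmed to the origin under `strict-origin-when-cross-origin`. The hosts `social.example` and `ads.example`, the ID and the function names are constructed; Referrer-Policy is a later browser mechanism, and the article does not say how Facebook fixed the issue.

```javascript
// Added example: the Referer value a browser sends for a click from
// pageUrl to targetUrl under a given Referrer-Policy.
// All URLs and the profile id are constructed sample values.

function stripForReferrer(url) {
  // Credentials and the #fragment are never sent in Referer.
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

function computeReferer(pageUrl, targetUrl, policy) {
  const page = stripForReferrer(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  // Simplified downgrade test: HTTPS page linking to a non-HTTPS target.
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  const full = page.href;                 // path and query string included
  const originOnly = page.origin + "/";   // scheme, host and port only
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed scenario: a profile page whose URL carries the user id,
// with an ad on it that links to a third-party advertiser.
const PROFILE = "https://social.example/profile.php?id=1234567890";
const AD = "https://ads.example/landing";

// True when the advertiser's server would receive the user id in Referer.
function leaksUserId(policy) {
  const ref = computeReferer(PROFILE, AD, policy);
  return ref !== null && ref.includes("1234567890");
}
```

A site can apply the stricter behaviour with a `Referrer-Policy` response header or a `<meta name="referrer">` tag; keeping identifiers out of URLs removes the exposure regardless of policy.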
Facebook’s Privacy Settings: Controversy and Criticism
You almost need a timeline to keep up with the ongoing critiques that Facebook has faced in recent months due to its attitude towards users’ privacy. In mid-April, criticism was prompted by changes to the networking site’s privacy settings; concern was so great that the Facebook privacy debate caught the attention of legislators, government officials, as well as privacy groups — who criticized Facebook for not doing enough to protect the privacy of its users. Then, at the end of May, came Facebook CEO Mark Zuckerberg’s response to the controversy, acknowledging that missteps had been made and reaffirming that the site would simplify its privacy controls.
It still remains to be seen whether the new privacy controls that rolled out in late May will satisfy privacy pundits and cautious users.
A Wave of ‘Likejacking’ — And the Endless Malware Issues
Privacy issues aside, the world’s favorite social media sites have also seen more than their fair share of outright malicious activity, including the spread of viruses, phishing attempts, and other social engineering ploys aimed at exploiting users’ trust.
The latest major wave of attacks — a form of clickjacking dubbed “likejacking” — was seen threatening Facebook users early on in June. According to security reports, hundreds of thousands of Facebook users began falling for these attacks, where the victim is tricked into clicking a link that then recommends the site on Facebook — even when they didn’t actively choose to “like” the site. The ploy isn’t part of an active malware or phishing attempt, but it certainly has the potential to be used by hackers to get into your system.
And, Facebook clearly isn’t alone in the malware battle. Twitter has faced issues related to its shortened URLs and the spread of viruses — and we can be sure that both of these popular social media sites will remain prime targets for cyber thieves.
Understand the Risks of Social Networks
With this plethora of privacy and security issues in mind — and the strong likelihood that they will continue to unfold and develop — are we ready to give up on social networks? Not likely. Case in point: “Quit Facebook Day,” established by a backlash of privacy and security conscious Facebook users, only garnered support from a mere 34,000 of the site’s 400 million members.
While social networks like Facebook and Twitter may be too ingrained in our daily lives to give up, we need to understand the risks and take steps to change the way we interact on the Web. After all, our privacy and security on these sites — in terms of how much we share with others and what we consume — is ultimately up to each of us.
Next Saturday, we’ll look at nine ways to control your privacy on social network sites.