A few years ago I was reading this in the news: “A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.”
How did they get famous? This firm stores data on its AWS S3 bucket with public access(ouch).
i.e. it was accessible to anyone ~ 1 terabyte of data…
Today I want to talk about the improper use of user profiles by third parties and how it affects users. This is probably the most serious potential risk with regard to personal data contained in user profiles of social networks.
Depending on the default configuration provided with respect to privacy and the use or not of this configuration by users, as well as the level of security offered by the service, the information contained in the profile (including images, which can portray both the individual interested party and other subjects) become accessible, in the worst case, to the entire community of users.
At the same time, there are very few safeguards available today with respect to copying the data contained in the user profiles and using them to build personal profiles and/or republish such data outside the specific social network service.
However, even the "normal" use of the data contained in the user profiles can have an impact on the informative self-determination of users and, for example, seriously affect their career opportunities.
An example that has aroused widespread interest concerning the habit of personnel managers of individual companies to consult the user profiles of candidates for recruitment and/or employees.
According to press articles, already today two-thirds of executives admit to using data obtained from social networks, for example, to verify and/or complete the curricula of candidates. Other subjects who can profit from these sources of information are the police and the secret services (even those of less democratic countries with a low level of privacy protection).
Furthermore, some social networks provide third parties with user data via application programming interfaces, and the data, therefore, end up being managed by the third parties in question.
Experts have particular concerns regarding the further risk of identity theft caused by the widespread availability of personal data contained in the user profiles and by the abuse of these profiles by unauthorized third parties.
Use of an infrastructure whose security, unfortunately, leaves much to be desired. Much has been said about the (non) security of networks and computer systems, including web services.
Recent cases in this regard concern well-known service providers such as Facebook, Orkut, and StudiVZ. It is true that service providers have taken steps to enhance the security of their systems, but much remains to be done.
At the same time, it is likely that new security holes in these systems will emerge in the future, while it is very unlikely that the goal of total security will ever be achieved - given the complexity of software applications.
The still unsolved problems regarding the security of Internet services constitute an additional risk connected to the use of social network services and, in some cases, increase the overall level of risk, or involve specific "nuances" of risk of this type of services.
In a recent document drawn up by ENISA (European Network and Information Security Agency), among other things, spam, scripting between different sites, viruses and "worms", targeted phishing (spear-phishing).
Forms of phishing are mentioned specific social media, the infiltration of networks, the abusive use of user profiles (profile-squatting), and reputational attacks based on identity theft.
According to ENISA, a further security risk is represented by "aggregation factors linked to social networks".
The introduction of interoperability standards and application programming interfaces (API: for example, the "open social" standard introduced by Google in November 2007), in order to allow the technical interoperability of typically different social network services, involves a whole series of additional risks.
In fact, it made possible an automatic evaluation of all social network sites that use the chosen standard. Through the API it is in practice the entire range of system functions that can be automatically evaluated through the web interface.
Applications potentially capable of interfering with the privacy of users (and perhaps also with the privacy of individuals who are not users, but whose data is part of a user-profile) include, for example, the overall analysis of professional relationships and individuals entertained by the individual user, who can certainly cross the "boundaries" of the individual social networks. Also, interoperability can further facilitate the reuse by third parties of the information and images contained in the user profiles, as well as the creation of fake profiles.
My conclusion is simple: the protection of consumers’ rights and privacy is paramount.
This article was created in collaboration with David Cajilig from Privasim. Privasim is helping educators teach data privacy to students easily through game-based learning.