Monday, 10 November 2008

Social Networking Risks – Facebook and others

With the rise and rise of social networking sites, everyone is getting online and publishing more stuff about their own lives. But not everyone is fully aware of the risks that they run by putting so much information about themselves online.

The Internet never forgets

Many people don't realise that once something is published, it is very hard to take it off the Internet. Consider this when publishing photos from the last time you had an all-night, booze-fuelled party. A number of sites offer historical archives of the web, and Google offers up cached versions of web pages in its results. Historical data has caused all sorts of problems for a number of companies, most recently United Airlines. Other stories keep resurfacing: the BBC and Microsoft have an ongoing issue with a story written in 2001 about Hotmail considering charging users for its e-mail service. The story (from 2006) is here.

Employers will search the web for you

Many employers will now search the web for any information they can find about you before you are offered a job and, in some cases, will take issue with things that you post online while working for them. Here are some examples:

  • Policeman loses job opportunity because of his Facebook profile
  • Waterstones employee loses job because of blog comments
  • Australian man found lying about sickness through Facebook
  • Virgin and BA staff sacked for Facebook site criticising customers and their respective companies

And if you think you can simply delete your Facebook profile, think again. It is seemingly very difficult to actually erase yourself. While deactivating your account is simple enough, actually getting Facebook to delete your details is much harder. This has been a subject of concern to the Information Commissioner, and he discusses it on this BBC page.

Watch out for the actions of others

If you do post something on your profile, beware of what others may do with that information. There has been a tragic case recently of a woman who was murdered by her husband, simply because she had changed her relationship status on her profile.

It's not all bad

There are ways that you can limit the risks you run by using social networking sites:

  • Always think about what you upload: consider what that picture of you on the drunken night out might look like to a future employer.
  • Don't post everything about yourself: a date of birth is essential for an identity thief – do you really need it on your profile?
  • Check the privacy settings: most sites, like Facebook, allow you to restrict who has access to what information.
  • Search online every so often to see what's published about you: it's always a good idea to see what information is available about you online.
  • Don't install every Facebook app: some have been found to be malicious.
  • Only invite friends that you know: if you don't know them in person, think hard before accepting that friend request. They may be impersonating someone else.

There are sites that can help. Sophos do a really good guide to Facebook settings, there's an online video about MySpace privacy settings from SafetyClicks, and Bebo themselves have published an online safety guide.

But these settings will not protect you if you're blogging directly, have your own website or use another service. Fundamentally, the question you have to ask yourself is: should this information be online at all?

Wednesday, 27 August 2008

Mobile Security – iPhones and more

Mobile devices have long been the bane of the lives of those responsible for information security. They're transitory devices, never really attached to any company infrastructure, and yet they hold vast amounts of corporate data. While some have tried to establish some sort of control over these devices, most people, in my experience, have decided to ignore the problem, hoping that users will enable the security controls the devices have built in. The news that the PIN on Apple's iPhone can be bypassed with three button presses (http://forums.macrumors.com/showthread.php?t=551617) demonstrates that this is hardly a viable way to manage these sorts of devices.

The reason that this is even a problem is the ever-increasing functionality of these devices. There was a time (many moons ago) when the only data that could be extracted from a phone was the phonebook and the odd text message. Now, many phones have VPN clients, access to corporate e-mail, the web and a whole host of data. And what is a phone these days, anyway? When does it stop being a phone and actually become more akin to a laptop? Take a BlackBerry. It works as a mobile phone, yes, but its primary function is as a lightweight version of a laptop, having access to e-mail and storing sensitive information.

You'd think that those used to dealing with sensitive information day-to-day would be more aware of the risks of losing these devices, but apparently not: http://www.telegraph.co.uk/news/newstopics/politics/labour/2437340/Downing-Street-aide-in-Chinese-honeytrap-sting.html.

So what should we do? As individuals, we need to recognise the value of our devices, over and above that of the hardware itself. Information has value. How many of us store our entire contacts list on our phone? What would we do if that got lost? Is there any information on there that could make you or any of your contacts vulnerable to identity theft?

Think about the following:

  • Always use whatever security features come with the phone, be it a PIN or whatever. It might seem a bit pointless given the above, but Apple will fix this. And there is a workaround (which is strongly advised for all Apple iPhone users).
  • Don't store people's birthdays and full addresses in your phone. Someone's date of birth is an important piece of information to an identity thief.
  • Delete data that is sensitive. PINs, credit card numbers, passwords, they shouldn't be there.
  • Back up your data. Make sure that you do it regularly so that if your device does get stolen, it's fairly straightforward to get back to where you were.
  • Delete those old text messages. Or at least back them up, too.

If you do lose your phone, it would be worth contacting those people whose extended details you have stored and letting them know.

Companies have a number of options. I'll cover these in a later post.