Schneier on Security
A blog covering security and security technology.
« Software Monoculture |
| Brian Snow Sows Cyber Fears »
December 1, 2010
Risk Reduction Strategies on Social Networking Sites
By two teenagers:
Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn’t delete the account that’s the point. She knows that when she logs back in, she’ll be able to reactivate the account and have all of her friend connections back. But when she’s not logged in, no one can post messages on her wall or send her messages privately or browse her content. But when she’s logged in, they can do all of that. And she can delete anything that she doesn’t like. Michael Ducker calls this practice “super-logoff” when he noticed a group of gay male adults doing the exact same thing.
Shamika doesn’t deactivate her Facebook profile but she does delete every wall message, status update, and Like shortly after it’s posted. She’ll post a status update and leave it there until she’s ready to post the next one or until she’s done with it. Then she’ll delete it from her profile. When she’s done reading a friend’s comment on her page, she’ll delete it. She’ll leave a Like up for a few days for her friends to see and then delete it.
I've heard this practice called wall scrubbing.
In any reasonably competitive market economy, sites would offer these as options to better serve their customers. But in the give-it-away user-as-product economy we so often have on the Internet, the social networking sites have a different agenda.
Posted on December 1, 2010 at 1:27 PM
• 51 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
just more rearranging of deck chairs on the titanic.
when will people get it? the facebook privacy problem has zero to do with which other users can see which of your profile fields.
for as long as your personally identifying information and personal & professional affiliations are stored on a server that's in the chain of command of someone like mark zuckerberg, your privacy is actively violated.
They should just go ahead and CC: the Feds a copy while they are at it if they use Facebook or Google. Save the boys in the back room some time.
Anonymous Prime, you're incorrect. The biggest danger most people actually face (rather than fantasize about on security and privacy blogs) is the non-ephemeral nature of these posts. If you post that you're robbing a bank, you expect it to be sent to the police. But you don't expect drunken party pics to be viewable by your grandchildren.
I don't care (too much) about Facebook having the information unless I have a need for secrecy (as opposed to merely privacy). For example, public figures need to act as if things are secrets when for the rest of us merely private is sufficient. I count on the fact that Facebook cannot too egregiously violate users' expectations without harming their business.
"But in the give-it-away user-as-product economy we so often have on the Internet, the social networking sites have a different agenda."
Don't like it? Don't use it.
Why has fb or whoever need to "have an agenda" instead of just being *simply* lazy or abusive?
What is so hard about simply managing one's Facebook as a tool of positive promotion. I mean yes one can be paranoid about what might get posted to one's wall, and if you have untrustworthy friends or engage in risky behavior that is probably a good bet, but for the majority of people who are careful with their information there is no harm on using Facebook to promote the version of yourself that you, the user, wish to promote.
I actually switched to using Facebook when I realized that nobody was reading anything I was posting in my old Live Journal account. Most of my posts involved links to interesting articles (including quite a few from this page) and because Facebook is all too happy to broadcast your info all over the place it is a better avenue get the word out.
If a service on the web is free, you are not the customer, you are the product.
The FTC released it's online privacy report today:
Protecting Consumer Privacy in an Era of Rapid Change
From Remarks of Chairman Jon Leibowitz:
"Our report and law enforcement action send a clear message to industry:
despite some good actors, self-regulation of privacy has not worked adequately
and is not working adequately for Americans. Consumers deserve far better from
the companies they entrust their data to, and industry, as a whole, must do better."
I guess the question is: Will the bark will be accompanied by bite? Or maybe, who will be biting whom and who will bite harder? The attack dog lobbyists of Facebook, Google, etc. or the FTC?
Maybe Congress will get religion in the post Wikileaks era. Or maybe nothing will happen until some VIPs get "video Borked".
"In any reasonably competitive market economy, sites would offer these as options to better serve their customers. "
Mark Zuckerberg become richer by selling people to marketers than Steve Jobs be selling an image to yuppies.
He must be doing something to make his PAYING customers happy.
that's an interesting set of strategies... I usually just go for the "lurk, but don't say much" option, being very careful about the few things I do say... So far, it works pretty well, and I don't have to worry about whether the delete actually does anything...
I bet that Facebook doesn't _actually_ delete anything, but merely marks it as deleted (and therefore doesn't display it).
All of that info would be available to snoops later on.
@Kevin Peterson "But you don't expect drunken party pics to be viewable by your grandchildren."
Soon to be an all-too-common statement: "That's my ... grandma ... doing ... THAT!?!"
It is strange being in meetings with coworkers when you've had very intimate views of their behavior.
To me, that defeats the best part of Facebook... the conversation. But I'm old already and don't mind if my future grandkids see something goofy I said.
Privacy on the internet is like privacy in a small town. We're going to have to learn how to live with each other. We can't do it through anonymity any more and it's really time we figured out something better.
Sounds like tracking the activated/deactivated status would be a *wonderful* way to keep tabs on these kids.
The first method, of deactivating a profile, makes little sense as many of the useful updates from your friends and family happen when you are not online at the same time. It essentially nullifies most of the usefulness of Facebook.
The second method really is a child's attempt at reducing risk and ineffectual: you have to assume if content is out there once, it's out there forever. Plus, I've personally got an email copy of every facebook notification I've ever received, so feasibly could reconstruct a fair amount of my friends data even if deleted.
I sort of believe in the Zuck's mission to abolish the need to have privacy at all. I firmly believe the world would be a better place if nobody had secrets.
The devils in the details - I have no problems having my secrets exposed, but that needs to apply to the Queen, to Obama, to Pelosi - to everyone.
Until then, I don't cotton to his message - powerful people can abuse things people have done against them.
I don't get it. How does being online actually protect any of your information? While the girls are logged into facebook, freaks will still be able to see it all. I guess it works as well as only navigating the web one day of the week will protect you from worms. Just reduce the exposure time hoping that it reduces the probability through magic...
And the side effects are... excellent.
I don't say a lot on FB and I never say anything incriminating or post anything embarrassing so I'm not worried about people reading what I've said. But I like FB because it helps me stay in touch with some friends and relations. I know that you can go overboard there but I don't.
I want to add that I've been caught by two drive-by trojans and one of those happened very close to the time on was on this site.
This is all it takes law enforcement to get everything you ever placed, clicked, or liked on FB http://cryptome.org/isp-spy/facebook-spy.pdf
Do you actually think law enforcement officials will not come up with some lame "probable cause" that a judge will sign without reading?
Remember, if you talk to law enforcement and they catch you making any wrong statement, they can often use that as a source of "probable cause". Example: No officer, I wasn't home then...oh really, we show you logged in at XX:XX from IP XXX.XX.XX.XX which meant you could have easily passed by XXXX on your way home...you had accessibility and opportunity... Get it?
If those options were easilly aviable on facebook, it wouldn't be the huge success that it is now.
TLDR: NEVER use your real name online!
One of the most important risk reduction strategies in using social media is to reduce the amount of information linking your online identity and legal identity. I find that this provides a fair balance between usability and security, and makes it much easier to repudiate association to anything you've posted online.
The most apparent (and arguably most important) aspect is "Name", followed by profile data such as "Current City" and "Hometown". Obviously, one should never, ever use this kind of legal identity information online, except in connection with "IRL BZNS". However, keep in mind that even seemingly benign information such as your friends and "likes" can also leak information that can be used to correlate profiles (see sources below).
Separating your online identity provides a unique chance to reinvent yourself, and in the process, greatly reduce your exposure to slander, harassment, stalking, snooping and civil/criminal actions. You have full control over elements that normally aren't easily "editable" in real life, such as name, birthdate, hometown, residential neighborhood, heritage, ethnicity, relationship status, even gender. Remember: on the Internet, nobody knows you're a dog.
Even without identifying data in the profile, users are not completely relieved of patrolling pages for private data. I did have to untag myself in a photo on Facebook once someone posted a picture with me sitting in the background.
One of the most critical pieces is reducing the availability of your facial biometric recognition template, also known as "personal photo". These are ripe for abuse. For many users, this takes a lot of the fun out of using Facebook, as a major point of their online existence is sharing photos of themselves with friends and family. However, a no-public-photos approach is also a blessing for those without attractive features. I don't particularly like how I look in real life, so I uploaded a photo of my cat, which looks much better.
Information is power. Information about you, held by others, is power over you held by someone else, power that they can ultimately use against you. Allowing your personal information to be available to just about everyone is dangerously foolish.
Eckersley, P. - Useful insight on the number of bits to require a unique individual.
Narayanan, et al. on identifying Netflix, and later, Twitter users based on anonymized data
Boyd, D. (danah boyd) - on child naming and name uniqueness
"In any reasonably competitive market economy, sites would offer these as options to better serve their customers"
Ah, good point. I'd like to delete my comment from this blog. Where do I find that option? Oh, hey, wait a minute. What's your agenda Bruce?
If you don't open account on your name on some SN site you have security risk of someone malicious opening up account with your name on the same site. Every option have a trade-off. Also, non-US users don't care about US rules (social or legal) and could make that as a pure prank, so if you presume that you can be more secure by using alias or cat pic and sue if somebody "steals your identity" you could be suprised. The "damage" in most cases could be better described with "embarassment".
The point of online security is that you are in control of your online data (not in a way you can delete it later, but what you will post) and have reasonable comfort with how it is intended to be used and by who. This kind of behaviour described in article is that "reasonable comfort" in action by those persons doing it.
Deleting one's entries merely raises the bar. It defeats those who are using the FaceBook www site directly. Similarly, deactivating the profile only affects futures views of the data.
One of the challenges is the existence of "feeds". Once information has been exported to such a feed, it is effectively out of the user's control.
All it takes is a "friend" who is sophisticated enough to use the feed to integrate updates over time. This is not particularly difficult. Additionally, there are www sites that work off of FaceBook feeds, as well as geo-location service feeds. Information can then be cross-referenced, even if it has been deleted from the original source.
The question of what "deleted" means is wholly separate issue. Do audit trails exist? Can the data be "undeleted". In either case, the data may be retrievable in one way or another, and thus subject to future disclosure.
These approaches may be somewhat effective against teenage classmates. However, they definitely have limitations, and I would not trust them significantly.
How one appears online is an interesting question in and of itself. Indeed, it is possible to project whatever image one wants online. However, this is not new. It has been a classic electronic warfare technique. I discussed this particular issue in "Micro-Blogging and Personal Self-Surveillance" (at http://rlgsc.com/r/20090625.html) in "Ruminations - An IT Blog".
A lot of people wrote some good stuff here.
1. If it was online once, it will be out there forever.
2. To deactivate the account can't be a solution for everything. (what is left: an email or chat service?)
I think the key is not only what people write about me, but also what I tell about other people. I don't have to post everything on facebook / the internet. Not about me and not about others.
"We" have / "The user" has to learn that the internet is not anonym because life is not anonym. That in "real" life words are easy said and fast forgotten, won't be forgotten in a recording and logging environment.
We have to banish libel and slander, and we should not believe everything we read about people we know.
We should demand evidence before we judge.
We should be able to keep private things private, and don't force people into the public.
I'm not on facebook. Not because I think it is usless, but I don't need it. The people I know are able to contact me without that service. And even if I would be at facebook, that would be no need for me to tell everybody who I know, whom I friends with, and what I did last summer, etc. etc. (at least not in a public environment.)
Don't use your real name on Facebook!
"If a service on the web is free, you are not the customer, you are the product."
The word overkill comes to mind. As pointed out, "delete" doesn't necessarily mean deleted. Any good system designer knows to use an "active" flag.
With regards to FB and other Social media - I was on, deactivated my account (at which point a friend asked me: why did you de-friend me?), then reactivated when I realized while people can get in touch with me in other ways a lot of times they'd rather use facebook (and list of friends since yo you can set those up) than have to deal with sending e-mails or individual calls.
Is this less personal? Maybe. But is it any different than sending out a mass e-mail? Not really at all.
I also know people who use FB to publiciize their business, announce blog updates (besides Bruce), and other worthwhile tasks. It turned out not being on FB was actually not as worthwhile as I had originally thought.
It's still sitting on a server somewhere. The best strategy is to avoid publishing as much as you can regardless of "privacy" settings.
Facebook presents a new set of risks and opportunities.
One of the opportunities I've appreciated is reconnecting with old friends, which is only possible because I keep my identity public. Just because I lost track of somebody twenty years ago doesn't mean I wouldn't like to know what's going on with them today.
One of the risks is what other people put on their walls. What's worse than having embarrassing pictures on Facebook with your name on them? Having them out there and not knowing about them. Having your Facebook account at least increases the chance that you can find out about them, and if you can talk the poster into deleting them it at least reduces the chance a potential employer will see them.
I'm constantly amazed at how many people post their date of birth and place of birth on fb and elsewhere... don't people ever make the connection when they're accessing online accounts that these are the most popular questions banks and cc companies ask us when establishing who we are?
@Arne Jensen: "Don't use your real name on Facebook!"
I don't use it, but isn't finding and connecting to friends the point of this whole "social networking thing"?
How would you do that if everybody uses non-linkable pseudonyms?
Don't use your real name...
but something like an email address you have to give to the service and due to connections with friends and address books your name is in the "system".
and what use has a service where you want to find people when everybody is using false names etc.?
I actually maintain 2 facebook accounts. One, in my real name, shows my family, closest friends, and work related issues. It is kept professional. The only pictures posted are those that are appropriate for all audiences and innoculous.
The second, in another name, with an email registered under that name, is for my internet related activities and online persona. The 2 are not connected and have no people in common. This account never posts any pictures that include faces of myself, friends, or family.
"I don't use it, but isn't finding and connecting to friends the point of this whole "social networking thing"?
How would you do that if everybody uses non-linkable pseudonyms?"
If they're your friend, call them up and ask them, "Hey, what's your Facebook name?"
If you don't have their non-Facebook contact info, or if you're not close enough to them to feel comfortable asking that question, then that person isn't your 'friend.'
I like it.
I don't believe in a "right" or "wrong" way to use a facebook account (or lj, or twitter, or next year's hot thing). They are to be used by each user for their own purposes in their own way.
One of my overall takes on the web/internet is "It's earlier than you think." We're all still making this stuff up as we go along, and since the web opened the gates to almost the entire population of the world, the tide of creativity hasn't stopped rising, and these bits, from naive civilians, are wonderful. How will they be using all this in 10 or 30 years, when both the systems and their sophistication have kept growing?
Don't use facebook at all. even if you put a fake name you can be easily identified. (your contacts can put your real name in their address book, photographs, videos, gps location even your pet name)...
"Ah, good point. I'd like to delete my comment from this blog. Where do I find that option? Oh, hey, wait a minute. What's your agenda Bruce?"
Hey wait a minute, YOUR site flyingpenguin dot com, doesn't let us delete comments either (not that there are too many there..)
AND it sets third-party cookies as well for davi dot poetry dot com... Naughty naughty!!
thats one way to handle SN, or the first step to a split personality.
Amusingly, this inspired me to go check FB and invest some time in "wall cleaning". After getting a few screens into it (yes, I was very bored) I paused to do real stuff, and when I came back to continue, suddenly FB reported "no more posts".
Clearly, FB has some algorithm that says something like "if they guy has deleted 'x' amount of his previous postings & comments, then just delete them all". Of course, I have no idea if the stuff actually *is* deleted, but it is at least gone from my perspective as an account owner.
actually the cookies are for davi dot poetry dot org
nice try though
Even the ultimate solution here - not having any social networking accounts ever - doesn't solve the privacy problem because other people will post about you.
In fact, you could argue that in order to have more privacy, you *need* to have a social networking account. That way, when someone tags you in a photo or some other online post, you can go in and delete that tag or otherwise modify the privacy settings.
Lack of privacy has nothing to do with your own actions because the online world has evolved. When everybody shares everything, your information will be ensnared in there somewhere. Think Wikileaks but in social networking context.
What I find interesting is that these are fairly intelligent security strategies that work only on a centralized site like facebook, and cannot be implemented on a diaspora or oStatus style distributed social net.
"I count on the fact that Facebook cannot too egregiously violate users' expectations without harming their [facebook's/zerk's] business.'
depending on one's definition of egregious...
It seems fb members like the abuse, since fb itself is otherwise bland and mediocre. I haven't detected any appeal of facebook (Russian Roulette?). people can post text and images on multiple photo member sites. though upload sites are almost as convenient.
fb = geocities 1.0 + css layout + identity theft.
tip: if you land on an apparently blank fb page (despite nonblank search synopsis), turnoff js, reload page to see the 'content'.
Obviously, one should never, ever use this kind of legal identity information online, except in connection with "IRL BZNS".
Agreed, except IRL BZNS continues to merge w/ the net. You''ll be castout for not joining the herd. This problem existed before fb. Recall the resume site scams? creditscore scam clauses in employment contracts?
block url pattern of feeds?
i block various subdomains, but only the fw can block ipa (no domain name). i've noticed some nonsense 3rdparty outgoing tcp on 443. most are paypal, some amazon. i'd install something like protowall if i could find a nearly automated ipfilter editor. (popup, hover further info (whois?) then choose "yes" or "no")
the majority of users have never been sophisticated.
a lot of people have never changed a flat tire, diagnosed a kaput switch, yadda.
btw, do hnwi ("hi net worth individuals") contract "enterprise" services? hnwi can afford to, and certainly can't manage themselves (enjoy the bonus double entendre).
i TOLD paris hilton not to tape our fun, but she just had to...
"paul is dead!"
no ip address in common? separate isps and modems?
relay to random wifi w/MACsnuff? ;-)
just use a proxy or a public network type access or dont use a static ip address etc or some kind of connection that doesnt reqquire you to make a contract (thereby not giving youre id) like payg dial up or payg mobile or public wifi/ someone elses wifi!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.