Friday, October 26, 2007

Social network security

Recently the person finder WieOWie (Who Oh Who) was launched. It is a search engine that looks for data on a person. It searches Google, LinkedIn, YouTube and two social networks, Schoolbank (comparable to Classmates) and Hyves. It looks for tags, distils telephone numbers and identifies Word and PDF documents. In one search the search engine brings together an awful amount of data about a person.

I have tried the search engine by ego searching. I typed in my name and found the right e-mail address and a lot of documents. As I am not in the social networks of Schoolbank and Hyves, nor in YouTube, it found 21.800 hits in Google and 10 Word and PDF documents and 2 references in LinkedIn. I wonder about the 10 Word and PDF documents, which seem to be a random collection of documents. But as a starting point for personal details the WoW search engine is okay.

The search engine does not work with a cache. So the results of a search question are not kept in cache and will not be re-generated at a later point in time. And that is what I found out when I started my second ego search some days later. The e-mail address did not come up the second time, even though it is in many documents. The third time delivered three e-mail addresses, of which two were accurate. This time there was also an eclectic collection of 82 tags. It clearly does not search in blogs, as I have more than 200 tags/links in this blog.

As I said, it is an awful tool. In a few seconds it produces data about a person. However, you do not know how much of the total personal data collection on the internet this is. The fact that the search is not cached and the search actions bring up different results indicates two things: search questions and found data are not stored, but on the other hand the searcher gets an unreliable impression as the search results differ.

The WoW search engine can be a helpful tool. But of course on the other hand it also shows how much people tell of themselves. In networks like Xing and LinkedIn they tell about themselves having in mind the professional purpose of these networks. But in social networks like Facebook and MySpace this is different. Especially youngsters go all the way in revealing data and daily actions.

Yesterday the European Network and Information Security Agency (ENISA) published a position paper on this subject, entitled Security Issues and Recommendations for Online Social Networks. Since the commercial success of an SNS depends heavily on the number of users it attracts, there is pressure on SNS providers to encourage design and behaviour which increase the number of users and their connections. Sociologically, the natural human desire to connect with others, combined with the multiplying effects of Social Network (SN) technology, can make users less discriminating in accepting ‘friend requests’.
Users are often not aware of the size or nature of the audience accessing their profile data and the sense of intimacy created by being among digital ‘friends’ often leads to disclosures which are not appropriate to a public forum. Such commercial and social pressures have led to a number of privacy and security risks for SN members.

ENISA emphasises the many benefits of Social Networking but identifies 15 important threats. This leads to 19 recommendations on how Social Networking can be made safer:

Threats
1 Digital dossier aggregation;
2 Secondary data collection;
3 Face recognition;
4 Content-based Image Retrieval (CBIR);
5 Linkability from image metadata;
6 Difficulty of complete account deletion;
7 Social Network Sites (SNS) spam;
8 Cross site scripting (XSS), viruses and worms;
9 SN aggregators;
10 Spear phishing using SNSs and SN-specific phishing;
11 Infiltration of networks;
12 Profile-squatting and reputation slander through ID theft;
13 Stalking;
14 Bullying;
15 Corporate espionage.

Recommendations
1 Encourage awareness-raising and educational campaigns;
2 Review and reinterpret the regulatory framework;
3 Increase transparency of data handling practices;
4 Discourage the banning of SNSs in schools;
5 Promote stronger authentication and access-control where appropriate;
6 Implement countermeasures against corporate espionage;
7 Maximise possibilities for abuse reporting and detection;
8 Set appropriate defaults;
9 Providers should offer convenient means to delete data completely;
10 Encourage the use of reputation techniques;
11 Build in automated filters;
12 Require consent from data subjects to include profile tags in images;
13 Restrict spidering and bulk downloads;
14 Pay attention to search results;
15 SNS spam;
16 SNS Phishing;
17 Promote and research image-anonymisation techniques and best practices;
18 Promote portable Social Networks;
19 on research into emerging trends in SNS.

Blog Posting Number: 906
