Q&A: Social networking privacy issues

Brian Honan is the founder of BH Consulting and head of Ireland’s first CERT team. As a speaker at RSA Conference Europe 2009 he discussed the danger of social networks and showed how he was able to discover detailed information about a person. In this interview, he outlines the privacy issues of social networking, online anonymity and more.

In your opinion, is it possible to achieve a reasonable level of privacy while still using social networks?
Yes it is. Humans are social animals by our nature and social networks are just one other outlet for humans to interact. We should not look at social networks as threats but as opportunities for us to interact with people globally. I myself am an active user of social networks and have made many friends and business contacts online that I would otherwise not have had the same level of opportunity or interaction.

However, unlike other human social interactions which are transient, e.g. talking to friends over lunch, the Internet keeps a permanent record of what we say to each other. If you are having an online conversation with your friend(s) then you should be aware that conversation can be seen by countless others and that a record of that conversation will be kept somewhere on the Internet. Indeed, now with some social networks introducing geolocation services a record of where we go and how long we spend there will also be maintained.  

Users obviously shouldn’t share sensitive information like social security numbers, but where is the fine line between personal and safe to be published? What information do people share thinking it’s safe, and then it comes back to hurt them?
People need to be aware of the environment within which they are communicating to others. If you are discussing things in a public forum then all that information is available to everyone else in that forum. Therefore they should take a common sense approach to what they should and should not discuss. In the real world we only talk about sensitive issues when we are in private and with people we trust. I think though that when people are online they can fall into a false sense of security because they are physically in a secure place using their computer either in their office or their home which results in them divulging information they should not.

What information is safe and what could come back to hurt you is hard to identify as that could be different for each individual. It also depends on whether you could become a target for someone. In my project I was looking at a specific person for a specific reason, to steal her identity. How likely would it be that you would be targeted in the same way? Probably very unlikely.

But I think people need to be wary that the information they leak online could be used against them. Certain information could be used in cyber bullying and/or cyber stalking. There is also the threat posed in the real world from your activities online, for example updating your social network profile that you are on vacation for two weeks could be used by criminals to target empty houses to be burgled, especially if you have your home address published on the site and regularly update people on the latest electronic gadget that you have purchased.

Also most people still do not use secure passwords and base them on items typically close to them like names of family members, date of birth etc. That information could be used by criminals to guess your password and compromise your social network account to spam your contacts. If you use the same password across all your systems such as banking and email then they could be compromised too.

Finally we need to be aware that the sites we are using are owned and managed by private corporations. Some of these have better privacy policies than others and treat the data of their users differently. People should be aware of the privacy policies and terms of use for the social networks they use and be cognisant of how those companies will treat their private information.

In summary, if you do not want your boss, your mother or a stranger to know what you are doing or thinking then don’t post it onto the Internet.

Should we all start using software solutions like Tor that help with anonymity?
Anonymity to me does not necessarily equate to privacy. If people are anonymous on these social networks then the value of them is severely undermined. How can I take someone’s opinion or recommendations on board if they are anonymous? Unless you have other reasons to be anonymous, e.g. accessing sites from within a totalitarian regime, then I do not think using software solutions to help with anonymity is the answer.

Do you think there’s a big marketplace for user-friendly newbie-accessible software solutions that conceal our online activities?
I think there is always a market for various solutions, but as mentioned already user-friendly newbie-accessible software solutions that conceal our online activities are not the answer to privacy. I think though that user-friendly tools that people could use to see what personal information they, or their online friends, are leaking would be useful so they could take appropriate actions.

One of the tools you use for work is the open source intelligence and forensics application Maltego. What are your favorite Maltego features?
Maltego is a great tool. I had to complete my challenge in a manual fashion. When I use Maltego to do the same searches it reduces the time and effort significantly. I especially like the way you can map relationships to different items and quickly identify how each piece of information relates to another. It has become one of my favourite tools when researching information on a client’s company when I am testing their security.

Social networking security emerged as one of the most important topics at this year’s RSA Conference. For more information listen to our podcast with Dr. Herbert Thompson where he talks about the dangers of exposing information on social networking sites.
