
10-03-08

Privacy and Security Issues in Social Networking


By: Brendan Collins

Given the rising popularity of social networks, it’s little surprise that there have been several
high-profile breaches of security on sites as huge as MySpace and Facebook. With over 350 million
members combined, all it takes is a single person to cause major damage. Learn how the networks
are dealing with the breaches — and how to protect yourself.

When it comes to privacy and security issues on social networks, “the sites most likely to suffer
from issues are the most popular ones,” Graham Cluley, Chief Technology Officer at UK tech security
firm Sophos says. But security issues and privacy issues are two entirely different beasts. A security issue
occurs when a hacker gains unauthorized access to a site’s protected code. Privacy
issues, which involve unwarranted access to private information, don’t necessarily have to involve
security breaches. Someone can gain access to confidential information by simply watching you type
your password. But both types of breaches are often intertwined on social networks, especially since
anyone who breaches a site’s security opens the door to easy access to private information
belonging to any user. The potential harm to an individual user really boils down to how much that user
engages in a social networking site, as well as the amount of information they’re willing to share. In
other words, the Facebook user with 900 friends and 60 group memberships is a lot more likely to be
harmed by a breach than someone who barely uses the site.

Security lapses on social networks don’t necessarily involve the exploitation of a user’s private
information. Take, for example, the infamous “Samy” MySpace XSS worm that effectively shut the site
down for a few days in October 2005. The “Samy” virus (named after the virus’ creator) was fairly
harmless, and the malware snarkily added the words “Samy Is My Hero” to the top of every affected
user’s MySpace profile page. A colossal inconvenience, naturally, but nobody’s identity was stolen and
no private information was leaked. In the end, the problem galvanized the MySpace team to roll up their
sleeves and seriously tighten the site’s security. Result: no major break-ins since. Unfortunately, these
kinds of breaches, purely for sport in “Samy’s” case, are rare.
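A stored XSS worm like Samy spreads because a site renders markup that one user typed into a profile field as live HTML for everyone who views that profile. The defensive fix is to treat profile text as data rather than code. The following is an added example, not code from the article or from MySpace: a small allowlist sanitizer built on Python’s standard library that keeps a few harmless formatting tags, discards every attribute, and renders any other tag (script included) as literal text. The sample “about me” string is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Tags a profile may use for formatting. Everything else (script, img, iframe,
# a, ...) is rendered as escaped text, and attributes are never copied through,
# so event handlers and javascript: URLs cannot survive the sanitizer.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}


class ProfileSanitizer(HTMLParser):
    """Rebuilds user-authored profile markup from an allowlist of bare tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # keeps the emitted fragment well-formed

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)
        else:
            # Unknown tag: show it as literal text instead of executing it.
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag in self.open_tags:
                # Close anything opened after it as well, so nesting stays valid.
                while self.open_tags:
                    closed = self.open_tags.pop()
                    self.out.append(f"</{closed}>")
                    if closed == tag:
                        break
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text content, including the body of a <script> block, is escaped.
        self.out.append(html.escape(data))

    def result(self):
        self.close()  # flush any buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_profile_html(user_markup):
    """Allowlist sanitization for a profile field that may contain light markup."""
    sanitizer = ProfileSanitizer()
    sanitizer.feed(user_markup)
    return sanitizer.result()


def escape_profile_text(user_text):
    """Simplest safe rendering for fields that need no markup at all."""
    return html.escape(user_text, quote=True)


# Constructed sample: a profile "about me" field carrying a formatting tag with
# an event handler, an image tag with an event handler, and an inline script.
SAMPLE_ABOUT_ME = (
    'Hi! <b onclick="showBanner()">I like cats</b> '
    '<img src="x" onerror="showBanner()"> '
    "<script>showBanner()</script>"
)

if __name__ == "__main__":
    print(sanitize_profile_html(SAMPLE_ABOUT_ME))
    print(escape_profile_text(SAMPLE_ABOUT_ME))
```

The allowlist approach is the one to prefer over trying to enumerate dangerous tags: anything the sanitizer does not recognise becomes inert text, and because attributes are dropped wholesale there is no attribute-level list to keep up to date.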

Social network security and privacy lapses exist largely because of the astronomical
amounts of information the sites process each and every day, which makes it that much easier to
exploit a single flaw in the system. Features that invite user participation — messages, invitations,
photos, open platform applications, etc. — are often the avenues used to gain access to private
information, especially in the case of Facebook. Adrienne Felt, a Ph.D. candidate at Berkeley, made small
headlines last year when she exposed a potentially devastating hole in the framework of Facebook’s
third-party application programming interface (API) that allows for easy theft of private information.
Felt and her co-researchers found that third-party platform applications for Facebook gave developers
access to far more information (addresses, pictures, interests, etc.) than needed to run the app.

This potential privacy breach is actually built into the systematic framework of Facebook, and
unfortunately the flaw renders the system almost indefensible. “The question for social networks is
resolving the difference between mistakes in implementation and what the design of the application
platform is intended to allow,” David Evans, Assistant Professor of Computer Science at the University of
Virginia, says. There’s also the question of who should be held responsible for the over-sharing of user
data. That resolution isn’t likely to come anytime soon, says Evans, because a new, more regulated API
would require Facebook “to break a lot of applications, and a lot of companies are trying to make money
off applications now.” Felt agrees, noting that now “there are marketing businesses built on top of the
idea that third parties can get access to data on Facebook.”

The problems plaguing social network security and privacy, for now, can only be resolved
if users take a more careful approach to what they share and how much. With the growth of social
networks, it’s becoming harder to effectively monitor and protect site users and their activity because
the tasks of security programmers become increasingly spread out. Imagine a prison whose inmate
count jumped from a few dozen to 250 million in less than five years while employing only 300 guards (in the
case of MySpace). In response to the potential threats that users are exposed to, most of the major
networks now enable users to set privacy controls for who has the ability to view their information. But,
considering the application loophole in Facebook, increased privacy settings don’t always guarantee
privacy. Even after the flawed API was publicly exposed, “Facebook changed the wording of the
user agreement a little bit, but nothing technically to solve the problem,” says Evans. That means if a
nefarious application developer wanted to sell the personal info of people who used their app to
advertising companies, they could.

Yet users still post tons of personal data on social networks without batting an eye. It’s only
natural. Anonymity and the fact that you’re communicating with a machine instead of an actual person
(or people in the case of social networking) makes sharing a lot easier. “People should just exercise
common sense online, but the problem with common sense is that it’s not very common. If you
wouldn’t invite these people into your house to see your cat, you certainly wouldn’t let them see
pictures from holiday,” says Cluley.

In the end, the only tried and true solution to social network privacy and security issues is to
limit your presence altogether. Don’t post anything you wouldn’t mind telling a complete stranger,
because in reality that’s the potential for access. Be careful who you add as a “friend,” because there’s
simply no way of verifying a user’s actual identity online. Cluley compares it to a rep from your
company’s IT department calling to ask for your login password — “Most people will give it over” with
no proof of the IT rep actually existing. The caller might be your IT rep, or she might not. “This kind of
scam happens all the time,” says Cluley. Real friends should already know your personal
information, which negates the need to post it online.

Will there ever be a security breach-free social network? Probably not. “Any complex system has
vulnerabilities in it. It’s just the nature of building something above a certain level of complexity,” says
Professor Evans. According to Felt, the best idea is a completely private social network. “It simply
requires that there’s no gossip in the circle, by which I mean one person who sets their privacy settings
so low that third parties can use them to get to their friends.”
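Both the over-permissioned application platform Felt’s team describes earlier in the article and her “no gossip in the circle” condition above come down to one control: release to a third-party app only the fields the app declared, the user approved, and each affected friend’s own setting permits. The following added example (not code from the article, from Facebook, or from the researchers; the user directory, field names and the share_with_friends_apps setting are constructed for the demonstration) contrasts the overshare behaviour with a least-privilege release, extends it to friends’ data, and includes an audit helper that reports which released fields an app never asked for.

```python
from dataclasses import dataclass, field

# Constructed sample directory (no real data). Each user carries a privacy
# setting saying whether apps installed by *friends* may read their profile.
USERS = {
    "u-1001": {"name": "Example User", "birthday": "1990-04-12",
               "home_address": "12 Example Street", "photos": ["p1.jpg", "p2.jpg"],
               "interests": ["cycling", "chess"], "friends": ["u-1002", "u-1003"],
               "share_with_friends_apps": True},
    "u-1002": {"name": "Cautious Friend", "birthday": "1988-01-30",
               "home_address": "7 Other Road", "photos": [], "interests": ["knitting"],
               "friends": ["u-1001"], "share_with_friends_apps": False},
    "u-1003": {"name": "Open Friend", "birthday": "1992-09-09",
               "home_address": "3 Some Lane", "photos": ["x.jpg"], "interests": ["chess"],
               "friends": ["u-1001"], "share_with_friends_apps": True},
}

PUBLIC_FIELDS = {"name"}                                   # visible to any installed app
SETTINGS_FIELDS = {"share_with_friends_apps", "friends"}   # platform-internal, never released


@dataclass
class AppRegistration:
    app_id: str
    requested_fields: set                              # declared by the developer
    granted_fields: set = field(default_factory=set)   # approved by the user at install


def release_overshare(user_id, app):
    """The platform behaviour the article describes: any installed app gets the whole profile."""
    return {k: v for k, v in USERS[user_id].items() if k not in SETTINGS_FIELDS}


def release_least_privilege(user_id, app):
    """Only fields the app declared AND the user approved, plus public fields."""
    allowed = PUBLIC_FIELDS | (app.requested_fields & app.granted_fields)
    return {k: v for k, v in USERS[user_id].items() if k in allowed}


def release_friends_least_privilege(user_id, app):
    """Friends' data reaches the app only where each friend's own setting permits it,
    so one permissive user cannot hand over a cautious friend's profile."""
    return {
        fid: release_least_privilege(fid, app)
        for fid in USERS[user_id]["friends"]
        if USERS[fid]["share_with_friends_apps"]
    }


def audit_overshare(app, released):
    """Fields handed to the app beyond what it declared: the gap the article describes."""
    return set(released) - app.requested_fields - PUBLIC_FIELDS


if __name__ == "__main__":
    horoscope = AppRegistration("horoscope", {"birthday"}, {"birthday"})
    everything = release_overshare("u-1001", horoscope)
    print("overshare released:", sorted(everything))
    print("never requested:  ", sorted(audit_overshare(horoscope, everything)))
    print("least privilege:  ", release_least_privilege("u-1001", horoscope))
    print("friends visible:  ", release_friends_least_privilege("u-1001", horoscope))
```

The audit helper is the piece a platform team would actually run: diffing what an API returned against what the app registered is a direct measurement of the over-sharing the researchers reported, and it works regardless of which release policy is in force.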

“Social networks are great fun, and can be advantageous but people really need to understand
that it’s a complicated world and you need to step wisely,” Cluley says.