[Originally published in PC Plus. Some of the privacy options mentioned in this article, particularly for Facebook, have changed since this piece was originally published – Gary]
Never mind ID cards: social networking sites are creating a data mine governments would kill for. As Gary Marshall discovers, the devil’s in the details.
In July, US security services’ plans to harvest massive amounts of information about air travellers caused an outcry. “That’s terrible,” everybody cried, before handing over their most sensitive personal data to a plastic frog.
The frog was on Facebook, the social networking site where more than 30 million people share all kinds of information from their educational and career histories to their sexual orientation. As security firm Sophos discovered, while many of us worry about ID cards, government databases and anti-terror watch lists, 41% of Facebook users will happily share their secrets with Freddi the Frog – and thanks to social search engines and database diggers, privacy is increasingly looking like a thing of the past.
In 2002, the US government’s plans for its Total Information Awareness programme terrified privacy activists everywhere. With its remit to know everything about everyone on the planet in the name of anti-terrorism, TIA would keep information about people’s online activities, purchase histories, travel destinations, medical records, educational transcripts, friends, family and associates, and anything else that could be of interest. TIA was shut down in 2003, but many people believe it still exists – and some of them think it’s called Facebook.
The idea of Facebook as a US government project makes a good conspiracy theory (see box “Facebook and the Feds” for details), but you don’t need a tinfoil hat to realise that its 30-plus million users are storing huge amounts of data on the service. If you use it to its full potential you can share details not just of your interests, but your employment, your educational history, your sexual orientation, your friends and family and even your day-to-day activities, and if you don’t change the default privacy settings you could be sharing that information not just with people you know but with entire cities or even countries. For example, if you join the London network, your profile information is visible to every other member of that network. At the time of writing that’s 924,921 people.
The easiest way to prevent that data from being shared is to make it friends-only, but that only works if you’re selective about the people you accept as Facebook friends. It seems that many people aren’t. In August, Sophos set up a fake profile featuring Freddi the Frog, and sent friend requests to 200 randomly selected users. 41% of those approached made the frog their friend and leaked their personal information.
Carole Theriault is senior security consultant with Sophos (www.sophos.com). “With everyone talking about Facebook, people were jumping on the bandwagon and putting together profiles of themselves – but we were concerned that they weren’t thinking about the security aspect,” she says. “Basically we were worried that people were treating it as an online diary and resume – and sometimes, you don’t really want your boss, mother or significant other to see what you post. People often think of making information available to the people they want to show it to, but don’t think about those they might want to hide it from.”
Fiddling with Facebook
Facebook has improved some of its privacy features – until recently, private information still turned up in Facebook search results – but the default settings emphasise sharing rather than privacy. Sophos has published a guide to Facebook’s privacy settings (http://www.sophos.com/security/best-practice/facebook.html), and while it may appear to state the obvious – “think carefully about who you allow to become your friend”, “disable options and then open them one by one” – it’s clear that many users don’t take even the simplest precautions.
Something in the air
Even if you do fiddle with sites’ privacy options, it’s better not to keep sensitive personal information online at all – especially if you connect via public Wi-Fi hotspots in order to access or edit it. As Rick Farina, wireless security researcher with AirTight Networks (www.airtight.com) notes, Wi-Fi is fundamentally insecure. “Any radio wave transmission such as Wi-Fi can be observed in the air in the same way TV or radio can be. This monitoring can be done easily using software freely available over the internet.” While he’s quick to point out that US hotspot operators provide software to keep your data transmissions secure, in the UK Wi-Fi is generally unencrypted – so for example public Wi-Fi services on trains are wide open and easily intercepted.
Niall Murphy is chief strategy office with The Cloud (www.thecloud.net), one of the UK’s leading providers of Wi-Fi hotspots. “The Cloud does configure its network in a way that protects users from each other, and every usage event on the network is authenticated,” he says. However, while the network uses authentication to make sure only legitimate customers can log in, “it does not provide ‘over-the-air’ encryption, as this is the responsibility of the user. Users should ensure they are using a VPN, running a firewall and [that they] use passwords or PINs to secure their data,” he says. T-Mobile is the same: while US users can download software to secure their connection, the UK site says “HotSpot provides an open connection to the internet in the same way as other access services such as DSL and cable. We recommend you use whatever additional security measures you have available, including virtual private networks, encryption and personal firewalls to ensure peace of mind.”
You should also worry about fake hotspots, as Farina explains. “The name/SSID [of a Wi-Fi hotspot] is normally how people determine what Access Point they are connected to. However, this can easily be copied by an attacker.” If you connect to a fake hotspot and then login to a social network site (or any other site using personal data), you’re handing over the keys to your personal information.
Then again, you don’t need to be an elite hacker to get hold of people’s personal data. “It is amazing how people get worked up about Google caching their searches for 18 months and then turn around and put their entire life in a blog on MySpace,” Farina says.
We’ll publish all kinds of things online, and we’ll happily tell companies our life stories in exchange for Clubcard points or the chance to win a holiday. “I don’t think many people realise how valuable their data is,” says Theriault. “How often do people buy something on the high street only to be asked what their postcode is? How many people ask what information is stored on their store cards, or more importantly how it is used? Businesses might take advantage of this lack of concern on our part. Life is a bit like a game of poker where the stakes are unknown. Keep your cards close to your chest.”
Aggregating data from multiple sources is a particular threat to privacy. People share photos on Flickr, post on MySpace, publish lists on Amazon, comment on blogs, network on LinkedIn and so on – and a new generation of search engines hope to collate and aggregate that data. Both Spock.com and Pipl.com search the “deep web” and present the results in a single page. If you’re listed on multiple sites, the amount of information could be alarming.
Until recently, amassing all that information was difficult. As new search engine Pipl notes, there is “a vast repository of underlying content, such as documents in online databases that general purpose web crawlers cannot reach. The deep web content is estimated at 500 times that of the surface web, yet has remained mostly untapped due to the limitations of traditional search engines.”
No more. Pipl.com – and similar startups such as Spock.com and Wink.com – search multiple social networking sites and databases to build a complete picture of an individual. As we discovered in last month’s Insight section, such aggregation can be very powerful: combining the personal information from someone’s Facebook profile with their employment history on LinkedIn and public documents (such as the electoral roll) via 192.com quickly uncovers more than enough data to clone someone’s identity.
Services such as Pipl.com are still in their infancy and their results are patchy, but it isn’t hard to imagine concerned parents using future versions of such sites to check out their daughter’s new boyfriend, or to envisage employers running quick checks on potential employees. The more information you upload, the more detailed – and potentially, damning – the search results will be.
“The information that you put up on Facebook is not necessarily all the information that’s out there about you,” says Guy Herbert, general secretary of No2ID (www.no2id.net). “When you put up lots of information about yourself the bad guy [can] take that and combine it with other information about you.”
Drowning in data
The amount of personal data that’s publicly available is staggering. For example, 192.com can search directory enquiry files (including ex-directory flags), birth and marriage certificates, house price data, Companies House records and several years of electoral roll entries, show you a satellite photo of someone’s house and tell you who their neighbours are. It’s hardly surprising that councils, financial institutions, forensic accountants, lawyers and government departments use the service to trace people. In the US, Pipl searches similar databases – plus blogs, Google Groups, peer-reviewed publications, LinkedIn, Flickr, Amazon.com and good old-fashioned web pages.
The government’s love of databases could conceivably make things worse. “The classic example of what happens when you use modern technology without thinking is the Land Registry,” says Herbert. “That’s now completely online, and that data along with online details of planning applications can tell people a huge amount of information about your house.” As he points out, the Land Registry simply puts scanned information online. “They’re basically bunging the forms up on the web, so you can get somebody’s signature and details of their mortgage… that obviously makes sense if you’re buying a bit of land, but if you are looking into somebody with a view to defrauding them then finding out financial details becomes very, very tempting when it can be done very cheaply and with automated searches. This is something the government has deliberately – deliberately and stupidly – done, without thinking that the consequence of making people’s lives easier has vastly more ramifications than simply doing things faster.”
There are of course many benefits to online services and social networking, but there are dangers too. “What’s happening with the creation of massive data sharing and online facilities to get at that data – either public or semi-public – is that it becomes possible for massive amounts of information on massive amounts of people to be gathered by a few,” says Herbert. “That data can be used in ways that were not intended either by the constructors of the system or the people whose information it is.”
Of course, you can always close your accounts and hope that nobody has copied your sensitive data. Or can you? If you attempt to shut down a Facebook account you’ll discover that while you can deactivate your account, you can’t delete it.
Unless you tick an opt-out box you’ll still receive messages from friends, and your account remains on Facebook so that you can reactivate it if you change your mind in the future. Everything you’ve posted on the service – messages, photo comments, status updates and so on – remains online unless you manually delete it, and if you’ve been sociable that could be a major undertaking.
It seems that Facebook is the Internet’s Hotel California: you can check out any time you like, but you can never leave.
So should we just accept that privacy is dead and get over it? “No!” says Theriault. “The roll over and die is rarely a good option, but I don’t think people should get overly paranoid either. Common sense will save the day.”
As Theriault points out, the problem is that people often provide information that isn’t necessary. Given that social networking sites enable you to send messages to your friends, “do you really need to offer up your mobile number, instant messaging information and email address?” When you’re connecting with people you already know, “Do you need your full date of birth? Do you need to give away your entire work and education history?”
Theriault’s message to social network users is simple: “Ask yourself – should I be posting this information?” When you consider all the possible ways in which your personal data can be combined with other data and used against you – from ID fraud to social embarrassment or even the loss of a lucrative job offer – and the possibility it may hang around forever, more often than not the answer should be no.
Facebook and the Feds
Is Facebook a front for US intelligence agencies?
The CIA openly uses Facebook to attract new recruits, but some people think Facebook’s links with the US intelligence services go much deeper. Could Facebook be a US government project?
The conspiracy theory goes something like this. The first round of Facebook funding came from venture capitalist Peter Thiel, who is on the board of right-wing thinktank VanguardPAC. More funding came via Accel partners, whose head James Breyer used to chair the National Venture Capital Association. The board of NVCA included the CEO of In-Q-Tel, a firm established by the CIA whose activities include data mining technology. Breyer was also a board member of BBN Technologies, who helped develop ARPANET, and BBN’s board also includes Doctor Anita Jones, former Director of Defense Research and Engineering for the US government’s Department of Defense.
We’re not finished yet. Jones’ DoD remit included the Defense Advanced Research Projects Agency (DARPA), which was the government agency behind the abandoned Total Information Awareness project. As Josh Smith notes (http://qwstnevrythg.blog-city.com/was_facebook_started_by_the_cia.htm), one of the technologies Total Information Awareness intended to use was “human network analysis and behaviour model building engines” which, he says, is “a surprising echo of the social network mapping that Facebook does using SVG visualisations.”
So is it true? Facebook declined our interview requests, but the site has gone on the record to flatly deny the conspiracy theory. According to Facebook, its staff and systems don’t mine user data for the CIA, FBI or any other government agency. But then, they would say that, wouldn’t they?