The popularity of social networking sites has increased at an astonishing rate. Social networking websites such as Facebook, Twitter, MySpace and LinkedIn have grown rapidly within the past few years and now have over two billion users between them. Almost every computer-literate person has at least one social network account, and many spend a large amount of their time on social networks each day.
Social networks can be described as web applications. People may use social networking services for different reasons: to network with new contacts, reconnect with former friends, maintain current relationships, build or promote a business or project, participate in discussions about a certain topic, or just have fun meeting and interacting with other users. Some services, such as Facebook and Twitter, have a broad range of users, while others cater to specific interests. For example, LinkedIn has positioned itself as a professional networking site—profiles include resume information, and groups are created to share questions and ideas with peers in similar fields. On the other hand, MySpace is known for its emphasis on music and other entertainment. There are also social networking services that have been designed specifically to reconnect former classmates.
Most people join social networks to share their information and keep in contact with people they know. The main feature of social networks is a friend finder that allows users to search for people they know and then build up their own online community. Most social network users share a large amount of private information in their social network space, ranging from demographic and contact information to comments, images and videos. Many users publish this information publicly without careful consideration, so social networks have become a large pool of sensitive data. Moreover, social network users tend to place a high level of trust in other users: they accept friend requests easily and trust items that friends send them. Because of their large populations and information bases, and their easy accessibility, social networking websites have become attractive new targets for cyber criminals.
Given these characteristics of social networks and the increasing aggressiveness of attackers' methods, privacy and security in social networks have become a critical issue in the cyber world. This paper therefore presents a survey of the privacy and security issues that occur in online social networks. The next section presents those issues, which include privacy issues, identity theft, spam, malware and physical threats.
There are many types of social networks available. Most social networks combine elements of more than one of these types of networks, and the focus of a social network may change over time. Many of the security and privacy recommendations are applicable to other types of networks.
- Personal networks. These networks allow users to create detailed online profiles and connect with other users, with an emphasis on social relationships such as friendship. For example, Facebook, Friendster and MySpace are platforms for communicating with contacts. These networks often involve users sharing information with other approved users, such as one’s gender, age, interests, educational background and employment, as well as files and links to music, photos and videos. These platforms may also share selected information with individuals and applications that are not authorized contacts.
- Status update networks. These types of social networks are designed to allow users to post short status updates in order to communicate with other users quickly. For example, Twitter focuses its services on providing instantaneous, short updates. These networks are designed to broadcast information quickly and publicly, though there may be privacy settings to restrict access to status updates.
- Location networks. With the advent of GPS-enabled cellular phones, location networks are growing in popularity. These networks are designed to broadcast one’s real-time location, either as public information or as an update viewable to authorized contacts. Many of these networks are built to interact with other social networks, so that an update made to a location network could (with proper authorization) post to one’s other social networks. Some examples of location networks include Brightkite, Foursquare, Loopt and Google Latitude.
- Content-sharing networks. These networks are designed as platforms for sharing content, such as music, photographs and videos. When these websites introduce the ability to create personal profiles, establish contacts and interact with other users through comments, they become social networks as well as content hubs. Some popular content sharing networks include thesixtyone, YouTube and Flickr.
- Shared-interest networks. Some social networks are built around a common interest or geared to a specific group of people. These networks incorporate features from other types of social networks but are slanted toward a subset of individuals, such as those with similar hobbies, educational backgrounds, political affiliations, ethnic backgrounds, religious views, sexual orientations or other defining interests. Examples of such networks include deviantART, LinkedIn, Black Planet, and Goodreads.
What Information is Public?
There are two kinds of information that can be gathered about a user from a social network: information that is shared and information gathered through electronic tracking.
Information a User Shares
Information a user shares may include:
- Photos and other media.
- Age and gender.
- Biographical information (education, employment history, hometown, etc.).
- Status updates (also known as posts).
- Geographical location.
This information becomes public in a variety of ways:
- A user may choose to post information as “public” (without restricting access via available privacy settings).
- Certain information may be publicly visible by default. In some cases a user can change the privacy settings to make that information "private", so that only approved users can view it. Other information must remain public; the user has no option to restrict access to it.
- Approved contacts may copy and repost information – including photos – without a user’s permission, potentially bypassing privacy settings.
- Third-party applications that have been granted access may be able to view information that a user or a user’s contacts post privately.
Social networks themselves do not necessarily guarantee the security of information uploaded to a profile, even when posts are set to private. This was demonstrated in a May 2010 incident in which Facebook users were able to see the private chat logs of their contacts. While this and similar bugs are usually fixed quickly, information that leaks in the meantime can still be exploited.
Information Gathered Through Electronic Tracking
Information may also be gathered from a user's actions online using "cookies" (small text records that a website stores in the browser and that the browser sends back on later requests to that site). Some of the purposes of cookies include:
- Tracking which websites a user has viewed.
- Storing information associated with specific websites (such as items in a shopping cart).
- Tracking movement from one website to another.
- Building a profile around a user.
In fact, a 2009 study conducted by AT&T Labs and Worcester Polytechnic Institute found that the unique identifier a social network assigns to each user can reach third-party advertising and tracking sites (for example in the Referer header sent when a tracker's content loads on a profile page) and can then be matched with the browsing behaviour those sites track through their own cookies. This means that advertisers and others are able to use information gleaned from social networks to build a profile of a user's life, including linking browsing habits to one's true identity.
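To make the linkage in that study concrete, here is an added example (not code from the original page or from the study's authors) that analyses request logs the way a third-party tracker would see them. It assumes a hypothetical social network, social.example, whose profile URLs carry the account id in the query string, a hypothetical tracker cookie named tid, and a simplified one-line-per-request log format; the log lines are constructed for the example, not real traffic.

```python
"""Join a tracker's own cookie with social-network ids leaked in Referer headers.

Added example: simulates what a third-party ad/analytics host can infer from its
request logs. All hosts, cookie values and log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not real traffic). Each line is one request that reached
# the tracker: timestamp, the tracker's own cookie value, and the Referer header.
TRACKER_LOG = """\
2010-05-01T09:00:00 tid=a1b2c3 referer=https://social.example/profile.php?id=1234567
2010-05-01T09:05:00 tid=a1b2c3 referer=https://health-forum.example/threads/anxiety-treatment
2010-05-01T09:10:00 tid=d4e5f6 referer=https://news.example/politics
2010-05-01T09:12:00 tid=d4e5f6 referer=https://social.example/profile.php?id=7654321
2010-05-01T10:00:00 tid=g7h8i9 referer=https://shop.example/cart
2010-05-01T11:00:00 tid=a1b2c3 referer=
2010-05-01T12:30:00 tid=a1b2c3 referer=https://jobs.example/search?q=resign+notice
"""

# Hypothetical social network whose profile URLs embed the account's unique id.
SOCIAL_HOST = "social.example"

LINE_RE = re.compile(r"^(?P<ts>\S+) tid=(?P<tid>\S+) referer=(?P<ref>\S*)$")


def parse_log(text):
    """Yield (timestamp, tracker_cookie, referer) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("tid"), m.group("ref")


def social_user_id(referer):
    """Return the social-network user id embedded in a profile-page Referer, else None."""
    if not referer:
        return None
    u = urlparse(referer)
    if u.hostname != SOCIAL_HOST:
        return None
    ids = parse_qs(u.query).get("id")
    return ids[0] if ids else None


def link_identities(text):
    """Join the two data sets the tracker holds.

    The tracker cookie follows one browser across every site that embeds the
    tracker; the social-network id leaks in the Referer whenever the tracker
    loads on a profile page. Returns {social_user_id: sorted third-party hosts}.
    """
    cookie_to_user = {}
    visits = defaultdict(set)
    for _ts, tid, ref in parse_log(text):
        uid = social_user_id(ref)
        if uid:
            cookie_to_user[tid] = uid
        if ref:
            host = urlparse(ref).hostname
            if host and host != SOCIAL_HOST:
                visits[tid].add(host)
    return {uid: sorted(visits[tid]) for tid, uid in cookie_to_user.items()}


def unlinked_cookies(text):
    """Tracker cookies that were never seen alongside a leaked social-network id."""
    rows = list(parse_log(text))
    seen = {tid for _ts, tid, _ref in rows}
    linked = {tid for _ts, tid, ref in rows if social_user_id(ref)}
    return sorted(seen - linked)


if __name__ == "__main__":
    for uid, hosts in link_identities(TRACKER_LOG).items():
        print(f"social user {uid} also visited: {', '.join(hosts)}")
    print("cookies still anonymous:", unlinked_cookies(TRACKER_LOG))
```

Running it resolves every tracker cookie that ever loaded on a profile page to a social-network account and joins it to the other sites that browser visited with the same cookie (here a health forum and a job search), while the cookie that never touched the network stays anonymous. The leak is on the social network's side, an identifier in a URL that the browser sends to every embedded third party, and so is the fix: keep identifiers out of page URLs or send a restrictive Referrer-Policy. On the user's side, blocking third-party cookies breaks the join.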
Who Can Access Information?
When posting information to a social network, a user probably expects authorized contacts to be able to view it. But who else can see it, and what exactly is visible?
Entities that collect personal information for lawful purposes include:
- Advertisers interested in personal information so they can better target their ads to those most likely to be interested in the product.
- Third-party software developers who incorporate information to personalize applications, such as online games that interact with the social network.
Entities that collect personal information for illegal purposes include:
- Identity thieves who obtain personal information either based on information a user posts or that others post about the user.
- Other online criminals, such as people planning to scam or harass individuals, or infect computers with malware (malicious software placed on a computer without the knowledge of the owner).
Criminals may use social networks to connect with potential victims. This section discusses some of the typical scams and devices used to defraud consumers on social networks. Fraud may involve more than one of the techniques described below.
Identity thieves use an individual's personal information to impersonate them, often for financial gain. The information users post about themselves on social networks may make it possible for an identity thief to gather enough information to steal an identity. In 2009, researchers at Carnegie Mellon University published a study showing that it is possible to predict most, and sometimes all, of the digits of an individual's 9-digit Social Security number using information gleaned from social networks and online databases.
Identity thieves commonly target:
- Bank account information
- Credit card numbers
- Information stored on a user's computer, such as contacts
- Control of the user's computer without his or her consent (for example, through malware)
- Social Security numbers. Remember that the Social Security number is the key to identity theft. Never provide a Social Security number through a social networking service.
Some fraud techniques to watch out for include:
- Illegitimate third-party applications. These rogue applications may appear similar to other third-party applications but are designed specifically to gather information. This information may be sold to marketers but could also be useful in committing identity theft. These applications may appear as games, quizzes or questionnaires in the format of “What Kind of Famous Person Are You?”
- False connection requests. Scammers may create fake accounts on social networks and then solicit others to connect with them. These fake accounts may use the names of real people, including acquaintances, or may be entirely imaginary. Once the connection request is accepted, a scammer may be able to see restricted and private information on a user’s profile.
Malware (malicious software) is a broad term for programs installed on a user's computer, often through trickery. Malware can spread quickly on a social network, infecting one user's computer and then spreading to his or her contacts. This works because the malware appears to come from a trusted contact, so users are more likely to click on its links or download the programs it offers.
Some common techniques used in spreading malware include:
- Shortened URLs, particularly on status update networks or newsfeeds. Because the short form hides the real destination, these may lead the user to download a virus or to visit a website that will attempt to load malware onto the user's computer.
- Messages that appear to be from trusted contacts that encourage a user to click on a link, view a video or download a file.
- An email appearing to be from the social network itself, asking for information or requesting a user click on a link.
- Third-party applications that infect computers with malicious software and spread it to contacts.
- Fake security alerts – applications that pose as virus protection software and inform the user that his or her security software is out-of-date or a threat has been detected.
There are a variety of social engineering scamming techniques which trick users into entering sensitive information. This section describes a few of the well-known techniques.
- Phishing attacks use emails, instant messages or other messages that claim to come from a trusted source and ask for information. For example, an email may appear to be from a bank and direct the user to enter a password on a fake login page, or tell the user to call a phone number or risk having the account closed. Some web browsers, including recent versions of Mozilla Firefox and Internet Explorer, warn users about known fake websites.
- Spear phishing is a type of phishing attack that appears to come from a colleague, employer or friend and includes a link or something to download. (The sender's account has often been hijacked.) These links or downloads may be malicious, leading to viruses or to fake websites that solicit personal information.
- Misleading solicitations. A social network might use social engineering to make people feel obligated to join. This often occurs when one person joins and (often inadvertently) provides the social network with access to his or her contact list. The social network then sends out emails to all of his or her contacts, often implying they are from the individual who joined. For example, it has been reported that Tagged.com solicits contacts of users with emails claiming the recipient has been “tagged.” These emails state: “Is <user name> your friend? Please respond or <user name> may think you said no :( ” or “<user name> sent you photos on Tagged.” The recipient may believe this is a personal invitation from the user and feel obligated to join the network, giving out his or her information and perhaps perpetuating the solicitations.
- Hijacked accounts. A legitimate account may be taken over by an identity thief or malware for the purpose of fraud such as posting spam, sending out malware, stealing the private data of contacts or even soliciting contacts to send money. One typical scenario is when a hijacked account sends out messages stating that the account owner is overseas and in desperate straits. Contacts are urged to immediately wire money. A user may not realize his or her account has been hijacked for quite some time. An attack could also be in the form of a chat conversation.
Anonymity on Social Networks
Many users of social networks choose to mask their real identities. This may be done through anonymity (providing no name at all) or pseudonymity (using an invented name in place of one's own).
Some people who may prefer an anonymous or pseudonymous persona include, but are not limited to:
- Individuals with medical conditions who want to discuss symptoms and treatment without creating a public record of their condition
- Bloggers and activists engaging in political discourse, especially on controversial issues
- Teachers and childcare workers
- Medical professionals, including mental health professionals
- Law enforcement agents, prosecutors, parole and probation officers, judges, and other court employees
- Victims of stalking, sexual assault, and domestic violence
- Children and youth
In fact, anonymity is a useful tool for anyone who prefers to keep a strict separation between an online persona and an off-line identity. It can also be abused by individuals trying to shield their identities while engaging in illegal activities.
Typically, users who prefer to engage in social networks without divulging their true identity create profiles using a pseudonym and an email address that is not linked to their real name. If you are considering a pseudonymous profile, check the terms of service of the social networking site: providing false or incomplete information violates the terms of service of some sites. Users should also consider software that masks their IP address, such as Tor, and should delete all cookies after each visit to a social networking site.
Bear in mind that it is difficult to truly separate online and off-line identities. It is possible to divulge identifying information through status updates, group memberships, photographs, friend networks and other indicators. In fact, numerous studies have shown that anonymized data can often still be linked to specific individuals.
Tips to Stay Safe, Private and Secure
There are many ways that information on social networks can be used for purposes other than what the user intended. Below are some practical tips to help users minimize the privacy risks when using social networks. Be aware that these tips are not 100% effective. Any time you choose to engage with social networking sites, you are taking certain risks. Common sense, caution and skepticism are some of the strongest tools you have to protect yourself.
Registering an Account
- Use a strong password different from the passwords you use to access other sites.
- Never provide a work-associated email to a social network, especially when signing up. Consider creating a new email address strictly to connect with your social networking profile(s).
- Consider not using your real name, especially your last name. Be aware that this may violate the terms of service of some social networks.
- Be sure to keep strong antivirus and spyware protection on your computer.
- Provide only information that is necessary or that you feel comfortable providing. When in doubt, err on the side of providing less information. Remember, you can always provide more information to a social network, but you can’t always remove information once it’s been posted.
- During the registration process, social networks often ask a new user for an email account password so the social network can read the user's email address book, promising to connect the new user with people they may already know on the network. To be safe, don't provide this information at all. Some social networks capture all of a user's email contacts and then solicit them, often repeatedly, to join, and these messages may even appear to come from the original user. If you do consider giving an email address and password to a social network, read the agreement carefully before accepting it.
General Tips for Using Social Networks
- Become familiar with the privacy settings available on any social network you use. On Facebook, make sure that your default privacy setting is "Friends Only". Alternatively, use the "Custom" setting and configure the setting to achieve maximum privacy.
- Be careful when you click on shortened links. Consider using a URL expander (as a browser add-on or a website you visit) to see where a short URL leads before clicking on it. Examples of URL expanders include LongURL, Clybs URL Expander and Long URL Please. (Privacy Rights Clearinghouse does not endorse one URL expander over another.)
- Be very cautious of pop-up windows, especially any that state your security software is out of date or that security threats and/or viruses have been detected on your computer. Close the browser from your task manager rather than clicking anything inside the pop-up (even its "close" button may be a link), then run your antivirus and anti-spyware software.
- Delete cookies, including flash cookies, every time you leave a social networking site.
- Remember that whatever goes on a network might eventually be seen by people not in the intended audience. Think about whether you would want a stranger, your mother or a potential boss to see certain information or pictures. Unless they are glowing, don't post opinions about your company, clients, products and services. Be especially cautious about photos of you on social networks, even if someone else placed them there. Don’t be afraid to untag photos of yourself and ask to have content removed.
- Don’t publicize vacation plans, especially the dates you’ll be traveling. Burglars can use this information to rob your house while you are out of town.
- If you use a location-aware social network, don’t make public where your home is because people will know when you are not there. In fact, you should be careful when posting any sort of location or using geotagging features because criminals may use it to secretly track your location. For the same reason, be careful not to share your daily routine. Posting about walking to work, where you go on your lunch break, or when you head home is risky because it may allow a criminal to track you.
- Be aware that your full birth date, especially the year, may be useful to identity thieves. Don’t post it, or at a minimum restrict who has access to it.
- Don’t post your address, phone number or email address on a social network. Remember scam artists as well as marketing companies may be looking for this kind of information. If you do choose to post any portion of this, use privacy settings to restrict it to approved contacts.
- If you receive a request to connect with someone and recognize the name, verify the account holder’s identity before accepting the request. Consider calling the individual, sending an email to his or her personal account or even asking a question only your contact would be able to answer.
- If you receive a connection request from a stranger, the safest thing to do is to reject the request. If you decide to accept the request, use privacy settings to limit what information is viewable to the stranger and be cautious of posting personal information to your account, such as your current location as well as personally identifiable information.
- Be wary of requests for money, even if they are from contacts you know and trust. If a contact’s account is compromised, a scam artist may use his or her name and account to attempt to defraud others through bogus money requests.
- Take additional precautions if you are the victim of stalking, harassment or domestic violence.
- In the event that your social networking account is compromised, report it to the site immediately and alert your contacts. You will need to change passwords, but proceed with caution because your computer security may have been compromised. Malware, including key-logging software, may have been installed on your computer. If you use online banking, do not log on from the computer that may have been compromised until you have ensured your computer security is intact.
- Prune your "friends" list on a regular basis. It's easy to forget who you've friended over time, and therefore who you are sharing information with.
- If you are using a social networking site that offers video chatting, pay attention to the light on your computer that indicates whether or not your webcam is in use. This will help you avoid being "caught on camera" by accident.
- Be sure to log off from social networking sites when you no longer need to be connected. This may reduce the amount of tracking of your web surfing and will help prevent strangers from infiltrating your account.
- Remember that nothing that you post online is temporary. Anything you post can be cached, stored, or copied and can follow you forever.
- Check your privacy settings often. Privacy policies and default settings may change, particularly on Facebook.
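The warnings about shortened URLs, both in the malware section and in the tip above about URL expanders, describe what an expander does without showing it. The following is an added Python example, not code from this page, from Privacy Rights Clearinghouse, or from any of the expanders named: it resolves a short URL one HEAD request at a time with automatic redirect-following disabled, caps the number of hops, and flags nested shorteners, redirect loops, non-web schemes and an https-to-http downgrade before the user decides to click. The SHORTENER_HOSTS list, the live_redirect_lookup helper and the FAKE_REDIRECTS table are assumptions made for the example; the table stands in for live responses so the example runs offline.

```python
"""Expand a shortened URL safely: one redirect hop at a time, never auto-following.

Added example. The shortener list and the FAKE_REDIRECTS table are assumptions
constructed for the example; nothing here is fetched from the network unless the
live lookup function is passed in explicitly.
"""
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10

# Assumed list of well-known shortener hostnames; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly"}


def live_redirect_lookup(url, timeout=5):
    """Issue a single HEAD request and return its Location header, or None.

    Standard library only; http.client never follows redirects on its own, so
    the destination is inspected without ever being visited.
    """
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "url-expander-example/1.0"})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand(url, lookup=live_redirect_lookup, max_hops=MAX_HOPS):
    """Follow redirects manually and describe the chain.

    lookup(url) must return the next URL or None (injected so tests run offline).
    Returns {"chain": [urls...], "final": last url or None, "warnings": [...]}.
    """
    chain, warnings, seen, current = [url], [], {url}, url
    for _ in range(max_hops):
        nxt = lookup(current)
        if nxt is None:
            break
        nxt = urljoin(current, nxt)  # a Location header may be relative
        scheme = urlparse(nxt).scheme.lower()
        if scheme not in ("http", "https"):
            chain.append(nxt)
            warnings.append(f"non-web scheme in redirect: {scheme}:")
            return {"chain": chain, "final": None, "warnings": warnings}
        if nxt in seen:
            warnings.append("redirect loop")
            return {"chain": chain, "final": None, "warnings": warnings}
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    else:
        warnings.append(f"more than {max_hops} redirects; chain cut off")
        return {"chain": chain, "final": None, "warnings": warnings}

    hosts = [urlparse(u).hostname for u in chain]
    if len(chain) > 2 and any(h in SHORTENER_HOSTS for h in hosts[1:-1]):
        warnings.append("nested shorteners hide the destination")
    final_host = hosts[-1] or ""
    if final_host.count(".") >= 3:
        warnings.append(f"deeply nested hostname: {final_host}")
    if final_host in SHORTENER_HOSTS:
        warnings.append("final URL is still a shortener")
    if urlparse(chain[0]).scheme == "https" and urlparse(chain[-1]).scheme == "http":
        warnings.append("downgrade from https to http")
    return {"chain": chain, "final": chain[-1], "warnings": warnings}


# Constructed redirect table standing in for live HEAD responses (offline example).
FAKE_REDIRECTS = {
    "https://bit.ly/abc123": "https://t.co/xyz",
    "https://t.co/xyz": "http://login.bank.example.attacker-site.example/",
    "https://t.co/loop": "https://bit.ly/loop",
    "https://bit.ly/loop": "https://t.co/loop",
    "https://bit.ly/ok": "https://www.example.org/article",
}


def fake_lookup(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for short in ("https://bit.ly/abc123", "https://bit.ly/ok", "https://t.co/loop"):
        print(short, "->", expand(short, lookup=fake_lookup))
```

The design point is that the client never lets the HTTP library follow redirects for it: each hop is a separate HEAD request whose answer is inspected first, so a chain that ends in a javascript: or data: URL, loops, or runs past the hop limit is reported rather than loaded. Pass live_redirect_lookup (the default) to resolve real short links; the table-backed fake_lookup is only there so the example can be run and checked without network access.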