I went to Royal Holloway this week to give a presentation at the Information Security Group Alumni Conference about my personal views on social networking and the perception of risk. As a short summary, my main points were:

We’re bad at assessing risk

People really can’t tell whether it’s safer to fly that to drive and whether it’s more likely to drown in a flood than be hit by lightning. It all comes down to the perception of the risk.

Without context, it gets worse

People want to have sensory cues to allow them to work out the context in which they’re operating so that they can assess the risks they’re taking. People are inherently scared of the dark, because they can’t see what’s around them. In the absence of context, people fill the vacuum with the information that they do have: if they’re sitting at home, using the Internet, they are much less wary than in an Internet café in Bangkok but the level of risk hasn’t necessarily changed.

Younger people don’t necessarily have an enlightened view of privacy

While young people growing up today are much more au fait with technology than their forebears were at the same age, they don’t have the life experience in which to assess the long-term impact of their actions. Few people realise that:

  1. It’s very hard to delete stuff from the Internet
  2. That large employers will take into consideration anything they find on the Internet about a candidate before making a decision to employ them
  3. Most things are open, anyway and you should never post anything anywhere that you don’t want made public.

Facebook’s Privacy policy includes a section that says:

Risks inherent in sharing information. Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available*. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.

*My emphasis

The Information Security Industry’s Responsibility

I’d suggest that we need to make it easier for people to manage their privacy settings and have a default=closed policy for social networking sites. The IT industry went through a period of providing operating systems, network gear and other kit with all of the bells and whistles turned on out of the box. It was realised that this wasn’t a particularly good way to go. I think the same is true of social network sites.

I realise that it is in the commercial interest of social media companies to have as much openness as possible and, in Facebook’s case, people who truly believe that a transparent society in the form of Mark Zuckerberg.

But nothing is inevitable and I, personally, am not happy with living on a society where everything is open. People do have a legitimate right not to tell people everything, in my opinion, and while you could argue no one is forcing them to post information (which is of course true) no one can say that anyone is posting data online in an informed way.

Several people made excellent points after my presentation, including one thought provoking one about the fact we don’t know what’s going to happen to all of this data in 10-15 years’ time and how it will affect people (think insurance companies harvesting data about you and it affecting your premiums, for example). There is a much wider, social problem about society’s inability to “forget” stuff, which is beyond the scope of this blog.

Comments welcome