Tag Archive: facebook



While I am not a lawyer and others have said this before, notably Rob Carolina in his talk “The Cyberspace Frontier has Closed”, I thought it worth reviewing some recent developments that demonstrate the fact that the Internet is not lawless and behaviour online may well result in liabilities “in the real world”.

There still seems to be this perception that laws don’t apply to online activity. Take Joanne Fraill, the juror who was jailed for eight months for contempt of court by contacting one of the defendants in the trial she was on. She had received clear guidance from the Judge on the case, as had all of the other jurors, not to research the case online and definitely not to contact anyone related to the trial. I had exactly the same advice when I was a juror at the Old Bailey a couple of years ago.

And, yet, she still did it, no doubt believing that:

  1. It wasn’t so bad, and;
  2. She wouldn’t get caught anyway.

She was wrong. The trial collapsed.

This sort of thinking is rife online, and it is exacerbated by the fact that any search will bring back results that confirm every point of view on every subject, which is not really much help.

Other areas on the Internet that people should consider in terms of consequences include:

  • Copyright infringements
  • Data protection issues
  • Harassment
  • Money laundering
  • Tax evasion
  • Libel

Some of these apply to corporate organisations in a different way to individuals. For example, a data protection breach has the potential to seriously damage an organisation’s reputation. Libel may get you a hefty fine.

Just because people have a romantic notion of the Internet where normal laws don’t apply, doesn’t make it reality.


News reaches us of the latest, unannounced Facebook feature: facial recognition. What this implies is that Facebook will trawl through all the photos on the site, automatically “tagging” you in pictures that the system thinks you’re in.

Great time saver, you might think, but there are several things to think about:

  1. It was enabled, quietly, without user consent and requires users to actively disable the feature
  2. No technology of this sort is 100% accurate, so if you don’t disable it, you may find yourself tagged in embarrassing pictures that aren’t of you
  3. This is an indication of the power of data mining. What’s to stop Facebook mining Google or Bing, looking for pictures on other sites?

With thanks to the Sophos blog on this topic, here’s how you disable it:

Go to Account -> Privacy Settings -> Customise Settings (near the bottom) and go to the “Things others share” section.

Then go down to “Suggest photos of me to friends” and click the edit button.

Then select “Disable”.

If Facebook want to be seen to be taking privacy seriously, they should start by adopting a policy of opt-in for new features.


It’s a sad fact that many people exploit human nature for their own ends. The BBC reports that there is a text message circulating in Asia suggesting that radiation has “leaked” [sic] across Asia from the Fukushima power plant in Japan. Sophos’ Graham Cluley has blogged about malware spreading across the globe in the guise of videos supposedly coming from Japan with subject lines like: “VIDEO: The village that escaped the tsunami”, “VIDEO: Struggle for normal life in Japan”, “VIDEO: Woman talks about tsunami escape”, and “Japan tsunami touches New Zealand”.

Other examples include the fake Japanese Tsunami charity appeals, fake CNN footage of the tidal wave, and a Facebook “clickjacking” scam that entices people with the bizarre claim of showing viewers a whale stuck in a building after the Tsunami.

This goes to show that everyone needs to be extra careful when tragedies such as the one in Japan happen, as people will try to hijack the event, appealing to people’s curiosity or good nature for their own purposes. Even viewing a video or clicking on a site may reveal more than you want.

If you want to donate to the relief effort, go directly to a reputable charity.


This case just goes to show that you really should never post anything online you don’t want the world to see.

In summary, a woman in the US has been claiming that she is largely bed-ridden. The company that she works for disputes this, citing pictures of her being active on her Facebook account and they have applied to a judge to gain access to her Facebook and MySpace postings, including those that she has deleted.

It’s not overly clear from the article whether deleted posts were actually recovered, but Facebook’s privacy policy implies that at least some deleted content can be recovered.

More analysis can be found from The Register.

Hoax Malware


If you’ve had an email account for any length of time, you will have received an email that probably starts along the lines of:

URGENT! VIRUS!

This information arrived this morning, from Microsoft and Norton. Please send it to everybody you know who accesses the Internet.

You may receive an apparently harmless email with a PowerPoint presentation called “Life is beautiful.pps.”

If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it immediately.

If you open this file, a message will appear on your screen saying: “It is too late now, your life is no longer beautiful”, subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent it to you will gain access to your name, email and password.

There are lots of these hoaxes floating around on the Internet; you just need to search for “hoax” at Symantec’s Security Center to see that there are hundreds. What people don’t appreciate is that the hoaxes do also cause damage. People can panic when not fully aware of facts and Chinese whispers can distort a fairly benign situation into something seemingly far worse.

An example of this is today’s announcement by Facebook Security that rumours have started about a virus that was affecting user profiles called the “knob face virus” (full article is here). The full text states:

Virus spreading like wildfire on FaceBook!! It is a trojan worm called “knob face”. It will steal your info, invade your system and shut it down! Do NOT open the link “Barack Obama Clinton Scandal”! If “SmartGirl15” adds you, don’t accept it; it is a virus. If somebody on your list adds her, ……then……. you get the …………virus too!! Copy and paste to your wall

So, the advice? Don’t forward or post anything like this without checking it out. All it does is create fear and clog up inboxes.


I’m in the process of creating some “Top Ten Tip” flyers for work to try to distil some best practice into bite-sized chunks.

Here are my Top Ten Social Networking Tips:

  1. Never post anything you don’t want made public
  2. Check your privacy settings often
  3. Don’t use the same password as for your email account
  4. If one of your friends starts chatting and asking for money, phone them up!
  5. Don’t install apps you don’t know the provenance of
  6. Remember: everyone can read your tweets!
  7. Be careful about tagging other people in posts
  8. Don’t show your date of birth to anyone
  9. Be careful who you friend
  10. Consider the future implications of posts and pictures: nothing ever gets deleted

Are there any more important ones? What would you suggest?

Social Networking Risks


I went to Royal Holloway this week to give a presentation at the Information Security Group Alumni Conference about my personal views on social networking and the perception of risk. As a short summary, my main points were:

We’re bad at assessing risk

People really can’t tell whether it’s safer to fly than to drive and whether you’re more likely to drown in a flood than be hit by lightning. It all comes down to the perception of the risk.

Without context, it gets worse

People want to have sensory cues to allow them to work out the context in which they’re operating so that they can assess the risks they’re taking. People are inherently scared of the dark, because they can’t see what’s around them. In the absence of context, people fill the vacuum with the information that they do have: if they’re sitting at home, using the Internet, they are much less wary than in an Internet café in Bangkok but the level of risk hasn’t necessarily changed.

Younger people don’t necessarily have an enlightened view of privacy

While young people growing up today are much more au fait with technology than their forebears were at the same age, they don’t have the life experience in which to assess the long-term impact of their actions. Few people realise that:

  1. It’s very hard to delete stuff from the Internet
  2. Large employers will take into consideration anything they find on the Internet about a candidate before making a decision to employ them
  3. Most things are open anyway, and you should never post anything anywhere that you don’t want made public.

Facebook’s Privacy policy includes a section that says:

Risks inherent in sharing information. Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available*. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.

*My emphasis

The Information Security Industry’s Responsibility

I’d suggest that we need to make it easier for people to manage their privacy settings and have a default=closed policy for social networking sites. The IT industry went through a period of providing operating systems, network gear and other kit with all of the bells and whistles turned on out of the box. It was realised that this wasn’t a particularly good way to go. I think the same is true of social network sites.

I realise that it is in the commercial interest of social media companies to have as much openness as possible and, in Facebook’s case, people who truly believe that a transparent society in the form of Mark Zuckerberg.

But nothing is inevitable and I, personally, am not happy with living in a society where everything is open. People do have a legitimate right not to tell people everything, in my opinion, and while you could argue no one is forcing them to post information (which is of course true) no one can say that anyone is posting data online in an informed way.

Several people made excellent points after my presentation, including one thought-provoking one about the fact we don’t know what’s going to happen to all of this data in 10-15 years’ time and how it will affect people (think insurance companies harvesting data about you and it affecting your premiums, for example). There is a much wider, social problem about society’s inability to “forget” stuff, which is beyond the scope of this blog.

Comments welcome
