The question is, can we have our online social connections and enough privacy control to safeguard our identities?

Highlights:

  • This problem is far, far worse than you might think
  • Identity theft is on the rise – and social data is powering that rise
  • Your face + your public social data can equal identity theft and bank fraud
  • Governments and some predatory corporations now have access to, and are shopping for, illegal hacking and surveillance tools
  • This isn’t about “targeted marketing”
  • We’re a bit addicted, aren’t we? We turn off our risk-o-meter. And social media enthusiasts may be the most resistant to the idea of social-powered risk.
  • Government is waking up to the problem, and Obama passes a new Consumer Privacy Bill of Rights –  a step in the right direction (see “2013 Update” at the end of this article)

A social strategist — concerned that social media has lost much of its safety

I COUNSEL FORTUNE 500 COMPANIES ON CORPORATE SOCIAL MEDIA FOR A LIVING. I also have a full-on love affair with both social networking and with my friends and my connections to them. Social technologies and memes are not just an interest, they pay my mortgage and they make me smile on a daily basis. They bring a tremendous richness to my life.

I’M ALSO A PRIVACY PRAGMATIST. I realize that if I want those connections and that constant stream of friend data, there is some risk involved. So when I post anything, I’m thoughtful about who might see it. I also know the business models of many sites rely on advertising and ad sales – and I’m cool with them making a buck within the context of a trusted, transparent relationship.

But as careful as we may be with what we post, a growing list of privacy breaches, bugs, and corporate malfeasance incidents put our identity, the control of our privacy, and ultimately our bank accounts in jeopardy. Our happy days of connecting with friends, and sharing a lot of info, without concern about privacy risk, have come to an end.

For the latter half of 2011 and into early 2012, we witnessed a significant increase in privacy breaches, bad corporate behavior and other Web-related violations of the social compact – each one seemingly more egregious than the previous. Concerned, I began looking into privacy and social media – particularly around Facebook, my primary social network.

Much to my dismay, I found myriad examples of privacy gaffes and slip-ups, along with powerful and secretive surveillance companies mining social media, and opportunities for identity thieves to use your social footprint to defraud you. Apparently, it’s easier than ever.

“Well, duh,” you snort. “None of that’s a surprise.” Here are a few things that might raise your eyebrows – or the hair on the back of your neck.

Serious new risk from identity theft

Identity theft is on the rise – powered in part by social sharing

According to a report by Javelin Research, social media users who post their personal information online or with smartphone apps are helping fuel the rise of identity theft in the US, up 13% in 2011 from 2010. Through accidental posts revealing too much, to naïve newbies who don’t realize the reach and search ability of social information, we are aiding those we’d rather not in taking our identity. For example:

Your photo, coupled with public social data, can lead thieves directly to your Social Security Number

A recent CBS News story on a study by Carnegie Mellon researchers showed that all it takes to get very very close to your SSN is a photo and public identity data available from paid databases or social networks. They even developed an iPhone test app that could extrapolate a social security number from a face – within three seconds. Take a snapshot, an image search occurs, your public social data is scanned, and voila, a SSN! Which means that nefarious parties with some cash, software and statistical savvy can use your online photos to steal your identity and clean out your bank account, just by walking by and snapping your photo. No I’m not kidding. Read the whitepaper to see how it’s done.

Inference engines, powered by freely available social media data, can fill in informational “holes” about you

Even when someone doesn’t have all the data on you, it’s easy to fill in the pieces, particularly if you’ve been active in social. The more you’ve willingly posted, the more likely it is that inference engines will accurately fill in the holes of what they don’t know about you, including behavioral projections, password projections and remaining pieces of your private personal data. Add social media to what data brokers sell, and you have identity theft on steroids and cocaine.

Facial recognition software now ties your face to your online footprint

THINK ABOUT IT – do you really want interested parties – government, corporations, stalkers, exes, opportunistic litigators, the press – being able to dig up dirt on you, from just your face? Facial recognition software has become rampant – perhaps irrevocably so. The problem is its use within social networks, where it can be tied to all sorts of very private information that you might not want others to have access to.

Law enforcement has become attracted to the power of this software in helping catch criminals, but simultaneously, its track record on a few high-profile tests netted few if any suspects.

Fortunately, lawmakers have taken notice about facial recognition. The real test is whether they do anything about it.

Once you’ve been defrauded, it’s going to get much harder to get your money back

This year, I had my first real identity theft, in which someone placed a skimmer (visual examples) on an ATM I used and created a fake debit card. They cleaned out my account. The surprise: how difficult my bank made it to get my money back, stating concerns that perhaps it was ME who was trying to defraud them! The investigation — in which I was simultaneously and very clearly using the “same” card in another part of the state — took two full months.

So don’t think it’s a simple call to your bank anymore. To protect themselves, banks need to do some digging on you as well.

Corporations and governments putting themselves first — and you last

Facebook using cookies to capture site visits — even when you’re logged out of Facebook

Facebook has been capturing URLs of sites you visit even when you’re logged out, “for your own safety and protection,” claimed one FB engineer. Facebook says this practice helps prevent fraudsters from logging in on public computers as you. Unconvinced, several plaintiffs are now suing Facebook for violation of federal wiretap laws.

In 2011, the FTC filed a formal complaint about Facebook’s privacy claims – calling them “deceptive.” The company settled in November, after which FTC Chairman Jon Leibowitz praised Mark Zuckerberg’s blog post making a commitment to privacy. So are you ready to trust? Read this article on Mark Zuckerberg first.

In my opinion, that attitude totally conforms with this article about half-apologies and privacy boundary pushing.

Former CTO claims that forcing you to move to Timeline is a mechanism to sell more ads

This year, you’ll have to choose to convert to Timeline and its Sponsored Stories ad product – or leave Facebook. Why the push to Timeline? A supposed former CTO shared a presentation on how Facebook appears to be ramping up ad placement technology in preparation for an IPO. His or her identity has been kept secret by Business Insider. Hoax? Perhaps. But it makes sense.

Predatory marketers are totally cool with practices that would be considered completely unacceptable if done by friends or neighbors

From Stanford Law School’s Center for Internet & Society: “Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn’t a 1984-esque scaremongering hypothetical. This is what’s happening today.”

Many marketers and management teams have let fear and recessionary pressures drive them to unethical techniques that would be considered sociopathic if done by individuals. Bypass consumer control and you destroy trust. Destroy trust, decrease your transactions. Destroy your reputation, destroy your revenue.

But isn’t targeted marketing a good thing?

Yes, of course. If I have to have advertising in exchange for free site use, absolutely I’d rather it be targeted than shotgunned. But I should be able to control what I give up in exchange. And corporations should give me fair warning when they use it – not try to sneak it in the background. As Joshua Topolsky so smartly noted in a recent Washington Post article, “simply acknowledging that you’re going to take [our] data doesn’t make it a good idea; it just means that now we know you’ve got it.”

Couple this with a very alarming WSJ report on how corporations and governments are buying massively powerful and sometimes illegal hacking and surveillance technologies

The Wall Street Journal recently did a chilling exposé on a private hacking and surveillance technology conference in which surveillance vendors hawked their wares to governments and corporations. The public and press were denied entry to this conference – because of the potential public alarm it would cause.

Recently the WSJ updated the site with a list of the US and foreign agencies who are shopping for illegal hacking and surveillance tools.

Culturally, shouldn’t we care more?

Europeans seem far more concerned about Facebook and privacy than we do

These worries aren’t just in the US. European countries like the UK, Ireland and Germany are growing quite concerned about Facebook, social networks, facial recognition and privacy. FB is taking steps to defuse the situation. More: “EU Set to Slap Facebook With Privacy Sanctions

All of this has also alarmed many long-time Internet veterans, several of whom are permanently logging out of Facebook

Stowe Boyd, managing director at Work Talk,  has spoken out against FB’s privacy follies. NYU’s Danah Boyd (unrelated to Stowe) is rightfully angry over the forcing of the masses to share personal data. Dave Winer, the social media pioneer who invented the podcasting concept, has bailed, out of concerns about Facebook’s alleged lack of privacy.

Surprisingly, many in the general user population don’t seem to care about the pervasiveness of surveillance and the selling of their information

Several surveys have been done that show that, despite multiple breaches of privacy and the resultant press coverage, many Facebook users don’t really seem to care — perhaps the desire to stay connected is that strong, or perhaps a feeling of powerlessness to change the trend. Are people just not aware that the more of a social footprint you leave, the bigger the risk of serious identity fraud? See “Facebook Users Don’t Care About Privacy After All” and “Facebook privacy is awful, but users don’t care, security expert says

We’re also accepting half-assed answers — and few are being held accountable

Senator Al Franken, in his role on the Senate Subcommittee on Privacy, Technology and the Law, demanded mobile software developer CarrierIQ explain its keylogging software. While CarrierIQ and several mobile networks responded, Franken continues to be “very troubled by what’s going on … there are still many questions to be answered here and things that need to be fixed.” Lame mea culpas about privacy violations aren’t just coming from Facebook. YOUR MOBILE PHONE KEYSTROKES WERE BEING CAPTURED WITHOUT YOUR KNOWLEDGE. People should be SCREAMING about this.

But should the blame also be on us? Are we creating a culture in which fear makes it acceptable to stalk anyone in your life?

Significant others, professionals, and others we meet in real life, can now be investigated via sites like BeenVerified. Have you seen the commercials? Some will say that if you’re doing nothing wrong, you have nothing to hide. But seriously — are you ready for this level of transparency? A dentist doing a background check to see if he should work on your teeth? A mortgage company’s loan offer being retracted because they found the WRONG record, for a different person with the same name?

A few years ago, I had all of my personal checks come back as fraudulent – because someone at CheckFree had miskeyed an account number by one digit, matching mine. Of course, there was no easy way to contact the company – and it took weeks to get my checking account number off the black list. What happens when the wrong social media data is pulled?

Or are we just accepting a lack of privacy as the norm, as Mark Zuckerberg suggests?

Think about your social footprint in the context of companies that are mining social data to stalk and report on you

New software and services offer unparalleled investigation into your social efforts. An underwriter might review your publicly available social media data to find out if you really did hurt yourself. I don’t mind fraud checking but this business practice has been largely ignored by the news media. What if I’m sick with a flu, but feel well enough to post “I have a flu” – and an underwriter judges me to be committing insurance fraud?

Your personal details aren’t just accessed – they are shared and sold and then sold and then sold

These privacy breaches aren’t just one-offs with limited outcomes. The implications echo on over time, because personal data is shared and sold. A recent report by CSO (Chief Security Officer) shows that criminals have established an online black market for login credentials. Path might take your contact data, but if Path is hacked, your data is now public – with the wrong kind of public.

Beware social media experts who downplay or disregard the risk

It behooves those who make their living off of social media expertise to downplay this entire issue. I also suspect many of them are so enamored by the technologies (like me) – and dependent on the incomes they provide – that my raising these issues is like being a messenger with bad news. No one wants to hear the party may be over – not when it’s so much fun!

They seem willing to trade their privacy for the functionality and connection, because a deep understanding and immersion in social is key to their business. Personally? I’m not willing.

IMO, this is a huge issue that all should be aware of and more should be concerned about. 

There is some good news

Awareness about privacy violations will drive change

A recent study by Pew seems to indicate that an awareness about privacy, and privacy controls, is on the rise. As more people are aware of the risks, they will clamor for change, driving both legislation and corporate change.

Some states are holding companies accountable

California just announced a privacy deal with the six largest mobile Web providers that will change how millions of consumers download apps to their smartphones and tablets. Through this deal, consumers should see prominent and easy-to-understand privacy disclosures before they download an app. This is great because it strengthens the existing California Online Privacy Act.

Government is finally getting involved

Thankfully, the Obama administration has accelerated legislation around consumer online privacy. Last week, on February 23rd, the White House announced the creation of a Consumer Privacy Bill of Rights – a huge step forward toward removing the status quo. Several privacy watchdog groups feel the bill doesn’t go far enough – the Electronic Freedom Foundation worries that it undermines privacy advances at the state level – and some groups like my *cough* creepy stalker *cough* friends at the Direct Marketing Association are actively opposing it – but I’m just glad we’ve started the conversation about giving the consumer some control back. This Privacy Bill of Rights push continues to unfold and we’ll likely see much more about it over the next few weeks.

So what can you do?

Avoiding social is not a good strategy

Simplists will say, “ya don’t want any private information to leak out? Don’t post it online!” It would be great if the world was such a simple place. But that’s not realistic – particularly when 90% of recruiters pre-screen based on LinkedIn, and 69% will vet a candidate based on their social footprint. Avoiding social will actually work against you in this situation.

And when Google is the front door for finding and vetting people (business partners, candidates, a new neighbor), having a controlled footprint is far more beneficial (think personal branding) than being invisible. In my opinion, controlled transparency is a good thing.

Switch from Facebook to a more privacy-focused network?

As much as I love my Facebook experience, I started looking into alternatives in January 2012 when the gaffes and breaches started seeming very intentional.

GOOGLE+: “What about Google+,” I often get asked. I have no comment (former client) but they too recently bought a facial recognition software firm. And they are in the business of finding information and selling ads.

Google was also caught circumventing cookie blocking technology within Apple’s Safari browser. Circumvention of privacy controls is unethical, in my opinion, and violates consumer trust in a huge way.

ANYBEAT: Anybeat sounds great on paper. Billed as an anonymous alternative to social networking, the idea of connecting while maintaining privacy seemed very interesting. But a look at the privacy policy shows you can turn off data, but that in doing so, you’ll “disable important features.” Almost as if to say, “sure, you can be private, but look at how much less fun you’ll have!” Enticement.

PATH: Mobile-based Path — with a key selling argument that “Path is private by default” — also seemed interesting. But its policy basically states “we own all your data in conjunction with our service” — and if it gets hacked, sorry, not our problem. Weak. And then there is the fact that they intentionally uploaded user address books from unknowing users. WHAT A JOKE. “Private by default,” hunh?

Path may have deleted the data it uploaded – but it shouldn’t have happened in the first place.

Stunningly, this month Twitter admitted to doing the exact same thing.

DIASPORA: New networks based on open-source code and distributed control have also thankfully appeared. The most interesting network to me is Diaspora — the only problem is that it doesn’t seem to have the funding behind it to survive long-term. I’m hoping they gain mass and a round of benevolent funding but in my opinion, they’re not quite ready for prime time.

MOVIM.EU: From my perspective, Movim.eu, Europe’s answer to a decentralized, more private social network, is similarly not quite ready for prime time. I’ll keep watching Diaspora and Movim, though – they’re “movim” in the right direction.

I’ll keep my eyes open but for now, there doesn’t seem to be any social network providing the real control of security and privacy that seems reasonable. Any suggestions?

What else can you do?

LEARN MORE. Read up on privacy, how you can protect yourself, at the Privacy Rights Clearinghouse.

BLOCK TRACKING ADS AND COOKIES: How much value do you get out of online advertising – seriously? I’m a marketer and I feel I get NONE. So why let them stalk you anyway?  Ghostery, a magnificent plug-in for several browsers, will let you see how websites are attempting to install tracking cookies – and will block them. Frictionless, an add-on for Google’s Chrome, will improve your privacy specifically on Facebook.

Also, not to be obvious-impaired, but make sure you are fully utilizing Facebook’s privacy settings.

DISCONNECT COMPLETELY: What if you want to delete your Facebook account completely? It’s an option. But do this very carefully to back yourself out of the servers so as not to leave undeletable data that lives on after you’re gone. “FoodAndArt” posted this six-step approach to leaving Facebook on CBSNews.com as a means to leave as small a trace as possible.

COMPLAIN UP A STORM! Write your congress representatives and senators. The conversation is heating up right now about this issue. Make sure you’re heard.

“What about you, Eric?”

I’m doing a few things differently.

PRUNING A LOT OF FACEBOOK DATA: I’ve started deleting photos and extemporaneous posts from Facebook, while not hiding things that are already widely available in the public record (like cities where I’ve lived). I’m also removing Likes, disconnecting tangential connections, and thinning the content into a smaller public online profile I am comfortable sharing.

REMOVING MY FOOTPRINT FROM NETWORKS THAT OFFER LITTLE VALUE: Path? Deleting it. Xing? Bebo? MySpace? FourSquare? Either deleting my profiles or stopping my activity. I’m a huge FourSquare fan so that’s saying a lot.

DELETING RECORDS FROM DATA BROKERS WHEREVER POSSIBLE: they won’t all let you delete your public listings, but you can write to many data brokers to have your records expunged. Doing that now. Want to do that for yourself? Here’s a great list of brokers and steps to expunge your record.

The bottom line

As immensely valuable as my friend connections are to me, and as ironic as it is that social media is my vocation, and as much as I am aware that there’s already a ton of information available about me online — I will not help anyone stalk me, sell me as a product, or defraud me or my family. So my days of open “friends-only” sharing on Facebook are grinding to a halt, and I’m reexamining my entire social footprint, with less experimentation and with a greater eye on identity theft opportunities.

I suggest you do the same.

* * *

Pre-emptive Caveat: I have no solid proof of any social site selling data or operating in an unlawful way — I only have public behavior, news articles and company and government statements to examine as I determine the best course of action for myself. This isn’t about crucifying some company or the social media scene in general. Read, research and draw your own conclusions about privacy, your boundaries, and your participation in any social network. Also, this post and all others here at EricWeaver.com/BrandDialogue.com are my own views and not those of my employer, my clients, my wife, my family or our dog. 

Key Links for Your Own Research

UPDATE 1 • MEN ARE MORE PUBLIC ON SOCIAL SITES • MAY 2012

In a study just released by Pew Internet Research Center , men seem to share more data online than women, who are more careful about what they post to social networks:

Forbes covers this study here.

UPDATE 2 • SOCIAL POSTERS ARE HELPING FUEL THE RISE OF IDENTITY THEFT • MAY 2012

Also, according to a report by Javelin Research, social media users who post their personal information online or with smartphone apps are helping fuel the rise of identity theft in the US, up 13% in 2011 from 2010.

UPDATE 3 • LOCK YOUR MAILBOXES • MAY 2012

Finally, our neighborhood watch group has noticed mailboxes all up and down our suburban residential street opened during the night. Identity theft is real, folks – and it’s not just hackers. As for us, we’re investing in a solid steel locking mailbox.

Never thought this would be the shiny future I imagined as a kid. :/

UPDATE 4 • NSA CRISIS • JULY 2013

Well, needless to say – the June 2013 outing of the fact that the NSA is collecting data, not only on us but on our allies, amidst questionable laws and secret courts, really makes me have to step back and question not only my support of President Obama but of our government.

It’s likely that several potential terrorist incidents have been avoided through the use of clandestine data collection and wiretapping. But at what cost?!? I don’t care whether or not our “government is broken” – it must be accountable to its own citizens. There can be no possibility for corruption or ownership of such data activities by a handful of people, and if there is, we need our leadership to remove it.

It’s one thing to scrape public Internet data. It’s another to store the movement of all citizens through license-plate camera tracking, or remote hard drive searches, or tapping lines at foreign embassies. When we piss off our allies, we end up standing alone against the world. How much goodwill has been squandered by this incident? Are we really that damned paranoid?

The NSA activities are a national embarrassment, a destabilizer, and a powerful potential weapon against our fellow citizens.

%d bloggers like this: