SOCIAL MEDIA ANALYTICS - A Threat on Personal Space
Introduction
In September 2010, Twitter ran into trouble when users were apparently sending nasty messages to their followers simply by moving their mouse over a Tweet. Later, Twitter’s Security Chief Bob Lord wrote on his blog, ‘The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts’.
In May 2011, Symantec reported leakage of Facebook users’ personal information to third-party companies. Approximately 100k Facebook applications were carelessly leaking vast amounts of private information, including account login information and posting rights, to advertisers and analysts. Some of these “access tokens” may still be available in the log files of those third-party servers or may still be actively used by advertisers.
The latest privacy problems emerged from Google+ which is known for its privacy-friendly setup. Users can choose to share their content with some people barring some others without delving into the nitty-gritties of the interface. However, recently Google integrated Google+ with Gmail giving rise to unexpected problems. Now Google+ users could exchange emails with each other even if they had never exchanged email addresses. This doesn’t sound like a problem until we realize that A adding B on Google+ Circles doesn’t mean B adding A. Now, A has access to B’s email address, whether B likes it or not.
Every day, we are prompted by ads and acquaintances to install and use privacy protection measures in the form of software updates, patches and general settings. This poses a lot of questions on the nature of these threats. How do they originate? Who wants to invade our privacy? What information do they want? Why? And most importantly, does our response to them really protect us?
To answer these questions, let us understand a fundamental principle of Economics through a diagram.
While this may seem intuitive from the outset, it is the perfect model to understand the working of Social Media service providers. If you’ve never paid Facebook for the 1,000-odd friends you have, then you’re not the consumer Facebook is serving. But someone is paying Facebook and Facebook must be giving them some product. And you are involved in the game. If you’re not the producer, consumer or the payer, then you’re the product!
Stimulus
In our view, privacy threats can be classified into 3 broad areas, as shown. While attacks on personal privacy motivated by fraud and personally motivated attacks fall in the realm of law, commercially motivated privacy threats might not violate the law of the land. The first two require scheming measures and are difficult to carry out on a mass scale by the use of analytics alone. However, the use of social media analytics in online marketing is big business contributing $36.57 bn to the US GDP in 2012 while growing at a rate of 18%. This commercial activity is primarily based on the value of customer data to businesses, which in turn poses the danger of third-party companies intercepting personal data.
The value of the information comes from the understanding that the better a business knows its customers, the more effective its marketing can be. With the advancement of newer technologies, businesses are able to explore new instruments to exploit personal information in unprecedented ways, which may even leave lawmakers at a loss. Consider the spyware phenomenon, which allowed new technologies to place ads in front of viewers. At times, the law was uncertain on what call to take on these “grey” areas. It took 8 years for the authorities to frame rules for acceptable and legal behavior of such software. But this phenomenon can be expected to repeat as new technologies emerge, allowing consumers and producers to interact in newer ways. The Federal Trade Commission, Canada, is currently trying to draft principles intending to establish a self-regulating regime for companies partaking in behavioral advertising. After all, how does one measure the legality or ethics of tracking a person’s online activities, often without their knowledge, and then targeting them with online advertising?
This increase in interaction and data collection also gives rise to an additional threat: security breaches. Even if businesses promise to use users’ information only for the purposes of economic expansion, there is no guarantee that the information will remain secure and not fall into the hands of fraudsters. In fact, this feature of businesses makes them attractive targets for such breaches.
Tools
Social Media, with its vast presence (as shown in the image), offers prospects of individual liberation and public welfare. But it also offers privacy threats. These Web 2.0 applications house viruses, worms, Trojans, and spyware that will attack any user if given the opportunity. With the amount of personal data users post on these websites, they become invaluable repositories of information.
Consider Facebook. A typical user creates a profile with personal information like full name, email address, birthday, gender, hometown, political views, religious views, IM names, phone numbers, address, relationship status, schools attended, courses undertaken, current employer, previous employers, personal interests, and preferences. In addition to this, Facebook collects information on a user’s browser type, IP address, location, and operating system. Facebook also states that they may ‘collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service, in order to provide you with more useful information and a more personalized experience.’ However, many users fail to understand that social networking sites are not private spaces but public forums. Any user-generated information on Facebook may be copied and distributed without the users’ knowledge.
Such information, generated on a massive scale, gives analysts and cybercriminals alike the ability to deliver spam and malware to targeted users with unparalleled speed and efficiency. Facebook proclaims that it is an intermediary allowing advertisers to ‘reach the exact audience with relevant targeted ads.’ However, the more capable Facebook becomes of learning about users and translating that data into advertising revenues, the greater the burden on user privacy. Facebook’s CPO (Chief Privacy Officer), Chris Kelly, has often protested that internet users no longer wish to remain anonymous online.
Spyware, keyloggers, and scrapers are some of the tools that have applications in online threats. The commonality shared by these tools is that they exchange consumer information for applications. It must be mentioned, though, that such tools do find applications in secure internal environments, such as maintenance of trade secrets.
Behavioral Engineering is another method of inducing desired behavior in a target, one that relies on “smooth talking” or other manipulative behavior. This involves persuading the target and convincing them to go against their better judgment and divulge personal information.
Adware
Adware is software that spontaneously displays downloads and advertising material to users in unexpected and unwanted ways. Often, adware employs tracking functions to compile information to generate complete profiles on websites such as Yatedo and Skillpages. Adware also collects information about the websites that users visit and monitors usage to target advertising efficiently. Often, such information is procured in unwarranted ways.
Adware that engages in tracking behavior reports back to a central server and stores information in databases. The information is then analyzed and used to select the types of advertisements to be displayed to users. Adware can tie personally identifiable information to specific individuals, ensuring data is collected only once for each user.
Not all adware is a privacy breach. Often users sign up for adware in exchange for free software. It is when adware is installed without the consent of the user that it falls into the category of unwanted technology. The most notorious forms of adware annoy consumers by opening multiple browser windows and displaying pop-up advertisements.
In 2005, Symantec performed an experiment connecting a new computer without security software to the internet and browsing websites directed at children. Within an hour, 359 pieces of adware were found. During the same time, Trend Micro conducted a survey of 500 IT managers and found that 95% of the companies frequently find adware in their organization. The majority of the survey respondents ranked spyware among the top 3 IT priorities for 2005, although adware exists mostly in the realm of individual consumers rather than businesses. The most prolific adware distributors are as shown. McAfee’s SiteAdvisor.com survey found that 97% of internet users could not differentiate between safe and unsafe sites, and the vast majority were just 1 click away from downloading spyware, adware and other potentially unwanted software.
Conclusion
The world would seem alien today without the presence of social media. But we must also be aware that every piece of information we are generating and perceiving is going to affect us in the future. We want to be able to decide what we share, with whom we share, and till when we share. We would like to know how much information about our online behavior the companies are collecting and what they are using it for.
What the companies really want is simple – a detailed profile of our interests to target advertising at us. And since we use the services of these companies every day, they are in a well-equipped position to know more about us than most.
Despite that knowledge, balancing the making of useful products with keeping users safe seems like a chore every company struggles with. This might lead us into a future where users realize that social media is a necessary evil which just treats users like information clusters rather than people.
References
a. 21 September 2010. Nasty Twitter Worm Outbreak. KrebsonSecurity Official Blog.
http://krebsonsecurity.com/2010/09/nasty-twitter-worm-outbreak/
b. Doshi N, 10 May 2011. Facebook Applications Accidentally Leaking Access to Third Parties. Symantec Official Blog.
http://www.symantec.com/connect/blogs/facebook-applications-accidentally-leaking-access-third-parties
c. Internet Advertising Bureau. April 2013. IAB internet advertising revenue report: 2012 full year results. PricewaterhouseCoopers.
http://www.iab.net/media/file/IAB_Internet_Advertising_Revenue_Report_FY_2012_rev.pdf
d. Internet Advertising Bureau. October 2013. IAB internet advertising revenue report 2013 first six months' results.
http://www.iab.net/media/file/IAB_Internet_Advertising_Revenue_Report_HY_2013.pdf
e. Facebook’s Privacy Policy.
http://www.facebook.com/policy.php
f. Killick R, 7 February 2008. Facebook and the death of privacy. Spiked Ltd, London.
http://www.spiked-online.com/newsite/article/4482#.U8fQbPmSxhM
g. Facebook ads.
http://www.facebook.com/ads/?src=gca2
h. Malkin B, 11 September 2007. Facebook under fire over targeted advertising. The Telegraph, UK.
http://www.telegraph.co.uk/news/uknews/1562752/Facebook-under-fire-over-targeted-advertising.html
i. Cippic (Canadian Internet Policy and Public Interest Clinic), 2008. Online Privacy Threats: A Review and Analysis of Current Threats. Cippic, University of Ottawa, Faculty of Law, Ottawa, Ontario, Canada.
https://www.cippic.ca/sites/default/files/publications/CIPPIC-Online_Privacy_Threats-Final.pdf
j. Symantec, September 2006. Symantec Internet Security Threat Report: Trends for January 06 - June 06, Volume X. Symantec Corporation, Cupertino, CA, USA.
http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_symantec_internet_security_threat_report_x_09_2006.en-us.pdf
k. Trend Micro, February 2007. Threat Management: Challenges and Solutions, Web Threats. White Paper.
http://www.trendmicro.com/NR/rdonlyres/75541153-BFB6-4540-8E12-FD4051DCB28D/22391/WP03_Webthreats070223EU.pdf
l. McAfee, 2006. Adware and Spyware: Unraveling the Financial Web.
http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_adware.pdf