Data security is a crucial issue when it comes to social networks - not only when the profile (on the right) of Steven Ballmer, CEO of Facebook investor Microsoft, is suddenly published. While Steve Ballmer is probably quite careful about what he puts in his Facebook profile, other users might not show the same care. In the following article I therefore want to discuss some data security issues of social networks, and of Facebook specifically.
Rumours of data leaks seem to have very little impact on the growth of social networks. Yet incoherent data security can, in some situations, be a reason for shutting down a company, especially in Germany when online data of underage students is collected.
Facebook has extensive privacy options. Users can determine which parts of their profile are accessible, distinguish between various networks, edit the privacy settings for their widgets, block users or limit the access of certain users to their profile:
Facebook wants you to share your information with exactly the people you want to see it. On this page, you’ll find all the controls you need to set who can see your profile and the stuff in it, who can find and contact you on Facebook, and more.
Internal access to user-data?
However, Facebook may not be as rigorous when it comes to shielding user data from its own employees. Nick Douglas writes about a case where a Facebook employee confronted a Facebook user with her viewing history:
“My friend got a call from her friend at Facebook, asking why she kept looking at his profile,” says a privacy-conscious source at a major tech company. Turns out Facebook employees can (and do) check out anyone’s profile. Not only that, but they also see which profiles a user has viewed — a major privacy violation.
Currently, it is not possible to see which users have visited your profile - unlike in other social networks like StudiVZ or Xing.
Someone in a company running a social network needs to have full access to all user data; there is no doubt about it. Furthermore, user data is never fully deleted - it is only marked as deleted when a user deletes his profile. However, a company the size of Facebook could easily restrict user data access to those employees who handle complaints and disruptive behavior. In Nick Douglas's words:
Well, Facebook’s privacy policy doesn’t explicitly reserve or waive employees’ right to check out your profile for any reason. Of course, the practice still reeks of skunkery — it’s one thing to check profiles in the course of business, but these people are looking up records for kicks. This is a company with $150 million in projected revenues this year and a gigantic ad deal with Microsoft, not a corner video store.
Display of user data without consent
Facebook has in the past issued legal statements when data of users was published without their consent. In the summer of 2006, the blogs Gawker and Wonkette released data of Facebook users and promptly received a cease-and-desist letter from Chris Kelly (Facebook profile), Chief Security Officer, and Rudy Gadré, Vice President and General Counsel. So far, the websites showing the user data of Facebook users are still available, among many other examples.
Facebook Data Security Handling
In testimony before the Oversight and Investigations Subcommittee (of the US House of Representatives Energy and Commerce Committee, information on the hearing) on June 28, 2006, Chris Kelly said:
We have a safety net of protection through both technological tools we deploy to detect misuse of the site and human capital dedicated to potential problems - our 20 person and growing customer service staff, headed by a seasoned veteran and backed up by myself and two other attorneys. Most of our customer service representatives are recent graduates of outstanding colleges, and dedicated Facebook users, so they know the system inside and out. On those rare occasions where someone has attempted to misuse our network, we engage rapidly with the relevant authorities. Because the system is built for accountability with its email validation requirement and segmentation of communities, misuse is both deterred and generally detected quickly. We quickly launch an internal investigation and step in where we receive reports of the misuse of Facebook in any way.
Protections for minors
The distribution of user data is not the only concern of Chris Kelly. In a recent blog entry he writes:
But right now, we want to make clear some of the things we are working on to prevent abuse from happening through Facebook. We are automatically moving complaints about nudity or pornography, and harassing or unwelcome contact to the top of our queue for Customer Support to address within 24 hours. We are limiting certain search functionality as it applies to minors. We are making sure that minors know explicitly when they are in contact with someone who is an adult.
Privacy permissions along user groups
This is a bold step, giving a fixed time for reaction to complaints. I agree with Josie Fraser that there are no other social networks which have made such commitments.
However, it is unclear whether this will be enough. She argues:
The problems with opening up the Facebook platform to external apps was that […] many just expanded the Facebook sink into a black hole - eg - more information that I can’t get out.
and insists that the various security settings may not be used by all users:
Having your boss included in your contact list as a good excuse to finally get to grips with Dante’s 10th circle of hell - aka the peculiar granularity of FB permissions. […] It’ll be interesting to see whether the introduction of friend categories makes permissions easier, harder, or no different to navigate.
Data Harvesters
Furthermore, companies such as Rapleaf are aggregating data from social networks, claiming that…
…Rapleaf’s goal is to make it more profitable to be ethical. Rapleaf is the only email-based reputation lookup on the web. We encourage you to lookup people’s Rapleaf reputation before transacting, hiring, or even interacting with them.
But as Stefanie Olsen and Harald Weiss write:
By entering an email address, it is possible to get information about name, age and other data of a person’s social network. On the website Upscoop, which also belongs to Rapleaf, people can find out in which other social networks a person is present […]. Through the collection of e-mail addresses, Rapleaf has saved more than 50 million profiles […]. These are useful for another subsidiary of Rapleaf, Trustfuse, which sells these data-sets (except for the email address) to marketing companies. […] All three companies do not violate their data security regulations because they do not transfer the email address.
Conclusion
Nevertheless, my impression is that the overall data security is strong. I am sure that there have been several attacks on the Facebook database, and so far it does not seem as if large amounts of user data have leaked. Unlike other social networks, Facebook seems to take data security very seriously. Given their growth, they need to work hard to ensure that this attitude is maintained inside the company at all levels. I think one of the big challenges will be how to deal with the data transfer between certain widgets and the Facebook main database. This, however, will be covered in a later article on this website.