
Security in Social Networks


1|Privacy And Security In Social Networks

SEMINAR REPORT

On

“PRIVACY AND SECURITY IN SOCIAL NETWORKS”

Submitted in

Partial Fulfillment of the Requirements for BCA Ist Year

Session: 2019-20

Submitted To: Ms. Krupali (Asst. Professor)

Submitted by: CHISHA PARWANI (19BCAN016)

DEPARTMENT OF IT & CA

JECRC UNIVERSITY, JAIPUR



TABLE OF CONTENTS

CONTENTS

• INTRODUCTION
• DEFINITION OF SOCIAL NETWORKING
• ANONYMITY ON SOCIAL NETWORKS
• WHAT INFORMATION IS PUBLIC?
• WHO CAN ACCESS INFORMATION
• A HISTORY OF SOCIAL NETWORKING SITES
• FRAUDS ON SOCIAL NETWORKS
• SOCIAL ENGINEERING
• TIPS TO STAY SAFE PRIVATE AND SECURE
• REGISTERING AN ACCOUNT
• GENERAL TIPS FOR USING SOCIAL NETWORKS
• CONCLUSIONS

List of Figures
• Figure 1. Users Of Social Media
• Figure 2. Information Shared In Social Media
• Figure 3. Timeline of the launch dates of many major SNSs and dates when community
sites re-launched with SNS features
• Figure 4. Example of spam mail

INTRODUCTION
Social network sites (SNSs) such as MySpace, Facebook, Twitter, and Tagged have attracted
millions of users, many of whom have integrated these sites into their daily practices. As of this
writing, there are hundreds of SNSs, with various technological affordances, supporting a wide
range of interests and practices. While their key technological features are fairly consistent, the
cultures that emerge around SNSs are varied. Most sites support the maintenance of pre-existing
social networks, but others help strangers connect based on shared interests, political views, or
activities. Some sites cater to diverse audiences, while others attract people based on common
language or shared racial, sexual, religious, or nationality-based identities. Sites also vary in the
extent to which they incorporate new information and communication tools, such as mobile
connectivity, blogging, and photo/video-sharing.

Scholars from disparate fields have examined SNSs in order to understand the practices,
implications, culture, and meaning of the sites, as well as users' engagement with them. This
special theme section of the Journal of Computer-Mediated Communication brings together a
unique collection of articles that analyze a wide spectrum of social network sites using various
methodological techniques, theoretical traditions, and analytic approaches. By collecting these
articles in this issue, our goal is to showcase some of the interdisciplinary scholarship around these
sites.

The purpose of this introduction is to provide a conceptual, historical, and scholarly context for
the articles in this collection. We begin by defining what constitutes a social network site and then
present one perspective on the historical development of SNSs, drawing from personal interviews
and public accounts of sites and their changes over time. Following this, we review recent
scholarship on SNSs and attempt to contextualize and highlight key works. We conclude with a
description of the articles included in this special section and suggestions for future research.

Definition of social networking

We define social network sites as web-based services that allow individuals to (1) construct
a public or semi-public profile within a bounded system, (2) articulate a list of other users
with whom they share a connection, and (3) view and traverse their list of connections and
those made by others within the system. The nature and nomenclature of these connections
may vary from site to site.

While we use the term "social network site" to describe this phenomenon, the term "social
networking sites" also appears in public discourse, and the two terms are often used
interchangeably. We chose not to employ the term "networking" for two reasons: emphasis
and scope. "Networking" emphasizes relationship initiation, often between strangers.
While networking is possible on these sites, it is not the primary practice on many of them,
nor is it what differentiates them from other forms of computer-mediated communication
(CMC).

What makes social network sites unique is not that they allow individuals to meet strangers,
but rather that they enable users to articulate and make visible their social networks. This
can result in connections between individuals that would not otherwise be made, but that
is often not the goal, and these meetings are frequently between "latent ties"
(Haythornthwaite, 2005) who share some offline connection. On many of the large SNSs,
participants are not necessarily "networking" or looking to meet new people; instead, they
are primarily communicating with people who are already a part of their extended social
network. To emphasize this articulated social network as a critical organizing feature of
these sites, we label them "social network sites."

While SNSs have implemented a wide variety of technical features, their backbone consists
of visible profiles that display an articulated list of Friends who are also users of the
system. Profiles are unique pages where one can "type oneself into being" (Sundén, 2003,
p. 3). After joining an SNS, an individual is asked to fill out forms containing a series of
questions. The profile is generated using the answers to these questions, which typically
include descriptors such as age, location, interests, and an "about me" section. Most sites
also encourage users to upload a profile photo. Some sites allow users to enhance their
profiles by adding multimedia content or modifying their profile's look and feel. Others,
such as Facebook, allow users to add modules ("Applications") that enhance their profile.

The visibility of a profile varies by site and according to user discretion. By default, profiles
on Friendster and Tribe.net are crawled by search engines, making them visible to anyone,
regardless of whether or not the viewer has an account. Alternatively, LinkedIn controls
what a viewer may see based on whether she or he has a paid account. Sites like MySpace
allow users to choose whether they want their profile to be public or "Friends only."
Facebook takes a different approach—by default, users who are part of the same "network"
can view each other's profiles, unless a profile owner has decided to deny permission to
those in their network. Structural variations around visibility and access are one of the
primary ways that SNSs differentiate themselves from each other.

After joining a social network site, users are prompted to identify others in the system with
whom they have a relationship. The label for these relationships differs depending on the
site—popular terms include "Friends," "Contacts," and "Fans." Most SNSs require bi-
directional confirmation for Friendship, but some do not. These one-directional ties are
sometimes labeled as "Fans" or "Followers," but many sites call these Friends as well. The
term "Friends" can be misleading, because the connection does not necessarily mean
friendship in the everyday vernacular sense, and the reasons people connect are varied
(boyd, 2006a).

The public display of connections is a crucial component of SNSs. The Friends list contains
links to each Friend's profile, enabling viewers to traverse the network graph by clicking
through the Friends lists. On most sites, the list of Friends is visible to anyone who is
permitted to view the profile, although there are exceptions. For instance, some MySpace
users have hacked their profiles to hide the Friends display, and LinkedIn allows users to
opt out of displaying their network.

Types of Social Networks


There are many types of social networks available. Most social networks combine elements of
more than one of these types of networks, and the focus of a social network may change over time.
Many of the security and privacy recommendations are applicable to other types of networks.

• Personal networks. These networks allow users to create detailed online profiles and
connect with other users, with an emphasis on social relationships such as friendship. For
example, Facebook, Friendster and MySpace are platforms for communicating with
contacts. These networks often involve users sharing information with other approved
users, such as one’s gender, age, interests, educational background and employment, as
well as files and links to music, photos and videos. These platforms may also share selected
information with individuals and applications that are not authorized contacts.

• Status update networks. These types of social networks are designed to allow users to
post short status updates in order to communicate with other users quickly. For example,
Twitter focuses its services on providing instantaneous, short updates. These networks are
designed to broadcast information quickly and publicly, though there may be privacy
settings to restrict access to status updates.

• Location networks. With the advent of GPS-enabled cellular phones, location networks
are growing in popularity. These networks are designed to broadcast one’s real-time
location, either as public information or as an update viewable to authorized contacts. Many
of these networks are built to interact with other social networks, so that an update made
to a location network could (with proper authorization) post to one’s other social
networks. Some examples of location networks include Brightkite, Foursquare, Loopt and
Google Latitude.

• Content-sharing networks. These networks are designed as platforms for sharing content,
such as music, photographs and videos. When these websites introduce the ability to create
personal profiles, establish contacts and interact with other users through comments, they
become social networks as well as content hubs. Some popular content sharing networks
include thesixtyone, YouTube and Flickr.

• Shared-interest networks. Some social networks are built around a common interest or
geared to a specific group of people. These networks incorporate features from other types
of social networks but are slanted toward a subset of individuals, such as those with similar
hobbies, educational backgrounds, political affiliations, ethnic backgrounds, religious
views, sexual orientations or other defining interests. Examples of such networks include
deviantART, LinkedIn, Black Planet, and Goodreads.

Most SNSs also provide a mechanism for users to leave messages on their Friends' profiles.
This feature typically involves leaving "comments," although sites employ various labels
for this feature. In addition, SNSs often have a private messaging feature similar to
webmail. While both private messages and comments are popular on most of the major
SNSs, they are not universally available.

Not all social network sites began as such. QQ started as a Chinese instant messaging
service, LunarStorm as a community site, Cyworld as a Korean discussion forum tool, and
Skyrock (formerly Skyblog) was a French blogging service before adding SNS features.
Classmates.com, a directory of school affiliates launched in 1995, began supporting
articulated lists of Friends after SNSs became popular. AsianAvenue, MiGente, and
BlackPlanet were early popular ethnic community sites with limited Friends functionality
before re-launching in 2005-2006 with SNS features and structure.

Beyond profiles, Friends, comments, and private messaging, SNSs vary greatly in their
features and user base. Some have photo-sharing or video-sharing capabilities; others have
built-in blogging and instant messaging technology. There are mobile-specific SNSs (e.g.,
Dodgeball), but some web-based SNSs also support limited mobile interactions (e.g.,
Facebook, MySpace, and Cyworld). Many SNSs target people from specific geographical
regions or linguistic groups, although this does not always determine the site's
constituency. Orkut, for example, was launched in the United States with an English-only
interface, but Portuguese-speaking Brazilians quickly became the dominant user group
(Kopytoff, 2004). Some sites are designed with specific ethnic, religious, sexual
orientation, political, or other identity-driven categories in mind. There are even SNSs for
dogs (Dogster) and cats (Catster), although their owners must manage their profiles.

Usage Of Social Media

There are many positive and negative uses of social media in our daily life. The positive uses
can lead people to productive use of time, peace of mind and happiness, and healthy conversations
in which people enjoy sharing personal and professional activities with a wide variety of people,
groups, and communities.

The negative uses of social media start when we don’t have an alternative way of spending time.
When people are bored with work, when students are bored with study, or when they feel low or
even highly confident, they go on social media.

Sometimes it is to show confidence by sharing their latest achievements with friends. Sometimes
it is to evoke empathy by sharing something sentimental with the world. Everyone uses it
differently. And many of us use social media according to our priorities and knowledge to achieve
our ends.

Social media is a pastime for most people, especially the younger population. The content on
social media is so engaging that people even forget about the time and their sense of purpose and
goals. Today, social media networking websites and apps create captivating content to make people
excited and conversational, but this happens to such an extent that people find themselves
addicted to it.

In this essay on social media, we will cover the positive uses and methods that not only make
you productive but also prevent you from becoming addicted to social media.

This compilation of the most popular social networks worldwide by active users (October 2018)
prepared by Statista using data from the Global Web Index panel gives a clear picture of the
number of active users (in millions) with Facebook ruling supreme. This won't be a shock to
anyone! With over 2 billion active users it holds the majority market share. Google's YouTube is
second with Facebook-owned, WhatsApp and Messenger not far behind. Facebook's Instagram
platform has fewer than half of the visits of Facebook...

Figure 1. No. of Users (in millions)


Following from this, we have predominantly APAC favoured platforms, with QQ, WeChat and
Qzone all with over 600 million active users, highlighting the array of social platform offerings
in the APAC. We then see a cluster of predominantly western social media networks in Tumblr,
Instagram, and Twitter.

Figure 2. Information Shared In Social Media


3. PRIVACY CONCERNS WITH SOCIAL NETWORKS


3.1 How Much Are Users At Risk?
With millions of users logging into both Facebook and MySpace daily, trading information and
pictures, it is hard to imagine it being completely fault-free. Any time a system becomes larger
and more complex, it becomes harder and harder to find mistakes and holes in the system that
others can exploit. How much are users truly at risk, though?

There have been attacks on Facebook and MySpace, but none of them have been entirely
damaging to users since neither service requires any kind of credit card or financial data
from users to allow them to use the network. A user, however, does increase their risk of
being hurt in some other way every time they log on and post something about themselves. The
more a user shares on the network with others, the more opportunities there are to exploit this
openness. Clearly, the person who uses MySpace passively for exchanging messages with friends
and the occasional photo has put themselves at much less personal risk than, for example,
someone who logs in multiple times a day and constantly uploads media.
3.2 Who Can See What?
In the beginning, social networks had far fewer controls over what users put out on the web.
Since their inception, however, there have been numerous calls for more privacy controls to be
implemented and many of those calls have been answered.
The problem remains, however. Why? The answer is simple: naivety. Most users are not aware of
the controls available to them, much less how much of what they post is made public across the
Internet. Simply tagging a friend in a photo makes that photo (without the proper privacy
controls enabled) available to friends of the person tagged, and when people start commenting,
the photo becomes all the more reachable and open. So again, we have a problem of people
not understanding exactly how these websites work and not taking the necessary steps to protect
themselves on the Internet.
3.3 How Can User Data Be Used?
It is clear to anyone that social networks are potential gold mines for market research data. Users
post what things they like and do not like and the reasons why readily all over various pages of the
networks. There are also numerous fan clubs available for users to join and further differentiate
themselves from their fellow users.
To give an example of legal market research using user data on a social network, Apple Computers
manages and sponsors its own fan club page on Facebook. This provides Apple Computers with
an easily searchable location where customers or potential customers can talk about what they
would like the company to do. This gives Apple a unique way of predicting market trends.
Social networks are also places that allow brands to maintain their images or change their images
in the public eye. For instance, Company A wishes to advertise to a specific demographic that
listens to Band A. Band A also has a MySpace page that receives 100,000 unique visitors per day
on average. Company A can purchase ad space on Band A’s page and then see if their sales
improve after being associated with Band A. Auto manufacturers and other companies do this all
the time in automotive racing through sponsorship of teams and events.

Facebook, however, has a notorious but little known reputation for abusing the data
exchanged over its networks between users. Facebook offers applications to its users and the
API (Application Programming Interface) is open to any developer wishing to participate. The
problem with the Facebook API, however, lies within the data made available to third-party
developers. The API provides developers with information including your personal name and email
all the way up to your private photos and interests that would otherwise remain private. This
very flaw within the API, however, is built into Facebook’s framework and to change it would
mean that Facebook would cause many applications, many of which are becoming large
income-generating pieces of software, to no longer function. Instead of repairing the flaw in
the system, Facebook chose simply to reword their user agreement but made no technical changes.
What this means is that it would be a rather simple matter of collecting all the data made
available to a programmer via an application and selling it off to the highest bidder.
4. SOCIAL NETWORKS AND PRIVACY LAWS
Cases involving social networks and personal privacy are appearing more often in courtrooms
around the world. Whether it is users posting scathing blog posts that could be potentially
construed as libel or governments monitoring citizen use of social networks, it is constantly a
question of how far a user’s personal sphere of privacy extends on the Internet.
4.1 Government Snooping


It is interesting to note two cases where governments are monitoring citizen use of social networks
and the Internet. One is in the United States in a typically conservative and traditional region of
the country in the state of Georgia. The state government has enacted a law requiring registered
sex offenders to hand over passwords to personal web pages in addition to a federal law from 2006
that requires law enforcement officers to track the web addresses of registered sex offenders.
Certainly, this could be seen as a very noble attempt to protect children and other citizens from
sexual predators, but where does one draw the line? Sex offences in the United States have very
wide-reaching definitions and include such minor charges as statutory rape. Should someone
convicted of a one-time offense for consensual sexual conduct with someone underage be
subjected to a life of constant privacy invasion by the local government? What about extending
the law to other people convicted of crimes? Where does one draw the line between what is an
acceptable and what is an unacceptable invasion of privacy?

The United Kingdom has also admitted to monitoring user activity on social networks.
Government officials claim that they monitor the private message traffic between
individuals. They say that they are not interested in the content of the messages, but rather
who the sender and receiver of messages are. The British government has also said that they
will monitor the web browsing of citizens, record this data, and store it all in a central
database. This would potentially allow a government agency to put together a very detailed
picture of every citizen and/or household with an Internet connection. National security
and protection against terrorism are definitely important issues, but the question comes
again, where does one draw the line?

4.2 Private or Public?


Blog and forum posts have also gotten many a person in trouble ever since social networks became
popular with your average citizen. People have lost their jobs because of indiscretion on their
Facebook or MySpace page and others have suffered public humiliation via retaliation over
remarks they made.
For instance, a court case in California established that privacy laws do not protect a rude blog
post that a user made about what she thought of her hometown on her public MySpace page. The
user in question had not put any kind of privacy restrictions to prevent others from viewing the
blog page, therefore making it open to anyone that wanted to see it. This made the blog post
officially something said in the public sphere and thus legally subject to the criticism in newspapers
that it received.
There is another example of potential privacy invasion that is currently in the American court
system. It involves two workers who were fired from a restaurant because of comments
they made about customers and a manager in a private discussion group on MySpace. The group
was password-protected, but that did not help them when another member of the discussion group
gave the password to the group to managers of the restaurant. The managers then read the various
commentaries about the restaurant from workers and decided to fire two of them. Now the fired
workers are suing the company over invasion of privacy because the managers were not invited to
join the group and should not have been reading what was posted in the forum.
4.3 Industry Regulation

The European Union is also heavily involved with social networks and has advocated
heavily for protection of personal privacy on the Internet. While the EU does admit that,
for businesses, the personal data that can be gleaned via social networks is very useful for
market research, it believes that much of the data mining that is done crosses the boundaries
of personal privacy. Thus, the EU has put together a task force with a charter “to improve
the safety of children using social networks and to agree on a set of guidelines for use of
social networks by youngsters”.

This task force has already put together guidelines along with industry representatives that will
allow the industries to help govern themselves. This is expected to help in a world where the rules
are constantly changing and evolving faster than typical government agencies can keep up with
and provide easy to follow rules and regulations.

5. SOLUTIONS

There is, however, no single, silver-bullet solution to the problems with maintaining personal
privacy with a social network. Privacy solutions must be approached from multiple angles.
5.1 Social Solutions
Perhaps the largest cause of issues with personal privacy comes from the way that society has
viewed the Internet. Many view it as the gateway to free knowledge and connecting the world. The
issue most ignored, however, is that there is a dark side to the Internet. There are people and entities
that use the Internet for less than moral purposes. Therefore, people that use social networks must
acknowledge the risks that they expose themselves to and how they can reduce their personal risk.
The best way to solve the social problem is through education. Eight years ago, children were
taught never to reveal anything personal about themselves outside of perhaps their first name and
age and the state or country they live in. Nowadays, children that are ten years old have social
network profiles and reveal all kinds of details about themselves and have no idea what they are
doing or how to protect themselves. Parents are also always slow to catch up to the ever-changing
technological landscape. Parents need to understand what their children are doing, not only know
what they are doing. If a child is using MySpace, then the parent needs to make sure that they
know everything there is to know about MySpace so that they can protect and educate their child.
5.2 Legal Solutions
Governments also need to acknowledge that social networks pose significant risks to society and
also, potentially, national security. Legislators need to draw specific guidelines that define what is
public on the Internet and what is not. Without clear and concise laws, people will continue to be
at risk and law enforcement officials will never have a clear answer of what they can and cannot
do to protect citizens from danger.

As mentioned before, the European Union has taken significant steps towards protecting
children and young adults from Internet predators. Industry representatives have been
consulted by and worked with the EU in creating laws and guidelines to define privacy in
a digital world.

5.3 Technical Solutions


Social network companies also need to step up and be responsible and control how members are
using their networks.

MySpace has perhaps become the safer of the two largest social networks. MySpace has
implemented security software that scans member pages and looks for abuse in profiles
and for evidence of potential underage users. In the past, they have also increased the staff
reviewing reports of abuse. The company also works with child safety groups in producing
public safety ads to help warn and educate users about the potential consequences of being
too open on a social network.

Anonymity on Social Networks


Many users of social networks choose to mask their real identities. This may be done via
anonymity (providing no name at all) or pseudonymity (providing a false name).
Some people who may prefer an anonymous or pseudonymous persona include, but are not limited
to:

• Individuals with medical conditions who want to discuss symptoms and treatment without
creating a public record of their condition
• Bloggers and activists engaging in political discourse, especially on controversial issues
• Teachers and childcare workers
• Medical professionals, including mental health professionals
• Law enforcement agents, prosecutors, parole and probation officers, judges, and other
court employees
• Victims of stalking, sexual assault, and domestic violence
• Children and youth
• Jobseekers

In fact, anonymity is a useful tool for anyone who prefers to keep a strict separation between an
online persona and an off-line identity. It can also be abused by individuals trying to shield their
identities while engaging in illegal activities.
Typically, users who prefer to engage in social networks without divulging their true identity will
create profiles using a false name as well as a false email address. If you are considering a
pseudonymous profile, refer to the terms of service for the social networking site. Providing false
or incomplete information violates the terms of service of some social networking sites. Users
should consider using software that masks IP addresses, such as Tor. Users should also
remember to delete all cookies after visiting a social networking site.


Bear in mind that it is difficult to truly separate online and off-line identities. It is possible to
divulge identifying information through status updates, group memberships, photographs, friend
networks and other indicators. In fact, numerous studies have shown that anonymized data can
often still be linked to specific individuals.

What Information is Public?


There are two kinds of information that can be gathered about a user from a social network:
information that is shared and information gathered through electronic tracking.

Information a User Shares


Information a user shares may include:
 Photos and other media.
 Age and gender.
 Biographical information (education, employment history, hometown, etc.).
 Status updates (also known as posts).
 Contacts.
 Interests.
 Geographical location.

This information becomes public in a variety of ways:

 A user may choose to post information as “public” (without restricting access via available
privacy settings).
 Certain information may be publicly visible by default. In some situations, a user may be
able to change the privacy settings to make the information “private” -- so that only
approved users can view it. Other information must remain public; the user does not have
an option to restrict access to it.
 A social network can change its privacy policy at any time without a user’s permission.
Content that was posted with restrictive privacy settings may become visible when a
privacy policy is altered.
 Approved contacts may copy and repost information – including photos – without a user’s
permission, potentially bypassing privacy settings.
 Third-party applications that have been granted access may be able to view information
that a user or a user’s contacts post privately.

Social networks themselves do not necessarily guarantee the security of the information that has
been uploaded to a profile, even when those posts are set to be private. This was demonstrated in
one May 2010 incident during which unauthorized users were able to see the private chat logs of
their contacts on Facebook. While this and other similar bugs are usually quickly fixed, there is
great potential for taking advantage of leaked information.

Information Gathered Through Electronic Tracking


Information may also be gathered from a user’s actions online using “cookies” (short strings of
text stored on one’s hard drive). Some of the purposes of cookies may include:

 Tracking which websites a user has viewed.
 Storing information associated with specific websites (such as items in a shopping cart).
 Tracking movement from one website to another.
 Building a profile around a user.

In fact, a 2009 study conducted by AT&T Labs and Worcester Polytechnic Institute found that the
unique identifying code assigned to users by social networks can be matched with behavior tracked
by cookies. This means that advertisers and others are able to use information gleaned from social
networks to build a profile of a user’s life, including linking browsing habits to one’s true identity.
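
The linking described above can be checked against a browser's own request log. The following is an added example, not part of the original report: it assumes the profile ID reaches third parties in the Referer header, and the host names, the `id` parameter and the sample requests are all constructed. It also shows that an origin-only referrer policy removes the link.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SOCIAL_HOST = "social.example"   # assumed social network host
PROFILE_PARAM = "id"             # assumed query parameter carrying the user's ID

# Constructed sample: (third-party host, Cookie header, Referer header)
REQUESTS = [
    ("ads.tracker.example", "uid=c81e72", "https://social.example/profile.php?id=10482"),
    ("ads.tracker.example", "uid=c81e72", "https://news.example/politics/article-17"),
    ("ads.tracker.example", "uid=c81e72", "https://clinic.example/symptoms/insomnia"),
    ("cdn.static.example", "", "https://social.example/profile.php?id=10482"),
    ("metrics.other.example", "vid=9f3a", "https://shop.example/cart"),
]


def profile_id(referer):
    """Return the social network user ID carried in a Referer URL, or None."""
    parts = urlsplit(referer)
    if parts.hostname != SOCIAL_HOST:
        return None
    values = parse_qs(parts.query).get(PROFILE_PARAM)
    return values[0] if values else None


def linkable_profiles(requests):
    """Group requests by (tracker host, cookie) and keep every group in which
    the tracker also received a profile ID. The 'pages' of such a group are
    browsing history that can now be tied to that profile."""
    groups = defaultdict(lambda: {"ids": set(), "pages": []})
    for host, cookie, referer in requests:
        if not cookie:
            continue  # without a cookie, separate visits cannot be joined
        group = groups[(host, cookie)]
        pid = profile_id(referer)
        if pid:
            group["ids"].add(pid)
        else:
            group["pages"].append(referer)
    return {key: g for key, g in groups.items() if g["ids"]}


def origin_only(requests):
    """Simulate `Referrer-Policy: origin`: third parties get scheme and host only."""
    trimmed = []
    for host, cookie, referer in requests:
        parts = urlsplit(referer)
        trimmed.append((host, cookie, f"{parts.scheme}://{parts.netloc}/"))
    return trimmed


if __name__ == "__main__":
    for (host, cookie), g in linkable_profiles(REQUESTS).items():
        print(f"{host} ({cookie}) can tie profile {sorted(g['ids'])} to:")
        for page in g["pages"]:
            print("   ", page)
    print("with origin-only referrers:", linkable_profiles(origin_only(REQUESTS)))
```
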

Who Can Access Information?


When posting information to a social network, a user probably expects authorized contacts to be
able to view it. But who else can see it, and what exactly is visible?

Entities that collect personal information for legal purposes include:

 Advertisers interested in personal information so they can better target their ads to those
most likely to be interested in the product
 Third-party software developers who incorporate information to personalize applications,
such as online games that interact with the social network

Entities that collect personal information for illegal purposes include:

 Identity thieves who obtain personal information either based on information a user posts
or that others post about the user.
 Other online criminals, such as people planning to scam or harass individuals, or infect
computers with malware (malicious software placed on a computer without the knowledge
of the owner).

A History of Social Network Sites

According to the definition above, the first recognizable social network site launched in 1997.
SixDegrees.com allowed users to create profiles, list their Friends and, beginning in 1998, surf the
Friends lists. Each of these features existed in some form before Six Degrees, of course. Profiles
existed on most major dating sites and many community sites. AIM and ICQ buddy lists supported
lists of Friends, although those Friends were not visible to others. Classmates.com allowed people
to affiliate with their high school or college and surf the network for others who were also
affiliated, but users could not create profiles or list Friends until years later. Six Degrees was the
first to combine these features.

Six Degrees promoted itself as a tool to help people connect with and send messages to others.
While Six Degrees attracted millions of users, it failed to become a sustainable business and, in
2000, the service closed. Looking back, its founder believes that Six Degrees was simply ahead of
its time (A. Weinreich, personal communication, July 11, 2007). While people were already
flocking to the Internet, most did not have extended networks of friends who were online. Early
adopters complained that there was little to do after accepting Friend requests, and most users were
not interested in meeting strangers.

From 1997 to 2001, a number of community tools began supporting various combinations of
profiles and publicly articulated Friends. AsianAvenue, BlackPlanet, and MiGente allowed users
to create personal, professional, and dating profiles—users could identify Friends on their personal
profiles without seeking approval for those connections (O. Wasow, personal communication,
August 16, 2007). Likewise, shortly after its launch in 1999, LiveJournal listed one-directional
connections on user pages. LiveJournal's creator suspects that he fashioned these Friends after
instant messaging buddy lists (B. Fitzpatrick, personal communication, June 15, 2007)—on
LiveJournal, people mark others as Friends to follow their journals and manage privacy settings.
The Korean virtual worlds site Cyworld was started in 1999 and added SNS features in 2001,
independent of these other sites (see Kim & Yun, this issue). Likewise, when the Swedish web
community LunarStorm refashioned itself as an SNS in 2000, it contained Friends lists, guest
books, and diary pages (D. Skog, personal communication, September 24, 2007).

The next wave of SNSs began when Ryze.com was launched in 2001 to help people leverage their
business networks. Ryze's founder reports that he first introduced the site to his friends—primarily
members of the San Francisco business and technology community, including the entrepreneurs
and investors behind many future SNSs (A. Scott, personal communication, June 14, 2007). In
particular, the people behind Ryze, Tribe.net, LinkedIn, and Friendster were tightly entwined
personally and professionally. They believed that they could support each other without competing
(Festa, 2003). In the end, Ryze never acquired mass popularity, Tribe.net grew to attract a
passionate niche user base, LinkedIn became a powerful business service, and Friendster became
the most significant, if only as "one of the biggest disappointments in Internet history" (Chafkin,
2007, p. 1).

Figure 3. Timeline of the launch dates of many major SNSs and dates when community sites re-
launched with SNS features

Like any brief history of a major phenomenon, ours is necessarily incomplete. In the following
section we discuss Friendster, MySpace, and Facebook, three key SNSs that shaped the business,
cultural, and research landscape.

Fraud on Social Networks

Criminals may use social networks to connect with potential victims. This section discusses some
of the typical scams and devices used to defraud consumers on social networks. Fraud may involve
more than one of the techniques described below. Some types of fraud may not be described
here. To learn more about how to protect yourself, see Tips to Stay Safe, Private and Secure.

Identity Theft
Identity thieves use an individual’s personal information to pretend to be them – often for financial
gain. The information users post about themselves on social networks may make it possible for an
identity thief to gather enough information to steal an identity. In 2009, researchers at Carnegie
Mellon University published a study showing that it is possible to predict most and sometimes all
of an individual’s 9-digit Social Security number using information gleaned from social networks
and online databases. (See Predicting Social Security Numbers from Public Data by Acquisti and
Gross)

Information often targeted by identity thieves includes:

 Passwords
 Bank account information
 Credit card numbers
 Information stored on a user’s computer such as contacts
 Access to the user’s computer without his or her consent (for example, through malware)
 Social Security numbers. Remember that the key to identity theft is the Social Security
number. Never provide a Social Security number through a social networking service.

Some fraud techniques to watch out for include:


 Illegitimate third-party applications. These rogue applications may appear similar to other
third-party applications but are designed specifically to gather information. This
information may be sold to marketers but could also be useful in committing identity
theft. These applications may appear as games, quizzes or questionnaires in the format of
“What Kind of Famous Person Are You?” (See ABC's Online Games Can Lead to Identity
Theft)

 False connection requests. Scammers may create fake accounts on social networks and then
solicit others to connect with them. These fake accounts may use the names of real people,
including acquaintances, or may be entirely imaginary. Once the connection request is
accepted, a scammer may be able to see restricted and private information on a user’s
profile. (See ReadWriteWeb's Fake Social Networking Profiles: a New Form of Identity
Theft in 2009)

 Hijacking Accounts (see Hijacked accounts)

For advice on avoiding identity theft on social networks, see Tips to Stay Safe, Private and
Secure. Learn more about protecting yourself from identity theft in general by reading PRC Fact
Sheet 17: Coping with Identity Theft: Reducing the Risk of Fraud. If you believe you may be the
victim of identity theft, read PRC Fact Sheet 17a: Identity Theft: What to Do if It Happens to You.

Malware
Malware (malicious software) is a term that describes a wide range of programs that install on a
user’s computer often through the use of trickery. Malware can spread quickly on a social network,
infecting the computer of a user and then spreading to his or her contacts. This is because the
malware may appear to come from a trusted contact, and thus users are more likely to click on
links and/or download malicious programs. (See Hijacked Accounts)

Some common techniques used in spreading malware include:


 Shortened URLs, particularly on status update networks or newsfeeds. These may lead the
user to download a virus or visit a website that will attempt to load malware on a user’s
computer.
 Messages that appear to be from trusted contacts that encourage a user to click on a link,
view a video or download a file.
 An email appearing to be from the social network itself, asking for information or
requesting a user click on a link.
 Third-party applications that infect computers with malicious software and spread it to
contacts. (See Third-Party Applications)
 Fake security alerts – applications that pose as virus protection software and inform the
user that his or her security software is out-of-date or a threat has been detected.

Social Engineering
There are a variety of social engineering scamming techniques which trick users into entering
sensitive information. This section describes a few of the well-known techniques.

 Phishing attacks are when emails, instant messages or other messages claiming to be from
a trusted source ask for information. For example, an email may appear to be from a bank
and could direct a user to enter a password at a fake login page, or tell a user to call a phone
number or risk having their account closed. For tips on how to spot and avoid phishing
attacks, see FTC Alert How Not to Get Hooked by a 'Phishing' Scam and OnGuardOnline's
Phishing page. Some Internet browsers, such as recent versions of Mozilla Firefox and
Internet Explorer, have taken steps to help identify fake websites. (See GetSafe Online's
Avoid Criminal Websites for these and other tips.)

 Spear phishing is a type of phishing attack that appears to be from a colleague, employer
or friend and includes a link or something to download. (This is often the result of account
hijacking.) These links or downloads can be malicious, such as viruses or fake websites
that solicit personal information.

 Misleading solicitations. A social network might use social engineering to make people
feel obligated to join. This often occurs when one person joins and (often inadvertently)
provides the social network with access to his or her contact list. The social network then
sends out emails to all of his or her contacts, often implying they are from the individual
who joined. For example, it has been reported that Tagged.com solicits contacts of users
with emails claiming the recipient has been “tagged.” These emails state: “Is <user name>
your friend? Please respond or <user name> may think you said no :( ” or “<user name>
sent you photos on Tagged.” The recipient may believe this is a personal invitation from
the user and feel obligated to join the network, giving out his or her information and
perhaps perpetuating the solicitations. See Time's Tagged: The World's Most Annoying
Website for more information.

 Hijacked accounts. A legitimate account may be taken over by an identity thief or malware
for the purpose of fraud such as posting spam, sending out malware, stealing the private
data of contacts or even soliciting contacts to send money. One typical scenario is when a
hijacked account sends out messages stating that the account owner is overseas and in
desperate straits. Contacts are urged to immediately wire money. A user may not realize
his or her account has been hijacked for quite some time. An attack could also be in the
form of a chat conversation.

Tips to Stay Safe, Private and Secure

There are many ways that information on social networks can be used for purposes other than what
the user intended. Below are some practical tips to help users minimize the privacy risks when
using social networks. Be aware that these tips are not 100% effective. Any time you choose to
engage with social networking sites, you are taking certain risks. Common sense, caution and
skepticism are some of the strongest tools you have to protect yourself.

Registering an Account

1. Use a strong password different from the passwords you use to access other sites. See
PRC’s 10 Rules for Creating a Hacker-Resistant Password.

2. If you are asked to provide security questions, use information that others would not know
about you.

3. Never provide a work-associated email to a social network, especially when signing
up. Consider creating a new email address strictly to connect with your social networking
profile(s).

4. Consider not using your real name, especially your last name. Be aware that this may
violate the terms of service of some social networks. See Anonymity on Social Networks.

5. Review the privacy policy and terms of service before signing up for an account. See
Reading a Privacy Policy.

6. Be sure to keep strong antivirus and spyware protection on your computer. See How to
Secure Windows and Your Privacy -- with Free Software.

 Provide only information that is necessary or that you feel comfortable providing. When
in doubt, err on the side of providing less information. Remember, you can always provide
more information to a social network, but you can’t always remove information once it’s
been posted.
 During the registration process, social networks often solicit a new user to provide an email
account password so the social network can access the user’s email address book. The
social network promises to connect the new user with others they may already know on the
network. To be safe, don’t provide this information at all. There are some social networks
that capture all of a user’s email contacts and then solicit them – often repeatedly – to
join. These messages may even appear to be from the original user. If you consider
providing an email address and account password to a social network, read all agreements
very carefully before clicking on them.

General Tips for Using Social Networks

1. Become familiar with the privacy settings available on any social network you use.
2. Don’t share your birthday, age, or place of birth. This information could be useful to
identity thieves and to data mining companies. A research study by Carnegie Mellon
University found that Social Security numbers can be predicted based on publicly-available
information, including your birthday, age and place of birth. The Social Security
Administration will begin assigning randomized number series as of June 25, 2011.
Unfortunately, the more predictable Social Security numbers will remain in effect for
individuals born before June 25, 2011. If you do consider posting your birthday, age or
place of birth, restrict who has access to this information using the site’s privacy settings.
Also, some social networking sites allow you to show your birth month and day, but hide
the year.

3. Stay aware of changes to a social network’s terms of service and privacy policy. You may
be able to keep track of this by connecting to an official site profile, for example
Facebook’s Site Governance. Consider subscribing to an RSS feed for Tosback, a project
of the Electronic Frontier Foundation to track changes in website policies (covers some but
not all social networks).

4. Be careful when you click on shortened links. Consider using a URL expander (as an
application added to your browser or a website you visit) to examine short URLs before
clicking on them. Examples of URL expanders include LongURL, Clybs URL Expander
and Long URL Please. (Privacy Rights Clearinghouse does not endorse one URL expander
over another.)

5. Be very cautious of pop-up windows, especially any that state your security software is out
of date or that security threats and/or viruses have been detected on your computer. Use
your task manager to navigate away from these without clicking on them, then run your
spyware and virus protection software.

6. Delete cookies, including flash cookies, every time you leave a social networking site. See
PRC Fact Sheet 18: Privacy and the Internet.

7. Don’t publicize vacation plans, especially the dates you’ll be traveling. Burglars can use
this information to rob your house while you are out of town.

Facebook, Twitter and LinkedIn spam hoaxes


Whether you use Facebook, Twitter, LinkedIn or any online site for social networking, online
banking or day-to-day purchases, be aware of emails that claim to be from these sites but are
actually hoaxes and may contain malicious content. I have received numerous emails that allege
to be from my bank, yet are actually sent by a spammer in the hopes of obtaining my online
username and password. Similarly, emails claiming to
be Twitter and Facebook invitations are now commonplace. (See Figure 4.) The messages may
even contain an attached ZIP file that recipients are asked to open to see who invited them. The
attachment actually contains a mass-mailing worm, which can cause damage to both your
computer and your reputation.

Figure 4. Example of spam mail


How is it possible to identify the legitimate messages from the hoaxes?

 Use an up-to-date email client, such as Microsoft Outlook 2007, Outlook Express or
Mozilla Thunderbird, that has spam filtering enabled and checks for “phishing”
messages (phishing messages are falsified emails that use these tactics to obtain your
username, password or other personal information).

 Never open an attachment unless it’s from someone you know, and you are expecting to
receive it. If you have any doubt, then contact the individual and ask if he/she actually did
send it.
 Use up-to-date antivirus/anti-malware software on your computer to block any harmful
files that you may have accidentally opened.
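
The checks a mail filter applies to a hoax invitation like the one described above can be sketched in a few lines. This is an added example, not part of the original report: the brand-to-domain table, all addresses and the sample message are constructed placeholders. It flags a sender whose display name claims a brand its domain does not match, a link whose visible text names a different host than it opens, and an archive attachment.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains each brand really sends from (placeholders, not real data).
BRAND_DOMAINS = {"facebook": {"facebook.example"}, "twitter": {"twitter.example"}}
RISKY_EXT = (".zip", ".exe", ".scr", ".js")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return a list of warning strings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(f"sender claims {brand} but uses {domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = re.search(r"[\w-]+(\.[\w-]+)+", text)  # host named in the text
                target = (urlsplit(href).hostname or "").lower()
                if shown and shown.group(0).lower() != target:
                    findings.append(f"link shows {shown.group(0)} but opens {target}")
    return findings


def sample_message():
    """Constructed hoax invitation, modelled on the description above."""
    msg = EmailMessage()
    msg["From"] = "Facebook <invite@mailer.invalid>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "You have an invitation"
    msg.set_content("See who invited you in the attached file.")
    msg.add_alternative(
        '<p>Open <a href="http://login.attacker.invalid/">www.facebook.example</a></p>',
        subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="Invitation_Card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(sample_message()):
        print("WARNING:", finding)
```
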

Conclusion

Social networking sites can be valuable sales and marketing tools, as well as fun diversions.
Inherent in these applications are security risks that can put the individual or a company in a
compromising position or at serious risk. Aside from not using these sites at all, end-user
education, alongside documented policies and procedures, is the most fundamental protection that
exists. A well-informed user will not only help to maintain security, but will also educate others
on these issues and establish best practices which can be standardized and updated as applications
mature or as new applications come along.

References
 Social Network Sites: Definition, History, and Scholarship
http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html

 Social Networking Privacy: How to be Safe, Secure and Social
http://www.privacyrights.org/social-networking-privacy

 The Security Risks of Social Networks
http://www.focus.com/fyi/security-risks-social-networks/

 Social networking and security risks, by Brad Dinerman
http://www.gfi.com/whitepapers/Social_Networking_and_Security_Risks.pdf
