May 9, 2008

Securing Private Data from Network ‘Zombies’

As more of us integrate social networking into our daily lives online, the layered privacy choices we make through our in-network interactions are becoming increasingly complex.

In the process of creating accounts on social networking sites, many users embrace the “fix it and forget it” approach — either choosing to accept the default privacy settings or making deliberate choices to customize those settings to their own preferences. And while these initial choices might serve us well for some interactions online, the process of managing our privacy preferences on these networks often requires us to have a dynamic, evolving conversation with the applications we use.

Beyond the basic decisions we make about restricting access to our profiles through settings, we face a myriad of choices about what we share and whom we share it with each time we post new content, add an application, accept a new friend, or join a new group.

As noted in an Associated Press article, “Social Networking Applications Can Pose Security Risks,” the implications of these privacy choices are often not fully understood. Of particular interest in the article is the rising popularity of Facebook applications, programs that are designed by third parties to provide added services and games to users.

Every time users agree to start interacting with a new application, they agree to share their names, networks, and lists of friends with the Facebook Platform applications. In addition, those who read the “Platform Application Terms of Use” will see that they also give their consent to share “any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information.”

So, what happens to all of the excess data we routinely entrust to the kind folks who created the “Zombies” application or “What Kind of Dog Would You Be?” Do the Zombies really need to see the photos of my cat to know best how to attack me?

How this information — which can include things like your birthday, your dating interests, or your photos — ultimately gets used by these third parties is a bit of a mystery. Clearly, some applications, such as the popular online word game Scrabulous, use basic demographic information to serve up relevant ads while a user engages with the interface.

Yet, as enterprising young researcher Adrienne Felt has shown along with her colleagues at the University of Virginia, developers are often granted access to much more data than they actually need to ensure that the application functions properly.

As Dan Solove points out in a recent post to his Concurring Opinions blog, even the most conservative users who refuse to add any applications to their profiles still end up sharing many of those same details with third parties via their friends. (The default settings on Facebook permit the sharing of profile information with applications your friends choose to add.)

CNET writer Chris Soghoian emphasizes the challenge this presents to users: “To restate — if you set your profile to private, and one of your friends adds an application, most of your profile information that is visible to your friend is also available to the application developer — even if you yourself have not installed the application.”

Fortunately, the user can easily change these default settings with a few clicks. But those who are sensitive about the information they share may be surprised to find that their friends have inadvertently disclosed their personal details to third parties — especially if it turns out that they’re also Zombies.

This post also appears on the Thinkernet Forum.

For recent related research from the Pew Internet Project, see: “Digital Footprints: Online Identity Management and Search in the Age of Transparency”