Saturday, August 20, 2011

Who Owns Your Identity?

The following is the final paper written for my Internet Law class back in 2010. Still relevant?

Social networking sites are becoming more and more a part of our lives. We use sites such as Facebook and MySpace to keep in touch with friends and family all over the world. We update our statuses with what is going on in our lives, post our latest vacation pictures, and comment on the statuses and pictures of our friends. When there are no more updates to read or comment on, we can play games such as Mafia Wars and Farmville with our friends and family, or against complete strangers all over the world, in real time. Sites such as LinkedIn provide much the same features, but with a more professional theme. Rather than friends and family, LinkedIn links us with our coworkers and other professionals in our industry. There are other sites such as Gawker and LiveJournal, known commonly as blogs, where we submit longer and more informative posts on just about any topic imaginable. And then there are sites such as Classmates.com which let us look up friends from school that we haven't heard from in years.

Users of these websites should, at the very least, be asking a lot of questions if the answers are not known. After I click submit, who really owns the words I posted, and who gets to see them? Are my posts and pictures really visible only to those I have allowed to see them? Will my wishes on these matters be honored for the duration of the site's existence? What happens to the data if the site no longer exists? Will I ever be able to fully delete these posts, or my entire profile, should I later choose to do so? Due to the increasing popularity of social networking, your online privacy is at increasingly greater risk, and increased effort should be taken to protect it.

It seems like every month or two now there is another major security breach involving one of the numerous social media websites. No website can ever expect to be fully immune to the threat, but sites that deal with Personally Identifiable Information are particularly attractive targets for hackers. Gone are the days when a hacker did what they did simply to gain skills, increase their reputation, or just have a little fun at someone else's expense. And it's not just the work of hackers that exposes this information. As we will soon see, data can be leaked as a result of a programming error, a partner of the website overstepping their boundaries, and even just plain carelessness on the part of the website. In the following pages, I will show a range of examples of how this information becomes available, and then what can be done with it. My focus in this paper is social media websites; however, any website that keeps any data on you can potentially leak that data for the world to see.

There have been many social networking sites that have come and gone over the years, from the accepted first site, SixDegrees.com in 1997, through Friendster in 2002 and MySpace in 2003, to today's most widely successful site, Facebook, in 2006 (Boyd, 2007). While these sites are hosted in different locations, by different administrators, and on different platforms, they all have had their share of security issues. I could write an entire book on all of the security breaches of all the social networking sites over the years; however, I am going to focus on more recent issues with the most heavily used sites: Facebook, MySpace, and Gawker.

The first security breach with MySpace that I'm going to discuss happened in 2006. This issue involved a vulnerability in Microsoft Windows that allowed a serious piece of adware to be spread to computers through a banner advertisement which was written to exploit the flaw. Adware is a program that is installed on a user's computer, normally unknown to the user, which causes the computer to constantly display pop-up windows showing various advertisements during a normal web browsing session. The Windows vulnerability had already been reported and patched by Microsoft, but due to the lax attitude towards system updates by most Windows users, more than a million MySpace users were still vulnerable and became infected with the program, according to security company iDefense, which detected servers on the Internet logging installations of it (Espiner, 2006). It should also be noted here that exploitation of a vulnerability by a malicious advertisement can happen when visiting any website. However, the volume of users that visit a social networking site such as MySpace makes it a much more attractive target than a more specialized website that doesn't have the same volume of traffic.

In 2008, a flaw in the overall architecture of the MySpace website allowed anyone to view photographs posted on any user's profile, regardless of the settings that the user chose for who should be allowed to see their photographs. The instructions on how to exploit this flaw were simple to carry out, and available on many different websites all over the Internet. The issue with this is that MySpace allows profiles to be created by minors under the age of 16, and their photographs were compromised as well. The default setting for users under the age of 16 is for these pictures to be private, viewable only by people on that user's friends list; the pictures are therefore believed to be private and not given a second thought once posted. It doesn't take an experienced police officer to imagine a number of different ways that pictures could have been used once collected from the site. And as a parent, you try to monitor what your children are doing online and what they're posting, but it's impossible to know for sure, as many parents obviously learned with this security breach.

Moving along to Facebook, we have a security breach where 100 million accounts were published online. After another round of changes to the privacy settings on Facebook, the website reverted every user's settings back to allowing everyone to view everything. Security consultant Ron Bowes then harvested information from a number of accounts identified simply by a public search. He took all of this information, formatted it into a single file, and then shared that file with the world on the notorious BitTorrent site, The Pirate Bay (Gaines, 2010). It's easy to discount the severity of this incident because all Mr. Bowes did was collect information from users who chose to leave their profile as public. The first argument that I present against this conclusion is that Facebook had recently made changes to the privacy settings, leaving users' settings wide open, as it often does when changes are made. Users who had previously protected their profile may not have known yet that their settings had reverted back to open. Second, many of the accounts that were harvested into this file were those of users who had deactivated their accounts before the new settings were implemented. These users deactivated their accounts, perhaps believing at the time that they were actually completely deleting the accounts, and may not have any idea that the account still exists untouched. They would have no reason to come back months or even years later to check the privacy settings for an account that they believe no longer exists.

Less than three months later, Facebook was in the news again with another massive breach of security. This time the issue involved the publisher(s) of an unknown number of Facebook applications harvesting information from users of those applications. According to Mike Vernal, an engineer with Facebook, only the ID numbers associated with users' accounts were collected, not the users' actual names or any other private data. Mr. Vernal was also quick to point out that this action was not the fault of Facebook; it was mostly the fault of the rogue application (Boryga, 2010). While this latest breach may indeed not have been a direct result of the actions of Facebook, the breach was still a result of the use of their site. The third-party applications may be owned and operated by another company, but they are still used within the framework of the Facebook site, and the URLs to these applications all begin with http://apps.facebook.com/.

Our information is being entrusted to Facebook, not to a third-party company that Facebook refuses to disclose. It is because of issues such as the privacy settings being reset to open, and Facebook's refusal to disclose the company or companies that were guilty in the second incident, that there is speculation that it is actually Facebook that is guilty of selling information, and that a lot more was disclosed than they are willing to admit. The update to the privacy settings in July 2010 was not the first time that Facebook reset users' privacy back to open after a major change in the privacy settings.

The latest security issue, which has hit popular blog site Gawker, is one that is still unfolding in the news. In fact, my source for this story was just published yesterday. What is known is that the information of 1.3 million Gawker users was obtained, which among other facts included over 200,000 email addresses (Ries, 2010). It has been speculated that Anonymous, the hacker group associated with the infamous website 4Chan and known for their ongoing battle with the Church of Scientology, is behind the theft as a result of a feud. Anonymous has often taken offense to the Church's use of cease-and-desist letters as a means to silence their critics online.

Hackers noted a vulnerability in the architecture of the Gawker site, which was first disclosed in August, in addition to another undisclosed vulnerability which was used to steal the information. The version of the software that is used to operate the Gawker website is over three years old, demonstrating Gawker's poor stance on security. "Gawker should know about this, but they haven't bothered to do much it seems," noted one of the hackers behind the theft. As of yesterday, the vulnerability in Gawker's software appears to be patched; however, it was not specified whether this means the known issue or the unknown issue that was actually used (Ries, 2010). I chose this incident, despite all the facts not being known yet, to demonstrate the main point in all of this. These websites have a very poor track record when it comes to security. They use old versions of software with known vulnerabilities, and often do not patch their servers until after a major data theft lands them in the news.

So now that we have seen how these social networking sites put security on the back burner, and how these vulnerabilities are exploited for the theft of data, let's move along to how this data can be used. The first obvious answer is selling it to data miners, which many users suspect happened when they speculate that it was Facebook that disclosed the user ID numbers rather than the unnamed third-party application author. Despite Facebook's assurance that only the ID numbers were disclosed, that alone can be enough. According to a recent article on cnn.com, data miners can use that ID number to harvest your profile picture and email address at a minimum, regardless of what privacy settings you have applied to your profile (Goldman, 2010). When matched against the file published by Ron Bowes, the miner may already have a pretty telling story before we even begin to speculate what else may have been disclosed with the ID numbers, or what other information the data miner already has that can be linked to it. Yes, you can opt out from your data being collected by some of these miners, but it could turn into a full-time job tracking them all down and filling out the forms. And once the data has been sold, the purchaser of the data is under no obligation to stop using it if you later opt out from their supplier.

Secondly, there are now a number of websites online that will give you a disturbing amount of information on any name that you enter. These sites do their own data mining from a number of sources, including public records, social networking sites, online forums, and numerous others. Linking a forum username to a real person may be difficult for you or me, but it is often trivial for a company with a large database. The information that they can provide can be frightening.

I will demonstrate what you can find from these sites by walking through a search on the first site that I became aware of, Spokeo (http://www.spokeo.com). The Spokeo website allows you to choose a name, email address, phone number, or friends to search on. I'll enter my name into the box. I get a number of matches, 2 in the state of Michigan. The entries are both me, records at my last two addresses, though nothing listing my current address. Clicking on either of them will bring up another window which will allow me to purchase a full report (which I will not be doing at this time), view a satellite image of the address, and pay for a list of family members, social networking site data, and a description of the neighborhood and financial data.

Another site, Peek You (http://www.peekyou.com), features a more detailed interface to define your search. This site lists two records with the same addresses as Spokeo. However, one of the addresses is also linked to the screen name that I often use for online forums. It doesn't offer any additional information on its own; however, it links to other sites where other information can be found. For example, I can follow links to People Finders (http://www.peoplefinders.com), reunion.com, Intellius (http://www.intelius.com), and even Spokeo. Following these links, I find the same two previous addresses, plus an additional one, and of course links to paid reports. Also listed are a number of people the site believes to be relatives; they are right on one of the three they list (my wife in this case). I have never heard of Marilyn Whitney or James Allen Knox, though I have often received mail for James Allen Knox at my previous address, so that is probably where the connection was made.

In this paper, I have demonstrated the poor attitude towards the security of your information shown by the social networking sites. Old versions of software are used to run these sites, and known vulnerabilities are left unfixed. I then showed a number of examples of what happens when a hacker with the skills to exploit these vulnerabilities comes along. The breaches are not limited to any one website; they have all had a remarkable past. And finally, I showed two examples of what can be done with this information once it gets out. We all know the old saying about letting the cat out of the bag. It must also be noted that it's not just Facebook and MySpace, but any website that you provide with any amount of information. How many times have you disclosed a single, seemingly harmless piece of information to a website for any reason? Alone it may be harmless, but all of these small facts together begin to paint a picture.

So what can be done to protect our privacy online? Obviously, the first option is to never post anything online, or disclose anything in written form either. The next best thing is to be careful in what you disclose. Next, understand the privacy settings of every service that you use, and use those controls to properly protect your privacy. And since the entire infrastructure of the privacy settings may be overhauled at any time, without notice, it is also crucial that you verify your settings regularly. Next, when you are filling out any form, always look for every opportunity available to opt out of anything. The completely paranoid can use an anonymous browser, create a number of throwaway email addresses with Yahoo! and Hotmail, and surf the web through an anonymizing proxy to hide the origin of all of their traffic.
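The settings-reset failure mode described earlier (a site overhauls its privacy settings and every profile ends up open) and the regular verification recommended here can both be shown in code. The following is an added Python example, not part of the original paper and not any real site's code: it models a settings migration that falls back to the site default of "everyone" for any field it no longer recognizes, beside a fail-closed migration that carries renamed fields across and starts new fields at the user's most restrictive choice, and it includes the check a user (or a site's own release process) could run to spot fields that silently became more permissive. The field names, audience levels, and rename map are constructed for illustration.

```python
"""Added example: detecting privacy settings that silently became more permissive.

Everything below (field names, audience levels, the rename map) is constructed
for illustration; it is not Facebook's or any real site's settings schema.
"""
from typing import Dict, List, Optional, Tuple

# Audience levels ordered from most restrictive to least restrictive (constructed scale).
AUDIENCE_RANK = {"only_me": 0, "friends": 1, "friends_of_friends": 2, "everyone": 3}
SITE_DEFAULT = "everyone"  # the "open to everyone" default the paper describes

Settings = Dict[str, str]
Finding = Tuple[str, str, str]  # (field, intended audience, actual audience)


def migrate_unsafe(old: Settings, new_fields: List[str]) -> Settings:
    """The failure mode the paper describes: after a schema overhaul, only fields
    whose names survived unchanged are carried over; everything else (renamed or
    brand-new) silently falls back to the site default of 'everyone'."""
    return {field: old.get(field, SITE_DEFAULT) for field in new_fields}


def migrate_safe(old: Settings, new_fields: List[str], renames: Dict[str, str]) -> Settings:
    """Fail closed: renamed fields keep the user's previous choice, and a field the
    user never saw before starts at the most restrictive audience they already use,
    so a migration can never widen an audience the user chose."""
    carried = {renames.get(name, name): audience for name, audience in old.items()}
    strictest = min(old.values(), key=AUDIENCE_RANK.__getitem__, default="only_me")
    return {field: carried.get(field, strictest) for field in new_fields}


def loosened_fields(baseline: Settings, current: Settings,
                    renames: Optional[Dict[str, str]] = None) -> List[Finding]:
    """The periodic check the paper recommends, as code: report every field whose
    current audience is wider than what the user intended, plus any field that
    appeared without the user's input and is already public."""
    renames = renames or {}
    intended = {renames.get(name, name): audience for name, audience in baseline.items()}
    findings: List[Finding] = []
    for field, wanted in intended.items():
        actual = current.get(field, SITE_DEFAULT)  # a field that vanished is treated as public
        if AUDIENCE_RANK[actual] > AUDIENCE_RANK[wanted]:
            findings.append((field, wanted, actual))
    for field, actual in current.items():
        if field not in intended and actual == SITE_DEFAULT:
            findings.append((field, "(new field)", actual))
    return findings


# Constructed sample: what a user chose before the overhaul, and the new schema after it.
USER_BASELINE: Settings = {"photos": "friends", "status_updates": "friends", "email": "only_me"}
RENAMES = {"photos": "photo_albums", "status_updates": "posts"}  # old field name -> new name
NEW_SCHEMA = ["photo_albums", "posts", "email", "hometown"]  # 'hometown' did not exist before


def demo() -> Tuple[List[Finding], List[Finding]]:
    """Run both migrations over the sample and return what the check finds for each."""
    after_unsafe = migrate_unsafe(USER_BASELINE, NEW_SCHEMA)
    after_safe = migrate_safe(USER_BASELINE, NEW_SCHEMA, RENAMES)
    return (loosened_fields(USER_BASELINE, after_unsafe, RENAMES),
            loosened_fields(USER_BASELINE, after_safe, RENAMES))


if __name__ == "__main__":
    unsafe_findings, safe_findings = demo()
    print("unsafe migration loosened:", unsafe_findings)
    print("safe migration loosened:", safe_findings)
```

The unsafe migration reports the two renamed fields as reset to "everyone" and the new "hometown" field as public; the fail-closed migration reports nothing, because nothing the user chose was widened. The same `loosened_fields` check, run against a saved copy of one's intended settings, is the regular verification the paragraph above calls for.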

And finally, all the same information and procedures used to protect your privacy online must also be applied to your children's accounts, with even more emphasis on the verification. Do you know everything that your children are posting online? Of course not; even the most paranoid helicopter parent only has a rough idea. It only takes a few moments to look through the online profiles of young men and women to get an idea of the kinds of things that they say and the kinds of pictures that they post, without a second thought as to who might see them or the fact that they might as well be considered to be online permanently. This may also be a good thing to go over with grandma, right after explaining to her that a Nigerian prince doesn't really need to use her bank account to safely store $10 million for any reason.