In Social Media, is Privacy the First Casualty?

Last December on TechCrunch, Rohit Khare posted an article called “Privacy Theater: Why Social Networks Only Pretend To Protect You.” In it, he deconstructed the data breach at RockYou, in which thirty-two million user accounts were exposed via a SQL injection attack. What’s notable is not the breach itself—these happen all too often—but that apparently RockYou downplayed the incident. More troubling was the discovery that all of the passwords were stored in the clear. As a result, RockYou was sued for failing to protect its users’ personally identifiable information.

Innovation as an Excuse
In his article, Khare argues that in certain cases it’s actually desirable to share data between social media sites but that many times this is not possible due to privacy restrictions. The implication, of course, is that privacy demands that user data be highly protected. In reality, though, according to Khare, this is only theater. Social media sites are not actually doing enough to safeguard your private information, mostly due to sloppy programming and bad architecture.

In reading the article, it occurred to me that many social media sites were started by very smart individuals who had a great idea. Eventually they attracted VC money and were ultimately launched as a business. As a former developer, I realize that in this world it is imperative that you build your product as quickly as possible so you can demonstrate the viability of your idea. But in doing so, are the traditional policies and governance ever put into place once you RTM? I mean, honestly, who does not know that you never store passwords in the clear?

While we’re on the subject of security, it’s well known that it is vastly more expensive (and less reliable) to “tack on” security once your application is built. Yet this is precisely what many developers do.

Security Is Not a Bad Thing
A lifetime ago, I delivered training on threat modeling. The idea is to get in a room with your developers before a line of code is written and go through the entire application architecture, thinking of ways that security can be compromised. Once you’ve identified a threat, you redesign the offending module to mitigate the threat. Only when this process is complete do you begin coding. It’s not foolproof, but it certainly can reduce the attack surface.

Poor architecture is not the only reason privacy is more myth than reality. In a well-publicized blog post, Mark Zuckerberg tried to explain why Facebook was changing its privacy settings—again. At first reading, it sounded like these changes were for the best and would be of benefit to all users. But as people drilled into the details, many realized that in fact these changes meant less privacy, as your personal information is now more open to sharing without your knowledge or permission.

The main reason for the change? Supposedly to better accommodate Facebook’s lucrative partnerships with search engines like Google and Bing (see “Facebook’s New Privacy Push Concerns Experts”). In order to prevent unintended consequences, every user should go through each privacy setting to ensure that they are clear on how their data is being shared—something Zuckerberg recommends, to his credit. It’s my guess that most users will not take the time.

What Do Users Really Want?
In the case of Facebook, does it matter that my list of friends, photos and posts about me can be shared with the world without my explicit permission? Well, it all depends on how much I value my privacy—or whether there is embarrassing information that I would rather not be available to search engines. A more insidious problem is the many Facebook apps that can potentially share (read “abuse”) this information beyond what I intended when I originally allowed the app to access my data.

Where does it all end? My sense is, the market will take care of itself—but only if people insist on their data being protected according to some universally agreed-upon set of standards (and, trust me, there are plenty of standards out there). To my knowledge there has not yet been a huge outcry against social media sites that are cavalier about protecting information. When that happens, practices will change.

What do you think? Do issues with privacy make you more reluctant to incorporate social media into your enterprise? Conversely, for marketing purposes, would you like access to the vast pool of rich user data that is now available courtesy of social media?

The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of Microsoft.