
Is it time for Total Privacy Management?



By Amichai Shulman, CTO, and Kane Lightowler, Regional Sales ANZ, Imperva

Facebook’s privacy policy is longer than the US Constitution, exceeding 5,000 words according to a recent New York Times report.  Now, with governments coming after them, the Financial Times reports that Facebook is considering a privacy policy overhaul.  This situation is reminiscent of Keith Richards’ “I've never had a problem with drugs. I've had problems with the police.” 

Let’s start with the obvious:  If you want to keep your information private, don’t use a social network to store it.  The essence of social networks is to provoke solicited, and unsolicited, interactions between individuals. If I want to share photos with my friends over Facebook, why do I need to have my religion, birthday, marital status, or political affiliation stored in Facebook?

Further, privacy does not coincide with the interests of Facebook creators or with the attitude of many Facebook users.  If social networks were about keeping private information, and controlling it, then the default would have been not to share any new piece of information and have a ‘share’ or ‘publish’ button that users need to click, to make the information available to others. 

From a security perspective, digital social networks are inherently susceptible to data dispersion and inference attacks. That is, you may block the direct access to your (explicit) religious information but your profile photos, which you chose to be public, show a Star of David or your race. 

Additionally, a lot of private information can be deduced or analysed via a friend’s network (religion, sexual orientation, or age).  Someone may also post a sensitive message to the wall of a friend who at some point in time decides to make his wall, and hence your post, public.  Unsurprisingly, cybercriminals and freaks build dossiers from social networking sites. (And these are just the security problems that come with simply surfing Facebook; this doesn’t even begin to describe the laundry list of technical vulnerabilities.)

But Facebook has its virtues.  Staying in touch with family and friends is undeniably engaging.  Or as one comedian joked: “I’m on Facebook to ensure my ex-girlfriends aren’t doing better than I am.”

Today, Facebook is at a serious crossroads.  If it continues giving the impression that consumer privacy is a football, it risks further alienating users.  However, if it sets the right example and makes privacy sacred, Facebook can set the right tone for social networking for years to come. 

Better yet, there is a big opportunity for Facebook to educate people—especially younger users—about the issues of privacy. With 500 million users, gaining consumer trust will, in turn, bolster advertising and other revenue. 

Plus there are big reasons for Facebook to worry:  recent evidence shows social networks are losing lustre when it comes to trust.  Edelman’s Trust Barometer found that peers and friends are no longer credible sources for third-party endorsements, dropping from 45 per cent to 25 per cent since 2008. This will have a huge impact on marketers’ ability to convert social networks into revenue.

Consumers must believe that Facebook’s intentions are in line with their best interests.  In this case, Facebook, with overwhelming zeal, must show it’s doing everything it can to maintain user privacy.

What should Facebook do?

First, Facebook should universally provide audit trails to help the consumer adjust security settings.  An audit trail might look something like:

• Friend ‘Mom’ has viewed ‘Wild party’ pictures (Oh no! Should block her from that.)

• Application vendor ‘Yelp’ has viewed your friend list (I didn't want that—block them.)

• Friend ‘Larry’ looked at your wall (That’s fine.)

• Stranger has viewed ‘Wild party’ pictures (Oh no… I forgot to share it only with my friends.)

Second, Facebook should universally, and automatically, default all privacy controls to the most conservative option, meaning:

• Make the default for all items ‘private’.

• Automatically reset all default settings to ensure only selected contacts can see user profiles.

• Automatically make information inaccessible to search engines until an end user allows it to be public.

• Automatically block applications having full access to private data.

• Provide two-level administration for children’s accounts.

Third, Facebook should offer some de facto levels of privacy.  Consumers, better informed with audit trail results, will have a better vantage point from which to edit their security settings.  Facebook should provide three privacy options:

• Super-secret:  With a click, consumers will be guaranteed ultimate privacy with no pictures or information posted anywhere, except to a designated circle of friends.  Also, personal information could not be shared with application makers.  As Facebook changes, they should assure users that all default settings will be set to the most conservative option.

• Fully public:  For those who thrive on voyeurism.

• Customised:  Power users can set their options.
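
A small model of the three recommendations above, added here as an illustration and not code from Facebook or Imperva: items default to private, every view attempt is written to an audit trail, and the owner reviews the trail to tighten a setting. The `Profile` and `Audience` names, the owner `alice` and the sample views are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Audience(Enum):
    PRIVATE = 0   # owner only: the conservative default
    FRIENDS = 1   # designated circle of friends
    PUBLIC = 2    # anyone, including applications and strangers

@dataclass
class Profile:
    owner: str
    friends: set = field(default_factory=set)
    items: dict = field(default_factory=dict)   # item name -> Audience
    audit: list = field(default_factory=list)   # (viewer, kind, item, allowed)

    def add_item(self, name, audience=Audience.PRIVATE):
        # New items stay private unless the owner explicitly shares them.
        self.items[name] = audience

    def view(self, viewer, item, kind="person"):
        """Enforce the item's audience and record the attempt either way."""
        audience = self.items[item]
        is_friend = kind == "person" and viewer in self.friends
        allowed = (viewer == self.owner
                   or audience is Audience.PUBLIC
                   or (audience is Audience.FRIENDS and is_friend))
        self.audit.append((viewer, kind, item, allowed))
        return allowed

    def review(self):
        """Successful views by applications or non-friends, for the owner to act on."""
        return [(v, k, i) for v, k, i, ok in self.audit
                if ok and v != self.owner and (k == "app" or v not in self.friends)]

def demo():
    # Constructed sample data mirroring the audit-trail entries listed above.
    p = Profile("alice", friends={"Mom", "Larry"})
    p.add_item("Wild party", Audience.PUBLIC)   # shared too widely by mistake
    p.add_item("friend list")                   # never shared, so private
    p.view("Mom", "Wild party")
    p.view("Yelp", "friend list", kind="app")   # denied by the default
    p.view("stranger-1", "Wild party")
    flagged = p.review()
    p.items["Wild party"] = Audience.FRIENDS    # owner tightens after review
    return flagged, p.view("stranger-1", "Wild party"), p.view("Larry", "Wild party")
```

Denied attempts are logged as well, so the owner can see which applications tried to read data the default kept private.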

During the 1950s, Deming defined how quality in manufacturing became vital for profit and competitiveness, coining the concept of ‘total quality management.’  Facebook, at an analogous point in its history, should implement ‘total privacy management’ to show consumers and government regulators that consumer privacy is a sacrosanct holy grail.  Consumers will react with dollars, governments will placate regulators.

For more information

Amichai Shulman, Imperva

Email:  Shulman@imperva.com

Kane Lightowler, Imperva

Phone:  +61.2.(0)413 114 186

Kane.lightowler@imperva.com