Privacy & Social Media Chuck Ben-Tzur CISSP, CISM, CRISC, PMP March 29, 2012


Presented at the 5th Managing Privacy Compliance Conference

Page 1: Privacy & Social Media


Page 2: Privacy & Social Media

Personal Information

• Uniquely identifiable data relating to a person that is collected and stored, in digital form or otherwise.

– Can lead to fraud

• Social Insurance Number (SIN)

• Other identification numbers (e.g. Driver license)

– Can cause damage

• Financial Information (Credit and Tax Information)

• Health Information

• Personal information (e.g. email address, habits)

• Information privacy is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal issues surrounding them.

• In Information Security, it is mostly the “C” in the “C-I-A” (Confidentiality – Integrity – Availability)


Page 3: Privacy & Social Media

Social Media

• A group of Internet-based applications that allow the creation and exchange of user-generated content

– Facebook (General)

• 800 Million active users (end of 2011)

• 250 Million users accessing Facebook via mobile devices (workplace)

• 30 Billion pieces of content are shared each month

• 50% of users log onto Facebook every day

• The average user has 130 “friends”

– Twitter (Micro blogging – 190 Million tweets a day)

– LinkedIn (Business Networking – 135 Million Users)

– You Tube (Videos)

– Flickr (photos)


Page 4: Privacy & Social Media

Distribution of Information

• Users voluntarily provide personal and private information

– Basic information (e.g. name, email, cell number)

– Address or Location

– Relationship and Relatives

– Education

– Work history

– Access to other sites (e.g. contacts)

• Users are encouraged to provide updates on current lives and share information.

• Information is immediately:

– Made available (no filtering)

– Can be replicated (likes, retweets)

– Often cached

Page 5: Privacy & Social Media

User Profile Information

• Facebook requires the following information when registering on the website:

– Name

– Date of Birth

– Email

– Sex


Page 6: Privacy & Social Media

Data Collection Comparison

Organization | Social Media
Users provide personal information by request and after consent. | Users actively and voluntarily provide personal information.
There is a specific reason or a business need for the information. | The information is not required for the website to operate.
The organization is responsible for data privacy. | The user is responsible for data privacy settings.
The organization controls data access and usage. | The user can control only data access.

Page 7: Privacy & Social Media

Risks

• Private Information “leakage”

– By other users (sharing, likes, retweets)

– Security controls related issues (bugs, hacking)

– Functionality and Features (e.g. location based services)

– Privacy Policy (sharing information with 3rd parties)

• Website owns and controls the information

– Management of Information (e.g. profile termination, Opt-out)

– Making changes to Privacy Policy

• Regulations and legislation

– Local to the data center or company registration

• Offline activities (e.g. social engineering, fraud)


Page 8: Privacy & Social Media

Real World Examples


Page 9: Privacy & Social Media

Real World Examples


Page 10: Privacy & Social Media

Real World Examples


Page 11: Privacy & Social Media

Real World Examples


Page 12: Privacy & Social Media

Privacy Related Legislation (Canada)

• Privacy Act (federal)

• PIPEDA - Personal Information Protection and Electronic Documents Act (private sector)

– Last updated in April 2011

• Provincial laws (e.g. Ontario)

– Freedom of Information and Protection of Privacy Act

– Municipal Freedom of Information and Protection of Privacy Act

– Personal Health Information Protection Act (PHIPA)


Page 13: Privacy & Social Media

“PIPEDA”/Facebook (May 2008)

• A complaint against Facebook by the Canadian Internet Policy and Public Interest Clinic (CIPPIC). Issues centered around users' knowledge and consent, retention (account deactivation) and third-party application security.

• Some of the allegations (e.g. third-party applications, account deactivation) were found to be well-founded.

• Facebook agreed to make several changes which address the issues uncovered during the investigation (mostly by providing additional information on screen).

Remember the Example in slide 9?


Page 14: Privacy & Social Media

“PIPEDA”/Facebook (Excerpt from Report)

• “… the foundation on which the Personal Information Protection and Electronic Documents Act (the Act) is built – are being significantly challenged.”

• “…Individuals do post personal information for purely personal reasons. Nonetheless, personal information posted by individuals for purely personal purposes that would otherwise be exempted under the Act does fall under the Act and imposes obligations on Facebook to the extent that Facebook uses such personal information in the course of commercial activities.”

• Full report can be found at: http://www.priv.gc.ca/information/social/index_e.cfm


Page 15: Privacy & Social Media

EU/Google (Jan 2012)

• Google announces privacy settings change across products, users can’t opt out.

• France’s data-protection agency was leading an EU “analysis” into the changes, asking Google to delay the changes.

• Google Declined (Feb 3, 2012)


Page 16: Privacy & Social Media

What Should We Do?

• Education and Training

– WHAT is personal information

– HOW to maintain privacy

– Do and Don’t in Social Media

• Independent Security Controls

– Website Filtering

– Data Leakage Prevention (DLP)

– Logging and Monitoring

• Be Involved and Updated

– Changes in legislation

– Changes in Privacy Policies

• Embed in the organization

– Corporate Policies

– Privacy Impact and Risk Assessment
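The DLP control listed above is named but not described. The following is an added example, not part of the presentation, of the kind of outbound-content check such a control performs: it looks for two of the identifiers from slide 2 (a Social Insurance Number and a payment card number) in text leaving the organization, validates each candidate with the Luhn check digit that both kinds of number carry so that ordinary order or reference numbers are not flagged, and masks what it reports so the alert itself does not leak the data. The regex patterns, the sample messages and the block/allow decision are assumptions made for illustration.

```python
import re

# Constructed sample of outbound messages (e.g. draft posts or webmail bodies
# seen by an egress proxy). These are illustrative, not data from the talk;
# the SIN is the Canada Revenue Agency's published example number and the
# card number is a standard Luhn-valid test number.
SAMPLE_MESSAGES = [
    "Lunch was great, see everyone at the conference on Thursday!",
    "Can you process my claim? SIN 046 454 286, thanks.",
    "Order ref 1234 5678 9012 3456 didn't arrive.",          # 16 digits, fails Luhn
    "Card on file is 4111 1111 1111 1111, expiry 03/14.",   # passes Luhn
]

# Nine digits in three groups (Canadian SIN) and 13-16 digits (payment card),
# with optional space or hyphen separators. The word boundaries stop a
# nine-digit run inside a longer number from being reported as a SIN.
# Assumed patterns for this example, not an exhaustive format list.
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check digit, which both SINs and card numbers carry;
    it rejects most order numbers and other benign digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return one finding per identifier that matches a pattern and passes Luhn."""
    findings = []
    for kind, pattern in (("card", CARD_RE), ("sin", SIN_RE)):
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                findings.append({"kind": kind, "masked": mask(digits), "span": m.span()})
    return findings


def decide(text: str) -> str:
    """Policy hook (assumed): block the message if any identifier was found."""
    return "block" if scan(text) else "allow"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(decide(msg).upper(), scan(msg), "<-", msg)
```

The Luhn step is what keeps the false-positive rate tolerable: nine- and sixteen-digit runs are common in benign text, and the third sample message is deliberately one that the regex alone would flag. A production control would add the other categories from slide 2 (driver's licence and health identifiers), inspect decrypted egress traffic rather than plain strings, and send the masked finding to the logging and monitoring pipeline listed beside it rather than printing it.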


Page 17: Privacy & Social Media

Thank You [email protected]

Images from: http://www.priv.gc.ca/information/illustrations/index_e.cfm#contenttop