Social Media Privacy Risks To Enterprises

    Social Media Privacy Risks To Enterprises - Presentation Transcript

    1. Social Media Privacy Risks to Enterprises
        Presented at the IAPP Canadian Privacy Summit
        Constantine Karbaliotis, LL.B., CIPP/C/IT, Information Privacy Lead
        April 30, 2009
    2. Session Description
        • Social media and software are of increasing interest to both private and public sector organizations. While these technologies represent exciting new opportunities for individuals to share information and for organizations to interact with customers/citizens, they also represent a new area of risk for the exposure of confidential and personal information. We'll take a focused look at the new risks and issues arising from social media and software that your organization may be facing, and discuss strategies to minimize security risks, protect personal information in your organization's custody, and minimize liabilities for individuals using these technologies
      Constantine Karbaliotis
    3. Agenda
        • 1. Introduction
        • 2. Social Media
        • 3. Social Media Privacy Issues
        • 4. Strategies and Mitigations
        • 5. Conclusion
      Constantine Karbaliotis
    4. Introduction
      Constantine Karbaliotis
    5. What is Social Media
        • “Social media” includes:
          • social networking (Facebook, MySpace)
          • blogging (WordPress, Blogger, TypePad, etc.)
          • wikis (Wikipedia, Wikia, etc.)
          • microblogging (Twitter)
          • business or technical networking (LinkedIn, Spoke)
        • in short, anything that can be considered user-generated content
      Constantine Karbaliotis
    6. Social Networking in the News…
        • Destructive Koobface virus turns up on Facebook:
          • Koobface spreads by sending notes to friends of someone whose PC has been infected. The messages, with subject headers like "You look just awesome in this new movie," direct recipients to a website where they are asked to download what it claims is an update of Adobe Systems Inc's Flash player (Reuters)
        • Salesforce.com-Twitter integration could spell privacy fears:
          • In March, CRM vendor Salesforce.com announced its Service Cloud would be integrated with Twitter this summer to help companies gauge brand reputation. But experts warn of potential privacy concerns among the Twitter community (ComputerWorld)
        • Google's Rumored Twitter Buyout Could Raise Privacy Concerns:
          • A purchase of Twitter by Google would allow a company that already knows too much about us to find out even more. And sell it to people who could aggressively use our words to pester us. Or worse. (PCWorld)
      Constantine Karbaliotis
    7. Social Media
      Constantine Karbaliotis
    8. Organizational Uses of Social Media
        • Employee social networking (internal)
          • Help employees network, connect to each other more effectively
          • Support on company initiatives, idea generation
          • Recruiting, HR
        • Technical and customer support
          • Provide knowledge, support to customers
          • Customers providing knowledge and support to each other
        • Marketing and customer data collection
          • Learning customers’ needs, interests and concerns better
          • Creating enthusiasm, support and interest
      Constantine Karbaliotis
    9. Content Creation
        • Social media can be operated by:
          • The organization, for employees to create content internally to provide internal networking, communication, support
          • The organization, often through vendors, with content provided by employees and customers, as external facing social software sites
          • others (Facebook), and used officially by the organization, with content created by the organization, or accessing and using content created by others
          • others (Facebook, LinkedIn, and many others) and content generated by employees informally
          • others with content partially generated by both the organization and others (e.g. security blogs, blogs by employees) with contributions approved by the organization as part of a coherent marketing strategy
      Constantine Karbaliotis
    10. Some Interesting Statistics
        • 42% of office workers between the ages of 18 and 29 discuss work-related issues on blogs and social networking sites (YouGov)
        • 50% of surveyed organizations indicate that at least 30% of their network bandwidth is being consumed by social networking traffic (Forrester)
        • It is estimated that nearly half of all web developers are already using AJAX
        • More than 30% of large companies will have a Web 2.0 business initiative underway by 2008 (Gartner)
        • 66% of surveyed organizations indicate that Web 2.0 is essential to maintaining their company’s market position (McKinsey)
      Constantine Karbaliotis
    11. Selling the message in the organization…
        • The goal is not to stop innovation or creativity
        • The goal is:
          • To understand the risks associated with an activity;
          • To address them by minimizing them to the extent reasonably possible; and
          • for a responsible person to accept the residual risk.
        • Conscious acceptance of risk
        • No sleepwalking
      Constantine Karbaliotis
    12. Social Media Privacy Issues
      Constantine Karbaliotis
    13. Social Media and Privacy Risks
        • Most privacy risks not exclusive to social media sites and technology
        • Simply blocking these sites will not mitigate the hazards of increasingly interactive consumer Web applications
        • There are corporate advantages to use of social media, the most compelling of which are innovative marketing, attracting employees and providing a progressive work environment
        • Social media is just one part of our overall concerns about doing privacy ‘right’
      Constantine Karbaliotis
    14. Scenarios for Privacy Risks
        • Internal risks
          • Violate the privacy of others: too much information about customers, fellow employees, business partners, others
          • Violate their own privacy: Can disclose too much information about themselves, risk harassment or stalking, or put company in awkward position in respect to personal conduct
        • External risks
          • All of the above, and…
          • Can disclose confidential company information about the organization, business partners, their own companies
          • Can create a ‘record’ of rants, flame-wars or inappropriate conduct that comes back to bite them
            • Affect employment with the organization, stakeholders, partners, or others
          • Creation of a ‘permanent’ record thoughtfully kept for all time by search engines …
      Constantine Karbaliotis
    15. Behavioral Tracking
        • The data collected by observing what users do: what sites they visit, what pages, how long they look, what links they click…over a period of time…and often linked back to other information (demographics) you might have
        • Very interesting data, very valuable and at the same time, attracting a lot of negative attention from privacy regulators concerned over how data is gathered, how long data is kept, and the lack of transparency over its collection or use
        • One of the key reasons to set up social media sites and technologies – apart from advertising – is the generation of this behavioral information and thus targeted advertising
      Constantine Karbaliotis
    16. Unintended Consequences: Data Exports
        • ‘Address importing conveniences’:
          • downloading the LinkedIn Outlook Toolbar, using “Find your Friends” features or similar tools would allow all of your Outlook contacts to be automatically uploaded to LinkedIn, Facebook or the site of your choice
          • Could be a violation of the EU Data Directive and the EU Directive on Privacy and Electronic Communications if containing EU contacts – export without consent
          • Putting your company contacts in hands of third party without any guarantees or controls
      Constantine Karbaliotis
    17. Unintended Consequences: TMI
        • By offering TMI, employees can create awkward situations
          • Employees might reveal conduct that undermines confidence in them or their trustworthiness or of the organization
          • Conversely, how does the organization counter the argument that access to this information was not a factor in discipline or other actions?
          • Employers cannot ignore criminal activities when known and therefore employers must consider reporting any unlawful conduct to appropriate authorities
          • Conversely, the majority of the social networking sites cooperate freely with law enforcement
        • Certain social networking communications may be seen as creating a hostile work environment and put the company and employee(s) in jeopardy
      Constantine Karbaliotis
    18. Unintended Consequences – Security
        • Adding applications to social media (such as Facebook) could represent security risk to data on your machine, or accessible over the network – undermining our security software and efforts
        • Providing information on one site, or multiple sites together, could facilitate someone using social engineering to gain access to the organization’s network by allowing them to convincingly pretend to be a user
        • Some user ‘tools’ are actually spamware or spyware – e.g. they may help ‘collect’ e-mail addresses from Outlook, but they upload them and e-mail invitations to them, without consent of the user…
      Constantine Karbaliotis
    19. Unintended Consequences: The Durability of Data
        • Google and other search engines also scan content created by users:
          • The content created by the user can have an unanticipated durability – it will never, ever go away
          • What may not bother you at one point in your life or one context, may be a problem years later, or a different context
          • What is out there, is out there seemingly forever
          • Social media sites can become an ‘e-discovery heaven’ for litigators if it provides a record of ongoing or unanswered complaints or issues
          • Some search engines focus on social media sites and the ‘deep web’: Pipl, ZoomInfo, Wink, Spokeo, Zabasearch and CVGadget reveal a disturbing level of detail and aggregation – combining separate identities into a whole new one
      Constantine Karbaliotis
    20. Strategies and Mitigations
      Constantine Karbaliotis
    21. Internal: Revisit and Update Privacy Policies and Code of Conduct
        • Ensure your Code of Conduct addresses the risks associated with social media:
          • minimize the harm to the organization’s customers, employees, and reputation
          • Address specifics of social media interaction
        • Revisit policies, privacy notices/statements – do they address the risks of social media?
        • Train and Inform:
          • Adequate training / user education
          • Adherence to privacy policies
        • Update employee guidelines, employment contracts and acceptable use agreements to allow for social media
      Constantine Karbaliotis
    22. Revisit: Consent and Notice
        • Informed consent is key to obtaining and using personal information in social media and elsewhere:
          • Update privacy notices to address social media, possible uses
          • Must be careful to anticipate business uses because secondary uses not reasonably contemplated at time of consent will not be covered by notice
          • Consent cannot be overbroad: “We can do anything we like with it” – and consent must be specific for it to be meaningful
          • Privacy statements are a very public thing, and law/regulation is not the operative consideration
          • Must be reasonable in light of intended use, and the nature of the service being provided
      Constantine Karbaliotis
    23. Privacy Notice Considerations
        • User names – made up or real? Is there ‘pseudonymity’ (you know your users’ names, but this is not available to users generally)
        • Profiles – hidden or visible to other users? Can you restrict access to those who can view user profiles?
        • Uses –
          • What are your uses of the data?
          • What do you retain, and how long?
          • Are you restricting the use made by users of other users’ data?
        • Deletion – what happens when a user chooses to delete their account – is the data really gone?
        • Lawful disclosure – in what circumstances might users’ data be required to be provided – have you warned them?
        • Transfers – from where is the information collected, and where is it sent? Does this require a data transfer agreement for EU compliance?
        • Complaints – do you have a mechanism to address issues with users?
      Constantine Karbaliotis
    24. FTC Principles on Behavioral Tracking
        • Transparency and consumer control
        • Reasonable security and limited data retention for consumer data
        • Affirmative express consent for material changes to existing privacy policies
        • Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising
      Constantine Karbaliotis
    25. Design Considerations: Taking the High Road in Social Media
        • Do a privacy impact or risk assessment for any project involving social media, and all suppliers – to identify and mitigate risks, identify data flows
        • Users should be presented with a notice as to what activities are tracked when they first register, at a minimum, and ideally should be allowed to set a cookie that ‘opts out’ of such tracking – and always link to privacy notices
        • Be clear about what you’re doing and why:
          • E.g. we are doing this to track traffic to pages, we want to offer you information that is relevant to your interests
          • and as long as you’re clear about how long you keep the data, and what you’ll do with it, most people won’t bother to turn off tracking
      Constantine Karbaliotis
    26. Taking the High Road (2)
        • Be clear about how long you keep the data that can be linked to an individual – and be able to get rid of the personally-identifying information on request
        • A really good strategy here would be to anonymize it or de-link it from an individual, after six months – then you can keep the statistics and analytics as long as you like.
        • Data must be secure, and access limited to those within the company who actually need to see who is linked to what behavior – everyone else should only get de-personalized statistics
        • Turn off ‘caching’ on social media sites (robots.txt) – tells search engines not to index the information, which would otherwise keep it available forever
      Constantine Karbaliotis
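The slide above recommends de-linking behavioral data from the individual after six months, keeping only statistics, and restricting identified access to the people who need it. The following is an added example (not the presenter's or Symantec's code) that models that retention policy over a small set of constructed tracking events: records older than the window lose their user identifier, a deletion request severs the link immediately, aggregate statistics stay computable from the de-personalized rows, and identified rows are only served to an assumed set of roles. The event shape, the 180-day reading of "six months" and the role names are assumptions for the example.

```python
"""Retention and de-linking of behavioral tracking records (added example)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Iterable, Optional

RETENTION_DAYS = 180  # assumption: the slide's "six months" read as 180 days
# assumption: only these roles need to see which person is linked to what behavior
ALLOWED_ROLES = frozenset({"fraud_analyst", "privacy_officer"})


@dataclass(frozen=True)
class TrackingEvent:
    user_id: Optional[str]  # None once the record has been de-linked
    page: str
    seconds_on_page: int
    occurred: date


def de_link_expired(events: Iterable[TrackingEvent], today: date) -> list[TrackingEvent]:
    """Remove the user identifier from every record older than RETENTION_DAYS.

    Page and dwell-time columns survive, so statistics remain computable;
    only the link back to a person is severed."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [
        replace(ev, user_id=None) if (ev.occurred < cutoff and ev.user_id is not None) else ev
        for ev in events
    ]


def erase_user(events: Iterable[TrackingEvent], user_id: str) -> list[TrackingEvent]:
    """Honour a deletion request: sever the link for one individual regardless
    of record age, keeping the de-personalized rows for statistics."""
    return [replace(ev, user_id=None) if ev.user_id == user_id else ev for ev in events]


def page_stats(events: Iterable[TrackingEvent]) -> dict[str, dict[str, int]]:
    """De-personalized view that anyone in the company may receive:
    visit count and total dwell time per page, never tied to a user."""
    stats: dict[str, dict[str, int]] = {}
    for ev in events:
        bucket = stats.setdefault(ev.page, {"visits": 0, "seconds": 0})
        bucket["visits"] += 1
        bucket["seconds"] += ev.seconds_on_page
    return stats


def identified_view(events: Iterable[TrackingEvent], requester_role: str) -> list[TrackingEvent]:
    """Rows still linked to a person, served only to roles that need that link."""
    if requester_role not in ALLOWED_ROLES:
        raise PermissionError(f"role {requester_role!r} may only receive de-personalized statistics")
    return [ev for ev in events if ev.user_id is not None]


# Constructed sample data: four events around the presentation date.
TODAY = date(2009, 4, 30)
SAMPLE_EVENTS = [
    TrackingEvent("u1", "/pricing", 40, date(2008, 9, 1)),    # older than 180 days
    TrackingEvent("u2", "/pricing", 20, date(2009, 4, 1)),    # recent, stays linked
    TrackingEvent("u1", "/blog", 60, date(2009, 4, 20)),      # recent, stays linked
    TrackingEvent("u3", "/blog", 10, date(2008, 10, 31)),     # one day past the cutoff
]


def main() -> None:
    kept = de_link_expired(SAMPLE_EVENTS, TODAY)
    print("identified rows after retention run:", len(identified_view(kept, "fraud_analyst")))
    print("per-page statistics for everyone else:", page_stats(kept))
    print("after u1 asks for deletion:", [ev.user_id for ev in erase_user(kept, "u1")])


if __name__ == "__main__":
    main()
```

The retention job is idempotent, so it can run nightly; the aggregate view is computed from the same rows, which is what lets the statistics be kept indefinitely after the personal link is gone.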
    27. Taking the High Road (3)
        • Preference management – allowing the individual to control what we know about them and to get rid of their data later – is the ideal self-serve solution
        • Use SSL when account information is created or modified, or where users can affect entitlements or access personal information
        • Protect accounts with protection appropriate to the sensitivity of the data that can be accessed
        • Make sure privacy notices and terms of use are prominently available at the point of account creation and when logging in
        • Deletion of accounts should be possible at any time, with notice as to when it will be effective, and what residual information is left behind
      Constantine Karbaliotis
    28. Conclusion and Q&A
      Constantine Karbaliotis
    29. Conclusion
        • There is often a mad rush to the ‘technology of the month’ especially for marketing folks who are being challenged – in challenging times – to increase market penetration
        • Cool ideas, fascinating uses, and people flock to them
        • But in doing so, consider:
          • What is the intent of collecting this information – no service is really for free, so what is being ‘traded’?
          • Be up front about what the trade is
          • Have in place the measures to enforce the deal
          • And keep in mind that transparency won’t excuse actions that represent unexpected uses of personal information
        • Do what you say; say what you do; and above all, behave reasonably
      Constantine Karbaliotis
    30. Thank You!
        Constantine Karbaliotis [email_address] 416.402.9873
        © 2008 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.