This document discusses privacy and social media. It notes that personal information shared on social media can be at risk if settings are not managed properly. Some key risks include information being shared broadly by users or accessed due to security issues. The document reviews examples of privacy issues that have occurred on Facebook and with Google. It emphasizes the importance of education about privacy, independent security controls, and involvement in legislative and policy changes to help protect personal information on social media.

1. Privacy & Social Media
Chuck Ben-Tzur CISSP, CISM, CRISC, PMP
March 29, 2012

2. Personal Information
• Uniquely identifiable data relating to a person that is collected and stored,
in digital form or otherwise.
– Can lead to fraud
• Social Insurance Number (SIN)
• Other identification numbers (e.g. Driver license)
– Can cause damage
• Financial Information (Credit and Tax Information)
• Health Information
• Personal information (e.g. email address, habits)
• Information privacy is the relationship between collection and
dissemination of data, technology, the public expectation of privacy, and
the legal issues surrounding them.
• In Information Security, it is mostly the “C” in the “C-I-A” (Confidentiality –
Integrity – Availability)
2

3. Social Media
• A group of Internet-based applications that allow the creation
and exchange of user-generated content
– Facebook (General)
• 800 Million active users (end of 2011)
• 250 Million users accessing Facebook via mobile devices
(workplace)
• 30 Billion pieces of content are shared each month
• 50% of users log onto Facebook everyday
• The average user has 130 “friends”
– Twitter (Micro blogging – 190 Million tweets a day)
– LinkedIn (Business Networking – 135 Million Users)
– You Tube (Videos)
– Flickr (photos)
3

4. Distribution of Information
• Users voluntarily provide personal and
private information
– Basic information (e.g. name, email,
cell number)
– Address or Location
– Relationship and Relatives
– Education
– Work history
– Access to other sites (e.g. contacts)
• Users are encouraged to provide
updates on current lives and share
information.
• Information is immediately:
– Made available (no filtering)
– Can be replicated (likes, retweets)
– Often cached
4

5. User Profile Information
5

6. Data Collection Comparison
Organization Social Media
Users provide personal information by Users actively and voluntarily provide
request and after consent. personal information.
There is a specific reason or a business The information is not required by
need for the information. website operations.
The organization is responsible for data The user is responsible for data privacy
privacy. settings.
The organization controls data access
The user can controls only data access.
and usage.
6

7. Risks
• Private Information “leakage”
– By other users (sharing, likes, retweets)
– Security controls related issues (bugs, hacking)
– Functionality and Features (e.g. location based services)
– Privacy Policy (sharing information with 3rd parties)
• Website’s owns and controls the information
– Management of Information (e.g. profile termination, Opt-out)
– Making changes to Privacy Policy
• Regulations and legislation
– Local to the data center or company registration
• Offline activities (e.g. social engineering, fraud)
7

8. Real World Examples
8

9. Real World Examples
9

10. Real World Examples
10

11. Real World Examples
11

12. Privacy Related Legislation (Canada)
• Privacy Act (federal)
• PIPEDA - Personal Information Protection and Electronic
Documents Act (private sector)
– Last Updated on April 2011
• Provincial laws (e.g. Ontario)
– Freedom of Information and Protection of Privacy Act
– Municipal Freedom of Information and Protection of Privacy Act
– Personal Health Information Protection Act (PHIPA)
12

13. “PIPEDA”/Facebook (May 2008)
• A complaint against Facebook by the Canadian Internet Policy
and Public Interest Clinic (CIPPIC). Issues centered around
users knowledge and consent, retention (account
deactivation) and third-party applications security.
• Some of the allegations (e.g. third-party applications, account
deactivation) were found to be well-founded.
• Facebook agreed to make several changes which address the
issues uncovered during the investigation (mostly by providing
additional information on screen).
Remember the Example in slide 9?
13

14. “PIPEDA”/Facebook (Excerpt from Report )
• “… the foundation on which the Personal Information
Protection and Electronic Documents Act (the Act) is built –
are being significantly challenged.”
• “…Individuals do post personal information for purely
personal reasons. Nonetheless, personal information posted
by individuals for purely personal purposes that would
otherwise be exempted under the Act does fall under the Act
and imposes obligations on Facebook to the extent that
Facebook uses such personal information in the course of
commercial activities.”
• Full report can be found at:
http://www.priv.gc.ca/information/social/index_e.cfm
14

15. EU/Google (Jan 2012)
• Google announces
privacy settings change
across products, users
can’t opt out.
• France’s data-protection
agency was leading an
EU “analysis” into the
changes, asking Google
to delay the changes.
• Google Declined (Feb 3,
2012)
15

16. What Should We Do?
• Education and Training
– WHAT is personal information
– HOW to maintain privacy
– Do and Don’t in Social Media
• Independent Security Controls
– Website Filtering
– Data Leakage Prevention (DLP)
– Logging and Monitoring
• Be Involved and Updated
– Changes in legislation
– Changes in Privacy Policies
• Embed in the organization
– Corporate Policies
16 – Privacy Impact and Risk Assessment

17. Thank You
cbentzur@atominfosec.com
Images from: http://www.priv.gc.ca/information/illustrations/index_e.cfm#contenttop