<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk Think &#187; FaceBook</title>
	<atom:link href="http://bpc.bishopphillips.com/riskthink/index.php/tags/facebook/feed/" rel="self" type="application/rss+xml" />
	<link>http://bpc.bishopphillips.com/riskthink</link>
	<description>Enterprise Risk Management and BPC RiskManager</description>
	<lastBuildDate>Tue, 31 Jan 2012 14:48:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Risk And Social Networking &#8211; Part 2: Social Convergence</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2011/06/24/risk-and-social-networking-part-2-social-convergence/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2011/06/24/risk-and-social-networking-part-2-social-convergence/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 10:55:59 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[General Interest]]></category>
		<category><![CDATA[FaceBook]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=241</guid>
<description><![CDATA[Convergence  - a term previously applied to the merging of multiple technologies into one device, like a phone that combines email and internet browsing - now has a social mirror in the merging of the multiple social dimensions of a person's existence with their corporate life and their corporate roles.   This social convergence presents risks both to the individual and to the business employing them.

]]></description>
<content:encoded><![CDATA[<p>Convergence  - a term previously applied to the merging of multiple technologies into one device, like a phone that combines email and internet browsing &#8211; now has a social mirror in the merging of the multiple social dimensions of a person&#8217;s existence with their corporate life and their corporate roles.   This social convergence presents risks both to the individual and to the business employing them.</p>
<p>As a risk management professional, one of my particular concerns is the significant and rapidly growing scope of risks created by social networking and smart mobile technology.  I admit to being in &#8220;two minds&#8221; about this space.  On the one hand there are definite and clear branding, sales, performance, communication, and social benefits associated with the social media technologies.  On the other hand there are serious and real, present and potential risks that are growing rapidly. I remain concerned that these risks are little understood by the vast majority of the user base, and that there is not a clear path to either mitigating or avoiding them.</p>
<p>The one guiding principle that all internet users should remember is that &#8220;the internet is forever&#8221;.  If you are bold enough to venture into the very dark side of the internet &#8211; spend an educational few hours browsing the encyclopedia-dramatica (EA) web site.  (WARNING:  Not Safe For Work.  This site contains extremely offensive, bigoted, obscene and abusive content.  You WILL be offended by some, if not all, of the content.  While it is intended to be a humorous web site, its humour is based on being deeply offensive to almost everyone &#8211; so do not visit unless you have a very thick skin, it is not even remotely possible to offend you, you have a secret fascination for the sordid, an extremely well developed sense of the right of free speech, a professional excuse to be there and/or believe that there is no image or viewpoint too strong to gross you out.  Also, be warned that there are some things that once seen can never be &#8220;unseen&#8221;, and the image or text may haunt you for the rest of your life.)   One of EA&#8217;s pet projects is to explore and ridicule internet &#8220;memes&#8221; as they rise to fame.  A meme is an internet fashion &#8211; the internet equivalent of the proverbial 15 minutes of fame.  It may be a person, an idea, an identity, etc.  EA delights in recounting in depth the foolishness of targeted memes, the process used in tracking their real-world identities and exposing their details (names, addresses, associates, phone numbers, etc).  Erstwhile anonymous people who have either done something foolish on internet social media sites or who hold views it considers extreme or hypocritical are targeted and occasionally harassed.  It is this aspect of EA&#8217;s function that is relevant to this article, and the step-by-step accounts of how some of these semi-anonymous people have had their real identities, with phone numbers and addresses, family and real-life jobs exposed and linked together with their internet foolishness are a very strong lesson in how dangerous the illusion of anonymity is on the internet.  The advent of modern social media has made this work simpler, faster and possibly even more devastating to the individual.</p>
<p>In the world of simple social networks &#8211; bulletin boards, chat rooms, YouTube and email lists &#8211; however, considerable resources and skills were required to achieve this kind of exposure.  It is possibly the ability of the group of people championing or supporting the EA website, and the bulletin boards/chat sites from which it draws many of its victims, to utilise their apparently large worldwide participation base that allows them to sew the data together from these many sources and form a coherent story that facilitates their success.   The sheer effort required to do this kind of work has traditionally made it unlikely that the ordinary internet user, whose internet behaviour is more &#8220;ordinary&#8221;, had much about which to be concerned.   With the advent of increasingly &#8220;smart&#8221; social media sites like FaceBook, combined with technology advances like facial recognition, smart phones with mobile apps and GPS tracking technology, marketing agencies and commercial data tracking firms, and 20 years of data tracking, this is changing.</p>
<p>Consider the recent article in The Wall Street Journal published 18 October 2010: <a title="http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html" href="http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html" target="_blank">FaceBook in Privacy Breach</a>.  The essence of the matter reported was that various apps in FaceBook were providing data to external sites that breached users&#8217; privacy settings.  The apps on your FB page have access to a considerable amount of your private data regardless of your privacy settings and are therefore capable of transmitting this data to external systems.  Even without this dimension, FaceBook uses a unique identifier to identify its users (a characteristic that would be difficult to avoid).  That identifier probably has to be available to any app used by a user for many of the app&#8217;s socially beneficial networking capabilities.  Given that many apps make use of external (to FaceBook) databases, that id probably has to be available outside of the FaceBook environment.  For the 500 million or so FB users, this is effectively a unique identity number.  Combine that id number with even a polynomial hash of the personal data held in a user&#8217;s FB account, and then match that hash with a hash code held for the same fields &#8211; say name and address, or email address &#8211; in a marketing or data tracker&#8217;s database, and you can link the offline database with the FaceBook user even if you are not transmitting identifiable private information.</p>
<p>Data tracking and marketing firms can use things as simple as advertisements and images displayed on a web page you visit to identify you by your browser and IP address to track where you go on the internet &#8211; before we even get into more sophisticated tracking methods.  So now we have the potential for that information to be tied to your FB user identity.</p>
<p>Now let&#8217;s add the latest FB innovation &#8211; facial recognition.  The addition of facial recognition capability to FB, applied to the profile and other images loaded up into the FB database and tagged with personal and &#8220;friend&#8221; identities, gives FB possibly the largest facial recognition database outside of any government &#8211; and possibly larger than 90% of governments around the world.</p>
<p>Lastly, we add to this mix the widespread use of smart mobile technology with its GPS and web browsing systems &#8211; including FaceBook &#8211; and the growing social media linking systems like Xobni, which matches your email inbox to the various social media sites like LinkedIn, FaceBook, Twitter, etc.</p>
<p>Take all of these systems together and we have a growing ability for people&#8217;s lives to be comprehensively monitored &#8211; real life, social life and internet life:  who you are, what you look like, where you go &#8211; in real life and internet life, who you work for, what you do, what you say, who your friends are, what you like, what your political views are, what you buy and what you would rather not have others know.  Does this bother you yet?</p>
<p>Even if this unprecedented potential for tracking and data matching &#8211; social convergence &#8211; does not concern a given individual, from a corporate perspective it creates some unique risk management questions:</p>
<ul>
<li>When a person&#8217;s real-world private life, internet private life and real-world corporate identities converge, and that convergence brings disrepute on an organisation, what should be the organisation&#8217;s response?</li>
<li>How can an organisation measure and limit the risk from social convergence?</li>
<li>Should an organisation be actively outcome-testing the social convergence of its key employees in order to anticipate the impact of ill-timed exposures?</li>
<li>Should employees be discouraged from using any data that can be used to match their corporate identities in social media?</li>
<li>Should an organisation actively educate their staff about the risks of social convergence to them and their employer?</li>
<li>To what extent should organisations apply the same social-convergence morality tests to the organisations with which they trade?</li>
</ul>
<p>As a strong proponent of the rights of the individual, freedom of speech and the duty of employers to &#8220;mind their own business&#8221; with respect to the individuals they employ, I find the implications of these questions extremely troubling, but I fear they will not be able to be ignored forever.</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2011/06/24/risk-and-social-networking-part-2-social-convergence/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Risk and Social Networking Sites</title>
		<link>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/</link>
		<comments>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 21:32:44 +0000</pubDate>
		<dc:creator>Jonathan Bishop</dc:creator>
				<category><![CDATA[Enterprise Governance]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Internal Audit]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[FaceBook]]></category>
		<category><![CDATA[KoobFace]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Trojan]]></category>

		<guid isPermaLink="false">http://bpc.bishopphillips.com/riskthink/?p=79</guid>
		<description><![CDATA[Social networking websites as part of your branding, staff integration and presence solutions introduce some interesting risks for risk managers and IT professionals.  There is one group of point risks that are specific to the medium and carry the risk of seriously damaging client and public confidence in your organisation.
]]></description>
			<content:encoded><![CDATA[<h2>Introduction</h2>
<p>So you are looking to lift your company, education institution or government agency&#8217;s web profile&#8230;</p>
<p>You do the usual things: rework the main web site, start up blog feeds, revamp forums, establish wiki or other information feeds, acquire/renew SSL certificates so the site can be authenticated as really being a bricks and mortar business.  So far so good.  All this stuff is under your control on your servers.  Your IT team can establish control and security over the software, you can monitor it, and you get a reasonable level of comfort that you can assure visitors that your site is safe to visit.</p>
<p>Then a consultant advises you that to reach the younger market, or even simply to project a progressive and innovative image you need to embrace the more inclusive social networking spaces like MySpace, FaceBook, YouTube and/or Twitter.   &#8220;Everyone&#8221; is using these sites so they must be safe. Right? </p>
<p>No, wrong. </p>
<h2>Identifying the Social Networking Strategy</h2>
<p>Let&#8217;s look a little more closely at MySpace and FaceBook, specifically.  There are three broad approaches to using these platforms in business:</p>
<ol>
<li>Teams use the sites to establish private networks for intra-team communication;</li>
<li>Employees establish individual profiles and use the sites to establish direct customer to staff connections; and</li>
<li>The business uses the sites (primarily MySpace, in this case) to establish branding for a product or service and allows the public to friend the product or service, etc.</li>
</ol>
<h2>Analysing The General Risks</h2>
<p>Each of these uses, in the right context, carries advantages to the business, so one view of the risk profile would say that not using the facilities is an opportunity cost that may disadvantage the business with respect to the competition, or (in the case of government) with respect to achieving the best possible policy outcomes and staying in tune with a target market or spinning the desired message.  So the case for adoption might consider possible causes of outcome failures to include:</p>
<ol>
<li>Costs of  setup and maintenance (staff time, materials preparation, policy formation, training, etc) exceeding tangible and intangible returns;</li>
<li>Inattention of staff to maintenance of the material &#8211; hence tarnishing the organisation&#8217;s image rather than enhancing it;</li>
<li>Inappropriate, inconsistent,  or confidential content being posted  hence complicating both the public positioning of the business or occasioning legal exposures;</li>
<li>Inconsistent branding or product/business positioning, where branding and positioning consistency are part of the business image, thus creating confusion in the market;</li>
<li>Disproportionate effort/investment (time, cost, attention, etc) being injected into maintenance of social marketing at the expense of other marketing or activity streams when measured in terms of comparative effectiveness and efficiency in achieving the business objectives, thus resulting in an overall drop in business performance and a net reduction in outcome achievement;</li>
<li>Exposure of information that materially benefits competitors more than it advantages the business, thus resulting in a general weakening of the market positioning through more effective and targeted competitor behaviour;</li>
<li>Market awareness of the social services among the target market of potential or actual service consumers being low while awareness among the non-target groups is relatively high, thus resulting in a net reduction in spend efficiency, or no perceived improvement of service among the consumer group;</li>
<li>Increased allocation of staff resources from finite available resources to maintenance of profiling information and friend interaction at the expense of productive outcomes (the traditional email productivity problem) &#8211; thus resulting in a demand for increased resources now for the same transaction outputs as before.</li>
</ol>
<p>We will identify these collective issues as the overall risk &#8220;That adoption of social networking within an Enterprise will fail to achieve intended business objectives&#8221; (such as improved brand awareness, improved profit, public acceptance of policy objectives, improved targeting of consumers through better feedback, etc).  The risk&#8217;s identified causes and consequences can be managed by appropriate remediation strategies and informed through the right measurement systems.  They are essentially under your control &#8211; if in some cases, only just!</p>
<p>Between the three broad purposes of FaceBook/MySpace adoption there are some additional point-risks (a cause &#8211; consequence subgrouping of an overall master risk) that are specific to your purpose for the site(s).  For example:</p>
<ol>
<li>Objectives 1 &amp; 2 increase the information available to both internal and external recruiters, better enabling them to target your staff;</li>
<li>Objectives 2 &amp; 3 increase the group awareness of public perceptions of the business and the individuals because comments and feedback posted to the individual profiles by customers (or people pretending to be customers)  can be visible to all other customers;</li>
<li>Objectives 2 &amp; 3 can be hampered by perceptions of low friend counts implying general public disinterest in the service, or the firm, etc.</li>
</ol>
<h2>Identifying The Show Stopper Risk</h2>
<p>Again these potential outcomes can, to some extent, be managed, but there is another risk that is potentially far more serious.  It is either not under your control or only controlled with an extensive amount of effort on your part.  It is squarely in the IT domain, surprisingly traditional, and arises directly as a consequence of the social networking medium:</p>
<ul>
<li>Client or staff computer infection by Trojan software.</li>
</ul>
<p>Now, before you go &#8220;oh right, that one again&#8221;&#8230;I fall squarely in the camp of IT professionals who consider that virus and Trojan defences are not a big issue, and relatively easy to manage for both the individual and the enterprise.  An enterprise just needs a sensible and proactive defence policy, some basic good house-keeping rules, and common sense.  So this is a most unusual thing for me to decide to highlight.</p>
<p>The difference is the nature of the interaction among users and otherwise experienced and knowledgeable staff that a social web site creates.   If someone you trust gives you something to look at,  in an environment in which you feel secure, you will probably look at it&#8230;and that is the essence of the problem.   I suspect that users are likely to be less cautious in the social networking context than they are even with email systems &#8211; which we know are 98% spam (statistic based on our own email filter logs!).</p>
<p>For some years my IT Audit team ran &#8220;Tiger Team&#8221; penetrations of secure networks.   All IT intrusion specialists understand that, apart from systems that are simply below standard in their defences, effective intrusion generally requires some degree of social engineering &#8211; a bit of research on key people to get an idea of the password possibilities and targets, knowledge of where to go to get access (eg. where branches are located, where systems are located in virtual or physical space, etc), physical access (or virtual access) to a weakly protected node, knowledge about work habits, an understanding of human nature, the ability to claim an association with someone else who is trusted, some degree of trust (eg as an employee) so you can get others to cooperate with you, knowledge of the technologies in use, the ability to hide in a stream of otherwise normal activity without attracting attention, the ability to attract the attention/assistance of individuals or applications that can facilitate an attack without them realising they are assisting, etc.</p>
<p>MySpace and FaceBook in the first instance, deliver on all these fronts:</p>
<ol>
<li>Their nature is to expose personal information about the individuals profiled on the pages &#8211; that is, after all, what they are about.</li>
<li>They provide a common meeting place that is universally known &#8211; the MySpace and FaceBook sites themselves.  The whole point of using these sites is that the job of getting your market to find you is done, so setting up your own version of MySpace or FaceBook on your web site does not achieve the same outcome.</li>
<li>They facilitate knowledge of the technologies in use &#8211; anybody can create FaceBook and MySpace apps, or learn how to create a profile page, or interact with others, etc &#8211; it is the entire purpose of, and essential to, the medium.</li>
<li>The sites create a false sense of safety.  They protect themselves from attack, but not necessarily the users, yet the illusion of a controlled space promotes an expectation that the services available have been vetted, when in fact the nature of the web means that services are no more secure than any other web service.</li>
<li>They foster trust of individuals through artificial group association when in reality &#8220;friends&#8221; are simply random, potentially unknown individuals who are self-selected.  While you do not have to accept them, part of the point about using such a medium to promote yourself or your business/product is that you will probably be inclusive rather than exclusive &#8211; so clients visiting you should not assume that your other friends are in any way a vetted and approved group (as opposed to a user group forum, whose members will generally all be actual clients).   &#8220;Strangers&#8221; would be a better, more appropriate term.</li>
<li>They facilitate the exchange of large volumes of trivia.</li>
</ol>
<p>Now, all this is not necessarily a problem without the last ingredient.  They attract your clients like bees to honey, and because of all the other factors, in the process your clients &#8220;open the door&#8221; &#8211; they click on links of your friends, they view pages with ad feeds fed by a third party, and they post things (potentially with links) to your bulletin boards that you do not control, but that others access in trust.   And it all happens in real time.</p>
<p>Does this matter?  Yes. </p>
<h2>Where Theory Meets Reality</h2>
<p>Here are some examples:</p>
<ul>
<li>In July 2006,  <a href="http://www.theregister.co.uk/2006/07/21/myspace_adware_attack/" target="_blank">1 million users of MySpace</a> were infected with ad-ware simply by visiting profile pages.</li>
<li>In 2007, <a href="http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/" target="_blank">12 million page views potentially</a> infected up to that number of MySpace visitors with a Trojan.</li>
<li>This month and last (2009), an unknown number of MySpace and FaceBook users have been infected by the <a href="http://www.virusremovalguru.com/?p=518" target="_blank">KoobFace Trojan</a> as a result of viewing items added to the postings of friends on others&#8217; MySpace and FaceBook sites.    The first thing this Trojan does is contact all your existing &#8220;friends&#8221; via your site and post messages to them from you with the Trojan embedded in the message (after changing your mood so they are encouraged to take a look!).    The second thing this Trojan does is monitor your key strokes so as to collect identity, account and credit card information.</li>
</ul>
<p>This is just the start of the list.   When we tested this, the KoobFace Trojan slipped straight past two of our anti-virus/anti-spy-ware systems unnoticed!   Our tertiary network analysis defences spotted the change &#8211; but these are security specialists&#8217; tools and not the stuff on normal machines &#8211; and we knew for what we were looking.  Imagine how infecting the networks and computers of your corporate and public clients would help your market brand.  Bad if the client&#8217;s protection systems detected the infection attempt &#8211; but even worse if they didn&#8217;t!   Not only will the Trojan keylogger infection compromise their security, but as they enter the user ids and passwords to access your client support systems, they will compromise your security.</p>
<p>The first problem here is that you and your IT team do not control the platform &#8211; and that is the issue that has to be addressed with all cloud computing solutions.  The second problem is that the essence of these technologies is unstructured social interaction (which is good), seemingly in a playground with nice metal fences (which is also good), but really in the middle of a highway, where the cars and trucks are invisible &#8211; but just as dangerous (which is not so good).</p>
<p>Wan&#8217;na play outside?  Yep &#8211; why not play in the street?</p>
]]></content:encoded>
			<wfw:commentRss>http://bpc.bishopphillips.com/riskthink/index.php/2009/08/20/risk-and-social-networking-sites/feed/</wfw:commentRss>
		<slash:comments>57</slash:comments>
		</item>
	</channel>
</rss>

