Sunday, April 27, 2008

washingtonpost.com
Social networking applications can pose security risks

By MARTHA IRVINE
The Associated Press
Sunday, April 27, 2008

CHICAGO -- Sarah Brown is unusually cautious when it comes to social networking. The college sophomore doesn't have a MySpace page and, while she's on Facebook, she does everything she can to keep her page as private as she can.

"I don't want to have to worry about all the different online scandals and problems," says Brown, an education major at St. Joseph College in Connecticut. She'd like to control her personal information and keep it out of the hands of identity thieves or snooping future employers. "It's just common sense."

It sounds like her info is locked down and airtight. But is it?

Turns out, even the privacy-conscious Sarah Browns of the world freely hand over personal information to perfect strangers. They do so every time they download and install what's known as an "application," one of thousands of mini-programs on a growing number of social networking sites that are designed by third-party developers for anything from games and sports teams to trivia quizzes and virtual gifts.

Brown, for instance, has installed applications on her Facebook page for Boston Bruins fans and another that allows her to post "bumper stickers" on her own page and those of her friends. It's a core way to communicate on social networking sites, which allow friends to create pages about themselves and post photos and details about their lives and interests.

People often think Facebook profiles and sometimes MySpace pages, if they're set as private, are only available to friends or specific groups, such as a university, workplace, or even a city.

But that's not true if they use applications. On Facebook, for instance, applications can only be downloaded if a user checks a box allowing its developers to "know who I am and access my information," which means everything on a profile, except contact info. Given little thought, agreeing to the terms has become a matter of routine for the nearly 70 million Facebook users worldwide who use applications to spruce up their pages and to flirt, play and bond with friends online.

News Corp.'s MySpace, which has about 117 million unique visitors each month, recently added an applications platform, giving developers access to the profiles of anyone who downloads them. Unlike Facebook, though, MySpace users don't have to include their names on their profiles.

So what do these third parties do with the information? Sometimes, they use it to connect users with similar interests. Sometimes, they use it to target ads, based on demographics such as gender and age (something Facebook and MySpace also do).

Facebook and MySpace say they hold application developers to strict standards -- and boot them if they don't comply. They also point out that some information, such as e-mail addresses and phone numbers, isn't made available.

But experts who track online security issues think there's too much personal information flying around out there, with few guarantees that it's safe. They also think social networkers have little understanding of where their information goes and how it's used -- and as a result, have a false sense of security.

"I suspect that there's a whole lot of clicking without a lot of thinking," says Mary Madden, a senior research specialist at the Pew Internet & American Life Project who studies privacy issues. "So much of this sharing happens in a way that users don't see the consequences. It's kind of a big, black hole."

Part of the risk stems from Facebook applications being created by anyone, some of them tech-related companies and others individuals with know-how. And they could be anywhere in the world, as is Jayant Agarwalla, co-founder of Facebook's popular Scrabulous application, a takeoff on the game Scrabble.

Reached by e-mail, he says Scrabulous does use demographic information to target ads that show up as a person plays the game. But Agarwalla, who's based in India, stresses that that information is provided in "real time" and not stored. "In my humble opinion, users have nothing to worry about," he says.

Some would argue that it's much like trusting an online vendor with your credit card information.

Still, it's an honor system, says Adrienne Felt, a computer science major at the University of Virginia. A Facebook user herself, she decided to research the site's applications and even created her own so she could see how it worked.

Most of the developers Felt polled said they either didn't need or use the information available to them and, if they did, accessed it only for advertising purposes.

But, in the end, Felt says there's really nothing stopping them from matching profile information with public records. It also could be sold or stolen. And all of that could lead to serious matters such as identity theft.

"People seem to have this idea that, when you put something on the Internet, there should be some privacy model out there -- that there's somebody out there that's enforcing good manners. But that's not true," Felt says.

Last year, Facebook users revolted when the company started using a tool called Beacon, which tracked its users' purchases and actions at dozens of Web sites and then broadcast the data on the pages of the users' friends.

Beacon has since been scaled back.

By comparison, the issue of personal information going to application developers, both on Facebook and now MySpace, has remained relatively quiet.

Jonathan Gaugler, a 26-year-old New Yorker, is one who finds targeted ads on his Facebook page a bit too invasive.

"Getting married? Do your registry here!" read one recent ad that showed up. Another on his fiancee's page was advertising for egg donors for fertility clinics.

"Creepy," Gaugler says.

He keeps his Facebook activity to a minimum as a result -- and rarely downloads an application because he doesn't want to be further targeted.

But many others are much less cautious, seeing the risk of social networking "as low and the reward as high," says Patricia Sanchez Abril, an assistant professor at the University of Miami's business school who studies privacy law.

"It is the chosen mode of communication of everyone they know. So if you're not in it, you're just not in the loop," she says. "There's a lot of peer pressure."

What they don't realize, she adds, is that there is little legal backup if their information is used in a way they didn't intend.

"This is an area that's completely unregulated. Yes, there are contracts. But if the receiving end doesn't abide by the contract, you're still out of luck," Abril says.

And applications, she notes, are only one worry when it comes to online threats.

A social networker's friends can, for instance, give access to personal information or photos in a profile. That happened to the call girl involved in the recent sex scandal with former New York Gov. Eliot Spitzer.

Researchers at Indiana University also published a study last year showing how they "scraped" information from students' social network profiles. Posing as people's friends, they then used the information to fool the students into providing their university ID and password on a bogus external Web site.

Whether the profile is private or not, users should limit the information they post, said Tom Jagatic, one of the researchers and now a senior information technology consultant at the Massachusetts Institute of Technology.

It's good advice, says Jeremy Miller, a fraud investigator based in Nashville, Tenn., but he wonders how many will heed it. He uses MySpace and sees people who routinely list everything from their income to phone numbers on their profiles -- and don't even bother to make their profiles private.

"It's kind of a status symbol, so privacy takes a back seat," says Miller, who works for Kroll Inc., a risk management consulting firm. "It's much like people saying you shouldn't carry your Social Security card around in your wallet.

"But a lot of people still do it."