Is Facebook use in the enterprise too risky to allow?
With an outright ban on social sites nearly impossible, companies need a strong security regime and staff training, say experts
May 04, 2012 — CSO — It is not news that Facebook, the behemoth of social networking, is less than aggressive about protecting the personal privacy of its 900 million users. But even relatively savvy users may not be aware of how much of their information is collected, how it is used and how little control they may have over it.
And with millions of workers now using social networking in their professional as well as personal lives, those privacy risks extend in a very big way to the enterprise.
Consumer Reports, which released its annual report on Internet privacy and security last week, devotes an entire section to "Facebook and your privacy." Its findings may not surprise most CISOs, but will likely be unsettling all the same.
More than 150 million Americans use the site, with that number increasing daily. And in exchange for helping people do things like stay in touch with family and friends, find old classmates, share photos, organize around interests and causes, promote their businesses and learn about the tour schedule of their favorite band, Facebook collects and distributes vast amounts of sensitive personal information. It is one very prominent example of Big Data.
CR notes Facebook CEO Mark Zuckerberg's claim in a blog post last November that "We do privacy access checks literally tens of billions of times each day to ensure we're enforcing that only the people you want see your content."
But CR does a reality check on the claim: "Facebook gets a report every time you visit a site with a Facebook 'Like' button, even if you never click the button, are not a Facebook user, or are not logged in."
"Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge," CR writes.
That information includes visits to pages about health conditions or treatments, which would interest insurers; announcements about attending an event, which would interest burglars; and information about sexual, religious and racial/ethnic affiliations, intimate relationships and even drug use, which would interest potential employers.
ITWorld's Dan Tynan reported last week on how many of the more than 500,000 games, puzzles and quizzes on Facebook exist mainly for the purpose of "sucking data out of your account."
Some of those apps violate Facebook policies, but Tynan notes that the enforcement of those policies can be lax, at best. And while there is now a Chrome plug-in called Privacy Score from Privacy Choice that rates how each app treats your data, that score is largely based on the policies published by the apps and tracking companies, which can also have credibility problems.