Hemanshu Nigam: Mr. Safety for MySpace

Can CSO Hemanshu Nigam make MySpace a safe neighborhood, without also making it an empty one?

It was late August, and depending on whom you asked, MySpace was either a Web 2.0 prophet or the devil gone digital. While the business world was reading about the social networking site's $900 million deal with Google, its expansion into Australia and its mention on Time's list of the 50 coolest websites, the security community was riveted by a different set of headlines. "Two teens arrested in MySpace hack," read one. "Three teens accused of sexually assaulting girl they met on MySpace.com," read another. A third: "Man accused of raping MySpace date."

At a conference in Dallas, Hemanshu Nigam had to address an audience focused on the latter set of headlines. And he was about to find out how public a stage he had stepped onto by taking the job as chief security officer of MySpace, the News Corporation entity on which owner Rupert Murdoch is staking his plans for a digital future. An hour before Nigam's first session, to be given at the annual Crimes Against Children conference, he and a staff member headed to the conference room at the Hilton to set up. They found a line outside the door.

"We asked somebody in line, Are you waiting for something?" recalls Nigam, who is also CSO for all of Fox Interactive Media. "And they said, Yeah, for the MySpace training. As soon as the doors opened, people kept coming, and they kept coming, and they kept coming. All of a sudden you had 4 feet by 6 feet of walking space, and all the way up to that you had people sitting on the floor. All the walls had people standing. It was crawling room only."

People were turned away. Everyone wanted to hear how MySpace could assist law enforcement with criminal investigations.

Nigam, a 42-year-old born in India and raised in Connecticut, took the stage, where he spoke both with the command of a seasoned federal prosecutor of child crimes and the empathy of a father of four. He described MySpace's 24-hour hotline for law enforcement, its track record of helping to find teenage runaways as well as rapists, and its efforts to get IP addresses and other crucial information to officers as quickly as possible. His words seemed to have their desired effect: Afterward, more than 90 percent of those assembled gave his talk a positive rating.

"He seems to be forthcoming in saying, We know there are issues that need to be addressed, and we are addressing them," conference organizer Larry Robbins says. "I didn't get the impression that he was trying to sweep something under the rug."

Law enforcement officers who have tested MySpace's response capabilities say it's not just lip service. "I was actually pleasantly surprised," says Deputy U.S. Marshal Robert Charette, who recently worked with MySpace to track down and arrest a man wanted in two states who was logging in to his MySpace account from a public library in Philadelphia. "We normally are used to waiting days and weeks on end [for subpoenaed information] from phone companies, and I expected a similar type of response from MySpace. But it was an immediate response, and they were extremely cooperative and a pleasure to deal with."

The fact is, the company had better be. MySpace is hot. Last July, according to the research service Hitwise, it passed Yahoo Mail to become the most-visited website in the United States. But as the number of profiles created at the Web community has exploded—to 150 million at the time of this writing, according to the company—so too has its appeal to everyone from small-time drug dealers to pedophiles to murderers. After all, it's just as easy for a criminal to sign up as it is for a 14-year-old who wants to share soccer photos or chat about Justin Timberlake.

The challenge for Nigam is to make the site a safer place for users (and, of course, advertisers) without destroying the very openness that has made it so popular. This places Nigam not just front and center at conferences about child safety, but also at the very nexus of culture, commerce and security. Despite MySpace's seeming ability to respond well when things go wrong, it's still far from certain whether Nigam can make the site measurably safer and more secure—and whether he can ever do enough to appease MySpace critics, including an outspoken group of 32 state attorneys general who want to tighten access to the site.

When Nigam took over last May, "there was a sigh of relief breathed by many folks [who felt] that now, at least, something is going to get done. There's an open door, and there's someone that they can communicate with," recalls Derek Broes, a senior vice president at Paramount Digital Entertainment, who worked with Nigam at two previous jobs. "His biggest challenge will be accomplishing what MySpace wants to accomplish without damaging the company itself and building a poor user experience."

It's no easy task. But as Broes puts it, echoing the sentiments of others who know Nigam, "if anybody is going to find the solution, it's going to be Hemu."

Nigam's New Space

Not long after the media conglomerate News Corp. bought MySpace for $580 million in October 2005 and wrapped it up into Fox Interactive Media, the suits started looking for someone to help improve security at the once-scrappy upstart. Social networking sites such as MySpace, Facebook and Xanga had been flying under the corporate radar despite concerns about child safety, malicious code and copyright infringement. But now things were different. Not only did the largest of those sites' new parent company, News Corp., have deep pockets (2006 revenue: $25.3 billion) but Murdoch also was counting on MySpace to be a big part of his company's strategy going forward. In fact, the News Corp. chairman and CEO told investors it was a $6 billion property. (A Chinese company owned by IDG, parent of CSO's publisher, is in talks with MySpace to invest in a Chinese version of the site.)

Ernie Allen, longtime president of the National Center for Missing and Exploited Children, soon got a phone call from someone at Fox Interactive Media, who wanted his recommendation on CSO job candidates with credibility on child safety issues as well as a solid understanding of technology. Nigam immediately came to mind.

The two men had known one another for more than a decade, since Nigam's days as a federal prosecutor for the U.S. Department of Justice, where he specialized in Internet-related child pornography, child predator, women and child trafficking, and computer crime cases. Later, they worked together when Nigam was director of consumer security outreach and child safe computing at Microsoft. (In between the two jobs, Nigam was a vice president for the Motion Picture Association of America, where he worked on antipiracy initiatives.) Allen had high regard for Nigam's integrity and ability to get things done. "I thought his background was exactly what they needed," he recalls, and said as much to the person on the other end of the line.

At Microsoft, Nigam got a call too. "Somebody said, can you call a friend of mine at MySpace and talk to them because you know child safety? And that turned into, would you like to work here? Then I called Ernie and said, what do you think of this? I don't want to go somewhere just because they're looking for a name from Microsoft. I want to go there because I'm really going to make a difference," Nigam says.

Allen was convinced that in offering Nigam the job, Fox Interactive Media had shown that it was looking for more than a figurehead to appease shareholders and talk to The Wall Street Journal. "I said to them, you should not hire somebody like Hemu if the purpose of this is pure PR, because his whole history is, he's a doer," Allen recalls. "He makes things happen. He tackles challenges and tries to solve them."

Despite the fact that the job would mean relocating his wife and four young children from Washington state to Los Angeles, the opportunity was enticing. "The reality is this company got hit with the worst kind of thing a company can get hit with, and that's predators, but it got hit at the best possible time that a company can get hit with a problem like that, and that's at its nascent stage of development," Nigam says. "The company hadn't been built in a way that it was going to be stuck in its ways. It was only a year and a half old. If they'd called me three years from now, I wouldn't even think about it. Now is the time to set the stage."

The public reaction to Nigam's appointment was swift and positive. With his legal background, technology smarts and reputation as a defender of children, all his experience seemed to lead him to this point.

"We were all optimistic about MySpace's hiring of [Nigam], because we felt that they would be able to implement effective measures," says Jay Chaudhuri, special counsel to North Carolina Attorney General Roy Cooper, the cochairman of a group of 32 attorneys general who have been trying to push MySpace to improve its safety and security practices.

But now, the honeymoon is over.

"In the last six months, MySpace has certainly made some changes," Chaudhuri says, "but are they sufficient to protect children online, and do a majority of attorneys general think MySpace is a safe ‘place for friends,' as they like to call it? I think the answer is no."

Pushing for Change

Within weeks of Nigam's start date of May 1, 2006, MySpace was proclaiming new measures to improve safety and security. First, the company would block members who list their age as over 18 from contacting members who are 14 or 15, unless the adult knows either the young member's full name or e-mail address. (MySpace says that members must be at least 14 years old but does not verify age, which is still a point of much contention.) Second, the company would allow members of any age, and not only 14- and 15-year-olds, to set their profiles to private, making their full information available only to people within their network of "friends." Third, the company would start targeting ads based on age, to ensure that members under 18 don't see ads for tobacco or dating services and that members under 21 don't see ads for alcohol. (This targeting of ads certainly fits into a larger strategy; Eric Openshaw, national managing director of the technology, media and telecommunications group at Deloitte Consulting, says that the amount of information members provide to MySpace makes it a "marketing data gold mine" that might allow News Corp. eventually to recoup its investment.)

Other, quieter changes were made. For instance, MySpace employees noticed that some young members were listing their age as 69 (shorthand for a sexual position). Older members were then running searches for, say, 69-year-olds under four feet tall, in hopes of finding young members interested in sex. Now, members can no longer browse for people over the age of 68.

From his third-floor office at the studiously hip new digs in Beverly Hills that News Corp. built for Fox Interactive Media, Nigam takes a pragmatic approach to these types of changes. He works with his team to create what he calls an issue list. "We look at, what are hackers doing, what are predators doing?" he says. "Then we go to our engineers and say, suppose you have no worries about resources—what can we do to solve these issues? Is there a change we can make or feature we can add?" Once they have this list in hand, they try to figure out which five or 10 things they can do to hit 80 percent of the problem, and they build the priority list from there.

Perhaps the biggest change to grow from this issue list is an attempt to block known sex offenders from the site. A constant stream of news reports of children lured into meeting ill-intentioned adults they chatted with on MySpace have battered the site's reputation. One woman and her 14-year-old daughter sued MySpace for $30 million, after the girl was allegedly sexually assaulted by a 19-year-old man she met on MySpace. (The case was dismissed in February.) An investigation published by Wired in October found hundreds of registered sex offenders who had created MySpace profiles using their real names, and some of them were busy collecting young "friends." So in December, MySpace announced that it was partnering with Sentinel Tech Holding, a background verification vendor, to build a central, national database of known sex offenders—information that previously had been scattered across numerous federal and state databases. The technology, known as Sentinel Safe, will allow MySpace to block those users from the site. (MySpace says its competitors can use the database as well.)

Critics were quick to point out that the move would simply force registered sex offenders to use aliases, but MySpace has been lobbying on that front too. On the heels of the Sentinel Safe announcement came a PR coup: Sens. John McCain (R-Ariz.) and Charles Schumer (D-N.Y.) announced plans to introduce legislation that would force registered sex offenders to disclose their e-mail addresses to law enforcement. Using a nonregistered e-mail address would be a violation of probation or parole. The law, if passed, would provide MySpace with more information with which to make a match. In Virginia, the attorney general pushed for similar state legislation.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)