As much heat as Facebook has taken recently for its privacy policies and the freedom with which it shares data across the Web and around the world, Facebook is still not the biggest threat to online privacy--you are. A study by Consumer Reports illustrates that users are really their own worst enemy when it comes to online privacy.
Here are some of the key findings of the Consumer Reports survey:
• A projected 1.7 million online households had experienced online identity theft in the past year.
• An estimated 5.4 million online consumers submitted personal information to e-mail (phishing) scammers during the past two years.
• Among adult social network users, 38 percent had posted their full birth date, including year. Forty-five percent of those with children had posted their children's photos. And 8 percent had posted their own street address.
• An estimated 5.1 million online households had experienced some type of abuse on a social network in the past year, including malware infections, scams, and harassment.
As I stated in my Open Letter to Facebook on Privacy, Facebook can make services opt-in and explain the security and privacy issues in graphic detail. Most users will accept the terms--and the inherent risks--without even reading the agreement, and will still jump at the opportunity to share information with their own social networks, as well as the rest of the world.
Now, Consumer Reports has--by definition--a consumer-oriented focus. But, the dirty little secret of network and information security is that consumers have jobs, and they bring those same social networking practices into the workplace as well.
IT administrators should be cautious of the way entities like Facebook share data, and concerned when Facebook has serious security issues like those it encountered this week, but should also understand that their own users are a much more serious threat to network security and data protection than Facebook.
Businesses should have policies in place to govern the use of social networking on company computers or network resources. I don't recommend a complete ban per se, but users should be given boundaries regarding which social networks they can or can't visit, or the amount of time spent conducting personal business on social networking sites.
More importantly, users should be educated to raise awareness that seemingly innocuous information shared on the Web can still compromise security. For example, if you post on Facebook that your astrology sign is Virgo, then send out a Tweet about how you were born the same year that JFK was assassinated, then share a comment online that 28 is your lucky number because it's the date of your birthday, it is possible to combine all of those tidbits and derive that your birth date is August 28, 1963.
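The inference the paragraph walks through, as an added example that is not from the original article: each disclosed fact is a filter over the set of possible birth dates, and the code counts how many candidates survive each one, which is the number awareness training should show users. The sun-sign boundary table and the 1940-1999 search window are assumptions.

```python
from datetime import date, timedelta

# Sun-sign windows as (start_month, start_day), (end_month, end_day), inclusive.
# Boundary days differ by a day between sources; this table is an assumption.
ZODIAC = {
    "aries": ((3, 21), (4, 19)),
    "taurus": ((4, 20), (5, 20)),
    "gemini": ((5, 21), (6, 20)),
    "cancer": ((6, 21), (7, 22)),
    "leo": ((7, 23), (8, 22)),
    "virgo": ((8, 23), (9, 22)),
    "libra": ((9, 23), (10, 22)),
    "scorpio": ((10, 23), (11, 21)),
    "sagittarius": ((11, 22), (12, 21)),
    "capricorn": ((12, 22), (1, 19)),   # wraps the year end
    "aquarius": ((1, 20), (2, 18)),
    "pisces": ((2, 19), (3, 20)),
}

def in_sign(d, sign):
    """True if date d falls inside the window for the given sun sign."""
    start, end = ZODIAC[sign]
    md = (d.month, d.day)
    if start <= end:
        return start <= md <= end
    return md >= start or md <= end   # window wraps the year end

def all_dates(first_year, last_year):
    """Every calendar day in the inclusive span of years: the starting search space."""
    start = date(first_year, 1, 1)
    n = (date(last_year, 12, 31) - start).days + 1
    return [start + timedelta(days=i) for i in range(n)]

def narrow_birth_date(hints, first_year=1940, last_year=1999):
    """Apply each disclosed hint in turn; trail records how many dates survive each one."""
    candidates = all_dates(first_year, last_year)
    trail = [("start", len(candidates))]
    for label, keep in hints:
        candidates = [d for d in candidates if keep(d)]
        trail.append((label, len(candidates)))
    return candidates, trail

# Constructed hints mirroring the article's three tidbits (sign, birth year, day of month).
ARTICLE_HINTS = [
    ("posted sun sign is Virgo", lambda d: in_sign(d, "virgo")),
    ("born the year JFK was assassinated", lambda d: d.year == 1963),
    ("lucky number 28 is the birthday", lambda d: d.day == 28),
]
if __name__ == "__main__":
    found, trail = narrow_birth_date(ARTICLE_HINTS)
    print(trail, [d.isoformat() for d in found])
```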
Similar deductions can be made regarding business-related data. As secretive as Apple is about its product development and launch dates, rumors are circulating that the iPhone 4.0 will be launched in June based on the fact that AT&T employees have shared that all vacation and discretionary time off for that month has been banned.
There is also a peripheral risk of compromising information through family and friends. A company vice president may have the common sense not to post any details of an upcoming merger prior to the official announcement, but if that executive's spouse posts a Facebook status update alluding to a huge windfall or new management, others can still put two and two together.
By all means, challenge Facebook, Google, and other online and social networking providers to tighten online privacy controls and respect that users want to control their own data. But, when it comes to exposing sensitive information and sharing personal details, you might want to look in the mirror instead.