Corporate Security

Harvesting Data From Social Media – A Can Of Data Protection & Privacy Worms?

NOTE: This is a previously unpublished draft. I had completely forgotten about it. I can only assume I felt jumpy for years about depth of some of my data protection knowledge, but it does rather make my subsequent specialisation in data protection less surprising. Rather than rewrite I’ve decided to publish. 0_9220113250.jpgIt’s a window into past events and issues are just as pertinent as they were 4 years ago.

There’s tangible legal and moral tension between naivety and greed in the current social media-verse. On one hand, an evolution of the definition of private, with generation Y making parents, companies, and security bodies ever more nervous about what they consider acceptable to share (spuriously so in many cases).

On the other hand, all firms with an iota of interest in digital futures are scrabbling to gather and analyse as much content as possible. Desperate to secure that competitive advantage for future product development and marketing.

To compound the tension, data protection legislation just isn’t keeping up, neither is broader related case law. Not least because politicians and judges are woefully ill equipped to understand the challenges and most are at least a generation removed from those building the new natural law. New rights and wrongs defined by the way virtual communities interact with the internet.

There is a very real possibility that companies could be hit with a raft of requirements to catalog, delete or more stringently protect the buckets of data already gathered. That can be an incredibly pricey undertaking and derail all kinds of plans and systems that have come to depend upon it.

Is ignorance a defence if data is lost, stolen or misused?

In my opinion, one of the most serious disconnects between current law, the openness of web dwellers and companies taking advantage of that, centres around an old principle;

“Ignorance is no defence”

Actus reus and mens rea (despite sounding like unpleasant medical conditions), are also quite important. The former is the actual activity and the latter refers to the circumstances/intent surrounding it. Here’s what Wikipedia has to say if you’re feeling up to it.

social-media-ignorance.001-16ncs04On the side of the general public, How can anyone reasonably expect folk to get all the words (let alone the implications) of terms and conditions and associated privacy policies? And, lets face it, who reads the small print anyway? Apparently, being a paranoid security person, I’m among only 7% who do.

Even then, it’s not just absorbing and interpreting rafts of information, it’s keeping track when Ts & Cs change (yes I’m looking at you Facebook). Finally, unless you have joint honors in cyber security and data analytics, you have next to no chance of grasping all the new ways your data can be criminally or commercially exploited. That, in my book, adds up to a great defence for being ignorant of the rules.

It’s not just Joe or Josephine Bloggs who would be utterly appalled by the number of “selected 3rd parties and trusted partners” who legally get access to data shared with favourite websites. Everyone from your CEO to your next-door neighbour has great fun working out how public or private their next post, pin, update or upload will be.

The people who really call the financial and political shots may join the fight with the tech firms in possession of most of this data, because they have skin in this game too…when they’re not leveraging it to obtain intelligence and build influence.

On the side of companies, many are turning to relatively young players in the IT service market to buy in social media management and data analytics capability. The seeds of this post were sown some years ago after a fellow InfoSec pro told me about a discussion with an early entrant in this market.

Data Protection Act definitions (especially ‘personally identifiable data’, ‘data processor’ and ‘data controller’) aren’t desperately helpful when trying to unpick contractual liability for protection of social media information gathered and transferred across international borders. Latest EU Data Protection Regulations are also hard to practically apply. Many suppliers, especially those not used to operating in highly regulated industries, fail to grasp the subtleties, typically falling back on these kinds of statements:

“But it’s just public data”

or, in the case of demographic data and online user names

“But it’s not personal data”

The implication clearly being that this negates any debt of care. It doesn’t of course, but legal waters are still muddy. How closely are you watching changes to data protection and privacy law to make sure you don’t get any nasty surprises?

Right to be forgotten or free rein to erase history?

040bddbPast ignorance is now being seen as a legal defence with the new-ish (it’s roots are many years old) Right To Be Forgotten (RTBF). Free speech battle lines have been drawn with Eurocrats on one side and the US and civil liberties campaigners on the other (Wikipedia founder Jimmy Wales recently called it “deeply immoral”).

The concerns boil down to a fear that fundamental rights to free speech could be eroded, or (more dramatically) history could be altered or erased. Not the intention set out by Viviane Reding (European Commissioner for Justice, Fundamental Rights, and Citizenship). To quote from a user friendly but detailed article in the Stanford Law Review.

“When Commissioner Reding announced the new right to be forgotten on January 22, she noted the particular risk to teenagers who might reveal compromising information that they would later come to regret. She then articulated the core provision of the “right to be forgotten”: “If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system”

If someone shares something that is later legally deemed irrelevant (or, if you’re feeling cynical, politically unhelpful), by whatever yardstick we land on, they can get it removed from search results. Over 91,000 requests to take down data were submitted between May and July and cases have already gone to court. Implications of a recent ruling are explored by Daniel Solove (Research Professor of Law at GW Law School). This isn’t a trivial thing. Search providers who refuse to comply could be liable to a fine of up to 2% of their global income (that’s 2% of $15.7 billion for Google in 2013). A BIG stick.

Social media platforms and bulk personal data stores are a red rag to cyber underworld bulls

If in any doubt about the motivation to target personal data, here are some fun facts;

“By some accounts, the ‘Cyber Black Market’ yields more profits than the global illegal drug trade, meaning it’s larger than many of the multi-national corporations currently listed on the Nasdaq” Peter Nguyen in May for Hotspot Shield Blog

Financial information is still the main prize. In 2013, Idan Aharoni (Head of RSA Cyber Intelligence) told a TIME reporter one of the most expensive commodities is a package of “fulls” — a single package with a victim’s credit card number, social security number, expiration date and mother’s maiden name — at that time the cost was about $4 to $5 per victim.

Even seemingly innocuous bits of data are being used to effectively plan crimes including burglaries (they knew you were on holiday), kidnaps (ever posted a picture of your child in their uniform), phone scams, phishing, commercial espionage and terrorism.

There are underground forums dedicated to finding missing pieces of data. Bounties are posted to attract cyber-criminals able to provide that last vital fact about companies and individuals. It’s black hat bingo. The prize – the potential financial gain from whichever crime the poster has in mind.

Lawyers and Information Commissioners struggle to interpret the law as it applies to social media too

The critical benchmark for an actionable data protection case is harm not media excitement, but the latter appears to influence some decisions.

The biggest complication with social media is that value and therefore harm are also evolving concepts. Just like their attitudes to data sharing, gen Y think about their virtual selves in a way the judiciary have little chance of understanding. Users and their followers imbue online accounts with significant emotional and increasing financial value. Heck, Twalue and many other sites make it explicit (my @S_Clarke22 ID comes in at about $200 at the mo – not quite time to hook that big bucks advertising deal, but who knows – any offers welcome).

As mitigation, we all (including Information Commissioners), struggle to quantify reputation damage for either companies or individuals. Here is the UK ICO’s take on responsible social media use. It’s not addressing many of the challenges highlighted here, but they are not easy challenges to address. While definitions and legal interpretations are hard to apply to this kind of freely shared data, it really all boils down to how you or your customers would be impacted if something goes wrong.

How do you keep on the right side of data protection and privacy law?

download (40)

Until legal waters are easier to navigate individuals and companies will have to draw (and regularly review) their own lines in the sand for what is and isn’t acceptable.  Two fifths of companies use social media to screen candidates, but the legality of that is now being questioned and Facebook is in the middle of class action lawsuit (with over 17,000 claimants) alleging they have abused their access to user data. Proof that preexisting lines can and do move.

It’s essential to personally and professionally risk assess the potential fallout of the great data grab. How hard will reputations and bank balances be hit if data is lost, disclosed or stolen?  Would your customers be hacked off, what could hackers do and would media hacks have a story?

You need to keep your data protection and privacy SMEs close right now and make sure they are keeping an eye on this. It should be a key consideration in supplier selection, contract negotiations, change management and security training for all staff. Think about contingencies because the legal interpretation of ‘acceptable’ data usage is evolving.

You could try and follow Google’s lead if you can find and afford one of the lawyers able to practically interpret privacy law in the context of new technologies and data handling practices. The pool of these skills is growing, but currently very shallow.

Irreconcilable differences?

The law on data protection and privacy is being pulled in many different directions at the moment and lawmakers have competing motivations. It makes the position in the near future very hard to predict…

  • Will those with most to lose support things like the right to be forgotten for personal or political reasons? Possibly.
  • Will they understand all implications of stopping the free flow of information that defines the value of the internet? Probably not.
  • Will companies get caught out by their greed after merrily scooping up terabytes of our data, not appreciating the security risks or the possibility that current actions could later be deemed illegal? Entirely likely.
  • Will everyone you know get bitten (more or less seriously), on the ass because of data they carelessly shared or didn’t adequately secure? This is almost universally a current reality – ask around.
  • Does any of this matter when governments are increasing their surveillance and data retention rights year on year? Something for another post.

How do we reconcile these competing needs?

The need for meaningful, enforceable protection for netizens vs the need to oil the wheels of commerce vs the risk of breaking the spirit of the internet…that cherished means to connect for knowledge hungry, creative, entrepreneurial, inspiring, humanitarian, lonely, ill and oppressed people of every country in the world.

We will have to wait and see.

Want to add to the discussion?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.