The booming popularity of social networking sites raises several security issues that must be tackled with educational campaigns and updated legislation, recommends the EU agency for network and information security ENISA.
In its first position paper on social networking, Enisa defines such websites as “one of the most remarkable technological phenomena of the 21st century” and “a great tool to allow like-minded individuals to interact with each other”.
However, the agency outlines 15 threats related to the incorrect use of online social networks. The report, published on 25 October, distinguishes between privacy, information security, identity and social threats.
An example of a privacy-related threat is what the report terms ‘digital dossier aggregation’. Third parties can easily download and store the profiles of online social network users. Among the negative consequences of this practice is the career-related risk, since potential employers can exclude candidates on the basis of data collected through networking sites. Cases of this kind have already been reported.
The report also underlines the risks for companies whose employees use social networking sites. Dangers include the publication of sensitive information by employees and the illegal use of the tools made available by some sites. The report says, for example, that one “social-networking site-search results page lists employees currently or previously working at Barclays Bank, which could be useful to someone collecting information for a social engineering attack on an enterprise”.
The website concerned is LinkedIn.
Other threats result from spam, phishing, face recognition, worms and viruses, difficulties in deleting an account completely, profile-squatting, stalking and bullying.
Enisa recommends increasing awareness-raising campaigns to make the related risks clear to a naïve user of these sites. The agency suggests carrying out these campaigns on the networking sites themselves to educate people in “real-time”.
The report discourages the banning of online social networks in schools, and promotes the use of the most recent tools to address some of the risks involved. For example, it suggested introducing ‘Report Abuse’ buttons as ubiquitously as ‘Contact Us’ options.
The report underlines that all these problems are not just a matter for service providers or users, but also for governments, who should adapt legislation to the requirements of social websites.
Such sites “present several scenarios which were not foreseen when current legislation (especially data protection law) was created. This means that certain issues may need to be clarified. In some cases, the existing legal framework may even need to be modified or extended”, says the Enisa report.
A social networking site is a website on which users can post personal information - similar to blogs, but with the added value of providing tools for developing interaction with other users and filters to determine who has access to the data available.
The main online social network sites are MySpace and
. MySpace was bought by media tycoon Rupert Murdoch two years ago for US $580 million. At the time, the site had some 90 million users - a figure which has almost doubled since, according to the latest figures cited by Murdoch in a recent interview.
Moreover, figures reported in the ENISA paper indicate that in June 2007, MySpace was the most visited website in the US. MySpace's first global competitor is Facebook, valued at US $2 billion in 2006, a year after the sale of MySpace, a figure which by September 2007 had risen far higher, says ENISA.
ENISA - located in Heraklion, Crete - was established as an EU agency in September 2005, in recognition of the increased importance that the EU attaches to communication networks. Its current executive director is Andrea Pirotti, an Italian.
EU official documents
- Enisa Position Paper: EU agency for network and information security suggests updating legislation to face new social networking-related risks (25 October 2007)
- EU directive: Directive on the protection of individuals with regard to the processing of personal data (24 October 1995)
- BBC: Article on Murdoch's acquisition of MySpace (19 July 2007)