The booming popularity of social networking sites raises several security issues that must be tackled with educational campaigns and updated legislation, recommends the EU agency for network and information security, ENISA.
In its first position paper on social networking, Enisa defines such websites as “one of the most remarkable technological phenomena of the 21st century” and “a great tool to allow like-minded individuals to interact with each other”.
However, the agency outlines 15 threats related to the incorrect use of online social networks. The report, published on 25 October, distinguishes between privacy, information security, identity and social threats.
An example of a privacy-related threat is what the report terms ‘digital dossier aggregation’. Third parties can easily download and store the profiles of online social network users. Among the negative consequences of this practice is the career-related risk, since potential employers can exclude candidates on the basis of data collected through networking sites. Cases of this kind have already been reported.
The report also underlines the risks for companies whose employees use social networking sites. Dangers include the publication of sensitive information by employees and the illegal use of the tools made available by some sites. The report says, for example, that one “social-networking site-search results page lists employees currently or previously working at Barclays Bank, which could be useful to someone collecting information for a social engineering attack on an enterprise”.
The website concerned is LinkedIn.
Other threats result from spam, phishing, face recognition, worms and viruses, difficulties in deleting an account completely, profile-squatting, stalking and bullying.
Enisa recommends increasing awareness-raising campaigns to make the related risks clear to a naïve user of these sites. The agency suggests carrying out these campaigns on the networking sites themselves to educate people in “real-time”.
The report discourages the banning of online social networks in schools, and promotes the use of the most recent tools to address some of the risks involved. For example, it suggests introducing ‘Report Abuse’ buttons as ubiquitously as ‘Contact Us’ options.
The report underlines that all these problems are not just a matter for service providers or users, but also for governments, who should adapt legislation to the requirements of social websites.
Such sites “present several scenarios which were not foreseen when current legislation (especially data protection law) was created. This means that certain issues may need to be clarified. In some cases, the existing legal framework may even need to be modified or extended”, says the Enisa report.