About Face: Weighing the Security Risks of Facebook Business Apps

by ID Experts


Having a social media presence and strategy is becoming as much a business prerequisite as having a web site. The business benefits of social networking are obvious. The customers are already there—more than 150 million Americans, 800 million users worldwide—and they are constantly posting personal information that can be leveraged for pinpoint targeting of information and advertising. Businesses can easily take advantage of the information base, the growing ecosystem of Facebook-based business applications, and the Facebook application development platform. Businesses from multi-nationals to the bakery around the corner are nurturing their social media relationships and figuring out how to turn “friends” into dollars.

However, along with all the excitement about the recent Facebook IPO have come some sober reminders that social networking in general, and Facebook in particular, poses potentially serious and as-yet undefined risks for businesses entrusted with personal information. Last November, the FTC reached a settlement with Facebook over “unfair and deceptive practices” regarding user privacy.[1] The FTC order stated that Facebook had, in some cases, allowed advertisers to obtain personally identifiable information when a Facebook user clicked on an advertisement on his or her Facebook page, and that the company had shared user information with outside application developers despite telling its users otherwise. A recent article in Consumer Reports points out that even information that users restrict to Facebook friends can be shared by those friends with third-party applications; that Facebook records whenever a user visits a site with a Facebook “Like” button, whether or not the visitor has a Facebook account or is logged in as a Facebook user; and that the company’s new Tag Suggest feature is collecting biometric data on users in order to automatically tag posted photos with the subject’s identity.[2] Complaints against the social media site over the years have included changes to security settings and policies without notifying users, sharing of private information with advertisers without user consent, and failure or delay in deleting personal information when a user closes his or her account.

If you use Facebook, it knows who you are, where you go on the web, what you read and listen to, your likes and dislikes, and your social schedule.[3] With its vast and active user base, Facebook obviously has enormous business potential. An InformationWeek commentary back in 2010 hailed Facebook as “the ultimate CRM system.”[4] New business applications such as Huddle and NetworkedBlogs offer business collaboration, regionally targeted blogging, and other appealing capabilities that leverage and depend on user identities. However, organizations that are responsible for personal information and subject to regulatory privacy requirements should approach social media-based applications carefully.

There is no point in carefully securing internal systems and practices, only to ask customers and potential customers to share information with you in an environment where you have little or no control. Anyone with a verified Facebook account, including a cell phone number or credit card number, can develop and deploy Facebook applications; there has historically been limited visibility into what user information is gathered and how, where, and with whom it is shared; and the company has a history of making privacy-related changes unilaterally and addressing risks only when security problems are discovered or when users or privacy advocates raise an outcry.

At a minimum, before considering Facebook for business applications, an organization should consider the following:

  • Does the application ask or encourage users to post personally identifiable information or personal health information? (Don’t count on users to protect themselves. Consumer Reports surveys indicate that as many as 4.7 million Facebook users in the last year “liked” a page pertaining to a health condition or treatment, leaving themselves open to “phishing” scams.)
  • Carefully research Facebook privacy practices and mechanisms. How long is data retained? How and with whom might it be shared? Ensure that your privacy and retention policies can be enforced in the social media environment.
  • If you decide to move forward with a Facebook-based application, ensure that Facebook privacy practices and risks are transparent to users, and support them with clear guidance on privacy settings and on what to post and what not to post.
  • Include Facebook and other social media efforts in your ongoing risk assessments, privacy audits and policies, and incident response plans. Keep a constant and careful eye on changing Facebook features and privacy practices. (According to CIO, PrivacyScore recently released a Facebook app that rates other Facebook apps’ privacy on a scale of 0 to 100. You can visit their web page for a quick security assessment of your applications or of third-party applications you’re considering.)

A recent commentary from Forbes[5] admonished Facebook and other social networking sites to learn from the demise of the social news site Digg: ignoring user concerns and the quality of the user experience can be fatal. Any organization with a responsibility for personal information already knows that the greatest risk of a privacy-related incident is the loss of consumer confidence. The social media industry has tremendous business potential, but it has yet to learn that vital lesson, so proceed with caution.

________________________

ID Experts is the leading provider of comprehensive data breach solutions that deliver the most positive outcomes. Founded in 2003, ID Experts has managed hundreds of data breach incidents for leading healthcare organizations, corporations, financial institutions, universities, and government agencies across the United States. As a result, millions of Americans are protected by ID Experts against the threat of identity crime.

[1] Sengupta, Somini. “F.T.C. Settles Privacy Issue at Facebook.” New York Times, November 29, 2011. http://www.nytimes.com/2011/11/30/technology/facebook-agrees-to-ftc-settlement-on-privacy.html
[2] ConsumerReports.org. “Facebook & your privacy.” Consumer Reports, June 2012, pp. 24–31.
[3] Hockenson, Lauren. “7 Big Privacy Concerns for New Facebook and the Open Graph.” Mashable, January 27, 2012. http://mashable.com/2012/01/27/facebook-privacy-open-graph/
[4] Rapoza, Jim. “Facebook Becoming Ultimate CRM System.” InformationWeek Software, November 22, 2010. http://www.informationweek.com/news/228300188
[5] Bercovici, Jeff. “The Lessons For Facebook, Twitter And Reddit In Digg’s Demise.” Forbes, July 13, 2012. http://www.forbes.com/sites/jeffbercovici/2012/07/13/diggs-power-users-explain-the-lessons-from-its-downfall/