Tonight is the last night that Facebook will be a privately held company. In the morning, Facebook shares will hit the market and there will be a feeding frenzy from investors world wide. Stock buyers will put up somewhere near 16 billion (yes with a “B”) dollars to own a portion of the social networking behemoth. However, the Veracode blog isn’t a stock trading or business blog, it’s a security blog. The real concern with Facebook for us security practitioners, is a lack of privacy.
The ability to choose what is disclosed to others is the essence of privacy today. Some would argue that this disclosure policy is not really privacy but equates more closely to confidentiality. Confidentiality deals with relationships and not individual privacy. Confidentiality “involves trusting others to refrain from revealing personal information to unauthorized individuals.”
It’s in this choice of disclosure that the essence of privacy resides. The fact that we willingly give information from ourselves to another entity does not inherently mean that we give permission for that entity to share it with others. Nor does it give the entity the permission to sell, use, or otherwise attempt to profit from that information. Yet that exact premise is what numerous businesses are built upon today. Privacy transference is a major problem.
We click through and digitally sign user agreements that give web properties the rights to share any and all data we upload to third parties. This includes online social networks, games, software as a service solutions, and especially mobile device applications and providers. Advertising is becoming more and more targeted thanks to the customer specific profiles being created. (See Veracode post – Mobile Apps Invading Your Privacy)
Three specific Internet phenomenon have exacerbated the privacy problem to that of high risk making it something that will have to be solved sooner rather than later. The quantity of data we are putting online is enormous and growing exponentially. The type of data that is being placed online is becoming increasingly more private, and in the event we are diligent and only put up public data, many times private information can be inferred. Finally, thanks to big data and the continually lowering cost of storage, we can be assured that all of the data that we place online will be there long after we are gone. The collection of content and the mapping of that data to create a detailed consumer profile is rapidly becoming a major issue for individuals world wide. The collection of detailed data crosses personal boundaries for those that feel it will be abused.
As always I’m sure people want to know how to fix the problem. I don’t have an answer. I wish I did because this is a real problem that requires intelligent solutions. My gut tells me that the problem will be solved eventually via government regulation and intervention. For the sake of businesses and consumers today I hope that we can police ourselves and do the right thing so that government intervention isn’t required. Businesses need to stop private data transference. Consumers must stop putting sensitive data online (I know, this one is a pipe-dream). And everyone must opt OUT of tracking by default and allow users who want the convenience of direct marketing to choose that service, not the other way around.