Monday, October 18, 2010

Facebook, Privacy, and the Department of Homeland Security

For a virtual book's worth of posts I've done in the past on Facebook's rather strained and adversarial relationship with privacy just put in "facebook" in the search box in the upper left corner and click search. Due to time constraints (been keeping me from posting here as much as I'd like), rather than rehash all of Facebook's "attack on privacy greatest hits", I want to get straight to what privacy expert Bruce Schneier had to say on the issue last week and then get to some recent revelations coming from documents obtained by the Electronic Frontier Foundation indicating the Department of Homeland Security is big on social network surveillance.

First, Bruce Schneier on how social-networking sites deliberately encourage people to disclose personal details about themselves so the sites will have content to sell to advertisers.

Zdnet reports: "These CEOs are deliberately killing privacy — it's their market — and Facebook is the worst offender," Schneier told reporters at RSA Conference Europe in London. "In the end, Facebook will do its best by its customers, who aren't you [but advertisers]."


Schneier added that people "shouldn't be surprised" that a service paid for by third parties is acting in the interests of those third parties.

Earlier in the day, the security expert said in a conference keynote speech that many social-networking sites only give limited options for privacy. For example, Facebook does not make it easy to delete posts, and those posts are shared with a wide variety of people, Schneier noted.

He told the press conference that organisations are collecting increasing amounts of data on people, to the detriment of privacy. While technical solutions implemented by ISPs would go some way to improving internet privacy, governments should ultimately shoulder the responsibility, he said. "I would like to see governments pass broad data-protection laws," Schneier added.

Now, coupled with Schneier's remarks, I found this bit of related, and concerning news.

Documents obtained by the Electronic Frontier Foundation reveal two forms of tracking: First, surveillance of social networks to investigate applicants for citizenship, and second, the Homeland Security Department's use of a "social networking monitoring center" to collect and analyze public communication during the period of President Obama's inauguration.

A May 2008 memo (obtained by the EFF through a Freedom of Information Act request) by officials at U.S. Citizenship and Immigration Services, a unit of DHS, encourages security employees to "friend" citizenship petitioners on social networking sites as a means of ferreting out fraud.

"Many of these people accept cyber-friends that they don't even know," the document says. "This provides an excellent vantage point for FDNS (Office of Fraud Detection and National Security) to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities."

Here's more from EFF:

Of the two disclosures, the citizenship verification initiative is perhaps the most disconcerting, both for its assumptions about people who use social networking sites and for its potentially deceptive and unethical approach to collecting information. Specifically, the disclosure contains a May 2008 memo by the U.S. Citizenship and Immigration Services (USCIS) entitled Social Networking Sites and Their Importance to FDNS [Office of Fraud Detection and National Security] [PDF] which states:

Narcissistic tendencies in many people fuels a need to have a large group of “friends” link to their pages and many of these people accept cyber-friends that they don’t even know. This provides an excellent vantage point for FDNS to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities.

This social networking gives FDNS an opportunity to reveal fraud by browsing these sites to see if petitioners and beneficiaries are in a valid relationship or are attempting to deceive [United States Citizen and Immigration Services] about their relationship. Once a user posts online, they create a public record and timeline of their activities. In essence, using MySpace and other like sites is akin to doing an unannounced cyber “site-visit” on a [sic] petitioners and beneficiaries.

(Emphasis added). In other words, USCIS is specifically instructing its agents to attempt to “friend” citizenship petitioners and their beneficiaries on social networks in the hope that these users will (perhaps inadvertently) allow agents to monitor their activities for evidence of suspected fraud, including evidence that their relationships might not live up to the USCIS’ standard of a legitimate marriage.

More analysis from EFF: "Of course, there are good reasons for government agencies and law enforcement officials to use all the tools at their disposal, including social networks, to ferret out fraud and other illegal conduct. And while one might just chalk this up to another case of “caveat friendster," it does raise some questions about the agency’s conduct.

First, the memo makes no mention of what level of suspicion, if any, an agent must find before conducting such surveillance, leaving every applicant as a potential target. Nor does the memo address whether or not DHS agents must reveal their government affiliation or even their real name during the friend request, leaving open the possibility that agents could actively deceive online users to infiltrate their social networks and monitor the activities of not only that user, but also the user’s friends, family, and other associates. Finally, the memo makes several assumptions about social networking users that are not necessarily grounded in truth and reveal the author’s lack of understanding of the ways people use social networking sites.

...the memo engages in armchair psychology by assuming a large friend network indicates “narcissistic tendencies.” Second, and perhaps more disturbing, the memo assumes a user’s online profile always accurately reflects her offline life. While Facebook and MySpace would like their users’ profiles to always be current and accurate, users may have valid reasons for keeping some of their offline life out of their online profiles (for example, many users still feel their relationship status is private). Unfortunately, this memo suggests there’s nothing to prevent an exaggerated, harmless or even out-of-date off-hand comment in a status update from quickly becoming the subject of a full citizenship investigation."

No comments: