Friday, March 16, 2012

Should your employer care about your (off time) privacy?

Originally posted 4/7/2011 at

Have you ever thought about how the things you do online when you're not at work could affect your job? I'm not talking about a careless rant on Facebook or an ill-considered tweet about your boss. I'm talking about all the information you put up online. Even if all you do is use Google to find information, you've probably put far more than enough information online to identify you.

In 2006 AOL released "anonymized" search logs, and reporters at the New York Times were able to identify a searcher by name from nothing but her queries. For an idea of the kinds of things available in search data, look at the Consumerist's post on AOL user 927. I'm sure he didn't want anyone knowing what he was searching for. Just to make sure we understood how much we tell about ourselves online, around the same time Netflix released an anonymized set of movie ratings for its Netflix Prize contest. Researchers (Arvind Narayanan and Vitaly Shmatikov) showed that matching a handful of a person's known ratings, such as public ratings on IMDb, against that data was enough to pick out the person's full Netflix record, and that the records they recovered could reveal sexual orientation and political leanings. They never published the de-anonymized data, but an in-the-closet lesbian mother still sued Netflix over the release. All of it based on the movies people rented and rated.
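To make the Netflix point concrete, here is a toy linkage attack in the spirit of the Narayanan and Shmatikov scoring. This is an added example, not code from the original post or from the researchers: the "release" and the attacker's auxiliary knowledge are constructed, record ids are invented, and the margin test at the end is a simplification of the paper's eccentricity test (gap between best and runner-up relative to the spread of all scores). What carries over is the core idea: each known rating that approximately matches a record adds to that record's score, rare titles count for more than blockbusters, and a record is only named when it stands clearly apart from the rest.

```python
import math
from collections import Counter

# Constructed "anonymized" ratings release (not real Netflix data):
# record id -> {movie title: (stars, day the rating was entered)}.
# Names are gone; only the ratings themselves remain.
ANON_RELEASE = {
    "rec-001": {"Movie A": (5, 120), "Movie B": (3, 121), "Movie C": (4, 200), "Movie D": (1, 300)},
    "rec-002": {"Movie A": (5, 118), "Movie B": (3, 121), "Movie E": (2, 150)},
    "rec-003": {"Movie C": (4, 205), "Movie D": (2, 290), "Movie F": (5, 400)},
    "rec-004": {"Movie A": (4, 500), "Movie B": (2, 510)},
    "rec-005": {"Movie A": (5, 119), "Movie B": (3, 122), "Movie E": (3, 160)},
}

# Constructed auxiliary information: a few ratings the attacker already
# knows about a named person (think public IMDb ratings), with rough dates.
AUX_ALICE = {"Movie A": (5, 119), "Movie B": (3, 123), "Movie C": (4, 202)}
AUX_BOB = {"Movie F": (5, 398), "Movie D": (2, 285)}


def movie_popularity(release):
    """Count how many records rated each title; rare titles identify people best."""
    counts = Counter()
    for ratings in release.values():
        counts.update(ratings.keys())
    return counts


def record_score(aux, record, popularity, rating_tol=1, day_tol=14):
    """Sum, over the attacker's known ratings, a weight for each one the record
    matches within the tolerances. Weight is 1/log(1 + popularity), so a title
    only one person rated says far more than one everybody rated."""
    score = 0.0
    for movie, (stars, day) in aux.items():
        if movie not in record:
            continue
        rec_stars, rec_day = record[movie]
        if abs(rec_stars - stars) <= rating_tol and abs(rec_day - day) <= day_tol:
            score += 1.0 / math.log(1 + popularity[movie])
    return score


def deanonymize(aux, release, margin=1.5):
    """Return the record id the auxiliary ratings point to, or None when the
    best candidate does not beat the runner-up by the required margin.
    Refusing to guess on ambiguous input is what keeps false matches down."""
    popularity = movie_popularity(release)
    scored = sorted(
        ((record_score(aux, rec, popularity), rid) for rid, rec in release.items()),
        reverse=True,
    )
    (best, best_id), (runner_up, _) = scored[0], scored[1]
    if best == 0.0:
        return None
    if runner_up > 0.0 and best / runner_up < margin:
        return None
    return best_id


if __name__ == "__main__":
    print("Alice ->", deanonymize(AUX_ALICE, ANON_RELEASE))
    print("Bob   ->", deanonymize(AUX_BOB, ANON_RELEASE))
    # One popular rating alone is shared by several records: no confident match.
    print("one rating ->", deanonymize({"Movie A": (5, 119)}, ANON_RELEASE))
```

Three known ratings are enough to single out Alice's record even though two other records share two of them, and Bob's single rare title plus one date-tolerant match does the same. A single rating of a popular title matches three records equally and is correctly reported as no match, which is the safeguard a real attacker also wants: a wrong identification is worse for them than none.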

If so much can be discovered from supposedly anonymized data, imagine what can be learned from your Twitter and Facebook accounts. It's not uncommon for people to post their full name, birthday, all the schools they attended, the names of most of their family, pets past and current, favorite everything, first everything, and just about everything else. How many of those things are used as security questions to recover your password for your online banking? How many of those things, or some permutation of them, are used as passwords by people? How many of them are used for passwords related to work?
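The "some permutation of them" part is exactly what a targeted wordlist does. Below is an added example, not from the original post, that turns a constructed set of profile facts into password candidates (capitalization, leet substitutions, years, common suffixes, two-word combinations) and then uses the same list in both directions: an attacker checks candidates against a stolen hash, and a defender rejects a new password that the list would produce. The profile, the hash and the helper names are all invented for the demonstration; a plain SHA-256 stands in for whatever hash the stolen credential store used.

```python
import hashlib
import itertools

# Constructed profile facts of the kind people post publicly.
PROFILE = {
    "first_name": "Alice",
    "pet": "Fluffy",
    "birth_year": "1985",
    "school": "Lincoln",
    "team": "Cubs",
}

SUFFIXES = ["", "!", "1", "123", "#1"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for the breached store's hash."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "stolen" hash of a password built from the profile above.
VICTIM_HASH = sha256_hex("Fluffy1985!")


def word_variants(word):
    """Case variants of a word plus their leet-speak spellings."""
    base = {word.lower(), word.capitalize(), word.upper()}
    return base | {w.translate(LEET) for w in base}


def candidate_passwords(profile):
    """Build the permutations of profile facts that people actually use as
    passwords: word+suffix, word+year(+suffix), word+two-digit year, word+word."""
    words = [v for v in profile.values() if not v.isdigit()]
    years = [v for v in profile.values() if v.isdigit()]
    tails = SUFFIXES + years + [y[-2:] for y in years]
    out, seen = [], set()

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in words:
        for variant in sorted(word_variants(word)):
            for tail in tails:
                add(variant + tail)
                if tail.isdigit():
                    # "Fluffy1985!" style: a year followed by one more character
                    for extra in ("!", "1"):
                        add(variant + tail + extra)
    for first, second in itertools.permutations(words, 2):
        for variant in sorted(word_variants(first)):
            add(variant + second.lower())
            add(variant + second.capitalize())
    return out


def crack(password_hash, profile):
    """Attacker side: try every profile-derived candidate against a hash."""
    for candidate in candidate_passwords(profile):
        if sha256_hex(candidate) == password_hash:
            return candidate
    return None


def derived_from_profile(password, profile):
    """Defender side: reject a password the attacker's generator would produce."""
    return password in set(candidate_passwords(profile))


if __name__ == "__main__":
    print(len(candidate_passwords(PROFILE)), "candidates from", len(PROFILE), "facts")
    print("cracked:", crack(VICTIM_HASH, PROFILE))
    print("fluffy85 allowed?", not derived_from_profile("fluffy85", PROFILE))
```

A few facts expand into thousands of candidates, which is nothing for an offline attack against a hash but far too many for a human to reason about when picking "something only I would know". The defender-side check is the useful takeaway: if your password policy can be fed the same public facts an attacker can, it can refuse the passwords those facts generate.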

But even if you use randomly generated passwords, all of that information is useful to bad guys. It is the ammunition for the weapons used in social engineering attacks. With the information on many people's Facebook pages a skilled social engineer can gain trust, either from you or from someone you know. After all, if he knows so much about you he must know you. Using that trust he (or she) will get information a person would normally never give someone they barely know. It works better than you might think. A lot better. But if a salesman has ever sold you something you didn't really want or need, or if you've ever watched the cold reading John Edward does on "Crossing Over", you know that.

Without privacy you can't have security, and many of us don't even think about privacy while we're online. It's bad enough when I think about all the individuals exposing themselves to all the bad guys on the internet. Then I think about the CSOs who are trying to protect data hidden behind passwords and relationships tied to all that information being published on Facebook, Twitter and the rest of the web, and I wonder how we manage to keep any data secret at all.