Facebook, MySpace, LinkedIn, Twitter, Ning, Digg, MeetUp, blogs, etc. — the number of social networking sites and tools is exploding. Social networking is the killer app of the Internet for everyone – not just the texting teenybopper crowd. Such sites have breached the walls of the corporate firewall, are a part of our most important smartphone apps, are a vital tool for any serious job search, and are the new way to connect with current and new friends. Social networking is about self-forming groups, a dynamic author Clay Shirky examines in his book Here Comes Everybody: The Power Of Organizing With Organizations.
But using social networking tools and sites seems to be in direct conflict with another important principle of using the Internet – protect your identity from identity theft. Participating in online social networking sites leaves a trail of personal information that can make stealing your identity a whole lot easier. What’s a current-day Internet user to do? Should we go blithely along like a fish protected in a larger school of potential identity theft victims, or maybe we should forego social networking altogether? No and no. Instead each of us should take responsibility for protecting ourselves. On the following pages, I bring you my top 12 tips to help you practice safe social networking.
TIP 1 – Beware of TMI: the five things you should never share
Social networking means opening up and sharing information online with others, but there’s some information you should never share online. Protecting yourself from sharing Too Much Information (TMI) can save you from identity theft and even protect your physical safety. So let’s start with the obvious … never share your social security number (including even just the last 4 digits), your birth date, home address or home phone number (although sharing your business phone is ok). Of course, you should protect all of your passwords, PIN numbers, bank account and credit card information.
But I advise you to never share the state where you were born as this information can be used to obtain your social security number and other identity information. Facebook, for example, allows you to restrict who can see your birthday or your hometown (oftentimes the same as your city of birth). But not every site has these options. In those cases avoid the problem altogether by not entering information you don’t want to share. If the sites you are using don’t offer these kinds of protections, e-mail them and request these features. If enough of us make the request, they’ll get the message.
TIP 2 – Customize privacy options
Social networking sites increasingly give users more control over their own privacy settings. Don’t assume you have to take whatever default settings the site gives you. Check out the settings, configuration and privacy sections to see what options you have to limit who and what groups can see various aspects of your personal information. Facebook probably has some of the broadest privacy options, giving you control where no one, friends, friends and networks, or everyone can see basic info, personal info, photos, friends and postings.
Search is a new area where users are gaining control of what others are allowed to see. Some sites let you set limits on who can see search results about you on the social networking site.
If you’ve just joined a social networking site, or even if you have been a user for some time, log onto your account and view and adjust the privacy settings – new settings are often added over time.
TIP 3 – Limit work history details on LinkedIn
Would you put your full resume online for everyone to see? Probably not. It would be too easy for identity thieves to use the information to fill out a loan application, guess a password security question (like hackers did with VP candidate Sarah Palin’s Yahoo account) or social engineer their way into your company’s network. Limit your work history details on sites like LinkedIn. If you feel you need the added information to help in a job search, expand the details during the job hunting process and then cut back later after you have a position, leaving just enough information to entice recruiters to contact you with interesting new positions.
LinkedIn also offers some capabilities to restrict information. You can close off access by others to your network of contacts, something you don’t have to share if you don’t want. This is a common practice by sales professionals and recruiters not wanting to expose their valuable network to others who might poach customers or prospects from them.
TIP 4 – Don’t trust, just verify
There are lots of reasons (most of them bad) why someone might impersonate or falsify an identity online. It could be as a prank or for “fun” such as those who impersonate a celebrity as satire. Faking an identity has a legit side too – it can be used by people who simply want to conceal who they are in order to protect their real identities. But it’s also the first step of those who want to embarrass or defame someone else by impersonating them, or steal an identity for financial gain or other crimes. Two security researchers demonstrated at the Defcon/Black Hat 2008 conference how easy it is to set up a Facebook or LinkedIn site using a false or impersonated identity, including links to malicious sites.
The question becomes, how can you verify that the page belongs to who you think it does before sharing too much information or clicking on links? Start by being on the lookout for anything unusual or out of the ordinary. If the content on the site doesn’t look like or sound like the person you know, avoid it. E-mail or call your friend to verify the site is legit. Let them know, too, if you think someone else is faking your friend’s identity online.
TIP 5 – Control comments
Blogs are beginning to use authenticated commenting systems like Intense Debate (acquired by Automattic, the makers of WordPress blogging software). Anonymous blog comments (marked as anonymous) are fine but some goofballs get their jollies leaving comments under someone else’s name. It probably happens more often than we think. Commenting systems like Intense Debate allow users to make anonymous or unregistered comments, or registered users can log in and leave the comment as a verified user, letting others know it really is them. Contact the site administrator immediately if you find someone is impersonating you on a social networking site or in blog comments. Most reputable sites will take down the impersonated content. If they won’t remove the content, ask that they note you’ve contacted them indicating you didn’t leave the comment or personal page.
TIP 6 – Avoid accidentally sharing personal details
You wouldn’t put a note on your front door stating, “Away for the weekend… Returning on Monday.” Micro-blogging tools like Twitter and “What are you doing right now?” features in Facebook, LinkedIn and other social networking sites make it easy to let details slip you wouldn’t otherwise tell friends or strangers. Be aware of what information you put out there which others might use for nefarious purposes.
Micro-blogging tools are a bit like the proverbial frog in slowly warming water that’s eventually brought to a boil. Over time, seemingly innocuous information can be pieced together, giving lurkers a much more complete and rich picture of you, your family, your habits and other personal information. Software like Twitter is often used at conferences, parties and other social scenes where alcohol is consumed. That makes it even easier for personal details to slip out for the world to see. Twitter users frequently use it to communicate and share their travel woes, giving a clue to others that you aren’t at home, leaving your family or possessions at risk for intruders. Just keep that in mind as you share tidbits of your life on micro-blogging tools. You might want to be a little bit less specific in your tweets.
TIP 7 – Search yourself
It is a good idea to search your name on Google and check out your profile as others see it on social networking sites. Understand where you show up and what information is available about you, and then adjust your profile, settings and habits appropriately. Don’t worry, it’s not vain if you only search your own name once a month or so. If you unexpectedly see your name in locations you don’t frequent, it could give you a heads up someone else is using your identity online. Set up a Google alert with your name, which emails you when Google finds your name on sites. While some names, like John Smith, are so common they would generate lots of false positives, you may still find out a lot about where your information is appearing online. Even if you find there are others online with the same name, it can help you avoid confusion (or maybe it’s an opportunity to reach out and connect to a namesake).
TIP 8 – Don’t violate your company’s social networking policies
You’ve probably heard about an employee who was outed when playing hooky because they called in sick but blogged or Twittered about their escapades that same day. But there are more serious reasons you might be let go from your job due to the use of social networking tools. As blogging and social networking sites enter the workplace, so too are corporate acceptable use policies (AUP) being updated to define boundaries for employees, contractors and the company. Data leakage incidents (loss of corporate, confidential or customer information), making inappropriate public statements about the company, using corporate resources for personal uses and harassing or inappropriate behavior toward another employee can all be grounds for reprimand or dismissal. Social networking sites are another way those things can happen and they create an easy digital paper trail to investigate.
Data leakage (or loss) prevention is currently one of the hottest areas in security. Companies are looking for ways to prevent company confidential and proprietary information from slipping through the firewall. Most incidents probably occur via email or file transfers but IM chat tools, blog posts, Twitter messages and even online resume content could disclose proprietary company information. Even using social networking sites on company time or using company resources could be a violation of the company’s acceptable use policy. Before you become the corporate poster child for some publicly humiliating episode from using social networks at work, check your corporate AUP to make sure you aren’t violating the policy.
TIP 9 – Learn how sites can use your information
There is currently a lot of M&A activity in the social networking software industry. A significant part of what an acquirer buys when acquiring a social networking company is the community of users on the site. Your account, including personal information, trades hands from the old company to the new one as part of the transaction. Privacy statements on sites like Digg discuss situations like this. The new owners may have new and different plans for using the information contained in the site. Changes in privacy policies may follow an acquisition. Watch for this when you hear about an acquisition and always read notifications about changes to privacy terms, acceptable use policies and user agreements.
TIP 10 – Forget the popularity contest
Put a number on something and suddenly you have a competition. The person with the most “friends” isn’t necessarily the winner in social networking, unless of course you are running for president or you are in some type of recruiting, sales or media business. That’s just more people, including possibly strangers, who now have access to more of your information. It is best to only friend people who really are or have become your friends. Your personal information has less opportunity for misuse. If you do get an unsolicited invite to connect, check them out first and try to figure out why you know them or if you even do at all.
For some, blogging and social networking sites are more than casual places for casual connections. Presidential candidates use MySpace and Facebook to reach out to constituents and hundreds of thousands of potential voters. Industry thought leaders and influencers use blogs and Twitter to build up communities of readers and followers for business purposes. That may also be your reason for being a part of online communities, but if your intentions are more casual in nature, massive readership is probably less important to you. Some sites, like LinkedIn, discourage blind connections and will begin restricting a user’s ability to connect if they receive too many “I don’t know this person” responses. Keeping your network to people you really do know helps keep the spam and other unsolicited messages to a minimum too.
TIP 11 – Create a smaller social network
Bigger isn’t always better. There’s more to social networks than MySpace, Facebook and Twitter. Self-forming communities often form around very narrow topics and these can easily get lost on the bigger sites. You may be better served creating a smaller, more focused network using tools aimed to help narrow or smaller groups such as Ning or MeetUp. By narrowing your purpose and using tools appropriate for smaller groups, you can keep unwanted solicitations, invites to connect, applications and spam to a minimum. You’ll also find you build closer relationships amongst community members.
TIP 12 – Set up an OpenID account
OpenID is an open source standard for creating a single sign-on to multiple online services and applications. As a framework, OpenID accounts are available from multiple providers. Companies like AOL, Microsoft, Sun, and Novell are beginning to accept and provide OpenIDs. It is estimated that there are over 160 million OpenID-enabled URIs with nearly ten thousand sites supporting OpenID logins.
OpenID is making inroads into the SaaS application market to better manage user accounts. We’re also likely to see OpenID used in online social networking sites (for instance, Intense Debate uses OpenID) to help verify users’ identities and reduce impersonators and false identities. If the social networking sites you frequent don’t use OpenID or a similar technology, e-mail the site creator and lobby for adding it.