Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2013 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Wirtschaftsinformatik.

Similar presentations


Presentation on theme: "Copyright 2013 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Wirtschaftsinformatik."— Presentation transcript:

1 Copyright 2013 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Wirtschaftsinformatik Forum – GI Deutsches Eck Universität Koblenz-Landau 17. Januar 2013 http://www.rogerclarke.com/EC/eCIS {.html,.ppt} eConsumer Insecurity Five Headlines – Sensationalist But True

2 Copyright 2013 2 What Do eConsumers Do? Inter-Personal Comms Email, Chat/IM Content Discovery and Access Reading Content Publication Web-Sites, Blogs, Personal Galleries, Music, Video Doc Prep File-Sharing with Friends, Colleagues Personal Databases Accounting, Investments, Hobbies, Family Trees

3 Copyright 2013 3 Consumer Computing Email clients, using smtp/pop/imap Personal Web-Sites Dedicated Devices Office on the Desktop FTP-server and -client [Books] Webmail, using http / https Flickr, Picasa, 3rd Party Blogs iTunes Zoho, Google Docs Dropbox eBooks, Rented Functions Applications ==>> Services 1975-2000 2000- Email Personal Galleries Personal Music Doc Prep File-Sharing Reading http://www.rogerclarke.com/EC/CCC.html

4 Copyright 2013 4 A Participant-Oriented Classification of Social Media Email / Chat-IM / Skype Web-Pages 'Walled-garden' 'wall-postings' YouTube Wikis Dis/Approval 'Like', '+1' Second Life http://www.rogerclarke.com/DV/SMTD.html

5 Copyright 2013 5 eConsumer Wants – 1 of 4 The Basic Needs Does it do what I want it to do? [Fit] Will it be there when I want it? [Availability, Reliability] http://www.rogerclarke.com/EC/CCC.html

6 Copyright 2013 6 eConsumer Wants – 2 of 4 The Basic Needs Does it do what I want it to do? [Fit] Will it be there when I want it? [Availability, Reliability] The Basic Protections How do I keep going if it stays fallen over for a long time? [Service Interruptions] Will you respond helpfully and quickly enough when I ask for help? [Customer Service] Will you lose my data, or muck it up? [Data Integrity] Do I get my data back if you fall over or withdraw the service? [Survival] Can I move my data to another supplier? [Lateral Compatibility] Who can I complain to if I get dudded, and will they actually help me? [Consumer Protection] http://www.rogerclarke.com/EC/CCC.html

7 Copyright 2013 7 eConsumer Wants – 3 of 4 More Advanced Needs Will it keep doing what it does now? [Service Integrity] Will it stay up-to-date? [Future Fit] Will it fall over too often? [Robustness] Will it come back quickly after it falls over? [Resilience] Is my service protected against you, them and the gods? [Service Security] If bits of it are broken, will you fix it without breaking it some more? [Maintainability] Can I fiddle with it a bit if I need to? [Flexibility] Can I move my data to an upgraded version? [Forward Compatibility] How long will old versions keep working for me? [Backward Compatibility] Am I breaking the law if I use the service? [Legal Compliance] http://www.rogerclarke.com/EC/CCC.html

8 Copyright 2013 8 eConsumer Wants – 4 of 4 More Advanced Protections Am I going to get gouged? [Cost] Can only appropriate people get in and do things? [Authentication and Authorisation] Can I get access to all data that you hold about me? [Subject Access] Is my data protected against you, them and the gods? [Data Security] Is my privacy protected against you, them and the gods? [Privacy Controls] If I terminate our relationship, will my data be irretrievably deleted? [Fully Effective Withdrawal] What happens to my data if I die? [Archival / Memorialisation] http://www.rogerclarke.com/EC/CCC.html

9 Copyright 2013 9 Headline 1: Software on consumer devices becomes dated and local data is often not recoverable, but... eConsumer services are a very bad deal

10 Copyright 2013 10 The Terms of Service eConsumers can usually only know what Terms apply to an earlier transaction if they mirrored the Terms at the time The Terms applicable to the next transaction may not be the same as they were for previous transactions The Terms applicable to transactions and to the eConsumers data are entirely under the provider's control eConsumers can place no reliance on what they may have previously read or heard about the Terms

11 Copyright 2013 11 Second-Party Risk-Exposure Summary of Results 3 – the Terms provide the ISP with no right to use the data (iinet, Internode, Yahoo!) 2 – use is authorised, but... only in a manner directly related to the contract (Infinite, Zoho) 1 – use is limited to 'access' - although what that limitation means is unclear (Dropbox) 1 – use is authorised "to provide the service" - which can be readily interpreted as being the service as a whole not just the service provided to that user (MS Live) 2 – the ISP has very substantial rights (Google, LinkedIn) http://www.rogerclarke.com/EC/IU-SPE-1012.html

12 Copyright 2013 12 In-Depth No responsibility to provide the service, or to do so reliably, or to sustain data stored in it Subscribers must disclose physical location, even if irrelevant No internal complaints process No rights to restitution, no liability for identity fraud LinkedIn gains rights to customers' data that are almost equivalent to the rights of the customers themselves Unilateral changes to the Privacy Statement, without notice Storage in the USA under lax privacy laws No undertakings to control staff behaviour Enforced 'permission' to disclose personal data, "to assist government enforcement agencies", without legal authority Inadequate subject access and correction rights http://www.rogerclarke.com/EC/LinkedIn-1012.html

13 Copyright 2013 13 The Cloudy Future of Consumer Computing Inaccessibility and Lack of Clarity of Terms Service Malfunctions Loss of Data Provider Exploitation of Personal Data Largely unfettered scope for changes to the Terms Supra-Jurisdictionality and Use of Regulatory Havens Seriously Inadequate Consumer Protections Dominance of US marketing morés Pro-corporate / anti-consumer US regulators Meekness of regulators in other countries Lack of Organised Consumer Resistance http://www.rogerclarke.com/EC/CCC.html http://www.rogerclarke.com/EC/CCEF-CO.html

14 Copyright 2013 14 Headline 2: Mobile devices are irretrievably insecure

15 Copyright 2013 15 MalContent How Much Illegal Porn is on Your Personal DeVices? http://www.rogerclarke.com/II/OffIm0511.html

16 Copyright 2013 16 MalContent How Much Illegal Porn is on Your Personal DeVices? Unexpected Email-Attachments and Microsoft Email-Emedded Files Unexpected Downloads over the Web Unwitting Downloads over P2P Malware, Unauthorised Users,... http://www.rogerclarke.com/II/OffIm0511.html

17 Copyright 2013 17 MalContent How Much Illegal Porn is on Your Personal DeVices? Unexpected Email-Attachments and Microsoft Email-Emedded Files Unexpected Downloads over the Web Unwitting Downloads over P2P Malware, Unauthorised Users,... How can you know? http://www.rogerclarke.com/II/OffIm0511.html

18 Copyright 2013 18 MalBehaviour Many categories, including Flaming, Incitement, 'Trolling',... 'Social Engineering' Enveigling users into harmful actions, incl. 'Phishing', esp. for authenticators Download of 'free anti-virus software'

19 Copyright 2013 19 Malware A Definition to Cope with the Complexities Software, or a software component or feature, that (1)is capable of being Invoked on a device; and (2)on invocation, has an Effect that is: Unintended by the person responsible for the device; and Potentially Harmful to an interest of that or some other person http://www.rogerclarke.com/II/RCMal.html Virus Worm Spyware Backdoor / Trapdoor Remote Admin Tool Rootkit Drive-by-Download

20 Copyright 2013 20 Absolute-Minimum InfoSec Safeguards Malware Detection and Eradication http://www.xamax.com.au/EC/ISInfo.pdf

21 Copyright 2013 21 Absolute-Minimum InfoSec Safeguards 1.Physical Safeguards 2.Access Control 3.Malware Detection and Eradication 4.Patching Procedures 5.Firewalls 6.Incident Management Processes 7.Logging 8.Backup and Recovery 9.Training 10.Responsibility http://www.xamax.com.au/EC/ISInfo.pdf

22 Copyright 2013 22 Absolute-Minimum InfoSec Safeguards 1.Physical Safeguards 2.Access Control 3.Malware Detection and Eradication 4.Patching Procedures 5.Firewalls 6.Incident Management Processes 7.Logging 8.Backup 9.Training 10.Responsibility As applicable to consumers as to business and government

23 Copyright 2013 23 Headline 3: That's not a Password; it's a Passéword Kennwort wurde schon Bekanntwort

24 Copyright 2013 24 Password Vulnerabilities and Threats Direct Acquisition Visual Observation Electronic Observation Keystroke Logging Discovery of a Personal Password Database Interception Phishing Compounding Factors Use of One Password for Multiple Accounts Continued Use of a Compromised Password Indirect Acquisition Guessing 'Brute Force' Guessing Compromise of the Password-Reset Process Compromise of a Password Stored by a Service-Provider Acquisition and Hacking of a Password-Hash File http://www.rogerclarke.com/II/Passwords.html

25 Copyright 2013 25 Access Control – Threats Safeguards What You Know password, 'shared secrets' What You Have one-time password gadget, a digital signing key Where You Are your IP-address, device-ID What You Are a biometric, e.g. fingerprint What You Do time-signature of password- typing key-strikes Who or What You Are reputation, 'vouching' Interception Channel Encryption, e.g. SSL/TLS Rogue or Compromised Second Party Transmission and Storage of only a password hash Compromise of the Client One-Time Passwords, Variable Action Passwords Imposter Multi-Factor Use Authentication:

26 Copyright 2013 26 Headline 4: Mobile devices are irretrievably insecure Web technologies are designed to be insecure

27 Copyright 2013 27 Server Control of Consumer Devices Java Applets ActiveX 'Controls' 'Asynchronous JavaScript and XML' (AJAX) Drive-by Downloads HTML5 Mobile Apps

28 Copyright 2013 28 Drive-By Downloads A big majority of requests to web-sites result in Unrequested Content being pushed to the browser from other sites – variously 'strategic partners' and parasites Third-Party Tracking Cookies are imposed by the vast majority of commercial web-sites, and are used by over 200 tracking companies (DoubleClick, et al.) Those companies use Additional Spyware to try to circumvent protections (web-bugs, Flash cookies, etc.) All of this is in breach of eConsumer consent Careful eConsumers use Protections

29 Copyright 2013 29

30 Copyright 2013 30 HTML Support for: multi-media streaming open channels as well as sessions geolocation A way to subvert sandboxing A way to subvert user control, by inverting the Web from pull to push A way to access local data and devices (e.g. cameras, microphones), giving rise to "A Pandoras box of tracking in the Internet http://www.sophos.com/en-us/medialibrary/PDFs /other/sophosHTML5andsecurity.pdf

31 Copyright 2013 31 Mobile Apps Will Google and Apple protect eConsumers against other parties? Who will protect eConsumers against Google and Apple? Retrofitting of Mobile OS to the Desktop Mac OSX iOS Android / bluetracks

32 Copyright 2013 32 Headline 5: The spy in your pocket leaks your location, 10 times per second, and to far more organisations than you thought

33 Copyright 2013 33 The Practicability of Location and Tracking Cell-Location is intrinsic to wireless network ops More Precise Location is now mostly available http://www.rogerclarke.com/DV/YAWYB-CWP.html

34 Copyright 2013 34 The Primary Geolocation Technologies http://www.rogerclarke.com/DV/LTMD.html

35 Copyright 2013 35 The Practicability of Location and Tracking Cell-Location is intrinsic to wireless network ops More Precise Location is now mostly available Tracking is feasible, because the handset sends a stream of messages Retrospective Tracking is feasible if the series of locations is logged (), and the log is retained () Real-Time Tracking is feasible if the data-stream is intense () and latency is low () Predictive Tracking is feasible if the data-stream is intense () and latency is low () http://www.rogerclarke.com/DV/YAWYB-CWP.html

36 Copyright 2013 36 Terms of Service Imposed by ISPs on Consumers Substantial Rights to collect, use and disclose personal data, incl. location data Unilateral Power: to change the Terms of Service to do so without notice to do so with immediate effect No Obligation to delete data, ever http://www.rogerclarke.com/EC/IU-SPE-1012.html

37 Copyright 2013 37 Rampant Location and Tracking Through Pseudo-Consent: Uncontrolled personal data collection Uncontrolled personal data use Uncontrolled personal data disclosure US data havens undermine EU protections Consumer rights and data protection laws inadequate for the task Parliaments, Regulators asleep at the wheel

38 Copyright 2013 38 Headline Spare: Unauthenticated payments are switching card risks from merchants to consumers

39 Copyright 2013 39 Headline Bonus: Social media services have only one business model, and it's based on personal data exploitation and behaviour manipulation

40 Copyright 2013 40

41 Copyright 2013 41 Some Implications

42 Copyright 2013 42 Naive Advice from 1998 'Apply Consumer-Friendly Principles' Information Choice Consent 'opt-in' the norm 'opt-out' with stringent justification Fair Conditions Recourse http://www.rogerclarke.com/DV/DirectMkting.html#Princ

43 Copyright 2013 43 Consumer-Oriented Social Media Features Interoperability, Portability Content, Messages Consent, which means: Informed Freely-Given Granular not Bundled Settings Management Conservative Defaults Trustworthy Terms Identity Protections Protected Pseudonyms Multiple Identities Caveats, Social Norms and Reputations Non-User Protections Content Social Networks Location Protections http://www.rogerclarke.com/II/COSMO-1211.html

44 Copyright 2013 44 Some Possible Measures IT Security Risk Assessment (SRA) done by someone, from the eConsumer Perspective IT Security Risk Management Planning (SRMP) done by someone, from the eConsumer Perspective Designed-In Security Safeguards Practicable and Economic Default and with Minimal Usability Trade-Off Documented, with Tutorials

45 Copyright 2013 45 Ways to Get There Depend on the proactive and productive prosumer? Impose liability for designed-in insecurity? Impose liability for serious security errors? Develop eConsumer Protection Law? http://www.rogerclarke.com/EC/ICEC06.html#TNT Impose Minimum Privacy Undertakings? http://www.rogerclarke.com/DV/PST.html Impose Standards on eConsumer Services? http://www.rogerclarke.com/EC/CCC.html#CRR

46 Copyright 2013 46 BYOD Issues Hosting Organisation Perspective Need for Network Protection Need for Device Challenge and Testing Need for Minimum Security Standards Need to provide Device-Cleansing Advice eConsumer Perspective Transparency of the Organisations Actions Auto-Reporting of Sensitive Information Exclusion from Services / Participation

47 Copyright 2013 47 Will Consumers Be Precluded From Owning General-Purpose Computing Devices? Many powerful groups will discover that they want it Copyright-Dependent Corporations Government Censors The Moral Minority, who want governments to extend censorship to whatever content the moral minority thinks the majority shouldn't have access to (Dominant) Computing Device Providers (iOS, Android) Law Enforcement & National Security Agencies (LEANs) 'Fraud Experts' Employers and other Organisations permitting BYOD

48 Copyright 2013 48 eConsumer Insecurity Five Headlines – Sensationalist But True Agenda eConsumers 5 Headlines eConsumer services are a very bad deal Mobile devices are irretrievably insecure Passwords are Passé; Kennwort heisst Bekannt Web technologies are designed to be insecure Mobiles leak location, very often, far and wide Some Implications

49 Copyright 2013 49 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Wirtschaftsinformatik Forum – GI Deutsches Eck Universität Koblenz-Landau 17. Januar 2013 http://www.rogerclarke.com/EC/eCIS {.html,.ppt} eConsumer Insecurity Five Headlines – Sensationalist But True

50 Copyright 2013 50

51 Copyright 2013 51 eConsumer Differentiation Education, Income, Wealth Infrastructure Availability Technical Capability Opportunity-Awareness Leadership / Followership Risk-Awareness, Risk-Aversion Age / 'Generation'

52 Copyright 2013 52 The Generations of eConsumers Indicative Indicative GenerationBirth-YearsAge in 2010 Silent / Seniors 1910-45 65-100 Baby Boomers – Early 1945-55 55-65 Baby Boomers – Late 1955-65 45-55 Generation X 1965-80 30-45 Generation Y 1980-95 15-30 The iGeneration 1995- 0-15

53 Copyright 2013 53 The Generations of eConsumers Baby Boomers (45-65) Handshake/phone, PCs came late, had to adapt to mobile phones Work is Life, the team discusses / the boss decides, process-oriented GenXs (30-45) Grew up with PCs, email and mobile phones, hence multi-taskers Work to Have More Life, expect payback from work, product-oriented GenYs (15-30) Grew up with IM/chat, texting and video-games, strong multi-taskers Life-Work Balance, expect fulfilment from work, highly interactive iGens (to 15) Growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking ?Life before Work, even more hedonistic, highly (e-)interactive

54 Copyright 2013 54 ActiveX 'Controls' There is no sandbox. Access is given not just to the browser but to the entire workstation The designer thereby gains enormous power over remote workstations An ActiveX control can be authenticated, but that doesnt assure that it will not be harmful ActiveX security problems are far worse than Java: The embedding of ActiveX into the Internet Explorer web browser created a combination of functions that has led to an explosion of computer virus, trojans and spyware infections (An over-ridden Wikipedia entry for ActiveX)

55 Copyright 2013 55 A Lightweight Alternative – AJAX 'Asynchronous JavaScript and XML' A Successor to the vague Dynamic HTML Applies well-established tools: (X)HTML/CSS -> XML, JavaScript/ECMAScript Utilises the XMLHttpRequest Method of HTTP in particular to enable partial-window-refresh Involves an 'Ajax engine' within the browser, which intercepts and processes user-requests and server-responses http://www.rogerclarke.com/EC/Web2C.html#AltT

56 Copyright 2013 56 Headline Spare: Unauthenticated payments are switching card risks from merchants to consumers

57 Copyright 2013 57 Contactless Chips RFID / NFC chip embedded in card Wireless operation, up to 5cm from a terminal Visa Paywave and MasterCard PayPass Up to $100 (cf. original $25)

58 Copyright 2013 58 Contactless Chip-Cards as Payment Devices RFID / NFC chip embedded in card Wireless operation, up to 5cm from a terminal Visa Paywave and MasterCard PayPass Up to $100 and $35 resp. (cf. original $25) Presence of chip in card is not human-visible, but Logo / Brand may be visible No choice whether it's activated Operation of chip in card is not human-apparent No action required when within 5cm range, i.e. automatic payment No receipt is increasingly the norm Used as Cr-Card: Unauthenticated auto-lending Used as Dr-Card: PIN-less charge to bank account

59 Copyright 2013 59 Authentication – None? / A Non-Secret? (but Yes, for Transactions >$100 Only) Act of Consent – None? / Unclear? / Clear? If the card is within 5cm of a device, whether seen or not Notification – None? / Audio? / Display? If 'None', then enables surreptitious payment extraction Receipt / Voucher – None? / Option? / Y? Safeguards

60 Copyright 2013 60 Mobile Payments can be Faster More Intuitive More Convenient Less of an Obstacle

61 Copyright 2013 61 Mobile Payments can be Faster More Intuitive More Convenient Less of an Obstacle For the Thief Too

62 Copyright 2013 62 Risk Analysis Summary A lost, stolen or borrowed card can be used by anyone, for multiple transactions up to $100 at a time, without any form of authentication, against the credit or debit account the card it linked to The facility is in every card, the choice is merely to have a card or to not have one, and there is no 'Off' switch Many Parliaments and Consumer Protection Agencies have done absolutely nothing about it http://www.rogerclarke.com/EC/CPS-12.html

63 Copyright 2013 63 Risk Management Possibilities Reconcile your Statements. But: Statements are now very long indeed Statements are increasingly online, not sent, and charged for The time available for challenges is limited (60 days?) Many transactions will not match against a receipt Many business names are not recognisable Query unrecognised transactions. But: The consumer has no evidence, much detail, and is uncertain Only a minority of unreconciled entries will be fraudulent Effort, time and fees are incurred for each challenge Processes are designed to be inconvenient and slow (60 days?) Card-issuers can refuse to reimburse

64 Copyright 2013 64 Headline Bonus: Social media services have only one business model, and it's based on personal data exploitation and behaviour manipulation

65 Copyright 2013 65 A Participant-Oriented Classification of Social Media Email / Chat-IM / Skype Web-Pages 'Walled-garden' 'wall-postings' YouTube Wikis Dis/Approval 'Like', '+1' Second Life http://www.rogerclarke.com/DV/SMTD.html

66 Copyright 2013 66 Currently-Available Social Media Genres 1-with-1/Few INTERACTION Tools networked text email (asynchronous) networked text chat / IM (synchronous) SMS / texting from mobile phones email-attachments, any format (asynch) voice: over Internet (VoIP, Skype) (synch) tele-conferencing (VoIP, Skype) (synch) videophone (Skype Video) (synch) video-conferencing (Skype Video) (synch) 1-to-Many BROADCAST Tools bulletin boards systems (BBS) Usenet / netnews email lists web-pages indexes (Lycos, Altavista, Google, Bing) blogs (WordPress, Blogspot) micro-blogs (Twitter, Tumblr) glogs – wearable wireless webcams, cyborg-logs, retro-nymed as 'graphical blogs' 'content communities', e.g. for images (deviantArt, Flickr and Picasa), for videos (YouTube), for slide-sets (Slideshare) closed / 'walled-garden' 'wall-postings' within SNS (Plaxo, MySpace, LinkedIn, Xing, Reddit, Facebook, Google+) 1-with-Many SHARING Tools Content Collaboration wikis (Wikipedia) social news sites (Slashdot, Newsvine) online office apps (Zoho, Google Docs, MS Live) Indicator-Sharing 'social bookmarking' (Delicious) dis/approvals (Digg's dig & bury, Reddit's up & down, StumbleUpon's thumbs-up & thumbs-down, Facebook's Like button, Google+'s +1 button) Multi-Player Networked Gaming text-based MUDDs social gaming sites (Friendster) Massively Multiplayer Online Games (MMOGs), esp. Role-Playing Games (MMORPGs), e.g. World of Warcraft online virtual worlds (Second Life) http://www.rogerclarke.com/DV/SMTD.html

67 Copyright 2013 67 Social Medias Business Model 'There must be a way to monetise this somehow' 'You will find something interesting here' is a self-fulfilling prophecy, because people can be enticed to contribute 'something interesting' Contributors, and the people who come after them, can be enticed to click on targeted advertisements Targeting is based on: profile-data that users supply about themselves content that they have donated their online behaviour while using the service their online behaviour more generally data that other people contribute about the user

68 Copyright 2013 68 Privacy Risks in Social Media Second-Party Risk Exposure (Service- Provider) Content relating to Oneself Content relating to Others Social Networks including Oneself and Others Third-Party Risk Exposure Openness that was Unanticipated Openness through Breach of Original Terms The Service-Provider's Strategic Partners 'Syndication', to any player Government Agency Demand Powers Interception and Hacking

69 Copyright 2013 69 A Catalogue of Social Media Privacy Concerns Source: Reviews of Media Reports 2005-11 1Privacy-Abusive Data Collection 2Privacy-Abusive Service-Provider Rights 3Privacy-Abusive Functionality and User Interfaces 4Privacy-Abusive Data Exploitation http://www.rogerclarke.com/DV/SMTD.html

70 Copyright 2013 70 A Catalogue of Social Media Privacy Concerns 1Privacy-Abusive Data Collection Demands for User Data identity data profile data contacts data, including users' address-books: their contact-points (some sensitive) comments about them (ditto) by implication, their social networks Collection of User Data about users' locations over time about users' online behaviour, even when not transacting with the particular service from third parties, without notice to the user and/or without user consent 2Privacy-Abusive Service-Provider Rights Terms of Service Features substantial self-declared, non-negotiable rights for the service-provider, including: to exploit users' data for their own purposes to disclose users' data to other organisations to retain users' data permanently, even if the person terminates their account to change Terms of Service: unilaterally without advance notice to users; and/or without any notice to users Exercise of Self-Declared Service-Provider Rights in ways harmful to users' interests in order to renege on previous undertakings Avoidance of Consumer Protection and Privacy Laws location of storage and processing in data havens location of contract-jurisdiction distant from users ignoring of regulatory and oversight agencies acceptance of nuisance-value fines and nominal undertakings

71 Copyright 2013 71 A Catalogue of Social Media Privacy Concerns 3 Privacy-Abusive Functionality and User Interfaces Privacy-Related Settings non-conservative default settings inadequate granularity complex and unhelpful user interfaces changes to the effects of settings, without advance notice, without any notice and/or without consent 'Real Names' Policies denial of multiple identities denial of anonymity denial of pseudonymity enforced publication of 'real name', associated profile data Functionality and User Interface inadequate documentation and reliance on interpolation frequent changes; and/or without advance notice to users, without any notice to users and/or without user consent User Access to Their Data lack of clarity about whether, and how, data can be accessed lack of, even denial of, the right of subject access User Deletion of Their Data lack of clarity about whether, and how, data can be deleted lack of, and even denial of, the users right to delete 4 Privacy-Abusive Data Exploitation Exposure of User Data to Third Parties wide exposure, in violation of previous Terms, of: users' profile-data (e.g. address, mobile-phone) users' postings users' advertising and purchasing behaviour users' explicit social networks users' inferred social networks, e.g. from messaging-traffic changes to the scope of exposure: without advance notice to users without any notice to users; and/or without user consent access by government agencies without demonstrated legal authority Exposure of Data about Other People upload of users' address-books, including: their contact-points comments about them by implication, their social networks exploitation of non-users' interactions with users

72 Copyright 2013 72 A Catalogue of Social Media Privacy Concerns 3 Privacy-Abusive Functionality 'Real Names' Policies Denial of multiple identities Denial of anonymity Denial of pseudonymity Enforced publication of 'real name', and associated profile data

73 Copyright 2013 73 A Catalogue of Social Media Privacy Concerns 4 Privacy-Abusive Data Exploitation Exposure of Data about Other People Upload of users' address-books, including: their contact-points comments about them by implication, their social networks Exploitation of non-users' interactions with users Disclosure of non-users' social networks

74 Copyright 2013 74 Social Media Privacy Disasters Plaxo, 2004 http://www.rogerclarke.com/DV/ContactPITs.html Twitter http://tweepi.com/blog/2011/07/10-must-know-twitter-privacy-tips/ Facebook, 2004- http://www.rogerclarke.com/DV/PrivCorp.html#FB Google Gmail, Orkut, Buzz, Google+ http://www.rogerclarke.com/DV/PrivCorp.html#Goo04 http://www.rogerclarke.com/DV/PrivCorp.html#Goo10 http://www.rogerclarke.com/DV/PrivCorp.html#Goo12 Instagram http://www.rogerclarke.com/DV/PrivCorp.html#Instagram


Download ppt "Copyright 2013 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Wirtschaftsinformatik."

Similar presentations


Ads by Google