Few years ago I was reading this in the news: “A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.”

How did they get famous? This firm store data on their S3 bucket with public access. I.e. it was accessible to anyone - 1 terabyte of data.

Today I want to talk about the improper use of user profiles by third parties. This is probably the most serious potential risk with regard to personal data contained in user profiles of social networking services.

Depending on the configuration (default) available with respect to the privacy and the use or not of this configuration by users, as well as the level of security offered by the service, the information contained in the profile (including images, which can portray both the individual interested party and other subjects) become accessible, in the worst case, to the entire community of users.

At the same time, there are very few safeguards available today with respect to copying the data contained in the user profiles and using them to build personal profiles and/or republish such data outside the specific social network service.

However, even the "normal" use of the data contained in the user profiles can have an impact on the informative self-determination of users and, for example, seriously affect their career opportunities.

An example that has aroused widespread interest concerns the habit of personnel managers of individual companies to consult the user profiles of candidates for recruitment and/or employees.

According to press articles, already today two-thirds of executives admit to using data obtained from social networks, for example, to verify and/or complete the curricula of candidates.

Other subjects who can profit from these sources of information are the police and the secret services (even those of less democratic countries with a low level of privacy protection).

Furthermore, some social networks provide third parties with user data via application programming interfaces, and the data, therefore, ends up being managed by the third parties in question.

Experts have particular concerns regarding the further risk of identity theft caused by the widespread availability of personal data contained in the user profiles and by the abuse of these profiles by unauthorized third parties.

Use of an infrastructure whose security, unfortunately, leaves much to be desired. Much has been said about the (non) security of networks and computer systems, including web services.

Recent cases in this regard concern well-known service providers such as Facebook, Orkut, and StudiVZ. It is true that service providers have taken steps to enhance the security of their systems, but much remains to be done.

At the same time, it is likely that new security holes in these systems will emerge in the future, while it is very unlikely that the goal of total security will ever be achieved - given the complexity of software applications.

The still unsolved problems regarding the security of Internet services constitute an additional risk connected to the use of social network services and, in some cases, increase the overall level of risk, or involve specific "nuances" of risk of this type of services.

In a recent document drawn up by ENISA (European Network and Information Security Agency), among other things, spam, scripting between different sites, viruses and "worms", targeted phishing (spear-phishing).

Forms of phishing are mentioned specific social media, the infiltration of networks, the abusive use of user-profiles (profile-squatting), and reputational attacks based on identity theft.

According to ENISA, a further security risk is represented by "aggregation factors linked to social networks".

The introduction of interoperability standards and application programming interfaces (API: for example, the "open social" standard introduced by Google in November 2007), in order to allow the technical interoperability of typically different social network services, involves a whole series of additional risks.

In fact, it made possible an automatic evaluation of all social network sites that use the chosen standard. Through the API it is in practice the entire range of system functions that can be automatically evaluated through the web interface.

Applications potentially capable of interfering with the privacy of users (and perhaps also with the privacy of individuals who are not users, but whose data is part of a user-profile) include, for example, the overall analysis of professional relationships and individuals entertained by the individual user, who can certainly cross the "boundaries" of the individual social networks.

Also, interoperability can further facilitate the reuse by third parties of the information and images contained in the user profiles, as well as the creation of fake profiles.

My conclusion is - the protection of consumers’ rights and privacy is paramount.

This article was created in collaboration with David Cajilig from Privasim. Privasim is helping educators teach data privacy to students easily through game-based learning.

Used Literature

• Social Media Privacy Policy Loopholes You Need to Know About
• Social Networking Privacy: How to be Safe, Secure and Social
• Privacy concerns with social networking services - Wikipedia
• The Countries With The Most GDPR Data Breaches
• How to Protect Your Privacy on Social Media?
• Tips for protecting your social media privacy
• Social Media Privacy Laws
• How Social Media Networks Facilitate Identity Theft and Fraud
• 'Sustained and ongoing' disinformation assault targets Dem presidential candidates - POLITICO
• Messaging App Usage Statistics Around the World - MessengerPeople by Sinch
• Leaking privacy and shadow profiles in online social networks
• Privacy and human behavior in the age of information
• Online Privacy Concerns Among Social Networks' Users
• The Future of Privacy | Pew Research Center
• A computer science expert on the data privacy crisis | The University of Chicago Magazine
• Transborder Data Flows: Assessment Process and Transfer Mechanisms | Law Infographic
• Stop The Social Engineering Of Customers And Employees | FICO Decisions Blog