<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; Facebook</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/facebook/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Does everyone value their privacy or is it just me?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 22:42:43 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://1995391332</guid>
		<description><![CDATA[Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn't LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?]]></description>
				<content:encoded><![CDATA[<p class="yiv1440904730MsoNormal">I just came to find out that I’m old.  It was somewhat sudden and sort of unexpected as I’m not quite halfway to one hundred and have fooled myself into thinking that old doesn’t roll in until somewhere beyond sixty.  But apparently one person’s middle-aged is another person’s old.  Let me explain…</p>
<p class="yiv1440904730MsoNormal">I read an article in which Reid Hoffman, LinkedIn’s founder, was quoted this past summer as saying that privacy was for old people.   To be at least a little fair he was making the point that transparency of data and how it’s shared is an important component of social networks.  Young people are more interested in enhancing the experience and less concerned about revealing too much information in exchange for making that happen.  But really, isn&#8217;t it both a bit self-serving and irresponsible for someone atop the world’s largest professional social network to be thinking along those lines?</p>
<p class="yiv1440904730MsoNormal">First of all it sort of makes him seem like a visionary rather than irresponsible for allowing LinkedIn to take certain liberties with regards to protecting my personally identifiable information (PII) in exchange for furthering the platform – he’s not irresponsible, he’s forward thinking.  Second he marginalizes the concerns of experienced people by making such a statement as if to say “you’re too old to understand that it’s more important to be out there too much rather than not enough” – it conveys a message that I’m not cautious, I’m slow to adapt and that’s primarily because I’m not young.  Third it makes it so much easier and cheaper for LinkedIn to continue building out their platform if security isn’t their top priority – wouldn&#8217;t we rather have them introduce cool new features rather than enhance their controls?</p>
<p class="yiv1440904730MsoNormal">Well Mr. Hoffman here’s what I have to say about all of this.  What you call old, I call experienced.  I’m not concerned about my privacy because I have a dated way of thinking, I’m concerned because I know too much about identity theft and the damage it can cause.  I know that sites such as LinkedIn and Facebook have made it sooo much easier for the criminal element to develop profiles on people and figure out how to crack passwords, hijack email accounts and obtain information that allows them to assume someone’s identity.   I know that features such as TripIt and Foursquare allow criminals to figure out when people are going to be away from home and plan break-ins accordingly.  I know that it’s much easier to obtain inside information by trending activities on LinkedIn (e.g. I always know when someone works for a company facing downsizing or layoffs based on the type of profile updates they’re making).</p>
<p class="yiv1440904730MsoNormal">And you’re right that privacy is for old people.  So are life insurance, money management and parenting.  We’ve worked long and hard to get what we have and we understand the value of losing it.  Anyone much under the age of twenty-five likely hasn’t a clue as to why privacy is such a big deal because their exposure is so much less.  If someone stole my identity when I first started my career they would have had access to a few hundred dollars, maybe one or two credit cards with ridiculously low limits and have discovered that my house was sparsely furnished with hardly anything worth stealing.   I could have repaired most of the damage from a stolen identity within a couple of paychecks.  At that point I would have totally thrown caution to the wind and have leveraged the full offerings of today’s social networks in order to market myself both professionally and socially.  At this point I simply want to protect myself from unnecessary risks and exposures.</p>
<p class="yiv1440904730MsoNormal">Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn&#8217;t LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?</p>
<p class="yiv1440904730MsoNormal">I’m sure at some point Reid Hoffman has backtracked on his statement in some measure because whether you hear it in or out of context it still sounds awful.  And I can only imagine that officially LinkedIn will point out that he’s no longer running the company (officially anyway).  And I also realize that his statement didn’t convey in any way that LinkedIn didn’t value privacy just like I know from firsthand experience that LinkedIn as designed allows me to throttle what I share with the rest of the community in a way that I’m comfortable with.  But still, comments like that make my blood run a little cold and make me jump online right away to make sure that I’ve kept my information sharing to a minimum.  Because in the end while “<span class="yiv1440904730"><span>I&#8217;m older and I have more insurance” I don’t want to have to use it.</span></span><span class="yiv1440904730"><span> </span></span></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Should banks and social networking coincide?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/should-banks-be-expanding-into-social-networking/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/should-banks-be-expanding-into-social-networking/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 16:07:05 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[bank]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[social network]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[tweet]]></category>
		<category><![CDATA[tweeting]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=614</guid>
		<description><![CDATA[Do I want to know about special teaser rates from my bank?  Yes.  Do I want it to be Tweeted as "Spcl tzr r8 4 xisting cstmrs"?  No.  And I don't want it to be embedded between weather commentaries from my connections in New York and daily quotes from the movie "The Princess Bride" on Facebook or MySpace.]]></description>
				<content:encoded><![CDATA[<p>A few weeks back my wife asked me, as a favor, if I could join one of Facebook&#8217;s community-based games because the more &#8220;neighbors&#8221; you have, the easier it is to succeed and so I did. Truthfully it was a rare moment of weakness for me because I tend to avoid those sorts of things as if they were the plague. It detracts from my primary reason for being on Facebook which is to keep in touch with my extended network of family and friends. In the two weeks since joining the game I&#8217;ve been receiving nearly a dozen requests per day from others in my Facebook network who also play the game.  The net result is that my Facebook screen is filled with what can best be described as Spam and I&#8217;m not happy. There&#8217;s already so much clutter coming through on Facebook that the last thing I needed or wanted was something not directly related to why I spend time on the hugely popular site.</p>
<p>I&#8217;ve recently come to the conclusion that several of my Facebook choices are proving to be questionable across the board. As a baseball fan I &#8220;Liked&#8221; several Facebook pages to track my favorite team and any of their front office moves. As a movie fan I &#8220;Liked&#8221; certain movie pages, as a fan of certain shows I &#8220;Liked&#8221; their official page, as someone who moved away from Long Island I &#8220;Liked&#8221; the regional newspaper and also &#8220;Liked&#8221; the blog for the town we moved away from. I also wound up &#8220;Liking&#8221; a few charitable organizations we support, a few local businesses we frequent and one online electronics retailer because that was the only way to enter into a contest they were promoting. Lately it takes me forever to sift through all the Facebook chum to find out what&#8217;s going on in the lives and minds of real people that I actually know. It&#8217;s become something of a mess, pretty much the equivalent of having mixed my legitimate email with everything in my Spam folder, sorting it in no particular order and then trying to figure out what deserves or requires my attention.</p>
<p>Which got me to thinking, why are financial institutions looking to leverage this remarkably unwieldy domain?</p>
<p>The FDIC has been talking up their role in providing guidance to member banks on how to implement and secure controls focused on social networking. Both the FDIC and NCUA have designated internal resources to firm up and promote their own social networking strategies. Several of my banking clients have entered into the Facebook fray to try and market their products and services to a variety of market segments. LinkedIn routinely displays ads from the big banks (e.g. Chase, Bank of America, etc.).  And while I haven&#8217;t signed up for any related Twitter feeds I know there are several financial institutions tweeting away.  OK, does anything sound less like a respected financial institution than when you can say they&#8217;re &#8220;tweeting&#8221;?</p>
<p>I&#8217;m not one of those technology nay-sayers who&#8217;s always questioning why we need all of these new fangled devices. Quite to the contrary, I tend to embrace advances in both technology and its capabilities. I&#8217;m a fan of mobile and online banking. I consider email alerts from my bank an important tool in both managing and monitoring my financial life and have always felt that way right from the beginning of when it was first offered.</p>
<p>However, I just don&#8217;t see where I need to receive updates from the FDIC, the NCUA or my (very big) bank via Facebook, LinkedIn, MySpace or Twitter. They&#8217;re not going to be able to provide me with anything beyond what I already receive via email or can access upon demand. They&#8217;re only going to leverage these platforms as a way to expand their marketing strategies and I just don&#8217;t see how that benefits the common user. I don&#8217;t want the FDIC posting bank closing announcements on my Facebook page sandwiched between the latest Frontierville requests and pictures from a friend&#8217;s bachelor party (a very real example from yesterday&#8217;s News Feed). I&#8217;m already souring on Twitter as an effective communication tool because a few of the feeds I signed up for and which I considered to be worth my time inundate me with run-on, cryptic sentences that often require I click on a link and navigate to a website. So the odds that I&#8217;ll notice a special loan rate being offered via Twitter by my personal bank in a timely fashion are slim at best. I just conducted a basic tweet-test; I went looking for the most recent tweet by one of my favorite Information Security sources (Security Curve&#8217;s Ed Moyle) and couldn&#8217;t easily find it. Ed sends out several such tweets each day and I&#8217;m not a heavy Twitter user so you&#8217;d think it would be easy enough to find; it wasn&#8217;t. It&#8217;s easier to simply navigate to his website and find what I need there.</p>
<p>I receive about a dozen email bulletins/alerts each week from the various sources I prefer to receive industry content from. When they arrive in my inbox they&#8217;re automatically moved into a special folder I set up for such things and when I have time I scan through them and read what I like (and the headlines and subject lines are typically complete sentences that don&#8217;t require learning a new form of shorthand). Plus I can do most of this offline and on a full-blown display, not my impressive-for-what-it-is but too small Droid screen.</p>
<p>This rush that&#8217;s underway to move into the social network space within the banking industry is reminiscent of what lemmings go through each year when they begin their mad, senseless but instinctive rush to dive off that cliff and swim away to their all-but-certain demise because that&#8217;s the direction everyone is moving in. I suggest that someone be forced to come up with a legitimate business case for why banks, credit unions and their regulators should establish social media presences beyond &#8220;because everyone is doing it.&#8221; Besides, so many businesses block Facebook and Twitter access anyway, you have to question the logic in relying upon such forums as a legitimate communications vehicle.</p>
<p>Here&#8217;s the kicker though, I just checked up on those clients of mine who established Facebook presences over the past two years and guess what I found? Nothing new, literally. There are no recent posts, no recent planned events and nothing that would ever inspire me, as either a customer or member, to visit their pages. I went to their respective websites and found plenty of relevant and current content but none of it found its way to Facebook. I don&#8217;t know for certain why that is but am willing to speculate that when the people in marketing are formulating their strategies and Facebook comes to mind, visions of Farmville, poke-ing and embarrassing pictures with funny captions subliminally affect them.</p>
<p>Do I want to know about special teaser rates from my bank? Yes. Do I want it to be tweeted as &#8220;Spcl tzr r8 4 xisting cstmrs&#8221;? No. And I don&#8217;t want it to be embedded between weather commentaries from my connections in New York and daily quotes from the movie &#8220;The Princess Bride&#8221; on Facebook or MySpace. I suppose in the end I would remind the banking world that just because you can, doesn&#8217;t mean you should.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/should-banks-be-expanding-into-social-networking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing today&#8217;s privacy threats and security risks</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/know-which-security-risks-to-focus-on/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/know-which-security-risks-to-focus-on/#comments</comments>
		<pubDate>Sun, 05 Sep 2010 05:17:09 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[CISO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social network]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=462</guid>
		<description><![CDATA[What would you rather have, a monstrous database with relatively benign Facebook user information or an email containing all forms of PII combined with the person's title and position at a bank or credit union?  I know who they are, if they are likely to have broad access capabilities within their institution, information allowing me to reset passwords and somewhere close to no possible way to trace this all back to me.]]></description>
				<content:encoded><![CDATA[<p>A few months back, the big blinking light in the middle of the information security radar was a story about how someone had <a href="http://www.theatlanticwire.com/opinions/view/opinion/Hacker-Harvests-100M-Facebook-Profiles-and-Publishes-Data-Whos-At-Risk-4510">harvested all sorts of personal information from Facebook</a> accounts and made the resulting files available for download.  The file (actually it was a series of files) offered varying degrees of details on nearly 100 million user accounts and it rocked the security industry for what turned out to be about five minutes.  I downloaded the information out of curiosity and spent an hour or so sifting through the massive collection and came away with a sense that the story was more interesting in the abstract and that once you started really examining the risks introduced by the breach, you came away with a sense that it was much ado about nothing.</p>
<p>I&#8217;ve posted before about such things: about how you need to exercise good judgment when online and when sharing potentially sensitive information (avoid those Facebook &#8220;about me&#8221; quizzes always).  While something like the Facebook breach might make it a little easier for the bad guys, the truth is the sheer volume likely rendered the information useless.  I couldn&#8217;t find a Social Security number, bank account number or anything else remotely resembling a true digital prize.  And I looked, believe me, I looked.  I should qualify what that means; I have a well-earned reputation for being able to develop fairly extensive dossiers on people by using a variety of techniques, all based upon readily accessible online resources.  It&#8217;s sort of a hobby interest of mine and I find new and better ways all the time to improve my techniques.  But other than using the Facebook skimmed data for marketing activities, I wouldn&#8217;t think it to be too big of a deal.</p>
<p>However, if you&#8217;re looking for a really neat way to access social network sites in such a way that you get to work smarter, not harder, when up to no good there are far more effective methods available.  My newest favorite threat to all of our privacy and sensitive information is a recent add-on to Outlook that allows me to instantly access Facebook and LinkedIn information directly connected to an email account.  The way it works is that you send me an email, the Outlook add-on then scans Facebook and LinkedIn for activity linked to that email account and displays it all nice and neat in a sub-window below the message.  I installed the add-on on Wednesday out of curiosity, expecting little if anything useful.  The first email I received after the fact was from an associate in the banking industry.  This person must use a business email for Facebook and LinkedIn because the aforementioned sub-window filled quickly with nearly a dozen different bits of information between Facebook and LinkedIn.  I can view family photos, a scheduled event detailing an upcoming vacation and several LinkedIn updates including new connections.  That by itself is scary enough but what makes it worse for me is that I&#8217;m not connected to this person on either site.  I was able to see all of this information without even wanting to.  In one neat little bundle, I have the person&#8217;s email address, access to personal information, a clear indication of when they plan to be away from the office, and a simple way to track the individual&#8217;s whereabouts.  Oddly enough, if I searched either site directly I couldn&#8217;t see much of the same information, but the Microsoft utility apparently removes such obstacles and gets me to where I want to be.</p>
<p>What would you rather have: A monstrous database with relatively benign Facebook user information or an email containing all forms of PII combined with the person&#8217;s title and position at a bank or credit union?  I know who they are and if they are likely to have broad access capabilities within their institution &#8212; information allowing me to reset passwords and close to no possible way to trace this all back to me.</p>
<p>As though this isn&#8217;t enough to cause all you security-minded folks to lose sleep, there&#8217;s one more new wrinkle to worry about.  Facebook now has its new &#8220;Places&#8221; functionality working, in which mobile users can indicate where they are at a given point in time.  It reminded me of the Trip-it utility that people started using on LinkedIn last year.  Essentially, both tools allow you to provide specific information to everyone you&#8217;re connected to and many of the people they&#8217;re connected to, letting them know when you&#8217;re out of the office or away from home.  Think about it: You go to the beach for the day and update your location on Facebook.  You&#8217;re thinking that it&#8217;s no big deal if your friends and family know where you are and you may be right.  But on the day I tried it out, I tagged a family member who was with me.  He has nearly 600 Facebook friends, of which he knows fewer than a third.  So 400 relative strangers knew that not only was he away from home but so was his family.  Any one of those connections instantly knew there was a reasonable chance that if they broke into our house they could get in and out with little chance of detection.  For a society where people have their mail collected daily and their newspaper service suspended when away on vacations to avoid the appearance that the house is empty, this is a stunning turn of events.  And you can&#8217;t stop the kids from using the newest and latest capabilities, so now we have potentially tens of millions of people advertising when they&#8217;re away from home and for how long.</p>
<p>It&#8217;s amazing, really, how we react to a threat framed for us by the media but almost completely miss out on another that&#8217;s way more likely to hurt us.  The first thing I would do as a CISO would be to have a script written that checked every corporate email account against all popular social network sites to see if anyone is showing up.  The second thing I would do (and already advise clients to do) is to update all of my related policies and training curriculum to address mixing business with pleasure: Never use your corporate email, never advertise travel plans, and never disclose anything even remotely resembling sensitive data on any of the social networking sites. And I would incorporate activities that check to see if these new policies are being followed.  Remember, the right way to manage this new evolutionary twist in technology isn&#8217;t to prevent it but rather to <a href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-professionals-need-to-practice-vigilance-not-avoidance/">manage it appropriately.</a></p>
<p>Oh and just in case anyone needs to be reminded of the fundamental rule of security, make sure out-of-office replies are restricted to internal communications only.  I can&#8217;t believe how many of them I still receive, and with this new Outlook capability it&#8217;s just a recipe for disaster.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/know-which-security-risks-to-focus-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information security awareness begins at home</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-awareness-begins-at-home/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-awareness-begins-at-home/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 15:20:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ATM]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[social network]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=324</guid>
		<description><![CDATA[What's next, have everyone post their social security number and date of birth to see how similar the numbers are?]]></description>
				<content:encoded><![CDATA[<p>Sometimes the best blog ideas just fall into my lap.</p>
<p><span style="font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;color: black;font-size: 10pt">I was greeted by this status the other day on Facebook:  &#8220;</span><span style="font-family: &quot;Tahoma&quot;,&quot;sans-serif&quot;color: #333333;font-size: 10pt">Today&#8217;s game &#8211; PLACE OF BIRTH! Everyone please play! You will find it interesting to know where your FB friends birthplaces are. Copy &amp; paste this on your profile, then put your place of birth at the end of this sentence&#8230;. Brooklyn, NY&#8221;.</span></p>
<p>Really?  I mean, really?</p>
<p>What&#8217;s next, have everyone post their Social Security number and date of birth to see how similar the numbers are?  Or even better, I suggested to someone that everyone post their Social Security numbers under the guise of seeing if people can guess where and when it was issued (that someone actually liked the idea).</p>
<p>So there I was, dumbstruck and amazed and started trying to figure out how to prevent this sort of personal data exposure from happening in my own home.  I checked all of my PCs to see if the anti-virus software was up-to-date and functioning; it was.  I checked to make sure that all critical software updates were installed; they were.  I verified that each machine had a unique and strong password; they did.  And after conducting this basic sanity check it occurred to me that there&#8217;s still no automated solution to prevent ignorance or &#8211; dare I say it &#8211; stupidity.</p>
<p>Despite technology doing its best to prevent malicious or unwanted activity from occurring on your machine there&#8217;s nothing short of web-filtering to prevent people from doing what people do best: act human.</p>
<p>When my family first became Facebook aware, I immediately instructed those who use it to avoid those lists that capture intimate details about your life (e.g., 20 things no one would ever guess about you) and display it to all with access to your profile.  My family thought I was being paranoid but I explained to them how someone can take that information and guess password challenge questions or gain the trust of those who know you by making references to some of those details.  They weren&#8217;t happy with me because it all seemed to be in good fun but I assured them at some point, somewhere, it was a hacker&#8217;s mentality that came up with the idea.  You have to know, I&#8217;m the guy who refuses to use non-bank ATMs, probes the card reader to see if it&#8217;s a permanent part of the ATM and checks the area for possible spy cameras that might capture my keypad input (no joke).  That same paranoia carries over to the online world we all spend so much time in these days.</p>
<p>It&#8217;s like the Trip-It application a number of my connections use on LinkedIn.  Here&#8217;s a great idea: Let&#8217;s advertise to hundreds of people when I plan to be away from home and for how long.  And while I&#8217;m at it, I&#8217;ll post some sensitive information about me on Facebook (because so many people mix their personal and professional networks) so that you could also potentially guess my alarm system access code or challenge question should the monitoring company call the house.</p>
<p>Really?  I mean, really?</p>
<p>Oh and hey, check back next week because I actually spoke with Rebecca Keen (see my <a title="Something smells phishy." href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/" target="_blank">March 2nd</a> post) and will have an interesting update to share.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-awareness-begins-at-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
