by Larry Magid

This post originally appeared in the San Jose Mercury News

More and more people are using social networking sites, including, sadly, criminals seeking to take advantage of the rest of us.

Threats on those sites include applications and quizzes, as well as malware, worms and viruses. But the main risk, says Trend Micro’s Rick Ferguson, is information you post yourself that can jeopardize your privacy and your security.

Ferguson says that “we have a tendency on social networks to share more information that we need to.” While you may need to reveal which schools you went to and where you worked to connect with old school mates or colleagues, “you don’t need to share your date of birth, phone number and address,” Ferguson said.

The threats are not limited to Facebook or MySpace. Ferguson also warns users not to be lulled into a false sense of security when using professional networks like LinkedIn. “Because it’s a professional networking site, people give it more credibility and think it’s safer than other networks,” he said, adding that you put yourself at risk by “posting your entire résumé and exposing your business connections.”

Both Ferguson and Symantec safety education director Marian Merritt warn about online quizzes and applications that are popular on social networking sites.

“Every time you accept an application, you’re giving some third-party developer access to information in your profile,” Merritt said.

She warns that “quizzes are sometimes attached to fraudulent marketing companies.” She said her own teenage daughter took an IQ quiz and had to put in her cell phone number to get her score.

“She didn’t notice that the terms of service would sign her up for premium texting until the bill came.” Fortunately, this particular teenage girl has one of the most cyber-security-conscious moms on the planet, who convinced the carrier to stop the charges.

Some quizzes and surveys reveal far too much information. I recently came across a third-party survey that asks users to reveal “60 Things You Didn’t Know About Me” with such questions such as “What are you wearing?” “When was the last time you were drunk?” and “How often do you have sex?” With answers to questions like these on your profile, it doesn’t take a sophisticated hacker to derive information that he shouldn’t have access to.

Some Facebook users don’t seem to be aware of the difference between private messages and wall postings. I have a friend who is posting personal messages to family members’ walls, unaware that those messages are seen by all of the person’s Facebook friends.

Ferguson says to beware of applications that don’t seem to have any purpose other than to spread themselves. Some of these applications automatically send notices to all your friends, telling them that you’re using the applications and encouraging others to install them as well. In addition to spamming your friends, these applications could be gaining access to your profile information and displaying unwanted advertising to all who sign up.

Company spokesperson Simon Axten said Facebook has a team of people and software tools working to enforce rules for application developers. MySpace, according to a spokesperson, also employs a robust security team and tools, including software to block outgoing and incoming spam and warn users about potential phishing sites.

Facebook’s application development process, said Axten, “is relatively open to stimulate innovation and allow people to develop quickly.” But he said developers must agree to a set of rules which, among other things, prohibit them from sending messages on the users’ behalf.

Developers are now required to disclose what information they collect during the installation process, and Axten recommends that users “pay attention to those notices.” He said developers are allowed to collect only the information that they need to run the application, but that can sometimes include profile information and the profiles of your friends.

On all sites, be cautious about clicking on any links, especially those shortened ones that are commonly used on Twitter. If a link is shortened by bit.ly or tinyurl, you have no idea where it will lead you until after you click. Most security suites can warn you before your browser opens potentially dangerous Web sites.

There are other threats, including the Koobface worm, that can steal your password and send spam from your account. Most Internet security programs will protect you against this and other malware.

Users should also be careful about links that appear in posts and messages that could lead to phishing or malware sites. And put on your thinking cap before responding to a friend’s plea for money, even if it comes from your friend’s Facebook account and includes a horrendous story such as being stuck in an overseas jail. Try to reach your friend some other way before responding, because it’s likely a scam.

Disclosure: I am co-director of the nonprofit Internet safety organization, ConnectSafely.org, which receives support from Facebook, MySpace and other social networking companies.

by Larry Magid
reposted from CNET.com

A long awaited report from the Internet Safety Technical Task Force concludes that children and teens are less vulnerable to sexual predation than many have feared. The report also questions the efficacy and necessity of some commonly prescribed remedies designed to protect young people.

The task force was formed as a result of a joint agreement between MySpace and 49 state attorneys general.

Over the past couple of years, several state AGs have been looking into potential dangers to youth, and some have called for social-network sites to use age verification technology to confirm the ages of users in an attempt to prevent adults from or interacting online with minors. The task force includes representatives of Internet and social-networking companies, security and identity authentication vendors, and nonprofit advocacy organizations. It’s chaired by John Palfrey of Harvard Law School’s Berkman Center for Internet and Society.

Disclosure: I served as a member of the task force, representing ConnectSafely.org, a nonprofit internet safety organization I co-founded along with Anne Collier. ConnectSafely receives financial support from MySpace, Facebook, Google, Yahoo, and other Internet and social-networking companies. I am also founder of SafeKids.com and am on the board of directors of the National Center for Missing and Exploited Children, which is represented on the task force.

Based on data analyzed by its Research Advisory Board, the task force concluded that “actual threats that youth may face appear to be different than the threats most people imagine” and that “the image presented by the media of an older male deceiving and preying on a young child does not paint an accurate picture of the nature of the majority of sexual solicitations and Internet-initiated offline encounters.”

While the task force found that youth risk from predators is a concern, the overwhelming majority of youth are not in danger of being harmed by an adult predator they meet online. To the extent that young people have received an unwanted online sexual solicitation, data from a 2000 study and a 2006 follow-up from the Crimes Against Children Research Center concludes that “youth identify most sexual solicitors as being other adolescents (48 percent in 2000; 43 percent in 2006) or young adults between the ages of 18 and 21 (20 percent; 30 percent), with few (4 percent; 9 percent) coming from older adults, and the remaining being of unknown age.” › Continue reading…

Reposted from San Jose Mercury News
December 8, 2008

by Larry Magid

What Lori Drew allegedly did to Megan Meier was despicable, but it doesn’t justify her conviction late last month for violating federal laws designed to keep hackers from invading computer networks.
Two years ago, Megan, a 13-year-old Missouri girl, hanged herself after her online friend “Josh Evans,” who had befriended her on MySpace, reportedly told her that he didn’t want to be friends with her and that the world would be better off without her. But Josh was in fact Drew, a 49-year-old mother of one of Megan’s former friends.

According to published reports, Megan had been mean to Drew’s daughter and Josh’s fake online relationship with Megan was a way for Drew to retaliate.

During the trial in Los Angeles, it was revealed that some entries made by Josh were typed by Ashley Grills, a then-18-year-old employee of Drew who was a witness for the prosecution and was not prosecuted.

The case has widely been characterized as a legal assault on cyberbullying, though it is extremely unusual for an adult to bully a teen. There is no reason to believe that Drew intended for Megan to kill herself, but the case against Drew is frequently cited as a warning to would-be bullies that their actions could bring severe consequences to both their victims and themselves.

From what I can gather, this is a case of a squabble between two 13-year-old girls and a mother who intervened in a terribly immature and inappropriate way. Adults are supposed to help young people peacefully resolve problems, not exacerbate them. This is not so much a case of cyberbullying as a case of bad parental intervention that had tragic consequences.

We need to fight against rude, deceitful and cruel behavior on and off the Internet. But that doesn’t justify a reinterpretation of anti-hacking laws to jail people who misuse Internet services.
The legal theory behind the prosecutor’s case is that Drew violated MySpace’s terms of service that prohibit misrepresenting your identity and harassing others. MySpace rules, which Drew says she hadn’t read, require that “all information you submit is truthful and accurate.” Clearly Drew lied. But so have a lot of other people.

She was prosecuted under Section 1030 of the U.S. Code, which was crafted to protect against unauthorized access to computer networks to cause damage, steal information or money or jeopardize national security. As far as I can tell, the law was not designed to prevent people from lying about their identity or otherwise violating rules on a publicly available online service. But that didn’t stop the jury from convicting Drew of misdemeanor violations. The jury refused to go along with the prosecution’s felony charges.

Based on this case, I’m one of millions of people who might also be guilty of a federal crime. I didn’t harass anyone, but I did violate MySpace’s terms of service by creating several fake identities with a variety of ages to test privacy features for teenagers while I was researching a book about MySpace in 2006.

And what about police officers who pose as teenagers to lure would-be predators? Should they have to request immunity from federal prosecution each time they engage in such a sting operation? I’ve even heard cases of law enforcement people advising kids to lie on their profiles to protect their privacy. Should they be indicted for conspiracy?

There are plenty of adults who lie online about their age. I have a friend who set up a profile on an online dating service using a false age, an old photograph and the exaggerated claim that he was “athletic.” A date might have cause to be disappointed or angry at him, but should she have the right to demand a federal prosecution?

Even Megan, with her mom’s knowledge, lied about her age. She was 13 and, at the time, MySpace required users to be at least 14. MySpace recently started allowing 13-year-olds to sign up.
The usual penalty for violating terms of service is to be kicked off the service. Had MySpace decided to go after Drew in court, it could have done so as a civil matter. But it’s not up to federal prosecutors to take it upon themselves to enforce a company’s online agreement with its members, especially if that company never asked for federal intervention.

I can understand why a jury wanted to punish Drew for what happened to Megan. But it’s not clear to me that putting Drew in prison on a hacking charge will help prevent cyberbullying or future tragedies.

What is needed is an educational campaign that makes bullying or harassing just as unacceptable as racial epithets or subjecting others to secondhand smoke. Cyberbullying is a real problem but it requires serious long-term solutions, not quick fixes and prosecutorial hijinks.