This post originally appeared in the San Jose Mercury News

More and more people are using social networking sites, including, sadly, criminals seeking to take advantage of the rest of us.

Threats on those sites include applications and quizzes, as well as malware, worms and viruses. But the main risk, says Trend Micro’s Rick Ferguson, is information you post yourself that can jeopardize your privacy and your security.

Ferguson says that “we have a tendency on social networks to share more information that we need to.” While you may need to reveal which schools you went to and where you worked to connect with old school mates or colleagues, “you don’t need to share your date of birth, phone number and address,” Ferguson said.

The threats are not limited to Facebook or MySpace. Ferguson also warns users not to be lulled into a false sense of security when using professional networks like LinkedIn. “Because it’s a professional networking site, people give it more credibility and think it’s safer than other networks,” he said, adding that you put yourself at risk by “posting your entire résumé and exposing your business connections.”

Both Ferguson and Symantec safety education director Marian Merritt warn about online quizzes and applications that are popular on social networking sites.

“Every time you accept an application, you’re giving some third-party developer access to information in your profile,” Merritt said.

She warns that “quizzes are sometimes attached to fraudulent marketing companies.” She said her own teenage daughter took an IQ quiz and had to put in her cell phone number to get her score.

“She didn’t notice that the terms of service would sign her up for premium texting until the bill came.” Fortunately, this particular teenage girl has one of the most cyber-security-conscious moms on the planet, who convinced the carrier to stop the charges.

Some quizzes and surveys reveal far too much information. I recently came across a third-party survey that asks users to reveal “60 Things You Didn’t Know About Me” with such questions such as “What are you wearing?” “When was the last time you were drunk?” and “How often do you have sex?” With answers to questions like these on your profile, it doesn’t take a sophisticated hacker to derive information that he shouldn’t have access to.

Some Facebook users don’t seem to be aware of the difference between private messages and wall postings. I have a friend who is posting personal messages to family members’ walls, unaware that those messages are seen by all of the person’s Facebook friends.

Ferguson says to beware of applications that don’t seem to have any purpose other than to spread themselves. Some of these applications automatically send notices to all your friends, telling them that you’re using the applications and encouraging others to install them as well. In addition to spamming your friends, these applications could be gaining access to your profile information and displaying unwanted advertising to all who sign up.

Company spokesperson Simon Axten said Facebook has a team of people and software tools working to enforce rules for application developers. MySpace, according to a spokesperson, also employs a robust security team and tools, including software to block outgoing and incoming spam and warn users about potential phishing sites.

Facebook’s application development process, said Axten, “is relatively open to stimulate innovation and allow people to develop quickly.” But he said developers must agree to a set of rules which, among other things, prohibit them from sending messages on the users’ behalf.

Developers are now required to disclose what information they collect during the installation process, and Axten recommends that users “pay attention to those notices.” He said developers are allowed to collect only the information that they need to run the application, but that can sometimes include profile information and the profiles of your friends.

On all sites, be cautious about clicking on any links, especially those shortened ones that are commonly used on Twitter. If a link is shortened by bit.ly or tinyurl, you have no idea where it will lead you until after you click. Most security suites can warn you before your browser opens potentially dangerous Web sites.

There are other threats, including the Koobface worm, that can steal your password and send spam from your account. Most Internet security programs will protect you against this and other malware.

Users should also be careful about links that appear in posts and messages that could lead to phishing or malware sites. And put on your thinking cap before responding to a friend’s plea for money, even if it comes from your friend’s Facebook account and includes a horrendous story such as being stuck in an overseas jail. Try to reach your friend some other way before responding, because it’s likely a scam.

Disclosure: I am co-director of the nonprofit Internet safety organization, ConnectSafely.org, which receives support from Facebook, MySpace and other social networking companies.

A long awaited report from the Internet Safety Technical Task Force concludes that children and teens are less vulnerable to sexual predation than many have feared. The report also questions the efficacy and necessity of some commonly prescribed remedies designed to protect young people.

The task force was formed as a result of a joint agreement between MySpace and 49 state attorneys general.

Over the past couple of years, several state AGs have been looking into potential dangers to youth, and some have called for social-network sites to use age verification technology to confirm the ages of users in an attempt to prevent adults from or interacting online with minors. The task force includes representatives of Internet and social-networking companies, security and identity authentication vendors, and nonprofit advocacy organizations. It’s chaired by John Palfrey of Harvard Law School’s Berkman Center for Internet and Society.

Disclosure: I served as a member of the task force, representing ConnectSafely.org, a nonprofit internet safety organization I co-founded along with Anne Collier. ConnectSafely receives financial support from MySpace, Facebook, Google, Yahoo, and other Internet and social-networking companies. I am also founder of SafeKids.com and am on the board of directors of the National Center for Missing and Exploited Children, which is represented on the task force.

Based on data analyzed by its Research Advisory Board, the task force concluded that “actual threats that youth may face appear to be different than the threats most people imagine” and that “the image presented by the media of an older male deceiving and preying on a young child does not paint an accurate picture of the nature of the majority of sexual solicitations and Internet-initiated offline encounters.”

While the task force found that youth risk from predators is a concern, the overwhelming majority of youth are not in danger of being harmed by an adult predator they meet online. To the extent that young people have received an unwanted online sexual solicitation, data from a 2000 study and a 2006 follow-up from the Crimes Against Children Research Center concludes that “youth identify most sexual solicitors as being other adolescents (48 percent in 2000; 43 percent in 2006) or young adults between the ages of 18 and 21 (20 percent; 30 percent), with few (4 percent; 9 percent) coming from older adults, and the remaining being of unknown age.”

What the task force did find is that “bullying and harassment, most often by peers, are the most salient threats that minors face, both online and offline.” Partially because researchers can’t agree on a definition of bullying and harassment, the actual risk is hard to quantify, but it is clearly much higher than the risk of being harmed by a predator. Some studies suggest that as many as 49 percent of youth have experienced some type of bullying or harassment. In many cases no serious emotional or physical harm occurred. However, a study by Michelle Ybarra and Janice Wolak found that “39 percent of victims reported emotional distress over being harassed online.”

There is also a widespread belief that deception is often involved where adults pose as teens to engage with young people, but research shows that that’s rarely the case. The report found that “although identity deception may occur online, it does not appear to play a large role in criminal cases in which adult sex offenders have been arrested for sex crimes in which they met victims online.” Interviews with police show that “most victims are underage adolescents who know they are going to meet adults for sexual encounters.” This does not imply that such relationships are healthy or safe, nor that we should blame the victims or tolerate the actions of adults who engage in sex with minors. But it does suggest that child safety advocates need to take a more proactive role in helping teens understand the risk of seeking engaging in relationships with adults.

Importantly, the task force found that online risks “are not radically different in nature or scope than the risks minors have long faced offline, and minors who are most at risk in the offline world continue to be most at risk online.” For example, “a poor home environment full of conflict and poor parent-child relationships is correlated with a host of online risks.”

The attorneys general who called for the task force were anxious for us to study the efficacy of using age verification to help limit inappropriate contact between adults and children online. To help in that job, the task force formed a technical advisory board (TAB) composed of technology experts from Harvard, MIT, Dartmouth, University of Massachusetts, University of Utah, Rochester Institute of Technology, and Bank of America. This board looked at a wide range of technologies including age verification and identity authentication, filtering and auditing, text analysis, and biometrics.

What the TAB found was that age verification technology can be used to identify adults and therefore help prevent minors from engaging in adult-only activities such as accessing adult content or purchasing alcohol or tobacco. There were several technologies submitted by companies that could identify adults based on accessible records such as credit reports, criminal history, and real estate transactions, but these relatively automated systems cannot reliably identify or verify the age of minors because, as the TAB concluded, “public records of minors range from quite limited to nonexistent.” Documentation about young people such as birth certificates, passports, and school records are restricted by federal law for some very good privacy and security reasons.

Age verification options presented by some companies would allow parents to request that their child’s school verify his or her identity and age, but these proposals have their own critics including those who worry about the cost, the possibility of privacy or security leaks, and the financial model presented in some cases that includes providing marketers with information about kids.

The TAB also looked at “peer-based” verification schemes that “allow peers in a community to vote, recommend, or rate whether a person is in an appropriate age group based on relationships and personal knowledge established offline” but worried that with these methods “users can vote as many times as they wish to artificially raise or lower a peer rating.” There were concerns that “minors might organize against another minor in their ratings or recommendations in an online form of bullying.”

At one task force meeting, a company presented technology that tries to distinguish between an adult and a child by analyzing the bone density of the person’s hand. Another tool attempts to identify an individual through facial recognition to match that person against a database of registered sex offenders.

Although the TAB expressed “cautious optimism” about the possibility of using technology to protect kids, it concluded that “every technology has its problems” and that “no single technology reviewed could solve every aspect of online safety for minors, or even one aspect of it one hundred percent of the time.” The bottom line was that “technology can play a role but cannot be the sole input to improved safety for minors online” and that “the most effective technology solution is likely to be a combination of technologies.”

But even if these technologies can be employed effectively, there remains the question of whether they are necessary or helpful. Using technology to separate kids from grown-ups doesn’t address the fact that kids are far more at risk from other kids than from adult predators.

Another danger is that age verification or new rules could be used to keep kids off of social networks or require parental consent. But before issuing rules about this, authorities should explore possible unintended consequences such as isolating kids, causing them to go underground, failing to serve kids from dysfunctional families, and preventing kids from accessing vital services such as the Suicide Prevention Hotline or one of the many online self-help groups.

The task force report will have its critics, including possibly some attorneys general and others who feel that it underestimates the risk of online predators. Indeed, sting operations from law enforcement (as well as the TV show To Catch a Predator) demonstrate that there are plenty of adults who, if given the chance, would engage in sex with youth they meet online. But, based on the research presented to the task force, it appears that the vast majority of young people are savvy enough to avoid such encounters.

Still, there remains a minority of youth who–for a variety of psychological and social reasons–are vulnerable both online and offline. More research needs to be done to identify these young people and provide them with resources and protective services. The fact that most kids are safe is reassuring but it’s not sufficient. If even one child is in danger, then there is work to be done, and that is one thing everyone who cares about this issue can agree on.

by Larry Magid

What Lori Drew allegedly did to Megan Meier was despicable, but it doesn’t justify her conviction late last month for violating federal laws designed to keep hackers from invading computer networks.
Two years ago, Megan, a 13-year-old Missouri girl, hanged herself after her online friend “Josh Evans,” who had befriended her on MySpace, reportedly told her that he didn’t want to be friends with her and that the world would be better off without her. But Josh was in fact Drew, a 49-year-old mother of one of Megan’s former friends.

According to published reports, Megan had been mean to Drew’s daughter and Josh’s fake online relationship with Megan was a way for Drew to retaliate.

During the trial in Los Angeles, it was revealed that some entries made by Josh were typed by Ashley Grills, a then-18-year-old employee of Drew who was a witness for the prosecution and was not prosecuted.

The case has widely been characterized as a legal assault on cyberbullying, though it is extremely unusual for an adult to bully a teen. There is no reason to believe that Drew intended for Megan to kill herself, but the case against Drew is frequently cited as a warning to would-be bullies that their actions could bring severe consequences to both their victims and themselves.

From what I can gather, this is a case of a squabble between two 13-year-old girls and a mother who intervened in a terribly immature and inappropriate way. Adults are supposed to help young people peacefully resolve problems, not exacerbate them. This is not so much a case of cyberbullying as a case of bad parental intervention that had tragic consequences.

We need to fight against rude, deceitful and cruel behavior on and off the Internet. But that doesn’t justify a reinterpretation of anti-hacking laws to jail people who misuse Internet services.
The legal theory behind the prosecutor’s case is that Drew violated MySpace’s terms of service that prohibit misrepresenting your identity and harassing others. MySpace rules, which Drew says she hadn’t read, require that “all information you submit is truthful and accurate.” Clearly Drew lied. But so have a lot of other people.

She was prosecuted under Section 1030 of the U.S. Code, which was crafted to protect against unauthorized access to computer networks to cause damage, steal information or money or jeopardize national security. As far as I can tell, the law was not designed to prevent people from lying about their identity or otherwise violating rules on a publicly available online service. But that didn’t stop the jury from convicting Drew of misdemeanor violations. The jury refused to go along with the prosecution’s felony charges.

Based on this case, I’m one of millions of people who might also be guilty of a federal crime. I didn’t harass anyone, but I did violate MySpace’s terms of service by creating several fake identities with a variety of ages to test privacy features for teenagers while I was researching a book about MySpace in 2006.

And what about police officers who pose as teenagers to lure would-be predators? Should they have to request immunity from federal prosecution each time they engage in such a sting operation? I’ve even heard cases of law enforcement people advising kids to lie on their profiles to protect their privacy. Should they be indicted for conspiracy?

There are plenty of adults who lie online about their age. I have a friend who set up a profile on an online dating service using a false age, an old photograph and the exaggerated claim that he was “athletic.” A date might have cause to be disappointed or angry at him, but should she have the right to demand a federal prosecution?

Even Megan, with her mom’s knowledge, lied about her age. She was 13 and, at the time, MySpace required users to be at least 14. MySpace recently started allowing 13-year-olds to sign up.
The usual penalty for violating terms of service is to be kicked off the service. Had MySpace decided to go after Drew in court, it could have done so as a civil matter. But it’s not up to federal prosecutors to take it upon themselves to enforce a company’s online agreement with its members, especially if that company never asked for federal intervention.

I can understand why a jury wanted to punish Drew for what happened to Megan. But it’s not clear to me that putting Drew in prison on a hacking charge will help prevent cyberbullying or future tragedies.

What is needed is an educational campaign that makes bullying or harassing just as unacceptable as racial epithets or subjecting others to secondhand smoke. Cyberbullying is a real problem but it requires serious long-term solutions, not quick fixes and prosecutorial hijinks.