Tuesday, 9 February 2010

Mobile social networks - ENISA's 17 golden rules for privacy and security

EU cyber-security agency ENISA have just issued a report on mobile social networking - "Online as soon as it happens" (PDF) (49 pgs). ENISA's reports are usually excellent - well-informed and clear without being too jargon-ridden - and from a quick skim this looks to be on form. From the summary:

"The report describes the social networking world and the mobile phone services allowing the users to experience the social networking sites (SNSs) on their handset, also illustrating the major risks and threats connected to their use. While many of the privacy issues originating from the web-based access to SNSs also apply to mobile social networks, there are also a number of unique risks and threats against mobile social networks. The report aims to provide a set of recommendations for raising the awareness of social networks users and in particular of social mobile users of the risks and the possible consequences related to their improper use."

Apt as today is Safer Internet Day 2010.

The report includes a section on the EU Data Protection Directive and the article 29 working party's opinion 5/2009 on social networking, the applicability of the Directive to non-EU social networks, and the question of whether the SNS user is responsible for compliance with the Directive (user as data controller and the implications of that). These are of course some of the most problematic data protection issues relating to social networking websites.

Here are their recommended golden rules "to raise awareness about the risks and threats related to the misuse of social networks, in particular when accessed through mobile phone, with advice on how to avoid unwanted consequences":

Golden rules

| Category | No | Recommendations | Description |
|---|---|---|---|
| Pay attention to what you post and upload | 1 | Consider carefully which images, videos and information you choose to publish | Remember that a social network is a public space; only post information or upload images you are comfortable with, keeping in mind that at a later stage you might be confronted with the content you uploaded, e.g. in a job interview. Information and pictures you post online should be considered permanent. They can be copied and stored by other individuals and can resurface years later in search engines. |
| | 2 | Never post sensitive information | Do not make information such as address, date of birth or financial data available in your profile. A criminal might access your profile and steal your identity. |
| | 3 | Use a pseudonym | You do not need to use your real name in an online profile. Using a nickname can help you protect your identity and privacy; only close contacts will know who is behind the nickname. |
| Choose your friends with care | 4 | Do not accept friend requests from people you do not know | Be selective about who you accept as a friend on a social network. You do not have to feel obliged to add someone to your friends’ list. Politely refuse or simply ignore the request. |
| | 5 | Verify all your contacts | Ensure that the people you are in contact with or who sent a friend request are really who they say they are. Do not trust them immediately. |
| Protect your work environment and avoid reputation risk | 6 | When joining a social networking site use your personal e-mail address | Do not use your company e-mail address but your private one and do not post confidential or competitive information about your organization. Be careful about the information you reveal about your workplace, for example do not post pictures shot in front of your office with the company's address or logo on the background that may lead to your job or workplace address. |
| | 7 | Be careful how you portray your company or organisation online | Consider what your employer would think before posting any comments or material online about your company or organisation. |
| | 8 | Do not mix your business contacts with your friend contacts | You have no control over what your friends may post online or how they may portray you and consequently what your employer, colleagues and clients may be exposed to. |
| Protect your mobile phone and the information saved on it from any physical intrusion | 9 | Do not let anyone see your profile or personal information without your consent | Before accessing your profile through your mobile phone pay attention to the environment and people that are surrounding you. If someone is trying to see what you are doing, access your profile in a safer place. |
| | 10 | Do not leave your mobile phone unattended | Someone with malicious intent could update your profile and status with false details. Remember to log out from the social network once your navigation is over and not to allow the social network to remember your password (this function is called ‘Auto-complete’). |
| | 11 | Do not save your password on your mobile phone | Mobile phones can be easily lost or stolen and if you save your password on your mobile device anyone who may have possession of it can access your profile, see your pictures and friends. Try to commit your password to memory and if you write it down be careful where you store it. |
| | 12 | Use the security features available on your mobile phone | Remember to lock the keypad when not in use and to protect the device with a PIN or a password. Backup your details to another device such as a PC in case your mobile phone is lost or stolen. Configure connections (such as Bluetooth and Wi-fi), especially in airports and public spaces, to be secure and if your mobile device has a built in firewall remember to enable it. |
| Respect other people’s privacy | 13 | Be careful what you publish about someone else | Do not upload pictures or personal information regarding other people without their consent. You might commit a criminal offence. |
| Inform yourself | 14 | Read carefully and in full the privacy policy and the conditions and terms of use of the social network you choose | Always be informed about who provides the service and how your personal information will be used and who has the right to access the information you post. |
| Protect your privacy with the privacy settings | 15 | Use privacy-oriented settings | Set the profile privacy level properly. Check the privacy settings of your profile — who can see your pictures, who can contact you and who can add comments in order to avoid making your profile available to everyone. |
| Report immediately lost or stolen mobile | 16 | Be careful when using your mobile phone and pay attention to where you put it | Report immediately stolen or lost mobile phone with contacts and pictures saved in its memory and personal information regarding you and your friends (e.g. those friends whose contacts on the SNS have been synchronized with the mobile phone) and change the passwords on the social networks you are a member of. |
| Pay attention to the location based services and information of your mobile phone | 17 | Deactivate location based services when not using them. | Remember to deactivate location based features of your mobile phone if you don’t need them. |

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.