Archive for the ‘Compliance’ Category

Who owns and regulates MY Facebook data?

February 14, 2012 21 comments

I am also the editor of the Neohapsis Labs blog. The following is reprinted with permission from

My previous post briefly described the data that makes up a user’s Facebook data and this post will try to shed light on who owns and regulates this data.

I am probably not going out on a limb here to say that the majority of Facebook’s registered users have not read the privacy statement. I was like the majority of users myself, in that I did not fully read Facebook’s privacy statement upon signing up for the service. Facebook created a social media network online at a time when few rules had been defined for that kind of business, in America or anywhere else. A lack of rules, combined with users constantly uploading more data, has allowed Facebook to maximize the use of your data and build a behemoth of a social media networking business.

Over time, Facebook has added features that let users self-regulate their data by limiting others (whether other Facebook users or the general Internet public) from viewing data that one might want to share only with family or specific friends. This gave users a sense of ownership and privacy, since the creator of the data could block or restrict friends and search providers from viewing it. Zuckerberg is even quoted by the WSJ as saying “The power here is that people have information they don’t want to share with everyone. If you give people very tight control over what information they are sharing or who they are sharing with they will actually share more. One example is that one third of our users share their cell phone number on the site”.

In addition to privacy controls, Facebook gave users more insight into their data through a feature that allowed a user to download ‘all’ their data through a button in the account settings. I placed ‘all’ in quotes because, while you could download your Facebook profile data, the export did not include wall comments, links, information tagged by other Facebook users, or any other data you created during your Facebook experience. Combined, privacy controls and data export are the main forms of control Facebook has given its users over profile, picture, note, link, tag and comment data since Facebook went live in 2004.

So now you might be thinking the problem is solved: restricting your privacy settings and downloading ‘all’ your information fixes everything. I wish that were the case with Facebook’s business operations. An open letter by 10 security professionals to the US Congress highlighted that this was not simply how things worked with Facebook and with third-party Facebook developers’ operations. Facebook has reserved the right to change its privacy statement at any time with no notice to the user, and has done so a few times, to an uproar from its user base. As Facebook has grown in popularity and company footprint, security professionals along with media outlets have started publishing security studies that paint Facebook in a darker light.

As highlighted by the US Federal Trade Commission (FTC) in late 2011, Facebook was not respecting users’ privacy when sharing information with advertisers or when automatically enabling contradictory privacy settings on new services. Facebook settled the FTC’s complaint, which charged it with deceiving users by telling them they could keep their data private. From my perspective it appears that Facebook is willing to contradict their user’s privacy to suit their best interest for shareholders and business revenue.

In a further privacy mishap, an Austrian student found that Facebook was storing user details even after a user deactivated their account. This started an ‘EU versus Facebook’ initiative on the Internet that put heat on Facebook to give more details on how long data is retained for current and deactivated users. Holding on to user data is lucrative for Facebook, as it allows them to claim more users when selling to advertising subscribers and to promote a larger total user base to private investors.

So the next question one might ask is “who regulates my data held by social media companies?” Summed up quickly, today no one outside Facebook is regulating your data, and users are given little insight into the process. The governments of the US and the European Union are looking at means of regulating Facebook’s operations through data privacy regulations and the US/EU Safe Harbor framework. With Facebook announcing an initial public offering of five billion USD, more regulation, at least financial regulation, is likely to hit Facebook in the future.

As an outcome of the 2011 FTC investigation, Facebook has agreed to independent audits by third parties, presumably of its choosing. I have not been able to identify details regarding the subject of these audits or the ramifications of audit findings. Facebook has also updated its public statement and its communication to developers, and now states that deactivated users will have their accounts deleted after 30 days. I have yet to see a change in Facebook’s operations for respecting their user’s privacy settings when pertaining to third parties and other outside entities – in fairness they insist data is not directly shared for advertising; although some British folks may disagree with Facebook claims of advertising privacy.

From an information security perspective, my ‘free’ advice to businesses, developers and end users is this: do not access or hand over more data than your user experience needs, as doing so only brings trouble in the long run. While I would like to give Facebook the benefit of the doubt in their operations, I personally only give data that I am comfortable sharing with the world even though it is limited to friends. In global business, data privacy regulations vary significantly between countries; with regulations come requirements, and everyone knows that failing requirements results in fines, so businesses need to access only the information that is appropriate and restrict access accordingly. For the end user, who is Facebook’s product, remember that Facebook can change its privacy statement at its leisure, and Facebook is ultimately a business with stakeholders that are eager to see quarter after quarter growth.

I hope this post has been insightful to you; please check back soon for my future post on how your Facebook data is being used and the different entities that want to access your data.

Hiking the mountain to security enlightenment (video)

July 21, 2009 3 comments

Freeform ramblings while hiking to the top of Multnomah Falls in Oregon.

Approaches to enterprise information protection changing – as Axelrod, Bayuk, Hunt and others show

March 18, 2009 1 comment

A book I contributed to is available on Amazon. Warren Axelrod and Jennifer Bayuk edited this collection of essays on security and privacy.
I think it is a special, unique view of how physical and logical threats, plus dynamic business and compliance trends, are changing how security needs to be done. My chapter was on security as it relates to the transportation industry. I took a logical and physical view of the problem.

Learning an IT lesson from a home contractor

January 27, 2009 2 comments

Here is a post written by an end user security professional who will be known here simply as Padded Arrow.  I believe you will find his perspectives on IT, security, risk management, and technology to be enlightening. -sh

Mike Holmes is a Canadian building contractor whose popular TV show tag line is "Make it right". Not just a catchy phrase but rather his way of working.  If you have watched his shows, one of the underlying messages is “Building codes are MINIMUM guidelines.”  Often, the right way to do the job is not in the same league as "code."  Mike prefers to "Make it right" rather than "make it code."

What does this have to do with IT and Security?  Many regulatory requirements (SOX, GLBA, HIPAA, etc.) come from a need to "raise the bar" on the quality of IT construction, safety and security.  Too often, IT projects are a knee-jerk reaction to the current challenges in the IT environment, both real and perceived (aka marketing hype). Sometimes, regulations (building codes) seem to have more influence to direct IT than what is the best course of action for the company.  At what point does a company decide to plan its IT strategy with the business and long term survivability as a priority?

Instead of "Make it right", team up to "Make IT right".

Topics We’re Talking to Clients About

January 26, 2009 Leave a comment

My team and I are spending more time talking to end user business managers about compliance lately. Here are some of the inquiries we've received.

1. The area of compliance is very complex. My organization is multinational and has several overseas locations – what is the best way to approach compliance from the corporate standpoint?

2. Massachusetts has just enacted a new data privacy law, 201 CMR 17.00 “Standards for the protection of personal information”; how does this law differ from others and what should organizations do to prepare for similar laws?

3. Is it true that payments that are legal in many countries are prohibited by the Foreign Corrupt Practices Act (FCPA)?
   a. How do organizations avoid issues with FCPA?
   b. What are an organization’s core responsibilities under FCPA?

4. How can organizations figure out what they should be doing in terms of preparing and executing electronic discovery?

5. What are the latest trends in domestic partner law and how will they impact employers?

Forrester Analyst Launches Risk Consultancy

December 14, 2007 Leave a comment

One of my long time Forrester colleagues, Michael Rasmussen, has formed a new consulting firm. Michael made a name for himself over the last several years as one of the leading voices in governance, risk and compliance best practices and trends. Now he will be offering more services in GRC and writing a blog.

He features an essay on integrity on his new website opening with this quote.

Integrity is a mirror revealing the truth about an individual or a corporation. It involves walking the talk — not just talking it.

I’d say Michael is the embodiment of that statement.  Please check out his services at

Categories: Compliance

Weak Link in Chase Bank and ABN Amro security

October 8, 2007 5 comments

When my team and I find mismanaged confidential information in a security audit we launch an awareness campaign around trash, recycling, and shredders. Not surprisingly, recycling bins, like dumpsters, are repositories for plenty of corporate secrets.

But bank dumpsters are the worst (or best, if you’re a bad guy). The large bank branches in wealthy neighborhoods attract the most valuable dumpster data of all: personal financial statements of millionaires. You heard right. Dive a dumpster in Lake Forest or Bal Harbour and commandeer the bank accounts of the very rich.

I’ve noticed that ABN Amro and Chase Bank are particularly lax in shredder placement. Private bankers, every night, throw out reams of paper with names, addresses, bank account details, social security numbers, and dates of birth. Even mother’s maiden names are included on documents thrown out in ABN and Chase dumpsters around the US.

Climbing through these dumpsters is usually a crime (if not performed as part of an authorized security audit, of course), since they sit on private property – behind that crooked wooden gate in the parking lot. But I know of more than one Chase Bank branch in wealthy neighborhoods with dumpsters in the alley – that is, in the public

Some communities have laws that inhibit trash picking, but in general the U.S. Supreme Court has held (California v. Greenwood, 1988) that there is no reasonable expectation of privacy in trash left for collection in a public place, a ruling that lets law enforcement search it without a warrant and leaves dumpster diving and trash picking on public property largely unprotected. You don’t have to be a freegan [a person who chooses to live off food and property retrieved from trash] to see the value of that kind of accessibility. Identity thieves and all-around scum bags can benefit, too.

The personal financial statements of the very wealthy that I mentioned are the documents used to "apply" for high end personal and business loans, and they usually have all the info needed to set up bank-by-phone and an Internet account. After all, the very rich don’t usually do their own banking. Their accountants do it for them the old fashioned way, by balancing ledgers against monthly statements. That is enough time for a bad guy to set up wire transfers, print checks, and connect to a Paypal account.

You bankers out there may want to have your dumpsters inspected and your "shredder culture" assessed before the bad guys do it for you.

The irrational fear of being forthright – how Cisco teaches a lesson in customer service to Honeywell and Tyco

September 18, 2007 Leave a comment

Honeywell announced a recall of fire alarm panels this week. Chips in the Apex Destiny 6100 and 6100AN Security System Control Panels, made by Xicor, might lose programming during a power outage of more than four hours, the U.S. Consumer Product Safety Commission said. The system failed to alert homeowners in at least three incidents.

If you search the Honeywell website, or Tyco’s for that matter, for software or hardware bugs or security vulnerabilities, the best you can hope to find is the announcement of a recall like this one.

However, there is a standard practice for bug and vulnerability reporting that IT vendors have used for the last 15 or 20 years and that would serve the physical security industry well. An excellent example is a page on the Cisco website that shines light on a philosophical difference between the old guard of the physical security industry and the convergence leaders.

Cisco actually publicly reports bugs. I recommend that Cisco’s Security Vulnerability Policy be required reading for everyone in the physical security industry. Search a physical security vendor’s website for software bug, security vulnerability, patch, or any other word indicating an interest in proactively improving products and you’ll come up empty. Searching for "software bug" on Tyco’s website brings up a bunch of hits on the company’s Software House marketing collateral (Is Tyco saying that Software House is all bugs?!) :-) . On Honeywell’s site, the closest you get is a link to Microsoft’s hotfix schedule. On you can find a few bugs reported, but nothing like the infrastructure Cisco has built.

Cisco uses the error reporting policy to improve its products and boost its reputation.  Cisco looks for problems in its products, encourages users to report new problems through a public forum, promptly notifies customers, then fixes the problem.  Now that’s a company with the welfare of its customers and its brand in mind – in sharp contrast to the insular, protective, paranoid behavior of Honeywell, Tyco, Bosch, Pelco, HID, and so many other of the older names of physical security.

Don’t think of Verdasys as just another data leakage protection vendor

I’ve been briefed by Verdasys a few times over the years, but frankly the fog never quite cleared for me.  While I was Research Director at Forrester I would talk to these guys, usually in the context of data leakage protection, or what Forrester later termed Information Leak Prevention (ILP).  This week in Boston, however, I had another briefing and finally got it. (Gimme a break – I never said I was the smartest guy in the industry…. Oh, well, maybe I did, come to think of it…)

Digital Guardian, the flagship Verdasys product, is like a framework for managing information. When data is transferred from the safe confines of a data repository or server to the wild and unregulated world of laptops, desktops and PDAs, Digital Guardian acts as a governor of the data, permitting all normal and authorized use, auditing and reporting on that use, and, when appropriate, inhibiting malicious and unauthorized use. I think of it as a GPS for corporate data, making the proper use of data easy and unencumbered while alerting on "wrong turns."

I think the $17 dollars Verdasys has spent on marketing has not stretched as far as they may have hoped, and that’s why most folks erroneously stick them in the ILP/DLP bucket. But the Verdasys approach goes far beyond the simple filtering of the data leakage vendors, or the unsophisticated "on/off" endpoint security device control products.

Categories: Audit, Compliance, InfoSec, Software

If you can’t trust your locksmith – or your network admin – who CAN you trust?

August 9, 2007 10 comments

Why is the possession of lock picks by non-locksmiths illegal in some states? That was the unlikely question posed to me by IT security expert and CEO of ProofSpace, Paul Doyle, when he called me this morning. The obvious answer to the question is that lock picks in trained hands may be burglary tools. That kind of “super power” is also disconcerting. When my neighbor locked his babysitter out of the house accidentally last week, the babysitter came over. I called my neighbor on his cell phone and asked if he wanted me to pick the lock – I am a locksmith after all. He declined and preferred to drive 20 minutes back to his house to unlock it himself. He really didn’t like the idea that his house wasn’t private to someone with lock picks.

There is a corollary in law and IT security. Individuals with admin privileges on a corporate computer – like an email server or database – essentially have logical lock picks. So shouldn’t admin privileges be closely guarded? In many states locksmiths have to be licensed. Should we license our computer and network administrators? Just about every computer I’ve ever seen in use by security personnel is logged in as admin.

It was American Express or some other mega financial services firm which recently had its complaint thrown out of court. The company contended that another firm misappropriated confidential data. The judge in the case asked the plaintiff a simple question: How do you know the data was authentic? The company did not have an adequate answer and the case moved no further.

Fascinating. How do you prove that data – like emails – is authentic? You can hash it and sign the hash, keep a checksum, closely audit all activity with Verdasys Digital Guardian™, or sign it with ProofMark™ from ProofSpace. The caveat is that a plain checksum or unkeyed hash only shows the data has not changed since the value was computed; anyone who can alter the data can recompute it. Proving who produced the data, and when, needs a key the other party does not hold (a signature or keyed MAC) and, for the "when," a trusted timestamp.
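The distinction above is easy to get wrong in practice, so here is an added example (it is not code from this post, from ProofSpace or from Verdasys; the records and the key are constructed for illustration). It runs the same forgery against three protections: a checksum or unkeyed hash stored beside the record, an HMAC-SHA256 tag computed when the record was archived, and a hash-chained log in which every entry commits to all earlier ones. Only the keyed forms catch the change, because the forger can recompute anything that does not need the key.

```python
"""Integrity versus authenticity of archived records (added example).

Constructed sample data and a hypothetical key; not the post's own code.
Shows why an unkeyed hash or checksum does not prove who produced a record,
while a keyed MAC (same idea as a digital signature, with a shared key in
place of a key pair) does, and how chaining records makes later records
vouch for earlier ones.
"""
import hashlib
import hmac
import zlib

# Constructed sample records standing in for archived e-mails (not real mail).
RECORDS = [
    b"From: cfo@example.com\r\nTo: counsel@example.com\r\nSubject: Q3\r\n\r\nRevenue was 4.2M.",
    b"From: counsel@example.com\r\nTo: cfo@example.com\r\nSubject: Re: Q3\r\n\r\nNoted, thanks.",
    b"From: cfo@example.com\r\nTo: board@example.com\r\nSubject: Q3 final\r\n\r\nFiling on Friday.",
]

# Hypothetical key. In a real deployment it lives in an HSM/KMS or a signing
# service, never next to the records it protects.
MAC_KEY = bytes.fromhex("6f1d8c3a9b2e4f5061728394a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e")

CHAIN_SEED = b"\x00" * 32  # link value "before" the first record


def checksum(data: bytes) -> int:
    """CRC32: catches accidental corruption, proves nothing about origin."""
    return zlib.crc32(data) & 0xFFFFFFFF


def digest(data: bytes) -> str:
    """SHA-256 hex digest: collision-resistant, but still unkeyed."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: needs the key to compute, so it is evidence of origin."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac(key, data), tag)


def _link(key: bytes, prev: bytes, record: bytes) -> bytes:
    # Each link commits to the previous link and to this record's hash.
    return hmac.new(key, prev + hashlib.sha256(record).digest(), hashlib.sha256).digest()


def chain_log(records, key: bytes):
    """Return [(record, link), ...] where every link depends on all earlier ones."""
    entries, prev = [], CHAIN_SEED
    for rec in records:
        link = _link(key, prev, rec)
        entries.append((rec, link))
        prev = link
    return entries


def verify_chain(entries, key: bytes) -> int:
    """Return -1 if the whole chain verifies, else the index of the first bad entry."""
    prev = CHAIN_SEED
    for i, (rec, link) in enumerate(entries):
        if not hmac.compare_digest(_link(key, prev, rec), link):
            return i
        prev = link
    return -1


def tamper(record: bytes) -> bytes:
    """What an insider with write access to the archive (and no key) can do."""
    return record.replace(b"4.2M", b"5.2M")


def demo() -> dict:
    """Run the same forgery against all three protections and report what each catches."""
    original = RECORDS[0]
    forged = tamper(original)

    # 1. Unkeyed checksum/hash stored next to the record: the forger simply
    #    overwrites the stored values with ones recomputed over the forged text.
    stored_crc, stored_sha = checksum(forged), digest(forged)
    unkeyed_catches = (checksum(forged) != stored_crc) or (digest(forged) != stored_sha)

    # 2. Keyed tag made by the honest party at archive time: the forger
    #    cannot produce a matching tag for the altered text.
    tag_at_archive_time = mac(MAC_KEY, original)
    keyed_catches = not verify_mac(MAC_KEY, forged, tag_at_archive_time)

    # 3. Chained log: swap in the forged first record, keep every stored link.
    entries = chain_log(RECORDS, MAC_KEY)
    entries[0] = (forged, entries[0][1])
    first_bad = verify_chain(entries, MAC_KEY)

    return {
        "unkeyed_catches_forgery": unkeyed_catches,  # False
        "keyed_catches_forgery": keyed_catches,      # True
        "first_bad_chain_entry": first_bad,          # 0
    }


if __name__ == "__main__":
    print(demo())
```

A shared-key MAC only convinces someone who also holds the key, so it settles the question for the archive's owner but not for a judge hearing a dispute between two parties that both had access to the data. For that, the party able to alter the records must not hold the key: swap `mac` for an asymmetric signature (the structure stays the same) and have a third party timestamp the chain head, which is the niche the signing and timestamping products named in the paragraph occupy.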

If there were an easy, cost effective way of ensuring or measuring the authenticity of data, would companies buy it? I think so. Just like companies bought RACF and ACF2 for their mainframes, or SeOS/eTrust Access Control for their Unix boxes. What do you think?

Categories: Audit, Compliance, InfoSec, Trends
