ID Thieves Hunt for ‘Friendprints’

Knowledge@Wharton
August 5, 2009 | COMMENTS

A generation is growing up with social networking Web sites such as Facebook and MySpace, casually posting accounts of their lives for their friends—and the world—to see. Few of these users realize that the information they post, when combined with new technologies for gathering and compiling data, can create a fingerprint-like pattern of behavior. The information provides opportunities not only for legitimate business purposes, but also for identity thieves and other predators, according to Knowledge@Wharton.

Research of online social networking and how it may alter privacy norms is just beginning, according to technology observers at the Information Security Best Practices Conference hosted by Wharton. “Our kids today will give everything in terms of personal information away, but it's not at all clear how this will shake out in the long run,” says Peter Fader, Wharton marketing professor. “Privacy is a moving target.”

On the Web, it's clear that individuals are increasingly using these sites to keep in touch with friends, find jobs, and enhance their careers. Between March and April, social networking sites saw a 12% increase in traffic, according to comScore, a service that measures Web traffic. MySpace led the category with 71 million visitors, while Facebook attracted 67.5 million, and Twitter drew 17 million—an 83% increase.

Data Mining

By giving up such information as their names, birth dates, and a list of their network of friends, users are revealing far more than they know. Third-party applications can take that data outside of the friendly confines of a social network and combine it with data from other sources to piece together enough information to steal a person's identity. Just a person's name and birth date—routinely found on a Facebook profile—can be useful for an identity thief.

And the line between professional networking on a site such as LinkedIn, and social networking on sites such as Facebook, has become very thin. Many Facebook users might create a more casual persona for themselves on that site than they would on LinkedIn, where they would include nothing but professional information. But both sites can be seen by potential employers and clients, and complications can ensue.

Ultimately, social networking security rests with each user of the service. Experts recommended that social network users know the privacy policies—governing, among other things, how the information provided can be used—of the sites they frequent.

At the same time, Web site operators need to make privacy policies easier to understand. Given that most users don't read the policies, new formats should act as simplified “nutrition labels,” like those on food products, say experts.

Private Here, Not There

Individuals' notions of privacy are inconsistent depending on the context of an interaction. Research shows that people are more likely to divulge key personal information—their photo, birthday, hometown, address and phone number—on social networking sites than they would on other Web sites.

People say privacy is important to them, but their behavior indicates a remarkable lack of concern, according to researchers. One concern is a “herding effect” —people divulging information when they see others doing so. That tendency may explain why so many people are willing to dish out personal information on social networks.

Information gleaned from such sites is useful not only to identity thieves, but to marketers and other legitimate business interests. Sometimes, the information can be used to find thieves. A person's pattern of behavior on various networks can reveal tell-tale signatures, similar to fingerprints—or perhaps “friendprints”—that can be used to solve a wide range of business challenges, from targeted marketing and advertising to fraud detection.

Still, the security and privacy questions pose tricky issues for marketers, who have been looking for successful social network advertising models. Spending on such advertising will be about $1.29 billion this year, up from $1.17 billion in 2008, according to research firm eMarketer. MySpace has half of the revenue pie. But social network advertising is only a small slice of the projected $25.7 billion that will be spent on online ads in 2009, according to eMarketer.

The Holy Grail for marketers is to track consumers and their friends—and what they say about a product—via social networks. “People are more willing to divulge information for social purposes, and the primary users are age 18 to 25,” says Eric Bradlow, Wharton marketing professor. “The social norms around privacy aren't going to be what they were before.”

But acceptable social norms will be subject to context. “Let's imagine that a credit card company had the information you put on Facebook,” says Bradlow. “You'd be appalled. It's context. People want to say when and where their data is shared.”

Reprinted with permission from Knowledge@Wharton, an electronic newsletter from the University of Pennsylvania 's Wharton School of Business.