Digital Media

December 11, 2009 2:07 PM PST

Amazon EC2 cloud service hit by botnet, outage

by Lance Whitney

The folks who run Amazon's EC2 cloud service must be happy the week is nearly over.

The cloud-based EC2 (Elastic Compute Cloud) was kept jumping this past week by two incidents: a compromised internal service that triggered a botnet, and a data center power failure in Virginia.

On Wednesday, security researchers for CA found that a variant of the infamous password-stealing Zeus banking Trojan had infected client computers after hackers were able to compromise a site on EC2 and use it as their own C&C (command and control) operation.

Don DeBolt, Director of Threat Research for CA Internet Security Business Unit, told CNET that the botnet first came to light while his firm was reviewing spam and found one with a URL for a piece of malware called xmas2.exe, described in a blog. After examining the file, DeBolt discovered it was a variant of the Zeus bot that was calling home to a computer inside Amazon Web Services, which houses EC2.

As a keylogger, Zeus is known to specifically capture bank account information, noted DeBolt, and was trying to perform the same crime in this case. The bot was also attempting to report the IP addresses of any clients that were infected via spam. The cybercrooks reportedly snuck their way into EC2 by gaining access through a site hosted on Amazon's service.

Once the bot was discovered, DeBolt and his team contacted Amazon to provide all the information from their client-based analysis. Since then, the files that were serving up the botnet on Amazon's side are no longer active.

Originally posted at Security
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.

August 26, 2009 4:00 AM PDT

Survey: Users of social networks take risks despite concerns

by Larry Magid

A study commissioned by Web security company AVG Technologies and the Chief Marketing Officers Council (CMO) points out an interesting contradiction between people's concerns and actions regarding security risks on social networking sites.

The summary report says that "while the majority of social networking users are afflicted by web-borne security problems, less than one third are taking actions to protect themselves online."

Unfortunately, the data provided to the media as of Tuesday afternoon says very little about the study's methodology, lacks the actual questions asked, and in some cases lacks the actual percentages of responses. It did, however, say that the data is based on "responses from a random sampling of more than 250 consumers." It was conducted online during the second quarter of 2009. The report didn't specify how they developed a random sampling--a difficult task for Web-based surveys. In addition to the small sample size, it's not clear how they derived the sample and whether it was truly representative of the population they were studying.

As someone who has studied, taught, and conducted survey research, I am disappointed by how little information was provided to the media about the methodology and specific results of this study. However, with that caveat, I still think the data is interesting and worth reporting.

Participants, according to the summary, "indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community." The report said that "nearly 20 percent experienced identity theft" but didn't define identity theft. An AVG spokesperson told me that it means impersonation online, not the typical definition that almost always involves financial fraud. A CMO spokesperson said it was based on a concern that users could download malware on social-networking sites, which could lead to identity theft and other problems.

Online impersonation can result in financial fraud but often is used as a form of cyberbullying to embarrass someone or make them look as if they said something they didn't really say. It can also be used as part of a scam to get a "friend" of the person being impersonated to send money to help their "friend" who claims to be stranded in a foreign country or otherwise in trouble. As per malware--that too is true. Malware, however it is distributed, can install keyloggers that can capture confidential information that can lead to identity theft.

In the survey, 47 percent of the respondents said they "have been victims of malware infections" and "55 percent have seen phishing attacks." What isn't clear is whether the infections or phishing attacks are from social-networking sites or some other source. It is possible for malware to be distributed through social-networking sites, often in the form of links to Web sites that contain malicious code, but there are plenty of other ways to get it. Social-networking sites could be used for phishing attacks, but phishing usually comes via e-mail. To say that users of social-networking sites have been exposed to phishing and malware would be like saying that most people who eat spinach are likely to have had measles when they were children. There is a correlation, but no evidence of causality.

The study also reported that most of the 86 percent of the sample who said they use social-networking sites "fail to perform the following basic security measures on a regular basis," including changing passwords (64 percent infrequently or never), adjusting privacy settings (57 percent infrequently or never) or "informing their social network administrator on security issues." The report didn't specify what a "social networking administrator" is. In my house it's me, but an AVG spokesperson said that the report was likely referring to the "report abuse" links provided by most social-networking sites.

The survey also found that 21 percent accept contact offerings from members they don't recognize, "more than half let acquaintances or roommates access social networks on their machines, 64 percent click on links offered by community members or contacts and 26 percent share files."

AVG recommends that social networking users:

1. Don't accept pop-ups or prompts for software unless you're armed with Web scanner software such as AVG's free LinkScanner

2. Don't post or submit confidential personal data

3. Change password at least once per month

4. Don't let others access their social networks on your computer

5. Don't auto save your password, and clear your history at least weekly

6. Don't accept friend requests or request friends that you don't know

Mostly good advice

I certainly agree that it's a very bad idea to post confidential information, even if you limit access to your profile to people who really are friends. I don't even like using e-mail to send out anything confidential--digital information has a way of being copied and friends can sometimes become ex-friends.

I also agree with the suggestion not to autosave passwords and to periodically clear your Web history, and strongly agree that all Windows users should have up-to-date malware-detection software.

While a terrific idea, it's unrealistic to expect people to change their passwords monthly, though, as I pointed out in a recent post, it is important for social networkers to have very strong passwords and consider using a password manager like LastPass.

The advice to not let others use your computer is also unrealistic. Some people have to share a computer at home or at work and few of us would turn down a friend's request to sit at our computer a few minutes to check their social-networking profile.

As per accepting friend requests from strangers, it depends how you use your social-networking page. I accept all friend requests on Facebook but never post anything that I wouldn't publish in a newspaper or say on radio or TV. If you use your social-networking site to share personal information, then AVG is right--be careful who you accept as a friend and even then, be cautious about what you post.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.

December 12, 2008 3:31 PM PST

Sony needs a common-sense czar

by Greg Sandoval

With so many czars running around trying to solve the nation's problems in tech, auto and drugs, perhaps Sony should consider hiring a common-sense czar.

Is there any major consumer company around that seems to understand basic customer relations less than Sony? Isn't rule No. 1 in the CR manual, "Don't spy on customers"? If so, then rule 1-A must be: "Take extra care to avoid spying on customers' children."

The latest example of Sony's disconnect with the masses came this week when the company's music division was fined for surreptitiously collecting information on children under 13 years old.

On Thursday, Sony agreed to pay $1 million to the Federal Trade Commission for collecting information on 30,000 children without obtaining parental consent. According to the Associated Press, Sony violated the Children's Online Privacy Protection Act when it collected the data from hundreds of fan sites, including those of such musical acts as Kelly Clarkson, Britney Spears and Christina Aguilera.

Sony representatives declined to comment.

Sony's growing list of scandals raises the question of whether anyone at the conglomerate has an ounce of public relations savvy. If they don't, the company should find someone fast and that person's mission should be to smack down overly zealous marketing types who come up with lamebrain ideas like this one.

Or how about the one for last year's promotional party for the PlayStation 2 game God of War II that turned into an international embarrassment for Sony? In keeping with the video game's Greek mythology theme, comely women were hired to prance around topless and feed grapes to partygoers as part of the "theatrical dramatization." If that wasn't over the top enough, the centerpiece of the festivities was a butchered goat that was dressed up to look like the animal's entrails were falling out.

Across the world, animal activists howled and critics blasted the company's "bad taste." Sony apologized and yes, returned the goat carcass to the butcher. (I'm not kidding, that was their response).

Then there was the company's supreme blunder, which also came from the music division.

Before Sony, even some hardcore techies were unfamiliar with rootkits. Now, the two are synonymous. In 2005, Sony loaded MediaMax CD 3 and Extended Copy Protection (XCP) software on music CDs to help boost copy prevention. The software loaded a rootkit malware onto the PC of anyone who loaded the discs. Rootkits are programs designed to hijack control of a computer.

Texas' attorney general filed suit against the company and accused it of loading spyware onto computers. Class action suits were also filed in New York and California. The fallout lasted years.

The rootkit debacle makes this latest child-spying case all the more mind-boggling. Even if you give Sony the benefit of doubt and discount the possibility the company is evil, then what are you left with? Yes, that's right: incompetence.

I have met a lot of smart people from Sony and I have to believe that some of them realize the company is developing a nasty reputation as an enemy of consumer privacy.
