-
Cisco’s 2009 Security Report: Social Media Users, Be Careful!
Posted on December 11th, 2009
Check out Cisco’s 2009 Annual Security Report!
One of the most interesting observations — which should not be surprising to information security professionals — is that online criminals are successfully exploiting social media and social networks, using people’s willingness to respond to messages that appear to be from others whom they know and trust.
If you have ever clicked on a Twitter direct message URL that turned out to be tweetspam, that’s at least part of what they mean. When someone who doesn’t usually send you a direct message unexpectedly sends you a vague but inviting message, like, “Check out this funny video!” DON’T CLICK ON IT. Do a search for tweetspam, instead, and see how many thousands of the exact same message have been sent all over the twitterverse.
And once you know it to be tweetspam, tweet a warning to your followers. (Without the spam URL — instead tell them “Don’t click on any DMs that say ‘check out this funny video!’ They’re spam and malware!”)
Of course there’s a lot more to the Cisco Security Report. Take a look!
-
FTC Guidelines for Ads Now Apply to Social Media
Posted on October 5th, 2009
Today the Federal Trade Commission published final revisions for its Guides Concerning the Use of Endorsements and Testimonials in Advertising [81 page pdf], which now explicitly include bloggers and other forms of “new media.”
Based on comments submitted to the FTC when it published the Guides revisions as a proposal:
[T]he Commission is setting forth a construct for analyzing whether or not consumer-generated content falls within the definition of an endorsement in Section 255.0(b) of the Guides. The Commission will, of course, consider each use of these new media on a case-by-case basis for purposes of law enforcement, as it does with all advertising.
That construct focuses on this fundamental question:
[I]n disseminating positive statements about a product or service, is the speaker: (1) acting solely independently, in which case there is no endorsement, or (2) acting on behalf of the advertiser or its agent, such that the speaker’s statement is an “endorsement” that is part of an overall marketing campaign?
The specific set of facts that the FTC will examine when considering enforcement actions includes:
whether the speaker is compensated by the advertiser or its agent; whether the product or service in question was provided for free by the advertiser; the terms of any agreement; the length of the relationship; the previous receipt of products or services from the same or similar advertisers, or the likelihood of future receipt of such products or services; and the value of the items or services received.
This certainly suggests that bloggers and other social media users who are given free products to review must disclose that the products have been provided to them for free.
While it seems unlikely that items of de minimis value, such as a coupon for an ordinary-sized food product, would be the target of an enforcement action, it is also clear that the FTC will look at the totality of the circumstances and the specific facts of any complaint.
Because of that fact-based analysis, a blogger writing once about how much she enjoyed the free sample food products made available at a conference would be in a different situation under this analysis than a food blogger writing regularly about a variety of products provided by a single manufacturer, because of the greater “likelihood of future receipt of such products” even though the value of the products might be the same fairly low dollar figure.
However, even that is uncertain. In footnote #21 within the Guides, the FTC almost seems to simultaneously say that a one-off recommendation, published on a personal blog, of a product provided as a freebie, is not a sponsored advertising message, and that it could be “essentially” sponsored by the advertiser.
Later commentary suggests that larger blogs, blogs with high readerships in a demographic of interest to the product provider, and bloggers who participate in word-of-mouth marketing programs are most likely to be considered as having “sponsored” content and as needing to disclose such relationships. The FTC also notably used an example of a parenting blogger who frequently receives games from a toy manufacturer — sending the signal that so-called “mommybloggers” are still on the FTC’s radar on this issue.
Even if you are not a “Mommyblogger,” do not participate in any word-of-mouth-marketing networks, and don’t think your blog is read by anyone other than your parents and your best friend: if you get something for free and write about it on your blog, disclose that you got it for free. If someone offers to sponsor your blog, make that fact completely clear and easy to find on the blog.
And do not think that the focus on blogs in the examples means that this only applies to bloggers. The actual rules use the term “new media” — which is clearly intended to include any form of media that is currently in use or becomes widely used in the indefinite future. Sponsored Tweets and sponsored Facebook activity are clearly on the FTC’s radar.
The key question is: how is a blogger, a tweeter, or a user of any other form of social media required to disclose that sponsorship relationship?
The folks at Blog With Integrity held a webinar on the topic a few weeks ago, which will be made available on their web site. But here is the bottom line: Sponsorship disclosure must be easy to find, easy to read, and easy to understand.
You don’t have to lead with the disclosure, but if the sponsorship is of an individual post or tweet, it should be included within the post or tweet. If it is sponsorship of the blog or your whole Twitter account, it should be visible — including being identifiable and readable — on the landing screen of the account. Being buried in the “About” or “Profile” page is a risky move, and I don’t recommend it.
-
Privacy, Anonymity, and the Importance of Having a Social Media Policy
Posted on August 27th, 2009
Are your employees blogging? Tweeting? Using Facebook, LinkedIn, or BlogHer? Do you have any idea?
If you don’t know, and your company or organization is large enough that you can’t call out “Hey? Are you using any of these things?” and get a verbal answer from everyone, then the answer is probably yes.
And they might not be using it in a way that reflects well on their workplace. For example, the now-Internet-famous Lindsay and her former boss both used Facebook in a way that few employers would find acceptable.
In that example, the boss clearly knew who was posting disparaging remarks about him and about the workplace.
What if she’d been complaining anonymously? On Twitter, there is no identity verification, or even any particular motive for using a personally identifiable username. There, so many people complain that they hate their jobs that someone created a feed to capture all of the “I hate my job” tweets in real time.
I tried to find anonymous complaints, but nearly all of them appeared to be either fully identifiable — first and last name — or partially identifiable — first name + profile photo or location. Some even named the employer!
Still, it isn’t hard to imagine a de-identified or anonymous complaint stream in a social network. Companies and organizations should consider instructing employees not to post disparaging comments about their workplaces anywhere that is generally viewable by members of the public.
These kinds of posts and comments seem like the same kind of “venting when you get home from work” comments that many people engage in, but they are, in fact, completely different.
Your competitors can’t show potential clients or recruits a transcript of your employees’ dinner table discussions. Inappropriate verbal comments made to an employee’s friends or family are unlikely to become evidence in a discrimination or harassment complaint. Online posts, by contrast, are searchable, they last indefinitely, and they very well may result in people losing their jobs.
And although your employees may feel anonymous while complaining about their jobs in social media settings, they need to know that they aren’t really anonymous.
If they said something actionable, you could subpoena Twitter’s records about the account, which, at a minimum, include an email address. Very likely they also include the IP address where the account was first created, or where it was most recently used.
While that isn’t necessarily a good proxy for identity, if a person is using their home computer, it should give you ISP data that could be tracked back to a specific customer account. And if that account belongs to Joe Smith at 123 Main Street, and you have an employee with that name and address, you have a pretty good idea who has been “anonymously” disparaging your company online.
Tempting as it might be, don’t fire them online. Some things really should be done the old-fashioned way.


