Evolving Threats to the “Global Brain”

The “Global Brain,” a term coined by Peter Russell in his 1982 book The Global Brain, is the concept of a worldwide intelligent network involving people, data, and communication with the technologies they use interconnected into a ubiquitous processing system for the planet. One can argue that social media has been the biggest paradigm shift of the Internet era to date. As Internet-connected devices become faster and more intelligent and take over more responsibilities for us, so too do the threats posed by advances in hacking, malware, and viruses. Instead of a single Internet-connected computer, we now have potentially dozens of devices all accessing and distributing personal data across multiple interconnected platforms that are much easier to attack.

Your car’s GPS or mobile phone’s location-based services can be used to track and monitor behavioral patterns. These patterns can then be used for corporate espionage, data theft, or even physical threats. For example, in a recent social media–related attack, a 19-year-old man from Mexico, Pedro Lopez Biffano, is accused of kidnapping more than a dozen people after befriending his victims on social networking sites.² He would “friend” them and then trick them into meeting him, at which point he kidnapped and held them for ransom. If a person is active on social networks, “friends” can build complete profiles of everything that person does—finding out where he or she lives, hangs out, travels, all in real-time.

²“Mexican Teenager Used Social Websites to Kidnap People,” NDTV (January 17, 2011), http://www.ndtv.com/article/world/mexican-teenager-used-social-websites-to-kidnap-people-79781.

The ability to poach information from multiple social media accounts and across multiple devices, while convenient, has proven to be disastrous when breached. Because it costs almost nothing to capture this information, attackers have lower monetary barriers to setting up new scams and launching attacks. In the case of Pedro Lopez Biffano, no significant amount of money was needed to use Facebook and then trick people he “friended” into meeting him. As everything becomes connected, privacy concerns are not yet been addressed by companies or regulations to protect the end user properly. And new technologies will move control from centralized servers to things like mobile devices and user-controlled environments that will become more difficult to restrict, with the user taking on even more responsibility for his or her own security.

Loss of Control

The product marketing lifecycle changes when your users can take your content, modify it, and launch their own word of mouth marketing campaigns on your behalf if they really like your product. When this happens, it’s great, but you can also lose more control of aspects of marketing as consumers have much more freedom on social networks and have the ability to even modify your content. Social networking sites pose a greater risk of IP theft, and the viral nature of these sites can lead to the easy dissemination of your data before you even know what’s happening. Increasing challenges that companies face include:

Losing control of the brand message

Trying to control the end user

Inability to measure what’s impacting the brand

Consumers changing the brand’s message

Losing money without a tangible ROI on social media

Product and Data Threats

The main risk a company faces is the threat to data security in product development efforts using social media sites. Crowd sourcing can open your company to competition. Great ideas are hard to come by, copying an idea is very easy, and if those doing the copying have the monetary backing, and the ability to execute quickly, they can perfect the product, launch it, and gain market share over your company.

Corporate espionage is much easier using social media sites, as is creating disinformation. Research on people and competing projects is simpler to gather. Employees post details about projects they are working on or locations where they are going such as customer or partner sites. Data theft becomes easier because attackers know more about their target. With the availability of so many data points about a person and company on the social web, social engineering attacks are more prevalent and will continue to increase.

Privacy issues and identify theft are skyrocketing. “Becoming” someone else is simpler because so many parts of that person’s life are on social networks. This enables social engineering and authentication mechanism attacks, which can easily damage personal as well as company reputations.

Erosion of Privacy

Nothing a consumer or a company puts out into the social sphere is private. Once your employee sends some confidential information, whether by mistake or on purpose, it is just about impossible to pull it back in. If you want privacy, then opt for offline social exchange of information. But this is just not practical for business in today’s world. Once a social networking site has your data in its applications, you lose control of how that data can be used. You no longer have a controlled environment for containing your corporate data anymore.

If you complain about your irritating boss, talk about the latest project you are working on, or post pictures about what you did on your sick day, it is out there for your “friends” to discuss. As applications connect to your profile and become, in essence, friends, they will be able to interact with your data automatically, target you based on what you are posting or tweeting, and make it easier to harvest every bit of information about you in a programmatic manner. As you discuss what you will be doing and where you are going, you are expanding the privacy threat into your physical location.

Geolocation Targeting

Applications are moving toward geolocation functions. “Apps” being developed for smartphones are adding geolocation functions to target your current location. An app such as Facebook Places can geolocate where you are so your friends can find you. Foursquare allows your friends to join you at a venue. You may use the app AroundMe to find the nearest restaurant, hotel, or even hospital. There are tremendous benefits to geolocation services. But with great power, comes great responsibility. Are these apps protecting you from potential attackers? Or do they even give you the ability to restrict and block your geolocation?

For instance, let’s say you are about to meet a new prospective client at his office for lunch. You “check-in” with Foursquare to the customer office location. You are giving a lot of information to a potential attacker in the physical world about where you are and who are meeting with. If you take a picture of the venue and upload it with your iPhone to TwitPic with the geotag feature turned on, someone viewing the picture can get the longitude and latitude of the where you took the picture. Predators can discover your physical location by tracking you on the social networks you use such as Gowalla, Facebook Places, or Foursquare and target you for personal reasons or perhaps to conduct corporate espionage. Many mobile applications being sold now have some location-based service functions, making it easier to share data with other sites—and making it easier to track your movements.

Attack of the Appliances

Privacy infringement and identity theft have so far come from traditional places such as web applications, stolen databases, and now social media scraping of information. Compiling a list of data points about a person or company from all the social media platforms they use is easy. With the growth of networked devices, connected devices have moved from your mobile phone and TV to your home security system and even your central air conditioning; now and in the future even more information is being ported to the Internet and used by social media sites. Your interests, the things you buy and use daily, are part of these connected devices. This valuable information can be used for good and evil. When each device is networked, and potentially connected to the Internet, that usage data could be valuable. Consider the real danger of a virus or malware being able to disable your Internet-connected home security system and the real impact that could have on your security.

Attack of the Brands

Everything your company puts out on the Internet, either through corporate marketing or through employees posting on their personal time, contributes to the big database in the sky that is your brand. All of your customers and potential customers and competitors have access to the same information about your brand and can contact you or contact the world and say whatever they want about your brand. Many companies track messages about their brand. When companies gain an insight into consumer behavior, they work their advertising strategies around that.

These same information-gathering techniques can be used by your competitors to understand everything about your company and find weak points in your brand to attack. If the competitor sees consumers like your product, they might easily copy the concept and launch a competing line. If they see consumers are unhappy about your product, they can use that to steal customers and damage your reputation. Your competitors can be even more vicious and unethical by creating fake profiles and posting embarrassing messages, lies, or misleading statements using your name. We foresee corporate espionage escalating to brand attacks more often as hiding behind fake profiles becomes easier. Competitor attacks will only escalate as this becomes more readily understood.

“You R Owned!”

The evolution of all this information on the Internet has become a question of ownership. Who actually owns their personal information and the database of the messages you sent that are stored on a server owned by Facebook or Twitter? If the Library of Congress is already cataloging Twitter messages, does that mean the Government owns your tweets? More and more people are raising the question of privacy after Facebook revealed that it stores and owns the database of the wall posts sent by its users. With its ambiguous privacy policy, Facebook has the right to use and keep the information, even if the users have deleted their profiles. Facebook has since changed its privacy policy, but what happens a year from now—can they change it back? How about the 20 other social media sites you or your company use? What is their policy on information ownership? Once you send your information out and it is stored on a server you do not control, it is effectively lost to you.

Inconsistent Regulations

As more and more companies lose consumer data through hacker attacks, misconfigurations, and uneducated user activity, government officials have begun to take notice. Many countries are enhancing their consumer privacy protection laws. Many industries have regulations about how consumer data is managed. As attacks become easier and the voting public is impacted, they will force the government’s hand in adding some regulations to social media. And as you do business in different countries, you will have to contend with multiple laws. Contending with varying laws and regulations will increase the cost of doing business.

At this point, the regulation of social media across countries is inconsistent and can affect your security. In November 2010, the EU Commission announced a strategy to “protect individuals’ data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU.”³ The EU Commission’s strategy sets out proposals on how to modernize the EU framework for data protection rules through a series of key goals:

³European Commission Announces Intention to Strengthen EU Data Protection Rules, K&L Gates (November 19, 2010), http://www.ediscoverylaw.com/2010/11/articles/news-updates/european-commission-announces-intention-to-strengthen-eu-data-protection-rules/.

Strengthening the Rights of Individuals so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. The question of who owns your private data has become a major issue for both corporations and governments and will continue to provide challenges in the years to come.

According to the Pew Internet & American Life Project,⁴ 24 percent of Internet users who sought online support for health issues in forums have signed in with their real name and e-mail address. Every statement, question, and response they posted is now stored in the cloud or on a hard drive somewhere. But different countries will handle this real data in various ways. If you are from the U.S., you have fewer privacy restrictions placed on your data than if you signed into this health portal from Germany where the EU data privacy laws are stronger.

⁴86% of Internet Users Want to Prohibit Online Companies From Disclosing Their Personal Information Without Permission, Pew Internet & American Life Project, http://www.pewinternet.org/.