Enterprises invest a great deal of time and money protecting their information, be it intellectual property, user information or customer information, and for good reason. In fact, security is one of the key reasons that many enterprises choose to deploy Lotus Notes. Like the RIM BlackBerry, Notes allows information to be secured and encrypted end-to-end, so that the only time the information is not encrypted is when it is being viewed by the authorized user. Lotus Notes gives me a great sense of security.
No matter how secure our software may be, however, that security can be undermined when Social Software applications outside the enterprise offer to "connect" you to your friends or to people you may want to know.

What many people may not realize is that to do their "magic" and connect us with others, these social networking applications must scan your personal and company address books, as well as your calendar and related information, and upload it to a server where it can be indexed and cross-referenced. That's the power of LinkedIn, Plaxo and similar "Social Networking" services, and more and more of these applications are showing up on the desktop, on the web, and even on our mobile devices.

I consider myself a very security-conscious individual, and yet, today, I installed an application that forced me to reevaluate my own responsibilities toward the information on my system and what I choose to share externally. As soon as I installed the application, I noticed the CPU and network activity spike, and I realized that the personal information in my encrypted Notes databases was being scanned and that some of it was being sent outside my firewall to the service. Apparently, I had consented to this automatic upload when I installed the software, so shame on me. I had misunderstood the privacy agreement, which I did read. I thought that I would get to choose which information would be uploaded, and when, before the upload happened. I was wrong. My bad. Fortunately, the company had a method in place that allowed me to quickly delete my information from their service. It was a good wake-up call.

This does not mean that I will never use that software again. In fact, from a productivity and knowledge management perspective, I'm actually very intrigued by this class of software. I plan to do a more structured review of this and other similar applications in the near future, because I think the productive potential is significant. At the same time, I am concerned that the relative ease of deploying Web 2.0 applications, which so easily allow anyone to bypass the corporate firewall, may create an environment where people do not consider, do not understand, or perhaps are simply unaware of the implications of what they are doing. Web 2.0 allows anyone to be their own IT manager; that's great, but with that freedom comes the need to take personal responsibility for the tools we use as well as for how we use them.

When we connect what we know to what someone else knows, there's no limit to the new knowledge that can result.

I'm not opposed to using Social Software, but I am concerned about the legal and security implications when a user knowingly or unknowingly installs an application that scans what they believe to be their "personal" information and sends it outside of the firewall (or outside of the country). I'm even more concerned when users do not understand what will happen when they allow this transfer to happen (or when the vendor does not make it clear what information is being moved, and where).

We must be diligent in understanding the implications of the software we install -- this has always been true. With Social Software, we must also carefully consider the ethical, security, and legal implications of doing so. Where appropriate, a risk assessment should be conducted to evaluate the suitability of the application for a particular situation, individual or organization.

Vendors can help by accurately communicating what they do with the data they mine from our systems, where it goes, and how it is protected in transit and in storage. IT Managers can help by educating their users so that they understand the risks, and by providing intelligent advisory services. It's no longer appropriate to simply say "no social software, because private information could be shared" -- that would be like saying "no more phones" because someone may leak confidential information over the phone. That's silly. What we need is a responsible and balanced approach.

As an end-user, you can begin by reading the information privacy policies and by understanding the implications of the software you choose to use.

There's some amazing Social Software out there. It's exciting. Yes.

We must be vigilant to balance that opportunity with our responsibility to protect information entrusted to our care.

I'll leave it at that.

For discussion:
How do YOU balance the productive potential of Social Software with the need to protect information for yourself, your users, or your organization? As an employee, do you carefully study the software privacy notices, and do you consider your company security policies before you load new software? (You may answer that one anonymously, if you wish.) As an IT professional, how do you educate your users to help them make wise decisions in this area?

Discussion/Comments (3):

Rick Ladd (http://rickladd.com): 4/14/2010 3:22:25 PM
When Social Software does an end-run around information security

This is a very important subject; one I have had to examine with at least two different hats on - as have most people. The first hat is that of me, the individual; what does my participation mean to me and, possibly, my family. The second is as an employee, in my case one who was working in an industry that worries not only about standard IP issues, but must also take into consideration International Traffic In Arms regulations.

While I believe it is every person's responsibility to understand the implications of social services or sites one becomes involved with, in my opinion large organizations would better protect themselves with well-thought-out policies and educational approaches than by simply taking away administrative rights or severely restricting in other ways their employees' access to their computational - and connective - power. In other words, treat your employees like criminals a priori . . . and guess what kind of behavior you're likely to elicit.

Having said that, I still have to say this is a difficult subject that hasn't come close to being resolved to much of anyone's satisfaction as far as I can tell. I still feel a little queasy about Facebook's approach to privacy . . . yet I participate. 'Tis a bother. Good subject to tackle, Eric.

Rick


Eric Mack (http://www.ica.com): 4/16/2010 1:54:52 PM
When Social Software does an end-run around information security

Luis Suarez has a very relevant and timely post on this: { Link }


Luis Suarez (http://www.elsua.net): 4/19/2010 7:48:32 AM
When Social Software does an end-run around information security

Hi Eric & Rick! Great blog post, Eric, and spot on with regards to finally provoking what I think we need to do next with social networking tools: introduce, and take very seriously, the subject of privacy and security, if we want to make use of these social networking tools as business tools. Rick shared a link to a blog post I put together on this subject last Friday, and it's something I'm going to keep challenging folks about whenever someone asks me to go and check a specific new 2.0 tool, amongst several other things...

With regards to the current state of affairs with the ones available out there, and after reading your post, I now know why I no longer make use of Facebook, Slideshare, LinkedIn, Plaxo, and a bunch of others; if they can't respect my fundamental rights I might as well stop using them, which is what I did. I guess folks may start doing that soon as well... if they still consider both security and privacy important and relevant topics to their 2.0 presence out there.

Like you said, it's a beautiful 2.0 world out there, but if you don't protect yourself from odd behaviours like the one you describe, no one will; so it all starts with each and every one of us making good and responsible use of the social tools at our disposal ...



Discussion for this entry is now closed.