No matter how secure our software may be, that security can be undermined when Social Software applications outside the enterprise offer to "connect" you to your friends or people you may want to know.
What many people may not realize is that to do their "magic" and connect us with others, these social networking applications must scan your personal and company address books as well as your calendar and related information and upload it to a server where it can be indexed and cross-referenced. That's the power of LinkedIn, Plaxo and similar "Social Networking" services, and we are seeing more and more of these applications showing up on the desktop, the web, and even on our mobile devices.
I consider myself a very security conscious individual and yet, today, I installed an application that forced me to reevaluate my own responsibilities toward the information on my system and what I choose to share externally. As soon as I installed the application, I noticed the CPU and network activity spike as I realized that my personal information in my encrypted Notes databases was being scanned and that some of it was being sent outside my firewall to the service. Apparently, I had consented to this automatic upload when I installed the software, so shame on me. I had misunderstood the privacy agreement, which I did read. I thought that I would get to choose which information would be uploaded and when before the upload would happen. I was wrong. My bad. Fortunately, the company had a method in place to allow me to quickly delete my information from their service. It was a good wake-up call.
This does not mean that I will never use that software again. In fact, from a productivity and knowledge management perspective, I'm actually very intrigued by this class of software. I plan to do a more structured review of this and other similar applications in the near future because I think the productive potential is significant. At the same time, I am concerned that the relative ease of deploying Web 2.0 applications that so easily allow anyone to bypass the corporate firewall may create an environment where people do not consider, do not understand, or perhaps are simply unaware of the implications of what they are doing. Web 2.0 allows anyone to be their own IT manager; that's great, but with that freedom comes the need to take personal responsibility for the tools we use as well as how we use them.
When we connect what we know to what someone else knows, there's no limit to the new knowledge that can result.
I'm not opposed to using Social Software, but I am concerned about the legal and security implications when a user knowingly or unknowingly installs an application that scans what they believe to be their "personal" information and sends it outside of the firewall (or outside of the country). I'm even more concerned when users do not understand what will happen when they allow this transfer to happen (or when the vendor does not make it clear what information is being moved, and where).
We must be diligent in understanding the implications of the software we install -- this has always been true. With Social Software, we must also carefully consider the ethical, security, and legal implications of doing so. Where appropriate, a risk assessment should be conducted to evaluate the suitability of the application for a particular situation, individual or organization.
Vendors can help by accurately communicating what they do with the data they mine from our systems, where it goes, and how it is protected in transit and in storage. IT Managers can help by educating their users so that they understand the risks and by providing intelligent advisory services. It's no longer appropriate to simply say "no social software because private information could be shared" -- that would be like saying "no more phones" because someone may leak confidential information over the phone. That's silly. What we need is a responsible and balanced approach.
As an end-user, you can begin by reading the information privacy policies and by understanding the implications of the software you choose to use.
There's some amazing Social Software out there. It's exciting. Yes.
We must be vigilant to balance that opportunity with our responsibility to protect information entrusted to our care.
I'll leave it at that.
For discussion: How do YOU balance the productive potential of Social Software with the need to protect information for yourself, your users, or your organization? As an employee, do you carefully study the software privacy notices, and do you consider your company security policies before you load new software? (You may answer that one anonymously, if you wish.) As an IT professional, how do you educate your users to help them make wise decisions in this area?