Evan Schuman: Social media endangers corporate secrets

Employees can unintentionally share more than their employers want anyone to know

Some companies go to a lot of trouble trying to keep their intellectual property and corporate secrets safe. Naturally, they're on the lookout for corporate spies and extortion-minded cyberthieves, as well as insiders turned Benedict Arnolds. Few of them, though, give much thought to employees who unintentionally leak sensitive data. The problem is that the ways of doing that just keep growing, and most people are blissfully unaware of the dangers.

Social media has become a big part of this problem. Here's an example. You would be amazed how many corporate coders are apt to include in their LinkedIn profiles deeply detailed accounts of things like disasters they helped avert at their company. Say that a programmer helped fix a deeply flawed database implementation. It wouldn't be unusual for him to go on LinkedIn and name specific vendor products used and provide lots of specifics about how bad the problem was and how he helped craft a nontraditional fix. The coder's intent is to tout his own creativity and resourcefulness. But one result is that a lot of information that his employer would prefer to keep quiet is visible to just about anyone. And there are people who will go looking for that sort of thing, including competitors, financial analysts and reporters.

But there are subtler ways to give away information without ever suspecting that you had done so. Let's say that you and some co-workers take a business trip together. When you go out to dinner one night, one of you posts a photo of your smiling faces to Facebook or Instagram. It all looks like innocent fun. And it would be, except that the photo probably carries geotag information that can tell anyone who cares to know your precise location. If the point of the trip is to save the relationship with your company's biggest customer, a rival might be able to make something out of repeated trips to that customer's locale. If you're visiting a company that is being confidentially considered for acquisition, that geotagged photo could tip your hand.

One employer that takes the dangers of geotagging seriously is the U.S. Army. It has instructed personnel to always disable geotagging. For the military, of course, this amounts to a matter of life or death. A geotagged photo could broadcast the exact location of a unit. And it's not just a hypothetical danger. Steve Warren, deputy G2 for the Maneuver Center of Excellence, is quoted on the Army's website regarding an event that occurred in 2007: "When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flightline. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches."

Your enterprise may not have Apache helicopters to protect, but it does have information that's every bit as valuable.

And as I said, the ways of unintentionally exposing data are growing. Twitter recently started allowing its network to mark the precise location of every tweet. This development has already been blamed for disclosing the home addresses of celebrities. But it won't be a problem just for celebrities. It can be a problem for your company if your employees tweet from the road.

But this should be an easy problem to address, right? Just tell your employees to disable the location option on Twitter. Maybe not, if IBM Research is to be believed. It has developed an algorithm that it claims can analyze anyone's last 200 tweets and determine his or her city with almost 70% accuracy. I have my doubts about assumptions behind this algorithm, though. For example, tweeting "Let's Go Red Sox" is taken to be evidence of Boston-area residency, but not all Red Sox fans live in the Boston area, and I can think of several reasons for a non-fan to tweet "Let's Go Red Sox." There are also assumptions about placing tweeters in specific time zones based on the frequency of their tweets in the course of each day, but those assumptions are fairly easy to dismantle. Maybe such faulty assumptions are what kept the tested accuracy of the algorithm down to 70%.

Not that social media sites are the only way to unintentionally reveal information. Far from it. Consider publications. Ars Technica ran a story in which the author was closely tracked for several days -- by Ars Technica. Like many websites that require logins, Ars Technica records the date, time and IP address that a user logs in from. The publication's normal practice is to discard all but the last of these records. However, it made an exception for editor Cyrus Farivar, who wanted to see just what is possible with such activity logs.

As it turns out, the answer is, "A lot." The analysis revealed where Farivar was when he logged in. It showed what he was reading. It showed how long he spent online. The information could be highly specific. Farivar writes, "In one instance, on Thursday February 6, at 9:30am, I was logged in at a particular San Francisco IP address. Looking up that IP on myip.ms turned up not only the city, but one of two possible street addresses as well."

The results of Farivar's experiment suggest that another publication might have data showing that several people in your company took a sudden interest in reading about some obscure emerging technology. That information quite likely carries implications about your company's plans. And it is entirely out of your control and in the hands of a for-profit company that sells information.

Companies can't possibly approve all social media comments and photos their employees post; those could amount to millions per day for the largest enterprises. And I would hope that companies would realize what a bad policy that would be.

What they need to do is to implement strict rules and guidelines about what can't be disclosed, and then they must raise awareness among their employees about the dangers that lurk in social media. If they have confidentiality rules already in place, they need to make sure that they explicitly mention social media. In other words, employees must become informed self-censors, always careful not to make inappropriate public posts that could be discovered by management.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.

Read more about security in Computerworld's Security Topic Center.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags social businesssecurityLinkedInDooprivacy

More about ApacheFacebookIBM AustraliaTopic

CIO
ARN
Techworld
CMO