Survey: Users of social networks take risks despite concerns

A study commissioned by Web security company AVG Technologies and the Chief Marketing Officers Council (CMO) points out an interesting contradiction between people's concerns and actions regarding security risks on social networking sites.

The summary report says that "while the majority of social networking users are afflicted by web-borne security problems, less than one third are taking actions to protect themselves online."

Unfortunately, the data provided to the media as of Tuesday afternoon says very little about the study's methodology, lacks the actual questions asked, and in some cases lacks the actual percentages of responses. It did, however, say that the data is based on "responses from a random sampling of more than 250 consumers." It was conducted online during second quarter of 2009. The report didn't specify how they developed a random sampling--a difficult task for Web-based surveys. In addition to the small sample size, it's not clear how they derived the sample and whether it was truly representative of the population they were studying.

As someone who has studied, taught, and conducted survey research, I am disappointed by how little information was provided to the media about the methodology and specific results of this study. However, with that caveat, I still think the data is interesting and worth reporting.

Participants, according to the summary, "indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community." The report said that "nearly 20 percent experienced identity theft" but didn't define identify theft. An AVG spokesperson told me that it means impersonation online, not the typical definition that almost always involves financial fraud. A CMO spokesperson said it was based on a concern that users could download malware on social-networking sites, which could lead to identity theft and other problems.

Online impersonation can result in financial fraud but often is used as a form of cyberbullying to embarrass someone or make them look as if they said something they didn't really say. It can also be used as part of a scam to get a "friend" of the person being impersonated to send money to help their "friend" who claims to be stranded in a foreign country or otherwise in trouble. As per malware--that too is true. Malware, however it is distributed, can install keyloggers that can capture confidential information that can lead to identity theft.

In the survey, 47 percent of the respondents said they "have been victims of malware infections" and "55 percent have seen phishing attacks." What isn't clear is whether the infections or phishing attacks are from social-networking sites or some other source. It is possible for malware to be distributed through social-networking sites, often in the form of links to Web sites that contain malicious code, but there are plenty of other ways to get it. Social-networking sites could be used for phishing attacks, but phishing usually comes via e-mail. To say that users of social-networking sites have been exposed to phishing and malware would be like saying that most people who eat spinach are likely to have had measles when they were children. There is a correlation, but no evidence of causality.

The study also reported that most of the 86 percent of the sample who said they use social-networking sites "fail to perform the following basic security measures on a regular basis," including changing passwords (64 percent infrequently or never), adjusting privacy settings (57 percent infrequently or never) or "informing their social network administrator on security issues." The report didn't specify what a "social networking administrator" is. In my house it's me, but an AVG spokesperson said that the report was likely referring to the "report abuse" links provided by most social-networking sites.

The survey also found that 21 percent accept contact offerings from members they don't recognize, "more than half let acquaintances or roommates access social networks on their machines, 64 percent click on links offered by community members or contacts and 26 percent share files.

AVG recommends that social networking users:

1. Don't accept pop-ups or prompts for software unless you're armed with Web scanner software such as AVG's free LinkScanner
2. Don't post or submit confidential personal data
3. Change password at least once per month
4. Don't let others access their social networks on your computer
5. Don't auto save your password, and clear your history at least weekly
6. Don't accept friend requests or request friends that you don't know

Mostly good advice

I certainly agree that it's a very bad idea to post confidential information, even if you limit access to your profile to people who really are friends. I don't even like using e-mail to send out anything confidential--digital information has a way of being copied and friends can sometimes become ex-friends.

I also agree with the suggestion not to autosave passwords and to periodically clear your Web history and strongly agree that all Windows users have up-to-date malware-detection software.

While a terrific idea, it's unrealistic to expect people to change their passwords monthly though, as I pointed out in a recent post, it is important for social networkers to have very strong passwords and consider using a password manager like LastPass.

The advice to not let others use your computer is also unrealistic. Some people have to share a computer at home or at work and few of us would turn down a friend's request to sit at our computer a few minutes to check their social-networking profile.

As per accepting friend requests from strangers, it depends how you use your social-networking page. I accept all friend requests on Facebook but never post anything that I wouldn't publish in a newspaper or say on radio or TV. If you use your social-networking site to share personal information, then AVG is right--be careful who you accept as a friend and even then, be cautious about what you post.