Recently in Web 2.0 Category

USMC Social Media Handbook

The United States Marine Corps has released a social media handbook (PDF) outlining acceptable uses of social media for Marines across the globe. "The social media principles provided in this handbook are intended to outline how our core values should be demonstrated, to guide Marines through the use of social media whether personally involved or when acting on behalf of the Marine Corps."

This is one of the more comprehensive social media handbooks I have come across. The Marines did a great job covering the uses of social media and the behavior the Corps expects in personal, family, and professional uses. It also, importantly, covers operational security (OPSEC), using social media for crisis communication, and provides safety tips.

This is a big step forward for the Marine Corps, which, in August of 2009, caused a controversy by outright "banning" social media on its unclassified warfighting network. This ban was smart; the media's coverage of it, however, was not. The media took an overly dramatic view that the order, MARADMIN 458-09, would prevent Marines from using social media services to contact their families and friends, cutting off deployed Marines worldwide. This was far from the fact or intent of the order. The order sought a default-to-secure posture and offered a waiver process that would allow commands and units to engage on social media while also gathering data on legitimate uses throughout the Corps to make more informed decisions down the road (hence the one-year time frame). The ban affected operational networks, not the networks used for morale and welfare (USO, internet cafes, etc.) -- a critical distinction missed by the press. Nonetheless, it started a groundswell within the DoD community that ended with the use of social media being green-lit by the DepSecDef in February of 2010. Full disclosure: I had a hand in the creation of the referenced MARADMIN, as noted within the document.

Kudos to the Marine Corps for this excellent handbook and for embracing a new style of engagement for Marines, their families, their friends, and the world.

My one criticism is the section on facebook privacy and tracking. My assumption is that the handbook will not be updated as often as facebook changes its settings, so that information will quickly become stale. A general overview, or perhaps a common-sense approach to privacy concerns on social networking sites, would have been better suited to the document, paired with a more expansive, and more easily updated, website showing Marines the specific steps needed to protect themselves.

My two favorite parts of the manual are the introduction of the term "social media Marine" and a motto found on the last page of text in the handbook that reads:

"Engage the Community   •   Maintain Operations Security   •   Be Smart - Set the Example: In Life and Online"

A great message and motto for all DoD/Government social media engagements.

This is a great template/starting point for other DoD components and government agencies currently without a social media handbook/policy. I'd also urge the Marine Corps to embrace new media to deliver the content of this handbook, for example by using video to disseminate the policy.

Mozilla Secure Coding Guidelines

Mozilla has a great resource for webapp and website developers: The Mozilla Secure Coding Guidelines.

These guidelines will help you build a more secure app/site. However, they will not, by themselves, decrease privacy risks; design your app/site to be privacy-conscious as well.

Facebook cookies and sharing

They are never tasty, and now they leave a potentially never-ending aftertaste. Nik Cubrilovic (@nikcub) has an intriguing write-up on his blog about the potential for expanded tracking by facebook through its social plugins (comments, likes, APIs, etc.) even after a user has logged out. Facebook has denied the potential threat. There are interesting discussions in the comments section of his blog (on the Disqus platform, no less), including facebook's response, and on his twitter page.

I love seeing research like this surface and I give Nik credit for approaching facebook multiple times before publishing. His post is fairly technical but his intro boils it down nicely into layman's terms.
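Nik's core check can be reproduced without a browser. The block below is an added example, not code from Nik's post and not facebook's actual cookies: it replays constructed Set-Cookie headers (made-up cookie names, domain and values) for a login and then a logout through browser cookie semantics (Max-Age and Expires) and reports which cookies the "logout" leaves behind. Any survivor that identifies the browser is attached to every request to that domain, including requests a third-party page makes when it loads an embedded plugin from it (the SameSite attribute that modern browsers use to restrict this did not exist in 2011).

```python
"""Added example (not Nik Cubrilovic's code or facebook's cookies): replay
a site's login and logout Set-Cookie headers through browser cookie
semantics and list what the "logout" leaves behind."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed headers: names, domain and values are made up. The shape
# (a session cookie, a user id, a long-lived device id) is the pattern
# to audit on any site whose buttons or comment widgets are embedded
# on other people's pages.
LOGIN_SET_COOKIE = [
    "session=s3ss10n; Domain=.social.example; Path=/; Secure; HttpOnly",
    "user_id=100000123; Domain=.social.example; Path=/; Secure",
    "device_id=dv-7f3a9c; Domain=.social.example; Path=/; Max-Age=63072000; Secure",
]
LOGOUT_SET_COOKIE = [
    "session=deleted; Domain=.social.example; Path=/; Max-Age=0",
    "user_id=deleted; Domain=.social.example; Path=/; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    # No header for device_id: the browser keeps it and attaches it to
    # every request to .social.example, plugin loads included.
]


def _is_deletion(morsel, now):
    """A Set-Cookie deletes when Max-Age <= 0 or Expires is in the past;
    per RFC 6265 Max-Age wins when both are present."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"] != "":
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:          # treat a bare timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def apply_set_cookie(jar, headers, now=None):
    """Apply a list of Set-Cookie header values to a {name: value} jar."""
    now = now or datetime.now(timezone.utc)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)                  # one cookie per header value
        for name, morsel in parsed.items():
            if _is_deletion(morsel, now):
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def surviving_after_logout(login_headers, logout_headers):
    """Names of cookies still in the jar once the logout response is applied."""
    jar = apply_set_cookie({}, login_headers)
    apply_set_cookie(jar, logout_headers)
    return sorted(jar)


if __name__ == "__main__":
    print(surviving_after_logout(LOGIN_SET_COOKIE, LOGOUT_SET_COOKIE))  # ['device_id']
```

The simulation keys cookies by name only. A real browser additionally requires the Domain and Path on the deleting Set-Cookie to match the stored cookie, which is one more way a logout handler can silently fail to clear something; when auditing a live site, capture the actual logout response headers and compare them against the jar the same way.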

It seems Dave Winer's (@davewiner) post titled "Facebook is scaring me" may have prompted Nik to publish after sitting on the data for more than a year. And all of this, of course, comes after the recent announcements at F8, which prompted renewed privacy concerns regarding facebook's new timeline profile and frictionless sharing features.

It amazes me how often the privacy pot gets stirred, even with pending legislation looming over a largely unregulated industry. You'd think they might lie low on making such drastic and norm-challenging changes.

Google+ Social Identity?

Business Insider has an article highlighting recent comments made by Eric Schmidt regarding Google+'s real name policy. Andy Carvin of NPR had a chance to ask Eric Schmidt how Google justifies the policy given that real identities could put people at risk. Eric's response was a rather frank admission that Google sees G+ not as a social service but as an identity service.

I can't help but wonder if this was the original intention of G+ or a strategic shift that happened after the announcement of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in April, 2011.

Eric also said that G+ use is completely optional. Users are not required to join the service, and users who dislike the policy can easily walk away**.

Will Eric Schmidt's comments impact your use of G+? Do you believe anonymous/pseudonymous access should be allowed?



**Google has made it very easy to close out your Plus account. Access https://plus.google.com/u/0/settings/general and look under the "Services" section. Follow the "Delete profile and remove associated social features."

LinkedIn Social Advertising

Thanks to Steven Woodruff (@connectionagent) for his post on this topic.

LinkedIn has recently opted its user base in to a third-party advertising arrangement that allows the use of members' names and photos in those advertisements. Follow the directions below to opt out:

  1. Click on your name on your LinkedIn homepage (upper right corner). On the drop-down menu, select "Settings".
  2. From the "Settings" page, select "Account".
  3. In the column next to "Account", click "Manage Social Advertising".
  4. De-select the box next to "LinkedIn may use my name, photo in social advertising".

Steven created a great graphic to assist you in opting out. Click here.


Hackers keep companies honest

New Zealand hacker Aldo Cortesi (@cortesi) published a great article showing yet another vulnerability associated with mobile devices and the data they share: De-anonymizing Apple UDIDs with OpenFeint. Using a tool he wrote himself that executes a man-in-the-middle attack against SSL (HTTPS) encrypted traffic, he was able to deconstruct traffic from his Apple iPhone to various application providers. For his write-up, he chose OpenFeint, which boasts a 75M user base.

Man-in-the-Middle Attack: Alice and Bob believe they have a secure connection; however, Mallory has inserted herself into the stream and can view the conversation. For the purposes of this post, Alice is your iPhone, Mallory is Aldo, and Bob is OpenFeint's servers. Photo from Wikipedia.

Aldo set out to examine the Application Programming Interfaces (APIs) and the data passed back and forth, concentrating specifically on the Unique Device Identifier (UDID) of an Apple device and how it could be associated with (or linked to) other identifying data sets. His results were not wholly surprising -- given the increased interconnectivity of the world, more and more data sets are being linked together. Aldo demonstrated linkability between a UDID and GPS coordinates, exposing a geolocation privacy risk to the person who carries the device. He also demonstrated linkability to facebook profiles and profile pictures.

Legitimate privacy risks?

OpenFeint users had to opt in to the connection to facebook -- they, ideally, should have known what data could be transferred back and forth. OpenFeint only serves up an image through the Facebook Content Distribution Network (CDN); however, the CDN embeds the Facebook profile ID into the image URL, thus giving anyone who holds the URL the information needed to link back to a profile and a name.

The GPS data linkage is simply annoying. Why does a game provider need GPS data? Why does it need to store it, and why is it returned through API calls?

Well the only person that can see this data is me...right?  Wrong.


The largest risk is that OpenFeint is returning all of this data unauthenticated. Anyone can query, based on a UDID, and get this information back. That is a huge privacy risk, as it exposes a user's information to any Mallory on the internet.
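To make both halves of that risk concrete, here is an added example. It is not OpenFeint's API or Aldo's code; the device records, the UDIDs, the CDN-style image URL (a made-up host whose numeric path segment stands in for an embedded profile ID) and the token scheme are all constructed for illustration. The first lookup answers any caller who supplies a UDID and hands back the stored GPS fix and the profile-image URL, from which a profile identifier can be pulled. The hardened lookup requires a bearer token issued to that device at registration, rejects tokens that belong to other devices, and returns only the fields the game actually needs, so neither the location nor the third-party profile link is reachable through the API at all.

```python
"""Added example (not OpenFeint's API or Aldo Cortesi's code): a UDID
lookup that leaks location and a profile link to anyone, beside a version
that authenticates the caller and minimizes what it returns."""
import hmac
import re
import secrets

# Constructed sample records keyed by a 40-hex-char UDID. The GPS fix and
# the CDN-style image URL (made-up host; the numeric segment stands in for
# a profile ID embedded in the path) are the two linkable data points.
UDID_A = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"
UDID_B = "ffeeddccbbaa99887766554433221100ffeeddcc"
DEVICE_RECORDS = {
    UDID_A: {"gamertag": "alice_p", "score": 9120, "lat": 51.5007, "lon": -0.1246,
             "profile_image": "https://cdn.example/hprofile/1000012345678_4_q.jpg"},
    UDID_B: {"gamertag": "bobcat", "score": 400, "lat": 40.7484, "lon": -73.9857,
             "profile_image": "https://cdn.example/hprofile/1000098765432_4_q.jpg"},
}


def extract_profile_id(image_url):
    """Pull the profile identifier out of the constructed CDN URL shape."""
    match = re.search(r"/hprofile/(\d+)_", image_url)
    return match.group(1) if match else None


# --- Vulnerable: the only thing a caller needs is a UDID ---------------
def lookup_vulnerable(udid):
    """Returns (status, body). No credential is checked, so anyone who
    knows or guesses a UDID learns where the device was and whose profile
    picture it shows."""
    record = DEVICE_RECORDS.get(udid)
    if record is None:
        return 404, None
    return 200, dict(record)


# --- Hardened: owner-only access plus data minimization ----------------
_TOKENS = {}  # udid -> bearer token; a real service would persist this


def register_device(udid):
    """Issue a random bearer token to the device once, at registration
    (constructed scheme). The token, not the UDID, is the credential."""
    token = secrets.token_urlsafe(32)
    _TOKENS[udid] = token
    return token


PUBLIC_FIELDS = ("gamertag", "score")  # what the game needs; no lat/lon, no image


def lookup_hardened(udid, bearer_token):
    """Returns (status, body). 401 without a token, 403 for a token that
    was not issued to this device, and only the minimized record otherwise.
    The credential check runs before the record lookup so the endpoint
    cannot be used to enumerate which UDIDs exist."""
    if not bearer_token:
        return 401, None
    expected = _TOKENS.get(udid)
    if expected is None or not hmac.compare_digest(expected, bearer_token):
        return 403, None
    record = DEVICE_RECORDS.get(udid)
    if record is None:
        return 404, None
    return 200, {field: record[field] for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    status, body = lookup_vulnerable(UDID_A)
    print(status, body["lat"], body["lon"], extract_profile_id(body["profile_image"]))
    token = register_device(UDID_A)
    print(lookup_hardened(UDID_A, None)[0], lookup_hardened(UDID_A, "x")[0],
          lookup_hardened(UDID_A, token))
```

Two design points carry over to real services: the credential must be something only the device holds (a UDID is shared with every app vendor and is not a secret), and the response should be built from an allow-list of fields rather than by copying the stored record, so that data retained for other reasons never rides along in an API reply.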

More and more data is being generated every day. New platforms, services, and communication methods are being developed. As companies strive to capture market share they will most likely neglect stupidly trivial things -- like authentication(!) -- in order to get to market before their competition. This won't stop, but there will always be a hacker in the background to keep the company honest in how it handles our data. Kudos.

Victoria DoJ Social Media Video Follow-Up

Back in mid-April, I posted about a video that had made its way across my screen (see: Using social media to disseminate policy...brilliant). The video was produced to disseminate the Victoria Department of Justice's social media policy.

I thought this was an absolutely fantastic move and spent some time trying to find a point of contact there.  After poking around the Victoria Department of Justice website, I fired off an e-mail to their Freedom of Information office and crossed my fingers.

While waiting for a response, I reached out to a few folks in the strategic communications community and asked them to supplement my list of questions with ones they would enjoy seeing answered.

That e-mail was eventually routed to Darren Whitelaw (@darrenwhitelaw), who kindly responded and agreed to answer some questions. Darren is the General Manager of Corporate Communications in the Strategic Communications Branch of the Victoria DOJ.

The Q&A below provides some great insight for governments and corporations still struggling to engage with social media. Darren's responses shed light on a government agency willing to engage thoughtfully and with purpose. The policy put forward by the Victoria DoJ clearly lays out the rules for the organization and also gives some great tips for personal use. I'd like to thank Darren for his time in answering the questions below.

Social Network Spy Game

I try, very hard, not to weigh in on some of the sillier things going on in the online world, but I felt compelled to make a quick post about the shenanigans in the DC twitter world regarding @PrimorisEra.

Spencer Ackerman over at Wired wrote up a great piece summarizing the events and went the extra mile by talking to @PrimorisEra to get "her" side of the story. Read his write-up for the background if you don't know what this post is about thus far.

Aside from the almost high-school-level drama, there is a serious issue at the root here. Namely, the general lack of suspicion and skepticism that plagues the online world -- that enables phishing schemes to work, that allows people to compromise themselves in new and creative ways, that is the constant dismay of the entire security industry -- has somehow crossed over to individuals in positions related to national security. Individuals who work in national security roles are trained -- beaten over the head -- with operational security (OPSEC) rules but somehow forget them when engaging in social media. Yet again, we have another example of people acting foolishly in the online world. I say "again" because something VERY similar (yet very different, as it was fake) happened almost eight months ago: the Robin Sage experiment.

I have asked many people in the security field about their thoughts on the Robin Sage experiment.  My main question, always, is what they think the lasting repercussions of the experiment would be on the community (intel, national security, cyber).  The answer, universally, is that the impact would be minimal.  That it would be forgotten within months.

Eight months later, the uproar that Robin Sage caused has been forgotten. Eight months later, we have another example of why the nexus of social media and national security is...well...complicated. I am not advocating a full stop and a reverse course. The virtues of social media engagement are manifold; the good that comes out of social engagement is phenomenal. But when we are talking about intel, defense, and diplomacy, are publicly accessible feeds the absolute best place for individuals to engage in a non-professionally sanctioned way? Perhaps @PrimorisEra could have built a following and engaged on Intellipedia. Perhaps she should have compartmentalized her work life from her social life on twitter. Perhaps this all could have gone differently.

I am eager to see what, if anything, results from this. Will it turn out that @PrimorisEra was, in fact, a honeypot? If she was, this drama is going to intensify greatly. Whichever way that chip falls, what are the repercussions for her and the government? What are the lessons that policy makers and information assurance (security) professionals can take away? What will change? What will stay the same?

We must remember that this is both a one-time event and also the greatest systemic fear of those charged with protecting our national security networks and information. To the policy makers out there, I urge you to be methodical and rational in your approach to this event. To the individuals in the national security field, I URGE YOU to be smart about engaging online. To be skeptical and suspicious. To not, damnit, ruin this for the rest of us.

I'd also like to applaud the individuals who called attention to the situation. While it did not unfold, let's say, as professionally as possible, attention was nonetheless called to some questionable behavior. You showed the healthy dose of skepticism and suspicion needed. Kudos.

Readers, what are your thoughts?

Using social media to disseminate policy...brilliant

Update: Responses from the Victoria DoJ can be found here: http://www.privacywonk.net/2011/05/victoria-doj-social-media-video-follow-up.php

The video below was released on March 16, 2011 by the Department of Justice, Victoria, Australia. It details the department's view on appropriate personal and professional uses of social media. It's a fantastic four-minute video that clearly communicates policy about social media while also demonstrating exactly what the policy's intent is through example interactions.

I recently presented at the International Association of Privacy Professionals (IAPP) Privacy Summit in March of 2011 on the topic of implementing the new compliance requirements of OMB M-10-22 (the new cookie policy) and OMB M-10-23 (third-party websites and applications). I would have loved to show this video to hammer home the professional vs. personal use portion of the presentation. Budgetary constraints aside, I think this is a fantastic way to disseminate policy. Imagine asking your employees to watch a four-minute video instead of reading a 10-page policy document. Benefits? Minimal work disruption, increased knowledge of new policies, and higher compliance with and adoption of the new policy.

I am going to reach out to the Victoria DoJ and see if they have been tracking statistics after the release of this video...stay tuned.

A great talk on kids online privacy and security.  Love the closing lines.

Note: if you don't see a video below, it may be due to certificate errors with YouTube. Try accessing https://www.youtube-nocookie.com/v/RAGjNe1YhMA and confirming the exception.