Schneier on Security: A Taxonomy of Social Networking Data

Oh, you mean the conference at which members of an NGO had their property confiscated by UN security because they had the temerity to point out that China has a firewall?

http://www.boingboing.net/2009/11/15/...

As Andreas Weigend (former chief scientist, amazon.com) points out, there is also a huge difference between data given explicitly (2, 3, and 4) and data collected implicitly (5).

@Angel one:

I'd say there's also a huge difference between (1,2,3) and (4,5).

As you note, items 2,3,4 are all types of "Disclosed data" - I suggest this be made more explicit by naming as follows:

2. Disclosed data (controlled)

3. Disclosed data (entrusted)

4. Disclosed data (incidental)

@ Bruce,

There is another type of data you need to add to your list.

That is cross linked or infered data.

You may not post on a social network site that you live or work in any particular place or other details. However time of day you post etc can bring your location down as can other things that give indicators of other places to search.

For instance you may have once posted (as many admins have) to a news group or been mentioned in corperate news (as many execs have). The time of day you post helps bring the location you are at to a time zone. This can then be used to filter out other people with similar names (there's atleast six people with my name that I have tracked down ;)

As in "traffic analysis" sometimes it's not the message contents that are important but the times and places it originates and ends at.

As another example assume the person trying to track you down has credit checking (CCN) and other "marketing target" DB access and reads on your social site that you have just purchased the latest wiz bang 90" home movie system with 10 channel suround sound and UWB networking.

There are not many places you could have obtained it and you may have taken out a credit agrement to buy it, or forgoton to check the "no marketing contact" box on the warenty or other paperwork. Some or all of those details will nail you down cold.

Great taxonomy. I like!

Perhaps worth finding a better term than "incidental disclosure" to describe third-party postings etc. about oneself though; that wasn't an obvious connection to me terminology-wise.

I agree with Clive's comment about "cross-linked"/"inferred" data being different than just "personal" data.

While I am not sure inferences made about data alone (e.g. time zones of postings) warrant a separate class, I do sense there's a substantial difference between a person's disclosed information, and that same information put in a "cross-linked" form with other people's personal information.

I once created a cross-link system to gather/crosslink such data to vastly reduce credit card billing fraud detection system in a prior ecommerce/telecom position.

Without going into all the details, let's just say that service data that relates just to you ("who you called/who called you") is substantially different in nature from the all the data that can be linked to you via all users (named and pseudo-anonymous) of a given service for all time. (Who calls the people who call you and who do they in turn call? ... a full graph that can has distinctly different/greater value when linked with data of many other people using the same/similar service.)

A service-wide graph that links your information with others connected to you in some way (calling/communication patterns, IPs/geographic locations, similar web traffic browsing patterns, credit card aliases used, etc) contains not just your personal information but an potentially exponentially larger amount of context when linked all together.

Cross-linked data can spiral into a mess and get one nowhere, but at times it can be tremendously powerful (cf isolating/identifying friends of Saddam).

@GregW:

Incidental data is more a case of "observational" or "reputational" data.

Bujold described the difference between Honor and Reputation... but things other people post about you is more related to reputation since its authorship is by an observer.

It can be argued that these will have varying relationships to one's "ego"...

@Clive Robinson, GregW

There's a blog on 'de-anonymization' out there (http://33bits.org/) where problems like that are discussed. For example, its author has a paper 'De-anonymizing Social Networks' out (http://randomwalker.info/social-networks/).

Abstract:

Operators of online social networks are increasingly sharing potentially sensitive information about users and their relationships with advertisers, application developers, and data-mining researchers. Privacy is typically protected by anonymization, i.e., removing names, addresses, etc.

We present a framework for analyzing privacy and anonymity in social networks and develop a new re-identification algorithm targeting anonymized social-network graphs. To demonstrate its effectiveness on real-world networks, we show that a third of the users who can be verified to have accounts on both Twitter, a popular microblogging service, and Flickr, an online photo-sharing site, can be re-identified in the anonymous Twitter graph with only a 12% error rate.

Our de-anonymization algorithm is based purely on the network topology, does not require creation of a large number of dummy "sybil" nodes, is robust to noise and all existing defenses, and works even when the overlap between the target network and the adversary's auxiliary information is small.

@ John Campbell,

"It can be argued that these will have varying relationships to one's "ego"...

Hmm "personality type" possibly some people "live inside their own heads" (techi types) others "live inside the heads of others" (your always "networking" managers / execs / politicos / con artists /etc).

Depending on your usage of "ego" you could say the former have none whilst the latter are all ego.

Techi types tend to have "social communications" issues which tends to get them (unfairly) marked down by others. Where as your networking types tend to be very good at social communications (and not a lot else) which tends to get them (unfairly) marked up by others.

The desire to be "top dog" etc (ie egotistical) is not in most cases related to ability to do a job or social communications ability (you only have to watch the X-factor to see when ego/self belife is baddly misplaced).

From the way you phrased your use of "ego" you could also argue that the "ego" has an inverse relationship to ability.

(A point many will have sympathy for as their "networking" bretherin steal the credit for their work).

@ r721,

"Our de-anonymization algorithm is based purely on the network topology... ...is robust to noise and all existing defenses,... ...and the adversary's auxiliary information is small."

And people ask me why I pay in cash and don't "twitter" or "facebook" etc etc ;)

All these kinds of information also have differing levels of veracity (insofar as that term means anything any more). The fact that someone associates your name with a photo or a note or a link may or may not mean that it actually has anything to do with you. And information posted on sites may or may not be factual (and may draw, via links, third and fourth parties who have no direct association with a particular social networking site.)

I am amused, for example, to note that the overwhelming number of people following me on Twitter (which I don't really use) are malware bots. Not sure exactly what that says about me, though.

following @uqbar, I'd suggest that 2,3 & 4 are all varients on disclosed data, and that you're missing the fourth data-type in the 2d grid where 'posted by you / posted by someone else' is one axis and 'posted in your area of control / posted in someone else's area of control'.

The important thing about information about you that is posted by someone else in an area outside your control it that (compared to the other three data-types) you're less likely to be aware of the disclosure, and so less likely to be able to do anything about it, even if the ability to in some way object to the disclosure exists.

@ Bruce,

"That feels like a subset of behavioral data to me.

Your type 5 is one half of it (ie traffic analysis on what you do,) that may be visable just to the admins of the "social network" site, or those that have access restricted or otherwise.

An example of the former is where for instance the site owner/admin "outs sockpuppets". The admins have access to data that the site does not normaly show (IP address / etc).

An example of the latter has been seen on some "social network" sites. What you think is limited to just a small group (say your family) can become available to many (through their friends lists). Either directly (your post and the family members post) or indirectly (just the family members half of the post).

The other half of the problem is the actual data that is cross linked to is not on your list. In a more general case (ie not just "social networking") it would be a subset of your type 4 data.

That is it is not on a "social network" site at all, or you have "deleted it" but the site has not, or issues to do with metadata.

Examples of the first could be a business web site such as a newspaper's online edition, an e-commerce site (such as Amazon) where you have rated a product, or a "black hat" site that has posted / made available your bank / CC details. Or as I previously noted commercialy available data on you such as credit rating or marketing DBs.

An example of the second is "orphaned data". Where "social network" sites use many servers to build a page. Photos have still been visable on their original URL on the photo server even though the link refrence has been removed on the HTML body server.

An example of the third type is unautherised access due to predictable naming in site URLs that enable a private URL to be fairly easily determined.

One example of this is where a "thunb nail" picture URL could be used to find the high resolution image just by changing the end of the URL (which has comercial implications for those wishing to charge for the high resolution images).

Another is where the URL contains a sequence number either put in by the site software or the user (such as uploading files from a digital camera and not changing the file names in the process).

Then there is the possability of infering "missing data" for instance a site admin might decide to delete one or more entries on an open comments page. The fact that each entry is given a unique serial number may be used to determine how many have been removed from public display or if in fact they have been deleted at all or mearly had the links removed.