Online exposure

Social networks, mobile phones, and scams can threaten your security

Woman on a computer will lots of eyes looking over her shoulder
Photo illustration by Stephen Webster

More than 5 million online U.S. households experienced some type of abuse on Facebook in the past year, including virus infections, identity theft, and for a million children, bullying, a Consumer Reports survey shows.

And consumers are at risk in myriad other ways, according to our national State of the Net survey of 2,089 online households conducted earlier this year by the Consumer Reports National Research Center. Here are the details:

  • Overall, online threats continue at high levels. One-third of households we surveyed had experienced a malicious software infection in the previous year. All told, we estimate that malware cost consumers $2.3 billion last year and caused them to replace 1.3 million PCs.
  • Millions of people jeopardize bank information, medical records, and other sensitive data they store on mobile phones, we project. Almost 30 percent in our survey who said they use their phone in such ways didn't take precautions to secure their phones.
  • Many active Facebook users take risks that can lead to burglaries, identity theft, and stalking. Fifteen percent had posted their current location or travel plans, 34 percent their full birth date, and 21 percent of those with children at home had posted those children's names and photos. Moreover, roughly one in five hadn't used Facebook's privacy controls, making them more vulnerable to threats.
  • Twenty-three percent of active Facebook users didn't know some of their "friends" well enough to feel completely comfortable about their own or their family's security or safety. An additional 6 percent admitted to having a friend who made them uneasy about those things. That means almost one in three Facebook users aren't fully comfortable with all their friends.
  • The persistence of Internet threats makes it important to use security software. In our tests, we found that free anti-malware programs should provide adequate protection for many people.

Facing up to Facebook

If you're like some 150 million Americans, you share the details of your life on Facebook, assuming that you and other users are its main customers and that it's accountable to you. But Bruce Schneier, chief security technology officer at security firm BT Global Service, says you're not Facebook's customer. "You are Facebook's product that they sell to their customers," he says, referring to the network's advertisers.

With "Find us on Facebook" tags popping up in malls, on popular TV shows, and elsewhere, Facebook has a lot of product to sell. And with no comparable alternative service, consumers are left as fodder for Facebook's advertisers and app developers. "You are on Facebook because everybody else is," Schneier says. "You can say 'I don't like Facebook, I'm going to Live Journal,' and suddenly you're alone."

Its position as the king of social networks has made Facebook the custodian of arguably the nation's largest collection of details about consumers' personal lives. "Any time you have a party with such a large amount of data, there's reason for concern," says Justin Brookman, director of consumer privacy for the nonprofit Center for Democracy and Technology.

Already, use of that data by outsiders is widespread. It might not be news that people have been fired because they posted ill-considered status updates or photos. But job recruiters might check Facebook to find out who people are connected to.

One recruiter told us that headhunters have used social-network data to make sure job candidates are a fit with their clients. So if you lost out on a job because of Facebook, it might not have been because of just one indiscretion. You might have been rejected because an employer or recruiter found telling details in your postings, even though such a rejection might constitute discrimination.

Facebook posts are also widely used as evidence in divorce and family-law cases. Randall Kessler of Kessler, Schwarz & Solomiany, chair-elect of the American Bar Association's family-law section, says he advises new clients to "consider a cyber-vacation."

"Facebook makes our lives so much easier as divorce lawyers," he adds. "Some people give it to us on a silver platter. There are spouses who list themselves as single while they are still married."

Lawyers and recruiters aren't alone in tapping into Facebook's vast database. Despite the uproar last year over Facebook's sharing of user data with some websites, the service recently proposed allowing developers of its more than 550,000 apps to request and obtain users' home addresses and phone numbers. The proposal prompted howls from several members of Congress.

"This information is extremely sensitive, and the policy Facebook proposed would force users to give up this info if they want an app," says Sen. Al Franken (D-Minn.), who heads the new Senate Subcommittee on Privacy, Technology, and the Law. "The potential for fraud is just too great." Franken and three other senators noted in a letter to Facebook that a phone number and a home address, coupled with a small fee paid to a "people search" website, could yield enough information to complete a credit-card application in someone else's name.

Franken told us that he's particularly concerned about the potential violation of children's privacy if Facebook implements that policy. "Kids should not be able to give that information away to strangers even if they wanted to."

Facebook recently began testing a program to use status updates and other information to deliver highly targeted ads. So if you post that you're looking for a car, you might find ads from auto dealers peppering the screen. Some might welcome such customization, but others might consider it an invasion of privacy. Regardless, such plans raise questions about what else the service hopes to do with the immense database of personal information it controls. Consumers' concerns might be allayed if they had more of a say in what Facebook does with their personal information.

Facebook publishes privacy policies like other companies do, but as a private corporation it needn't file the annual reports and other disclosures required of publicly held firms such as Microsoft and Google, which can provide even more information about a company.

Whatever the company's obligations, Franken told us, "Facebook needs to make its users' privacy a top priority."