Live by the Tweet, Die by the Tweet.
In one of many new mantras for our digital age, the impact and repercussions of user generated content, and posting it to one of several new and increasingly popular social media sites, have yet to be fully felt or realized.
As such, social networks - and the hardware and software that underpin them - are of increasing interest and concern for both private and public sector organizations.
These technologies do represent exciting new opportunities for people to share information and for companies to interact with customers, say privacy professionals, but social media tools also represent a new area of risk for the exposure of confidential, proprietary and/or personal information.
At the Canadian Privacy Summit, the second annual national conference presented by the IAPP, the International Association of Privacy Professionals such issues were discussed and debated by Canadian privacy professionals over the course of the three day event, held in Toronto.
In a special session called Social Media Privacy Risks to Enterprises, Louisa Garib, Policy Analyst, Legal Services, Policy and Parliamentary Affairs Branch, Office of the Privacy Commissioner of Canada and Constantine Karbaliotis, CIPP/C, Information Lead with security firm Symantec, described a number of the risks, issues, challenges and opportunities presented by social media techniques and technologies.
With some recent real-world examples to underscore their case, Garib and Karbaliotis described many of the workplace privacy and personal information issues associated with social networking sites such as Facebook, Twitter, MySpace, LinkedIn and more.
Attendees recalled the story of a would-be Cisco employee, who inadvertently proved that when it comes to placing a permanent black mark on your resume, the Web rules!
Having noted in a personal posting that weighing a “fatty paycheck” (sic) against “hating the work” was a challenge, the would-be employee was reminded by another post that “[w]e here at Cisco are versed in the web.”
The person may or may not still have a job, but they do have a website that memorializes their social media ineptitude, called CiscoFatty.com.
Then, there’s the story of a young man who took time off work due to “family illness” only to turn up in a time-stamped Facebook photo. Work associates noted online evidence of his attendance at a costume party in full fairy regalia with great interest.
The risk of such inadvertent or improper disclosure of personal information is one risk, but many others exist, explained Garib.
Internal risks are both to the employee and employer, and overall employment relationships can suffer as a result of social media use, she said. External risks to client relationships, supplier and other business partners must also be considered.
More than souring a working relationship, the disclosure of personal, proprietary or confidential information can have many other serious consequences, including a violation human rights codes, labour law, copyright regulations, privacy protections such as PIPEDA if not the criminal code itself.
As a business expense, the use of social networking sites has a potential down side, as well. Non-work related Internet surfing results in up to a 40 percent loss in productivity each year, according to The Gartner Group, an IT consulting firm.
In fact, 30 to 40 percent of Internet use in the workplace is not related to business, according to IDC, another U.S.-based market intelligence service provider.
Complicating the matter further, Garib noted, was the increasingly blurry lines between on and off work hours, as well as the breakdown of the walls between an office-bound, home-based or very mobile workforce.
No matter how, where or when, the use of the Internet and social media sites by employees is prevalent, and only increasing, Karbaliotis added.
He shared statistics that showed 42% of office workers between the ages of 18 and 29 discuss work-related issues on blogs and social networking sites, and that 50% of surveyed organizations indicated at least 30% of their network bandwidth was being consumed by social networking traffic.
The opportunities social networking sites present were not ignored, and the ability to connect and interact with professional peers, industry associates and work partners cannot be underestimated.
Many companies have initiated there own Web 2.0 social networking tools, in order to better communicate with staff, clients and other stakeholders.
But stand-alone social networking sites have their own business goals, as well, Karbaliotis said.
They may offer terrific tools at low or no cost, but they do so because the data they collect has value, either to them or to other companies.
Social networking sites observe what users do: what sites they visit, what pages, how long they look, what links they click, and they often link that back to other
information (demographics) they have collected or that users have provided.
“It’s very interesting data, and very valuable” Karbaliotis said, “At the same time, it’s attracting a lot of negative attention from privacy regulators concerned over how data is gathered, how long data is kept, and the lack of transparency over its collection or use. One of the key reasons to set up social media sites and
technologies – apart from advertising – is the generation of this behavioral information and thus targeted advertising.”
Rather than just shutting the whole business down and blocking all Internet access, Garib proposed a number of best practices that organizations and individuals could follow in order to reduce the risk of improper or illegal information disclosure online.
“Clear rules and policies, drafted specifically for the use of social networking sites in the workplace, should be communicated to all employees,” she explained, adding that any families and parents at home could follow similar steps.
If necessary, employees should be notified before monitoring their Web and e-mail activity (and the rules should be checked against employment codes, human rights practices and other legal precedents).
“A privacy-friendly workplace calls for the fair use of information by all parties,” she said, encouraging employers to craft a written policy that clearly outlines what employees can and cannot do when it comes to e-mail and Internet use on company time and equipment and what the consequences will be if the policy is violated.
Ontario Information and Privacy Commissioner Ann Cavoukian, also appearing at the conference, has said that “posting your personal information on a social networking website without considering your privacy options is like crossing the street without looking both ways.
“Neither is advisable.”
The Commissioner and Facebook have worked together on many occasions, and the two have released a brochure, When Online Gets Out of Line that encourages users to carefully consider their privacy options before hitting “send.”
“Social networking sites are becoming a significant technological and social phenomenon,” said the Commissioner in a release at the time. “These websites help to connect people with various interests and are becoming increasingly popular with university and college students. They can offer basic information about people and also provide blogs, chat rooms and discussion forums. There are hundreds, if not thousands, of these websites. Most offer students minimal protection.”
The IAPP was founded in 2000 with a mission to define, promote and improve the privacy profession globally. Its members share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals, and provide education and guidance on opportunities in the field of information privacy.