I really hope that you’ve enjoyed my previous posts looking at the small print of social networking sites’ T&Cs and privacy policies:

I learnt several valuable lessons through conducting this investigation. Firstly, social networking sites thrive on personal information – they ask for much more than I’m comfortable to give away though. Most of them also send your data away to America to process and store, which I think is an important point, as I’ve highlighted that Safe Harbor is a voluntary set of guidelines. I also think it’s a bit much for these companies to store your friends’ details without them having agreed to it, or at the very least having it mentioned before users use the ‘email a friend’ service. Lastly, the cancellation, deactivation or disabling of accounts worries me. Hardly anybody could give me the clean and simple answer that I wanted – that they had completely removed me from their database.

Whilst investigating these sites, I also came across a tool called Paterva – a social engineer’s gift. Basically it’s a nifty little thing that can search for a name and present a map of information about that name to you – emails, websites, phone numbers and more.

It didn’t find anything about me that I could see, but there was a plethora of information available about other Sarah Turners. Anyone wanting to launch a social engineering attack wouldn’t have to go to much effort if they incorporated pieces of information found by Paterva and spent a little time on a few social networking sites. It’s a term that I like to call social enginetworking, a cross between social engineering and social networking.

With social networking sites being very much en vogue at present, I think that most users and potential users understandably focus on, well, the social side of them. It doesn’t seem to occur to that many people (unless you are especially security-minded or work in security) to consider thoroughly examining and questioning privacy policies prior to signing up to these sites, which is a real shame, as that must mean that users don’t realise who they are potentially exposing lots of personal information to. From a security angle, these types of sites are undoubtedly attracting hackers – remember the MySpace worm? Personally, I’m steering clear of social networking sites; if I want to communicate with my friends I’ll give them a call or meet up with them rather than poke, tag or IM them.

Comments

David Kierznowski on 22 October, 2007 at 11:33 pm #

Great work Sarah. I really enjoyed this set of articles!
