Profiles on Social Media Platforms: As Obvious as it Sounds, They Are Not Always What they Seem
August 19th, 2008, by Chris Pierre

Much has been written about the evolving concept of identity as it relates to Web 2.0. The Internet allows us to construct imaginary identities that might be very different from who we actually are. Problems arise however when those identities we construct already belong to someone else, or when they are used maliciously.
Forgetting for a moment about automated, large scale attacks on identities such as Phishing, targeted offences relating to “identity” on social media sites occur more often than one might think.
The most recent incident involves a family member of Tim McLean, the man who was brutally killed on a Greyhound bus in Manitoba in July of this year. The CBC reports that a person claiming to be McLean’s sister convinced the administrator of one of the Tim McLean Facebook memorial pages to allow them to post messages and to collect money on behalf of the McLean family through a Paypal account. It wasn’t until McLean’s real sister found the site that the person claiming to be McLean’s sister was outed and the fraud was uncovered. The RCMP are currently investigating.
Another case, that of Megan Meier, the very unfortunate Missouri teen who committed suicide several years ago, involved a false identity in the context of cyber bullying. The perpetrator was the mother of a former friend of Meier’s whom she had fallen out with. The former friend’s mother, Lori Drew, created a MySpace profile of a fictitious boy named “Josh Evans” who accessed Meier’s MySpace profile and made a friend request, which Meier accepted.
With the help of an assistant at her office Drew began communicating regularly with Meier. Initially “Josh’s” comments were flattering; however, later the comments turned very hurtful and were considered by the court to be a large part of what motivated Meier to commit suicide.
In an odd twist, Fox News reported that a blog called “Megan Had It Coming” appeared on the Internet on December 3, 2007. The blog contains detailed information about the circumstances of Meier’s death as well as negative commentary about her. The writer of the blog claimed to be Lori Drew (aka Josh Evans).
Drew denies writing the blog and investigators are looking into its background. If what Drew says is true, it appears to be a case of Internet based vigilante justice.
Drew was indicted on a number of charges, some of which are being appealed at the moment.
Now on to the Olympic circuit. In a recent case reported by The Mail Online, British Olympic Swimmer Rebecca Adlington was derided on a Facebook group page.
The issue is that the group was set up using the picture and name of Helen Fernandes, a prominent British brain surgeon who in reality had no connection to the swimmer or the group on Facebook. In her statement to the press Ms. Fernandes said “I didn’t even understand what Facebook was until I received a call alerting me about the fraud.”
This case is different from the Megan Meier case because it involves possible defamation and not cyber bullying or harassment. However, these cases and the McLean case share the involvement of a forged identity, and they illustrate that the problem of fictitious profiles in Social Networking environments is not limited to any specific class of person or crime.
This reasoning appears to be part of the logic behind a decision made in the District Court, Civil Division in Queensland, Australia. In Citigroup Pty Ltd. v. Weerakoon, heard in April of this year, Judge Ryrie denied a request by the plaintiff to email a “personal service” to a defendant through the defendant’s Facebook page. In her commentary, the Judge stated that:
“I am not so satisfied in light of looking at the uncertainty of Facebook pages, the facts that anyone can create an identity that could mimic the true person’s identity and indeed some of the information that is provided there does not show me with any real force that the person who created the Facebook page might indeed be the defendant, even though practically speaking it may well indeed be the person who is the defendant.”
It may be the case that (a) Judge Ryrie was truly uncomfortable with the ability of someone to set up fake profiles; or (b) that the lawyers for the plaintiff were not able to adequately prove through other means that the person receiving the messages from the Facebook profile was in fact the defendant; or (c) that the lawyers were unable to use the information available from the Facebook profile to physically locate the defendant.
In my view it’s likely “d”: a mixture of all of the above.
Leaving the debate about Privacy vs. Anonymity vs. Freedom of Speech aside, if these cases illustrate nothing else, it is this: from identity theft, to on-line harassment to requiring further evidence to prove that people are who they say they are, there are certain to be more and more investigatory issues that arise out of Web 2.0 platforms and their relationship to what we consider “an identity” than what we are used to dealing with in the Security and Investigations community.
This is a critical issue that doesn’t get talked about enough, in my opinion. We don’t deal with bullying and harassment effectively. Both are acts of cowardice and like with all issues, they need to be discussed and dealt with directly.
Are the current laws in North America effective in dealing with “non-web 2.0” cases of bullying and harassment? I wonder…
As you’ve pointed out, Facebook, MySpace and other social media platforms are allowing these cases to increase, and in some cases with horrific endings.
Any ideas on how we can protect our children and loved ones with this new platform for harassment and bullying, Chris?
–Jeff
Yes, there are a few ideas floating around the community to help deal with this issue.
The first solution is education. Educating people on the appropriate way to use them in the appropriate context (i.e. school context, work context, social context, etc.) is important. It’s easier to do in a school or work context, but more difficult in a purely social context.
In the social “group” context, my thoughts are that dialogue has to happen with the community, policies have to be formed, then communicated effectively through the channel, then enforced when breached. It is the responsibility of the group administrators, working with the community itself to develop those programs in either a formalized or an informal way.
It will also be the responsibility of the group administrators to do any due diligence required on potential administrators. In the McLean case, it appears that the con-artist posing as McLean’s sister was made an administrator of the Group.
Having said that, we can’t depend on the administrators alone. Members of the communities, groups and discussions are going to have to police themselves, and that includes reporting abuses.
If an abuse is reported to the level above the group administrator, to the site administrator, then a decision must be made as to whether to report the incident to the police. In my opinion any case where mischief has occurred and fraud or impersonation is involved would be a trigger to report the issue to the police.
Third, when a new user signs up for the service, their profile should be set at the most private settings first, not the most open or somewhere in the middle. It should be the user’s prerogative to open up the settings, not for them to have to make them more closed. It’s kind of the “opt in”/“opt out” argument.
Admittedly, many improvements have been made in this area by Facebook, MySpace and some of the other sites, but users are still required to opt-out of the open settings.
It would also be helpful, especially for inexperienced users, to have some sort of video or demonstration when they open their account that would describe how to protect themselves from identity theft and on-line harassment. There are a few simple tips, such as “Don’t put your date of birth in your public profile” that could really help.
This goes back to the education idea, but in the context of the site, rather than the context of the group. It would sure beat some EULA that most users click through without reading.
The third solution is that laws need to be appropriately written to take into account the phenomena of social networking sites and how people are using them.
I’m not a lawyer so I would defer legal interpretations to other professionals. Furthermore there are existing laws about fraud, personation, hacking, etc. However, in the case of Meier there is an appeal against one of the convictions against Drew because the offence doesn’t quite fit the law she was charged under.
That makes it confusing for society, for the legal community and for the police who are supposed to be charging people with offences.
Those are just a few ideas. There are definitely more but it appears that I’ve turned my response into another blog post.
I think social networking sites like Facebook need to be more accountable to their users by being transparent about the changes they make to privacy. Earlier this year, Facebook changed the default of their privacy settings prior to notifying the community at large. In my opinion, the community should be the one to determine the appropriate level of privacy which Facebook, in turn, should implement.
I disagree that members should always set their privacy settings to the highest level. In the spirit of openness and all that is good about the Internet, being forthcoming is what leads to stronger relationships online. However, it is the member’s responsibility – and not the social media site’s – to self-regulate their own data. Content lives forever online. As such, you are only as vulnerable as the content you choose to post. Knowing what to post comes down to educating the public at large – as you so rightly mention, Chris.
Hi Kristina,
You make some excellent points, thank you for your comments. Also, I agree that the beauty of the Internet is that it allows people to connect, regardless of geographic or demographic disparities.
My only thought regarding the privacy level settings on social networking sites is that in my view the default settings, i.e. the settings that you are presented with when you first sign up to the service, should be set at the most private, and then the user can make them “un-private” at their discretion, as opposed to them being set “un-private” by default.
People, by nature, tend to execute the easiest option of a set of choices so if they are presented with privacy settings that are open then they might not be inclined to change them. Conversely, if they were presented with the “most private” option initially and they want to be open to the world, they could release as much about themselves as they want.
In my view it is somewhat of an ethical design question. A topic which Jeff covers in his interview with Joe Lamantia on the IA Consultants podcast.
The one final point is that I agree, Facebook or any other Social Networking site should be required to notify users about changes to Privacy settings; however, as you point out, at the end of the day we choose to post our information there, we are not required to. If Facebook is transparent about the changes they make then the users can make educated decisions about whether they might choose to stay on the service.
Thanks again for your post. Keep the discussions rolling!
I think your point about education, Chris, is the key to all of these issues. Living, working, and playing in the information age, we rarely take time to understand only to consume. We race from application to application; website to website clicking the “Accept” box on privacy policy terms and never reading them. (Not that it would matter even if you did as most of these are written in legal terms that you’d need a law degree to interpret properly.)
I believe we should be looking at this as not just a short-term problem that we in the workforce are having to manage, but also the longer term impact on future generations. We need to be talking with children as early as Kindergarten about what the Internet is all about, and the amazing world that exists within; as well as the inherent dangers in sharing personal information.
We fear what we don’t understand. Ignorance (aka lack of knowledge) is the basis of all anxiety, anger, and stress. Again, we live in the Information Age. Trying to control the conversation, or hide information from people is a fruitless task. Take the iPhone for example. I can access any site on the web from anywhere at anytime. Blocking, modifying or trying to prevent people from communicating with one another simply isn’t possible. Yet senior executives and public sector departments still waste countless hours and millions of dollars every year thinking they are preventing people from communicating or accessing information; they are modeling the very definition of ignorance.
Does this not come down to individual accountability? I guess that’s what makes this topic a little gray in my mind. If people don’t read or can’t understand the privacy statements, whose fault is this? Does the developer of the application simply shrug their shoulders from a legal perspective and say “Well you agreed to the privacy terms, so it’s all on you.” I find that to be an incredibly weak argument; yet it’s the reality.
I agree with Kristina that setting the privacy settings to their highest levels is not the answer. This is exactly what public and private sector organizations are doing by blocking access to any and all potential threats or what they would deem to be non-work related sites.
This is why as a consultant I can almost never work on site in doing research as I can’t access even credible sites because an Executive or someone in the IT department has created a list of web sites that are a potential risk or may link over to other sites like YouTube or Facebook.
It’s time to deal with the reality of the Information Age; or we can simply wait and when the largest generation in North American history retires, we will see a major shift in the corporate cultures in both the public and private sectors; in my opinion.
You can hear part one of my discussion (and get access to part two) with Joe Lamantia here http://www.iaconsultants.ca/index.php/2008/06/13/joe-lamantia-ux-matters-part-one/
Cheers!