Social Media for Social Evil – Part II Network Analysis

This is the second of what is intended to be a three-part series. To catch up, read “Social Media for Social Evil – Part I”. Since some of the darker parts of the web have been doing these things for *years*, I’m going to cover them in great detail here. Hopefully people can take steps to better protect themselves. Anything detailed here that might be illegal is neither condoned nor encouraged by me, anyone I work with, nor my ferocious kittens. It is highlighted here for analysis only.

'Refereevesdropping' by Joe Schwartz

This weekend when Mike Arrington created a fake Eric Schmidt (CEO of Google) on Facebook, I was reminded of a few other attacks. Last time, I talked about the ease and risk of the impersonation angle, but what if we just wanted to be annoying?

The easiest thing to do is to add someone else’s email as a secondary or tertiary address on our own account. Most services – like LinkedIn – support attaching a variety of email addresses to one account and prevent the same address from being entered twice. This would prevent the other person from registering with that email address. You wouldn’t want to use it as your primary email, as any password reset emails would go to them. Bad news.

Of course, it’s unlikely to slow them down for long but it’s going to be annoying.

But from the same attack, there’s another weakness. When you sign up for any of the social networks, you have the option to import your email address book. It’s a quick and easy way to find people you already know and interact with. Unfortunately, this is another attack vector.

As Mike notes:

Of course I could have created a fake Eric Schmidt account without using his real email. But by using that email address Facebook immediately started suggesting friends to me – presumably people who have uploaded their contacts, including that email address, to Facebook in the past.

From a research perspective, I just gained insight into who has used (and imported) that address previously. Granted, I’m unlikely to get any sensitive information or secret corporate documents, but I can begin to see who is interacting with whom. This is a well-known concept called Information Leakage.

For most people this is completely irrelevant and uninteresting. But what if I’m the Securities and Exchange Commission trying to detect relationships between corporate leaders... Martha Stewart? What if I’m the FBI and have the email address of a “person of interest” and I want to see who they interact with? What if I’m just a bored researcher trying to figure out who might be gay?

But – and this is the scary one – what if I’m an oppressive regime like Iran or North Korea and I have the email addresses of a few dissidents?

Please note that this attack doesn’t get access to the actual communications or even the frequency of those communications... it just confirms that they exist. In some cases, that may be enough to make trouble for those involved.
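To make the leak concrete from the service's side, here is an added example (not from the original post or from any real network's code): a toy model of contact-import suggestions, showing what an unconfirmed signup learns and how withholding suggestions until the address is confirmed closes the gap. The class, its methods, the account names and the example.com addresses are all constructed, and the verification gate is an assumed mitigation, not something the post describes.

```python
"""Toy model of contact-import friend suggestions (constructed for illustration)."""
from collections import defaultdict


class SuggestionService:
    def __init__(self, require_verified_email):
        self.require_verified_email = require_verified_email
        self.importers = defaultdict(set)  # contact email -> accounts that uploaded it
        self.accounts = {}                 # account id -> {"email", "verified"}

    def import_address_book(self, account_id, contacts):
        for email in contacts:
            self.importers[email.strip().lower()].add(account_id)

    def register(self, account_id, email):
        self.accounts[account_id] = {"email": email.strip().lower(), "verified": False}

    def verify_email(self, account_id):
        # Stands in for clicking a confirmation link sent to the mailbox.
        self.accounts[account_id]["verified"] = True

    def suggestions(self, account_id):
        acct = self.accounts[account_id]
        if self.require_verified_email and not acct["verified"]:
            return set()  # no proof of mailbox control, so reveal nothing
        return self.importers.get(acct["email"], set()) - {account_id}


def build(require_verified_email):
    svc = SuggestionService(require_verified_email)
    # Constructed sample data: two users who uploaded address books earlier.
    svc.import_address_book("alice", ["ceo@example.com", "bob@example.com"])
    svc.import_address_book("carol", ["CEO@example.com"])
    # A later signup claims the address but never confirms it.
    svc.register("unverified_signup", "ceo@example.com")
    return svc


if __name__ == "__main__":
    for gated in (False, True):
        svc = build(gated)
        print("gated" if gated else "ungated", sorted(svc.suggestions("unverified_signup")))
    svc.register("real_owner", "ceo@example.com")
    svc.verify_email("real_owner")
    print("verified owner", sorted(svc.suggestions("real_owner")))
```

Even in the ungated case the result is only a set of account names: the existence of a relationship, with no message content or frequency.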

I’ve also submitted some of this analysis as a Core Conversation to SXSW 2011 under the title “Shattering Secrets with Social Media”. If that sparks your interest, let me know, as I’m turning it into a regular presentation for interested technology groups.