Face-off in Oxford

Britain’s oldest university has become a flashpoint for students’ use of social networking and privacy, while companies debate whether to block or encourage Facebook and its rivals.
Britain’s oldest university has become a flashpoint for students’ use of social networking and privacy, while companies debate whether to block or encourage Facebook and its rivals.

This July saw a new twist to Oxford University’s tradition of ‘trashing’, which involves students celebrating the end of exams by attacking each other with aerosol string, flour or high-power water-pistols.

The university proctors, academic staff responsible for disciplining students, have previously issued fines for aspects of trashing, such as creating mess in the street with food or alcohol. But this summer, they turned to social networking web-site Facebook for evidence.

“The problem was that they were actively trawling Facebook to find individuals who, in their opinion, had acted inappropriately,” says Martin McCluskey, the elected president of Oxford University’s student union, which had agreed with the proctors that students would be fined for some kinds of trashing. “It was more the underhand tactics we objected to.”

The university says its proctors acted in response to complaints of antisocial behaviour from the public and university staff, and used “only publicly available material from Facebook” in identifying and disciplining students.

McCluskey thinks the university used Facebook in a way that went beyond the site’s terms and conditions, but believes the web-site also needs to modify the way it deals with such events. “Facebook was very reluctant to get involved in anything to do with this,” he says, regardless of what he sees as a breach of its terms.

But he says that students also need to change the way they behave online. To that end, the student union issued precise instructions on how to turn on strong privacy settings on Facebook: those joining the Oxford University ‘network’ on the site may not realise that this provides enhanced access to their profile to anyone within this network, including academic staff as well as students, unless settings are changed to avoid this.

McCluskey plans to continue this education through the student union’s web-site and emails to students. “We’re dealing with an unregulated marketplace here,” he says of such sites, adding that even students who use the maximum privacy settings are not safe, as their friends can still post labelled pictures of them without privacy.

Fresh-facebooked

"Academics have to consider how to use social networking and similar interactive web technologies to ensure a free exchange of ideas among students."

Student life has long involved doing things that participants are keen for everyone to forget later. Apart from misbehaviour, universities should provide a chance for students to consider and change their ideas and views, and to decide what they want to do with their lives. The question is, do social networking sites hinder that?

Research by Oxford University’s Oxford Internet Institute confirms that social networking is dominated by the young. 42% of British students have created a profile on the likes of YouTube, MySpace or Facebook in the last year, compared with 15% of those in work and 2% of pensioners (see reference 1).

Facebook, one of the newest, is gathering particular attention due to its explosive growth. It was created in February 2004 for students of Harvard University in Massachusetts, adding other universities from the US during that year, then others overseas in 2005. In July, internet research firm Comscore said Facebook’s British visitor numbers grew by 25% between May and June alone, to six million, (reference 2) and the company says it has 4.5m active accounts in the UK.

Ellen Helsper, survey research officer at the Oxford Internet Institute, says there is very little research into the specific impact of social networking, but there is evidence that school pupils and students are aware of privacy, partly as a result of warnings about grooming by paedophiles. “They know not to use their addresses or mobile numbers,” she says, although the institute’s research with teenagers has shown they often provide enough alternative information to people online – such as their school, their appearance, where they spend time away from home – to put them in danger.

Because Facebook has privacy protection available, users may feel their information is protected. But Helsper adds: “The software at the moment doesn’t really correspond to people’s everyday use of ‘privacy settings’, if we can call them that,” in other words, the conventions of privacy used in the real world.

Academics have to consider how to use social networking and similar interactive web technologies, she says, to ensure a free exchange of ideas among students. To that end, the institute is considering use of blogs visible only to those within Oxford University for academic work in progress.

A good social life

But universities can do little about private use of social networking. Helsper thinks that young people’s use of social networking appears to change during their teens: of video-sharing site YouTube, she says: “It’s not really used to create networks, tight-knit groups of friends, but in promotion of self-image,” and this is often of more interest to teenagers at school.

MySpace is a hybrid, both for promotion and for networking, while Facebook is primarily about networking, hence the privacy settings opening privileged access to information only to those who are trusted.

The trouble is that the older self-promotion profiles can undermine the newer networking ones. Infosecurity asked penetration tester SecureTest to attempt to gather information on Mike Simpson, a recently-graduated local student, starting from his name only (although far more information would be available on a CV). The richest sources of data by far were the profiles he had set up on social networking sites: his account of this is below.

In his case, an older MySpace profile provided keys to Facebook. The latter site used to be available only to those with email accounts at academic institutions, but is now available to all, and in September Facebook announced it would grant search engines access to basic profiles (although users can opt-out).

MySpace features fewer privacy settings and is marketed at school pupils as much as students, so people may arrive at university with such a profile already in place, only to forget about it in moving to the student-focused Facebook.

However, student union president Martin McCluskey says that, unlike last year, a large number of this year’s Oxford University freshers already have Facebook profiles.
A survey of 501 potential university students aged 16 to 18, carried out by research firm Ipsos Mori in June for UK universities’ Joint Information Systems Committee, found that 65% regularly use social networking sites – far more than the 27% who regularly use wikis, blogs or other online networks. Only 5% had never used social networking sites (reference 3).

Let’s get to work

“They think that Facebook will have their best interests at heart, but it needs to spread and grow as a business,”
Carole Theriault, senior security consultant, Sophos

Research by UK vendor Sophos suggests that many users of Facebook are casual about agreeing to requests from other users to link, and many even provide personal information when asked (see ‘Contacting a slippery character’). Carole Theriault, senior security consultant at the firm, says users may have a false sense of trust in the service. “They think that Facebook will have their best interests at heart, but it needs to spread and grow as a business,” she says, which means encouraging users to connect (reference 4).

Theriault adds that joining networks within Facebook presents a particular risk, as these provide everyone else within that network with a certain amount of access to a user’s personal data. Some of the networks, such as ‘London’, have more than one million members.

Joining the London network is exactly the sort of thing a recent Oxford graduate might do, if moving to the capital. Theriault says some employers are using Facebook as a business tool, such as for arranging meetings: she knows of a London law-firm doing this. Also, since establishing a profile herself, Theriault has been approached by recruitment firms through the system.

Those in the media seem to be particularly keen: in mid-July, Facebook said that 14 000 BBC employees were users, of the broadcaster’s 23 000 total staff (reference 5). Theriault says journalists often use the system to arrange interviews with Sophos, and Ellen Helsper says many young journalists would be at a loss without it: “It’s kind-of being in the loop.”

Some firms have banned its use completely, although concerns about productivity may be the main justification, rather than employees’ privacy. Theriault says a middle way may be desirable: “I would exercise caution, have guidelines in place on what you post,” she says. “When you are on Facebook, and you let it all hang out, you are putting your reputation at risk.” Policy may be affected depending on the industry, the size of the company and the value of internal information.

Facing the future

How might users be affected in the long run? Academics have been early adopters of each internet technology from email onwards. Ellen Helsper says that academics are already being affected by increasing records of what they said in the past, and this could affect other groups of opinion-formers such as politicians: “It is really difficult to change your mind. If you’ve said something in a public setting, it will probably register somewhere,” she says.

Student union president Martin McCluskey is more sanguine. “I think it may be one of those things where we look back on in 20 years, and see it with more hindsight,” he says, pointing out that trawls through newspaper archives are hardly high technology.
However, few students, even from Oxford University, receive regular press coverage before graduation. Only time will tell if the Facebook generation is networked like none before – or whether it collectively wishes it had never put up those trashing pictures.

References

1) W Dutton and E Helsper, The Internet in Britain: 2007, Oxford Internet Institute: www.oii.ox.ac.uk/microsites/oxis
2) www.comscore.com/press/release.asp?press=1553
3) www.jisc.ac.uk/media/documents/publications/studentexpectations.pdf
4) Sophos’ advice on Facebook, privacy and productivity:
www.sophos.com/facebook
5) http://business.guardian.co.uk/story/0,,2131375,00.html

 

UNIVERSITY CHALLENGE: A GRADUATE WRITES
by Mike Simpson

The ease with which personal information can be obtained through ‘social networking’ sites such as MySpace and Facebook has become a major information security concern. To see just how easy it is, it was with a mixture of excitement and curiosity that I sat in the office of Oxfordshire-based penetration testing firm SecureTest with managing director Ken Munro and technical consultant Iain Lewis, trawling through cyberspace, trying to discover exactly how much information about me, Mike Simpson, is available for the world to see.

The only information they were given was my name and the knowledge that I had recently graduated. Getting started was slightly slow, since not having a particularly unusual name made the search process harder.

They suggested that FriendsReunited.co.uk is usually an ideal place to start, but that did not turn up anything valuable. However, after a few false starts and with a bit of guesswork and deduction (guessing the correct university), they quickly hit a rich seam of information.

Google turned up my band’s MySpace page, which is a mine of personal information about me and the other two band members. From this, they were able to determine exactly which degree I had completed, along with my hometown, and with one more click which linked to my personal MySpace page, they established date of birth, place of birth and the last three areas in which I have lived.

Minutes later, using the personal data website 192.com, they had found my home address and phone number. What astonished me was that compared to many of my peers I have very little personal information available on my page. Many of the personal profiles I have visited include mobile phone number, place of work and email as standard.

It is not just identity theft that is worrying users of these resources. Some of my peers, particularly the ones applying for career jobs, have taken to editing out information which may cast them in an unprofessional light to potential employers. Social networking sites are becoming more commonly used by employers looking to build a picture of job applicants.

It is little surprise that information security experts are becoming increasingly worried about the threat of identity theft through these resources. In minutes, Ken and Iain showed me how identity thieves could create a ‘bogus’ MySpace or Facebook account for one of my acquaintances. By copying and pasting personal information and photos from my friend’s original profile, the bogus account would look entirely convincing. Then – and this is the big danger – the thieves could communicate freely with any of his acquaintances such as myself [by sending friend requests], passing themselves off as him, and ask them for all manner of confidential information which could potentially be used for criminal gain.

Whether it is a question of naivety, innocence or thoughtlessness that so many personal details are displayed on these profiles is irrelevant. With identity theft on the rise, perhaps it is time for the social networks themselves to educate their users about the potential dangers out there.

 

What’s hot on Infosecurity Magazine?