Latest news
Facebook and Google+ are prime targets for easy attacks
Posted on 03 December 2012.
The law created to protect children's online privacy actually increases risk, according to new research from Polytechnic Institute of New York University (NYU-Poly).
The researchers found the Children's Online Privacy Protection Act (COPPA), enacted to protect the privacy of children under the age of 13, indirectly puts their privacy at risk because some children lie about their ages when registering on social media sites.
To protect children's privacy, online social networks – such as Facebook and Google+ – take additional precautions such as not listing minors in searches of a high school or city and displaying only minimal information in minors' public profiles no matter how they configure their privacy settings.
In order to bypass these restrictions and join a social media site, children under 13 will sometimes lie about their ages, often saying they are over 18 years of age. The social network will then consider them adults and no longer take special precautions to protect their privacy.
By gathering and statistically processing the friend lists of these lying minors, the research team showed that it is possible to find most of the students in any target high school – including those registered truthfully – and create detailed profiles of them. The analysis strongly suggests there would be significantly less privacy leakage to third parties without the COPPA law.
The NYU-Poly Department of Computer Science and Engineering research team led by Professor Keith Ross, the Leonard J. Shustek Professor of Computer Science, with doctoral students Ratan Dey and Yuan Ding, found that by using Facebook – with modest online crawling, computational resources and simple data-mining practices – an attacker can create extensive profiles of most of the minors in any target high school.
These profiles include full name, hometown, high school, grade and profile picture, and for many students much more. This amounts to significantly more information than what is available in a minor's public profile on Facebook.
To demonstrate the attack, the researchers applied it to three high schools in different regions of the United States. An attacker could use such profiles for many nefarious purposes, including selling the profiles to data brokers, large-scale automated spearphishing attacks on vulnerable minors, as well as physical safety threats such as stalking, kidnapping and arranging meetings.
The NYU-Poly researchers calculated how much privacy leakage there would be with and without the COPPA law. The results suggest that an attacker can discover significantly more minors and build more extensive profiles than what would be the case without COPPA.
"The problem with the COPPA law is that it introduces an incentive for minors to lie about their age," Ross said. "Lying about their age not only puts their own privacy at risk, but those of other minors who do not lie. However, there are solutions that both the federal government and Internet services can implement independently or together to make online social networks safer for young users."
One possible solution is to repeal the law. But Ross said social media sites could also significantly improve children's privacy by disabling the friend reverse-lookup feature, by which a user who hides her friend list can still be discovered on a friend's page.
"It is also important that parents assess the privacy risks of their children in light of this new study," Ross said. "Children need to know that, just as in the physical world, the actions of their virtual friends affect them."
The researchers found the Children's Online Privacy Protection Act (COPPA), enacted to protect the privacy of children under the age of 13, indirectly puts their privacy at risk because some children lie about their ages when registering on social media sites.
To protect children's privacy, online social networks – such as Facebook and Google+ – take additional precautions such as not listing minors in searches of a high school or city and displaying only minimal information in minors' public profiles no matter how they configure their privacy settings.
In order to bypass these restrictions and join a social media site, children under 13 will sometimes lie about their ages, often saying they are over 18 years of age. The social network will then consider them adults and no longer take special precautions to protect their privacy.
By gathering and statistically processing the friend lists of these lying minors, the research team showed that it is possible to find most of the students in any target high school – including those registered truthfully – and create detailed profiles of them. The analysis strongly suggests there would be significantly less privacy leakage to third parties without the COPPA law.
The NYU-Poly Department of Computer Science and Engineering research team led by Professor Keith Ross, the Leonard J. Shustek Professor of Computer Science, with doctoral students Ratan Dey and Yuan Ding, found that by using Facebook – with modest online crawling, computational resources and simple data-mining practices – an attacker can create extensive profiles of most of the minors in any target high school.
These profiles include full name, hometown, high school, grade and profile picture, and for many students much more. This amounts to significantly more information than what is available in a minor's public profile on Facebook.
To demonstrate the attack, the researchers applied it to three high schools in different regions of the United States. An attacker could use such profiles for many nefarious purposes, including selling the profiles to data brokers, large-scale automated spearphishing attacks on vulnerable minors, as well as physical safety threats such as stalking, kidnapping and arranging meetings.
The NYU-Poly researchers calculated how much privacy leakage there would be with and without the COPPA law. The results suggest that an attacker can discover significantly more minors and build more extensive profiles than what would be the case without COPPA.
"The problem with the COPPA law is that it introduces an incentive for minors to lie about their age," Ross said. "Lying about their age not only puts their own privacy at risk, but those of other minors who do not lie. However, there are solutions that both the federal government and Internet services can implement independently or together to make online social networks safer for young users."
One possible solution is to repeal the law. But Ross said social media sites could also significantly improve children's privacy by disabling the friend reverse-lookup feature, by which a user who hides her friend list can still be discovered on a friend's page.
"It is also important that parents assess the privacy risks of their children in light of this new study," Ross said. "Children need to know that, just as in the physical world, the actions of their virtual friends affect them."
Spotlight
The security of WordPress plugins
Posted on 18 June 2013. | Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
