When you sign up to social media services, the information fields can sometimes be ridiculously extensive. So how safe is your data? The Electronic Frontier Foundation (EFF) recently released a report detailing the extent of encryption that a number of companies currently use. While not all of them are social media related, quite a few have been examined, including Facebook, Twitter, Google, LinkedIn, Tumblr, Myspace and Foursquare. See the interesting results in the EFF's graphic.
In October 2013, the Office of the Australian Information Commissioner (OAIC) released its privacy survey report (PDF), which noted that only 1 in 10 respondents trusted social media organisations with their personal information. It is interesting, then, that the EFF's findings do not entirely bear out those fears: the transport encryption practices of several of the larger social media sites are better than the survey respondents assume. There is, however, still significant scope to increase the protection of user data online.
For all the flak that Facebook receives over user privacy, it actually ranks highest among the social media services reviewed. It already uses all of the EFF's recommended encryption methods, or will shortly be implementing them. Twitter also rates quite highly, using all of the methods except STARTTLS, while Tumblr, and especially Myspace, lag significantly on the encryption front.
Surprisingly, LinkedIn does not appear to use any of them yet, but has 'plans' to deploy HTTPS by default, HSTS and forward secrecy in 2014.
So what exactly are these criteria? The five recommended encryption measures reviewed were:
- Encrypt links between datacentres: any company whose data moves between datacentres should encrypt all traffic on those links. A leased line or private fibre between sites is not private to anyone who can tap it, so inter-datacentre traffic needs the same protection as traffic from users.
- Enable HTTPS by default: companies should serve their entire website over Hypertext Transfer Protocol Secure (HTTPS) and redirect plain HTTP requests to it, so that the whole session, not just the login page, travels over an encrypted channel.
- Enable HTTP Strict Transport Security (HSTS): HSTS is a response header (Strict-Transport-Security) that tells the browser to reach the site only over HTTPS for a stated period. After the first visit, a later plain-HTTP link or a downgrade attempt is rewritten to HTTPS inside the browser before any request leaves the machine.
- Forward secrecy: a strong key is essential for encryption, but what if the key is compromised later? With forward secrecy (the ephemeral Diffie-Hellman key exchange used by the ECDHE and DHE cipher suites) each connection derives a fresh session key, so a later compromise of the server's long-term private key does not let an attacker decrypt traffic that was recorded earlier. Without it, anyone who captures the traffic and later obtains the server key can decrypt every session.
- Implement STARTTLS for email transfer: STARTTLS is an extension to the Simple Mail Transfer Protocol (SMTP) that upgrades a plaintext connection between mail servers to TLS. It is opportunistic: if the receiving server does not advertise it, or an attacker on the path strips the advertisement, the sender falls back to cleartext, so it protects mail in transit mainly against passive eavesdropping.
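Four of the five criteria can be checked from outside, and the script below does so. It is an added example written for this page, not code from the EFF report or from any of the companies mentioned: the pure functions evaluate observations you already hold (a plain-HTTP response, an HSTS header, the negotiated cipher suite, an SMTP EHLO reply), so they run offline on the constructed sample data, while probe() gathers the same observations from a live host using only the Python standard library. The hostnames in the sample data are made up, and the MX host is passed in because resolving MX records needs a library outside the standard one.

```python
"""Check a site against the EFF 'Encrypt the Web' criteria.
Added example, not code from the EFF report or the article: the pure
functions evaluate observations you already hold and run offline; probe()
gathers those observations from a live host. Hostnames below are made up."""
import http.client
import re
import smtplib
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass
class Observation:
    http_status: int               # status of a plain http:// GET
    http_location: Optional[str]   # its Location header
    hsts_header: Optional[str]     # Strict-Transport-Security on the https:// reply
    cipher_suite: Optional[str]    # suite negotiated on the https:// connection
    tls_version: Optional[str]     # "TLSv1.2", "TLSv1.3", ...
    smtp_ehlo: Optional[str]       # full multi-line EHLO reply from the MX

def https_by_default(status: int, location: Optional[str]) -> bool:
    """A plain http:// request must redirect straight to an https:// URL."""
    return status in (301, 302, 307, 308) and bool(location) \
        and location.lower().startswith("https://")

def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse Strict-Transport-Security; None if absent or unusable
    (max-age=0 tells browsers to forget the policy, so it counts as off)."""
    if not header:
        return None
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] > 0 else None

def cipher_has_forward_secrecy(cipher: Optional[str], tls_version: Optional[str]) -> bool:
    """True when the key exchange is ephemeral (EC)DH: every TLS 1.3 suite, or an
    older suite named ECDHE-/DHE- (OpenSSL) or TLS_ECDHE_/TLS_DHE_ (IANA).
    Static ECDH ("ECDH-RSA-...") and RSA key exchange ("AES128-SHA") are not."""
    if not cipher:
        return False
    if tls_version == "TLSv1.3":
        return True
    return re.match(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]", cipher, re.I) is not None

def smtp_offers_starttls(ehlo_reply: Optional[str]) -> bool:
    """STARTTLS must be advertised in the EHLO reply. It is opportunistic: an
    on-path attacker who strips the 250-STARTTLS line makes the sender fall
    back to cleartext, and this check cannot tell that has happened."""
    if not ehlo_reply:
        return False
    return any(re.match(r"^250[- ]STARTTLS\b", line.strip(), re.I)
               for line in ehlo_reply.splitlines())

def scorecard(obs: Observation) -> dict:
    """The five criteria; datacentre-link encryption is only visible from
    inside the company, so it is reported as None (unknown)."""
    return {
        "datacentre_links_encrypted": None,
        "https_by_default": https_by_default(obs.http_status, obs.http_location),
        "hsts": parse_hsts(obs.hsts_header) is not None,
        "forward_secrecy": cipher_has_forward_secrecy(obs.cipher_suite, obs.tls_version),
        "starttls": smtp_offers_starttls(obs.smtp_ehlo),
    }

def probe(host: str, mx_host: Optional[str] = None, timeout: float = 10) -> Observation:
    """Collect the observations from a live host (needs network access)."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/")
    reply = plain.getresponse()
    status, location = reply.status, reply.getheader("Location")
    plain.close()
    secure = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                         context=ssl.create_default_context())
    secure.connect()
    cipher, version, _bits = secure.sock.cipher()  # read before the response can close the socket
    secure.request("GET", "/")
    hsts = secure.getresponse().getheader("Strict-Transport-Security")
    secure.close()
    ehlo = None
    if mx_host:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            _code, msg = smtp.ehlo()  # smtplib strips the "250-" prefixes; restore them
            ehlo = "\n".join("250-" + l for l in msg.decode(errors="replace").splitlines())
    return Observation(status, location, hsts, cipher, version, ehlo)

# Constructed sample observations for two made-up hosts.
GOOD = Observation(301, "https://social.example/", "max-age=31536000; includeSubDomains; preload",
                   "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2",
                   "250-mx.social.example\n250-STARTTLS\n250 8BITMIME")
WEAK = Observation(200, None, None, "AES128-SHA", "TLSv1.0", "250-mx.weak.example\n250 8BITMIME")
```

Run `scorecard(GOOD)` and `scorecard(WEAK)` to see the two sample hosts pass and fail every external check, or `scorecard(probe("www.example.org", "mx.example.org"))` against a real site and its mail exchanger. The forward secrecy test deliberately looks only at the key exchange part of the suite name, since that is what decides whether a leaked server key exposes old traffic; the symmetric cipher after it is a separate question.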
Overall, the report aims to have these methods adopted in order to raise the standard of data encryption protecting users. Kurt Opsahl, a senior staff attorney with the EFF, says: "We want to use this as a positive encouragement where if companies see other folks getting good reports, they may want to apply more."
“They understand their customers want privacy and security, and are willing to deploy additional measures to ensure crypto is in place against a wide variety of attack vectors,” Opsahl said. “This helps their customers feel more secure about their data.”
Ideally, user data entered online would always remain secure. The EFF's efforts to apply industry pressure to improve user privacy online, and to establish best practices around data security, are definitely a step in the right direction.