Anticipating The Future of User Account Access Sharing

We might learn what the future holds for information technology by observing how teens use IT. After all, a decade or so from now, today’s teenagers will be consuming, influencing and creating a significant portion of IT products and services. In this note I’d like to consider how today’s use of shared user accounts among teens might influence our future access restriction practices.

User Account Access-Sharing Among Teens

A recent New York Times article by Matt Richtel discusses teens’ customs of “sharing their passwords to e-mail, Facebook and other accounts. Boyfriends and girlfriends sometimes even create identical passwords, and let each other read their private e-mails and texts.”

Exchanging something as intimate as logon credentials is a way of expressing affection for each other, Matt explains. This is also a way of expressing trust for each other, because of the potential for the person misusing access if the relationship goes sour. The article references Sam Biddle from Gizmodo, who called password-sharing “a lynchpin of intimacy in the 21st century.”

In a blog posting on this topic, danah boyd, who researches teenagers’ social media use, likens access sharing among teens to giving out one’s school locker combination to friends. She also references a study by Pew Internet & American Life Project, which found that “roughly one in three online teens (30%) reports sharing one of their passwords with a friend, boyfriend, or girlfriend.” Such practices are the result of “parental online safety norms,” says danah. She elaborates:

“With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over.”

User Account Access Sharing Among Adults

In reality, adults frequently share user account access as well, though our practices are tinted by the guilt of violating modern societal norms and corporate security policies:

• You might give our colleague a password to the accounting system, so she can perform business-critical duties while you’re on vacation.
• You might store shared Administrator account password in a spreadsheet on the internal IT team SharePoint site.
• You might borrow your spouse’s iPhone when running out for an errand, because you cannot find your own in the rush to leave.
• You might allow your friend to login to your Netflix account to share the joy of legal Internet movie streaming.
• You might be privy to our parents’ email account passwords, so you may help make sense of the data overwhelming their inboxes.

Implications for the Future of Information Access

Societal norms are continuing to adjust, as information systems gain a more profound presence in our lives. Teens are at the forefront of this change, because they have grown up in the world where computers, mobile devices and the Internet is everywhere. Their account-sharing practices, when compared to the limited but still significant sharing among adults, suggest that we’ll become more accepting of sharing account access.

What does this mean for information technology and security professionals? Nothing for the short-term horizon, as these changes will be gradual. But there will be an increasing need for tools, applications and policies that support shared access in a way that somehow provides an element of privacy or auditability. Here are a few examples of what we have today to illustrate that we are already moving in that direction:

• Gmail allows its users to delegate access to their email accounts.
• HTC’s Sense 4.0 phone supports Guest Mode, which restricts “what can be accessed if someone else is browsing their device.”
• Several password vault products support shared access to logon credentials in an enterprise environment.
• Facebook allows its users to recover forgotten passwords with the help of their friends.

What form will shared access controls take ten years from now? I don’t know, but I bet it will be more more elaborate and sophisticated than what we have today.

What learn more about the future from teenagers? Here are a few tips:

• Teens on Formspring Are Redefining Privacy Norms
• Learn the Future of Privacy and Social Interactions from Teens

— Lenny Zeltser

Learn the Future of Privacy and Social Interactions from Teens

Observing the rapid rate at which on-line social networking is taking over the world, I cannot help but feel that our perception of data privacy is changing. Some might declare privacy dead, but I think the situation is more complex than that. We might be experiencing a shift from a private by default to a public by default mentality, though we haven’t yet developed the societal norms to deal with this change.

Learning from Teenagers

We might learn what the future of data privacy may hold 15 years from now by understanding how teenagers see this topic today. After all, teens will will be playing increasingly important roles as they gradually turn into adults over the next decade or two. The behaviors they are developing now will have a strong affect on society when they grow up.

One of my favorite source of insights into the world of teenagers’ online social networking is the research conducted by danah boyd. The draft of a paper that she and Alice Marwick recently published offers a wealth of information on teens’ privacy attitudes, practices and strategies (PDF).

The paper defines privacy as “a social construct that reflects the values and norms of everyday people.” The values and norms of one generation differer from those of another. Our children are our future, to quote a song. We can project the future of social interactions and technologies that affect privacy by understanding the values and norms emerging among teens.

The Importance of Context

According to danah and Alice’s research, teens’ perception of privacy being violated depends greatly on the context within which information is shared. For instance, when educators attempted to teach students about privacy by showing during an assembly public photos from the teens’ Facebook profiles, the students were furious. “By taking the images out of context, the educators had violated students’ social norms and, thus, their sense of dignity, fairness, and respect.

Private by Default vs. Public by Default

The paper points out that until recently, communication protocols and technologies made it easier not to share information. Sharing information with a large audience historically required an effort, such as making a formal announcement in a medium that could reach the audience.

As the result, our social norms for exchanging information developed to support the notion of private by default. For instance, most adults assume that when having a one-one-one conversation, each party will not share the information with others unless explicit permission was granted. Those who violate this norm risk being labeled gossipers.

On-line social media is changing those norms, making content easily available to a mass audience without significant effort. As the result,

“Rather than choosing what to include or what to publicize, most teens think about what to exclude. They accept the public nature of information, which might not have been historically shared (perhaps because it was too mundane), but they carefully analyze what shouldn’t be shared. Disclosure is the default because participation—and, indeed, presence—is predicated on it.”

The Future of Data Privacy

Adults associate privacy with controlling what information is made public. Their perspective is that data is private by default. In contrast, teens seem to see privacy as controlling what information to omit from being public.

To support this public by default view of the online world, teenagers are organically developing elaborate societal norms and sensitivity to the context in which the information is shared. Understanding these dynamics may help us predict what the on-line—and perhaps the off-line—world will be like in the next decade or two.

Related:

• Teens on Formspring Are Redefining Privacy Norms
• Why On-line Social Identity and Reputation is a Big Deal

— Lenny Zeltser

Teens on Formspring Are Redefining Privacy Norms

I read about Formspring in the New York Times, which described the site as a “fast-growing social network that lets people ask each other personal questions and then has others answer them.” Doesn’t this sound like a goldmine of information for attackers? Having briefly toured the Formspring site, I’ve come to appreciate the changing norms of Internet privacy and confirmed that we’re headed for troubled waters.

Teens and Privacy on the Internet

What personal details are considered private on the Internet is rapidly changing. We increasingly reveal information about our jobs, families and interests on social networking sites, photo galleries, blogs, and so on. This means that on-line scammers have an increasing wealth of information to use for social engineering and password-reset attacks.

The group that’s truly influencing societal norms regarding privacy on the Internet is teenagers. They are using various public forums to exchange uncensored free-form banter without considering the long-term repercussions of having their conversations archived and searchable forever. As these teens grow up and take on professional personae, more personal information will be available about them than about the current generations of professionals on the web.

Formspring’s Questions and Answers

Unlike professionally-focused Q&A sites, such as Quora, Formspring encourages its users to ask and answer deeply personal questions. When a new user signs up, he is presented with a list of questions to “seed” his profile, such as:

• Who’s the most overrated musician?
• What video game have you played the most?
• What’s the furthest you’ve ever traveled?

By default, the answers the person provides are public. The user can change the privacy settings, but I suspect many people don’t even think about this.

Formspring users can search the site for other people using the “Find Friends” feature, which supports searching by username, email and name.

According to The New York Times, “20 million people have signed up for the site and nearly two billion answers to questions have been posted through the Web site.” As far as I could tell by randomly sampling a few public profiles and reading the Q&A streams, many—if not most—of the users are teens.

How Formspring Data Could Be Misused

An attacker can use the “Find Friends” feature to locate profiles of targeted individuals, or might create a script to mine data in bulk. Furthermore, the attacker doesn’t need to be a registered Formspring user to view public profiles, if he knows the victim’s Formspring username.

The collected details could be used to target people using social engineering techniques. Moreover, many of the questions answered by users of Formspring are similar to those used for resetting forgotten passwords. Here are a few examples from various public profiles:

Implications for Information Security

When designing security systems, we are making assumptions regarding personal details and related data that is only known to the user. For instance, many applications provide a secondary login mechanism by asking the person for “private” details, such as his favorite color, flower or restaurant. However, privacy norms are changing rapidly. What was once private will soon be public. We need to anticipate this change and adjust our security mechanisms in anticipation of the increased transparency of people’s once-personal information.

If you found this useful, take a look at my other posts related to social networking

— Lenny Zeltser