How Many Security and Privacy Mistakes Are You Making in Social Media?


Not all that long ago Seattle’s Social Media Club held their June event and invited Christopher Burgess to speak. Christopher is a security expert and is very knowledgeable about security’s impact on the online world, especially in regards to social media. You can read the recap of the social media security event later, but now I wanted to follow up with him and ask a few questions as a social media professional. He was kind enough to oblige, and I felt as if this were an appropriate place to share our conversation. Thank you, Christopher, for being so willing and generous in sharing your expertise!

What are the biggest privacy and/or security concerns you see currently ignored by the vast majority of participants in social media?

Great question, Kristy. Of those I see (and I recognize that I am seeing but a drop of water in the ocean of social media), the number one privacy/security concern is individuals providing an unnecessary level of personal detail in their profiles and then not locking down those details so that they are restricted to specific individuals or sets of individuals. You don’t know who is reading the information or how it may be used by that reader, so I urge caution in “oversharing.”

What responsibility do social media professionals have to their brand’s customers in educating them of privacy concerns?

I think the SM pros who are engaging with their customers have to ensure that their interaction is transparent. What I mean by this: if you are requesting information from the customer, then you are obliged to educate the customer as to how the information is going to be used. In addition, the customer should have the expectation that if the ground rules they agreed to, which formed the basis for sharing their information, change, then the customer should absolutely be given the opportunity to re-evaluate the equation and opt out.

What type of boundaries, if any, do you think brands should have when it comes to the usage of opt-in availability of personal information from brands’ SM connections?

This somewhat depends upon your industry. If you are involved in a regulated industry, then some of your parameters are provided to you by those regulations. If you aren’t, then I think that your direct engagement needs to ensure that the customer understands what clicking the opt-in button really means. For example, I regularly read and download white papers on topics which came to my attention via the Twitter stream.

Standard practice is to fill out a profile page prior to being provided access to the white paper. If the profile page asks for information which goes beyond basic name, position, company and contact data, I walk: they don’t need my birthdate or my home telephone number. I assume, and thus am comfortable, that the brand will use this information as a metric (this tweet brought this individual, who meets this demographic, to our white paper) and then measure whether or not a follow-up is worthwhile.

With the ever changing social permissions landscape, how do you best advise both participants in social media as well as social media professionals to stay abreast of the wide variety of privacy concerns that are likely to arise?

This question has three aspects of import.

1. If you, the brand, are changing your privacy processes, you should expect that not all of your clients will be in agreement with the new status quo (even if they all end up being pleased), and you should solicit a positive reaffirmation of the changes to what the client had previously agreed. In this manner, the client should never feel like the brand has blind-sided them and gone back on their word.

2. With respect to keeping abreast of changes in legal requirements, both in the United States and Europe, I recommend dedicating a research stream to the FTC and EU privacy entities, which regularly publish updates and opinions. Whenever a governmental or quasi-governmental entity is going to make a decision, it is rare if public opinion is not solicited. I urge participation in the discussion, as every voice has a place.

3. Then there is the social media professional giving advice to their business clients on their social media strategy, etc. I advocate that you, as the one sharing expertise, owe it to your client to make sure the client fully understands what the privacy policies they project to their customers/clients are saying. Nothing is worse than having a privacy statement which is neither followed nor enforced internally.

Social media professionals who represent brands often balance the representation of their brands with their own professional representation in the space. How do you recommend they protect their own privacy in respect to their relationship with the brand?

I speak to creating voice compartments with clear differentiation. So let’s use me as the example. I use Twitter; for those of you who follow me on Twitter, you know that while I will engage with others’ topics, my topic origination falls within the realm of three social issues which are my personal passions: online safety for families (young and elderly focus), hunger, and human trafficking (slavery).

It is no secret that I work for a large corporation, but my Twitter persona isn’t focused on my day job, though I may from time to time mention something about my employer. When I do, I always let it be known that I may have a bias, with a Nota Bene (NB: I work at ….). Similarly, I use LinkedIn for my professional interaction: I push my professional position with my employer to the front, and I highlight my online safety work within the LinkedIn environment, as it is consistent with my employ. Facebook is for family and friends, as that is my personal space. Does this work for everyone? Probably not, but it works for me.

Now to the second part of the question: should brands have their personnel using their own names or using the brand? I advocate doing both. If you are speaking for the brand, it should be the brand speaking (@acmeinSM); in this manner, you can scale if necessary and don’t have to adjust if your SM spokesperson gets promoted or moves to a different position. You can highlight in the profiles who the individuals doing the speaking are, if you like. I believe transparency is key. I know that I like to know that there is an individual behind the brand, but I also understand that there may be more than one individual.

An additional area to keep an eye on is the endorsement aspects of social media: “I like this” or “I visit this.” Think about those check-in games with respect to geolocation/location-based services. If you check in at a competitor’s establishment, what does that say to your employer? Similarly, if you read a review of a product and give it a high-five, and it’s your employer’s product, I’m thinking it makes sense to make it clear you are an employee and not to project a perception of stuffing the metrics.

As a security professional, what are some effective ways you have found to communicate privacy concerns to people who are not always as web savvy as those of us who work in the space? For example, how might I want to tell my mom/aunt/grandma NOT to use Facebook Connect on a given site?

First, I need to say I am not familiar with how the mechanics (what’s behind the user interface) work for Facebook Connect. But I get the gist of your question and recognize it as a tough one. Recognize that each individual processes differently. I think a good start might be using analogies between the online and the physical world. Take for example filling out the user profile: coach them to NOT put their address in the fields, as there isn’t going to be anything coming their way. Why?

Do you walk around town with your name and address on the back of your blazer? It’s as if you are doing so if you don’t control your profile. Do 500 million people need to know where you live and your likes and dislikes? Probably not. But perhaps your family and friends do. I also think one needs to define “friend.” Prior to online, the word friend may have had a different connotation to different folks; for me, a friend implies trust, while for others it may only signify the exchange of a business card or a Twitter exchange.

As social media professionals, we find ourselves testing lots of new tools. Many of these today include options such as ‘Facebook Connect’ and ‘Twitter OAuth’ linking our accounts. How do you recommend these individuals keep track of their privacy settings and permissions?

As they say at the carnival midway, step up, step up and take your chance. That is exactly what we do when we cross-authorize to sites we want to try and use. Recognize that some of these entities will go toes-up and others will thrive. Similarly, some will have thought about and integrated security up front and throughout, and others couldn’t spell it if you spotted them eight letters. I recommend you keep track of who, what and when you authorize; go back and check; and, as troublesome as it may be, change your passwords on a regular, intermittent basis.

About Christopher:
Christopher Burgess resides in Woodinville, WA. He is an author/speaker on intellectual property, intelligence, security, safety, education and awareness, with a particular passion for the online protection and safety of the young, the elderly and our families. He is a regular contributor to the Huffington Post, CSO Online and MomsMaterial, as well as his personal blog, where he notes “I speak from the heart and shine light upon the many safety, security and humanitarian issues,” which can be read at . Christopher is also the Senior Security Advisor to a Fortune 100 company. Christopher can be found on Twitter at @BurgessCT.

