The Principle of TMI
Tuesday, October 5, 2010 at 02:40PM

In the world of information security, two of the guiding principles are those of “least privilege and need to know,” or in texting terms, “TMI.” At first glance, the basic concept seems sound, but few really seem to grasp the deeper meaning in our digital world. I discovered this over the last few months while I was involved in writing policies and guidelines on information security for a large financial organization.
I can’t tell you how many times I’ve had to shake my head and wonder, “do I really need to spell this out for people?”
Unfortunately, the answer is a resounding yes, and with the advent of social media, it is a cry from the Temple Mount accompanied by a good ol’ slap upside the head that seems to be required.
First, let me explain the basic meaning of these principles. In a nutshell, they mean nobody gets nothin’ for no reason. The Hollywood gangster version is, “I could tell ya, but I’d have to kill ya,” which has a lot fewer double negatives and provides the appropriate, albeit not politically correct, threat level.
Okay, so it’s not quite that drastic, but these basic principles are what allow us to sleep at night knowing that the information we divulged to our local banker or government agency isn’t being misappropriated. Or closer to home, that nosey, gossiping Sally who works at the bank or the license office in our small town can’t just snoop at our records on a whim and then spill at her next book club meeting.
Case in point from recent news: the Ohio Department of Public Safety issued an apology to American Idol runner-up Crystal Bowersox after several employees decided to snoop through her government records, apparently for no reason other than curiosity.
The snoopy Sallies had access to a database that contained not just Crystal’s records, but those of most of Ohio’s drivers, taxpayers and citizens. They had this access possibly for a number of reasons, including: they required access to do their job; they sometimes needed access to do someone else’s job; everyone has the same access, so why not them; no one knew they had this access because access permissions aren’t tracked; no one considered that someone from Ohio would rise to the level of being snoop-worthy, so they gave everyone access to everything.
Okay, the last reason is tongue in cheek. I’ll go on record to say that Crystal should have won, that she’s better off not having won, and that I don’t think she should have let them fix her tooth or wear that hideous dress. Nuff said on that, but realize that this is not an isolated incident.
Every organization that gathers and stores your private information has a responsibility to protect it. We all blindly count on these behemoths to do the right thing, but all the policies in the world cannot overcome human fallibility combined with the nosey town gossip. More importantly, while expecting these firms to protect this information, too many people are unwittingly giving it all away on social media without considering the consequences.
So back to the principle; as I mentioned, over the last few months, I’ve been involved in writing guidance on the use of Social Media for a large company. Big companies and government agencies have lots and lots of rules. But many of them are firmly rooted in the principle of what your grandma should have taught you about keeping things to yourself.
Once upon a time, in those halcyon days of yore before Oprah, Jerry Springer and Survivor, people kept pretty much to themselves when it came to personal things like money and sex. We drew a safety zone around our private lives and kept most everyone outside the zone except for a few entitled and trusted compatriots. There was a time when we didn’t know everyone’s salary or the price of their house or car or who was doing who when and where.
In our Facebook world, people feel the need to “share” everything with everyone. And, now that even the most serious media networks have stooped to the level of the National Enquirer, nothing is sacred as everyone uses social media to reach for the 15 minutes of fame they feel they deserve—no matter how tawdry the story. Thanks to social media, everyone has access to their own reality show, and it doesn't take long for the chairs to start flying and the mobs to form. As a society, we long ago jumped the shark.
What I wouldn’t give to see Paris Hilton or Lindsay Lohan adopt a Garbo-esque approach to fame. In the early days of Hollywood, great stars maintained an air of secrecy that made them all the more mysterious and desirable. The studios carefully crafted and controlled the image of their best stars to protect their investment. There was a time, after the death of Rock Hudson from AIDS-related complications and the release of Mommie Dearest, when society recoiled from the fake images. We wanted the raw truth.
Well, be careful what you ask for. Now, thanks to the paparazzi and Twitter, we not only get to see the truth, but we also must roll around in the mud with them as they lurch from driving drunk to expletive-laced racist tirades to incalculable sex scandals.
And that brings me back to the principles of least privilege and need to know. Maybe we all need to exercise this in our daily life. My father taught me that perfume should be subtle so that only those close enough get a hint of scent, and those who are interested, lean in for more. What if we did that with the details of our lives? Would it be so bad if everyone on Facebook did not know what I ate for lunch or what a deal I got at Walmart—or that I shop at Walmart for that matter (which I don’t)?
Companies rely on these principles to protect the confidentiality of information, and they do it to keep our identity and our money safe from criminals. It’s a firing offence to willingly thwart these principles. But, while they are working hard to keep information safe in one area, their clients are creating enormous personal security breaches all over the web.
Social media is a treasure trove of information for the criminal element. GPS-enabled cameras and camera phones broadcast the location of the pictures we post. So yes, from that picture you posted of your child on the front lawn of your house, a wily predator can use the metadata embedded in the picture to determine where you live. And if they follow the bouncing ball on your Facebook account through your friends and updates and links, they can approach your child with a pretty compelling “I’m a friend of mommy” story.
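To make the location leak concrete, here is an added example (my own illustration, not code from the original post): it builds a constructed minimal JPEG whose Exif block carries a GPS IFD pointer, detects that pointer the way a pre-upload check would, and strips the Exif and IPTC segments so the file can be posted without the location. The sample image bytes are constructed, not a real photo.

```python
import struct

def build_sample_jpeg() -> bytes:
    """Constructed sample (not a real photo): minimal JPEG whose Exif IFD0 points to a GPS IFD."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                                   # little-endian TIFF header
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", 0x8825, 4, 1, 26) + b"\x00" * 4  # GPSInfo -> offset 26
    gps = struct.pack("<H", 1) + struct.pack("<HHI", 0, 1, 4) + b"\x02\x03\x00\x00" + b"\x00" * 4  # GPSVersionID
    exif = b"Exif\x00\x00" + tiff + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + b"\x00" * 4 + b"\xff\xd9"

def iter_segments(data: bytes):
    """Yield (marker, start, end) for each JPEG marker segment; the SOS segment swallows the rest."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                       # start of scan: compressed image data follows
            yield marker, pos, len(data)
            return
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, end
        pos = end

def has_gps_ifd(app1_payload: bytes) -> bool:
    """True if an Exif APP1 payload's IFD0 carries a GPSInfo pointer (tag 0x8825)."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = app1_payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    tags = (struct.unpack(endian + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])[0] for i in range(count))
    return 0x8825 in tags

def photo_has_location(data: bytes) -> bool:
    """Pre-upload check: does any Exif segment point to GPS data?"""
    return any(m == 0xE1 and has_gps_ifd(data[s + 4:e]) for m, s, e in iter_segments(data))

def strip_metadata(data: bytes) -> bytes:
    """Drop APP1 (Exif/XMP, incl. GPS) and APP13 (IPTC) segments; keep the image data byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if marker not in (0xE1, 0xED):
            out += data[start:end]
    return bytes(out)
```

Some sites strip this metadata on upload and some do not, so the check belongs on your side before posting; PNG and HEIC carry location in other containers that this JPEG-only parser does not cover.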
Social media sites and digital devices put the onus on the user to understand and properly apply the privacy settings. In other words, it is your responsibility to secure your information and protect yourself and your family online. Most do not understand their responsibility in this equation. They are relying on big brother, but big brother isn’t there. Big brother is a 26-year-old billionaire and the star of a movie.
Let’s take a simple example like passwords. At this very moment, I am willing to bet that most people reading this are using at least one password that can be easily found on more than one of their social media sites. It might be a composite of their kids’ names, a birthday, an anniversary, a pet, or even a favourite team. But it’s there for all to see. I am also willing to bet that many reading this are using the same password on a multitude of sites and don’t change it very often, if at all. Don’t even get me started on complexity and length.
We expect our bank, insurance company, school et al. to do everything possible to protect our information, while at the same time we are swinging around the web with our pants down and our bank books hanging out. Consider people who announce their vacation on the same site where they post their full name and hometown. Think about that. Every time you post an update on social media, you are not talking only to your close pals. Imagine instead an audience of criminals and cretins drooling over the innocent details of your life. They are there. And if you think they aren’t, you are kidding yourself.
Implement the principle of least privilege and need to know in your online interactions. Implement it in your life and teach your family to do the same. The truth is that no one really needs to know that much about you, but they are more than willing to roll around in it if you choose to share. No one other than your closest friends will tell you that you have toilet paper on your shoe, but they will post it on YouTube for everyone in the world to view. Think about it.
Watch this video to learn a little something about creating complex passwords. It’s a first step in protecting yourself from…well… you. Good night and good luck.
Reader Comments (3)
I probably should have called this TMI for Dummies.
This is a great piece. There is an insidious slide in things like FB that makes people forget just how many people might have access, forever. Well, forever or May 21, 2011, whichever comes first.
And, no, it's not for Dummies. Everyone can push along and say 'yeah, I know that', but we get fuzzy around the edges, especially at work. When I read that online shopping peaks on a Wednesday afternoon (apparently, Hump Day inspires people to reward themselves with splurges at LL Bean or Victoria's Secret), I realized some secrets only seem secret once they are known.
Good reminder. Thank you.
JK, I agree with everything you say here. I don't go on Facebook or much of anything else, except for the site where I first encountered you and a couple of other places, like Guardian Universal and Smartasssesonline; none of them has any relevant information about me or whence I come. Even the e-mail addresses are blind alleys with misleading or deliberately irrelevant information. I plan to keep it that way.
Further to your thoughts, I saw a brief mention in one of the area's weekly newspapers that said the police are now using Facebook to encourage tips for Crimestoppers. If anyone had an ounce of sense, they wouldn't trust the integrity of the cops OR the integrity of Facebook to "anonymously" submit a tip. Me? I'd flag down a copper on the street and tell him/her what's going on. And then disappear. I wouldn't even do it by telephone, because of call display.
Yeah, I'm paranoid. But I know only too well the problems of privacy invasion. Lord knows, I did enough of it.