Facebook “Likes”

If you have been on Facebook at all, you have been faced with the option to “like” a product, service, or business. You might select to “like” it to make a statement of support. More likely you selected “like” in order to get messages from the organization on your Facebook feed, or to register for a contest or coupons or the like. If you are like most of us, you do not think much more about the action.

Facebook, and corporations that would like to advertise on Facebook, however, think a great deal about that click. We all know that the organization will send us information on our feed about the product or service, and that by clicking we open ourselves to advertising. Facebook and the organizations that advertise want to achieve much more with this information. This additional use is the source of a lawsuit in California claiming that Facebook and certain advertisers use the information without paying users or giving them a way to opt out. According to an article in the New York Times,

The case focuses on an advertising tactic known as sponsored stories, in which Facebook users endorse brands, in some cases without their knowledge. For example, if users “like” Wal-Mart, the retailer uses their names and pictures in advertisements to their friends on the social network. Wal-Mart pays Facebook for the service.

In other words, they use your image and the fact that you “liked” the organization to advertise to your Facebook friends and even to others who may not know you over Facebook. Think how much stronger advertising can be if they say “John Smith, Mary Jones and Ken Anderston all like this product.” It is an endorsement. Perhaps your “liking” had nothing to do with an endorsement … maybe it was just a way of getting information about a product — or even a competitor’s product. It could be misleading to say you are advocating the organization, and might be downright wrong to say you are. Hence, the California law.

Senate Bill 2105: Cybersecurity Act of 2012

On Valentine’s Day, four Senators introduced Senate Bill 2105, which is also known as the Cybersecurity Act of 2012.  If you would like to read the bill as it was introduced, it is available in full as presented.   If passed, this law would authorize the Federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems and susceptible to being hacked.  This includes electrical power grids, telecommunications networks, air traffic control systems, dams, and nuclear power plants.  Said differently, this would allow the Federal government to have security standards, to assess a company’s compliance, and to levy fines if the security is not sufficiently high.

Last week, the Wall Street Journal reported that a group of Senators has weakened the bipartisan legislation. They responded to business lobbyists who claimed that such “regulations would create a costly and cumbersome process.” Rather than being required to meet these regulations, companies should be encouraged to do so. According to Senator John McCain, “Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”

I am perplexed as to why Senator McCain, who has a strong record on National Security, would take this stand … unless he does not really understand the real and present threat of such an attack. Consider the number of companies in the last few months that have reported a security breach. Sometimes the breach provides thieves with passwords, which can be problematic enough, but sometimes instead it is Social Security numbers, bank accounts and more personal information. The people whose identities are stolen have a never-ending hassle to fix the problem. Many companies do not take security as seriously as they should. Even when security is a priority, the companies have a significant task keeping a step ahead of the hackers.

Now, take that up to a regional or national level. Suppose the U.S. had no access to electricity or telecommunications equipment. Suppose this is not for a couple of hours as you might get in a thunderstorm, but rather for an extended period of time. What would that do to the company’s productivity? What if it happened during peak holiday shopping and no one could buy gifts or food? What if it happened on election day and half the people were not able to vote? What if … there are many horrible examples.

We have already proven this can happen. Well, it is unclear whether “we” proved it or someone else proved it by the introduction of the Stuxnet virus into Iran’s nuclear reactor. Not only did it stop operations, but it did so in a way that damaged the plant and rolled back their development. Other similar viruses, aimed at the “Internet of Things” (such as a power plant), have also been identified.

People release viruses all the time — sometimes without even knowing the impact of what they have done.   Why do we believe it won’t happen here?  Personally I think it is because people just do not understand technology and what security breaches can do.   They understand bombs or people shooting guns and know how to respond.  But electrons?  It is easy to listen to those claiming to be experts and follow their advice.

I hope we get the legislation.  I hope that it is flexible enough to be able to adapt to the rapid changes in technology.  I hope we can find a way to protect ourselves before it is too late.  If you agree, please share your concern with your Senators and Representatives.

 

A postnote:  Even weakened, the bill failed.  Too many people thought telling infrastructure companies that they need to be secure was a problem.  Sigh.