Staking a Claim in Social Media

This week I had a call from a lawyer who said that social media accounts in the name of one of their clients had been created and were being used for malicious purposes.  They wanted to know what they could do about it.

When deploying security controls we need to consider prevention, detection and response, and this case is no different.

Prevention.

There are a significant number of people - many of them in very senior roles - who wear as a badge of honour that they don't have any social media accounts.  Saying "I don't understand this new-fangled social media" may sound reasonable today, but 100 years ago the same people would have been saying "I don't understand this new-fangled electricity", and then gone on to sink their fortunes into steam power.

I'm not suggesting that everyone become Facebook addicts.  However I am definitely recommending that all companies and anyone with a senior role go out and register accounts on all of the major social media sites, as a prevention against anyone else doing it in their name.  There is no validation of who registers an account, and due to an interesting bootstrapping problem it really is impossible for the social media providers to confirm the identities.  Twitter's blue tick isn't the answer.

We did this with domain names a decade ago, and we have to do it all over again with social media now.

Detection.

Search for yourself on the search engine of your choice.  While it might be vanity, it also will allow you to determine if anyone else is pretending to be you.  Most of the major search engines allow you to set up alerts on new pages that they find with a given term, and you can use this as a detection mechanism against imposters.

This may be practical if you have a distinctive name, but is going to be quite difficult for the John Smiths of the world.  Even my name isn't unique in my own city, so getting in first and registering early becomes very important.

Response.

If and when someone does register a social media account in your name, there are a limited number of things that can be done about it.  It is always possible that they really do have the same name as you, and you got in late, in which case unless they are committing fraud by pretending to be you specifically you have no comeback.  Consult your lawyer on defamation laws in your jurisdiction as your only response.

Just like the domain squatters of the last decade, we now have social media squatters.  They can be dealt with in similar ways: (a) pay them what they ask to get the identity back; (b) raise a complaint with the social media provider; or (c) call the lawyers.  The difference here is that the social media providers are for profit companies, rather than not for profit organisations, and they don't have the same social responsibilities.

Ironic, isn't it.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com