The recent outing on Facebook of the new head of Britain’s Secret Intelligence Service, known as MI6, may not have all the makings of a spy thriller.
But the blunder still has security observers in an uproar — and critics pointing fingers at both the new spy chief, Sir John Sawers, and at the popular social networking site.
“Senior politicians said the security lapse raised serious doubts about Sir John’s suitability to head the intelligence service — and raised questions over whether an outsider should have been appointed to such a sensitive role,” thundered the conservative UK newspaper The Mail in a report on Sunday that detailed how the MI6 appointee’s wife had posted family photos, personal information, and links to friends on her Facebook page.
The Facebook page of Lady Shelley Sawers — now since removed — also linked to a relative with ties to controversial right-wing historian David Irving.
Despite revealing the spymaster’s friends, family members and details of where the couple lives to the site’s public “London” group, security may not be the real issue. After all, the BBC had already published an announcement that Sawers would be the new MI6 chief, complete with photo.
Instead, the real issue for some is that far too many enterprises — and even critical government entities — have no rules for the use of social networks, or are unable to convey those rules to new hires.
Those organizations that do have such rules rarely base them on facts. “Yesterday, I spoke with an organization that was stipulating in their policy that employees could spend no more than 15 minutes per day on social networks,” Gartner vice president Anthony Bradley wrote in a blog entry. “A different company last week had verbiage in their draft policy that set a 30 percent social computing limit on employee time. In both cases, I asked the how they arrived at those blanket numbers. They were arbitrary.”
“Guidance on how to participate and behave when participating (positive as well as negative) in the social Web is appropriate and necessary,” Bradley added in his post, titled “Substituting Social Software Policy for Good Management.”
Not all government entities are unprepared. The official Facebook blog highlights the use of Facebook by the U.S. Army as a tool to help keep families together.
Could Facebook help?
Sophos security researcher Graham Cluley wrote in his blog that Facebook must share the blame.
“No, the bigger issue here is something we have talked about before: Facebook users joining geographic networks and not properly checking their privacy settings afterwards,” he wrote. “When Sophos investigated this problem before, we found that that a staggering 75 percent of people in the Facebook London group allow their profiles to be viewed by any other member, regardless of whether or not they have agreed to be friends.”
Facebook is addressing the issue. It recently changed the way privacy settings work and says it is giving users more control over their privacy.
“Facebook has led in providing granular privacy controls and we strongly encourage people to use them,” a Facebook spokesperson told InternetNews.com in an e-mail.
She added that Facebook has announced in a blog post that it will soon be removing the regional networks feature.
For the meantime, at least, steps are being taken to mitigate the damage.
“Users … need to take more care over who they share their personal information with,” Cluley wrote. “Lady Shelley Sawers certainly seems to have learnt that lesson. All traces of her account on Facebook have disappeared following the newspaper investigation.”