An Aging Security And Governance Geek Muses On Facebook's '25 Things' MemeAn Aging Security And Governance Geek Muses On Facebook's '25 Things' Meme

My buddy Ariel asked me whether my usual security paranoia reared its ugly head about posting "25 random things about me" to Facebook. This is one of those viral concepts that has blown through FB like the Melissa virus.It's like one of those chain letters that we used to throw people off of the system for forwarding to ALL.

So, shouldn't I be paranoid, and how the hell did an ex email admin fall for this stuff? Well, it's complicated. There are three factors that play into this: an awareness of how information is collected by marketroids outside of FB; an evolution of how I look at security; and what I think is a cultural shift of what ought to be private.

First, I think that most of us who work with info tech probably understand that, way beyond any "I like cats" assertions that you may post to FB, "they" are tracking your every move. The canonical example of this is Google, which quietly both offers a superior search experience and a comprehensive tracking mechanism for your mom and her Internet habits. The marketing industry has taken note of both this and the backlash against PC-based "spyware". We can all rest assured that the marketing industry has deployed and will continue to deploy very low key information gathering techniques to track your actions and preferences. And, even my luddite friend Ariel will agree to it. After all, Google's the easiest search in town. And that nifty-keen Google Maps app on your iPhone makes things so convenient that even I use it. (Ohhhh, so that's where Feldmonsters eat, or play, or drive to.) A quick look at software end user license agreements confirms this: your quick "yeah yeah yeah, yada yada yada" click-through can agree to all sorts of virtual proctological exams. My son plays World of Warcraft (ok, I've played too, but I didn't inhale), and you should look at THAT license agreement, which not only changes all the time, and forces you to agree prior to allowing you to play, but also allows Blizzard Entertainment to do pretty much anything they want to your PC in the name of preventing cheating.

Surveillance of your personal info isn't limited to smart phones, PCs, or even what we traditionally think of as info tech. Regular mobile phones and that "discount" card at the grocery and pharmacy all have quiet benefits that you can't live without, while all while quietly providing the industry a massive database about your condom-buying habits. Compared to this, Facebook is mild. While some of my buddies would compare FB to food & medicine, I continue to gamely assert: you don't have to use it. Really. Be right back, I have to log a status update!

I've also evolved in how I look at security and privacy. I used to demand lockdown everywhere, but that gets expensive and inconvenient. One bank president that I worked with had a great expression that encapsulated risk management: "you don't want to spend $5 on protecting a dollar."

There's also the relevant notion of "attack surface". If you've dealt with any network architecture or code design, you'll know this as the concept of what systems, data, and interfaces are exposed to a hostile environment. Maximum reduction of the attack surface is always desirable, because there's no way, short of unplugging servers & putting them under armed guard, that you're going to eliminate it.

Ok, back to Facebook. It's got an attack surface too. I think that everyone needs to be mindful that, even though FB is configurable to disallow everyone but friends to see your items, it is NOT to be considered a trusted environment. So, you won't see me saying anything that I'd be mortified to make it to my boss. I'm also only friends with those who I'm actually, well, friends with. So, please don't ask because I'll ignore you. News flash: having 2,483 friends creates a very large attack surface.

I've also come to grips that the world is changing. We might not want it to change, but it is. Our culture, just as surely as we went from "Mr. Feldman" in the workplace to "Jonathan", is also surely becoming much more permissive about what, exactly, constitutes "too much information".

Look at the 20-somethings (the Millennial generation) at your workplace. They really don't care about who knows what about their personal life. Indeed, they are comfortable blogging about their chemo, their tragic childbirth incidents, their sexual orientation -- and that's just the start. There are boundaries of course, and the Millenials act as canaries in a coal mine to point them out. Witness the recent issue in Charlotte where teachers got disciplined for their posts on FB. (News flash: despite your security settings, your comments on someone else's item are governed by that person's settings). But the Millennials are also on to something that strikes one of my personal quests to understand leadership and management in the IT world. They seem to deal well with the notion of "work as play" rather than the industrial revolution's "work as a means to avoid punishment."

Much has been written about dot-com busts and trainwrecks, but surely there is a powerful collabortion and motivation engine at the heart of that wreck. Undeniably, there's a change in social contracts and culture afoot that we will only truly recognize 20 years from now. What we now term as "TMI" in the workplace may one day be recognized as a variation on the theme of "to understand all is to forgive all." Maybe we'll recognize that understanding leads to better collaboration, and that it begins with candor and with holding back less about ourselves.

For me, it all boils down to the time honored and true risk/benefit ratio. I resisted FB for the longest time because the benefit component seemed zero. But, since I've taken off my old codger hat, and put on my Millennial hat to enter the FB environment, I've enjoyed the benefit of being in touch with old friends, been comforted when I've had a tough day, become better friends with people who would have been better friends but for time and distance, set up a birthday Skype with my buddies, and gained a sense of perspective from others' status updates. So, I am willing to dip a toe into Millenial waters and take a controlled risk by releasing things like my philosophy on work-life balance or, "I never apologized for when I was 8 and I made my brother be my personal slave". These are things meant for my friends, to be sure, but they're also not things that are catastrophic if released beyond my zone of trust. I'll participate in the social experiment, but I'll minimize the potential attack surface. I'll leave the pushing of the envelope to others. And that's my point: that I don't worry what FB scrapes off my page because I don't present any target that I truly care about. And, I think, ultimately I'm not going to be like the old codger who couldn't give up the mainframe, and who cursed the darkness rather than use the LAN and PCs to shed light. Or at least that's the theory. I'm still the guy who tries to apply the 3 month editorial cycle to blogging. (I'm trying, I'm trying...)

What's it all mean from an IT policy standpoint? Well, I'm going to be a renegade and suggest that organizations that want to tap into the Millennial energy source may want to be judicious about how they start to overly regulate social networking. Much has also been written about trade secrets flying out the door or public defacing of a brand (ala Charlotte), and I'm not suggesting that we ignore the issues. Deal with them. That's what you get paid to do. Educate employees. Use analogies, like "would you post this on a bar-room bulletin board?"

And frankly, maybe they would. Maybe it's embarrassing. Maybe it's the price of doing business. And maybe, just maybe, we need to consider the old risk/benefit ratio and how we need to change as the world is changing.