Liabilities Associated with Social Media


Table of Contents

Liability -1

Liability -2

Location / Traceability

Malicious Apps -1

Malicious Apps -2

Notices


Liability -1


Discovery
• Source of discovery in liability cases

Discrimination
• HR may look at social media sites of prospective employees.
— These sites may contain information about race, gender, religion, age, national origin, etc.
— It may not be lawful to use some of this information for employment decisions.

**019 Are there any liabilities associated with social media? Yeah. One of the issues we run into when it comes to liability is discovery. When I think about discovery, law enforcement is using social media to track down these people that may have perpetrated crimes. There was a situation recently where somebody was breaking into homes and when he broke into homes, he was taking pictures of his bounty, I will say, and advertising to his friends, "Look at the new Xbox I have," or "Look at the new Wi-Fi stereo system I have," and so on. So law enforcement was able to use that information to track this information down and arrest him, and use that information as part of the evidence against the individual.

When companies are hiring, one of the first things HR employees will do now is take a look at your social media sites. When I was young, we had a saying-- and I know you guys have all heard it-- "What happens in Vegas stays in Vegas," and that used to be a true statement, but now what happens in Vegas is immediately going to be published to everybody's social media site, and the dumber your behavior, the more idiotic your behavior, the quicker it gets published and broadcast around the world. Right? So what happens in Vegas does not stay in Vegas. So let's say an HR department wants to hire you, they look at your social media site and they see that you were doing these types of activities in this location, and here's your behavior in this situation, and so on. Well, they can use that. Whether they intend to be biased based upon the information they see there or not, it's almost impossible not to be in some form or fashion influenced by what we see. Unfortunately sometimes, from a legal standpoint, a company cannot use those biases to make decisions because they're considered to be discriminatory decisions based upon things we're not allowed to discriminate on-- age, sex, gender, race, religion, so on. So could be a challenge for HR.


Liability -2


Free speech
• Companies are held to a higher standard of care for truth and accuracy.

Word of Mouth advertising
• Employees posting on behalf of the company are held to the higher standard.
• Employees must disclose the relationship.

General Liability Insurance
• Does our GL policy cover social media?
• Consult corporate counsel

**020 What about free speech? Companies are held to a high standard when it comes to free speech. If a company were to put some statement on his or her corporate website or on their social media page and it turns out that that statement is not truthful, it is not factual, well, that could end them up in some sort of legal dispute. Right? So for example, let's say, I don't know, I'm a pharmaceutical company and I have this miracle drug that's going to cure foot fungus-- I don't know. "Foot fungus goes away in three days using our product." Well, what if it doesn't actually go away in three days? You said it on your Facebook page, you said it on your Twitter account, and I'm holding you to that standard, and it could come back and bite you in the backside. All right?

Word-of-mouth advertising. A lot of social media sites allow other people to make recommendations and comments and reviews about products and services provided. We have to be careful about who's making the reviews. I'll use-- not Craigslist-- Angie's List, because Angie's List is an organization or a site that allows people to shop for and buy services-- so I want to find a plumber, I want to find out who is a good plumber in my area. Well, let's say we have Al's Plumbing Service. Don't you think it would be in Al's best interest to have a couple of nice comments about how good of a plumber he is? So if his customers don't put that information up, Al might put the information up himself. Well, it could be misleading, and Al could get himself into trouble if he does not disclose, "Hey, my name is Al. I run Al's Plumber Service, and I'm telling you we're the best plumber in the world." If he were to mislead me and say he was a customer of Al's Plumber Service and say they're the best in the world, he could get himself into hot water there. All right?

And when we do run into legal issues as a result of our online activities, how do I protect myself? Is insurance going to help me? Does my general liability policy cover me for these types of activities? I would say-- and I'll start off with this: I'm not a lawyer. I don't ever give any legal advice, other than consult your corporate counsel. If you are going to, as an organization, have an online presence and you're going to rely on your insurance to protect you, you need to make sure there's some sort of clause in that insurance that does account for the online activities. So consult legal counsel and make sure that you are protected under general liabilities or other type of insurance.

Location / Traceability


Metadata in pictures
• Date, time, location, GPS info

Hobbies
• What you like to do
• Clubs you associate with

Check-in with friends
• Foursquare Swarm
• Apple Find My Friends
— May show who is nearby even when they have not “checked-in” using passive location information

**021 Let's see. Social media can be used to track people down. I already alluded to this earlier. Somebody puts a picture on their social media page, there's a very good chance that there is metadata associated with that picture. We can track not only where it was taken, but also when it was taken, and even possibly the type of equipment that was used to capture that photo. Now, this is going back before social media really came into existence, but there was a serial killer who was caught as a result of metadata associated with a photo. So, what information are you putting online that you don't even know that you're putting online? We could track somebody just by a shirt that they wear. You might have a shirt-- let's say you're part of some organization and your shirt has that organization's logo on it. Well, maybe I can find out who that logo belongs to, find out where that organization meets. Let's say you're part of an Elks Lodge, Elks Lodge number 1236, and so I can now find out where Elks Lodge 1236 meets and I can track you down and find you through the Elks Lodge-- all kinds of information.

There are apps out there that allow friends to know where other friends are. So let's say I was walking down the street and I have one of these apps like Foursquare Swarm on my phone. Foursquare Swarm might give me some sort of indication, "Hey, you have one of your friends, that's in your little circle of friends, that is within a 50-foot radius of you," or "They're somewhere within a mile of you right now." So I could learn where my friends are, what restaurants they might be sitting at to have dinner, what movies they might be at and watching. The whole idea is so that we can get in physical contact-- not only logical or social contact-- but we can get in physical contact with each other. The downside is you're being tracked. Not only by your friends, but you could be tracked by the people that make the apps. They might know who you are and where you're going. Third-parties might know who you are and where you're going, and so tracking your activities-- it's hard to control that. Even if I were to say for a period of time "I don't want to be tracked," there still might be ways that people can find out where you happen to be.


Malicious Apps -1


TROJ_FEBUSER A
• Malware hi-jacks social media accounts
— Google+
— Facebook
— Twitter
• User is conned into installing a fake video player.
— This download installs browser extensions.
• The Trojan can update social media site information
— Like pages
— Share posts
— Join a group
— Invite friends to a group
— Chat with friends
— Post comments
— Update status

**022 There's also a lot of malicious apps that can be transferred via social media. When I think about malicious apps, we mention a specific Trojan horse that was out there at one time. A Trojan horse is a piece of malware that does something legitimate in the foreground, but it also does something illegitimate in the background, and this particular Trojan use, FEBUSER.A, what it's going to do is hijack your social media accounts-- so your Google Plus accounts and Twitter accounts and so on-- and the way that it does this hijacking is that it provides a free video player. And by the way, that is the number one best term for social engineering-- free. If I make something free, people are going to download it and they think they're going to use it to play a video, which they might be able to do that, but then in the background it is joining other groups, sending messages to your friends, updating your status with malicious information, and so on. All right? So FEBUSER.A was one example of malicious software we run into.

Malicious Apps -2


Man in the Browser (MitB)
• Enticing tweets
Example: “Beyonce falls during Super Bowl concert, very funny!!”
— Contains script to collect Twitter authentication token
— With token, make new malicious posts on behalf of the victim

Rogue applications / games may be used for
• Spamming
• Phishing
• Links to malware downloads

**023 We also have this concept of man-in-the-browser attack. This is a particular type of attack that in this case allowed the software to send out some tweets for a celebrity. For example, maybe we're able to send out a tweet and have it retweeted by others that are out there saying that Beyonci-- is that how you say it?-- Beyonci had a mishap during her Super Bowl concert and she fell down. It was very funny, and because of that tweet, that causes people to say, "Oh, I want to see this," and so they click on whatever the link is and that link causes them to download malware through their browser. So man-in-the-browser types of attacks.

We could also use social media for phishing attacks and spamming attacks as well. Phishing is when we throw out a line in the form of an email-- maybe it's a message that says, "We need you to log into your PayPal account and update your information." And so you then try to log into your PayPal account and it directs you to a PayPal lookalike site. When you update your information, they are able to harvest that information and gain access into your resources, your data, whatever it happens to be. So anyhow, there's lots of malicious software out there that's going to take advantage of social media. It uses the social media to propagate, it uses the social media to socially engineer all of the users of social media.


Notices

© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
