Are you faking it online? Or faking it at work? While faking it certainly has its benefits in both places, I want to touch upon a couple of concerns I have with using fake identities.
Is real data *really* fake data?
Example #1…
A few weeks ago I got a text message from a phone number I didn’t recognize, with a rather odd message. I sent a text back asking, “Who do U think U sent ur txt 2?” The response, “Myrtle!” I’m not Myrtle. Turns out they were using a phone number they had found online that was associated with the Myrtle they knew. That number associated with Myrtle was my real number. Turned out this was a site, amongst a growing number of similar others, that is providing what they are touting as fake identities for others to use to test software and applications. However, upon doing some searches on their site, all the data items I found were actually verifiable names, addresses, social security numbers, and so on. It appears they took real data items and just mixed them, to a certain degree, to create what they are calling fake identities. They were not mixed completely; at least not for the data items I looked at. For example, the phone numbers and social security numbers were partnered with addresses for the actual vicinities where such numbers would actually be found. So, instead of creating a true fake identity, the sites are creating new identities composed of a cobbled-together mish-mash of real information; I call them Franken-IDs.
Example #2…
The previous experience reminded me of a situation that occurred in the mid-1990s when I was responsible for information security and privacy at a large multi-national financial and insurance organization. After many meetings and messages, I finally convinced business leaders to stop using social security numbers as the primary customer identifier for most of the business services from that point going forward, and to allow existing customers to request another number if they did not want their SSN to be used as their identifier. Keep in mind, at that time there were no laws or regulations against using SSNs as identifiers like there are today.
However, whenever a customer asked to have a new account number, the business managers told the customer service representatives to simply make up a new number that met the same format. They kept the format of an SSN because they didn’t want to take all the time and cost necessary to build a completely new database on the mainframe; it would be too expensive, they said. So, the various customer service agents throughout the business units started to simply make up numbers, in the SSN format, to replace the real SSN whenever a customer requested their SSN to not be used.
A few months down the road customer complaints started to trickle in, and then come in more frequently. It seems that a large portion of customers were customers of multiple business units, including the investments and 401K services. The customer statements were printed and sent to these customers using the customer ID (which was the SSN) of the customers, and many of the so-called “bogus” numbers that were made up by the customer service reps were actually real SSNs of other customers! So, through the programming logic that was in place, the people who had the made-up SSNs ended up receiving the statements of the people for whom the SSNs were real and valid. Oops. They hadn’t thought of that.
Of course the information security and privacy area found out about this after all the complaints had come in. We worked with all the business units to establish a process to create IDs that would not be actual SSNs for others. By knowing how SSNs are constructed we were able to accomplish this. FYI, no SSNs with an area number in the 800s, 900s, or with a 000 or 666 area number, have been assigned; and an area number of 666 will never be assigned. So, if you want a truly bogus SSN, or a fake identifier that must be in the form of an SSN, use a number starting with three digits from these possibilities.
So…
The previous examples are just two cases of how “fake” data that was in actuality real data for someone, somewhere, resulted in minor to major negative impacts. We could probably collectively brainstorm many other ways such “fake” identities that consist of actual personal information could negatively impact others.
It *IS* a good, and recommended, practice to use data for testing, and for IDs, that is not actual data for any individuals. So, when you are considering the use of services that provide what they claim to be bogus or fake data for your organization to use for testing, or when you are determining identifiers for customers and employees, ask yourself the following:
- Could the data be actual identifiers for real people?
- If phone numbers, could they be real for someone? If so, could people start calling them? You can create truly bogus phone numbers by using 555-0100 through 555-0199; they are specifically reserved for fictional use, except for the 800 area code, where only 800-555-0199 is reserved.
- If SSNs, could they be real for someone? If so, what could the potential impacts be? Make sure you use a bogus SSN generator that will NOT create real SSNs by knowing how real SSNs are constructed.
- If credit card numbers, could they be real for someone? If so, could people actually start using them?
- And ask yourself similar questions for other types of personal identifiers.
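The checks in the list above, together with the earlier point about made-up SSN-format IDs colliding with other customers' numbers, as an added example in Python that is not part of the original post: it audits test records for identifiers that could belong to a real person and issues replacement IDs that skip ones already in use. The field names, function names and sample rows are constructed for illustration, and the example narrows the article's list of area numbers to 000 and 666.

```python
import re
from itertools import islice

# Area numbers treated as never belonging to a real person. This example uses
# only 000 and 666, a narrower choice than the list given in the article.
SAFE_AREAS = ("000", "666")
ID_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
PHONE_RE = re.compile(r"^\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})$")

def is_placeholder_id(value, safe_areas=SAFE_AREAS):
    """True if value is SSN-shaped and its area number is in safe_areas."""
    m = ID_RE.match(value.strip())
    return bool(m) and m.group(1) in safe_areas

def is_fictional_phone(value):
    """True for 555-0100..555-0199; in area code 800 only 555-0199 counts."""
    m = PHONE_RE.match(value.strip())
    if not m:
        return False
    area, exchange, line = m.groups()
    if exchange != "555" or not 100 <= int(line) <= 199:
        return False
    return area != "800" or line == "0199"

def issue_ids(count, in_use, safe_areas=SAFE_AREAS):
    """Issue SSN-format IDs from safe_areas, skipping every ID already in use."""
    taken = {re.sub(r"\D", "", v) for v in in_use}
    free = (f"{a}-{n // 10000:02d}-{n % 10000:04d}" for a in safe_areas
            for n in range(1_000_000) if f"{a}{n:06d}" not in taken)
    issued = list(islice(free, count))
    if len(issued) < count:
        raise ValueError("safe ID space exhausted")
    return issued

def audit(records):
    """Return (row, field, value) for each identifier that could be a real one."""
    checks = (("customer_id", is_placeholder_id), ("phone", is_fictional_phone))
    return [(i, field, rec[field]) for i, rec in enumerate(records)
            for field, ok in checks if not ok(rec[field])]

# Constructed fixture rows (not real data): row 1 has an ID outside the safe
# areas, row 2 has an 800 number other than 800-555-0199.
FIXTURE = [
    {"customer_id": "000-00-0001", "phone": "515-555-0123"},
    {"customer_id": "123-45-6789", "phone": "515-555-0123"},
    {"customer_id": "666-12-0042", "phone": "800-555-0142"},
]

if __name__ == "__main__":
    print(audit(FIXTURE))
    print(issue_ids(3, in_use=["000-00-0000", "000000002"]))
```

Passing the set of IDs already stored as `in_use` is what prevents the statement mix-up described in Example #2, where a made-up number matched an existing customer's identifier.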
Are fake online identities *really* harmless?
There are growing numbers of sites urging businesses to create fake Twitter IDs to follow their business ID to make it look like they have lots of customers, and to create fake Facebook IDs to follow and friend the business Facebook page, and basically urging the use of fake IDs on all other types of social networking sites for the same reasons. Facebook recently released statistics showing that there are more than 83 million fake accounts on its social network. This is over 8% of all their accounts. Businesses and other organizations (such as political groups, religious groups, and other types of membership or interest groups) are increasingly using fake social media accounts they created to “like” and “follow” and “endorse” and…the list goes on…their organizations as a marketing differentiator. Businesses are faking it as a marketing move to make their business look more popular than what it actually is. Celebrities are faking it to make it look like they are much more popular than they really are. Some individuals in general are faking it to simply give themselves an ego boost; I guess imaginary friends are better than none, at least from their perspective? There are now even businesses making large amounts of income by selling these fake identities/friends/followers/etc. to such attention-starved organizations and individuals as their only business activity. So, no harm, no foul, right? Well, that depends.
Sometimes what seems like a harmless act turns out, upon thoughtful consideration, to be something that could result in harm of some kind. Consider the following:
- Fake accounts are being used to spread rumors that are increasingly impacting health and safety, such as during Hurricane Sandy.
- Pranksters are putting up fake accounts and pages pretending to be legitimate companies, and then putting up abusive messages to their customers, resulting in loss of business and public relations nightmares.
- Fake accounts are created to use as “botnets” (such as Koobface) specifically to spread malware and spam to social network users.
- There are increasing numbers of criminals, pedophiles and other nasty folks using fake accounts to commit their crimes.
- Marketing departments are putting up fake accounts to make it look like customers are bragging about their business, as well as to put down competitors.
- Businesses are even creating fake identities to get back at dissatisfied customers, such as the restaurant that created a fake profile on a sex dating social network site for a reporter that gave a bad review.
Now think:
- Do you want your business participating in activities that pranksters, fraudsters, crooks and pedophiles are also doing?
- Could this damage your organization’s reputation or brand value?
- Could this be viewed as unethical? (Usually…yes!)
- Could this result in your business having its industry rating lowered, or being removed from some type of designation, such as a Better Business Bureau stamp of approval, Good Housekeeping Seal, etc.?
- Is it really worth the risk just to get better stats about how many people are “like”ing or “following” your social media business presence?
Bottom line for all organizations, from the largest to the smallest: If you are thinking about using fake identities within your business, or are already using them, carefully and thoughtfully consider the potential negative impacts along with the positive. Then, make a decision based upon how much risk of damage your considered or current “faking-it” activities pose to your business’s reputation, and what possible problems they could cause for the individuals to whom your “bogus data” actually belongs.
Additional information about using fake online identities
Here are just a few other articles discussing a much wider range of issues related to using fake online identities (there are hundreds of others out there for you to see if this topic intrigues you):
- The Ethics of Fake Twitter Accounts
- Are Companies Spending Money Buying Fake Facebook Likes?
- Chick-Fil-A Accused of Setting Up Fake Facebook Account
- Millions of fake Twitter accounts boost wannabe celebrities
- The Twitter black market: dealers, abusers, and fake accounts
- Buying Their Way to Twitter Fame
- Fake Tweet Builder: Make your own Twitter conversations
- Three Ways to Create Fake Facebook Profiles for Historical Characters
- How To Make a Fake Facebook Account [Video]
This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.