Spanish authorities warn about the risks to privacy and security on social networks and suggest improvements in protection systems


The National Communications Technology Institute (INTECO), in collaboration with the Spanish Data Protection Agency, has presented a report on the security and data privacy issues that arise from social networking sites, making a number of recommendations.

The report warns of three critical stages at which users' security and privacy are especially at risk: registration; the uploading of additional information to the site by the user; and the point at which the user wants to unsubscribe from the service.

Among the risks associated with the initial phase, registration, the study highlights the existence of standard online forms that request a large amount of information from users. Although many of these fields are filled in only on a voluntary basis, the information disclosed may sometimes endanger the privacy of users who provide details of their political ideology, sexual orientation and religious preference, given that such information may be accessed by third parties.

In this respect, the report has also found that the most public profile setting is usually enabled by default by the social networks. As a result, 43% of the profiles published by social networking site users can be viewed by anyone. Most of the analysed networks allow profiles to be indexed by search engines, which publicly exposes users' data and their main contacts. The risks to privacy and security that such situations involve are not always sufficiently appreciated by the users, nor are users always warned of them by the social networks before registration.

At the second stage there are risks that should be borne in mind, such as phishing, pharming, the installation and use of cookies without the user's knowledge, and the generation of spam addressed to the rest of the network's users through the compilation of their e-mails.

Furthermore, the report warns that social networks may be easy targets for spyware, which may access and record the activity carried out on the user's computer.

As for the third stage, the cancellation of records that allows users to unsubscribe from these services, cancellation is sometimes difficult to achieve because the users' published data remain published in other users' profiles.

The report also shows that intellectual property may be endangered by the use of social networking sites. After reviewing the terms of use for all major platforms/social networks operating in Spain, it has been found that all disclaimers set mandatory assignments of all copyrights in favour of the platform. In this sense, it emphasises the fact that by accepting these terms of use, the user is licensing freely to the network the copyright of his information and data for a period of five years, as established by the Spanish Intellectual Property Act.

Finally, the study includes numerous recommendations on security measures and privacy policies, addressed to all parties involved in social networking sites. INTECO urges the sites and the ISPs to improve their systems so as to protect the users' rights guaranteed by the Information Society, Data Protection, Intellectual Property and Consumer regulations, by enhancing transparency and improving subscribers' access to terms and conditions.

Indeed, INTECO recommends information technology measures for the social platforms, such as requesting users' prior consent to include their profiles or data in search engines, the use of safe DNS servers, avoiding the possibility of attacks on servers, the implementation of tools to detect and block phishing or pharming cases and the codification of the content hosted in the platform.

Furthermore, INTECO has also issued recommendations to information security systems manufacturers and suppliers, companies that are considered key players for the users’ security. According to INTECO, manufacturers and suppliers should focus on two main security aspects: prevention of online fraud and carrying out security technology research and development programmes.