Fake profiles on Facebook
It was brought to my attention today that somebody created a fake Facebook profile of one of our employees. The page contains elements copied from a data source which is only available via our Intranet, and advertises the individual in such a way that it could damage that person's individual integrity, as well as my employer's good name.
Unfortunately, reaching out to Facebook via their abuse@facebook.com email address has not elicited any useful reaction yet (just an automatic confirmation email), and given the general buzz I do not expect to hear much back from that route either.
An interesting question is whether this problem can be classified as an information security incident. According to ISO/IEC 27002, information security is the preservation of confidentiality, integrity and availability of information. In this particular incident, information that was only available on the Intranet has been used to create a public profile, and factually incorrect elements have been added (a breach of integrity). As such, posting a fake profile using proprietary information could be considered an information security incident.
Following our incident response workflow, we have documented the complaint and established that there indeed is a breach of information security. The preferred mitigation strategy would be to notify Facebook about the offensive content (done), and they would remove the page, or at least make it unavailable pending investigation (not done).
I understand that in a situation like this, Freedom of Speech is a very important consideration. However, the legislator has also acknowledged that freedom of speech is not limitless (as with slander, fraud, copyright infringements, etc.). How would you handle a situation like this? Involve legal counsel and have them try? Work toward filing charges with the police? Ignore that it ever happened and hope for the best?
update: The Facebook abuse team got back to us and we are working to resolve the situation. So far, they have been very cooperative. I have to say, my original opinion (based on hearsay) is rapidly being adjusted based on directly interacting with them. They seem to have their stuff well under control.
update 2: A reporter caught this too.