Thursday, April 24, 2014

Are Buzzfeed Quizzes Lowering our Defenses?

So I’ve been toying with shutting down my Facebook account again—mainly because it gets on my nerves. The simple act of scrolling through the posts each morning has reached a ratio of 20% pleasurable and 80% grind. One reason? Buzzfeed quizzes.

Oh, Buzzfeed quizzes. Zimbio quizzes. Shudder.

To be fair, I’ve taken my share. The nerd gene in me just has to know what character I most identify with in every Joss Whedon universe. And while I rarely share my results (because that’s pretty annoying), I have started to wonder about some inherent dangers in the culture of quiz taking.

So, I spent a little time on “Internet research” yesterday (read: surfing the web). I wanted to see if I could get any hard, fast evidence that the data in Buzzfeed quizzes were dangerous. Do they harbor malware? Are they used for phishing purposes? Are there records of any data breaches that stemmed from a Buzzfeed quiz?

Not really. Although it would be a pretty clever ruse for social engineers, it appears that the quizzes are fairly harmless. The danger, it seems, lies more in the attitude and culture behind these personality tests. So many of my “friends” (ok, friended acquaintances) rant regularly about the dangers of Facebook privacy settings. They have a real “Big Brother is watching” or “Everyone is out to get my personal information” complex. But these folks may be the very same ones who will readily answer personal question after personal question in a Buzzfeed quiz and then share the answers with anyone who scrolls past their profile.

Jordan Shapiro hit the nail on the head for me in an article this past January.

“Why is it that when it comes to novelty quizzes, we enjoy being analyzed by simple algorithms that divide and reduce us into a limited number of determinate categories, but when it comes to Google and the NSA we’re terrified of the same thing?”

Personal information is personal information, whether it is stolen from us by a social engineer, secretly gathered by the NSA, or voluntarily offered through an online personality quiz.

We seem to have developed an almost desperate need to share our opinions or facts about ourselves in an effort to identify with a larger group of like-minded people. Go ahead and admit it. You feel good when your poll answer is the most popular. The appeal of belonging has made many of us irresponsible—and irresponsible Internet users can be easily lured out of their comfort zones and into a trap.

While the danger may not come directly from an online quiz, click-happy Internet users are bound to slip up in other areas. And the more comfortable we become with oversharing, the more likely we are to find ourselves victims of social engineering scams or identity theft.

“Well, but…what difference does it make?” you say. “It’s not like they’re asking for my social security number. The results are all made up.” OK, that’s true. There is no proven rubric designed to accurately determine which superpower you should have, or whether or not you would in fact die of dysentery on the Oregon Trail. Yet, that does not mean the questions have no value to someone.

“We brush them off as ‘merely entertainment,’ forgetting that by participating–through the act of clicking–we’ve once again provided Google with a plethora of personality data that is forever stored in our file,” says Shapiro.

In fact, some limited evidence suggests that quiz and Internet poll builders may be inserting more probing questions into harmless entertainment quizzes to get an idea of who you are, how you behave, or even what you might choose to buy. Lee Munson at BH Consulting gave his take on it in this week's Security Watch blog on oversharing. 

“…in a few instances the polls can pose some more serious questions…sometimes some of the sneakier sites on the web will even make completion of the poll mandatory in order to proceed onto your ultimate aim of, say, reading a particular news story. Such polls may not demand your name and address but they do drift roughly into areas of personally identifiable information.”

He also offered a bit of sound advice.

“If you share information you need to be alert. Even if you are divulging personal information within an environment in which you feel safe, you need to be certain that the audience is the one you expect. I myself have a few friends who have completed polls on Facebook only to later discover that they actually handed all that info to a third party unawares.”

It may be time to find new ways to entertain ourselves rather than buying in to a culture of irresponsible clicking and mindless answering. While I may never know which Twin Peaks character I am or how well I know the movie ‘Clueless,’ at least no one else will either.
