In June 2009, I finally created a Facebook account, but not for any of the conventional reasons folks join social networks. At the time, I worried about the threat of impersonation and the possibility of reputational harm. After six months of Facebooking, I'd recommend that many professionals join a social network even if the reasons are purely defensive. Here's the situational analysis that led me to this conclusion (from an earlier post).
Perhaps I'm too long in the security business, but I began to consider how easy it would be for someone with malicious intent to fabricate a social networking account for a targeted identity. For folks who have considerable online "visibility" - published articles, a blog, email activity published on a wiki, ... - this isn't terribly difficult. Let's assume I'm targeted. All a miscreant needs is to create or gain access to an email account to which the membership confirmation email for Dave Piscitello is sent. Once the miscreant confirms the account, he can populate the newly created account with personal information about "me" that he can easily gather from other sources: my personal page at SecuritySkeptic.com and bios from conference speaker pages, ICANN, or Core Competence provide ample information for a convincing deception, especially if the deception targets colleagues and members of the security community rather than intimate friends and family.
If the purpose of this deception is to harm me, the miscreant might build a social network to serve as the audience for some embarrassment he'd create while impersonating me. Since social network sites constantly suggest friends to add, this is trivial. Once the miscreant grows a satisfactory friends list, he can use my Facebook wall or the walls of my colleagues, family and friends to post abusive, insulting or libelous comments, lies or misinformation. He can intimate that I'm unhappy with my employer, my wife or my children. He can post photos that might be embarrassing, or, for a truly worst-case scenario, use the account for predatory purposes or to publish porn.
Someone who really knows me will undoubtedly contact me using one of my legitimate email accounts or phone numbers to read me the riot act or fire me. At this point, however, my Facebook situation is no different from any web defacement attack. I've been victimized and I'll have to take action to recover from the incident. I've got to contact the social network operator, provide compelling evidence of the impersonation, and get the page removed. And as with all defacement attacks, my reputation is tarnished.
I haven't painted a particularly pretty picture of what might happen to me. Now, after six months of Facebooking, I've connected with enough colleagues and friends, and shared enough information, both professional and personal, that I would expect my legitimate Facebook page to hold up against any impersonating social networking page. Try unfolding the same scenario for yourself and see if a defensive social networking page isn't worth the effort.