Social ratings: Be careful what you post

Another reason not to share everything online.

What to expect from social ratings

It’s already hard to imagine life without social networks. We use them to chat, communicate, share our creations, discuss the hottest news, and more. It’s worth keeping in mind, though, that people may use your social media profiles to assess, for example, your ability to repay a bank loan. Or to decide whether you’re suitable for a particular job.

The measure of a person’s potential based on past actions, social circle, and the like is called a social rating. A person’s social rating is similar in some ways to the credit rating that banks use when issuing loans, but it can include a far wider range of information.

Many countries already see the use of social ratings in various arenas. For example, insurers in New York are officially allowed to determine premiums by analyzing data from social networks.

And China is developing a social credit system that some describe as 1984-esque. However, not everybody considers such systems scary; some people actually think they are useful, saying they help make life more secure. Are people and technology ready for what’s coming?

Social ratings: What people think

To gauge user attitudes about social ratings, we polled more than 10,000 people around the world. Here’s what we found out.

Slightly less than half (46%) had heard about them. The phenomenon is better known in Asia. For example, in China, where ratings are rolling out nationally, 71% of respondents know about social ratings, compared with only 13% in Austria and Germany. What’s more, again almost half (45%) of respondents admitted to having issues with understanding how the ratings are calculated. Only one in five (21%) had ever come across them in real life (although it’s possible that some people are simply unaware that social ratings play a role in getting a loan or mortgage).

Nevertheless, many generally agree with the underlying idea of social ratings: 70% say it is fair and right to limit access to public resources (transport, education, housing, etc.) based on people’s behavior.

Many people don’t mind being monitored if there’s a good reason. For example, to improve security, almost half are ready to allow the government to monitor social networks, and two in five would share their data with a company in exchange for discounts and other benefits. And only about 20% of respondents expressed unease about private and public organizations taking an interest in their personal information.

Social ratings: The technology

Many of the people we surveyed support the idea of social ratings, probably in the belief that they will, on the whole, deliver a fair and unbiased assessment. Alas, with current technology, that is unlikely.

For one thing, it is difficult to track errors. Current systems are based on neural networks, the operating principles of which are opaque even to the developers, let alone the operators or general public. When lowering or raising someone’s rating, the neural network does not disclose its informational basis for a decision. If the computer says you don’t qualify for a loan, you won’t get one — even if you’re a decent person with a good income.

In the language of medical testing and computer security, the above is known as a “false positive,” the same as when a security solution flags a clean file as infected, or a medical test erroneously identifies a disease in a patient’s sample.

On our favorite topic — antivirus — the level of false positives varies greatly from one product to another. Some products deliver wrong verdicts far more often than the average, and others far less (our security solutions have minimal false positives). The point here is that it is impossible to eliminate errors entirely. But in the case of ratings that affect human rights and even lives, the price of such an error can be very high.

Aside from mistakes caused by imprecise algorithms or imperfect data, systems can also be intentionally hacked. As regards nationwide social ratings, our experts have identified three types of potential attacks.

1. Attacks on data-collecting devices

To accurately assess a person’s rating, the system needs a lot of information about them. It gets this data not only from social networks, but also from various appliance-based cameras and sensors — the so-called Internet of Things. These devices are often vulnerable and get repeatedly attacked. In the first half of 2019 alone, we detected 105 million attempts to hack them.

2. Attacks on software implementation

To assign you a social rating, it is not enough for the system to harvest information about you, it also needs to process and interpret it. The mechanism that handles this may be vulnerable too — both to malware infection attempts and to nonstandard attacks.

For example, an attacker might wear colored glasses. A human being would easily recognize the person, but a smart camera might mistake them for someone else — so everything they did in front of the camera could be attributed to someone else.

3. Attacks on system logic

Lastly, an attacker can identify actions that, if repeated many times, change the rating beyond all recognition — either positively or negatively. For example, by exploiting gaps in the system logic, it might be possible to boost one’s own rating or, conversely, spoil that of a potential victim.

Preparing for the world of social ratings

In summary, social ratings may not be as fair and unbiased as we would like or suppose. All the same, such systems are already deployed in certain fields and likely to be introduced more widely over time. Although there’s no way to shield yourself from their flaws completely, it’s worth trying to minimize the risk.

Think twice (or thrice) before posting ambiguous photos of yourself or other potentially compromising information on social networks. Some things are best kept private. At the very least, do not make them publicly available.

Protect your accounts so that cybercriminals can’t hack and use them against you. Create strong, unique passwords, enable two-factor authentication, and don’t enter login credentials on suspicious sites.

Guard your privacy. So that the bank doesn’t refuse you a loan because it knows, for example, that you’re looking for a job, protect yourself against online data harvesting. We explain how in this post.