Privacy threats in a mobile enterprise social network

The ‘Instant Knowledge’ system is an enterprise based social network that aims to introduce employees of the enterprise to contacts within the organization who may have skills relevant to particular tasks. The skills database is maintained through context-aware devices, and mobile devices in particular. The aim is to populate the database automatically based on user context data and to provide automatic introductions, again based on context data. This paper examines the security and privacy implications of this system and shows that while threat modelling on its own provides a solid base from which to secure the system, this is not enough to ensure that all privacy issues are considered. This is demonstrated by applying a mis-use case analysis that shows how personal identifying information can be inadvertantly leaked to malicious parties.