Digital Security Breaches – Facebook’s Present, Your Data’s Future
As the leading social media platform slowly crawls along this bumpy trail, the general public is left with many questions, few answers, and some serious decisions to make about Facebook.
What are you talking about, Paul?
Earlier this month, Mark Zuckerberg testified in front of Congress on behalf of Facebook regarding the privacy rights of his 1.85 billion users. Zuckerberg spent 10 hours in Congress thanks to a piece of code that was added in a 2007 update. The change allowed third-party developers access to the Facebook network, opening Facebook’s vast collection of personal data to anyone who could make an app.
The 2007 update was designed to help recruit new users to the Facebook community, which was only around 20 million users at the time. Facebook granted app developers access to the growing web of users, allowing developers to create games, quizzes and other apps that were synced with the Facebook account. For Facebook, these apps were a great way to increase their user base. For example, a user may decide to create a Facebook account to challenge their sister to a game of Words with Friends.
On the flipside, the social giant was entrusting all of their app developers with access to a literal treasure chest of personal data, from their likes and interests to their gender, age, location, political views, and even their friend lists. This New York Times video does a great job of outlining the various data points that are collected, as well as the other data points that are inferred based on your activities on the platform. Much of this detailed information was available to each developer, depending on the permissions granted. One developer example is Rovio, the company that created the internationally-popular mobile game, Angry Birds.
When Angry Birds was first released, the app featured a number of “Facebook-Only” aspects including their weekly tournaments. Basically, in order to save your progress over time, you had to log in with your Facebook account. When you first log in with Facebook, the app asked for permission to access a number of things, and when users clicked accept, their data was in fair play. In 2013, Angry Birds updated the App, allowing users to play the game without Facebook. However, by 2013, there were over 200 million Angry Birds users, most of which had already given data access to Rovio.
Then think about this. Angry Birds was one of tens of thousands of apps that functioned in this same way.
The long-term consequences of the 2007 update have recently been brought before the public eye thanks to the growing Cambridge Analytica (CA) scandal. Like Rovio, the CA firm created a number of apps dating back to 2007. One such app, This is Your Digital Life, has been at the forefront of the scandal, as it allowed CA to access not only all the data of users who opted-in but also the data of the users on their friend list.
This extended beyond the permissions granted by that individual in exchange for the fun of the game, and into Facebook’s pocket, pulling out valuable information on hundreds of thousands of people who hadn’t given the app permission to do so. But their friends did.
The Steps You Can Take
The first thing you can do is to check to see if you were affected by the CA data breach. While this is only one of possibly millions of data sets, Facebook is helping users know if their information was ‘compromised,’ either from using the app themselves or from having a friend who used the app. To check now, follow this link to be re-directed to the Facebook Help Center. You’ll be able to see if your information was included in this data breach.
If you’re concerned about your data, the next thing you can do is turn off “platform” ability in your Facebook settings for apps, websites, and games. The upside here, all of the apps that you’ve ever connected to Facebook will be disabled, and your information will no longer be shared with those developers. The downside, any information they’ve already collected is still accessible. You also won’t be able to use apps or games that required that Facebook log-in, anymore. Sorry, Clash of Clans.
You can also download all of the data that Facebook currently has regarding your profile. This was both entertaining and eye-opening for me, as I’m not an extremely active user, but have had an account on the platform for over a decade.
As Zuckerberg repeatedly mentioned in his testimony, Facebook’s archive tool allows people to see all the undeleted information they’ve ever put on Facebook. However, that doesn’t mean you can delete any and all of it. Even if you delete your account, data is still accessible for 90 days on Facebook server backups. Additionally, records of you on other users’ photos or in their conversation threads live on.
This downloaded set of information is also extremely detailed and extends back to the day you signed up for Facebook. As one of the early adopters, my account traces back more than a decade and includes not only all of my current friends but also the people I am no longer ‘Facebook Friends’ with, including former classmates, random acquaintances, and even a few brands and businesses. There is also a detailed record of every conversation I have had via Facebook Messenger. For some on my team, the archive included account deactivation data. My data included all of the locations I’ve ever logged in, basically tracking my movements whenever the Facebook app was open on my phone, a tablet or a computer.
But beware, you can spend a lot of time looking through this detailed archive of information. What really interests me is how that information is being used by digital advertisers.
Let’s Talk About Advertisers
Your Facebook account also tracks every interaction you’ve had with an advertiser on the platform. Advertisers track the actions you complete on the site, with the almighty click being the most popular marketing metric. Facebook is also tracking all advertisers who have uploaded your information via a custom list, and this was the surprising one. Of the hundreds of custom lists I was on, many were from brands that friends liked, others made sense based on my other online activities, (like bands I’ve listened to on Spotify or Pandora), and a few were complete surprises or unknowns.
Per Facebook, my name likely appears on these lists because the brands acquired/compiled a list of emails, or other contact information, and uploaded it to Facebook as a Custom Audience set. Brands can then use these lists to create “lookalike audiences” of similar profiles to serve targeted ads.
Again, per Facebook, brands can obtain your data in a number of ways, including but not limited to the following:
- Buying information from data providers. These massive databases include information gathered from all over the web, and then the lists are sold to the highest bidder(s).
- Using cookie tracking technologies. Like other platforms, Facebook uses cookie data collected from your account to help target ads, very similar to Google search ads. Facebook uses these cookies for a number of things, but from a security perspective, this allows them to alert you if someone attempts to log-in to your account from a new location.
- Getting the information from others you’ve shared it with, either from digital sources like Pandora, your favorite news site, or offline sources like your credit card loyalty program.
These custom audiences are usually very effective and for good reason. One of Zuckerberg’s repeated talking points in his Congressional testimony seems to back up my theory: “Users understand that they need to see ads, as the platform is free to use. These users have stated that they would rather see relevant ads than ads that aren’t interesting to them.”
So, with that said, it does not come as a surprise that so many businesses have and use my data. Yes, Facebook is at the forefront of this scandal, but they’re by no means the only culprit.
Google, and other major digital players, also track your online data. Google’s main data points are the things you do (like searches, website visits, video views and other cookie data), things you create (like emails, contacts, events and anything on the Drive), and things that make you “you,” (like your name, birthday, gender and phone number). According to Google, these three data pillars help Google improve its offerings for you. And like Facebook, this data is tracked indefinitely and is used for targeted Ads, mostly via Google search, but also on their partner platforms like YouTube. You can also download your current google content, should you be interested.
And as I mentioned, CA is only one of thousands of similar agencies and organizations who’ve created apps and games to gather advertising data from the Facebook’s and Google’s of the world. There are thousands more who leverage your Google account in a similar way. Prior to this scandal, once an app was approved and in use, the data collected by that app was out of Facebook’s control. It wasn’t held on Facebook servers, nor did they have a way of tracking how the data is used or sold. Facebook essentially turned a blind eye, likely because this ignorance would reduce the legal liability that Facebook faces.
Since the scandal, that liability has been pushed onto third-party partners. Now that Facebook’s audience base is approaching 2 billion users, the incentive for them to share this data has been reduced. This resulted in Facebook releasing new advertiser requirements last week, which put a damper on what third-party advertisers can and can’t do with this data.
Why is this happening to Facebook now?
In my opinion, Facebook wasn’t going to make a move on this unless the public demanded it. And the public would not have been any the wiser had the media not pushed the story to a national level. I say this because the original story about this data was scooped by The Guardian in 2015. And basically, nothing changed.
The Guardian highlighted CA’s relationship with Ted Cruz, among others, including the psychological data provided to the then-presidential candidate. The 2015 article outlined exactly how CA collected and then utilized the data without the users’ knowledge. Nothing major happened. Why? Because the public didn’t make a big deal out of Ted Cruz using that data. Flash forward to the past few weeks, and the story bubbled up again because it was released that Trump also utilized CA data during his run.
And when Trump’s name is inserted into a topic, it is politicized, and the public scrutiny begins. This scrutiny led to hundreds of news outlets taking a deep dive on the topic, and ultimately, to Zuckerberg’s Congressional testimony.
So, what is the Future of Data Security?
Technology has consistently outpaced regulation. Solutions and innovations simply grow too fast and too fruitfully that the government can’t keep up. It’s become the virtual Wild West, literally and figuratively. And even if there were an organization solely dedicated to digital law and data privacy, that still couldn’t guarantee major breaches like the Equifax, Target or Home Depot data hacks wouldn’t happen.
But that doesn’t mean everybody chooses to wear a black hat, (excited for you, WestWorld). Zuckerberg himself is in favor of increased regulations, as he mentioned multiple times in his 10-hour proceeding. In fact, he has pledged to meet all the standards of GDPR when it rolls out in Europe in May, and he plans to extend the measures to the entirety of Facebook over time.
Wait, Paul, What is GDPR?
Good question. GDPR stands for General Data Protection Regulation, and it has become the European standard for digital security. At its base, GDPR is a set of laws designed to give the people more access and control over their personal data. The rules are designed to mimic the world we live in, (constantly changing and evolving), so both businesses and people can benefit from the technological advancements.
So, for international businesses, if you’re not looking for ways to be more GDPR compliant, you’re already behind the eight ball. However, if you’re based in the United States, now is the time to start thinking about data security, and how your business will approach it in the near future. If you’re moving toward a more user-friendly data plan, you should be going in the right direction. If you’re still confused about what is changing, think of it this way.
When a person is let go from a job, according to the GDPR rules, all of their company emails and data would be turned over to the person, not the business. This is a big shift in how most businesses handle data management, but greatly benefits the individual’s right to privacy. All the emails and text messages would be owned by the user, not the organization that owns the device.
However, this should not be a feared change for businesses and advertisers. If you’re targeting users, there are some positives for you, including more segmented audiences for targeting and more viable, earned contacts, as all users must Opt-In for email and other communications. In addition, organizations that are GDPR compliant will gain a competitive advantage in international deals compared to those who aren’t up to code.
But I could talk all day about GDPR. In fact, I will. Pay attention in a few weeks for another feature on GDPR.
Anyway, let’s get back to Facebook.
Zuckerberg stated several times that Facebook currently complies in full with the new GDPR rules for European users, and as I mentioned, they would be more than willing to comply for US users, as well. Zuckerburg also mentioned overreaching regulations wouldn’t hurt the giants like Facebook or Google, rather they’d be bad for new businesses and companies that don’t boast the same quantity of resources.
And while the result would ideally be great for customers, strict regulations would be more of a double-edged sword than a solution. It will be fairly easy for Facebook and Google to comply, and much more difficult for new start-ups to manage.
Ultimately, the hearings last week will likely result in little more than another slap on the wrist for the social network, if you consider 7 figure fines a wrist slap. That is, at least until the government can figure out the best way to move forward with data security regulations. Could they adopt a similar rule as GDPR? I think that’s very possible.
And you? What does this breach actually mean to you?
The first thing – your data is out there, and it’s likely been accessed by many businesses and marketers to help create custom advertising audiences. You should definitely check to see if you were included in the CA breach. Another easy step is to close off the permissions to the other apps you use in your Facebook settings. These two are basic steps to help you maintain your privacy online, but the best way is to simply share fewer details.
When talking with my marketing team, it was evident that I’m among the rare social users who don’t click on many ads, don’t share access with many apps (only 3 currently have access for me), and generally, I’m more of a ghost than an active participant. And even my data dump was substantial. My team’s data extended far beyond my own, so my final takeaway for you is simple.
Be cognizant of what you’re sharing online, because the internet is forever, and your data is more than just YOUR data.
If you’d like to read more of my industry thoughts, check out my recent articles: