July 10, 2018

Episode 4: 50 Shades of Facebook - Privacy, Snooping and You

50 types of data that Facebook is collecting from you. The wrong practices Facebook has been conducting since its foundation and how these activities affect privacy of 2.2 billion people around the globe.

Episode 4: 50 Shades of Facebook - Privacy, Snooping and You

In this Episode Nikoloz talks about 50 types of data that Facebook is collecting from you, sometimes without you even knowing it. We will discuss the wrong practices that this company has been conducting since its foundation and how these activities affect privacy of 2.2 billion people around the globe.

Other ways to listen:

Anchor    Apple Podcasts (iTunes)    Google Podcasts    Breaker    CastBox    Pocket Casts    Radio Public    Spotify    Stitcher    RSS

Transcript

Privacy, Snooping and 50 Shades of Facebook

Facebook… the uncontrollable machine with only desire to get its hands on following data:

Available storage space

Background applications

Battery level

Beacons

Bluetooth signals

Browser type

Browsing history

Calls

Camera

Cell towers

Contacts

Cookies

Data usage

Device IDs

Device operations

Device signals

Devices

Dislikes

DNS

Family

Files on your devices and their types

Foreground applications

Friends

Friends of your friends

Friends of your friends friends (if that makes sense)

GPS location

Hardware and software versions

Identifiers from games and apps you use

Identifiers from other accounts you use

Installed applications

Internet behavior

IP addresses

Likes

Location

Messages

Metadata

Mouse movements

Nearby Wi-Fi access points

Network connectivity

Operating system

Personal interests

Photos

Plugins

Purchase history

Relationships

Signal strength

SMS

Unique identifiers

Voice

Work history

 

And more.

Whooh! That was quite a list was not it? And that's only the tip of the iceberg.

Imagine how much power you would have over me and my future decisions if you had been collecting this data for past 10 years, without clearly informing me about it. Meaning that you would be snooping on me during my normal personal life, because I am not changing my behavior to avoid your eyes and ears, I consider that you are trustworthy person since I am not aware of how far you can go and I assume that you would at least act in legal terms and good faith.

With this kind of data, you could conduct an analytical research about my behaviors. I bet your chances of guessing where I would be tomorrow, what movie I would watch and what restaurant I would most likely visit, would increase dramatically. With this information you would be able to successfully sell me a product, make me watch a movie trailer that I might like and even influence me to visit a restaurant nearby which is serving great pasta, because you know from my pictures and messages that I love pasta.

I think you could even go little bit further and make some extra money, by selling this information to other persons or companies who might be interested in selling me something, so you will still retain data but would provide access to other parties and the data would be always up-to-date and fresh to sell.

Let's say you provide access to my 50 types of data, which is probably significant amount of my personal life, for 10 EUR per month for an individual subscription. I can already imagine the advertisement “Freshly bits of Nikoloz's personal life! Only for 10 EUR". Sounds nice, right? But let's be frank, 10 EUR will probably buy you, what? 3 coffees at max... 3 coffees will not pay your bills. But what if there were 100 companies and persons who would want to sell me something or want to affect my behavior or just had a fetish of stalking me every second? What if there were thousands of them? Would you allow thousand persons and companies to access my personal life without you explicitly notifying me? Of course, you would, I am a sheep to you who has been spied on for over a decade without even doubting in your service. What could go wrong? I will not suddenly become a wolf now, will I? And with that in mind you start making around 10 000 EUR per month. Not shabby, not too shabby at all.

So, you have a business model that brings you significant monthly income, but something is really bugging you, you have limited number of customers and 10.000 EUR is not enough for you, because I might not be a good target for a Fish restaurant, I love pasta do you remember? You are missing an opportunity to make 10.000 EUR extra. Now you are getting a brilliant idea... You know I am messaging my friend John constantly and he loves fish. Only thing he talks about is fish. He called me last week to mention the great fish soup he ate at the restaurant and since you monitor my calls you are already aware about it.

Hmmm...

“Maybe Fish restaurant is not interested in Nikoloz but it would be surely interested in John.” You think. So, you start spying on John as well, you gather data, combine it with 10 years of calls, messages and pictures of me with John and voila! You can now sell John's data to Fish restaurant and make 10.000 EUR more.

With this you could lay a road to building a multimillion EUR empire or even multi billion. Good job! You are a smart guy or girl who realized the American dream, congrats!

But what if I was the one in control and you were my product, I was the one having all this information for over a decade and was making money out of you, while you are just using my free services? What if I was advertising "Freshly bits of Your personal life! Only for 10 EUR" I would be spying on your calls, seeing where you are located, what plans do you have, listening to when you speak, even if you were not an actively using my service? I would be providing real time access to this data to thousands of companies and individuals. Some of them with just intentions to sell you something, offer you products and services, and others to influence your decisions, behaviors and just cyber stalk you? What if I was conducting same operations on your kids, family members, friends and their friends without you even realizing it? Would you still use my service?

…I think you would, because you have been comfortable using my services for free for last decade, everyone else you know is using same services for communication, because you were the one telling your friends how awesome Nikolozbook is and you would be afraid to lose this integrity. You would be afraid to make an independent decision to quit and I would be victorious and you would be the same old user that you were 10 years ago, represented as an ID in my database.

That's dear listeners are why hardly any user has deleted their Facebook accounts after Cambridge Analytica incident and why Facebook is back to pre-Cambridge Analytica scandal stock prices as of May 10 and rising. Well, even #DeleteFacebook campaign did not help.

I will not dive deep into Cambridge Analytica, because I guess most of you should be familiar with the story so I will just do a brief recap:

In March 2018, multiple media outlets broke news of Cambridge Analytica's business practices. The personal data of approximately 87 million Facebook users were acquired via the 270,000 Facebook users who used a Facebook app called "This Is Your Digital Life". Facebook gave this third-party app permission to acquire their data, back in 2015, this also gave the app access to information on the user's friends network; this resulted in the data of about 87 million users, the majority of whom had not explicitly given Cambridge Analytica permission to access their data, being collected. Later this data was allegedly used by Trump campaign advisers to influence elections. At that time Facebook stated that it already cut off third-party access to its users' data and their friends in May 2015.

Later Facebook's CEO Mark Zuckerberg went on a brand-new apology spree, saying traditional "we are sorry" in a Capitol Hill testimony and also during his appearance in European Parliament. But was he really sorry? Is Facebook doing anything substantial to improve user's control over their data and life that they are sharing with the service? Has anything changed to better during last years? I guess nothing, only thing that changed is that Facebook widened its arsenal for getting even more data from you. But about this later.

Let's talk about latest developments from Facebook, to understand how the privacy monster has "improved" since March.

Between May 18 and May 22, about 14 million Facebook users around the world had their default sharing setting for all new posts set to public. Facebook posts typically default to the last "audience" a post was shared with, such as family members, friends, or friends except their boss. But this bug exposed all posts between May 18 and May 22 to public. So if you were posting something bad about your boss during that period you need to be worried. It's interesting how exposing private posts of 14 million people is considered a "bug" but not a privacy violation.

You remember how Facebook stopped letting other companies access your friends' data in 2015 -- right? That's what they said in March. But The Wall Street Journal reported back in June that Facebook cut special deals with some companies that let them continue to access data on its users' friends. Companies included Amazon, Apple, Microsoft, Samsung, Huawei, ZTE, BlackBerry and many personal data hungry players.

On June 22nd Facebook admitted that roughly 3 percent of apps on Facebook Analytics had their weekly summary information leaked to outsiders. These reports contained three metrics about the apps -- the number of new users, weekly active users and page views, and were mistakenly sent to people identified as "testers". Of course, this incident was also followed up with an apology, this time Facebook spokesman Joe Osborne said "We're sorry for the error and have updated our system to prevent it from happening again."

A different third-party quiz app, called NameTests, found exposing data of up to 120 million Facebook users to anyone who happened to find it, an ethical hacker revealed by the end of June. NameTests[.]com, the website behind popular social quizzes, like "Which Disney Princess Are You?" that has around 120 million monthly users, uses Facebook’s app platform to offer a fast way to sign up. A bug bounty hunter and ethical hacker, found that the popular quiz website was leaking logged-in user’s detail to the other websites opened in the same browser, allowing any malicious website to obtain that data easily. So what happened? Apparently storing user data in JavaScript file caused the website to leak data to other websites, which is otherwise not possible due to browser’s Cross-Origin Resource Sharing (CORS) policy that prevents a website from reading the content of other websites without their explicit permission.

In the beginning of July Facebook again has admitted that the company gave dozens of tech companies and app developers special access to its users' data after publicly saying it had restricted outside companies to access such data back in 2015. This is clearly stated in a 747-page long document [PDF] delivered to Congress by the end of June, where Facebook admits that it continued sharing data with 61 hardware and software makers, as well as app developers after 2015 as well.

On July 2nd the federal investigation into data mining firm Cambridge Analytica and its relationship to Facebook has been expanded to include an examination into the social network itself. Apparently, investigators want to know whether members of the social network lied to lawmakers, the public, and investors about the massive data privacy scandal that broke back in March. Separately, Facebook remains under investigation by the Federal Trade Commission over its privacy practices and whether the social network violated the agency’s consent decree, which Facebook signed in 2011.

As this was not enough to uncover Facebooks hypocrisy, again on July 2nd Facebook disclosed a new “bug” on Monday that temporarily let some users who’d been blocked on the service send messages to the people who had blocked them. The bug also let some previously-blocked users view posts that were shared “to a wider audience,” such as publicly or with friends of friends, Facebook said.

Surprisingly after all these events Facebook dares to publish a full-page advertisement on major newspapers such as the Telegraph of the UK, saying: Data misuse is not our friend. Facebook is changing.

Even if Facebook was interested in protecting your personal life, which they are obviously not, the developers and third-parties will not take similar precautions or responsibility to do so. And imagine all the third-party application that your children, friends and family members are using, even if you do not sign up for such applications their activities will directly impact your personal data and your personal life. Let me remind you about an automatic facial recognition feature that compares newly uploaded photographs to those of the uploader's Facebook friends, in order to suggest photo tags giving an invasive ability to Facebook for discovering people via your photos even without tagging them. Tracking of non-members of Facebook via tracking cookies. 63% of Facebook profiles are automatically set "visible to the public", meaning anyone can access the profiles that users have updated. It is even affecting families all around the world. According to a 2009 survey in the UK, around 20 percent of divorce petitions included some kind of reference to Facebook.

Who can forget daily brainwashing with Fake news, large number of censorships set out by Facebook on various occasions?

Apparently, Facebook has a policy to censor anything related to Kurdish opposition against Turkey, such as maps of Kurdistan and flags of opposing parties (such as PKK and YPG). In 2015 Facebook started to automatically ban accounts that use the word "moskal", which may be seen offensive by some Russian individuals. However, use of similar words such as "khokhol", which are widely used by Russian nationalists against Ukrainians were not prosecuted.

In September 2016, a Norwegian newspaper has published an open letter to Zuckerberg after banning "Napalm Girl", a Pulitzer Prize-winning documentary photograph from the Vietnam War made by Nick Ut. Half of the ministers in the Norwegian government shared the famous Nick Ut photo on their Facebook pages, among them prime minister Erna Solberg from the Conservative Party (Høyre). But after only a few hours, several of the Facebook posts, including the Prime Minister's post, were deleted by Facebook.

Now some of you might ask “What about the Gmail news last week where third parties were able to access and read user’s emails? Why are no you talking about it and blaming only Facebook?” Okay. You asked for it.

In the last week the Wall Street Journal reported that Third-party app developers can read the emails of millions of Gmail users. Gmail’s access settings allows data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans — and not just computers — to read your emails.

Many of my connections on LinkedIn were very worryingly sharing the news on their feed, claiming that Google has betrayed their trust and some of them even were announcing of closing their accounts.

There are two key points in this story. First, if you have ever used Gmail and tried integrating it with other application, you might have noticed that every single application explicitly asks for your permission and states that this application is going to read your emails and asks if you accept it very clearly. If you decline, then the application will not be integrated and you are safe, otherwise the permissions is given. For example, if you have ever used a service like unroll.me, application which unsubscribes you from desired emails, you are going to want to review list of applications that you have granted permissions to read your emails. I mentioned that you would be safe if you declined application’s access by that I meant that third-party application will not read your emails, but Google is always reading it and developing new A.I. features by snooping on your emails and activities. Have a look at inbox application as an example.

Second point that I want to emphasize is that I am not defending Google in any way, quite opposite, I think that thanks to Google Search, Google Analytics, Android and various types of applications and services that Google is offering, they might be even bigger personal data mongers and privacy monsters than Facebook.

Now let’s have a look at how truly Facebook is changing. In the end of June, Facebook has filed to patent a system that can remotely activate the microphone on someone’s phone using inaudible signals broadcast via a television. The patent application describes a system where an audio fingerprint embedded in TV shows or ads, inaudible to human ears, would trigger the phone, tablet or long-rumored smart speaker to turn on the microphone and start recording “ambient audio of the content item”. The recording could then be matched to a database of content to allow Facebook to identify what the individual was watching – like Shazam for TV, but without the individual choosing to activate the system.

A review of hundreds of Facebook’s patent applications conducted by New York Times, reveals that the company has considered tracking almost every aspect of its users’ lives: where you are, who you spend time with, whether you’re in a romantic relationship, which brands and politicians you’re talking about. One of them describes using forward-facing cameras to analyze your expressions and detect whether you’re bored or surprised by what you see on your feed. The company has even attempted to patent a method for predicting when your friends will die.

Facebook has said repeatedly that its patent applications should not be taken as indications of future product plans. Let’s have a look at this article from New York Times and most importantly at 7 patents from Facebook:

Number 1: Reading your relationships

One patent application discusses predicting whether you’re in a romantic relationship using information such as how many times you visit another user’s page, the number of people in your profile picture and the percentage of your friends of a different gender.

Number 2: Classifying your personality

Another proposes using your posts and messages to infer personality traits. It describes judging your degree of extroversion, openness or emotional stability, then using those characteristics to select which news stories or ads to display.

Number 3: Predicting your future

This patent application describes using your posts and messages, in addition to your credit card transactions and location, to predict when a major life event, such as a birth, death or graduation, is likely to occur.

Number 4: Identifying your camera

Another considers analyzing pictures to create a unique camera “signature” using faulty pixels or lens scratches. That signature could be used to figure out that you know someone who uploads pictures taken on your device, even if you weren’t previously connected. Or it might be used to guess the “affinity” between you and a friend based on how frequently you use the same camera.

Number 5: Listening to your environment

This patent application explores using your phone microphone to identify the television shows you watched and whether ads were muted. It also proposes using the electrical interference pattern created by your television power cable to guess which show is playing.

Number 6: Tracking your routine

Another patent application discusses tracking your weekly routine and sending notifications to other users of deviations from the routine. In addition, it describes using your phone’s location in the middle of the night to establish where you live.

Number 7: Inferring your habits

This patent proposes correlating the location of your phone to locations of your friends’ phones to deduce whom you socialize with most often. It also proposes monitoring when your phone is stationary to track how many hours you sleep.

Now, these patents might never go live in Facebook services, but it definitely provides us with a good idea of how this company is thinking and how they want to spy on you in ways that you might never expect. After all 99% of Facebook’s revenue comes from advertisement, and all they need to be focused is to gather more and more data and innovate new ways for doing this.

Clearly, Facebook has become a heavily biased censorship machine that does not comply with laws, good faith, privacy and especially user’s expectations. It is a non-regulated data mongering beast that forms your thoughts the way it feels right and manipulates your opinions with the help of technology and A. I. A company that operates personal data of 2.2 billion monthly users, roughly a third of the world population, a company that has severely breached users privacy countless times, a privacy monster that is famous for its experiments on its users behaviors and who is very sorry for manipulating you and lying to you every time it has an opportunity, a company that allegedly decides who you vote for and promises to improve on every now and then, a company that had 7 severe incidents of exposure of their users personal data in past 4 months. And surprisingly people are still using it, for some users quitting social networking sites has become comparable to quitting smoking or giving up alcohol. People are addicted to free services while not realizing that they have been a product for all along, they were by themselves selling their own rights to privacy and the rights of their friends, family and children for free, they are manipulated into making choices as decided by the software in the cloud.

Don't forget to subscribe below, stay up-to-date with latest podcasts and other developments!