Who Is Using Your Data?

Zuckerberg: Yeah so if you ever need info about anyone at Harvard Just ask. I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend’s Name]: What? How’d you manage that one?

Zuckerberg: People just submitted it. I don’t know why. They “trust me”.

Zuckerberg: Dumb f**ks.

This was an ironically leaked series of messages between 19 year old Zuckerberg and a friend back when it was still called “The Facebook”. The messages were leaked and made headlines back in 2010 when Facebook was undergoing a “new round” of scrutiny over what Business Insider described as “their cavalier attitude toward user privacy”. It seems nothing has changed in the past decade as new round after new round of security leaks and data mismanagement has created a groundhog day of people being shocked that Facebook could ever betray them in such a way.

The 2018 edition of this cycle has included the biggest leak yet. Facebook user data was scraped by a third party using a Facebook personality test app called “This is your digital life”. While only 270,000 users used the app, it took advantage of a hole in Facebook’s privacy permissions that allowed those 270k users to also give permission to scrape the data of everyone on their friends list.

This resulted in up to 87 million users data to be harvested. Locally only about 10 kiwis used the app but our two degrees of separation from each other ended up getting 63,714 New Zealanders data stolen.

The info scraped from the app by its creators was sold to UK based Cambridge Analytica, who then used the data to create highly targeted political adverts for the Ted Cruz political campaign.

After his campaign flopped, the firm started to help the Trump campaign. The firm’s CEO told news broadcasters in 2016 that it had been responsible for the “Defeat Crooked Hillary” video campaign on Facebook. This brings real life consequences to the table, where Facebook’s security hole may have helped elect Donald Trump as president. Not only that but dreaded “foreign actors” could have a hand in swinging elections and public discourse in another country. Unless you’re numb to this sort of news already, it should give us all pause for thought as we continue to throw our backstabbing gripes about our workmates into the ether alongside our porn watching habits. That data could help get someone elected.

The permission gap was put in place for third party developers to take advantage of in 2010. To stop developers from using this information for nefarious purposes Facebook had terms and conditions that made the devs scouts honour promise not to do anything bad with it.

We could (and should) place the blame on shoddy privacy by management on the various tech giants that make our lives so convenient, but at the same time we should also take some good old fashioned personal responsibility. But it’s not easy, not if you want to be truly secure. Before you even have a chance to log into Facebook, your Internet Service Provider can see where you’re going and we’re not even considering things like text messages getting sniffed by your local cell provider yet.

Not being able to trust your providers is paralysing. Before long you’re wearing a tinfoil hat, operating on a cash only basis and not using a cellphone because you can never really be sure if turning your GPS off really turns it off.

Edward Snowden, the whistleblower of Five Eyes and other NSA programs, realised this. “We rely on the ability to trust our communications,” he said in 2014 at SXSW. “Without that we don’t have anything. Our economy cannot succeed.”

Outside of the internet, we’re quite trusting of the facilities we use. Your medical records aren’t being sold off in bulk and libraries aren’t creating psychometric profiles on you based on your borrowed books. But this trust has been too easily given to Silicon Valley who’s been too excited till now to realise what can be done with our data when it’s been gathered at such a massive scale.

Herd Security

Looking at your data on a personal level does make it seem sort of trivial. You might not think it’s worth the time and effort because you’re not a terrorist, you already know who you’re going to vote for (because you’ve been voting for the same people for years anyway), and you’ve got nothing to hide.

But we need to start considering our security on a larger level, herd security, if you will.

Much like herd immunity if more of us put an emphasis on personal security it would mitigate the leaks that do occur. Checking permissions on apps, downloading privacy plugins like Ghostery, and making sure your friends can’t tag your face in every single photo can make all the difference. In the case of the 10 Kiwis who fell prey to Cambridge Analytica, one person not doing the quiz would have protected 6,400 of their peers.

Likewise, targeted political campaigns and propaganda would have a hard time penetrating a significant amount of people. With 20/20 hindsight, peoples actions five years ago could have protected their peers from being bombarded by Kruz and Trump ads (and nothing is stopping the left from getting in on the action either).

This concept of Herd Security isn’t just applicable to us individuals either, as Alexandra Samuel points out in the Harvard Business Review “Online security is only successful if every company does its part.”

She says this in regards to Snowden’s message at SXSW, who believed it took a critical mass of people and companies to protect the whole. While there’s a small cost for each of us involved to keep our information locked down, it all benefits the whole. If we take the extra steps necessary, it means more money and emphasis is being poured into security technology. This investment allows security tools to innovate, become easier to use by the mainstream, and more importantly keep up with black hats wanting to nick all your information.

Time to Regulate

These seem like utopian ideals, that somehow the free market and a little personal responsibility can create the ideal conditions for corporations to start caring about not letting our data fall into the wrong hands. As much as I hate to say it, the more realistic cure for our current problems will have to be rules and regulations put in place by governments. Silicon Valley has had a good couple decades being cowboys in the wild west of the internet, but maybe it’s time to settle down.

As this article was getting put together, Zuckerberg sat in front of senate to be interrogated over the Cambridge Analytica leak. The Senate have looked toward Zuckerberg for guidance for the best ways to navigate the tech landscape to protect consumers. Surely he must have learnt something from his mistakes right?

America isn’t the first to start thinking about this. Moves have already been made in Europe with the General Data Protection Regulation which will be going into effect in late May. The law has been designed to harmonize data privacy laws across Europe and to protect EU citizens data privacy. Breaches of security will require companies to inform those affected within 72 hours. Failure to work within these rules can result in a fine of 4% of annual global turnover or €20 Million, whichever is greater.

“I am not sure we shouldn’t be regulated,” Zuckerberg told Senators. “If it’s the right regulation, we’ll welcome it. I think that’s a discussion that needs to happen.”

Zuckerberg told the hearing that “It will take some time to work through all of the changes we need to make, but I’m committed to getting it right.”

Senator Blumenthal wasn’t sucked in by this heartfelt promise to “getting it right.” During the hearing he announced that he alongside Senator Markey will bring in their own privacy bill, designed to protect American consumers online against organisations like Facebook and Google. “I don’t see how you can change your business model to maximize profit over privacy,” Blumenthal said “unless there are specific rules from an outside agency. I have no assurance that these vague commitments will produce any action.”

Blumenthal may not need to do too much legwork on his bill however. Zuckerberg has already committed Facebook to follow the European GDPR laws, so we can expect many of the security features to be rolled out globally.

The Way Ahead

Lawmakers and tech leaders are all feeling in the dark for the way ahead, since there’s no clear roadmap. The Mozilla Foundation had the same problem when compiling their Internet Health Report which was released in early April of 2018. It’s a White Paper outlining the security, privacy, safety, and decentralization of the web. The researchers were having trouble tackling the problems with “fake news” until eventually Executive Director Mark Surman jotted down these notes onto a napkin:

This overview helped give the research in that area direction and slotted it into the bigger picture of the report.

But more importantly “This process also served as a reminder that the internet is a complex social, business and technical ecosystem: a living system made up of computers and data and humans.” said Surman.

Any laws put in place are likely to have ripple effects across the web. Stringent regulations Facebook are able to handle due to it’s sheer manpower may not be so easily overcome by smaller startups and new players.

At the moment our information is siloed with far too few players. In the west, it’s Google, Facebook and Amazon while in China you’re contending with Baidu, Tencent and Alibaba.

Now you can probably already imagine what Google could do with it’s information about you, but as Chrome has become the go-to browser, Google can begin to call the shots on web standards. This, as the report points out, means they can push for “standards or formats that other browsers can’t or don’t want to deliver on,” further squeezing out competition.

What You Can Do

As a business owner, the best way to protect a users data is by not having it. Only keep information about your customers you actually require for the operation for your business. No need to keep a PR disaster lying around waiting to happen.

On a personal level, things you can do right now to protect yourself (and the herd) is to switch to a new browser like Firefox with the unblock origin and Ghostery plugins. Limit how many Google services you use. Perhaps switch to a new search engine like duckduckgo.com which doesn’t track and gather data on you. Keep your chats private with the Signal messaging app. Speed up your browsing as well as keeping it private by setting up https://1.1.1.1/ on your devices.

All of the above suggestions are easy to turn on and forget about but if you’re truly brave consider dropping some of your social media accounts. But I could never ask you to do something so drastic.

Oh, and remember that series of incriminating messages from Zuckerberg at the start of this article? The ones calling us all ‘dumb f**ks’ for giving him all our information? Since that time, Zuckerberg has had a system in place which deletes his messages from other people’s inboxes after a certain period of time. Evidently, Zuckerberg sees the value in privacy after all.