Let’s perform a small experiment. You’ve probably heard of haveibeenpwned.com, a site that tells you whether an email address you use has appeared in a known data breach; all you have to do is enter it on the front page. It can be a private or a business address. Start with a private one, because most of us use private email addresses for social network accounts, accounts on various sites, Steam accounts and the other digital accounts we rely on. But since well-known companies that sell tools to businesses, Dropbox among them, have also had their servers breached and user accounts stolen, it is worth checking whether your business email address was part of a breach as well.
The chances are you have already used the service (out of curiosity, like most of us) and found that your personal data has been leaked, because we live in a world dominated by digital presence, by companies that base their services on the web, and by ever new ways to steal someone’s personal details. The personal email address we entered turned up in three major leaks: the Dropbox breach of 2012, the Last.fm breach that also took place in 2012, and Nexus Mods (a game modding site covering popular games such as Skyrim, Fallout and The Witcher 3). That is not a bad result when you consider that the site lists 275 breached websites. Our business email address, luckily, hasn’t been pwned. One caveat a security practitioner would add: a clean result only means the address does not appear in a breach the site has indexed, not that it has never been exposed, so it should not be read as proof of safety.
Facebook, Cambridge Analytica and the misuse of private data of 50 million Facebook users
Facebook is still the most popular social network in the world. Although it saw a steady decline in younger users in Western markets last year, it keeps gaining users in Asia, which has become its largest region. Whatever the exact numbers, Facebook has more than 2 billion active users, and every one of them gives the company access to their private data; more on that later.
Before delving into Facebook’s Terms and Conditions, let’s talk about the latest incident, which involved all kinds of private data from 50 million Facebook users (a figure Facebook later revised to as many as 87 million). Of course, the company didn’t characterize this massive scandal as a data breach, and technically it isn’t one.
You see, Facebook’s Terms and Conditions allow the company to gather and store all kinds of user data. Your photos, your likes, your activity on Facebook (and, through its embedded buttons and trackers, across the wider web), the pages you visit, the purchases you make online, your contact list, even your location: it is all stored on Facebook’s servers and used for one main purpose, giving the network better data for advertising. Names are unimportant here. What matters is the data: your age group, your gender, where you live, which brands you like, everything but your name. The profiles the company uses to target ads work perfectly well without names, and we aren’t even numbers to it. For Facebook (and other social networks and many online services) we are just nodes filled with lucrative data, and the goal is to make those nodes spend more money and raise the profit margin.
Once you know all this, it is easier to understand the next part of the Cambridge Analytica scandal, and why it can’t be called a data breach. Facebook lets app developers and page owners read user data through its platform, within the permissions a user grants when they log in with Facebook or install an app. And under the API rules in force in 2014 (when the personal data of those 50 million users was gathered), an app could also pull profile data of the user’s friends, who had never installed it; Facebook deprecated that access in April 2014 and cut it off for existing apps in 2015. So an app developer could learn a great deal about you, and about your friends, the moment you used the Facebook Login feature or took one of the numerous quizzes that pop up while you browse your News Feed.
One of those apps was developed by Dr. Aleksandr Kogan, a psychologist at the University of Cambridge. His app used the Facebook Login feature and was installed by around 270,000 users. Because in 2014, when Kogan gathered the data, Facebook still let developers read the data of an app user’s friends, he ended up with data on roughly 50 million Facebook users. That highly personal data was then used to build psychometric profiles (maps of users’ personality traits) that could, in theory, allow Cambridge Analytica, a political data firm hired by Donald Trump’s 2016 election campaign, to influence user behaviour as well as political views.
In practice, this is highly unlikely to work as advertised. The human mind is a complicated thing, and personality traits don’t determine behaviour strongly enough to let anyone steer people’s opinions at will. But the fact remains that one person gathered private data on 50 million people and then handed it to a political data firm, which used it to try to influence voters. That is highly unethical and highly troubling. Kogan collected the data because the platform allowed it; once he passed it to Cambridge Analytica, he violated Facebook’s platform terms. So in the end it wasn’t a data breach, just the mishandling of private user data. If you think about it, that’s even worse.
It’s worse because Facebook hands user data to anyone who integrates Facebook Login into their app or runs an app or page on the platform, subject only to a permissions dialog that few users read. In other words, not only Facebook has your data, but numerous other individuals as well. And who knows how many of them misused it for their own ends and never got caught? This raises the question of moral responsibility when you hold a huge store of private data. Should you allow third parties access to it, and should you allow that access in such a simple way? All anyone has to do to start building their own private database is create a simple quiz, questionnaire or other trivial app, and that’s it. Sure, your database will be a lot smaller than Facebook’s, but for some experiments and advertising researchers a couple of thousand users and their private data is more than enough. And when it is known that people at Facebook ran all kinds of social experiments on their own users (some of them highly disturbing and unethical), just imagine what can be done with users’ private data once it gets into the wrong hands.
User data is the oil of the 21st century
Let’s talk a bit about selling user data to third parties. If you visit big.exchange you will see that the company runs a platform for buying and selling user data. Yes, you read that right: it lets individuals and companies trade databases containing all kinds of private information about their users. The site does explain that the data is encrypted while stored on its servers and that buyers won’t receive personal details about individual users, only “behavioral data like URLs visited and search queries and sociodemo data like gender and interests.”
So, as we said, our names don’t matter, but everything else does: the sites we visit, the pages we like, the platforms we have accounts on, our gender and age group, and much other information that some (if not all) users would consider private. Even if your name or home address isn’t used, selling your data is not something morally positive, but it is legal. And stripping names is weaker protection than it looks: behavioural data tied to a persistent identifier can often be re-identified once it is joined with other datasets, a result that has been demonstrated repeatedly on “anonymized” browsing, location and viewing histories. On a larger scale, this and the other practices that use databases drawn from large groups of users for research, advertising, social experiments or something else mean that we, as humanity, live in a world where privacy is slowly becoming a relic of the past.
Sure, the big companies don’t know your name, but they don’t need it. Based on your age group, gender, location and what you do online, they can completely customize your experience while you browse Facebook, read the latest tweets or check out Instagram. And the worst thing is that Facebook, in particular, has your name on top of everything else, which lets the company run social experiments on highly specific user samples (or shall we say unwilling participants).
And let’s think for a minute about how many cases of user data misuse Facebook never became aware of. Kogan and his questionnaire gathered data from 50 million users, he later handed it to a major analytics firm, and Facebook, which learned of the transfer in 2015, settled for asking that the data be deleted. But what if an individual creates an app, harvests data from a much smaller number of users and then sells it to an ad company? That is entirely plausible, and because of Facebook’s immensely powerful ad targeting tools, an ad company (or an experimental psychologist, for instance) can simply hire a programmer, have them build a simple app (a quiz, a questionnaire or something similar), target a highly specific group, say unemployed males aged 20 to 25 living in and around Göttingen, Germany, who liked pro-marijuana pages, and then run research on the collected data or build targeted ads from it. The possibilities are endless and privacy is nowhere to be seen. It has been done for years!
And there is, of course, a black market for stolen user data. Passwords, social network accounts, data harvested by smartphone apps, medical records, credit card details, you name it. The market is huge and you can buy practically anything there. Even data from supposedly secure sources, such as Apple IDs, isn’t safe. Facebook details and likes are probably not listed there, because they can be obtained so easily: create an app, target your audience and wait for people to take the quiz. It’s that simple. In the 21st century, user data, not oil, is the commodity that drives the economy forward.
Facebook isn’t alone in this
While Facebook was, and still is, the most controversial social network of them all when it comes to handling user data and using its user base for social experiments, it is not the only social network or large online company mishandling private data.
Google, Twitter, LinkedIn, Instagram (owned by Facebook), Snapchat and all kinds of other online platforms hold highly sensitive private data on their servers, and it could be stolen at any time. Some of them have already suffered data breaches, like LinkedIn and Snapchat, and more than 360 million MySpace user credentials surfaced online. Many social networks have had weak security controls and cannot even reliably identify the fake accounts on their own platforms.
And many threats cannot be recognized until it is too late. That’s the case with the numerous Facebook scams, Twitter bots stealing user data, Snapchat’s poor defaults that let anyone send you a friend request (and teens, the bulk of Snapchat’s users, will almost certainly accept any friend request), and the many other social network weaknesses exploited all over the world. Google uses all kinds of data from its users, and numerous apps on Android and on the web also have access to that data (just check the permissions you have granted to the various apps installed on your smartphone). So when a breach happens, who is responsible?
Individual responsibility and data protection in a global village where every house has different laws
When a data breach happens, CEOs are the ones likely to be blamed. Many of them did take responsibility, but the penalties they face are sometimes laughable. Marissa Mayer, Yahoo’s CEO, took a pay cut but kept her job after the biggest data breach in history, in which more than a billion user accounts were compromised!
And then we come to the problem of globalization. Social networks operate on a global scale, yet we live in more than two hundred countries, each with its own set of laws, and many of them have no laws on internet privacy and data breaches at all. Lots of countries are still trying to keep their heads above the crushing waves of the last economic crisis and the sad reality of uneven distribution of goods in the modern world, with growing shortages of drinking water and food, and they have neither the time nor the resources to hire experts to draft such laws, let alone enforce them. And many countries, like the US, have some sort of consumer privacy law, but those laws are imperfect, to say the least.
The EU and its General Data Protection Regulation (GDPR) are a move in the right direction for personal privacy. When GDPR goes into effect on May 25, 2018, “every company that does business with citizens of EU member countries will be required to notify authorities of a data breach within 72 hours of discovering the event or face stiff fines. The rule applies to any company, located inside or outside the EU, that offers products or services to citizens of EU member countries, and that collect, process and hold personal data of EU citizens.” Russia’s law on personal data requires companies to keep Russian users’ data on servers located inside the country, which is an excellent solution in theory but can lead to problems in practice. If a company doesn’t move its servers to Russia, the authorities block it, as happened with LinkedIn. But that law contains no measures to counter data breaches and does not force companies to notify authorities when a breach happens, as GDPR does.
Overall, laws on personal privacy are scarce, and many countries either don’t have them, don’t enforce them, or have them but they aren’t good enough. And since we live in a global village where each house runs by its own laws, global accountability, where CEOs take the blame and the penalties and companies face charges and fines, is practically nonexistent. We will see how GDPR works once it is in full effect, but even if the regulation proves effective, most countries won’t be able to protect their residents’ online privacy on a global scale. So, what can we do?
It all comes down to personal responsibility
Yes, the servers where personal data is kept are secured in many ways, but they can still be hacked. Many large companies have faced cyber-attacks and the trend will continue. No matter how well private data is secured, it can be stolen. Data protection exists, but it is not an all-powerful measure capable of stopping everyone. Intelligence agencies such as the NSA have obtained data from large internet companies before, as the Snowden documents showed, and may well still have such access. And we, the users, often behave in a way that contradicts the belief that most people cherish and value their privacy.
So when it comes to online privacy and the protection of our own personal data, the ultimate responsibility is ours, not that of some CEO of some social network on which you put your whole life on a plate for everyone to see. Our online behaviour matters. If you want to keep your privacy, don’t fill in silly Facebook quizzes and don’t enter your personal data. A person can live without Facebook. Twitter is a great source of information, but that doesn’t mean you have to create an account under your real name.
Next, avoid unsecured sites. Modern browsers show when your connection is encrypted (a small padlock icon next to the site’s address), so stay away from sites labelled as not secure, and if you do visit one, don’t leave any kind of personal information (usernames, passwords, credit card details and so on) on it. Keep in mind what the padlock actually means: the traffic is encrypted and the certificate matches the domain, nothing more. Phishing sites get valid certificates too, so the padlock says nothing about whether the site itself is trustworthy. Use a password manager, and when you discover that a service you have an account on has been compromised, change that password immediately, even if your account wasn’t part of the breach, and change it anywhere else you reused it. Two-step verification is also an extremely useful tool for keeping your private data safe; enable it on every service that offers it, and prefer an authenticator app or hardware key over SMS codes, which can be intercepted or hijacked via SIM swapping.
Be responsible: your online data is as important as your passport, your ID card or your medical record. Don’t hand your privacy to social networks on a plate. Billions of people have already done that, and more will follow. Don’t be one of them.
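The haveibeenpwned.com experiment at the start of this article and the advice above about changing compromised passwords both raise the question of how to check a password against breach data without handing that password to a third party. The service answers it with its Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix in that bucket, and does the matching locally, so the service never learns the full hash, let alone the password. The following is an added example written for this page, not code from the article or from Have I Been Pwned. The response format (one `SUFFIX:COUNT` line per entry) and the `Add-Padding` request header follow the public API documentation; the sample response body, the counts in it and the function names are constructed for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for the prefix "5BAA6", which is the
# first five hex characters of SHA-1("password"). A real response has hundreds
# of lines; the suffixes other than the "password" one and all counts here are
# made up for the example. Entries with count 0 are what the service returns as
# padding when Add-Padding is requested, so they must never count as a hit.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F1C0C5C8B2D4F4B3C2E1D0A9F8E7D6C5B4:0",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """5-character prefix that leaves the machine, 35-character suffix that stays."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}; tolerates CRLF, blank
    lines and lower-case hex."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if absent).

    fetch_range(prefix) returns the response body for that 5-char prefix.
    Only the prefix is passed to it; the suffix comparison happens here.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def is_pwned(password: str, fetch_range: Callable[[str], str]) -> bool:
    """True only for a real hit: padding entries carry a count of 0."""
    return pwned_count(password, fetch_range) > 0


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real request against the range endpoint (not exercised offline).
    Add-Padding asks the service to pad the bucket to a uniform size so that
    an observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase nobody reuses"):
        hits = pwned_count(candidate, offline_fetch)
        verdict = "seen %d times, change it" % hits if hits else "not in sample corpus"
        print("%r: %s" % (candidate, verdict))
```

Swap `offline_fetch` for `live_fetch` to query the real service; the rest of the code is unchanged, which is the point of separating the fetch from the matching. Note that the k-anonymity bucket hides which password you checked, but a count of zero only says the password is absent from this corpus, exactly the same caveat that applies to the email lookup.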