Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Social Media monetizes our need to be social

Christopher Woo
Tuesday, 24 January 2023 / Published in Woo on Tech

Part of our occasional series “The Elephant on the Internet”

I remember the very first appearances of Facebook on the internet, and I happened to be working at a university when it first started making waves on campuses around the world. In our particular case, some students posted pictures of some other under-age students consuming alcohol, and this particular campus was (and still is) famously “dry”. I’d only heard about it because leadership prepped me for a conversation with some concerned parents about privacy and what exactly the university was going to do about it. I don’t remember the exact conversation, but I wasn’t able to offer much assurance to anyone at the time. Even back then (Facebook started in 2004), the internet and social media were well on their way to being out of anyone’s control. Fast forward nearly 20 years, and we have companies who are literally able to thumb their noses at just about any governing body, who, as has been proven time and again, are literally able to influence elections, and who are supposed to be in charge of policing themselves.

The trap is already sprung. We are in the net.

Unfortunately for everyone (including those of us who try to keep social media at arm’s length) the various platforms have become deeply embedded in our daily lives, to the point where we believe we could not survive without them, and for those brought up on it or who have made careers on these platforms, this might actually be a dreaded reality. A recent article published in Forbes shined a rare light on an internal practice at TikTok – already under fire for various privacy and security concerns – called “heating” which essentially is a button select folks at TikTok can push to make a video go viral. I’m sure some of you suspected that the notion of things going “viral” has long been controllable on the various platforms on which this can occur, but this particular article also details why “heating” would be used strategically to secure the platform’s dominance in the market. It’s an old carny trick – hook a bunch of suckers by letting someone win a big, showy stuffed animal in a rigged carnival game early in the day. The prize-winner walks around the carnival, happily advertising the game – in this case, perhaps you are an upcoming streamer on a different platform. Someone at TikTok has determined you would be a good investment and “heats” your video, causing it to go viral. The newly popular TikTokker tells his other platform audiences about his blow-up on the platform, and all of a sudden TikTok has thousands more eyeballs. You see how this goes? The insidious part is next: without the rush of a “heated” video, the TikTok creator is now chasing a high that was artificially created. Imagine this is also something that Facebook or Twitter does for its most popular creators, except when that creator’s views seem lackluster, they offer a little help in the form of letting them pay to promote their content. Sound familiar? The first hit from a drug dealer is always free, and once you are hooked, it’s hard shaking that addiction.
Meanwhile the drug dealer quietly pockets the cash while tsk-tsking about fickle viewers. This next hit will fix you right up, eh?

Image courtesy of TAW4 at FreeDigitalPhotos.net

elephant on the internet, social media

Freemail accounts will be hacked

Christopher Woo
Tuesday, 17 January 2023 / Published in Woo on Tech

Most of you know that I do not recommend using certain “freemail” accounts for any aspect of your professional lives. In short, many of them are poorly supported, barely secured and frequently targeted by cybercriminals because of these elements and because of who uses them. The ones that are being heavily targeted now are mostly legacy accounts that were established by old ISP companies that have since merged, sold or otherwise transformed into another company. Examples include sbcglobal.net, att.net, roadrunner.net, aol.com, yahoo.com, earthlink.net, etc, but they all share a common aspect: responsibility for maintaining the services that power these emails has been passed from company to company like a red-headed stepchild and the services are clearly suffering from neglect.

I’ve had this email for years! I can’t change this email!!

Invariably, we’re going to have this conversation, with you or perhaps with an elder member of your family. And yes, for some folks, changing an email address that you’ve had for 10+ years is going to be a huge pain. There are alternatives to completely abandoning the account, but there is still going to be some work to keep it, you and your loved ones safe. It depends highly on the email service, but most of them have made token efforts to upgrade their security and accessibility. Log into the account, look for account settings, specifically security to see if any of the following are available:

  1. First and foremost, if they offer multi-factor/2-factor authentication, set it up and use it. This is a no-brainer, and just about everyone has a cell phone.
  2. Set up a backup email account – most email services offer the ability to set another email account as a way to rescue or recover a forgotten password.
  3. Even if they can’t do 2-factor, some freemail services let you attach a cellphone for recovery purposes. Support personnel (if/when you can actually reach them) can use the cellphone to verify you are the proper owner of the account when you are in the process of attempting to recover access.
  4. Check to see if the password to secure this account has been compromised using this website: https://haveibeenpwned.com/Passwords. Even if it hasn’t, if it’s an easy to guess password, change it and write it down if it’s not one you or they are going to easily remember.
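The check in step 4 can also be scripted so the password never leaves the machine: the Pwned Passwords range API behind that site is sent only the first five characters of the password's SHA-1 hash, and the match is done locally. The sketch below is an added example, not part of the original post; its function names are this example's own and the sample response body is constructed for illustration.

```python
import hashlib
import urllib.request

# Public range endpoint of the Pwned Passwords service (k-anonymity model).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix is ever sent to the service; the
    35-character suffix stays on the local machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password, body):
    """How many times the password appears in the returned range.

    Padded responses contain filler entries with a count of 0, so a
    suffix that is present with count 0 is treated as not breached.
    """
    _, suffix = split_hash(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Fetch the live range for a 5-character prefix (needs network access)."""
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def check_online(password):
    """Full check against the live service; returns the breach count."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


def constructed_body(breached_password, count):
    """Build a CONSTRUCTED sample response so the example runs offline.

    A real response lists only suffixes that share the requested prefix;
    the decoy and padding suffixes here are made up for the demonstration.
    """
    _, suffix = split_hash(breached_password)
    _, decoy = split_hash("decoy")
    _, padding = split_hash("padding")
    return f"{decoy}:3\r\n{suffix}:{count}\r\n{padding}:0\r\nnot-a-valid-line\r\n"


if __name__ == "__main__":
    sample = constructed_body("password123", 1234)
    for candidate in ("password123", "a long unique passphrase nobody else uses"):
        prefix, _ = split_hash(candidate)
        hits = breach_count(candidate, sample)
        status = "CHANGE IT" if hits else "not found in sample"
        print(f"prefix sent: {prefix}  hits: {hits}  -> {status}")
```

`check_online()` performs the same comparison against the live service; a result of 0 only means the password is not in the known breach corpus, not that it is strong.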

In the end, these are only stop-gap measures. Some email domains are currently on their 4th or 5th handoff, and at a certain point they are likely going to end up with the lowest bidder – something you never want for a critical technology service like email. Your eye should be on transitioning to a more sustainable platform like Gmail or Outlook.com.

Photo by Christin Hume on Unsplash

cybercrime, elderly, email, Hacking, security, seniors

LastPass Breach is bad news for everyone

Christopher Woo
Wednesday, 04 January 2023 / Published in Woo on Tech

Late in the year, just in time for the holidays, LastPass released more information about the security breach they experienced in August of 2022. And as could be expected, it wasn’t good news. It wasn’t the worst news, but in my estimation, it’s still going to create a lot of headache and work for their customers, some of whom are using their service based on our recommendation. C2 uses LastPass internally but not to store client passwords, but regardless we will be migrating away from them as soon as practically possible.

What this means for you

If you’ve read their statements regarding this security breach you might be under the impression that your passwords are safe. The encrypted vault that was stolen was a backup of customer data from September 22, 2022. If you started using LastPass after that date, you are not part of the breach and you are actually in the clear (for the moment). If you’ve been using LastPass before that date, it’s highly likely that hackers have access to your encrypted passwords. Per LastPass, if you choose a strong master password, those passwords are relatively safe. However, given enough time and computational resources, any encryption can be broken, so the clock is ticking on how long they will remain encrypted. It’s more important that you should know that each password’s associated login name and URL were also captured in the data stolen and those important bits weren’t encrypted. This gives hackers many more points of data to hone their phishing attacks and will result in highly targeted, realistic phishing emails that purport to be from services you actually use, utilizing specific information you will recognize, to lend credibility to fake emails. Given that it is definitely easier to trick humans than to crack 256-bit encryption, we’re banking on the fact that everyone, not just our clients, will be facing numerous phishing attempts in the coming year. What can you do to combat (I do not use that word lightly) this?

  1. Any passwords stored in LastPass should be changed. If you have lots of passwords stored, this may take some time, but it will be well worth it.
  2. Any opportunity you are given to utilize multi-factor authentication to further protect an account should be taken.
  3. Review your master password. If it is not complex and/or easily guessable, you should change it. Be careful! If you mess this process up and lose your master password, they will not be able to recover it. You will have to abandon the account and the data within.
  4. Regard emails received from your known services very carefully, especially if it results in a login prompt or a password inquiry. Phishing emails are getting very sophisticated. If you receive an email that looks legitimate, don’t use the links embedded in the email regardless. Hand-type the URL of the service you need to use into your browser or use a favorite/shortcut you created to get to the website. Make sure you don’t mistype the URL – there are plenty of fake domains created specifically to capture mistyped URLs. Don’t search for the website using your browser – this can also lead to fake websites if you aren’t paying close attention.
  5. Consider moving to a different password management platform. Industry opinion is mixed on whether or not LastPass was using best-in-class technology and methodology to store your data at the time of the breach, but they are being widely criticized for their lack of transparency and urgency in addressing the breach. Understand that with a breach on this scale, multiple lettered agencies will be involved as well as numerous lawyers, so transparency will always suffer in these types of matters.

If you have questions about how you might be impacted by this breach, or what your company can do to implement password management at an organizational level, please give us a call or send us an email. We can provide a platform that can provide secure password sharing for you and your co-workers that is also administered and supported by C2.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

breach, passwords, security

2023 – Approach with Caution

Christopher Woo
Tuesday, 27 December 2022 / Published in Woo on Tech

Traditionally I like my year-end messages to be hopeful, but as I am someone who does not mince words when it comes to your technology, I don’t come to you at the close of 2022 with a message of optimism. If anything, I want to congratulate you for surviving this year with your sanity and health intact, if not your technology security. Accomplishing all three is something to be commended, and I am sad to report that not all of our clients were as successful, including a client and good friend who passed unexpectedly this year. This post is dedicated to him, and to everyone who fought the good fight this year, either against cyberattacks, Covid and everything between.

“Don’t take security for granted.”

This is my year-end message for you: If there is one trend I can clearly point to in this past year (and in years previous), it is that you are the first and last line of defense in the war for your technology security. You are the first and last line of defense in maintaining your privacy. We here at C2 Technology are willing and able to throw ourselves in front of as many attacks as we can, but we can’t be with you in every moment, everywhere you touch technology, nor should you want us there. In nearly all cases of hacks that we have worked through this year, and numerous others I have read about, breaches and compromises have occurred because attackers are very successful at exploiting human, not technology, weaknesses.

One thing that I know for sure is that you can count on even more cybersecurity attacks in every aspect of your personal and business technology. There is big money in compromising your security – organized crime has moved, full-scale, into funding, staffing and managing highly effective fraud call centers and hit-squads whose primary objective is to trick you into giving them access to your stuff and then cleaning house. On top of this, there is no singular magic bullet, app, governing body nor enforcement agency that can protect you. Let me reiterate – there is no perfect, monolithic solution C2 or any other organization can provide to you to keep you perfectly safe. As with cold weather, layers are better than just a single, bulky jacket. Your best defense will be a collection of services, software and best practices. Your configuration of those layers will vary based on personal or organizational need, but everyone should at minimum be considering the following:

  1. Constant vigilance is the key. You should assume that you are under constant cyberthreat and act accordingly. As much as it feels distasteful to say this given the current political climate, you should consider yourself on cyber-wartime footing with no armistice or ceasefire in your near future. You may have heard me jokingly compare this vigilance with paranoia, but my gallows humor may have done you a disservice in making light of this situation. Make no mistake, this is very serious, and I do not see anyone being able to let down their guard anytime soon. As I mentioned above, C2 can’t always be there for a magical, “Get down, Mr. President!” moment. All we can do is attempt to train you to spot the peril. If you have employees, you should bolster their vigilance with actual, formal training – not everyone will have the same level of urgency on technology security as the principals of the organization, but training and testing will help them understand the importance and impress upon them that this is a part of their job responsibilities, regardless of their role in the organization.
  2. If you aren’t using unique passwords and multi-factor authentication for your critical online accounts, you are doing the cyber equivalent of leaving the keys in your running car in a dangerous neighborhood. You should check your most-used passwords here, and if any of them show up on the list, immediately change that password everywhere you used it. Right. Now. If you can turn on multi-factor authentication for your banking and other critical service accounts and haven’t already done so, do so. Right. Now.
  3. Back up your files to a cloud provider on a daily basis. You can get a very reliable, easy to use service for as little as $7/month, and you might already have access to a form of cloud backups through Apple or Microsoft by virtue of other services for which you are already paying. Keep in mind, services like OneDrive and iCloud are a form of short-term backup, but do not normally provide long-term recovery of files deleted more than 30 days ago, nor can they fully protect against certain forms of ransomware attacks, so make sure you consult with your friendly neighborhood technology professional about what would be appropriate for your use case.
  4. Keep work and personal separate. This may be difficult to do especially if you work from home on your own technology, but the more you intermingle, the more risk you take from one side or the other. This also goes for using your home network if you have family that aren’t as security conscious as you, especially seniors and young children, both of whom are particularly vulnerable to scams that most of us spot in a heartbeat. Your technology professional will have ways to segment your work and home life, but it will result in additional expense and inconvenience.
  5. At the business level, antivirus and malware protection has evolved into what is now known as “endpoint protection.” The free software that comes with your new PC is NOT endpoint protection, nor is the product they are trying to upsell you. The primary difference between the two is that last generation products relied heavily on definition tables and scheduled scans of your files, which is not nearly as effective against modern malware tactics that sometimes don’t even involve something being installed on your hard drive, or software that literally changes by the hour. Endpoint protection relies on algorithms that are able to analyze the behavior of software and services to determine if they might be harmful, and more importantly, is designed not only to protect the device on which it’s installed, but also to protect the network to which it is connected, something that previous gen antivirus software could not do.
  6. If you deal with any kind of PII (personally-identifiable information) where that information is stored on your computer – even if only in transit – your hard drive should be encrypted, especially if the device housing it is easily stolen, such as a laptop. Fortunately, both Windows and Mac OS do include encryption, but it isn’t always enabled, and in the case of Windows, it is only readily available in the “Professional” (more expensive) variant of their OS.
  7. You should be making sure your operating system and main software apps are kept up to date. Microsoft releases updates on a weekly basis, and about half of them require a reboot to fully apply. Windows 10 (and to a certain degree 11) is so stable that it can go weeks without rebooting but waiting that long can cause other problems that will be a lot more inconvenient than restarting your PC. We recommend clients restart their PCs as frequently as every 3 days – this accomplishes needed housekeeping tasks as well as clearing the “virtual crud” that all PCs accumulate through daily use, especially if you like having lots of windows and apps open.

Technology security requires a holistic approach, and I don’t mean tuning your chakras and making sure your gut biome is balanced. Every aspect of your technology, from internet provider to software services, every device used in the work process, all users, and even your clients’ and customers’ technology should be reviewed and considered when formulating your security approach. The days of “set and forget” are long gone. Protecting your technology is something that will require effort and, dare I say, constant vigilance.

Hacking, malware, privacy, security

Popular tax apps leaked your data to Facebook

Christopher Woo
Tuesday, 13 December 2022 / Published in Woo on Tech

While it shouldn’t come as a surprise to any of our long-time readers, millions of less savvy taxpayers might be shocked to discover their online tax filing software has been caught red-handed leaking sensitive information. As discovered and reported on by a non-profit news organization called The Markup, several popular online tax-filing websites including TaxAct, TaxSlayer, and H&R Block have been collecting and passing user information to Facebook, including names, income, refund amounts, filing status and even dependent names and scholarship amounts.

What does this mean for you?

Most people are unaware that just about every app and website out there that isn’t strictly not-for-profit (and even some of those as well!) has a side hustle they don’t overtly share with their users/visitors/customers: data collection and selling. If you dig into their “Terms of Service” or various other fine-print agreements normal people don’t read before clicking “Accept”, you will likely find some generic or vague language that essentially says you agree to share data with their “partners” in exchange for using their services. In the case of the tax filing services, you might have even paid for that “privilege.” Don’t you feel special? In their meagre defense, the data that was gathered was done so by a very widely used data-gathering tool called Pixel developed by the #1 data-glutton, Meta née Facebook, and in a couple cases, seems to have been inadvertent or perhaps careless implementation of the data collection tool. On top of this, when asked to comment on whether Facebook was soliciting this type of data (which is illegal to share without your explicit consent!), they of course responded that partners were expressly forbidden to send Meta that data, and that Meta has filtering in place to prevent the collection of this type of data, regardless of who was sending it. It’s also been reported earlier this year that Facebook collects so much data it doesn’t fully understand how it’s used, or where it goes within Facebook’s various systems and algorithms. Should you trust a company that doesn’t even have a handle on its own data to properly filter data it’s not supposed to collect? How would they even be able to report accurately on that?

Shortly after reporting on their findings, The Markup was contacted by the named tax websites who shared that the data collection pixel had been removed from their services. Is it safe to use these services now? Probably, at least going forward. If you’ve used these services in the past few years, the damage is already done – data collection has been done on your returns and the data leaked to Facebook, regardless of whether you have a Facebook account. Unfortunately, as before, there is not much you can do about the leaks except to let your congressperson know that you expect them to take better care of your privacy. You can also contribute to organizations like the ACLU who have been fighting this fight longer than most of us realize.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

data, facebook, privacy, taxes

Twitter stumbles with new ownership

Christopher Woo
Tuesday, 15 November 2022 / Published in Woo on Tech

In case you happen to be ignoring the news like any sane human being, you might have missed that a certain billionaire bought Twitter about two weeks ago. Like some sort of stereotype out of an 80’s comedy, the new boss strutted into the place stating that changes were going to be made, and by golly, he made good on that promise. Among the many, possibly apocryphal, reports that surfaced on Twitter (where else?), the new boss fired lots of people, turned off a bunch of “unneeded” services and basically did his best impression of a bull in a china shop. One of the more interesting strategic choices he made was to monetize the “verification” system of Twitter which basically provided a way for celebrities, politicians, brands and journalists to “prove” they were who they said they were, for the purposes of differentiating themselves from other copy-cat Twitter accounts.

What could possibly go wrong?

Though in theory the new pay-for-verification system was supposed to be different from the previous verification process (which was human-vetted and supposedly could not be purchased), the new leadership did not make this at all apparent and neither did the app itself, and so as expected, thousands of trolls lined up with $8 for their “verified” accounts, which then could be renamed to resemble any of the thousands of actual verified Twitter accounts. First to make headlines was comedian Kathy Griffin who used the new service to impersonate Twitter’s new owner for the purposes of doing what she is well known for: heckling famous people online. Said owner immediately flexed his boss powers and banned her and in the same breath issued a new proclamation – parody accounts must label themselves as such. Sensing an opening, the internet did what it does “best” and followed Ms. Griffin’s suit. Numerous celebrities, politicians and brands were “parodied,” and the results were variously hilarious, pointed, vulgar and in the case of at least one brand, actually financially damaging.

At the moment, this story continues to evolve. The new chief of Twitter is not backing down in his bold claims that Twitter will be remade under his leadership, while continuing to be called out by experts and (ex)employees for unsubstantiated claims and tweeting churlish reactions to the thousands of Twitter trolls ready for fresh meat – something the platform was infamous for long before the new king bought his latest crown. Something you can’t hide, however, is when real businesses put their money where their mouth is, or in this case, take that money elsewhere.

Twitter

Phone Scammers are Upping Their Game

Christopher Woo
Tuesday, 08 November 2022 / Published in Woo on Tech

Last Friday, while I was in the middle of working with a client at their office, I received a voicemail that set off some alarm bells when I read the transcript. I had received a call from someone claiming to be from the local Sheriff’s department wanting to discuss an important matter. I’ve worked with law enforcement in the past as a consultant on various technical items, so I figured someone had provided my name to this Sergeant as a technology expert. Nope, that was not what he was calling about. This was regarding a “failure to appear” in court on a traffic ticket and a warrant for my arrest.

Talk about “record scratch” moments!

Prior to talking to this person, I had my office call back on the voicemail to verify the number rang through to an actual person. It did, so I called him back. He sounded legitimate, down to the faint southern accent, generous application of law enforcement terminology in our conversation, and the fact that I did have an old fixit ticket that I did resolve – I hadn’t updated my license with my new address after we moved – but was never able to close the loop on, as the ticket was never logged into the county’s online system. (It still isn’t, I just checked again, over a year after it was issued!) He had me sweating for a few minutes, until he brought up the matter of settling this over the phone by paying for a bail bond, which could be done using an app on my phone, as long as either were linked to my bank account. RED ALERT!!! I asked him to verify his identity and badge number, and he also offered to prove he was who he said he was by calling me from their “official” line. He did, and the caller ID displayed a number that, when searched up on Google, showed it was indeed the non-emergency number for the Sheriff’s department he claimed to be from. What he didn’t know was that I know scammers can spoof any number they like, including the Sheriff’s department. Perhaps sensing that he was losing me (a sign of an expert conman) he pulled out all the stops: wanting to know if I was ready to resolve this now or come on down to the Sheriff’s station to turn myself in. When I played dumb and said my GooglePay wasn’t set up with my bank account, he offered to walk me through it.

All throughout this, I was texting with my office to have them actually call the Sheriff’s office to verify this man was who he said he was. While I was verbally fencing with the “Sergeant”, they confirmed my suspicions that this was indeed a known scam, and the person on the phone was not in any way affiliated with the Sheriff’s department. I promptly hung up on the scammer and put in a call to one of our clients who also happens to be one of the top criminal defense attorneys in the county and a former DA. He also confirmed that local law enforcement would not be calling people to post bail via phone, and more importantly, there were no outstanding warrants for my arrest.

Here are the things that set off warning bells on this call, and may provide you with help in identifying similar scams when they inevitably call your cell:

  1. The scammer absolutely did not want me to hang up with him once he had me on the phone. He went so far as to throw around some official-sounding terminology – a “Mandatory Contact Order” that required he stay on the phone with me to make sure this matter got resolved. Ostensibly this is so that I can’t call for help or advice (like I did anyways, via text), and to keep the intimidation factor active.
  2. Scammers will always want you to use your bank account, or to have you pay via a method that can’t be reversed, like gift cards or money orders. Credit cards are easily charged back, and often have blocks in place that make them non-starters for scams like this. No legitimate law enforcement agency is going to allow you to post bail on any matter via phone – how do they know the person they are talking to is actually the person named in the warrant?
  3. Don’t accept a call-back by the scammer from a different number as verification of their identity. Spoofing any number is trivial for them. They can pretend to call from any number that can be found on Google. Hang up and call the organization they are supposedly from on a new call, or have someone next to you do it for you.
  4. Don’t just assume because the person calling doesn’t have a foreign accent that it makes them more credible. I’ve heard from numerous clients about scam calls from people who were clearly native English speakers with a Western (or no) accent.
  5. Scammers will often use scare tactics to pressure you into a hasty decision – whether it’s being arrested, or that your name showed up on an FBI watch list for child pornography, or you have unpaid taxes and fines that will be levied against your paycheck. The claims will be hard to verify – more so because the scammer will be doing their best to keep you on the phone talking and not independently verifying whether what they are saying is true. They will often be counting on you wanting to avoid possible embarrassment or exposure so as to isolate you. Don’t be afraid to ask for help from someone you trust!

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

scam, security

DIY Tech – Short-term Savings, Long-term Risks

Christopher Woo
Tuesday, 18 October 2022 / Published in Woo on Tech

They didn’t invent it, but the internet and specifically platforms like YouTube, provided a huge boost to the “Do-It-Yourself” movement. Instead of having to rely on hands-on training, word of mouth, books or walking back and forth between project and the VCR player, we can now bring up at least a dozen or more videos on just about any crafting, repairing, constructing, cooking, etc. endeavor we can imagine. I just watched a video on how to harvest and smelt iron from bacteria found in streams. It was detailed enough that I might have a reasonable chance at actually doing so, if I were so motivated. You never know if we might bomb ourselves back to the stone age and these types of skills might be important again. But at the point where this might actually become important, things like YouTube and smartphones aren’t going to be available. Perhaps a bad example, but damn if it wasn’t an interesting video.

Let’s assume the Apocalypse isn’t imminent

A less extreme example might be the myriad of repair and construction projects you can find on various household amenities. I also just watched a video on how to install a mini-split air conditioning unit, and assuming I have the tools and manual dexterity to not kill myself while operating them, I believe I have a reasonable chance at actually completing something like that. But what happens if things don’t go exactly as they are depicted in the video? What if I spend many thousands of dollars on equipment, dozens of hours of labor and the darn thing won’t turn on – or worse, it turns on but doesn’t actually work as expected? There are certain types of projects that make sense as a DIY project. Bookshelves from recycled materials? DIY. Three-D printed keychain rack? DIY. Mural for daughter’s bedroom? DIY! Email for your organization? DI-wait a second… Malware protection for your work PCs? Uhhh…nope. Could you implement these solutions for your organization by yourself? Sure. There are probably even videos walking you through it. What most videos don’t contain are the instructions for when things go wrong, or how to make sure you’ve implemented the proper security measures that match your business requirements. YouTube videos and website FAQs can only provide the basics. Experience and training are what make the difference between “hobby-grade” and “enterprise-grade” technology. Trust me when I say your organization deserves (and needs!) technology installed and serviced by experienced professionals. It may cost more up front, but will save you time, money and sanity in the long run.

Image by Peggy und Marco Lachmann-Anke from Pixabay

DIY, risks, security

LAUSD Hackers make good on threat, release data

Christopher Woo
Tuesday, 04 October 2022 / Published in Woo on Tech

The Los Angeles Unified School District (LAUSD) was hacked in early September, prompting a near-total shutdown of school network systems during the week following Labor Day while law enforcement and the district worked to recover and clear systems of possible backdoors and tripwires, of which many were found. The nation’s second-largest school district is one of over two dozen US school districts to be attacked this year, and as you can imagine, the hackers are counting on the threat of releasing student data to provide enough pressure to convince administrators to pay the ransom. While at least 2 of the attacked school districts have indeed capitulated to ransom demands, the LAUSD did not, and the hackers made good on their promise to release the data, which happened this past weekend.

What this means for you

According to a recent report from LAUSD officials, the 500 GB of data leaked contained a fairly limited amount of truly sensitive data. There were concerns that very sensitive information, such as student psychological evaluations, might be a part of the data stolen, but apparently not. Regardless of the data contents, or how quickly they were able to restore service, this isn’t a good look for the LAUSD, especially since so many parents entrust their child’s safety and privacy to the district. Nor would it be a good look for any company, big or small, even if they were able to ignore hacker demands and rely on data backups to bring operations back online. If any confidential customer data was leaked, depending on the type and number of records, the hacked organization might be legally obligated to notify those customers. If that company relied on insurance claims to help recover from a cyberattack, they will most certainly be scrutinized by their insurance company, as well as a third-party audit firm, and again, possibly by law enforcement if the affected database is large enough or contains certain protected information. Being able to recover from an attack is an absolute necessity you should be planning for, but preventing the attacks should be an even higher priority, don’t you think? On top of having multiple layers of technical protection around your email services, office networks and remote worker computers, everyone should be trained on how to protect themselves by understanding how to spot potential phishing and social engineering attacks, and this requires systematic training, testing and tracking.

Image by Pete Linforth from Pixabay

YouTube and the Illusion of Control

Christopher Woo
Tuesday, 20 September 2022 / Published in Woo on Tech

You probably already knew this: YouTube is the second most visited website on the internet. In obvious first place is Google.com, which also happens to be the parent/sister company of the world’s biggest video streaming site. YouTube has over 800 million videos (and growing) and gets over 17 billion visits per month (source), so saying they make a lot of money on that website off your eyeballs is putting it very mildly. The secret sauce, of course, is the algorithm that keeps feeding must-see videos into your viewing experience, and because it’s Google-powered, you can bet those engineers know exactly how to build a data-driven, personalized algorithm that knows exactly what you want to see. Or does it?

One Algorithm to rule them all?

Based on the platform’s success and profitability, it’s pretty clear that this algorithm is doing something right, but there is still plenty of criticism and scrutiny of YouTube’s content selection, especially in light of continuing misinformation problems plaguing all social media platforms. If you are a user of YouTube (statistically likely!) you are probably already familiar with the various tools you can use to supposedly tailor YouTube’s algorithm to only provide content aligned with your interests. There are even buttons to dislike, remove from recommendations, or report as misinformation, but according to research done by the Mozilla Foundation (full disclosure: a non-profit research and advocacy organization that is funded by Firefox money and search engine royalties from Google, etc.), these buttons are essentially ineffective. My takeaway? YouTube is using the age-old marketing trick of offering the illusion of control, while still driving traffic to the videos and trends that make them the most money. The article is lengthy, but Mozilla helpfully provides an infographic summary that is a bit easier to digest and leads to the true reason they published these findings. In the end, Mozilla is an activist organization attempting to drill some transparency into the biggest content platforms. The only way this is going to happen is if enough people step up and ask for change. You don’t have to stop using YouTube, but recognizing their placebo controls might give you better insight into why true control over your feed feels elusive.

Image by Pablo Jimeno from Pixabay

algorithm, firefox, Google, marketing, youtube