While it shouldn’t come as a surprise to any of our long-time readers, millions of less savvy taxpayers might be shocked to discover their online tax filing software has been caught red-handed leaking sensitive information. As discovered and reported on by non-profit news organization called The Markup, several popular online tax-filing websites including TaxAct, TaxSlayer, and HR Block have been collecting and passing user information to Facebook, including names, income, refund amounts, filing status and even dependent names and scholarship amounts.
What does this mean for you?
Most people are unaware that just about every app and website out there that isn’t strictly not-for-profit (and even some of those as well!) has a side hustle they don’t overtly share with their users/visitors/customers: data collection and selling. If you dig into their “Terms of Service” or various other fine-print agreements normal people don’t read before clicking “Accept”, you will likely find some generic or vague language that essentially says you agree to share data with their “partners” in exchange for using their services. In the case of the tax filing services, you might have even paid for that “privilege.” Don’t you feel special? In their meagre defense, the data that was gathered was done so by a very widely used data-gathering tool called Pixel developed by the #1 data-glutton, Meta née Facebook, and in a couple cases, seems to have been inadvertent or perhaps careless implementation of the data collection tool. On top of this, when asked to comment on whether Facebook was soliciting this type of data (which is illegal to share without your explicit consent!), they of course responded that partners were expressly forbidden to send Meta that data, and that Meta has filtering in place to prevent the collection of this type of data, regardless of who was sending it. It’s also been reported earlier this year that Facebook collects so much data it doesn’t fully understand how it’s used, or where it goes within Facebook’s various systems and algorithms. Should you trust a company that doesn’t even have a handle on its own data to properly filter data it’s not supposed to collect? How would they even be able to report accurately on that?
Shortly after reporting on their findings, The Markup was contacted by the named tax websites who shared that the data collection pixel had been removed from their services. Is it safe to use these services now? Probably, at least going forward. If you’ve used these services in the past few years, the damage is already done – data collection has been done on your returns and the data leaked to Facebook, regardless of whether you have a Facebook account. Unfortunately, as before, there is not much you can do about the leaks except to let your congressperson know that you expect them to take better care of your privacy. You can also contribute to organizations like the ACLU who have been fighting this fight longer than most of us realize.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As someone who is beyond jaded by social media and the mega-corporations behind them, this news isn’t surprising, and I actually expected to see it long before now, but it gives me no pleasure in seeing our worst fears play out. Motherboard has published a story today about a Nebraska teenager and her mother being charged with several felonies and misdemeanors surrounding the teen’s self-induced abortion after their Facebook DM chat logs were turned over to Nebraska law enforcement by Meta. Despite the divisive act at the root of this incident and the current political storm raging around the overturning of Roe V. Wade, I’m hoping it highlights rather than distracts from the point of this week’s blog.
Social media is the exact opposite of privacy and confidentiality
Social media and its daily use have become so pervasive that for most people it’s just a de-facto part of how they live their lives, to the point where many can’t conceive of life without it. Regardless of whether or not the women from the above story acted illegally or immorally, there should be no equivocation about whether or not a social media platform will turn over your data to law enforcement. The answer is, “Yes, they will.” In this particular instance, Meta (aka Facebook) was abiding by a court-ordered search warrant. This doesn’t excuse them morally, but also falls well within expectations we have called out, over and over again. Following the overturning of Roe V. Wade, Motherboard reached out to all the major social media platforms asking them how they would handle just these types of requests in relation to women’s health and pregnancy rights, and none of them were prepared to go on record saying they wouldn’t do exactly what Facebook did in the above case. Unfortunately, abortion simultaneously highlights and distracts from the issue – it shouldn’t matter what is being kept private – only that it is private. In case it wasn’t clear: don’t expect anything you share on social media to remain private, regardless of how that platform professes to honor that privacy. The only commitment they are required to honor is to their shareholders or the equity firm backing the company, possibly even over the laws of the land.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
There’s no way to spin this: Facebook is currently running a political ad with a false claim that Biden tried to bribe Ukraine regarding an investigation into a firm that employed his son. Facebook’s own fact-checking partners have debunked this claim, and yet, the ad has been viewed millions of times and even re-broadcasted by traditional media outlets.
According to its own misinformation policy governing ads, Facebook
“…prohibits ads that include claims debunked by third-party fact checkers or, in certain circumstances, claims debunked by organizations with particular expertise.”
https://www.facebook.com/policies/ads/prohibited_content/misinformation
Open and shut case, right? Not so fast, or at least, no so fast as of September 24th, when Facebook “clarified” why it was allowing political ads containing lies to run on its platform unchecked. Facebook VP of Global Affairs and Communications Nick Clegg announced on the stage at the Atlantic Festival in Washington D.C.
“We have a responsibility to protect the platform from outside interference, and to make sure that when people pay us for political ads we make it as transparent as possible. But it is not our role to intervene when politicians speak.”
https://newsroom.fb.com/news/2019/09/elections-and-political-speech/
And furthermore, Mr. Clegg cites a policy established in 2016 (approximately one month prior to the November 2016 elections) that literally grants an exception to ANY content it deems “newsworthy, significant or important to the public interest…“
“..if someone makes a statement or shares a post which breaks our community standards we will still allow it on our platform if we believe the public interest in seeing it outweighs the risk of harm.” (emphasis mine)
https://newsroom.fb.com/news/2019/09/elections-and-political-speech/
I can get behind the principle of this – Facebook is trying to tread the fine line between unbiased distribution of information while facing the impossible task of fact-checking the millions of posts that are published on it platform. But here’s the hitch: Facebook is telling us that it has our best interests at heart, but has repeatedly demonstrated that this is just not the case. Also consider the fact that Facebook considers profanity banworthy but not outright falsehoods. Based solely on that alone, I would question whether or not Facebook has an accurate understanding of what is actually harmful. That and the incident where the spread of false information via Facebook actually lead to genocide, something that the world seems to have conveniently forgotten.
Given that political ads are resulting in millions of dollars in revenue a week for Facebook, and that Mark Zuckerberg has been quietly hosting private dinners with high-profile right-wing conservatives (a verifiable large source of ad revenue) who have been critical of Facebook in the past, its pretty clear that Facebook knows exactly which side butters its toast.
I don’t care which side of the political spectrum an ad comes from, but I do care if you are relying on falsehoods instead of facts to profit, and I find it offensive that the world’s biggest social media platform on which billions trust as their primary news source disrespects its customers with double standards and naked profiteering. At minimum, you should be taking everything you see on Facebook with a huge grain of salt, especially the political ads.
Last year was not a good year for Facebook. Starting with the Cambridge Analytica, the social media giant seemed to stumble through a series of gaffes that literally erased billions from Mark Zuckerberg’s net worth. Yet, here we are again with the social media giant continuing to act with cavalier indifference towards its users’ privacy, and at this point, are you really surprised? We’re all adults here – I’m in no position to tell you what you should be keeping private or not, but I feel it’s my duty to make sure you are aware with whom you are sharing data, and that they are NOT here to serve you, but vice versa. And let’s put one big, stinging fact on the table – despite all of this, Facebook’s stock bounced back easily from last year’s drubbing, and is now poised to surge ahead thanks to better-than-expected fourth quarter earnings.
The latest proof that Facebook doesn’t care about your privacy
A few years back, Facebook instituted two-factor authentication for its login process, asking user’s for a phone number as the second factor. At this point, 2FA is the new security hotness, and millions are already smarting from a variety of virus infections, identity theft and account hacks to agree that 2FA was the best way to secure their accounts. While they weren’t (and still aren’t) wrong, could they have guessed that Facebook would start using that phone number as a means for other people to search for you, even if the searcher wasn’t someone you actually knew? How about doing this without even asking if its OK? This setting can be changed, but by default it’s set to allow “Public” access to use the 2FA phone number to help others find you. I don’t know about you, but that feels like the opposite of what everyone thought sharing this number with Facebook would do.
Strike two this month comes in the form of Facebook openly admitting that it receives data from many apps, including ones that help users track menstrual cycles, heart rates and website viewing habits, even if the user didn’t have a Facebook account. If this looks eerily similar to a recent article I wrote about a certain cell provider who was not being a good steward of your data, it is because it is yet another iteration of the same questionable practice.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
If you’ve been reading my blog for any length of time, you’ve seen me describe the current state of security in a variety of colorful ways, but my favorite analogy is the one where I liken ourselves to jugglers with many objects in the air and with more being tossed in every minute by hackers and criminals. We lose if we drop a single item, but there is no “win” condition for juggling. If anyone has enough hands and arms to keep a lot of things in the air, it should be Facebook, and they have a lot going on, but in the end, they have come up short on another promise: transparency in sponsored advertising. Facebook’s never ending torrent of fake news was supposed to be somewhat dampened by a tool rolled out in May of this year called “Paid for by” which was built to bring some accountability to Facebook publishing tools heavily abused by political trolls leading up to the 2016 US elections, and surrounding numerous other political events since then.
Transparency or Lip Service?
Just ahead of the 2018 midterm elections, Vice.com investigators, through the “Paid for by” tool on Facebook, applied to purchase ads on behalf of all 100 US Senators. All 100 applications were approved, despite the ads being shared from fake political groups built specifically to test Facebook’s transparency tool, and the very obvious fact that Vice investigators are clearly not actual spokespeople for any sitting US Senator. The same tool also allowed the Vice team to buy ads on behalf of Vice President Mike Pence and the Islamic State, but curiously enough, not Hillary Clinton. Based on the amount of effort the Vice team exerted to circumvent the “Paid for by” verification tool, it’s clear that Facebook put an equal amount of effort into building this tool, i.e. virtually none. It’s unclear if the “Paid for by” tool was a token effort put up by Facebook to appease shareholders and lawmakers, or if the problem of fake news on Facebook is truly unsolvable, but if an organization as big and as powerful as Facebook can’t (or won’t) solve this problem, the only other solution is to completely ignore it as a source of news.
And that’s the other problem with elephants on the internet: because of their size, they are hard to ignore.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:
- Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
- Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
- Approximately half (15M) of the compromised accounts had an extensive amount of information leaked, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
- The other half (14M less the small percentage in the next line) had access to names and email addresses or phone numbers, or both.
- Three percent (about 1M) did not have any information exposed though their access tokens were stolen.
- Nobody’s Facebook passwords was stolen as part of this breach.
- Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.
What this means for you
If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any numerous other items exposed in previous breaches, it’s trivial for cybercriminals to create very realistic emails that appear legitimate based upon the use of this stolen data, whether it be fake password reset notifications from widely used services like Office 365, Facebook, Gmail, SnapChat, or strangely familiar emails using that private data to trick you into revealing additional info or access to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is info you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use that info to try and guess your answers to reset your password for their own nefarious purposes.
Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed, and if so, continued use of it will likely result in any account secured by the exposed password being compromised very soon.
Back when I first heard about Facebook I was working for a private university known for its “dry” campus. I was asked to consult on the case of a student who was being disciplined for violating the no-alcohol policy because a picture had been discovered of them buying booze at a nearby supermarket. It had been uploaded by the student’s friend to a hot new website called Facebook. I distinctly remember discussing this with staff and faculty at the time, predicting, “This is going to get a lot of kids in trouble.” There was discussion of banning access to the site, but filtering internet content back then wasn’t as straightforward as it is now, and the discussion was tabled with a promise to review the issue at a later time. Fast-forward to the present, where Facebook is still getting a lot of people in trouble, and themselves as well.
From the frying pan, to the fire, to…incinerator?
It might be hard to believe, but it was only June when we had to air out the latest load of dirty laundry from Facebook. Prior to that, they have been blog subjects seven times this year alone, and none of them were for something good! I’d say this month’s two-fer entry might be their pièce de résistance of colossal cock-ups, but there are still 90 days left in the year, and Facebook seems bent on setting some sort of record for destroying themselves.
First, they were caught red-handed letting advertisers use phone numbers provided by users for authentication purposes, something they had previously denied. To add insult to injury, it’s also come to light that they will also target individuals through contact information uploaded by their friends through the Facebook app, even if the individual never provided any sort of consent for such use.
If that isn’t enough to get your blood boiling, how about 50M Facebook users having their accounts compromised? Rather than the old-fashioned password hack, attackers exploited a bug in Facebook’s “View as” feature which allowed them to essentially steal the authentication token used to provide continued access after you’ve initially logged in. Think of this token as a VIP wristband you might wear at an event that also gets you access to the backstage. This token not only provides you a quick login to Facebook but to dozens of other connected services, such as Instagram and WhatsApp, that allow users to authenticate through Facebook instead of creating a unique login and password. Just like the wristband, Facebook only looks at the token and not the person using it, to determine what they are allowed to access, so you might get an inkling of why it being stolen is kind of a bad thing. The investigation is still ongoing, but according to Facebook, no passwords or credit cards were stolen, and it doesn’t look like the perpetrators of the September breach used their “wristbands” get into the various third-party platforms it could have granted access to, but I’d put even money on Facebook having yet another, “Wait, hold my beer,” moment, so don’t put the pitchforks too far out of reach.
Unfortunately for the two billion humans who are still trying to get some sort enjoyment (or livelihood) out of Facebook, there really isn’t any platform that comes close to being able to replace it. Your choices are “deal with it” or go cold turkey, the latter of which I don’t see any of my Facebook-hooked friends doing any time soon. If you’ve tied your various other online services to Facebook’s login in the pursuit of convenience, it only makes giving up Facebook that much harder and further illustrates just how dangerous this type of practice can be – Facebook login gave everyone a shovel, and quite a few people dug a hole that they have no idea how to get out of. Sadly, not climbing out of that hole and permanently putting the shovel aside essentially rewards Facebook for their negligent security practices, something that we should not do if we ever want the service to be something more than a way for advertisers and hackers (and Facebook!) to exploit for their own profit.
It’s been a solid three weeks since Facebook last graced our blog, but just like the proverbial bad penny, it just can’t stop turning up in the news for all the wrong reasons. There is a worn adage that claims there is no such thing as bad PR, but in Facebook’s case, I’m betting they’d rather stay out of the spotlight for a little longer. During CEO Mark Zuckerberg’s grueling congressional testimony earlier this year, Mr. Zuckerberg assured senators that Facebook users had complete control over who sees their data as well as how you share it. In a recent interview with the NY Times, Facebook has now owned up to previously undisclosed data-sharing relationships with four Chinese manufacturers, including Huawei who is viewed by American intelligence officials as a national security “threat” due to its close ties with the Chinese government.
What this means for you
According to an agreement Facebook entered into with the Federal Trade Commission in 2011, Facebook is not allowed to override a user’s privacy settings without first getting explicit consent. As part of the partnership agreement with these manufacturers – Huawei, Lenovo, Oppo and TC – Facebook granted privileged access to these partners to data collected through Facebook apps installed on their devices, even to the point of overriding the user’s explicit denial of access. Facebook executives have argued that they had adhered to the letter of the 2011 consent decree because the data in question (your data, your friends’ data, and your friends’ friends’ data) never actually leaves the device, and is only used “locally” to power applications and social media platforms. I’m no lawyer, but that sounds like splitting hairs, and as has been amply demonstrated by the Cambridge Analytica debacle (not even 2 months old, mind you!) relying on a partner company to adhere to Facebook’s privacy policies is not guaranteed, nor apparently something they can even enforce, once again demonstrating a clear gap in trustworthiness. Should you continue to use Facebook? As long as you keep your eyes open to the fact that Facebook might not be as transparent as they promise, even in the face of Congressional scrutiny, and more importantly, the watchful eye of journalistic rigor.