SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 81: Facebook’s Privacy Failures Leave You in the Cold

Posted on March 22, 2018

If you’ve been listening to the news recently, you’ve probably heard the name “Cambridge Analytica” come up — and all kinds of stories about the data firm’s former executives claiming they could manipulate and intimidate large numbers of people with crafted, targeted social media content. While that’s not what we’re here to talk about today, it does tie in to the greater issue: the parts we, the general users of the web, might have played in giving Facebook access to enormous amounts of our data. Before we can really kick off today’s discussion, we’ll need to run down a bit of history about the situation — then we’ll get into some of the potential next steps you can take.

The story so far

According to a report by CNBC, the story began back in 2014 when a company called Global Science Research published a Facebook app titled “thisisyourdigitallife.” GSR was ostensibly run for academic purposes by a man named Aleksandr Kogan. In the “thisisyourdigitallife” app, users had the opportunity to receive a small payment in exchange for taking a psychological test, which also allowed the app to collect data from the user’s Facebook account and their friends as well. CNBC says this ultimately allowed Global Science Research to harvest information from roughly 50 million profiles on the social networking platform. Later, GSR handed this over to the political firm Cambridge Analytica in a massive data sale.

We know this thanks to a whistleblower who worked for Cambridge Analytica, Christopher Wylie, who began to speak to the press about the firm’s actions. He claims that GSR’s sale of the data enabled Cambridge Analytica to develop so-called “psychographic profiles” on users and broad groups of people. This information was then used to target content and tailor messages to push beneficial to then-presidential candidate Donald Trump. CA was also heavily involved in the “Leave” campaign during the run-up to the Brexit vote in the UK as well — so the British Parliament wants to have a word with them.

Facebook disputes the notion the information Cambridge Analytica came to possess was gathered in any illegitimate manner. Instead, executives claim that Kogan and Global Science Research lied to them about their research and subsequently violated the terms of use when it sold the data on to Cambridge Analytica. Facebook acted back in 2015, banning the “thisisyourdigitallife” app and demanding the destruction of the data, no matter who held it at the time. Cambridge Analytica officially claims they complied with this order; whistleblower data suggests it did not.

Despite the social media giant’s insistence that it was deceived and remains committed to user privacy, we should recall that Facebook has been in the political arena for some time now. According to a piece on The Next Web, Facebook was billing itself as a way to connect “candidates with constituents” as early as 2014. The Next Web also points out that while CA’s usage of the data and the way it obtained it was potentially nefarious, Facebook itself already uses similar data to target ads to users and to allow businesses to do the same. Therefore, from Facebook’s perspective, the problem is all about the way the data was obtained.

Whenever you add an app to Facebook, you see a page that lets you know what permissions the app requests from your account. thisisyourdigitallife was no different, but users may not have known the extent to which they were exposing not only their information, but that of their friends, too. The app accessed everything from a user’s location to the pages and posts they’d “Liked” — and it gathered that information from everyone on a user’s friends list, too, if their settings would allow for it.

So confusing privacy settings, the allure of toying with simple apps online, and some murky motivations have all led us to this point, and it brings with it an important question: what do you do next? What do you need to know about the way Facebook gathers and uses information, and what do you do if you want to get out of this mess altogether? That brings us to the rest of the items on today’s Checklist, which will include:

  • How ad microtargeting works
  • How to stop Facebook from sharing your info with third parties
  • Deleting your Facebook account — completely
  • Don’t just give away your data: it has value

What is microtargeting? What does that even mean? To explain that clearly, we’ll need to hop in a time machine to discuss the way ads used to work, back in the days before we all started driving on the information superhighway that is the Internet.

How ad microtargeting works

The goal of advertising has always been the same: to attract the interest of a consumer and ultimately make a sale to them. Advertisers have many methods at their disposal which they use to boost the odds that they’ll convert someone who looks at their ads into an actual customer. One of the most essential tools is timing: making careful choices about when and where to place an advertisement for the maximum amount of exposure and effect.

On television, advertisers have a small amount of control over targeting, to the extent that they can arrange for ads for certain products to play at particular times of the day. Ads for toys, some fast food, and sugary products often run in conjunction with afternoon cartoons, or generally on channels such as Nickelodeon. Anyone who’s watched TV late at night or during the daytime blocks knows those time slots are often filled with ads targeting the elderly. The same principle works in print advertising: companies place ads in publications related to their industry. While these methods work somewhat well overall, it’s hard to measure success, and there are no guarantees the right audience always sees their ads.

That’s all changed with the Internet and the advent of large-scale demographic data collecting. We give away tons of information on ourselves, our habits, and our preferences to websites for free almost every day. That means advertisers can have much-improved opportunities for putting their ads in front of the right eyes, increasing their chances of “converting” a customer from a viewer into a buyer.

Let’s consider an example where we’ll pretend we’re all advertisers, with the goal of selling an expensive and highly specialized golf club. Not just anyone will be interested in such a purchase: we need to advertise it to a particular type of customer. Without the Internet, there are a few approaches we might take to ensure we get a good return for the money we spend on ads.

First, we could try renting a billboard in a visible location to show off the golf club’s design. With this scenario, we hope that of all the people who see it, some of them will turn out to be golfers who would be interested in such a product. Most of the people who see the ad, though, won’t be in our target demographic. So next, we try buying ads in golf magazines instead. Now we know the people looking at the ad already enjoy golf, and we’re banking on attracting attention specifically from golfers with extra disposable income — enough to afford our expensive item. As you can see, we’re still doing a lot of hoping and wishing in the process of waiting to convert sales.

What if we took our ad online instead? Now we can stack the odds in our favor much more heavily. Wherever we go online, whether we want to buy ads to appear next to search results on Google or in your Facebook feed, we can use “microtargeting” to eliminate the hopes and wishes. With this tool, we can know we’re targeting rich golfers, and only rich golfers.

Microtargeting works on both very broad and very granular levels, allowing us to customize and fine-tune who sees our ads. We could start, for example, by showing the ad only to people from a specific country or in a specific age range. When we start combining more than one “microtarget” together, we can start drilling down towards individual users.

So how do we microtarget our golf club successfully? We could set our ad to display only to people over the age of 35 in the United States with an expressed interested in golf and at a particular income level that would make our club affordable or an attainable luxury purchase. This allows us to not only maximize our chances of making a sale, but we also save a ton of money on advertising costs since we pay based on the number of “impressions,” a term for people who see the ad.

Online advertisers operate in broad terms, and it’s why the data we generate on ourselves through “Likes,” retweets, shares and so forth is so useful. Keep in mind that as far as our golf club example goes, we’re speaking in very wide audience categories. The huge volumes of data and networks gather, both from voluntary information and “best guess” estimations made from data collected by tracking cookies, allow advertisers to become extremely specific with their targets.

That could include only showing ads to people with certain relationship statuses (such as divorced individuals), with a certain level of education, or based on a user’s ethnicity, political viewpoints, and other information. The vast amount of options available means advertisers only need to show their work to people who are most likely to convert. This technology, ultimately, is a major part of what Cambridge Analytica used to target their political messages.

How to stop Facebook from sharing your info with third parties

Okay—so now you know what microtargeting is, and you know that advertisers are hungry for any information they can (hopefully legally) gather to be able to target you with their ads. Maybe you’re all right with that to an extent — many people think it can be a fair trade. Just look at the success of the MoviePass, which lets people see many movies in the theater a month for a small fee while gathering tons of information on users such as their location before and after going to the movie and other data. Otherwise, though, we should be safe, right? If we’ve taken the time to lock down the privacy settings on our social media so only our friends and family can see our profile data, then there’s no problem — right? Maybe not.

Facebook’s main revenue stream is advertising, so it would prefer if you make information about yourself available. That’s why the site has a setting buried deep beneath several menus, and if enabled, it has the potential to let third parties get their hands on your data, even if you wanted it to be genuinely “friends only” from the get-go. Let’s talk about how to find that setting so you can exercise more control over your privacy.

On Facebook, go to your Settings page, and then select “Apps” from the menu on the left-hand side. In this new pane, find the label titled “Apps Others Use.” Now click edit. Do you see the items checked off here? Any of the items checked on this screen are fair game for third-party apps used by your friends. It’s true: even if you didn’t know about these settings, you’ve been depending on the good judgment of your friends and their taste in apps when it comes to who has access to your profile data. Of course, the reality is confusing and difficult to untangle.

Some say that the data here only goes to the apps if both you and your friend have and use the same app; others believe it doesn’t matter and the data gets shared regardless. Facebook has yet to clarify what these settings actually do — so we think it’s better to be safe than sorry in today’s digital climate. That’s why we recommend that you uncheck anything on this list you don’t want to share with other apps. Once you’re done, click Save and you’re all set. It is possible to go further, though, if you’re willing to make some sacrifices to get Facebook out of your life.

We can do that by disabling Facebook integration across the web. Any time you see a Facebook button on a site, your profile and all its info follows you around — but it can be turned off for good. On the same page as the “Apps Others Use” setting, you’ll find “Apps, Websites, and Plugins.” Click edit again, and you have the option to disable the Facebook Platform and its integration with your account. A word of warning, though: if you disable Platform, it will break any of the apps for which you use Facebook as your primary login. Websites, where you’ve used your FB profile, will not recognize your account anymore, either.

Whether you signed up for your local newspaper with your account or you used it to order food through a service, contact your service provider to discuss options for migrating to a regular user account. Otherwise, you’ll risk locking yourself out of your account until you re-enable the Facebook platform. Disabling these features doesn’t delete the data you already shared with third parties, though. If you want to go that route, you’ll need to contact each company or app developer on a one-on-one basis to discuss their process for removing your data. This is one of the challenges with modern social media platforms – once your information is shared, it’s out there and can be very difficult to undo.

Deleting your Facebook account — completely

What if you want to say, “forget about settings — I’m getting out of here!” instead of dealing with the increasing headaches that surround user privacy on Facebook? There are plenty of reasons to want to delete your Facebook account, and all of them are understandable. Whether you want to remove an addictive influence from your life, escape the recent news, avoid unwanted contact with other individuals, or just because you don’t like the way your newsfeed makes you feel, getting away from it all is a perfectly valid choice. With #deletefacebook trending recently, more people are beginning to feel like this is the right way to go. Facebook doesn’t want you to leave, of course — but you don’t have to feel as if you’re trapped in the Hotel California. Instead, it helps to understand what options you have available.

Recall that there’s a big difference between deactivating and deleting your account. The deactivation option (found in Settings under “Manage Account” and then by clicking on “Edit”) allows you to disable your account, removing it from public view temporarily. It’s a good way to test whether you feel you can get along without Facebook in your life since it allows you to reactivate the account by simply logging back in; it’s also a good option if you just want to “take a break” from the flood of news and opinions coming at you.

What if you’re ready to throw in the towel altogether and leave it behind for good, though? In that case, you’ll want to visit a very specific URL, which you can find by clicking here. When you reach this page, Facebook will display a serious warning running down what you need to know about account deletion.

Needless to say, this is permanent: you won’t be able to undo this action. If you decide you want to come back later, you’ll need to make a whole new profile and start from scratch. Otherwise, all the data you created on Facebook will (hopefully) vanish into the ether of the Internet. Facebook does note that the full process can take up to 90 days due to the fragmentation of data across many servers and the potentially large data trail users can leave behind. However, some things you created – such as messages between you and your friends – will stick around in their accounts after yours is gone, albeit you will appear as a generic “Facebook User” instead of “Your Name.”

It’s also worth going into your Activity Feed on Facebook to browse through your posts to discussions groups or other people’s feeds. You must manually delete all these posts yourself before account deletion if you want them to vanish. You may also want to install some browser extensions or use web utilities designed to help you back up data, such as your photos, from Facebook prior to your account deletion. Once you’re satisfied you’re ready to move on without looking back, click the delete button and your account will be gone – forever.

Don’t just give away your data: it has value

With all these things going on, we think it’s worth taking the time to consider how we expose ourselves to advertising by simply giving our information away without thinking about it. Consider the adage: “If you’re not paying, you aren’t a customer: you’re the product.” That’s what online advertising boils down to, with so many different players looking for ways to harvest your information. Social media is a good way to stay in touch with family and friends, it’s true — but it comes with serious caveats we need to consider.

The primary purpose of these platforms today is to gather as much personal information on you as possible so they can sell it to online advertisers. While Facebook claims not to sell your information directly to these businesses, they do make it available for them to use through FB’s systems. That doesn’t mean you should boycott social media altogether (unless you want to), but we do think you should go into the situation with your eyes open to how advertisers use these platforms.

Providing Facebook with your information is one thing; you expect that they’ll need some of your data to be able to provide the experience you want. However, many people fork over access to their profile data and much more about themselves every day without a second thought — and it’s not FB they’re letting in the door. It’s third parties, often in the form of shady app developers who put up quizzes and “personality tests” that can go viral and harvest tons of user data. There’s very little real oversight regarding what these third parties can do with your data. Just because Facebook’s policies say what a third party can and cannot do with your data, that doesn’t mean some might not go beyond that!  No matter what Facebook claims, Cambridge Analytica’s actions prove that they were not taking good care of your information.

With the way your friends’ apps can access your data, even the most security conscious person in the universe could have their information harvested thanks to someone else who’s less concerned with the impact. That’s why we suggest starting conversations with your friends on these risks — and maybe you can even share this very podcast with them to introduce them to the problems. Chances are, they don’t even know how their data and your data is used online. It’s not a transparent process, after all.

Think of it this way: your information is money to advertisers, and not just the money spent on products. Why should you give it away for free when the only thing you receive in return is less content you want to see and more ads? Safeguard your information, recognize its value, and treat it like the precious commodity it is.

When we step back and look at the big picture present in today’s discussion, it’s easy to feel a little overwhelmed — who knew we’d have to devote so much energy to protecting ourselves on services that claim to value user privacy? That’s why it’s good to step back, take a deep breath, and consider all your options carefully. Share what you know with friends and family, too, to help educate them on the risks out there and what they can do to safeguard their information better.

That wraps up today’s discussion. Congress has called for testimony from some leading Facebook executives, including Mark Zuckerberg himself, who says he is more than willing to speak before the government — what will come out during such testimony we’ll have to wait and see for now. In the meantime, consider how you want to proceed, and if you choose to delete your account altogether — well, we can’t say we blame you!

Want to take your mind off all these current events? Head back into the archives for The Checklist, available right here, where you can catch up on every episode we’ve done so far alongside complete notes on the topics we discussed. Don’t forget that we’re always looking for emails from our listeners, too, whether you’ve got questions or a subject you’d love to hear us break down in a future episode. You can always reach us at Checklist@SecureMac.com.

Join our mailing list for the latest security news and deals