SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 85: Facebook Follies

Posted on April 19, 2018

When you log on to Facebook, do you still feel like you’re having fun? The social network used to be an awesome place to reconnect with old friends and keep in touch with family. Today, more people than ever are choosing #DeleteFacebook.

While Facebook is a free service in theory, since no one pays to sign up for an account, it turns out the real costs are much higher than any subscription fee. From the Cambridge Analytica story we reported on recently to even more unwelcome news about privacy for Facebook users, today we’re going to discuss the “Facebook Follies.” We’re running down everything you need to know about the latest developments and asking the toughest question of all: is Facebook really worth it still?

The items on our checklist for today include:

  • Facebook Caught Creeping on Android Users
  • Digging Through Your Facebook Data
  • The Cambridge Analytica Story: An Update
  • Mr. Zuckerberg Goes to Washington
  • A Facebook-related update to our machine learning episode

With all the latest news, it’s easy to think that Facebook has ensnared all of us in privacy problems to one degree or another — but it turns out that for Android users, in particular, the situation was much worse. That’s where we’ll begin for today.

Facebook Caught Creeping on Android Users

Back on episode 32 of The Checklist, we looked at shadow profiles — collections of data Facebook had amassed on tons of people who weren’t signed up for the service. In that episode, one of the things we talked about was the way Facebook can connect your phone number to your online identity, even if you personally never handed it over to Facebook at all. Simply put, anyone who installs the Facebook mobile app on their phone will at some point see a prompt that asks for access to the user’s phone contacts. The purpose, ostensibly, is to help you “connect” with other people. Facebook vacuums up all this data, which could include your full name and telephone number, and hangs on to it for later.

Now it turns out that if you used Facebook on an Android device some years back, you could have inadvertently given Facebook access to a lot more information than just the people listed in your digital address book — such as lots of information about who you called on your phone! If that sounds surprising and if you think that kind of information should be none of Facebook’s business, you’d agree with Dylan McKay, a New Zealander who initially uncovered this problem at the end of March.

After downloading an archive of his data from Facebook, McKay began to explore what it contained. What he found shocked him: nearly two years of metadata related to calls he made from his Android phone. That data included the dates of the calls, the length of the call time, and of course the names and phone numbers of those he dialed. While it turns out this was not exactly an intended behavior on Facebook’s part, that didn’t stop their data collection programs from not only gathering the information but from storing it on Facebook’s servers as well. We don’t have to come up with an elaborate example to point out why that’s a major privacy problem.

Ars Technica, after hearing of McKay’s discovery, asked for others to come forward with more information. They found several other people who had similar stories to share, wherein they discovered Facebook had logged tons of data about not only their calls but their text messages, too. None of these users could ever recall granting Facebook explicit permission to access such data. After doing further digging, the root cause turned out to be a problem with the way in which Android governed app access to call logs.

If a user installed Facebook and allowed Facebook access to their contact information while using any Android release before Jelly Bean (v4.1), Android granted access to call and message logs as a default behavior. It wasn’t until the release of Android Marshmallow (v6.0) that users gained the ability to exercise finer control over app permissions. Until then, any app that bundled separate permissions requests into one could skate by without asking for permission individually. Though Marshmallow hit phones in 2015, many Android devices continue to run old versions. As of February 2018, nearly 40% of the total Android installation base continues to run on Android version 5 or below, often due to having older phone hardware or their cellphone carriers not offering the latest versions on those phones.  For iOS users, however, you can feel good in knowing that Apple has never given app developers the ability to access call logs as a matter of privacy.

Digging Through Your Facebook Data

Just because Apple users were safe from this particular instance of data collection doesn’t mean that we iPhone users are totally out of the woods. In fact, it would be a little naive to assume we were any safer using the Facebook app simply because we downloaded the iOS version! Thinking about that got us curious: what would a data archive similar to the one McKay downloaded look like for an Apple user instead of an Android one? To answer that question, we grabbed archives of our own Facebook data to peek through it ourselves.

Want to do the same? Here’s what you need to do in case you don’t already know how to access the archive of information Facebook has on you:

  1. Log in to your Facebook account.
  2. Visit the Settings page and navigate to “General” account settings.
  3. Locate and click the link at the bottom of the page that says, “Download a copy of your Facebook data.”
  4. Request your archive, input your password to prove to Facebook it’s really you, and wait. You will soon receive a link in the email address associated with your account, though it may take some time for Facebook’s software to automatically gather and prepare the archive for you.

In our own investigation, we do not use Android devices and have never opted-in to allow Facebook to access contact information; we didn’t find any surprising evidence of call logs or text message metadata hiding in there. However, there can be a lot to look at in these archives, and we found some interesting and cool things — and of course, some creepier things as well.

What was cool to see in the archive? One section of the archive is dedicated to the security of your account, and it shows a detailed log of every time you’ve logged in to your account or updated a user session. Those logs include the date of the login, the time, the IP address of the accessing machine, and the browser used for every occasion. This section of data isn’t exactly a new feature — for example, Google’s Gmail allows you to quickly see a recent list of logins and sessions based on IP address to help you identify a potential problem, such as when your account may have been compromised. However, Facebook maintains this information going back for years. If you ever had any concerns about illegitimate access to your account, this would give you a great starting point to see if it ever happened.

Facebook stores more than just login data, though. You’ll also find a section in your archive about “recognized machines,” which means you don’t have to manually scroll through that giant list of logins to see how many different devices you logged in with; Facebook also estimates the location of your log-in based on the geolocation of IP addresses. There are also records of all your administrative requests, such as changing one of your security questions or resetting your passwords. This is all excellent information to have, and it’s certainly important for protecting your account; all this data makes it much easier for Facebook’s algorithms to recognize bogus logins.

It’s not all good, though. We discovered that in our archives, there was information relating to how many advertisers had received our contact information. Some of the names on that list were companies we’ve done business with, and that makes sense — but there are many other instances where not only had we not transacted anything with a company, we didn’t even know who they were! In many of these cases, it wasn’t clear how or why some of these entities had received our data through Facebook.

For example, the archive indicated that Netflix had our contact info. That makes sense when you have a Netflix account. However, the Department of Homeland Security had that info too — why? It’s not clear. Meanwhile, it showed someone named “El Chapo” (after the Mexican drug cartel lord) had contact data, presumably someone using a fake name. On top of that, it looked like many individuals listed as advertisers had our contact data; these turned out to be politicians, many of whom lived and worked in states we’ve never visited. Obviously, that raises some questions about how our info got to these people. Look into your archive to see what you can turn up!

The Cambridge Analytica Story: An Update

Looking through all that data can be overwhelming, especially when you start turning up things you might not fully remember uploading — or when you see that Facebook remembers things that happened almost ten years ago. For some time now, there have been lingering concerns about how much data Facebook collects and stores. Of course, with the emergence of the news about how much data Facebook shared with the research firm Cambridge Analytica, that concern has moved to the fore of a national conversation.

It was only a few weeks ago, on Episode 81, that we initially covered the Cambridge Analytica story. Today we’ve got an update for you on that story and the steps Facebook has taken in response to the public outcry. The social media company is now rolling out a feature that allows users to find out if their data specifically was shared with CA. Simply visit Facebook’s Help Center and search the term “Cambridge Analytica.” The search will return a page that enables you to know whether you or one of your friends logged into CA’s “This Is Your Digital Life” app. You can find a direct link to this page below in the links for today’s show.

However, FB has chosen to go a step further rather than simply hiding this page in their help section. For the 87 million users whose data ended up in CA’s hands, Facebook will be pasting a big alert to the top of your news feed to let you know that your data was included in what CA received. With that said, even if you come away scot-free from Cambridge Analytica, there’s a near-zero probability that they were the only business engaging in the shady tactics they used for harvesting information through Facebook’s developer platform.

That’s why we think now is a good time for you to take the time to review all your Facebook settings. See what apps you’re allowing to access your data and take steps to revoke their permissions when you no longer use the app or didn’t intend to give it access in the first place. However, keep in mind that there is an element of “closing the barn door after the horse has bolted” to this. Revoking access now doesn’t delete your data from a third party’s servers; it just means they can’t access any changes you make after revocation. That’s why it is so important to take a critical look at who wants your data before you ever click “I Agree.”

Mr. Zuckerberg Goes to Washington

Just a little over a week ago (as of the airing of this episode), founder and CEO of Facebook, Mark Zuckerberg, had his moment in the hot seat before panels in Congress. Testifying in front of both the House and the Senate in response to growing concerns about user privacy stemming from the Cambridge Analytica scandal, it was a unique moment in recent history. What Congress wanted to know: what is Facebook doing about protecting user privacy? How much data does it collect, and to what benefit? Of course, it also served as an opportunity for various Congressional members to grill Zuckerberg about everything under the sun related to Facebook.

In his testimony, which lasted for hours, Zuckerberg repeatedly apologized for his company’s failures in the realm of user privacy. He also promised to continue to try harder to find ways for the social media giant to do better and to live up to its responsibilities more fully in the future. It’s nothing we haven’t heard before, and it sounded especially familiar considering all the major breaches other companies have experienced in recent years. Senator Richard Blumenthal of Connecticut pointedly remarked to Zuckerberg that “We’ve seen the apology tours.”

Another senator, Dick Durbin of Illinois, put the issue in stark relief for Zuckerberg. During the testimony, Durbin asked Zuckerberg if he would reveal the name of the hotel he was staying at in Washington, D.C. After an awkward pause, Zuckerberg declined. Durbin then asked if he would like to share the names of the people he had sent messages to in the recent week. Again, Zuckerberg declined — and Durbin pointed out that this was the root of the privacy issues facing millions of Facebook users. Zingers from sitting senators aside, several things became abundantly clear as the testimony proceeded.

First and perhaps foremost, Facebook doesn’t seem to think they’re doing anything potentially wrong by collecting so much information from users. In fact, they believe they’re helping us! Their goal, they say, is to forge better connections between friends, improve targeting for advertisers (and thus improve the experience users have with ads), and so forth. There is very little remorse for when things go wrong because Facebook doesn’t see what they’re doing as problematic in any way — rather, “other people,” like Cambridge Analytica, are the ones that Facebook believes are really at fault.

Second, it was painfully obvious that most Senators have no clear understanding of how the technology powering platforms such as Facebook work. While they may be clear on banking regulations and foreign relations, it was clear they had a poor grasp on one of the biggest players in modern technology. A great many of the questions posed to Zuckerberg were highly convoluted and difficult to follow, or simply wrong in the basic assumptions behind the questions.

The result was a fair amount of testimony that was unrelated or of no consequence. However, as frustrating as it may be to watch elected officials fumble the ball when it comes to technological issues, there’s one important thing to remember: these senators aren’t much different from the vast majority of Americans in this regard. You shouldn’t need a degree to be able to decipher how to keep your information private on the web!

There is often a line of thinking, even from within Facebook itself, that goes: “these people opted in, and so they were fine with handing over their personal data; why should they complain now?” Think of it this way, though: if you sat down with each person and explained how Facebook takes their data and uses it to make money — and the third-party companies who receive that data and make off with it — how many people would still feel okay?

The truth of the matter is that the reality of what happens to our data has been so heavily obfuscated that it is now hard to understand how businesses use that information. With thick legalese and lengthy paragraphs, modern user agreements and terms of service make it almost impossible to decipher what’s allowed and what isn’t. That’s not to mention that most people do not read these documents anyway, and so pointing to them as an excuse just doesn’t hold water. Instead, Facebook must do better — or we should all look for another, less invasive way to stay in touch with our friends and family online.

A Facebook-related update to our machine learning episode

For today’s final topic, we’re jumping back to last week’s episode on machine learning to make a connection with all the stories we’ve discussed today. In Checklist 84, we talked a bit about how Facebook uses facial recognition machine learning to match your face to photos on your Facebook account and in photos uploaded by your friends. Thanks to Zuckerberg’s testimony before Congress, we now have more insight into Facebook’s approach to machine learning. It seems the company believes it will be a silver bullet to solve all their problems.

In Zuckerberg’s testimony, he spoke about Facebook’s efforts to stop the publication and spreading of harmful and hateful content on the platform. According to the Facebook founder, the company relies on “AI” developments to help filter out his content. In one example he gave, Zuckerberg said that nearly all content affiliated with ISIS and Al Qaeda is now automatically flagged by the site’s AI and removed before any human eyes see the posts.

Thanks to this success, Zuckerberg said, the company is investing heavily in AI technology to solve all the content problems plaguing Facebook. Within 5 to 10 years, he claimed, Facebook’s AI would be advanced enough to detect, flag, and remove hate speech before a user can make the post. While it sounds good, there are pros and cons on both sides here.

First off, it’s not a bad idea to take the human element out of the equation when we’re talking about flagging harmful content. Normally, big sites who try to filter out this content must go through the raw, complete feed of posts made by users. Moderators may sign off on individual posts to make them visible, or they may approve or deny posts only on a review basis. In the latter case, user reports are what prompt an item to go up for further review. Either case requires employees who must sit and look at the worst of what the Internet has to offer as their day job. Not only can that be incredibly mentally damaging and draining on a long-term basis, but it’s an inconsistent process, too. Passing those duties off to a machine that doesn’t care about the content of what it “sees” is certainly preferable.

At the same time, automated content removal is ripe for abuse, too. Eliminating hate speech from Facebook is a valid goal, but who is deciding what constitutes hate speech? There are obvious and clear-cut cases, especially regarding racism for example, but it doesn’t take a giant leap of the imagination to see a regime using an AI such as this to implement censorship on a massive scale. In fact, for countries such as China that already exhibit massive control over the Internet within their borders, this type of technology seems more like a logical next step for them.

Zuckerberg’s optimism about the future of AI may help us get to a world where Facebook and other social media contains less radical and offensive content, but do the risks outweigh the rewards? This topic is something we’ll keep an eye on going into the future. Machine learning is here to stay, though, whether Facebook succeeds in its efforts or not.

That’s everything on the roster for today’s discussion — but if you feel like what we know is only a scratch on the surface of what’s really going on, you aren’t alone. In fact, it almost seems as though we could gather enough material to run an episode on Facebook every other week. This story is so big already, and from all indications, it looks likely to get even bigger. For now, we’ll keep an eye on the headlines as these stories develop, and we’ll bring you more in-depth discussion on these topics as needed.

Feel like you need a refresher on what’s happened and how we got to this point? You’ll find links for more information on today’s stories below, while you can head into our archives right here for more. Episode 81 contains our initial look at the Cambridge Analytica scandal, and if you want to delve even further into the shadowy world of Facebook data, check out Episode 32 — Shadow Profiles. Of course, you can also always find the full notes and audio for all our episodes in the archives, too.

Join our mailing list for the latest security news and deals