Your phone lights up and you see a message from Facebook security. The message states that your account is about to be disabled unless you verify it. You click the link and verify your login information and credit card number. Crisis averted! Or so you thought. Little did you know that that was a fake Facebook page and the hacker who created it now has your Facebook login, password and credit card number along with all the public information on your profile. It won’t take long until you start seeing unauthorized charges, a fake profile that looks like yours in an effort to prey on friends and family, or even new accounts opened in your name. One seemingly small click created an avalanche of issues.
Social media platforms including Facebook, Twitter, Instagram and LinkedIn allow us to be connected at all times. We use these sites to learn about the people in our world, and allow them to learn about us. We share personal details, likes, dislikes, photos, links, vacations, etc. Think about how much information is on your social media page – name, location, contact info, personal details, etc. This destroys privacy. Every piece of information we share can be extracted and shared. It leaves us open as targets for access to our personal data which can lead to issues like identity theft. Identity theft is not a new activity, but the method of obtaining the information needed has evolved. (Velasco, 2018)
Privacy concerns have been brought up multiple times in regards to social media sites. Facebook is a big player in the social media world, in fact it has become the most popular social network site in the United States with over 2 billion active users. Many of these platforms have been subject to a breach before. Most social networks have poor security measures and are littered with fake accounts. Many of the threats within those fake accounts, like Twitter bots, cannot be recognized until it is too late. Google, like Facebook, controls multiple logins across multiple apps and even devices. No matter how secure data is, there is still a risk of it being stolen. What do we do? We have to take responsibility for our own data and use some common sense. (Berzinya, 2018)
Over time, people have become more relaxed in sharing personal data. Matt McKeon, developed an interactive webpage called “The Evolution of Privacy on Facebook”. This looks at the changes in the default settings on a Facebook profile and how they have changed over time from 2005-2010 (See Appendix A for graphical representation of privacy changes). In the beginning, Facebook limited users to certain networks and therefore your data was also limited to those networks. The public couldn’t even tell if you had a profile or not until November 2009. (McKeon, 2010) The data issue really started to come into play with third party application developers started accessing Facebook data through their applications. As more options for sharing content became available, the default was always to share more broadly. Facebook has configured the default privacy settings to force you to share your data, and your friend’s data if you want to use the apps. Default settings matter because research shows that most people do not change them. (Boyd & Hargittai, 2010)
Facebook uses the data collected to target you with ads that appear on your site and others can see those ads. Twitter on the other hand is a lot less intrusive and does not force you to share your data. In fact, in 2011 Google developed technology that allows Facebook comments to be searchable. Tweets are not. (Wolfe, 2018)
The industry privacy issue is an externally driven issue. This is not specific to one organization, but rather the entire social media sector. Facebook has received the most publicity regarding the issue because of the type and quantity of data they are collecting. Externally driven issues are often escalated by others. In this case, the Senate has presented a bill that will regulate social media data collection and usage. The have called multiple hearings with representatives from Facebook, Twitter, Google, Apple, Amazon and more. (Griffin, 2014)
In 2010, the Electronic Privacy Information Center filed a complaint with the US Federal Trade Commission. Additionally US Senator, Charles E Schumer of New York, criticized Facebook and asked the FTC to investigate. There were also vocal critics that instated May 31 as “Quite Facebook Day”, even though not many actually quit Facebook. In July 2010, a Canadian law firm filed a class action suit against Facebook in concern with privacy issues. (Boyd & Hargittai, 2010) In November 2011, the FTC claimed that Facebook lied to consumers by stating their data would remain private and then in turn shared or sold the data. They settled by agreeing to a 20 year consent order where the FTC would review privacy issues bi-annually. The FTC has also issued consent orders with Twitter, MySpace and Google. (Claypoole, 2014)
Pew Research Center has released information on how American’s feel about social media and their privacy. 69% of American adults report they use a social media platform. Of those users, only 9% believe they have a lot of control over the information that is being collected about them on social media. Two-thirds of users state that the current laws are not good enough in protecting privacy. (Raine, 2018)
Troy Hunt, an employee at Microsoft, developed the website haveibeenpwned.com in 2013 which provides a service to the public to check if their email address has been a part of the data breaches that have been announced. This not only increases public awareness, but also gives advice on what to do if their email address was contained in a breach. (Hunt, 2013)
Facebook is the social media site that is the driver behind the data security concerns. In November 2011, Facebook settles with the Federal Trade Commission over third party apps being able to access nearly all of a user’s personal information. As part of the agreement, they will have an independent privacy evaluation every other year for the next twenty years. As those evaluations have progressed, so has the issue of data privacy. There were additional bugs and breaches to follow in 2013, 2014, 2015, and 2018. (Newcomb, 2018)
In 2015, Facebook discovered that even though access was limited to third-party app developers in 2014, they could not keep track of those who were using previously downloaded data. Cambridge Analytica is an organization that used the purchased the data of over 50 million users to assist with micro targeting during the 2016 Presidential Election from a third party app developer. The Trump campaign paid Cambridge Analytica to develop psychological profiles of the individuals and then targeted them with specific ads to push their agenda. (See Appendix B for documentation) The app developer who originally supplied the data did disclose to Facebook and the individual users that data was being collected for academic purposes. In 2015, Facebook removed his app and asked that all acquired data be deleted. However, it was not deleted. This was not discovered until March 2018. (Rosenberg, Confessore, & Cadwalladr, 2018)
As of 2014, there are over 45 U.S. jurisdictions with a version of a data breach law. These address how companies must address companies if data is exposed or lost. Social media websites are categorized a little differently as the customer is self-identifying or publishing their personal data. The platform is merely facilitating and will not trigger these laws unless the information is published or extracted further than the privacy settings the customer intended. For example, if a photo was published for “friends” only and it gets taken and published publicly, that is a violation of the data breach law. (Claypoole, 2014)
States are taking on legislature concerning social media in the workplace. As of 2013, 12 states including Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oregon, Utah and Washington, have passed laws that restrict employers from demanding access to their social media sites. California is even taking steps to “protect the privacy of some social media users from users’ own poor judgement.” (Claypoole, 2014) This could be a black hole if the legislation passes. There will always be those who feel like the regulations for social media need to be tightened and others who think that tightening the regulations is a violation of their free speech. The general public is becoming more aware of social media privacy issues and the role it plays in their life.
Based on Hallahan’s Issue Processes Model, the audience is aroused. The vast majority of social media users have low knowledge about privacy issues, but it is affecting them personally. The public is mostly an inactive audience, but many are shifting into the aroused state. The inactive public think others, like the government, are working to fix the problem. After the Cambridge Analytica issue and the surrounding public press, the public is moving to more of an aroused state and are recognizing the problem. (Hallahan, 2001)
In regards to the Facebook data issue with Cambridge Analytica, there was a span of three years before Facebook figured out that the original data that was acquired was not deleted. When they found out, they suspended the accounts of Cambridge Analytica and key players. They updated their public statement a day later to say that this was not a data breach. “People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.” (Grewal, 2018) This was an interesting response as it seemed to some that they were shifting the blame to the individual Facebook user.
Facebook creator and CEO, Mark Zuckerberg posted on his personal page on March 21, 2018. He details out a timeline of events concerning the Cambridge Analytica scandal. He states that Facebook plans to investigate all apps that accessed data prior to 2014. They will continue to restrict app developer’s data access. Facebook will also take steps to ensure the public knows what apps have access to their data and how they can restrict or remove that access. Throughout his entire post, he does not issue an apology, which is probably a good idea. (Zuckerberg, 2018) As Benoit describes, an apology would be an admission of guilt. (Benoit, 2004)
The United States needs to step up and mirror our European friends and put regulations in place to restrict and limit access to personal data via social media. In May, the European Union implemented the General Data Protection Regulation (GDPR) that is a set of rules that all technology companies, including social media, must follow. First, apps should only take what they need. Second, if there is a known hack or breach, the company must notify users in less than 72 hours. Lastly, they have implemented fines that can be up to 4% of the annual revenue for not complying with these laws. These regulations put in place by the GDPR can be guidelines for the United States to have consistent regulations concerning data privacy throughout all technology and social media sites. (Chiara, 2018)
As a nation, we need to focus on the education of our citizens on the risks of sharing personal information online and social media. There are steps that can be taken to protect ourselves, but they aren’t widely known or shared. First, in the privacy settings there is a link called “How People Find and Contact You”. This contains important settings like “Do you want search engines outside of Facebook to link to your profile?” Make sure you review and change the default. The section above lets you review posts and other things you are tagged in before they are tied to your profile. Next, on the left hand side, you will see the “Face Recognition” setting. Changing this to “No” will not allow Facebook to recognize you in photos and videos. The face that this is a setting you have to turn off is disturbing. The Apps and Websites section on the left is where you can see what apps/websites/games are getting your information and what information they have access to. You can remove or restrict access to those apps at this time. It is recommended to limit the number of apps/websites/games with access to your profile as this tends to be where the security breaches, like Cambridge Analytica stem from. Lastly, go to the Ads section. This is where you can control what information Facebook uses to place you in ad groups. You can see what interests Facebook has flagged for you as well as which advertisers have added you to their contact list. You may be surprised to see some of them and how many there are. Controlling social actions is a big one that is recommended to turn off. This shows others if you like a page that they are seeing an ad for. These settings are all very hidden, but are ones that we can easily change, if we had the education to do so.
In conclusion, the social media sector has a major issue with data privacy. The industry leader, Facebook, has proven multiple times that there are weaknesses and issues within their own internal controls. Is the answer letting the government set regulations for data privacy control or should that remain on the individual user? If a user is knowingly distributing their data, which in turn is sold, like the Cambridge Analytica crisis, is that the social media platform that is responsible or the user?
Review your personal privacy settings using the instructions provided above. From a data security standpoint, it is always recommended to take the highest level of security. Next time you start to take a personality quiz on Facebook, take a second and read the request for information the app is asking for. Think of Cambridge Analytica. Would you be ok if your personal data was leaked and used to target you with specific ads? If you would not be ok with that, then do not download the app and do not take the quiz. Be a smart and savvy social media user.