Tag Archives: Facebook

Facebook Continues its Damage Control Program

Facebook is used to riding high.  Not so much lately.

First they said that Cambridge Analytica inappropriately captured the data of 47 million users after 250,000 or so users completed a survey: the survey app harvested the information of all of those users’ friends without their permission.

Now they are saying that their arithmetic wasn’t so good and it wasn’t 47 million but rather 87 million users (Source: National Review).

Facebook is also saying that “malicious actors” took advantage of the search tools on Facebook and scraped public profile information on most of its 2 billion users.  The attack was very creative.  Take email addresses or phone numbers compromised in one of many breaches and pop them into Facebook’s search box, one at a time.  Until yesterday, that would match the account registered with that email address or phone number and return anything the account owner had marked as public, including photos, job history, friends and other information, so a list of breached identifiers turned into a list of named profiles.  Yesterday, as part of their “rehabilitation”, they disabled the feature, but not before the bad guys stole terabytes of data (Source: Washington Post).
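The enumeration pattern described above is easy to spot in server logs if anyone looks for it.  The script below is an example added to this post, not Facebook’s code: it reads constructed access-log lines from a hypothetical people-search endpoint and flags any client that submits many distinct email addresses or phone numbers within a few minutes.  The log format, the field layout, the client addresses and the threshold are all assumptions.

```python
"""Flag clients that feed many distinct email addresses or phone numbers into a
people-search endpoint in a short time: the enumeration pattern described above.
Example code added to this post, not Facebook's own. The log format is assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "<ISO timestamp> <client IP> q=<search query>".
# 203.0.113.9 walks a list of breached identifiers; 198.51.100.7 searches normally.
SAMPLE_LOG = """\
2018-04-04T10:00:01 198.51.100.7 q=alice+smith
2018-04-04T10:00:05 203.0.113.9 q=alice@example.org
2018-04-04T10:00:06 203.0.113.9 q=bob@example.org
2018-04-04T10:00:07 203.0.113.9 q=+1 303 555 0142
2018-04-04T10:00:08 203.0.113.9 q=carol@example.net
2018-04-04T10:00:09 203.0.113.9 q=dave@example.net
2018-04-04T10:00:10 203.0.113.9 q=(303) 555-0199
2018-04-04T10:00:15 198.51.100.7 q=alice@example.org
2018-04-04T10:20:00 198.51.100.7 q=bob@example.org
2018-04-04T10:30:00 198.51.100.7 q=carol@example.net
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+q=(.*)$")


def is_identifier(query):
    """True if the search term looks like an email address or a phone number
    rather than a name: the kind of value that comes out of a breach dump."""
    q = query.strip()
    if EMAIL_RE.match(q):
        return True
    digits = re.sub(r"\D", "", q)
    return bool(PHONE_RE.match(q)) and len(digits) >= 7


def parse_log(text):
    """Group (timestamp, query) pairs by client address."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group(1))
        events[m.group(2)].append((ts, m.group(3).strip().lower()))
    return events


def max_distinct_in_window(entries, window):
    """Largest number of distinct identifiers one client looked up inside any
    sliding window of the given length."""
    entries = sorted(entries)
    counts = Counter()
    best = left = 0
    for ts, ident in entries:
        counts[ident] += 1
        while entries[left][0] < ts - window:  # drop lookups older than the window
            old = entries[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_enumerators(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client: peak distinct identifiers} for clients at or above the threshold."""
    flagged = {}
    for client, entries in parse_log(log_text).items():
        idents = [(ts, q) for ts, q in entries if is_identifier(q)]
        peak = max_distinct_in_window(idents, window) if idents else 0
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct identifiers looked up within 5 minutes")
```

The same sliding-window count is what a rate limit on the lookup endpoint should key on: distinct identifiers per client per window, not raw request volume, because a scraper that paces itself still burns through a different identifier on every request.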

Then there was the memo by Facebook exec “Boz” who said that anything that we do to connect more people is good, even if it is used by terrorists.  Now that the memo has become public, he claims that he didn’t really believe that. (Source: CNBC).

Finally, Facebook first said that, while it liked the EU’s new privacy regulation, GDPR, it had no plans to apply those rules anywhere the law did not force it to.  Now they are saying, just kidding (Source: Ars Technica).

Okay, given that Facebook seems to be acting like the twin of Mr. Robot’s Evil Corp., what should you do?

First, be a conscious user.  Even today Facebook allows you to make information private or visible to just friends.  My posts are public, intentionally, but nothing else is public – only visible to friends.

Given that Facebook makes all of its money from your data, the default is always going to be to share (or steal) it.  You need to proactively change the defaults.

As Facebook makes changes in response to the PR disaster it is in the middle of, see what new privacy controls they offer and take advantage of them.

Finally, don’t post so much.  Do you really need to post everything that you do?  Once you post it, it is out there.  At least one insurance company is denying burglary claims if people posted their vacation plans prior to returning home.  Be smart;  post less.

Social media is wonderful, but with wonderfulness comes problems, so be smart.


Facebook Caught Mining User Data Again

This time, the data that Facebook is mining is your call and text message logs – who you contacted and when, not the contents.  But there is a difference.  In this case, Facebook says that it asked permission when you installed Messenger or Facebook Lite.  However, the default was to collect the data and it was not very clear to users that the data was being collected.

The call and text logs come from Android, which lets an app ask for that permission; iOS does not expose call or SMS history to third-party apps at all, although contact syncing works on both platforms.

If you download your Facebook data (go to http://www.facebook.com/settings and click on the small link at the bottom that says “Download a copy of your Facebook data”), you can see what data Facebook has.

Roughly a year ago, Facebook made it more obvious that they were collecting the data when you install the app.

Facebook says that they never sell this data (probably true) and that its purpose is to let friends find each other on Facebook and help create a better experience for everyone (more doubtful).

OK, let’s say you are a Messenger user.  What can you do?

1.  Check if your contacts are being synced with Facebook.  The instructions are different between iPhone and Android users, but the instructions can be found at https://www.facebook.com/mobile/messenger/contacts/ .

2. You can turn off syncing contacts by following the instructions at https://www.facebook.com/help/838237596230667 .  Again, the instructions are different between the iPhone and Android.

3. You can also delete your call history from Messenger.  Instructions can be found at https://www.facebook.com/help/messenger-app/870177389760756?helpref=hc_fnav .

Suffice it to say, Facebook is going to try real hard to capture the data.  After all, the name of the game for them is to harvest your data to increase your use and dependence on Facebook and to use that data to sell you stuff.

However, you can disable it.  Just not easily.


Information for this post came from Ars Technica.



Why do people usually use a VPN connection over the Internet?  Usually it is for added security and privacy.  What if a VPN offered security, but even less privacy than without it – would you use it?

Well some people are and probably do not even know it.

In 2013 Facebook bought an Israeli company, Onavo.  Onavo bills itself as a data analytics company – which makes perfect sense why Facebook would purchase it.

But where do they get the data that they want to analyze?

Well that’s easy.  They also make a VPN software product – a virtual private network – that creates a secure tunnel for you to send your Internet traffic over.

However, unlike reputable VPNs, which work very hard to collect as little data about you as possible and hence aid your privacy, Onavo collects as much data about you as possible – to aid Facebook’s mission of shoving more ads down your digital throat.

According to Wikipedia, Facebook is also using Onavo to internally monitor competitors, influence acquisitions and make other business decisions.

If you have the Facebook iPhone app installed and you click on the menu item for Protect, it will direct you to download Onavo.

It also has an Android app available in the Google Play store.

Facebook says that by collecting as much data as possible about your use of the Internet they can protect you better.  Hmmm, interesting thought.  Other companies seem to do that without having to track what sites you visit.

Many anti-virus products have a browser plugin that looks at the site you want to visit and see if it is malicious.  They don’t need to store the history of what sites you have visited nor do they need to associate those sites with your advertising ID in order to tell if the site is malicious.

Unlike most VPN products, which only run when you ask them to, Onavo tries to stay in your traffic path all the time.  After all, it cannot collect data on your browsing habits if it is not running.

Onavo says that it may retain your data for as long as you have an account.  Or beyond.  I somehow don’t think that is required to protect you either.

So, if you are looking for more targeted Facebook ads (and ads on those other web sites that use the Facebook ad platform), this is the software for you.

If you are looking for privacy, I am thinking there are probably better alternatives.

Information for this post came from Wired.





Max Schrems’ Fight With Facebook – Next Chapter

Some of you probably remember when then Austrian law student Max Schrems started fighting a battle over privacy with Facebook.

Now probably neither you nor I would want to pick a fight with Facebook’s legal team, but Max, a law STUDENT, said, hey, what the heck.

That battle wound up at the CJEU – The Court of Justice of the European Union.  The CJEU, the equivalent of the U.S. Supreme Court, is the final legal arbiter of EU law.

In October 2015, the CJEU ruled in favor of Max.  Against Facebook.  And against the United States.  Safe Harbor, the agreement negotiated between the EU and the United States 15 years before to protect EU citizens data that was transferred by companies like Facebook from the EU to the US, was flushed down the toilet.

To replace that, the Commerce Department under President Obama negotiated a replacement agreement called Privacy Shield and that has been in force for about a year.

One of the clauses in the Privacy Shield agreement says that it will be reviewed one year after it became effective.

Many people, Schrems included, said that Privacy Shield was just Safe Harbor with a bit of lipstick on it.  Not even a lot of lipstick.

An alternative to Safe Harbor was something called Standard Contractual Clauses.  These legal terms were written by the EU and, when included in agreements VERBATIM, provided pre-approved permission to move data from the EU to the US because these clauses, supposedly, provided EU citizens with protection regarding their data.

Schrems, being the thorn in Facebook’s backside that he is, decided that these standard contractual clauses didn’t really protect his data, so he went to the Irish Data Protection Commissioner and ultimately the Irish High Court and asked them to rule on the Standard Contractual Clauses.

Well, that High Court decision is in and Facebook (and many other US companies that want to be able to move data back and forth between Europe and the US) is not happy.  The Irish High Court agreed to ask the CJEU – the same folks that invalidated Safe Harbor – to rule on the Standard Contractual Clauses.

While we have no idea what the final ruling will be, Facebook and others, including the US government, have a very different interpretation of a person’s expectation of privacy.  In general, US privacy rules are much looser than EU privacy rules and penalties are almost non-existent.  Under a new law going into effect mid next year called the General Data Protection Regulation (GDPR), Facebook could be fined up to 4% of its global annual revenue for a privacy breach.  For Facebook, with revenue of $27 billion last year, that means that they could be fined UP TO a billion dollars.  That is why they are fighting so hard to keep the known rules in place.

The CJEU is the final stop.  There is no appeal from there.  Given that the CJEU ruled against Facebook two years ago, the odds of ruling for Facebook this time are shaky – but we don’t know how it will turn out.

Schrems, on the other hand, is a pretty happy camper.

Stay tuned.  IF the CJEU rules in favor of Schrems, President Trump and the current administration will have to do some interesting dancing.

Alternatively, all data transfer between the EU and the US could be stopped unless the person whose data it is has EXPLICITLY approved that transfer.  That approval cannot be buried on page 27 of a terms of service agreement that no one reads.

STAY TUNED.  It could get interesting.

Information for this post came from Fortune.


Facebook and Google Fell For Business Email Compromise

Since we all know that misery loves company, it may bring some comfort that even Facebook and Google can fall victim to business email compromise scams.

In one way, that makes perfect sense, since the weak link is always people.  On the other hand, you would think that big companies like Facebook and Google would have had controls in place, but apparently not.

What is staggering is the scale of the business email compromise.


A hacker in Lithuania was recently arrested at the request of the U.S., but he claims he is innocent and is fighting extradition.

According to the indictment, filed in New York, he created false invoices in the name of a legitimate Asian supplier, Quanta, for computer parts.  Both companies apparently buy lots of hardware from Quanta, so the invoices didn’t seem out of line, I guess.  While the details in the indictment are not clear, I assume that the invoices carried his own wiring instructions.

Because we are talking about Facebook and Google, the indictment only calls the victims Company 1, 2 and 3.  Quanta has admitted they are Company 1.  Facebook, in response to a request from Fortune, admitted they are one of the parties.  Google just admitted that they are one of the parties also.

Facebook said they were able to recover “the bulk of” the funds, whatever that means.  Google also said that they recouped the funds.  For an attack as sophisticated as a hundred million dollar scam would be, it is surprising that he was not able to hide the money.  YOU should be so lucky.

The only difference between this attack and an attack on you or me and why the Manhattan U.S. Attorney was willing to take the case was the sheer size of it.

One question is whether this is a material event that needed to be disclosed to shareholders.  For either company, $50 million (half of the take) might not be material and it certainly might not be material if they got some or all of the money back.

Still, this indicates that it can be hard to stop these guys and companies really need to pay attention, especially when amounts that ARE material to smaller companies are involved.
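The controls that would have stopped this are not exotic.  The script below is an example added to this post, not drawn from the indictment or from either company’s actual payment process: it checks an incoming invoice against a vendor master file for a sender domain that does not match the vendor’s (including lookalikes), bank details that differ from the account on file, and amounts large enough to require an out-of-band callback to a number already on file.  The vendor, domains, account numbers, amounts and threshold are all constructed.

```python
"""Check an incoming invoice against the vendor master before releasing payment.
Example code added to this post; a payment-release control of the kind that
catches a forged invoice carrying new wiring instructions. The vendor, domains,
account numbers, phone number and invoices below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    domain: str          # domain the vendor's real billing staff mail from
    bank_account: str    # account on file, set up through a verified channel
    phone_on_file: str   # number used for callbacks; never taken from an invoice


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    bank_account: str
    amount_usd: float


# Constructed vendor master with one hardware supplier (hypothetical names).
VENDORS = {
    "Example Hardware Ltd": Vendor(
        "Example Hardware Ltd", "example-hardware.test", "ACCT-0001", "+1-555-0100"
    ),
}

# Constructed invoices: one genuine, one forged with a lookalike sender domain
# (digit one for the letter l) and new bank details.
GOOD_INVOICE = Invoice("Example Hardware Ltd", "billing@example-hardware.test", "ACCT-0001", 12_500.0)
FORGED_INVOICE = Invoice("Example Hardware Ltd", "billing@examp1e-hardware.test", "ACCT-9999", 3_400_000.0)


def levenshtein(a, b):
    """Edit distance between two strings, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(invoice, vendors, callback_threshold=25_000.0):
    """Return a list of findings; an empty list means the invoice may be released."""
    findings = []
    vendor = vendors.get(invoice.vendor_name)
    if vendor is None:
        return ["vendor not in the vendor master: do not pay"]

    domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if domain != vendor.domain:
        distance = levenshtein(domain, vendor.domain)
        if distance <= 2:
            findings.append(f"lookalike sender domain {domain!r}, edit distance {distance} from {vendor.domain!r}")
        else:
            findings.append(f"sender domain {domain!r} is not the vendor's {vendor.domain!r}")

    if invoice.bank_account != vendor.bank_account:
        findings.append(
            f"bank account {invoice.bank_account} differs from the account on file; "
            f"confirm by calling {vendor.phone_on_file}, not a number printed on the invoice"
        )

    if invoice.amount_usd >= callback_threshold:
        findings.append(
            f"amount ${invoice.amount_usd:,.2f} meets the callback threshold of "
            f"${callback_threshold:,.2f}; require out-of-band approval"
        )

    return findings


def may_release(invoice, vendors, callback_threshold=25_000.0):
    """True only when no finding was raised."""
    return not check_invoice(invoice, vendors, callback_threshold)


if __name__ == "__main__":
    for inv in (GOOD_INVOICE, FORGED_INVOICE):
        print(inv.sender_email, "->", check_invoice(inv, VENDORS) or ["release"])
```

The important design choice is that a changed bank account is a hard stop regardless of how convincing the email looks, and the callback goes to the number already on file: a forged invoice will happily supply its own “verification” phone number.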

Information for this post came from Fortune.



European Court Of Justice Rules On Safe Harbor Agreement

As many people expected, the European Court of Justice, the highest court controlling European Union law, ruled in favor of Max Schrems and said that the Safe Harbor Agreement, negotiated between the United States and the European Union in 2000, is invalid and does not provide EU citizens with the protections mandated by the EU data protection directive.

I am currently on a conference call with 2,000 other privacy professionals discussing the impact of this ruling.

The short version is that technically, many companies are now transferring data in violation of the law between Europe and the United States, but that executives should not panic.  Yet.

One part of the ruling is that the EU country data protection authorities (DPAs) do not have to bow down to the European Commission’s Safe Harbor decision from 2000 and MAY rule on whether adequate protections are in place – which then have to be referred to the European Court of Justice, as Max Schrems did.

Another part of the ruling says that disclosures to law enforcement (read this as the NSA, FBI and others) need to be strictly necessary, proportionate and subject to judicial redress.  Needless to say, that is not what happens today.

It would seem to me that those same rules ought to apply to European surveillance activities, but I don’t think that court directive addresses that.

The US and EU have been working for two years trying to negotiate a new safe harbor agreement and last month initialed a form of agreement, pending the US passing new laws protecting the rights of EU citizens.  Given the ruling today, I assume that this agreement will need to be revisited.

The privacy experts are saying that companies that transfer data between the US and the EU need to start – like tomorrow – looking at their situation with expert counsel and planning the future.

They also point out that this particular judgement ONLY affects Max Schrems’ lawsuit against Facebook and does not invalidate all other agreements in the world.  It does, however, create a framework or standard for the EU countries’ DPAs to assess other lawsuits.

I also expect, now that Schrems has a ruling in his favor, that other lawsuits will be filed.

The United Kingdom data protection authority said that THEY do not plan to shut down the Internet, that people should not panic, etc.

The experts expect that a lot of conversations will begin between the 28 data protection authorities, the European Commission and the United States.

Stay tuned.



