Facebook User Data Stolen In Hack. Facebook Offers No Protection.

In a recent breach of Facebook it is suspected that approximately 29 million users had their data stolen, with the most severely affected being a group of 14 million. The attack is currently being attributed to spammers pretending to be a digital marketing firm. According to Facebook, the data stolen includes: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”. News of the hack first surfaced on October 5th, when it was suspected that 50 million users were affected, a number that has since been lowered.

Facebook first shared details of the attack last week, fearing as many as 50m people had been affected

Usually, companies in such a predicament offer access to credit protection agencies and other methods of identity theft prevention, as in the case of the 2013 Target breach. However, Facebook declared that it would not be taking such steps, and would instead direct users to help pages where they could learn how to avoid phishing. Experts worry about the potential for smaller-scale attacks. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, believes that though no financial data was captured, the information gathered could still be used to answer knowledge-based authentication questions and break into accounts elsewhere. He believes that the best move for Facebook would be to offer free access to password managers and other similar software to help combat this.

In Europe, the breach is costing Facebook about $1.6 billion, or 4% of its yearly revenue. This case is being recognized as the first major test of the General Data Protection Regulation which was enacted in May.

– Nicholas Antiochos

Sources:

https://www.businessinsider.com/facebook-thinks-spammers-responsible-hack-stole-info-from-29-million-users-2018-10

https://www.bbc.com/news/technology-45845431?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-correspondent

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling, handed down from a regional court in Berlin, found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium concluded later that week, on the 16th of February, in which Facebook was ordered to cease tracking users through third-party sites. These rulings appear to continue a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications for the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms of service contracts can be declared invalid on the grounds that a user cannot be expected to fully read and understand the terms, then it could force companies either to find alternative ways of setting terms of use or simply to shorten them.

The removal of a “real name” clause theoretically removes a convenient user ID for select users, possibly requiring Facebook to resort to cross-referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure it once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause rest on the assumption that Facebook hasn’t already discovered or designed a more convenient alternative.

The final ruling of interest here, regarding the transfer of personal data to the US, actually has much stronger implications for the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on its own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the datasets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the incentive for companies to gather as much niche data.

– S. Carlton

References:

Court Ruling (German):

https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf

German Court News:

https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0

https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court

https://www.theguardian.com/technology/2017/oct/26/whatsapp-facebook-eu-data-article-29-working-party-taskforce-sharing-user

Belgian Court News:

https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court

Facebook is Pushing Spyware as Security

Hidden inside the navigation menu of the Facebook app (currently for iPhone only) lies a banner titled “Protect”. If you tap it you will be redirected to download Onavo, a “VPN Security” app for both iOS and Android. This app was acquired by Facebook way back in 2013 but is just now being pushed. Sadly, Facebook didn’t have security in mind during this acquisition.

With the download of Onavo, Facebook gains the ability to monitor user activity across all apps on the phone, because a VPN app sees every connection the device makes. This information gives Facebook a head start on trend spotting, allowing it to know which apps to buy next or whether its changes affect the other social media giants. What it also does is invade the privacy of any user who downloads this product. Facebook disguises this invasion by calling it protection and assuming users will look into the app’s description for more details. But Onavo does its best to hide its spyware-like behavior from the user; the details can’t be found until after tapping “Read more”:

To provide this layer of protection, Onavo uses a VPN to establish a secure connection to direct all of your network communications through Onavo’s servers. As part of this process, Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences

Soon enough many users who think they are protecting their Facebook account will unwittingly be feeding more of their information into the product itself. This “protective” feature is one that can definitely be skipped when trying to secure your Facebook account from unwanted breaches. Instead, follow a tutorial and secure your account on your own: a strong, unique password and two-factor authentication do more than routing all your traffic through a third party. And, in the future, when Facebook suggests any apps to download, be sure to read the fine print.

Sources:

– Bailey Pearson

Facebook? More like FakeBook.

Jordan omo

Csec

10/20/2014

So in recent news there is a bit of buzz regarding certain Facebook accounts. Specifically, Facebook accounts created by the DEA (Drug Enforcement Agency), and no, these are not accounts for DEA agents; these are fake accounts used to catch other criminals. This is all coming to light because of a letter written by Joe Sullivan (CSO of Facebook) which states:

“We recently learned through media reports that the Drug Enforcement Administration (“DEA”) created fake Facebook accounts and impersonated a Facebook user as part of its investigation of alleged criminal conduct unrelated to Facebook. Although we understand that the U.S. Department of Justice is currently reviewing these enforcement practices, we write to express our deep concern about the DEA’s conduct and ask that the DEA cease all activities on Facebook that involve the impersonation of others.”

The DEA was first discovered doing this with an account created for a woman who had been arrested, built using information taken from her phone. After creating the profile, the officer added photos of the woman and added friends on her behalf, including a man who is a known fugitive. All of these actions are in direct violation of Facebook’s policies and terms of service.

Willingly allowing to be tracked?

An American citizen (unsure if he was American-born or naturalized) named Hasan Elahi had returned to U.S. soil after leaving the country for a while and was questioned intently by the FBI for over 6 months over his whereabouts, his storage locker in Tampa, FL and whether he may have had connections to Al Qaeda, Islamic Jihad, Hamas or Hezbollah. It appears that he did not, and he had several pieces of evidence that he, in fact, did not. He willingly cooperated above and beyond what the FBI requested, to the point that after he was cleared, he willingly gave the FBI his personal information (e.g. where he was when he left the country, account information, call logs, pictures of his current locations, etc.). He did this as a symbol to show the FBI he was not trying to do anything fishy, and believed that if he did this, the FBI wouldn’t consider him a suspect for anything else in the future.

Hasan’s belief is that this would not work if every American citizen did this, because the FBI would have to hire some 300 million extra employees to keep up with the data coming in, and he felt his act was more symbolic than anything.

But his final point correlates what he was doing to what people do every day and may not even realize. When we post where we are, what we’re doing, who we are with, or check in to locations on social networks like Twitter, Facebook, etc., how is that any different from what he was doing with the FBI willingly? Ultimately, the only difference is that the information isn’t being directly supplied to the FBI. The FBI could, however, get that information easily by contacting Facebook, for example by subpoenaing information if needed.

I admit I do use Facebook (the only social network I use); however, I never was into telling the world where I was, or what I’m doing or who I’m with. Not strictly because I don’t want people to keep tabs on me, but for the most part I don’t think most people care to know “Oh, he’s at Wal Mart with John Doe. Ok?” But you never know who does want to know. Your jealous ex-girlfriend or ex-boyfriend may want to know.

For me, I’ll stick to posting random sarcastic comments, sports posts and miscellaneous comments here and there.


http://www.nytimes.com/2011/10/30/opinion/sunday/giving-the-fbi-what-it-wants.html?_r=1&pagewanted=all