What to make of Facebook’s ‘data breach’: Local experts weigh in

April 2, 2018 GMT

According to Facebook, I’m interested in ads related to sushi, Sutter County and Dan Rather – all of which make sense.

It also has ads targeted for me relating to the band R.E.M., the 2010 U.S. Census, and the Republican People’s Party of Turkey ... all of which don’t make sense (sorry, Michael Stipe). Among ad topics, it shows a list of advertisers with my contact information, most of whom I never gave permission.

In light of the knowledge that 50 million Facebook users’ information had been accessed by a data firm for targeted advertisements with political implications, I downloaded a copy of my Facebook data. After about 10 minutes, I received a copy and could see all of my information Facebook had stored.

Most of it didn’t come as a surprise. I’m aware of the expression that once something is online, it’s there forever. Sure enough, Facebook had kept all my messages, photos and other interactions since I joined the social media platform in 2011.

It also kept phone numbers for every contact I’ve stored in a cellphone I’ve had associated with Facebook, even if I’ve changed phones and even if I’ve deleted the contact from my phone. Facebook also has records of when I became friends with people, when I’ve declined friend requests, and when I deleted certain people from my friends list.

But perhaps the most puzzling thing is under the “ads topics” tab, once I downloaded my Facebook data (which can be done by visiting the general tab of settings). Some of the ad information Facebook has listed is probably from pages I’ve “liked,” such as the Green Bay Packers or a senior dog sanctuary. But it’s unclear how many other topics for targeted ads were collected, like alligators or a French electronic musical duo I’ve never heard of.

The downloaded copy shows recent history of your ad interactions, like when you clicked on an article or advertisement ... and then there’s a list of advertisers who have your contact information.

So what does it all mean for users who signed up for the free platform and agreed to its terms and conditions (probably without reading them)?

According to wire reports, users’ data was harvested by Cambridge Analytica, which paid for the personal information through an outside researcher who claimed to be collecting it for academic purposes. Instead, the “breach” allowed the company to exploit the private social media activity of millions of users to profile voters for the Trump campaign in 2016.

But Facebook says calling it a data breach is incorrect.

“People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” Facebook wrote on its site. But the platform still suspended Strategic Communication Laboratories and Cambridge Analytica, and took out full-page ads in newspapers in the U.S. and the U.K. issuing an apology.

Though Cambridge Analytica gained access to the information legitimately, Facebook learned it did not abide by the platform’s rules by passing it on to a third party. When Facebook learned that in 2015, it demanded certifications that the data had been destroyed, it wrote in a statement, though it is now investigating claims that not all data was deleted.

Joe Wang, an assistant professor of electrical and computer engineering at Chico State, said the data mining incident matters because it means data firms stole users’ information without consent.

“We should care about our privacy and the level of trustworthiness of those social media platforms,” Wang said. “As users, it’s our responsibility to control the information on Facebook.”

Worrisome Activity

He said it’s also worrisome that Facebook has been tracking online actions outside of the platform. According to media reports, Facebook saved extensive data from personal phone calls and texts made by Android users.

“From a technical perspective, in my opinion, the platform should be designed in such a way that users can have the clear idea of what he or she is connecting with,” Wang said.

Gary Bradford, a Yuba County supervisor who also works in cybersecurity, said the data mining is different from a traditional data breach, as has been reported by banks and businesses.

“Facebook wasn’t compromised by a third party that essentially broke in,” Bradford said Tuesday. “Facebook essentially allowed access through Facebook apps to people’s profile information... Individuals granted that access, though certainly maybe not understanding what they were agreeing to.”

The idea of targeted ads isn’t necessarily nefarious – Bradford said targeted ads are legitimate for businesses to be successful, such as when ads target those in a geographical area for elections.

But Bradford cautioned users to be more aware of what apps they grant access to through Facebook.

“When services allow it for critical accounts (like email or financial institutions), you should enable two-factor authentication,” Bradford said. “It’s not fool-proof but what it does is if someone gets a hold of your email and password, they need your phone, too. It’s an added layer of protection.”

Paul LaValley, chief information officer for Yuba County, agreed about organizations having a regulatory responsibility to protect information. He said as a matter of convenience, many users sign in to other apps or websites using their Facebook log-in.

“One thing you have to really think about when you do that, the implications of what other information you’ve given Facebook and users to see,” LaValley said Tuesday. “You think it’s a short-term trading some personal data for convenience or other things, but you need to think about the longer term.”

Tips on how to protect your data:

Joe Wang, Gary Bradford and Paul LaValley shared some tips for users to consider for being more secure online:

– Use different passwords for different accounts, especially with financial institutions and other sensitive accounts.

– Spend time going through your Facebook, or other social media platforms, to review your privacy settings and the platform’s policies.

– When installing an app on your phone, read over the brief description and see what the app wants to access; it will usually notify you if it needs access to your camera, mic, or contacts.

– Enable two-factor authentication when possible (for example: in addition to a password and username, another piece of information would be needed, such as a code, that would be sent via cellphone).

– Remove access for apps and services you haven’t used in months.