I have been following the Facebook/Cambridge Analytica saga since it broke just over a week ago and my initial feelings were lack of surprise and “oh, here we go again”. But something felt different about this latest exposé, so I decided to delve deeper to see how much Facebook have captured (or at least what they tell me they have captured – how will I ever verify whether they have sent me everything?). This is my story, what I found out and what I’m going to do next….
I requested a copy of my data from Facebook on March 24. It was an easy process once I discovered that I could only do this via the FB website (at the bottom of the General Account Settings page) but NOT via the FB App on my iPad. My data arrived within the hour – all 673 files of it. I then performed an initial browse of the files to see what was there. Initially it looked to be exactly what I expected – loads of photos, a myriad of comments regarding other folks’ FB posts etc. etc. Nothing surprising. Then I started to delve deeper……
The really interesting stuff (in my case) comes in the last few files, so if I had not spent time during the initial analysis making sure I scanned EVERY SINGLE FILE, I wouldn’t have uncovered the juicy stuff!! So, what is the juicy stuff? The majority of the files contain photos in my case as this is typically what I post. The next major category of posts falls into the “commenting on others” posts. This is open to all comers as far as I am concerned so I spent only a short amount of time on this. However, as I mention towards the end of this piece, the photo data does uncover a few nasty surprises 😦
The first file that really grabs my attention is file no. 551 (of 673). This contains my main FB profile data. This reveals my (FB allocated) email address – something I’ve never used, won’t ever use but could be a direct access point for spam and malware for those who do. Next up on my Profile Page is the date I first joined FB (2006) followed by my primary email address, the city where I currently live and my FULL date of birth. Within my account settings I restrict the access of these fields to “Me Only”, yet they are readily available here, unencrypted and completely free for anyone to read. What upsets me the most though is the information regarding my family. There is a list of ALL my family members who are (or have been) on FB. The list also specifies their exact relationship to me. Again this is not information that I have sanctioned for sharing, yet here it is in an unencrypted file. My reaction to this is that I must tell all my family of this breach so that they are also aware. The other disappointing breach on my profile is the disclosure of all the “interests” that I have tagged over the years, the majority of which I don’t remember but would be very useful in understanding my lifestyle, my ethics, my politics, my specific interests and pastimes. Wonderful information for anyone wanting to target me.
The second file I zero in on is no. 666 of 673. It provides a complete list of all my family and friends on FB (past and present) plus the date that they joined. Why FB would keep the joining date (of my family and friends) within MY data is baffling. The underlying file structure within FB would already have the joining dates for each person and the only reason that I can see for also storing them within my data is to make it easier for someone data mining relationships between the various FB users. As part of this file there is a breakdown as follows: current friends, my friend requests still outstanding, friend requests to me that I rejected (all, in my case, because I didn’t know them), friends that I have removed (in my case I regularly clean up all my social media contacts). This final category is the most concerning for me because it includes people who have passed away and therefore it could be very upsetting to the families of those affected if this information were misused.
This is not, unfortunately, the worst breach regarding my family and friends data. File 672 (the penultimate file) provides the worst breach with respect to my story. File 672 includes details of family and friends who are NOT on Facebook. Mysteriously, it also contains details of people I have never heard of!! This is really baffling. I am going to go into this breach more forensically and provide some examples.
1) All (231) of the people listed have their mobile (cell) phone number provided. Some have multiple numbers provided.
2) 15 of these people are completely unknown to me
3) The majority of the people on the list are NOT on Facebook – to the best of my knowledge
4) The list (of 231 people) does not correspond to my current mobile (cell) phone contacts list and (as I have previously stated) I have NEVER provided permission for FB to access my personal contacts list anyway
5) Two of the people on the list have never even used the Internet – one of them is deceased and the other is over 80 years old and wouldn’t know a computer from a commuter!!
6) At least 10% of those I do know (on the list) I have never had in any of my contacts files and until I received this data (from FB) didn’t know their contact details
If this data that I have received is a true reflection of my utilisation of Facebook then how come I don’t recognise some of these people? How trustworthy is any of the data? It leaves me thinking that FB have NOT provided me with everything they have from the time I joined. What is even worse is that this could be a system failure/oversight, meaning that they think they have the right data, but they don’t!! There is a big difference between knowingly providing false evidence and unknowingly providing false evidence.
Before I conclude this first part of my story I want to just briefly touch on a few other rather worrying aspects of the data captured. While I expected my uploaded photos to be stored I didn’t expect the metadata relating to them to be captured. For example, they have captured the exact longitude and latitude coordinates for many of my photos (to 14 decimal places). They have stored the IP address from where the photos were uploaded. They have stored the equipment used to take the photos. What reason could they possibly have for capturing this information? I won’t ever look it up on FB and I’m sure none of my family and friends are interested. This is an obvious data grab for future sales/marketing opportunities for FB.
So, what am I going to do next? Firstly, I am NOT going to leave Facebook, at least not in the short term. This is mainly due to my wanting to finish this analysis and I can only do this by staying on FB.
Here are my next steps…
1) Write to FB and ask them why they have captured information (that I believe has been captured against my express wishes). My contacts data being accessed will be my first question
2) Write to FB and ask them who they have shared my data with (and why) since I joined in 2006
3) Write to FB and ask them NOT to share ANY of my data with ANYONE NOT specified within my FB Privacy settings
4) Continue to request files from FB on a monthly basis, so that I can monitor the data they are storing. I am going to compare successive data files and identify changes and report any strange/unexpected activity via this Blog and other social media forums
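One way to carry out the comparison planned in step 4, as an added example that is not part of the original post: hash every file in two unpacked exports and list what was added, removed or changed. The directory and file names below are constructed for the demonstration and do not reflect Facebook's actual export layout.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(export_dir):
    """Map each file's path (relative to the export root) to its SHA-256 digest."""
    root = Path(export_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_exports(old_dir, new_dir):
    """Return files added, removed and changed between two unpacked exports."""
    old, new = build_manifest(old_dir), build_manifest(new_dir)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed sample: two tiny fake exports standing in for monthly downloads."""
    with tempfile.TemporaryDirectory() as tmp:
        march, april = Path(tmp, "march"), Path(tmp, "april")
        for d in (march, april):
            (d / "html").mkdir(parents=True)
        (march / "html" / "profile.htm").write_text("profile: unchanged")
        (april / "html" / "profile.htm").write_text("profile: unchanged")
        (march / "html" / "friends.htm").write_text("friends: 3")
        (april / "html" / "friends.htm").write_text("friends: 4")
        (march / "html" / "old_event.htm").write_text("event")
        (april / "html" / "contact_info.htm").write_text("contacts: new file")
        return compare_exports(march, april)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A differing hash only shows that a file changed, not what changed inside it, and a renamed file appears as one removal plus one addition, so each flagged file still needs to be opened and read.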
I use FB for one reason only: it is the most appropriate software for staying in touch with my family and friends. It doesn’t mean it’s the best software for staying in touch with my family and friends but it is the most effective from a reach perspective and at this moment in time that is a major factor in my decision to stay.
I have read widely over the past week and listened to many better qualified folks than I with respect to personal and technical risk. I am hoping that my story will help others with less time on their hands (and maybe less inclination) to make their own judgement with respect to using Facebook. I have also analysed my risk with respect to Google and have closed my Google account and deleted my GMail account – as of yesterday. Google’s invasiveness is a whole other level of risk that I am not prepared to endure. There are many excellent accounts of this risk already out there – I have provided references to these via Twitter and Facebook, so you can make your own judgements there too.
In closing, I would like to offer any support I can to help my family and friends make their own decisions (and perform their own analysis if they are interested) in order that we can all come to the best decisions regarding our use of social media.
Stay safe, stay vigilant.
Dateline: Melbourne, Friday March 30 2018