Facebook Knows A Whole Lot About Your Offline Life
Facebook has long let users see all sorts of things the site knows about them, like whether they enjoy soccer, have recently moved, or if they like Kim Kardashian.
But the tech giant gives users little indication that it buys far more sensitive data about them, including their income, the types of restaurants they frequent and even how many credit cards are in their wallets.
Since September, ProPublica has been encouraging Facebook users to share the categories of interest that the site has assigned to them. Users showed us everything from “Pretending to Text in Awkward Situations” to “Breastfeeding in Public.” In total, we collected more than 52,000 unique attributes that Facebook has used to classify users.
Facebook’s site says it gets information about its users “from a few different sources.”
What the page doesn’t say is that those sources include detailed dossiers obtained from commercial data brokers about users’ offline lives. Nor does Facebook show users any of the often remarkably detailed information it gets from those brokers.
“They are not being honest,” said Jeffrey Chester, executive director of the Center for Digital Democracy.
“Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well.”
When asked this week about the lack of disclosure, Facebook responded that it doesn’t tell users about the third-party data because it’s widely available and was not collected by Facebook.
“Our approach to controls for third-party categories is somewhat different than our approach for Facebook-specific categories,” said Steve Satterfield, a Facebook manager of privacy and public policy. “This is because the data providers we work with generally make their categories available across many different ad platforms, not just on Facebook.”
Satterfield said users who don’t want that information to be available to Facebook should contact the data brokers directly. He said users can visit a page in Facebook’s help center, which provides links to the opt-outs for six data brokers that sell personal data to Facebook.
Limiting commercial data brokers’ distribution of your personal information is no simple matter. For instance, opting out of Oracle’s Datalogix, which provides about 350 types of data to Facebook according to our analysis, requires “sending a written request, along with a copy of government-issued identification” in postal mail to Oracle’s chief privacy officer.
Users can ask data brokers to show them the information stored about them. But that can also be complicated. One Facebook broker, Acxiom, requires people to send the last four digits of their Social Security number to obtain their data. Facebook changes its providers from time to time, so members would have to regularly visit the help center page to protect their privacy.
One of us actually tried to do what Facebook suggests. While writing a book about privacy in 2013, reporter Julia Angwin tried to opt out from as many data brokers as she could.
Of the 92 brokers she identified that accepted opt-outs, 65 of them required her to submit a form of identification such as a driver’s license. In the end, she could not remove her data from the majority of providers.
ProPublica’s experiment to gather Facebook’s ad categories from readers was part of our Black Box series, which explores the power of algorithms in our lives. Facebook uses algorithms not only to determine the news and advertisements that it displays to users, but also to categorize its users in tens of thousands of micro-targetable groups.
Our crowd-sourced data showed us that Facebook’s categories range from innocuous groupings of people who like southern food to sensitive categories such as “Ethnic Affinity,” which categorizes people based on their affinity for African-Americans, Hispanics and other ethnic groups. Advertisers can target ads toward a group – or exclude ads from being shown to a particular group.
Last month, after ProPublica bought a Facebook ad in its housing categories that excluded African-Americans, Hispanics and Asian-Americans, the company said it would build an automated system to help it spot ads that illegally discriminate.
Facebook has been working with data brokers since 2012, when it signed a deal with Datalogix. This prompted Chester, the privacy advocate at the Center for Digital Democracy, to file a complaint with the Federal Trade Commission alleging that Facebook had violated a consent decree with the agency on privacy issues.
The FTC has never publicly responded to that complaint and Facebook subsequently signed deals with five other data brokers.
To find out exactly what type of data Facebook buys from brokers, we downloaded a list of 29,000 categories that the site provides to ad buyers. Nearly 600 of the categories were described as being provided by third-party data brokers. (Most categories were described as being generated by clicking pages or ads on Facebook.)
The categories from commercial data brokers were largely financial, such as “total liquid investible assets $1-$24,999,” “People in households that have an estimated household income of between $100K and $125K,” or even “Individuals that are frequent transactor at lower cost department or dollar stores.”
We compared the data broker categories with the crowd-sourced list of what Facebook tells users about themselves. We found none of the data broker information among any of the tens of thousands of “interests” that Facebook showed users.
Our tool also allowed users to react to the categories they were placed in as being “wrong,” “creepy” or “spot on.” The category that received the most votes for “wrong” was “Farmville slots.” The category that got the most votes for “creepy” was “Away from family.” And the category that was rated most “spot on” was “NPR.”
The World’s Best Security Engineers Are Working On Flappy Bird
Fewer people want to engage in a modern “spy vs. spy.”
Eugene Kaspersky explains hacking like it’s a bank robbery:
“Imagine you visit your bank and there are a thousand people crowding the office,” Kaspersky tells Inverse.
“There are so many of them, you simply can’t get inside. They’re just messing around asking irrelevant questions, shouting, and acting silly. Most workers at the bank won’t be able to serve you or anyone else that day. That’s a DDoS attack.”
“Later that night, someone unarms the alarms, breaks into the bank, cracks the vault, and steals all the money. That’s hacking.”
The bank in his metaphor is a server, and hackers in 2016 have had a banner year screwing with them. In October, a chunk of code known as Mirai hijacked thousands of internet-connected devices to launch a record-size DDoS attack.
Together, they spewed access requests at a DNS server – a switchboard for the internet, basically – and brought down some of the biggest sites on the internet: Twitter, Reddit, and Spotify among them. Again, merely an annoyance.
The more sophisticated attack on a server is when hackers – either lone wolves, loose collectives, or state-sponsored snoops – retrieve information from a server and release it to the public to influence public opinion and even sway elections. This scenario should be familiar to everybody by now.
The problem is, there just aren’t enough people smart enough to guard the vaults. Kaspersky would know. He’s a big deal in the world of cybersecurity.
As the founder and CEO of cybersecurity giant Kaspersky Lab, he’s often in the news for spotting security flaws for his clients. He also can’t find enough people to work for him.
There are more than 1 million unfilled security jobs worldwide, a number that could grow to 1.5 million by the end of the decade, according to a report from technology conglomerate Cisco Systems.
Would a healthier cybersecurity industry have stopped the year’s biggest hacks – Wikileaks and DDoS attacks – from being pulled off?
“Protecting against these two threats requires different skills and different technologies, including the software and hardware needed,” Kaspersky tells Inverse. “To some extent, there’s an overlap of skills simply because IT security people get to learn about both threats.”
But DDoS attacks are ham-fisted and blunt. They don’t do much damage and often don’t keep a website down for long. What’s more dangerous are targeted attacks carried out to destroy machinery or collect information. And there aren’t enough security experts to stop those, either.
Perhaps the most famous example is the so-called “zero day” virus named Stuxnet.
Although the United States government still won’t even address it, the destruction of uranium enrichment machinery in Iran in 2009 – the kind that could provide ingredients for a nuclear bomb – is widely seen as an American ploy. The machinery was destroyed after malware infected the program that regulated centrifuges.
It was brilliant, but it spread beyond its target of the Iran nuclear facility.
Eric Chien, an engineer at California-based security company Symantec, helped track how the weaponized code used in Iran known as “Stuxnet” worked. (Kaspersky Lab also analyzed the virus over the course of about two years.)
At a panel after a screening of Zero Days, a documentary about the attack, Chien lamented that the next wave of computer science graduates might be more interested in making freemium apps rather than uncovering international intrigue.
“We see a lot of people getting into things like mobile or social, and people are creating Flappy Bird and people are making millions of dollars,” Chien said.
“But what we both really love about this job and why we’re super-passionate about this, is it’s unique in some sense. While we have competitors in our business – also creating security products – when we go in the office, we’re not thinking about, ‘Oh, how do we make another dollar? How do we beat our competitor?’
We go into the office thinking about how we are going to defeat these adversaries. How are we going to defeat these actors? And those actors are constantly changing.”
Bruce Schneier, a cyber security expert and author, gets it. “Young engineers might not see security as sexy,” he says. “Which is weird to me, because I think it’s the coolest ever. It’s spy versus spy.”
At a hacking competition at New York University this year, one could find a lot of students who would agree with that sentiment.
One of the annual competitive formats during NYU’s Cyber Security Awareness Week is known as “Capture the Flag,” or CTF, and it attracts the kinds of students who could help fill the computer security talent gap.
This year, students from all over the world competed in a 36-hour marathon, scrolling through endless lines of code to crack security challenges.
“The skills you learn in a CTF are exactly the type of outside-the-box thinking that is required,” says David Kohlbrenner, a Ph.D. student in security and systems at UC San Diego.
He got involved in cybersecurity “purely through CTF,” and is an original member of the Plaid Parliament of Pwning, a dominant CTF team from Carnegie Mellon that won this year’s competition.
“What the companies need are people who can solve a variety of different challenges and can approach them from different angles,” Kohlbrenner tells Inverse.
Kohlbrenner says the Mirai botnet responsible for October’s massive DDoS attack was “honestly trivial to set up,” and a continued dearth of security engineers (and, Schneier argues, a market failure to make the Internet of Things decently secure) could keep it that way in the future.
It’s clear companies need more manpower, whether that’s to ward off DDoS attacks or server hacks. But when it comes to recruiting, Schneier says new technology companies have the upper hand in attracting talented young programmers.
“You don’t want to work for Procter & Gamble,” he says.
“You want to work for Google, or you wanna go work for Facebook, or the next high tech startup,” Schneier says.
“But Procter & Gamble, turns out, needs maybe a couple dozen cybersecurity people.”
Nick Winter, the co-founder of a gamified coding community called CodeCombat, agrees. “No one is thinking, hmm, I’m gonna get a job at an insurance company. Doesn’t matter if they have all these interesting technological problems to solve and tons of important data to protect. They’re at a huge disadvantage there compared to any start-up in San Francisco or even, like, a tech-focused, big tech company like Cisco.”
Schneier’s and Winter’s examples are both reminders that it isn’t just tech companies – from router manufacturers to dating apps – that have a lot to lose when security engineers are in short supply.
“All companies become software companies,” Winter says. “And all data becomes more important and mission critical.”
Half of the 4,000 companies in a recent survey by Kaspersky Lab cited cybersecurity as a concern.
“The findings show a general shortage in full-time security staff and expert talent availability, which calls for the need for more specialists in the field,” reads a press release about the survey results.
It’s up to universities like NYU to prepare students for an ever-changing field, Kaspersky says. Server attacks in the future shouldn’t feel like bank robberies that change elections.
“The job market is changing too fast for the education system,” Kaspersky says.
“Universities are fairly conservative institutions, plus, of course, it takes considerable time to educate people.
We see that there’s a growing number of IT security programs, and more and more people are getting interested in the field, but the job market is expanding faster.”
His advice for young programmers? Learn how to prevent attacks.
“There are many skills that are in deficit that require very focused technical training,” Kaspersky says.
“Intrusion detection, development of secure software, digital forensics. All these skills are in high demand, but there are not many folks who have them.”
From: Digg / Inverse