Have you ever been surprised how quickly social networks can show you an advert relating to something you have just googled? Right from its early social origins, Facebook has been the master of data collection. Personal details, photos, likes, locations, and recent updates that include your emotional state are collected by the social media giant. But the data you give consensually online is only the tip of the iceberg.
Most “free to use” services, such as Google, Facebook and Twitter, make their income from advertising revenue. Each time you interact with an advert on their websites they make money. Advertisers will pay more for a click than they do for a view so targeting is used to make it more likely that you’ll be interested in the advert they show you. But how do they know what to target you with?
The extent of Facebook’s tracking attempts may come as a surprise. Not only is Facebook recording what you do while logged in, it also tracks site users who do not have an account. Data broker Acxiom recently revealed that it has approximately 3,000 pieces of data on every consumer in the US. Facebook, like many other companies, uses a combination of technologies including cookies, iFrames, and tracking pixels, to collect data. Even if you’re not logged in, one of the combination of “fingerprinting” methods it uses can identify you through its “like” and “share” buttons on other websites. If you would like just a small glimpse of what Facebook knows about you, try downloading your Facebook data (look under Facebook Settings).
Not only could this be seen as a breach of privacy, it can also leave you susceptible to malicious threats online. Take MySpace – once one of the biggest social networks in the world before going out of fashion. When it was hacked in 2013, over 360 million user emails and passwords were exposed. How many of those people used unique passwords for every one of their online accounts? Probably very few. As a result of poor security from both individuals and MySpace, cyber criminals could work through the list of leaked credentials, gathering information from people’s accounts that was used for identity theft, financial fraud and blackmail.
Possibly even more disconcerting is the idea of being doxed and shamed online. This is the online practice of researching and broadcasting personal information and opinions about someone, typically on a massive scale. For example, the cyber security expert who found a kill-switch which alleviated the recent massive WannaCry ransomware attack was anonymous online, or so they thought. Journalists from the Daily Mail and other tabloids published extensive personal information on them including their age, name, home-address, friends, even speculative information about how they live their life; putting them at the mercy of the organised criminals that had launched the attack that he managed to stop.
Granted, this isn’t a situation everyone may find themselves in however that’s exactly what Justine Sacco thought. In 2013, the public relations expert tweeted observations to her 170 Twitter followers as she made her way to a flight from New York to South Africa. Included in these tweets was a distasteful joke intended to mock American ignorance of Africa. By the time she stepped off the plane eleven hours later her personal details had been published online and used to pick apart her life and shame her. People had even gone to the airport to live tweet her arrival in South Africa as she found out she had been on the receiving end of an anti-bigotry lynch mob and fired from her job.
Large organisations have the same problem. As a cyber security consultant, it is my job to help them identify what they need to protect and how they are going to do it. Most use risk management frameworks built specifically for them. In this series, we intend to simplify those techniques and apply them to individuals leading a normal – non-techy – life.
If you spend any time at all online you will probably have seen suggestions on how to protect yourself, published after each cyber-attack makes the news. It is difficult to know how much protection is enough. There are so many things that need protected it can be daunting to figure out. Over the coming weeks I’ll be helping you to decide what data is important to you, what level of security you need and how to go about protecting yourself.
Daniel B Brown is cyber security consultant at FarrPoint.