Understand the Privacy Risks of Social Media

Wait, didn’t we just cover that? Yes, any data you put online using any social network can potentially become public. I know you know that.

What I’d like to emphasize here is how that could be a problem for you.

As I mentioned early in this book, everyone from Local Villains to Big Data can easily find you on social media. You might be astonished how much private data could be culled from years of Facebook updates and likes, tweets, LinkedIn updates, Instagram pictures, Yelp reviews, YouTube comments, blog posts, and a long list of other social media activities.

It’s easy to discover not only basic facts about you and your family but also where you’ve been, who you hang out with, which causes you support, what your political and religious beliefs might be, and, perhaps most important of all, what sort of person you are. Even if no individual statement tells the story, the combined data from all these sites and services can do something akin to browser fingerprinting (see On a Web Server)—it can often paint a vivid and surprisingly precise picture of you. So…

• If you’re trying to get a job, a prospective employer may use social media to determine whether you’re likely to be trustworthy, polite, punctual, and loyal—and to see how you’ve behaved in other jobs.

• If you’re applying to a college or university, admissions officers may use online profiles to judge your seriousness and confirm any personal details you’ve submitted.

• If you’re dating, someone thinking about starting a relationship with you could also learn a lot about your tastes, biases, character, and history with previous partners.

• If you’re ever suspected of a crime, the police or prosecutor could scour social media for evidence of bad behavior—or a defense attorney could try to demonstrate a pattern of selflessness.

• If you ever get involved in politics (national, local, academic, or any other kind) or run for political office, anything you’ve ever said online can and will be used against you by your opponents. (Whether that proves effective or not is another question.)

And those sorts of concerns merely involve the historical record. Day-to-day social media posts can also cause privacy problems:

• You mention on Twitter that you’re going on vacation (or just going to a concert), and burglars break into your house.

• You post geotagged pictures on Flickr that show your location and the time you took them—today, just after you called in sick to work.

• Your Facebook relationship status says “It’s complicated,” but your romantic interest didn’t think so.

You get the idea, I’m sure. The stakes when it comes to social media are much higher than you may imagine. Your social media history can win you—or cost you—a job, love, or even your freedom.

Learn About the Facebook Problem

But it’s not just the things you post that could cause you grief. There’s an even bigger underlying issue.

Folks, we need to have a little talk about Facebook. Yes, there are other huge companies (including other social media companies) that collect an obscene amount of personal data. But Facebook—which, by the way, also owns Instagram and WhatsApp—stands out as an extreme example, not only in the volume of information it absorbs but also in its repeated and blatant disregard for privacy, transparency, and accountability.

In case you’re unaware of the extent and nature of Facebook’s issues, let me give you just a tiny sampling:

• In 2018 it was revealed that Facebook’s Onavo VPN service enabled the company to spy on nearly all the internet data of its users, many of whom were teens—some of them actually paid in gift cards in exchange for letting Facebook watch all their online data. Under public pressure, Facebook eventually shut down Onavo. Even then, the company initially said that less than 5% of Onavo users had been teens, but was later forced to admit that the number was 18%.

• Shortly thereafter, Facebook was at the center of the Cambridge Analytica data scandal, in which an outside data broker was permitted to gather private data from tens of millions of Facebook users without their knowledge or permission—and use it for political purposes.

• Facebook was also shown to be a major platform for Russian and Iranian trolls attempting to use propaganda influence the 2016 U.S. election. Facebook was also used to spread propaganda that contributed to the possible genocide in Myanmar.

• Researchers discovered that when you set up Facebook’s two-factor authentication (see the sidebar About Two-Factor Authentication, earlier) to send login codes to a mobile phone number, that phone number can also be targeted by advertisers; in early 2019, it was revealed that phone numbers used for two-factor authentication are also fully searchable, presenting a significant privacy risk and even physical danger to some Facebook users. Facebook is also using other aspects of your contact information in ways that are not disclosed to users—and that you can’t opt out of.

• Facebook has asked some users for their email passwords in order to create an account—something Facebook should never need. Facebook says they ended the practice in early 2019, but only after it was publicly disclosed by a security researcher.

• A security breach reported in October 2018 revealed information such as phone numbers and email addresses for nearly 30 million Facebook users, as well as more personal information (such as relationship status, religion, and a partial search history) for nearly half of them.

• Then, a Facebook software bug reportedly exposed as many as 6.8 million users’ private photos to app developers.

• More recently, a variety of third-party mobile apps were found to be covertly sending personal data to Facebook. And when I say “personal,” I mean things like users’ heart rate info, menstruation data, and the addresses of real estate listings the users were looking at.

Facts like these (and many, many more) have led respected journalists and pundits to say some pretty strong things. Walt Mossberg says Facebook CEO Mark Zuckerberg has never cared about privacy. John Gruber goes further, repeatedly referring to Facebook as a criminal enterprise. Rene Ritchie at iMore thinks you should Delete your Facebook. And even Roger McNamee, an early Facebook investor and mentor of Zuckerberg, wrote a book called Zucked that’s devoted to “stopping Facebook from destroying our democracy.”

In a March 2019 post, Zuckerberg claimed he’s going to take Facebook in a new, privacy-centered direction. But, candidly, no one believes him, because Facebook’s entire business model is built on the very opposite of privacy. Indeed, if you read that post carefully, you’ll see that Zuckerberg never says Facebook is going to stop collecting personal data and using it to show you ads, only that Facebook will develop more and better ways of exchanging encrypted messages. Big. Deal.

Facebook has shown itself over and over again to be untrustworthy, even regarding the most basic aspects of data security—in early 2019 researcher Brain Krebs revealed Facebook had been storing hundreds of millions of user passwords in plain text, available to thousands of employees, for the better part of a decade. It’s clear that revenue is not only more important to Facebook than privacy, it’s the only important thing.

As the examples above show, it’s not enough to lock down Facebook’s privacy settings (though you should certainly do that anyway; every little bit helps). Reducing your number of Facebook friends or the frequency of your posts won’t solve the problem either. As long as you have Facebook and Instagram accounts, you should assume that the company is slurping up every last bit of personal data it can—and sharing it with anyone and everyone.

I’ve heard lots of people say, “But I can’t quit Facebook! That’s the only way I have to keep in touch with all my old friends!” Is it really? Really? And even if it is, is it worth giving up all your online privacy? I can’t answer that question for you, but it’s my obligation to lay out the facts so that you can make a decision with both eyes open.

Realistically, I imagine most of you are going to keep using Facebook, and that will be my assumption for the remainder of this chapter. But please at least give some thought to exploring alternatives to Facebook in the future.

Check Your Privacy Settings

Every social media site and service has a privacy policy (see What About Privacy Policies?). You should read it, if only to be aware of how much data you’re inevitably giving away.

Beyond that, examine each account’s privacy settings. Some services offer very little privacy control—for example, your only real options for Twitter are to protect your tweets (meaning you must approve each follower, and those followers can’t retweet you—not a terribly engaging way to use the service, if you ask me) and to hide your location. Facebook has changed its privacy settings repeatedly. It currently offers at least the appearance of control (Figure 17), letting you limit who can see various categories of information (for example, everyone, only friends, or friends of friends)—but even limiting sharing to your friends is no guarantee that one of those friends won’t share it, or that a programming error or misbehaving app might not reveal it (as discussed above).

In other words, do pay attention to the settings and configure them as best you can, but don’t count on them. They aren’t foolproof.

Here are direct links to access the privacy settings for a few popular social networks:

• Facebook

• Instagram

• LinkedIn

• MySpace

• Pinterest

• Twitter

Use Other Social Media Precautions

Apart from the obvious advice not to post anything on social networks that you’d mind being public, allow me to offer a few privacy tips:

• Limit your friend lists. Most people assume the more Facebook friends you have, the better. But if your list includes people you know only a little or not at all, you can’t think of them as friends—you can’t trust them to take care of your private data. Everyone has their own rules, but I wouldn’t want anyone to be a Facebook friend who I wouldn’t invite into my home for coffee.

  The situation is different with Facebook followers, Twitter followers, and other one-way relationships. You may think of these as being more private because you’re not required to friend or follow the other person, but that doesn’t stop them from reading everything you post about yourself. If you can’t control who sees your photos, videos, or updates, censor yourself accordingly.

• Be careful about what you “like,” “favorite,” and so on. When you “like” a post, page, brand, movie, musician, political candidate, or even a generic category on Facebook, that information is added to your profile—Facebook uses that data to help determine what you’re likely to be interested in and therefore what ads to show you. There’s a lot of data like that, and you won’t even find it in your privacy preferences—go to the Access Your Information page, and then click on each category and subcategory, but especially those under Ads. You might be surprised at who and what Facebook thinks you like.

  Although I call out Facebook here as the prime example, you should be similarly careful about favorites and retweets on Twitter, and comparable actions on other social media services.

• Don’t assume “private” messages really are. You can send messages on Facebook that function much like email messages, or have a live chat. You can send direct messages to another user on Twitter that don’t appear in your public timeline. And many other social networking sites also offer direct, seemingly private modes of communication with other members. But these messages aren’t sacrosanct. Site administrators may be able to read them, and can almost certainly provide them to anyone who showed up with a court order. And there have been cases where, due to a programming error or other security breach, the contents of such discussions have leaked out.

• Don’t assume “secret” services really are. Lots of services claim to let you share thoughts and feelings with other people anonymously using mobile apps such as Whisper. Unfortunately, as the Wall Street Journal’s Geoffrey A. Fowler pointed out in Psst, Secrets You Share Online Aren’t Always Safe, such apps can store and transmit enough information about you to give away your identity (and are subject to hacking and bugs, just like everything else).

• Limit apps. On Facebook and other sites that let you install apps, just say no. Although each app is different, some of them can read everything you write and spread your data around in ways you might dislike.

• Use HTTPS. On sites that support it, use HTTPS to log in to prevent eavesdropping (see Browse Securely).

• Use good passwords. As I said in Choosing Better Passwords and Protect Passwords and Credit Card Info, be sure to use long, random passwords that can’t be guessed by human or machine. And, if a site offers two-factor authentication, consider enabling it (see the sidebar About Two-Factor Authentication, earlier). That will greatly reduce the chance of your account being hacked. Be sure to keep those excellent passwords safe—don’t share them, and log out of your user account before letting someone else use your computer.

• Think carefully about pseudonyms. You may use an alias rather than your real name on Twitter, Tumblr, or other sites. Although pseudonyms like this can protect your privacy, they’re not impenetrable—so again, don’t stake anything critical on them. Furthermore, sometimes pseudonymity can work against you, as I describe in the sidebar When Privacy Hurts, ahead.