Get your life back from Facebook

You can download all the information Facebook holds on you and it’s sobering to hear that the file is gold dust for scammers

SOCIAL NETWORKING giant Facebook will have the biggest IPO in the history of technology companies but what should really interest its 800 million users is how big a databank of personal information it stores on all of us and how it handles this data now and in the future.

With over 180 complaints concerning data retention and disclosure made to the office of the Data Protection Commissioner, it came as no surprise that a comprehensive assessment was carried out on how Facebook holds up to Irish data protection law.

A report was produced on the back of this in December 2011 with over a dozen recommendations on how the social networking site can improve on its data retention practices. Deputy commissioner Gary Davis said at the time that there was “room for improvement in how Facebook Ireland handles the personal information of users”.

Facebook has committed to making these changes with a review of its progress to take place in July. In the meantime it allows each user to download a file containing all the information it holds on them.

Curious about what kind of information Facebook deems necessary to retain on me I decided to grab my own personal potted history. Within “Account Settings” you click on “Download a Copy” and wait.

About three hours later an email arrived and I had a copy of all my personal Facebook data sitting on my laptop. It contained every status update I’d ever posted, everything my friends had written on my wall or replied to on my timeline, and all my uploaded photos and videos.

So far, this wasn’t very alarming; I knew I had placed these things on Facebook and wasn’t shocked to see them reproduced in an archive. There was also a list of all my friends, events I had RSVP’d to, private messages, and my profile information, with a time stamp telling me when this data had been downloaded.

It was disconcerting to see my first ever Facebook status updates; time may erase memories but what you say on the Internet exists forever. However, how much is this data worth to the highest bidder?

I handed my Facebook file over to online security expert Brian Honan of BH Consulting and asked him to do his worst. Could this data be used for identity theft or fraud?

His answer: “It depends on what you’ve been putting on Facebook. If I was to steal your identity I would need a few key pieces of information: your name, address, date of birth, where you were born and your mother’s maiden name. Most people will have a birthday on their profile but in your case it was relatively difficult because you’ve given Facebook a false date of birth that tells me you’re over a hundred years old.”

This wouldn’t stop a determined identity thief, says Honan. “If this file was handed to me on a USB key I’d take your friends list, draw a map and see who you’re dealing with most of the time. Then I’d try to figure out a way to leverage those relationships.”

Even taking my email address is useful, apparently. Using a method called spoofing, someone could set up an account that sends mail showing the victim’s email address as the sender but with their own as the “reply to” address, and this could trick quite a few unsuspecting recipients into replying to the scammer instead.

Spoofing can be done without the Facebook file but effort is required to make the content of these emails convincing. This is where information from my timeline and profile comes in handy.

“I could search through your wall posts and private messages to see who you talk to most often,” says Honan. “Then I’d email these people with a convincing message appealing for money. If I was to email a group of your friends saying that you were on holiday in London but your wallet had been stolen at a Doctor Who convention and you needed them to wire money so you could get back home, how many would respond?” Hmm, perhaps enough to make it worthwhile for the scammer.
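The mismatch between sender and “reply to” address described above is something a recipient or mail filter can check for. The following is an added example, not part of the original article: the function name, the contact list and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def reply_to_findings(raw_message, known_contacts):
    """Flag Reply-To addresses that divert replies away from the visible sender."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    findings = []
    for reply in reply_addrs:
        if reply == from_addr:
            continue  # replies go back to the visible sender: nothing to flag
        if domain(reply) != domain(from_addr):
            findings.append(("reply-to-other-domain", reply))
        else:
            findings.append(("reply-to-other-mailbox", reply))
        # A friend's address on From with a never-seen Reply-To is the pattern
        # the article describes.
        if from_addr in known_contacts and reply not in known_contacts:
            findings.append(("known-sender-unknown-reply-to", reply))
    return findings


# Constructed sample messages (all addresses are placeholders).
SPOOFED = (
    "From: Alex Friend <alex@example.org>\n"
    "Reply-To: Alex Friend <alex.friend@webmail.example>\n"
    "To: sam@example.net\n"
    "Subject: Stuck in London\n"
    "\n"
    "My wallet was stolen, can you wire some money?\n"
)
GENUINE = (
    "From: Alex Friend <alex@example.org>\n"
    "To: sam@example.net\n"
    "Subject: Photos from the weekend\n"
    "\n"
    "Here they are.\n"
)

if __name__ == "__main__":
    contacts = {"alex@example.org"}
    print(reply_to_findings(SPOOFED, contacts))
    print(reply_to_findings(GENUINE, contacts))
```

Newsletters and mailing lists also set a different “reply to” address, so a finding here is a reason to verify the request through another channel rather than proof of fraud.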

WHAT WORRIED ME most about my Facebook file were the private messages containing quite sensitive information. But these are private so I assumed they were encrypted in some way.

“There’s no such thing as private messaging on the Internet,” says Honan. “This goes for all messaging, including email.”

If they wanted to, Facebook admin staff could read these messages. In fact, this kind of privacy breach has already happened in the case of one Google employee. Engineer David Barksdale was fired for accessing several accounts to unlawfully obtain personal information.

A good rule of thumb when privately messaging someone online is never to place something in there that you wouldn’t feel comfortable saying to your mother or your boss, says Honan. The second kind of information that falls under the Data Protection Act, aside from personal, is sensitive personal information, explains Honan. This involves getting hold of someone’s political and religious affiliations as well as medical or criminal records.

What would be potentially damaging in the wrong hands, says Honan, are references to your health.

“A mention of a cancer scare, or that your doctor put you on a diet, could come back to haunt you if an insurance company were privy to these details.”

This availability of my Facebook data made me take a good long look at what the social networking site has on me. It’s quite a lot but no more sensitive or at risk than what I would store on Gmail or Dropbox. I tell Honan that I feel relatively safe in placing this information online.

“That’s what Facebook wants; you are not the customer, you are the product. The more information you give the more valuable a product you become,” Honan says. “They make money by using your ‘likes’ as a commodity. We advertise on behalf of other companies to our friends.”

Although I’m safe for now I do wonder how valuable my Facebook file will be in the future and how it might be used. After all it’s not really a personal profile; it’s a product description.