Security and Privacy Awareness in the Age of Facebook

April 27, 2018 by Susan Morrow

Introduction

The recent events that highlighted the privacy violations of Facebook and Cambridge Analytica will go down in history, and not in a good way. The basic problem boils down to Facebook allowing their data-mining partner, Cambridge Analytica, to use the data of around 87 million individuals without the users’ express consent. After the scandal, there was a lot of hand-wringing from the privacy community and advertisers alike. The privacy and security community (myself included) shouted out a big “I told you so” and advertisers like Mozilla and Commerzbank put their Facebook marketing accounts on hold. Others threatened to do the same, although we will have to wait and watch to see if that actually happens.

This is not the first time that Facebook has faced the privacy music. Back in 2013, law student Max Schrems filed a complaint about the privacy of data transfers between the EU and U.S. as a response to the Snowden surveillance revelations. Max also created the privacy advocacy organization “Europe vs. Facebook.” Schrems used the group as a way to force Facebook to comply with existing EU laws on data privacy. In doing so, he revealed a number of privacy violations, including: the creation of “shadow profiles” by which Facebook collected data of non-Facebook users via “friend-find” features; retention of previously deleted messages, etc. Max Schrems has been successful to an extent at reining in Facebook, such as overturning the Safe-Harbor deal, but the case is ongoing.

Though it seems that Facebook is no newbie to privacy violations, this latest privacy hash-up has taken the whole issue of data privacy and respect for personal data to new heights (or lows). Out of the social media giant’s privacy violation exposé, two schools of thought have popped up from the ashes of trust: "Delete your account" or "Who cares anyway?" Which school of thought is right? And how does this affect both individuals and companies that depend on Facebook for marketing and customer contact points?

The “Who Cares Anyway” Camp

The question comes down to “Why even care about privacy?” Many people feel that our personal data is at large anyway after massive security breaches at organizations like Equifax and Uber. And statistics such as the fact that there have been 9.7 billion exposed data records since 2013 don’t make the argument for “who cares” any clearer.

But privacy isn’t just about your name and address being revealed to a hacker on the Dark Web. Privacy is so much more than that, and it starts with a choice. When we decide to share our thoughts, views, feelings, and personal information online, we should be able to do so in a manner that gives us control. Sharing something with one individual should not mean that we automatically share it with an extended ecosystem of third-level and beyond contacts. Well, unless we choose to do so.

Privacy is also about data aggregation and using that to create user profiles, deciding for us what we should and shouldn't like. In fact, pulling in data from disparate sources will become more prevalent as we move more towards smart cities and data aggregation will be used to power services such as smart grids, smart transport, and smart homes. Aggregated datasets can be more valuable than your name and address. Sure, some of your personal data may already be on the Dark Web, but that should not preclude putting privacy first when designing products. If you are not given the option to share data in a climate of choice and consent, it leads to disaffection with the system. Research by The Associated Press-NORC Center for Public Affairs (APNORC) found that 60% of Internet users were concerned that companies did not protect their personal data. The same study found that 70% of social media users were worried about privacy violations by hackers and 50% were troubled by advertisers’ misuse of their data.

Many businesses, both small and large, have invested in marketing campaigns and customer touchpoints on the Facebook platform. The rise of Facebook has created a central silo of ready-made customers and Facebook has capitalized on this, allowing companies to create targeted marketing campaigns based on user profiles. In 2017, Facebook managed 1.7 billion users daily and companies have been able to tap into this source by creating marketing campaigns that target specific demographics. Facebook’s success is the success of the marketers who utilize this resource. If users start to move away from Facebook, or take the platform less seriously, logging in less often, for example, then this negatively impacts companies using the platform, so privacy is important not just for the individual, but for companies, too. Ultimately, privacy is about respect for your customer, which is returned as brand loyalty.

The “Delete Your Account” Camp

Full disclosure, I have to admit to being in the #DeleteFacebook camp, although I deleted my account a long time before the privacy debacle and for reasons that were above and beyond the privacy factor.

Facebook’s share price dropped by 14% after the privacy scandal broke. This was due to a number of reasons but it included the #DeleteFacebook campaign run from Twitter and highlighted by high-profile “deleters” like Elon Musk. Many Facebook users felt compelled to protest against the feeling of being used and abused by Facebook. This feeling of disengagement by Facebook users was captured in polls from the U.S. and Germany, which showed that less than 50% of U.S. citizens believe that Facebook respects U.S. privacy laws. In marketing, it has always been accepted that customers can have a direct impact on a market and modify that market through customer preferences. Word of mouth is the ultimate tool in the marketer’s toolkit, and anything that impacts that negatively will have repercussions on a company from market reach to share price. Deletion of Facebook accounts will ultimately be costly to any business that has made use of the prolific uptake of Facebook across the planet.

Can We Have Our Online Privacy and Eat It Too?

Facebook and other online companies have to face the fact that privacy matters. In the APNORC study mentioned earlier, it was found that data security and privacy are issues that people care about very much. In fact, most Americans want to see that their online data is respected and secured, with 63% of respondents stating that companies such as Google and Facebook should not sell users’ personal data to third parties. However, these same respondents said that they thought this may come at a price. I, for one, do not want to see a two-tier system of privacy. Privacy should be available for all people, no matter what their social demographic is. Privacy is valuable, but it is of value to everyone. If a company disrespects an individual's privacy and security needs, then the consumer can and will disengage. We need to build our products based on the principles of privacy by design and default and create ecosystems based on mutual trust and respect. Then we will all reap the rewards and only the hackers will suffer.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.