Who's getting your data (and what are they doing with it)?
Last week we looked at the foundation for what data Facebook collects on it's users and how it provides anonymity while still being able to identify a person on an individual level. But what does Facebook actually do with all of that data that it collects? That's what we're looking at today. Now before we get started, it's important to know that this is a very simple view of what Facebook and it's partners do with that data. The reality is much more complex and explaining all of the intricate details would take far longer than you would want to read and far longer than I would want to write! That said, lets dig in.
is was Cambridge Analytica?
Why was? Because as you may or may not have heard, Cambridge Analytica was shut down by it's founders just over a week ago. However there are many other companies out there that are very similar. Cambridge Analytica was a political consulting firm that primarily dealt with data analytics pertaining to politics. The reason they are in the news is because they have been accused of using Facebook profiles that were obtained from Facebook for influencing voters of the 2016 presidential election. Whether or not the influence was real is the subject of debate however the real subject we're going to focus on here is how they obtained that data from Facebook in the first place.
Signing in with Facebook
You've probably seen it before somewhere on the internet. There is a website or an app that requires you to create an account to access it. Or, you can just sign in with your Facebook account and bypass that account creation process. Sounds great right? After all, one less login, one less password one less place that could get breached and expose your email address and password to evildoers. Unfortunately it's not that simple. In many cases signing in with your Facebook account to a website, app or service links your Facebook account to that site/account/service. This then grants permissions for that third party company (TPC) to look at things on your account and, consequently, all of that data that Facebook collects about you. Sometimes these TPCs show you an informative popup or warning about what is collected and how it is used, sometimes it's buried in a Terms of Service agreement that few ever bother to read and still others make no mention of this collection at all.
As it pertains to Cambridge Analytica, the story is that the company created an app that allowed users to sign in with their Facebook account. This app then mined an enormous amount of data about that person and was then used to push targeted political ads on Facebook to those same users. This was done without making explicit mention of it to those users who were completely unaware that this was happening.There has been a large public outcry about these practices against Cambridge Analytica who claim all of their practices were legal and standard practice in the industry. While legality is often a very technical field the more important of the two terms to note is standard practice. As in: Everybody is doing this. There are currently thousands of website, apps and services that perform similar tactics as to what Cambridge Analytica has done. Not all of them are looking to influence people to vote for one candidate over another but all of them are trying to glean information about you to sell a product or achieve a desired result in some way.
"Sharing" vs "Selling"
Over the years Facebook has adamantly maintained that they do not sell data on it's users. While it is true that a company cannot go and purchase only the data related to your unique user ID (remember that long garbled number from part 1?), Facebook does provide data and information about groups of people who have matching data. For example, if you are 35 and interested in pottery making, Facebook will not sell your unique ID to a company to sell you pottery ads. Facebook will however sell ads to a pottery company with special targeting to anyone who is 30-40 years old and who, according to Facebook's calculations, has an interest in pottery. In this manner, Facebook is not directly selling your data to another TPC, it is however providing that company with tools to target your profile based on the data that Facebook knows about you.
Publicly available info
Finally, the last and most obvious way for a TPC to gain information on you is to look at your actual profile. To actually go to the profile for Jane Smith and read and catalog every piece of information that was publicly published. This method tends to be the one that seems obvious but is also highly mis-understood. The common train of thought for many folks is that the data they put on Facebook to share with their friends and family: pictures, comments, videos and more is still somewhat private. Unfortunately that is not the case unless it is specifically set to be private only. As a result, not only can Joe Schmoe see what you've posted, but so can any TPC who happens to scan your profile. This is important to remember as there has been recent outcry against some companies for 'stealing' data that was publicly shared. The problem is, when this info is public it is 100% legal for a company to collect and use that info. It is no different than going to the local courthouse or looking in the phone book to find your name, address and phone number.
When "Free" isn't really free
Facebook is purportedly a free service. You can sign up, create a profile and use it without paying a cent. Facebook however is also a business and the sole purpose for a business to exist is to make money. If they're not making it from the people who use it then where does the money come from? The answer is from TPCs who pay Facebook for ads and analytics that are based on the information and data gleaned from all of the users who are using it. The more users Facebook has, the more data it can glean which means it can more effectively sell those ads and analytics.
Facebook is a business. Every business sells something. What it sells is called the product. When it comes to Facebook, the product is you.
So now that we're done with the scary parts, what can you do to protect your data, your privacy and make sure you don't get caught up in a scheme you would never want to be involved in? We'll cover that, as well as some closing thoughts in part 3.