Facebook question... for anyone, users or non-users

[DeltaBond]

Spork, thank you for taking the time to share that.  That stuff isn't my main concern for myself, although I do care about it on a broader scale, but its hard to make people understand that it is important.  Its hard to remind people that 10 years ago they lived just fine without facebook and other internet sites.

What I don't like is that stores are carrying less and less due to internet shopping.  Its very hard to find items you truly need when you can't buy them in person, unless you shop online.  Not all things, but more than I'd like.  So my little idea of just 'getting off the net' proved difficult.  I changed to a dumb phone, reduced what I do on the net to the bare minimum... and yeah, they already have all the info I've given so far, can't take that back.  My reason, though, isn't really what they do with the data mining (even though it really should be), although that is part of it... my main concern is my stress level, the time I spend fighting off spam, avoiding social problems.  I just enjoy simplicity.  I just want to get news about my side of my city or I wouldn't be on FB at all.

[esq]

Okay, so here's a little explanation on why some folks are a little bothered by Facebook data mining.  It may still very well not bother you.  You may not be participating in all of these collection streams.  Thats fine.  But maybe you will gain some understanding.  This is not a complete list.  I just banged this out in a couple of minutes.  If we sat and hashed it out, we could have a much more complete list of risks.

* One need only read a little bit of the various security expert's opinions on the "Snowden documents" to understand the relevance of metadata and the huge amount of data you can glean from someone just from metadata.  In the case of FB, we're talking much more than metadata.  We have detailed data on users: Name, sex, sexual preference, political preference, location, whom they are associating with, whom they are related to, whom they are currently with, religion, financial status ... the list goes on.
* Unless you have explicitly blocked FB's cross-site tracking ... or use a totally different browser instance for FB, they pretty much have tracking to determine exactly what web sites each user visits.
* Some (possibly all) of that data is shared with FB advertisers.
* If you use FB's built in app platform, this data is potentially shared with application developers -- who may again share this with their affiliates.  FB apps essentially log in AS YOU and can pretty much do what they want AS YOU.  Your privacy settings really don't apply.
* If you use FB apps on your phone, they will have location data... not just for check-ins, but for pretty much all the time. 
* Government agencies have a great interest in FB data.  Government has requested of FB a huge number of national security demands.  We don't really know what they've requested, just very general numbers.  There is a huge undercurrent in IT industries to create data mining partnerships with governments.  What is being requested and complied with is generally just not known.  This mostly applies to "US government" ... but it also applies to others... As the data golden egg grows, more and more will participate.
* Advertising is not necessarily as simple as you think it is.  It isn't necessarily just an image saying "Buy widgets!"  They are usually javascript that runs on your computer.  They are not designed by Facebook, but by some third party.  This might be someone with very little security coding knowledge that makes dumb mistakes.  It could also be a bad actor (malware, etc).  A huge amount of malware propagates via ad-based injection.  Now... with good data the malware can be targeted to a single person... or group (gun owners, people that have a particular stance on abortion, people likely to have bigger bank accounts, etc).
* If you trust FB today... it could be sold tomorrow.  The holders of your data can and will change over time.  Deleting information is of little use.  They have it.
* Many sites are starting to use FB as a single sign on entity.  This is A REALLY BAD IDEA.  This means putting all your eggs in one basket.  If it gets compromised/hacked/etc... you get EVERYTHING that is attached to it.
* There is a significant risk of hackers getting FB data.  They already glean lots of single accounts and sell them on the open market.  Getting the backend data would be worth quite a lot of money to them.  FB is a pretty decent target. 
* The primary concept of computer and network security is "least required privilege".  FB design is exactly opposite of this.  It's just bad design that is sort of set up for major security issues.  It may never happen.  It may happen every day and not be published.  But trust me as a "computer security professional" ... It is a "bad thing."

Once again: I'm not listing all this to be all tinfoil hat paranoid.  Computer paranoia was my job for over 25 years.  If you are comfortable participating and sharing fully, please continue to do so.  If you think you're not sharing much... you are likely wrong.  Learn what's likely being shared and decide if you're still comfortable.

Very interesting.  Thank  you.  Am I correct in saying that the above information makes the whole fake vs. real fb name issue a moot point?

[Zikoris]

Spork, I guess I'm still not sure what exactly someone could do with pictures of my cat, recipe links, and a few posts about recent hikes or trips. Even if everyone and their brother were to get access to everything I've ever posted, what could they possibly do with it that could harm me? That's the part I'm confused about.

They can't advertise to me, anyways, as long as Ad Block keeps working.

[robartsd]

I think Facebook ought to have an option to have ID's verified and then they could mark accounts "Real Name verified by Facebook". Facebook could then allow users to block users who have chosen not to allow Facebook to verify their ID. (Since real names are beneficial to Facebook, this will be the one time a new privacy setting defaults to the more restrictive setting.)  Of course we don't know the outcome of a lawsuit where the stalker creates an account that Facebook verified using a borrowed/forged/stolen ID - Facebook may be opening itself up to liability here by creating an expectation that Facebook has verified the ID of account holders.

I imagine Facebook will eventually have their ID check go to all users, but is targeting users who are not connected to reletives with similar names first as they are more likely to be using a fake name.

Spork did a great job outlining the biggest privacy threats Facebook, Google, and other major online players pose. The only real defense I use is NoScript - I don't use an "ad blocker" but blocking scripts from untrusted advertiser domains greatly reduces the ads I see. On older hardware, the overhead of advertiser scripts can be quite noticable even if they aren't introducing security risks.

[DeltaBond]

It interesting to see all the different aspects of privacy different people care about, including those who don't care at all.  This has been a very productive thread, in my opinion, and I'm thankful that those who don't care about it can't force me to provide more personal info, lol.  Some folks aren't interesting enough to be harassed ;p  Be hopefull you aren't chosen at random by one of the crazies.  "Johnson, Nathan R.... " -- "The Jerk" right before Steve Martin's character got shot at a dozen times by that man with the phonebook, lol

[Spork]

Very interesting.  Thank  you.  Am I correct in saying that the above information makes the whole fake vs. real fb name issue a moot point?

Moot isn't the right word.  But it's close.  They're collecting data on you whether you want them to or not.  You can attempt to limit the data in various ways.  Or ... attempt to poison your data slightly.  I think not using a real name helps EVER SO SLIGHTLY.  But... it would be trivial for FB to sort out what my real name is if they tried.

Spork, I guess I'm still not sure what exactly someone could do with pictures of my cat, recipe links, and a few posts about recent hikes or trips. Even if everyone and their brother were to get access to everything I've ever posted, what could they possibly do with it that could harm me? That's the part I'm confused about.

They can't advertise to me, anyways, as long as Ad Block keeps working.

Just like using a fake name helps (a little), so does Ad Blocking.  It doesn't mean they aren't collecting data with their various facebook cross site scripts.  Unless you are running something like NoScript AND have specifically added XSS strings in there to catch facebook XSS... they're collection.  Does it matter to you?  I don't know.

Ad blocking is also becoming slowly more difficult.  More and more sites are implementing adblocking blockers.  It isn't everyone yet... but as it becomes more common, it will eventually be difficult to successfully block ads.  I.e., "if this bit of javascript does not execute on your PC and give us an answer we expect: We won't serve the page to you."

The "least required access/information" is so ingrained in my way of thinking that it just really gets under my skin.  It is similar to (but very different because it isn't law enforcement) a cop asking if he can search my car on a routing traffic stop.  HE WILL NOT FIND ANYTHING... but: Damn it!  He doesn't have any reason to do that.  And it will not benefit me in the least if he does.

[DeltaBond]

Fake name is not a moot point if you care about the other users harassing you... so you can't just blow that off.  As many people on here have explained, that is more of what they care about.

[robartsd]

Ad blocking is also becoming slowly more difficult.  More and more sites are implementing adblocking blockers.  It isn't everyone yet... but as it becomes more common, it will eventually be difficult to successfully block ads.  I.e., "if this bit of javascript does not execute on your PC and give us an answer we expect: We won't serve the page to you."

The easiest way for sites to circumvent ad blockers is to serve the ads from the same domain as the content - wait don't tell me you don't trust/value your advertisers enough to serve as a proxy for serving up their ads to your readers.

[DeltaBond]

Here's a funny article about Zuckerberg - I guess even the folks at facebook have an issue with security.

http://www.popsci.com/mark-zuckerberg-is-super-intense-about-his-computer-security?src=SOC&dom=fb

[Rural]

Has anyone gotten a message that it was someone "reporting" their name? The article makes it sound like that's a lot of the source of Facebook questioning names.


http://www.adweek.com/socialtimes/real-names-policy-reporting-verifying/631558

[Inaya]

I actually have two Facebooks. My main one is the one I've always had under my longstanding nickname. It's pretty much limited to close friends from high school and college that I don't want to lose contact with. It's where I rant about work and life and share things that I think my social circle might find interesting, and occasionally a politically charged post (but I avoid that normally since I find it annoying and assume others do as well).

My "professional" Facebook is under my real name. I started it when I graduated, and it's part of my professional "brand"(LinkedIn, my Web site, my portfolio, etc.). It's also a red herring to draw people away my main account. Family, co-workers, people from professional associations, etc., all go on there. I curate my posting much more carefully--nothing political or religious, nothing that could get me fired, etc. Lots of personal information, but nothing that's not already on my Web site or my LinkedIn.

My rule for both is that if I don't know you in person, I don't accept your friend request (with some exceptions for VERY close Internet friends, many of whom I've subsequently met in person).

I'm not worried about my personal information getting found because I know it's already out there. I was part of the OPM breach, so they already have far more information that I put on my Facebook page. I'm anonymous on this site for the same reason many others are: it's a safe zone where we can talk about pretty much anything, including our personal financial situations. Posting under our real names would jeopardize that, and I sure as heck wouldn't want some of my posts from here to be indexed by Google under my real name.

[DeltaBond]

Rural, when I got the message about FB questioning my name, it did not state how I came up on their list.  People can report each other, and FB also has some program running through the names, but the message didn't clarify that for me, at least.

Inaya, that's exactly it, a safe zone.  For a lot of people, that is what they want, real name or fake, they want a safe zone.  I always laughed at people who were upset when a family member ended up seeing something personal they posted - they clearly needed two accounts if they were going to have people on there they weren't comfortable sharing everything with.