Facebook spyware is pervasive. To understand Facebook’s spyware machine and their massive data collection and processing engine, we must start with what the term spyware actually means. Here are two definitions:
- software that enables someone to obtain sensitive information by covertly collecting and transmitting data
- tools that are used to conduct espionage
Facebook’s official numbers say the Like button is enabled on 7.3% of all global websites. But the overall number of Facebook plugins and links enabled on websites increases that number to a whopping 49% of all global sites. No doubt when either definition of spyware was created, the person who coined the term could not have foreseen users willingly volunteering their information. In the past, spyware was cleverly and covertly distributed on computing devices through an errant click on a pop-up window or visits to malicious sites. Today, however, spyware from companies such as Facebook and Google is far more covert and pervasive than the worms, viruses, and malware of even a few years ago. The spyware of yesterday was deceptively installed by a nefarious hacker, but Facebook is an application users choose to install and use regularly, and they offer up their most sensitive and personal information.
To understand Facebook spyware, let’s start with cookies. When you visit Facebook.com, you’re assigned a cookie, a unique identifier stored on your device. That cookie stays with you and follows you to other sites where you might be shopping, doing research, making a purchase, watching videos, or just reading the news. When you visit any site with a Facebook integration such as Like, Share, or Comment, information on your system, your behavior, and much more are collected, and the cookie ties everything back to you. And all this happens whether you’re still logged into Facebook or not. It happens whether you are a registered Facebook user or not!
Facebook collects and stores the data for an undetermined period in very sophisticated large-scale databases. Their data retention policy is vague:
We store data until it is no longer necessary to provide our services and Facebook Products, or until your account is deleted – whichever comes first. This is a case-by-case determination that depends on things like the nature of the data, why it is collected and processed, and relevant legal or operational retention needs.
Their commitment to delete data in the first sentence is undermined by the second sentence in which they counter it: “This is a case-by-case determination that depends on...operational retention needs.”
The Data Behind Facebook Spyware
Facebook collects and stores data forever. It uses the data to create a sort of Venn diagram of your behaviors, attributes, likes, and dislikes to build a detailed profile on you. It does it across all of your devices, computers, and even IoTs. The aim? To be the perfect advertisement machine that actively and transparently drives engagements. Facebook does this by merging all content from you, your friends, social causes, political issues, and advertisements so the user sees no distinction. Facebook is expert at targeting precisely the right users and matching them to specific products or services, but it has also mentally trained its users to assign the same level of credibility to advertisements as they do to actual content on their sites.
Facebook’s categorization slices people into many distinct buckets based on raw data, behavior, and attributes, as well as collective insights for easier targeting. At a high level, that includes stages of life such as starting adult life, established adult life, and late adult life. Other categories get more specific: away from family, traveling, console gamer, close friends of people with birthdays in a week, Gmail users, and US politics (liberal, conservative, independent, or apolitical). In other words, Facebook’s analysis machine can look at you from every angle imaginable, and most of them people cannot discern.
This categorization is used to drive you to advertiser sites. Once you bite and click, it can still track and monitor your every activity, even when you are no longer on Facebook’s platform or app. Facebook’s official response is that this ensures that your shopping experience is pleasant and unobtrusive. Or, as UX designers love to say, “delightful.” Although site administrators can get this same information from local tools, there is truth to the value of data provided by Facebook. It’s called conversion tracking in the advertising industry. And Facebook benefits from this constant stream of data it gathers across one-half of all global Internet sites.
Despite its official claims, Facebook also benefits from providing data and analytics to advertisers for their own specific purposes. Cambridge Analytica is one example.
This is how Facebook spyware earns its reputation:
“If you’ve previously received a cookie from Facebook because you either have an account or have visited facebook.com, your browser sends us information about this cookie when you visit a site with the “Like” button or another social plugin.”
Now suppose you don’t have a Facebook account. If you ever happen to touch on a Facebook property (and there are many), they’ve got you!
If you visit a public Facebook page on your favorite band and then bail, heading over to another Internet site, Facebook follows you.
You don’t have to be a Facebook user to get the Facebook cookie or to be affected by Facebook spyware. If you never sign up for a Facebook account, you still get the cookie, which follows you around the alleys, the back streets, and highways of the Internet, picking up information on you and your habits and sending it back to mother Facebook.
Then there are the Facebook Like, Share, and Comment buttons. “Facebook’s Like button is an extremely powerful tool and the lynchpin in its data collection efforts. Just think of it as a cyberstalker on steroids,” says Pasdar. When you visit a site with embedded Facebook Like, Share, or Comment buttons or the equivalents on other Facebook properties such as Instagram or WhatsApp, Facebook – and Facebook spyware – collects your data, even if you NEVER hit the button, never hover over it, and never look at it.
Facebook Spyware and IoTs
IoT (Internet of Things) is EVERYTHING to Facebook. These purpose-built technologies have seeped their way into everyone’s lives, but they don’t get much attention. Yesterday, the computer and mobile phone were the centralized platforms for Facebook to collect a handful of data categories. Now, hundreds, even thousands, of IoTs provide Facebook with a constant flow of data that spans thousands of data categories. IoTs are the path forward and Facebook’s strategic future. Whereas an empowered user could once control the Facebook data collection process, plugging the IoT data leak dam is nearly impossible with today’s technologies.
By simply monitoring phones, Facebook can tell if two or more people know each other by determining which way they are facing and reading their subtle body movements. What chance for privacy is there when hundreds or thousands of local IoTs are covertly feeding telemetry to the social media giant?
In his testimony to the United States Congress, Mark Zuckerberg, co-founder and CEO of Facebook, admitted that the company tracks all technologies, including computers, mobile phones, and IoT devices. Facebook has made it clear that cross-device ecosystem tracking is its future and its priority. Since IoTs are purpose-built technologies that are highly distributed, they are co-dependent on remote applications and remote management. The IoT, application, and management trio forms the ecosystem. As Facebook continues its successful integration into ecosystems, it connects them to third-party applications, each with possibly millions of globally distributed IoT data collection points per application. Here is a question posed by a member of Congress and Zuckerberg’s response:
Does Facebook collect user data through cross-device tracking, and does this include off-line data?
“Yes, Facebook’s Data Policy specifically discloses that we associate information across different devices that people use to provide a consistent experience wherever they use Facebook.
….Facebook’s services inherently operate on a cross-device basis: understanding when people use our services across multiple devices helps us provide the same personalized experience wherever people use Facebook—for example, to ensure that people’s News Feeds or profiles contains the same content whether they access our services on their mobile phone or in a desktop computer’s web browser. In support of those and other purposes, we collect information from and about the computers, phones, connected TVs and other web-connected devices our users use that integrate with our Products, and we combine this information across a user’s different devices.”*
*Quoted from the full congressional testimony.
Facebook spyware has become mainstream. So Facebook knows you and all your hundreds or maybe thousands of friends, AND all your IoTs and all their billions of friends.
About Acreto IoT Security
Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.