by Consumer Reports Staff/Consumer Reports — May 3, 2012
If you’re reading this article, chances are good you have a page on Facebook, too. More than 150 million Americans already use the site, and the number grows daily because Facebook makes it so easy to keep up with friends, family, and colleagues, discover great content, connect to causes, share photos, drum up business, and learn about fun events.
To deliver this service, Facebook and other social networks collect enormous amounts of highly sensitive information—and distribute it more quickly and widely than traditional consumer data-gathering firms ever could. That’s great when it helps you find old classmates or see ads for things you actually want to buy. But how much information is really being collected about you? How is it being used? And could it fall into the wrong hands?
To find out, we queried Facebook and interviewed some two dozen others, including security experts, privacy lawyers, app developers, and victims of security and privacy abuse. We dug into private, academic, and government research, as well as Facebook’s labyrinthian policies and controls. And we surveyed 2,002 online households, including 1,340 that are active on Facebook, for our annual State of the Net report. We then projected those data to estimate national totals.
The picture that emerges has bright spots but also many causes for concern, including the following:
Some people are sharing too much. Our projections suggest that 4.8 million people have used Facebook to say where they planned to go on a certain day (a potential tip-off for burglars) and that 4.7 million “liked” a Facebook page about health conditions or treatments (details an insurer might use against you).
Some don’t use privacy controls. Almost 13 million users said they had never set, or didn’t know about, Facebook’s privacy tools. And 28 percent shared all, or almost all, of their wall posts with an audience wider than just their friends.
Facebook collects more data than you may imagine. For example, did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?
Your data is shared more widely than you may wish. Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge.
Legal protections are spotty. U.S. online privacy laws are weaker than those of Europe and much of the world, so you have few federal rights to see and control most of the information that social networks collect about you.
And problems are on the rise. Eleven percent of households using Facebook said they had trouble last year, ranging from someone using their log-in without permission to being harassed or threatened. That projects to 7 million households—30 percent more than last year.
Some of these issues arise from poor choices users themselves make. But there is also evidence that people are treating Facebook more warily; 25 percent said they falsified information in their profiles to protect their identity, up from 10 percent two years ago. Other problems can stem from the ways Facebook collects data, how it manages and packages its privacy controls, and the fact that your data can wind up with people or companies with whom you didn’t intend to share it.
Andrew Noyes, Facebook’s manager of public policy communications, says the company takes privacy and safety issues seriously. He pointed us to a blog posted last year by founder and CEO Mark Zuckerberg, who wrote, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.” And Facebook has made efforts to respond to concerns. Even as this article went to press, the company announced that it would offer users greater access to records of their past Facebook activity.
But some critics worry that the very existence of such a massive repository of personal data demands extraordinary protections and controls. “Last time I checked, large corporate interests aren’t allowed to trample on widely recognized fundamental rights just because their founders have invented some new, profitable privacy-busting product, yet that is exactly what has happened to privacy rights over the past few years,” charges James Steyer, founder of the children’s-advocacy group Common Sense Media and author of the book “Talking Back to Facebook.”
In this article, we examine the gap between these two viewpoints to see where the truth lies. We focus on Facebook because it is the world’s largest social network, with 800-million-plus users, far more than competitors such as Google+ and LinkedIn. Facebook is also of interest because it has declared its intent to go public and is poised to raise billions more dollars in funding. What we found was sometimes fascinating and other times disquieting—but always worth knowing if you wish to keep your data under better control.
Social networks are rewriting social rules
One thing is for sure: Facebook and other social networks are changing the way the modern world operates and “rewriting the rules” of social engagement, as Chief Operating Officer Sheryl Sandberg puts it.
Examples abound. Facebook recently partnered with the Department of Labor and others to help connect job seekers and employers, developing systems to make job postings viral. When tornadoes hit the Midwest and Texas this year, photos of animals posted on Facebook helped families find lost pets. The network keeps active-duty soldiers in touch with families, including a National Guardsman serving in Afghanistan who not only reconnected with the woman who later became his wife but now uses it to follow the daily milestones of his newborn daughter. And millions now turn to Facebook to express their opinions to government and businesses, flexing their collective muscle in ways never possible before.
The site also aids commerce. Last year, 1-800-Flowers.com boosted sales of its Modern Embrace Pink Rose & Lily Cube and Make Mom’s Day Bouquet before Mother’s Day by asking moms to use a “Like” button to indicate their preference. And more than 18 million people visited or “liked” a brand’s page after learning that friends had done so, our survey suggests. That’s why so many organizations maintain pages on Facebook. At the Consumer Reports page, for example, we host live chats with our experts, share articles, and query visitors to help in our reporting. We have also bought ads on Facebook to tell users about our activities.
Ads like those are what keep Facebook so profitable. The company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account. Such reach helped Facebook multiply revenue almost fivefold in the past two years, to $3.7 billion in 2011.
This revenue model dovetails neatly with Zuckerberg’s oft-stated goal of “making the world more open and connected.” The more data you share, the more Facebook knows about you and the more powerful its ad-targeting machine becomes.
Privacy experts worry that Facebook’s business model runs contrary to people’s interests. “Facebook has purposefully worked to erode the concept of privacy by disingenuously claiming users want to share all of their personal information,” says Jeff Chester, founder of the Center for Digital Democracy, a D.C.-based consumer group.
Others, like widely followed blogger Robert Scoble, scoff at this fear. “I make everything public on my Facebook account and I’m not worried about privacy because the more I share about who I am and what interests me, the more Facebook can bring me content that I care about,” says Scoble, startup liaison officer for Rackspace, a global Web-hosting company. “Yes, people have lost jobs because of things they have posted on Facebook, but you can also end up getting jobs and making all kinds of great connections because you’ve posted about your passions.”
Different standards regarding your privacy
This deep division of opinion is reflected in the widely divergent approaches that nations have adopted regarding laws that govern privacy.
In Europe, companies must notify consumers before collecting their data, and people have the right to obtain and correct copies of their information. The European Commission recently proposed even tighter rules that would require explicit “opt-in” consent before data were gathered and let you order that your data be permanently deleted—a provision known as the “right to be forgotten.”
In the U.S., on the other hand, there are strong federal privacy laws covering your financial and health data. But Americans have few federal rights to see and control much of the information they share through social networks.
Given the differing protections, it’s worthwhile to ask what data Facebook actually keeps about you. Until recently, that was hard to find out. Even Facebook’s “Download Your Information” tool yielded only part of your personal file.
We know that thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook’s Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list.
Schrems formed an activist group called Europe-v-Facebook.org, which posts redacted copies of the files he and others have freed from Facebook. His file contained 57 categories of personal data, including the date and time of log-ins and his last known geographic location, including longitude and latitude.
Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff. He committed suicide in jail in 2010 shortly before going to trial for the murder of a young woman in what news accounts had dubbed the “Craigslist Killer” case. Markoff’s Facebook file included copies of his wall posts, page after page of photos, a list of the exact times he logged in, his IP addresses (the unique strings of numbers that identify where you’re accessing the Internet), as well as his list of friends.
“It is very likely that no government or corporation has ever managed to gather such a huge amount of personal and often highly sensitive data,” Schrems said in complaints filed with the Irish Data Protection Commission. The commission conducted an audit and said it would review in July Facebook’s progress toward giving European users greater control over their data. The changes Facebook announced recently represent a step in that direction, though users still won’t be able to get everything. Facebook says the expanded data will be rolled out in Europe and Canada first, and later in the U.S.
While improved privacy controls are welcome, some observers say they don’t address the core issue. Eben Moglen, a Columbia University law professor who supports decentralized data sharing, worries that Facebook’s focus on privacy controls is “like a magician who waves a brightly colored handkerchief in the right hand so that the left hand becomes invisible. From a consumer’s viewpoint, Facebook’s fatal design error isn’t that Johnny can see Billy’s data. It’s that Facebook has uncontrolled access to everybody’s data, regardless of the so-called privacy settings.” And even users who adjust those settings can be surprised by where their information winds up.
Apps can pose privacy risks
One way your data can escape is through Facebook games and apps. Whenever you run one, it gets your public information, such as your name, gender, and profile photo, as well as your list of friends even if you haven’t made that list public. And if you give the app certain permissions, it can peer deeper into your data and even see information that your friends share with you, unless they have specifically forbidden sharing with apps in their own privacy settings.
The result is that unless you’ve chosen your privacy settings meticulously, a friend who runs an app could grant it access to your information without your knowledge. Given that fact, it’s troubling that our survey found that only 37 percent of Facebook users say they have used the site’s privacy tools to customize how much information apps are allowed to see.
Facebook exercises only basic oversight of developers of Web-based apps, according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live, experts told us.
Facebook counters that it watches vigilantly for apps that misbehave. “We have a dedicated team that reviews apps using a risk-based approach to ensure we address the biggest risks, rather than just doing a cursory review at the time an app is first launched,” a spokesman told us. “We also have stringent automated systems in place to quickly catch bad actors before they can gain access to user data.”
Those apps run on Facebook in an environment the site maintains for developers to build user tools. But users can also share data through another type of app—the mobile apps that you download to your Apple or Android tablet or smart phone.
Consider Highlight. This free iPhone app, developed by Math Camp, taps into certain parts of your Facebook profile that you agree to share, and then can follow your travels using your GPS data. It runs quietly on your device until it detects another person running Highlight nearby. When it does, it alerts you to each other’s presence and shows your profile photos, mutual friends, and anything else you’ve shared. It’s easy to imagine that Highlight could help you meet interesting people. Scoble says he found the app valuable for making connections at the recent South by Southwest (SXSW) technology and music conference in Austin, Texas, for example. But some privacy experts worry that such apps could also facilitate stalking and other antisocial behavior.
The vast Facebook biometric database
Privacy critics also point to one of the newer features on Facebook, Tag Suggest, which scans your photographs using facial-recognition technology. This system detects human faces in photos and then calculates a unique numerical identifier for each face based on characteristics such as the shape of the eyes and the distances between eyes, nose, and ears. It then tries to tie that face to a specific user’s name.
Tag Suggest uses this system to search photos you upload of your friends. If it finds one, it suggests that you “tag” the photo with the friend’s name. The aim is to make it easier to label photos in ways that facilitate sharing.
Tag Suggest sparked controversy last year when Facebook announced it had enabled it for some users without alerting them. Users could opt out, but first they had to notice that Tag Suggest was active. “If this new feature is as useful as Facebook claims, it should be able to stand on its own, without an automatic sign-up,” Rep. Edward Markey, D-Mass., said last June. Facebook quickly responded by making Tag Suggest messages more prominent. Users who are automatically tagged are notified and can untag themselves or ask their friends to do it. Or they can disable the feature altogether.
Once again, though, critics say the issue goes beyond specific notifications to the fact that one company now controls such a vast biometric database about so many people. Facebook already stores more than 60 billion photos and says the number grows by 250 million a day. Its recent acquisition of the popular mobile photo-sharing service Instagram promises to add even more images to this cache.
Last year, Carnegie Mellon University researchers demonstrated in an experiment the potential such a database holds for connecting the dots in people’s digital lives. Using off-the-shelf facial-recognition software that’s probably far less effective than Facebook’s, they were able to match subjects whose photos were posted on a dating site to their profile photos on Facebook.
Besides knowing what its users look like, Facebook keeps track of the other websites they visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data.
The company also said that it collects data from people who are not its users and have never visited its site. That rang alarm bells among privacy watchdogs since an IP address can function “like DNA at a crime scene,” according to Lori Andrews, a law professor at the Illinois Institute of Technology. “There often will be enough data points connected with your IP address to clearly identify you.”
In November, regulators in Germany found that such information was being collected on Facebook users for up to two years even after they deactivated their accounts. Facebook said that was needed to enhance security, a claim German regulators rejected. Both sides say they are willing to talk, but Facebook’s website says it doesn’t share such data without your permission and deletes it or makes the information anonymous within 90 days. The Irish Data Protection Commission concluded last year that the information Facebook gathered from third-party websites was not used for advertising or profiling.
Employers, insurers, and the IRS watch social networks
Some of the greatest threats to privacy have nothing to do with fancy technology but simply with poor judgment about what information to post and for whom. Here are groups that use such data:
Decision makers. Insurers, employers, and college admissions officers sometimes use social media to evaluate people. They may, for example, turn to a service such as Social Intelligence that scours public postings on Facebook and other social networks as part of a background check. Among the red flags employers look for, the company says, are sexually explicit photos or videos, racist remarks, and evidence of illegal activities. It also reports that 69 percent of human-resource officers have rejected job applicants based on social media reviews that turned up any of those flags.
“We can now collect information on buying behaviors, geospatial and location information, social media and Internet usage, and more,” says a recent report from Novarica, a New York-based research and consulting firm serving insurers and financial service companies. “Our electronic trails have been digitized, formatted, standardized, analyzed and modeled, and are up for sale. As intimidating as this may sound to the individual, it is a great opportunity for businesses to use this data.”
The fact that insurers can mine social media should serve as a warning to Facebook users who publicly post information about their medical or health issues.
The same goes for would-be college students. Last year, Kaplan Test Prep found that almost a quarter of admissions officers had checked out applicants’ Facebook or other social pages. Twelve percent said that what they found had hurt the applicants’ chances, including things like photos of alcohol use, which are notoriously common on young people’s pages.
Government investigators. IRS agents can scan public postings on Facebook as part of research to “assist in resolving a taxpayer case,” according to a 2009 training manual obtained by the Electronic Frontier Foundation, a privacy and consumer rights group. The manual offers an example that reads like a “Seinfeld” episode: An IRS officer learns that a taxpayer he’s investigating is a comedian who posts a video on a social network to promote previous and upcoming performances. It suggests the agent contact past performance locations to find out how much the comedian was paid or serve the performer a summons at a future venue.
Comics can relax about at least one point: The manual bars agents from “friending” a taxpayer to gain access to data. But that’s not true of a memo the U.S. Citizenship and Immigration Services wrote for investigators at the Office of Fraud Detection and National Security trying to spot immigration fraud. “Many of these people accept cyber-friends that they don’t even know,” the memo notes. “This provides an excellent vantage point for FDNS to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities.”
Enemies or criminals. Last September, someone with a gripe against Kevin Jolly gained access to the Lake Forest, Calif., lawyer’s Facebook page and launched a damaging attack. Jolly, 47, says the person downloaded his profile photo to create a fake page in his name and established contact with his Facebook friends. The perpetrator then inserted pornographic language into the fake profile and sent vulgar sexual messages daily to Jolly’s friends, family, and business colleagues.
Although Jolly reported the fake profile promptly, it took almost a month and several e-mails from Jolly for Facebook to remove it. “I can’t believe how long it took them to resolve this,” he says. “And even in a situation like mine, where someone is being personally and professionally destroyed by something abusive on Facebook, the only way they’ll communicate with you is through e-mail. Never once could I speak to a human being there.”
Contrast that with the case last year when a security flaw let outsiders grab more than a dozen of Mark Zuckerberg’s private photos and post them on Imgur, a photo-sharing site. That flaw was fixed in a day. Facebook says that by making users resort to online tools to access customer service, the company can process many more inquiries than it could through a telephone call center.
Even your own Facebook friends can occasionally be a risk. Our survey projects that something like 20 million U.S. Facebook users aren’t fully comfortable with all their friends in matters of personal security, either because they don’t know some of them very well—or because they know them quite well enough to understand how poor their judgment really is.
Privacy advocates urge better protections
Under a settlement that Facebook signed with the Federal Trade Commission last year, it was barred from making misrepresentations about the privacy or security of consumers’ personal information. It also agreed to obtain users’ consent before making changes that override their privacy preferences, among other things. Consumers Union, the advocacy arm of Consumer Reports, has praised the settlement, saying it sends “a strong message to companies that they must live up to the privacy promises made to consumers.”
Some privacy advocates think the settlement wasn’t tough enough. The Electronic Privacy Information Center has urged consumers to join its petition asking the FTC to make Facebook restore its privacy settings of 2009. EPIC also wants Facebook to offer complete access to all data it keeps about users, stop creating facial recognition profiles without their consent, cease secretly tracking users across the Web, and publicly disclose the results of the privacy audits that the FTC agreement requires every other year for the next two decades.
Consumers Union wants a national privacy law that holds all companies to the same privacy standards and lets you tell companies not to track you online. It also supports the Obama administration’s effort to bring industry and privacy groups together to set clear rules for how your data is collected and used.
Leaving aside formal government regulations, there are plenty of steps that Facebook could take on its own to protect users better. It could, for example, fix a security lapse we first identified nearly two years ago that permits users to set up weak passwords including some six-letter dictionary words. It could help users avoid inadvertently sharing wall postings with the public, either by alerting them more prominently when they are about to do so or by changing the default audience for posts to the user’s preferred audience. Facebook could also tighten its oversight of apps and respond faster to urgent user problems, such as those of Kevin Jolly.
Until it does, perhaps the best advice comes from Ed Skoudis, an instructor at the D.C.-based SANS Institute, which trains security experts: “Maximize your privacy settings, but even then, assume anything you do on Facebook can be seen by all of your friends, your mom, your great-great-grandchildren, your employer, health insurer, and the government.”
How children fare on Facebook
Children under 13 aren’t supposed to use Facebook. We project from our survey that the company closed about 800,000 such accounts in the last year.
But some 5.6 million underage kids still have accounts, our survey suggests. And 800,000 minors were harassed or subjected to other forms of cyberbullying on Facebook.
Our survey also shows that most parents who knew their preteen used Facebook had not discussed online threats with them or “friended” them, while up to a third did nothing to keep up with their children’s Facebook activities.
Targets: 11- to 13-year-olds. The least vigilant parents in our survey were those with children under 13 on Facebook. “The kids most often targeted are 11- to 13-year-olds, because they’re more naive and less likely to tell an adult about it,” says Nils Frederiksen, a spokesman for the Pennsylvania Attorney General’s Office. Its Child Predator Unit recently charged William Ainsworth, 53, with using phony Facebook identities to lure hundreds of girls as young as 11, whose profiles revealed that they were vulnerable because of trouble at home or school. Ainsworth allegedly solicited nude photos from some and arranged to meet for sex. He has pleaded not guilty.
Investigators interviewed more than 30 girls; almost all said they were using Facebook with little or no parental knowledge when they communicated with the predator. Most used cell phones or other mobile devices, making supervision difficult.
An elusive solution. The Federal Children’s Online Privacy Protection Act (COPPA) prohibits sites from collecting, using, or disclosing personal information from preteens without parental consent. The Federal Trade Commission proposed changes last year for children who use child-oriented sites, which include improving methods for securing parents’ permission. Final recommendations are expected by year’s end.
But the new rules wouldn’t require sites with a more diverse audience, such as Facebook, to try to verify the age of someone who opens an account.
In a recent study published by the University of Illinois at Chicago, more than 80 percent of parents said they’d known when their underage child had signed up for Facebook. The study implied that one strong privacy standard for adults and children would be better than two, since with two policies kids may pretend to be older than they are.
Jeff Chester, a child-privacy advocate who led the campaign to enact COPPA, wants the FTC and Congress to consider a different option. He thinks Facebook should create a section for children under 13 and require opt-in parental permission, as COPPA requires.
We asked Facebook for its views about such an option. “We see ourselves as innovators, and believe it is time to focus on how to keep kids safe online and on Facebook, rather than on how to keep them off,” a spokesman replied in an e-mail.
What you can do. If your young teenager wants to join Facebook, insist that he or she “friend” you, says Colleen Cronin of East Hampton, Conn., who interceded when she found evidence of bullying among children in her son Cameron’s Facebook network. Monitor kids’ activity. Make sure that they really know their “friends” and that they set the audience for all wall postings to “friends” only.
After all, it’s your data
Facebook says that it will soon give users access to portions of the data below, and more, which it didn’t disclose before.
• Time and date of Facebook log-ins
• IP address used for each session
• Friend requests you’ve made
• Facial recognition data
• Previous names used
• Your searches and page views within Facebook while logged in
• “Poke” information
Nine ways to protect yourself
Facebook offers many privacy controls, but good luck understanding them. A new study by Siegel+Gale, New York-based consultants, finds that Facebook’s and Google’s privacy policies are tougher to comprehend than the typical bank credit card agreement or government notice.Google’s widely promoted new policy was so dense that researchers “found it impossible to write an adequate question to test a reader’s comprehension.” Facebook’s tools were nearly as opaque. Here are tips to help you with them. For more details, read “Protect Your Privacy on Facebook.”
Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.
Regularly check your exposure. Each month, check out how your page looks to others. Review individual privacy settings if necessary.
Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.
Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.
“UnPublic” your wall. Set the audience for all previous wall posts to just friends.
Turn off Tag Suggest. If you’d rather not have Facebook automatically recognize your face in photos, disable that feature in your privacy settings. The information will be deleted.
Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see.
Keep wall posts from friends. You don’t have to share every wall post with every friend. You can also keep certain people from viewing specific items in your profile.
When all else fails, deactivate. When you deactivate your account, Facebook retains your profile data, but the account is made temporarily inaccessible. Deleting an account, on the other hand, makes it inaccessible to you forever.
*Editor’s Note: The figures we cite on the behavior of Internet users, including those on Facebook, are drawn from our State of the Net survey, which was conducted January 16 to 31, 2012, by the Consumer Reports National Research Center. The findings are nationally representative of Internet households. Participants were 2,002 adults with a home Internet connection who were part of an online panel convened by TNS, the world’s largest custom-research agency. From those respondents, we created national projections. The margin of error for the full sample was plus or minus 2 percentage points at a 95 percent confidence level.