Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others

More bad news for privacy. This simply can’t continue, allowing companies you’ve never heard of to gather colossal amounts of data that notionally can have a bigger impact on individuals than their credit rating.

Source: Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others | ZDNet

The Facebook scramble to rewrite history

As Facebook scrambles to head off prohibitive legislation in the UK, Europe and the USA, it is trying to reinvent its history and mission. I’m no Facebook historian, developer or professional watcher, but it’s worth remembering some of its actual history, bugs, screw-ups and the often terrible defaults it implemented with new features.

I’d long imagined that Mark Zuckerberg was the embodiment of the Zeke Hawkins character in the 1993 movie Sliver. One of the things Hawkins says in the movie about his surveillance is the Google-esque:

We’ll do only good things.

None of the recent disclosures about access to Facebook data is about hacking or other malicious activity. They are about poor design decisions; privacy defaults that were good for Facebook but not for the user; and ultimately what was necessary for Facebook’s business model. They were not, as Facebook and Zuckerberg oft refer to them, data breaches.

As the voiceover says at the end of the Sliver trailer:

The view from the outside is nothing…. compared to the view…. inside.

My history with Facebook goes back to when it was “thefacebook”. I’d been a regular speaker and panelist at the Silicon Valley World Internet Center between 1998 and 2003, when I gave my last session on Open Source. The center was housed at Stanford University. Over my time there, I made many professional and personal contacts.

I started using livejournal as an emerging platform for “blogging” and tracking news for my then key triathlon interests in January 2004. That April, through one of the contacts I’d made at the World Internet Center, I was offered a userid to take a look at “thefacebook”. I didn’t spend much time on it; it was facile, juvenile and voyeuristic. I wasn’t surprised to hear that in 2003, the Harvard University administration had charged Zuckerberg with breach of security, violating copyrights, and violating individual privacy.

That set the path that Facebook has followed since then: their design decisions, their defaults, everything has been aimed at making your information publicly available, searchable and collectable. As I texted a few days ago, none of this need have happened if Facebook actually cared about privacy. Each and every time they implemented a new feature, they did so by setting the user’s privacy to the least private level allowed.

While Facebook claimed they were not selling data, which was probably legally true, they were always selling access to the data. If privacy had really been central to Facebook’s management of data, they would have made the defaults very different from what they were.

Think of all those infuriating apps and quizzes your “friends” were playing, Farmville, Candy Crush, etc., let alone the apps that wanted to know actual personal information, like where you’d travelled to. For a while in 2007 there was even a class at Stanford known as the “Facebook class”, where students, many of whom went on to make hundreds of thousands of US Dollars, were instructed on how to make Facebook apps.

As early as 2010, many of us were imploring people not to give companies like OK Cupid and apps like Lover of the Day access to their data; it was only ever going to end badly for someone.

Lover of the Day was installed nearly a million times. If every user that installed it had at least one hundred “friends” on Facebook, that meant that through a single app, four hundred million Facebook users’ data could have been exposed and scraped. Even if “Lover of the Day” hadn’t overtly exploited this, it was totally naive rather than malicious.

By the end of 2010, there were hundreds of website scams that were, as far as I can see, just there to harvest your data, and that of your friends. There were numerous websites set up to track these, of which Facecrooks was and still is one of the best.

When I got my Facebook data, before #DELETEFACEBOOK, I spent an hour searching through the data and my timeline to find interesting posts: pleas that I’d made to my friends about the lax controls, bad defaults and bad app choices they were making. In 2010 alone, I posted the following on my wall.

January 10th: “Well get used to it, the Facebook founder says your privacy is a relic of the past, everything should be public!”

March 2010: “So, not paying attention to the FB Privacy issue? Well last night the dumb ass’s made a change which made everyone’s email address public for about 30-mins even if you said not to or your settings… “

May 2010: “So yesterday Facebook blew their privacy yet again revealing private friend to friend conversations, allowing one friend to see outstanding friend requests of other friends…”

May 2011: When discussing the Symantec revelation that Facebook was leaking information to Third parties, I ended the post with – friends don’t give their friends personal information to strangers, don’t do the same on facebook!

By 2011, the music streaming startup Spotify was known to be aggressively using and promoting their business through facebook by exploiting the weak/lax Facebook privacy. If anything, the US Federal Trade Commission hearings led to facebook changes that were, in marketing speak, “more transparent” but in reality more opaque. They made it easier to stop sharing, but harder to know what was being shared.

In 2015, the scraping of user data was still rampant; I found a number of examples of warnings, mostly in so-called “Big company” giveaways.

March 2015: Friends don’t invite friends to the SW Airlines ticket give away. It’s a scam, they are harvesting Facebook ids, friends lists and email addresses and who knows what else!

It was followed by a long bullet list of ways you could tell if the giveaway was a scam. My post ended with:

If it doesn’t have at least two of those it’s a scam… It’s not harmless, it’s like showing up at an orgy and not using a condom.

When Zuckerberg and Facebook try to rewrite history claiming these were a breach of trust, or they didn’t sell data, or they acted as soon as they were notified, I don’t know what the hell they are talking about. They knew, they just didn’t care until the politicians got hurt, and now the optics look really bad.

Next. What should be done.

The Data Linkedin has

While I’m at it, I thought I’d take a look at what data linkedin.com has on me. It’s likely to be much less, since I rarely use the service, and my use has been getting less and less because their emails with anything useful, plus new contacts, connect requests etc., always take me to the Google Play app store to install the linkedin app. That’s not happening, so I mostly just delete the emails and make a mental note to login via the website.

If you are interested in your linkedin data, you can get it via the linkedin.com Settings and then Privacy page. Here.

The email that arrived with a link said:

Here’s just the first part of the information we have archived for you, including things like connections, contacts, messages, and profile information.

It seems that will likely be the more interesting part of their archive. The first .zip file seems to mostly include only static data, most of which I’ve provided.

Interestingly, I joined linkedin on April 11th, 2006. I learned that from the registration .csv.

At least in the .zip file I got, it had the following structure.

The media files were very limited: just two image files, and a PDF of a presentation that I posted directly to linkedin. This clearly isn’t all my data from linkedin, since it did not contain any links, articles, or images I’ve posted. It didn’t, for example, even include my profile and profile background pictures.

The spreadsheets were no more than comma-separated values, but seemed fairly accurate. There is no clue how they came about these; I can only assume from businesses I “liked” etc. Here is the entire contents of the “Causes you care about” .csv:

Civil Rights and Social Action
Economic Empowerment
Environment
Human Rights
Politics
Science and Technology

Which seems about right. What I’m sure most people will be interested in are the contacts: linkedin has a mix of my personal contacts and linkedin connections. For each “connection” it has first name, surname, physical address, email address, current employment/employer, position, a date and time field (?) and finally a web address.

The physical address doesn’t seem to have come from my contacts, which I’m pretty sure I’ve not given linkedin access to via the app or a website link/upload. The majority of physical addresses are blank, even for people I have work/home addresses for in my contacts.
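A quick way to check an export like this for yourself is to count, per column, how many rows actually carry a value, which turns the “most addresses are blank” observation above into a number. The script below is an added example, not code from the post or from LinkedIn; the column headers and the sample rows are constructed to match the fields the post describes, and the real export’s header names may differ.

```python
import csv
import io

# Constructed sample in the shape the post describes for the connections
# export: first name, surname, physical address, email address, employer,
# position, a date/time field and a web address. The header names below
# are an assumption, not LinkedIn's actual export format.
SAMPLE_CONNECTIONS_CSV = """First Name,Last Name,Address,Email Address,Company,Position,Connected On,Website
Alice,Example,,alice@example.test,Example Corp,Engineer,2006-04-11 09:00,
Bob,Sample,"1 Sample St, Springfield",bob@example.test,Sample Ltd,Manager,2008-02-01 14:30,https://sample.test
Carol,Demo,,carol@example.test,,Consultant,2012-07-19 11:15,
Dan,Test,,,Test Inc,,2015-03-02 08:45,
"""


def field_fill_rates(csv_text):
    """Return {column: (non_blank_rows, total_rows)} for a CSV export.

    A value counts as blank when it is empty after stripping whitespace,
    so a column of bare commas (the mostly empty physical addresses in
    the post) shows up with a low count rather than looking like data.
    csv.DictReader handles the quoted address containing a comma.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = {name: 0 for name in reader.fieldnames}
    total = 0
    for row in reader:
        total += 1
        for name, value in row.items():
            # A short row leaves missing columns as None; treat that as blank.
            if name in counts and value is not None and value.strip():
                counts[name] += 1
    return {name: (counts[name], total) for name in counts}


def populated_columns(csv_text, min_fraction=0.5):
    """Columns filled in at least min_fraction of rows, in header order.

    These are the fields the service actually holds for most contacts;
    anything below the threshold is effectively unused (or not exported).
    """
    rates = field_fill_rates(csv_text)
    return [name for name, (filled, total) in rates.items()
            if total and filled / total >= min_fraction]


if __name__ == "__main__":
    # Point this at a real Connections .csv by reading the file into a string.
    for name, (filled, total) in field_fill_rates(SAMPLE_CONNECTIONS_CSV).items():
        print(f"{name:14s} {filled}/{total}")
    print("populated:", populated_columns(SAMPLE_CONNECTIONS_CSV))
```

On the constructed sample, Address and Website are filled for only one of four rows, while names and the date field are present for every row; the same report on a real export tells you which contact details the service is actually holding.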

So I think this is pretty much:

Move on, nothing to see here!

When the 2nd .zip file arrives, I’ll add another post.

The Data that Google has

In the push-back over the Facebook privacy scandal, many are also asking questions about the data other platforms have. Many commentators draw a parallel to Google. For my part, this is valid at least as far as tracking, visiting locations etc. goes. Since I have a Google Phone, with a Google Fi service, and I use Google Maps, I pretty much expect them to track me.

In addition, in my prior home I had Google Fiber; plus add in all the Youtube videos, if you watch movies or listen to music on Google Play; they have my calendar; all my files in Google Drive; and, as much as I try not to have my photos in the cloud, they’ve almost certainly got some of them in Google Photos. I typically avoid using Google Search directly, as for the most part my search history seems a definitive list of things I’m interested in, though it’s much more subjective than that. I prefer startpage for search.

I don’t read ebooks, but they’d have them if I did; of course I use a few Google Groups; and so on. So, it’s a pretty exhaustive list. You do need to take care if you decide to download your Google information from google.com/takeout: it can get pretty big, pretty quickly if you’ve purchased books, films or music and make extensive use of Drive, since in addition to all the metadata, you’ll also get all the content.

Despite all this, I feel like Google have not crossed the trust boundary. They may be using and aggregating all this data to sell to advertisers, but it’s not at all clear how. It certainly isn’t obvious from the adverts. So for now, I trust Google to “Don’t be evil”.

Zuckerberg/Facebook called to UK Parliament

Of course, as a US Citizen, Zuckerberg can’t be compelled to attend. There can be serious consequences to not attending, though, which is why Rupert Murdoch and other News International executives attended when they were called.

Facebook has a lot of questions to answer

I teetered on the brink of deleting my facebook account last year. I removed the main app from my phone and a Windows tablet, and have never installed Messenger. When it came down to it, I balked at the final step. I did unlike pretty much all businesses and pages, as well as unfriending anyone not a real contact/friend.

The utility of facebook is still too great to remove myself completely, although frankly I’ve had better results contacting businesses through Twitter and getting things done. Given its reach, facebook still remains useful. Do, however, delete the apps: Facebook, Facebook Messenger, Instagram and Whatsapp.

If you want to delete your facebook account, it’s still relatively simple, and you have 14 days to recover it if you decide it was a mistake. Use this URL.

The Guardian published this over the weekend. It’s a long and important read that contains all the context and background detail on how Facebook was used to target people with advertising and to socially profile potentially millions of people in order to bias or persuade them to take a particular perspective.

Much of this data came through those terrible apps which ask you to confirm access to your facebook profile and your friends’ profiles. Even though you may never have used one of these apps, if your friends did, they likely gave away your data.

The New York Times is today reporting that Facebook’s Chief Information Security Officer is leaving the company, so this is obviously a big deal. Alex himself denies that, although with the share price drop already seen today, who knows the truth; the data misappropriation is still a big deal.

Charles Arthur has a daily email which goes out under the guise of The Overspill, from his blog of the same name. It’s well worth the subscription. Today’s included a link to Justin Hendrix’s blog for justsecurity.org on the Facebook data use, in which Justin poses seven key questions:

1. Why did Facebook take more than two years to inform the public of this massive breach?

2. Did the Trump campaign or Cambridge Analytica violate campaign finance laws?

3. Did Trump campaign or Cambridge Analytica employees lie to Congress, or to the British Parliament?

4. Did Facebook’s failure to disclose this breach to the public and notify its directly affected consumers break any laws?

5. Did any of the Facebook embeds in the Trump campaign know that stolen data was being used for targeting?

6. Did Facebook have evidence its own employees mishandled this situation? Was any disciplinary action taken?

7. Did other organizations or individuals exploit these apparent weaknesses, and are there other breaches we do not know about?

Irrespective of what you think about how the data was used, and the outcome, these questions need to be answered.

“Profiteering” in prescription drugs

The New York Times has an interesting piece on the price of drugs, of which Pharmacy Benefit Managers are only part of the story. Add to this the general secrecy over prices and pharmacy benefits, and the drug list (aka the formulary), which is their negotiated set of discounted drugs, brand or generic.

This has been my experience: even without insurance, it’s almost impossible to find out in advance how much specific drugs are going to cost; whether there are cheaper generics; and whether there is a better price.

Glass full, not half empty!
Drugs R-US

I took an alternative route and did a deal with the devil for my most expensive drug. Despite having supplied the drug manufacturer with more financial information than I did to get a mortgage, they still declined to help financially, unless and until I applied for AND was declined for Medicaid.

I most probably would be eligible for (full scope) Medicaid, since I’ve already surpassed the 5-years/40-quarters requirement. That said, I’m really not comfortable applying for any government assistance (despite assertions like this unofficial website) until I become a full US Citizen.

Faced with a circa $300 per month drug cost, I took an alternative route and was able to secure the best part of a year’s supply. To get to this point, though, I’d spent probably 50+ hours trying to find alternative prices and supplies.

Like many other things, this is another example of the disgraceful profiteering in the US Medical for-profit business.

On the remainder of my medical billing, I’m about to give up; the system has worn me down, and I just can’t waste any more time or energy on it. In my last communication, I laid out specifically, in detail, where the billing didn’t agree with what they’d told me the cost would be. Their answer:

Our financial aid has been applied and your balance is correct. If you have any other questions, feel free to contact our customer service team.

Which takes between 30 and 60 minutes per call, since you have to go through multiple layers of call center and no one has any real authority to change anything, which means they have to appeal to a “supervisor”, and they never return calls. It’s time to pay them all off before they go into collection and hurt my credit rating.

Prime Music?

I got to reading this review of the Amazon Prime Music offering that’s been included with Amazon Prime for a while. I’ve spent the last 5 days or so trying out the service, and have to say that overall I’m pretty disappointed.

I had always assumed, perhaps wrongly, that Prime Music was the feature that allowed me, in most cases, to buy a CD album and download the “Auto-rip” version, for less than buying the digital MP3 version alone. Otherwise that service makes no sense, except I’m sure there is some arcane music industry tracking/licensing reason.

It turns out that Amazon Prime Music is a pseudo streaming service, à la Spotify, Pandora etc. So I thought it worth trying. I’d already installed the Amazon Music app on my Windows Media Center (WMC) PC; that way any downloaded or auto-rip albums can go straight onto the NAS-based music server and be available to stream around the house.

Another big benefit of Prime Music is that it keeps track of what you buy, and allows you to add (Prime only) tracks and albums to your Amazon music collection, which you can stream mixed with your purchased music, or download and play offline. Want to listen for free to The Beatles – Abbey Road, offline, but don’t want to buy it? Amazon Prime Music lets you do that.

In summary, I would say it’s a great way to listen to very specific albums (provided they are available free). As I write, the 3x CD version of Oasis (What’s the Story) Morning Glory? is streaming in its entirety to the WMC, which in turn is streaming it around the house over wifi to players in each room.

They have a lot of back catalogue material, which is good, plus some timely new material. After the Superbowl on Sunday, we streamed the Justin Timberlake “Man of the Woods”. It’s also good for streaming commercial-free, top-50, original artist playlists, and curated playlists like this one, 50 Great Songs from the Last 10 Years, but on most other stuff I’d give it a C-.

I have not tried out Amazon Music Unlimited; Business Insider has a good overview of the 99c trial offer but doesn’t cover the content. What follows are my tweets from my journey around Prime Music, and especially the content.

I’ll be continuing the thread with other thoughts and discoveries. If you are a twitter user, you can follow along here.

In full transparency, I’ve never been a Spotify or Pandora customer. Given I have over 1,000 albums and CDs, and am still cataloging and converting about 2,000 vinyl albums to digital, I’ve never felt the need.

#TEDxBoulder2017

I got to attend my first TEDx Boulder yesterday. It was a good mix of motivational speakers, those talking about lessons they’ve learned from personal experience, and some professional development speakers, on the topic of CLIMATE and CHANGE. Overall an excellent way to spend an afternoon and early evening.

I’ve curated my tweets from the event into a Twitter Moment. If you have any questions, or feedback on the subjects, feel free to leave a comment or email the usual way.

You get what you want in Texas

The Austin American Statesman today published a frank review of the Texas rules on disclosure of chemical storage “Information scarce on chemical plant blasts — just like Texas wanted“. I wrote about this issue precisely back in “The Texas Freedom Illusion” and after the “West Disaster” report.

In essence, under the veil of “security”, Governor Abbott has effectively stopped individual Texans from finding out about these storage facilities. In the same way that you are much more likely to be shot by a gun-owning family member than by a jihadi, you are much more likely to be killed, poisoned, or otherwise harmed by a local company than by terrorists exploiting the freely available information.

This regulation was always problematic and is going to bite ordinary Texans until it is repealed. The idea that people have time to go around to each and every high-fenced industrial lot within a mile or so of their home and ask what chemicals they are storing is just nonsense, more so in large cities.