1. Jang-Vijay Singh v 0.2 21 April 2017
This particular article is not against Facebook or the practice of sharing content on Facebook. On the
contrary, it assumes Facebook (and similar social media) is a “trusted party” in this context…
Who took our data?
Do we ever voluntarily give away our personal/family photo albums, dates of birth, names of close
relations and family members, contact lists, contact information and possibly many other personal
details to a random person or company?
What if it is a company (or individual) who we know nothing about, and whose personnel names or
addresses we cannot even obtain (let alone verify)? We might not even know which country they are
based in, where they store our information, how securely and what they will use it for?
Well, as users of the Internet, and especially as social media users, chances are that this is precisely
what we have been doing.
Here is an example – an app [1] that claims to guess anyone’s nationality by analysing their pictures – I
was tempted to click on it because a friend’s activity appeared in my newsfeed.
Other similar ones could include – “how smart are you”, “check your geography score”, “do you
have grammar OCD” – essentially “clickbaits” with catchy lines designed to tempt people into
clicking on them. Another category, somewhat less frequent now, is where the app, usually a game,
encourages its users to actively invite their friends to use it. Often the user interface is designed
so that the option to “skip” these invitations is, for all practical purposes, hidden away.
There is no way to tell how many of these apps are malicious [2] – at the very least, their goal is to
make the user go through a series of advertisement-heavy web pages answering questions on
geography, grammar or some other such thing. But what’s certain is that once you authorise these
applications with Facebook, if you stick to the default options, they simply harvest as much of your
information as they can (yes, the stuff we carefully mark as private, for a select audience and such).
Some friend tagged you in a photograph? Chances are the photograph might have ended up in a
BigData store in a computer far far away… In the screenshots below, I have no way of knowing if
the example apps I chose were indeed malicious [3].

[1] In this context, an app is an internet based application – usually integrated with major social media
platforms, ostensibly so you don’t have to create separate user accounts to use them. The real
underlying goal of many of the integrations appears to be to suck information out of your social
media account.

[2] Think of a random stranger you met on the street who wants a copy of the front of your driver’s
licence.

[3] Malicious could mean many things:
1) Clicking on them to visit their website could infect user computers (especially unprotected ones)
with viruses
2) Apart from data they receive from social media, they could extract more from your computer (if
unprotected)
3) They could be selling personal data to other third parties (for advertising or spam or other
reasons) who we might know nothing about
4) They could be holding personal data insecurely in a location with no privacy or data protection
requirements
5) Data (including location information from photographs, dates of birth, etc.) could expose
individuals to fraud and criminal activity
There are many possibilities here – the point is we don’t know – just because something is on a
website on the Internet and was shared on social media is not a reason to trust it; rather, it is
better to mistrust it until proven otherwise.
What has been going on?
To start with, have a quick look at what you have shared already.
Facebook navigation options as of this writing are:
From settings, click on “Apps” – chances are, those of us who have been active on social media for a
few years have authorised hundreds of such apps.
Now, many of these are well known companies [4], so you might consider it okay for them to have your
data (even if a bit more than you might normally want to give to them – say, what if one of these
apps is created by your employer? Or your bank? [5]).
The key concern here is random unknown or little-known apps that appear out of nowhere with
catchy “clickbait” headlines that suddenly go viral because all our friends are clicking on them and
authorising them. What exactly are they doing with your data (apart from trying to make money by
showing you advertisement loaded pages) and where are they keeping it?
If I click on one of the apps I can see what I have shared with them already. A lot of this
information is optional, and had you used the “edit this” option when authorising the app, Facebook
probably would only have shared the bare minimum information.
[4] Such as the BBC app – unless someone had the tough luck of authorising a spoofed BBC app, you
are able to identify who created that app, office addresses and phone numbers. If you required them
to remove all the data they hold about you, it is likely to take quite a while and some hassle, but
there is a high chance they would oblige on request.

[5] On a side note, it’s not too far-fetched (subject to legal/commercial/security considerations of
course) for your bank to “friend” you on Facebook, maybe offer support/advice and show you your
balance? Watch this space…
In theory, you do have some recourse – each app identifies you with a unique number as shown
below. Technically you should be able to contact the app developers and get your data removed on
request.
Is it feasible to do this for tens or hundreds of apps you might have already authorised? Possibly not
– no one has that much time on their hands.
Oh, and by the way, you think you are mostly safe because you never use these? Well, unless you
have carefully reviewed and disabled the “Apps others use” options beforehand, by default Facebook
seems to allow all this to be given away when your friends use some apps, which you most likely
know nothing about:
What to do about it?
For data that’s already shared, as pointed out above, it might be infeasible to track each individual
app developer and get them to remove your data (assuming you can contact them, assuming they
haven’t sold it on and assuming they mean well and will oblige).
Other than that:
- Definitely review the “Apps others use” option
- Use the “Remove app” option for those apps you don’t know and don’t need (see below)
- For those that you do need, allow the bare minimum data to be shared
- In future, avoid using apps you are not very confident about and carefully review what you
  share with them (when you authorise them for the first time)
Final disclaimer: I am not suggesting that any of the apps I used as examples in this article are in any
way malicious – all I am pointing to is that most social media users are unlikely to perform the due
diligence necessary to verify what they are sharing and with whom. Also, the underlying assumption
here is that Facebook itself (and other similar social media) is a trusted platform and will faithfully
allow or deny third party requests for information only depending on what the user explicitly or
implicitly allowed.
Chances are that if an app tried to suck out a lot more data than it needed (via crafty default
options), it might be up to no good.
On the other hand, this is what the BBC app used by default – only my public information and
nothing else:
Other notes
- Many countries (including the UK) require company websites to include their registered
  address and company details.
- UK/EU data protection laws may or may not apply to many or most of these sites – as we
  mostly can’t tell where they are located
- Many of them do not have complete or reliable whois records (e.g.
  https://who.is/whois/<<insert website name .com here>>)
Acknowledgements
Deepina Singh for an initial proofread