Posts

Facebook Privacy: New Data Use Policy Banks on User Laziness

facebook privacy 2Is there such a thing as Facebook privacy? You’ve might have heard that Facebook is proposing a new Data Use Policy and Statement of Rights and Responsibilities (formerly known as a privacy policy). No one refers to it as a Privacy Policy anymore, because there is absolutely no sign of privacy left. And if you read the email from Facebook alerting you to the changes, or even the summary of changes that they provide, you are left with no clear idea of the magnitude of those alterations (you’d have to read the actual suggested changes).

Facebook is masking privacy erosion with a deceptive executive summary. The latest changes make me very uncomfortable in three ways:

  1. It appears that Facebook has left open the option to collect and utilize your mobile phone number when you access Facebook from your mobile device. That is valuable information to advertisers who want to text, call or serve up ads to you directly.
  2. Facebook is already using, and will continue to use facial recognition software to identify photos that you are in (even if they aren’t your photos), and recommend that they be tagged with your identity. Now they are considering adding your profile photo as a benchmark for the facial recognition software. In other words, the minute any photo is put up with you in it, it can be tagged and exposed to the rest of the world. You can change your Timeline & Tagging Settings to stop non-consensual tagging.
  3. By default and unless you make somewhat complicated changes, your photos can be used in advertisements. Any photos you load to Facebook can be served up to your network in connection with items you have “Liked”, which means that your picture (or worse yet, your child’s) can show up next to the raunchy movie you just “Liked”.

As quoted in the British newspaper, The Register, Facebook is practically flaunting your addiction to their social network, knowing you will likely do nothing about it:

“You give us permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you… You understand that we may not always identify paid services and communications as such.”

Facebook is so confident that you won’t make the necessary changes to your privacy settings (let alone actually deleting your Facebook account), that they can arrogantly announce these changes without fear of reprisal. They are literally banking on your apathy.

There is good news! You have two clear options:

  1. You have 7 days to comment on Facebook’s new policies before they take effect. If there is a strong enough backlash against these erosive changes, they will rethink their position (maybe – or they might just outlast you until you’ve stopped paying attention). But the backlash won’t happen without your input.
  2. You can outright delete your Facebook account, but don’t do it until you have downloaded a copy of your data, posts, pictures and such. Even then, they reserve the right to use the data you already posted for a certain period of time.

In the coming days, I will post a video on how to do both of these items.

John Sileo is a keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.

 

 

Dropbox a Crystal Ball of Cloud Computing Pros & Cons

, ,

Dropbox is a brilliant cloud based service (i.e., your data stored on someone else’s server) that automatically backs up your files and simultaneously keep the most current version on all of your computing devices (Mac and Windows, laptops, workstations, servers, tablets and smartphones). It is highly efficient for giving you access to everything from everywhere while maintaining an off-site backup copy of every version of every document.

And like anything with that much power, there are risks. Using this type of syncing and backup service without understanding the risks and rewards is like driving a Ducati motorcycle without peering into the crystal ball of accidents that take the lives of bikers every year. If you are going to ride the machine, know your limits.

This week, Dropbox appears to have altered their user agreement (without any notice to its users), making it a FAR LESS SECURE SERVICE. Initially, their privacy policy stated:

… all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password. (Quoted from PCWorl)

Currently, the privacy policy says that Dropbox can access and view your encrypted data, and it might do so to share information with law enforcement. Why is that important? Because it means that the encryption keys that keep your files private are actually stored on Dropbox’s server, not on your own computer. This puts the keys to your data (and every other Dropbox user) in the hands not only of Dropbox employees and law enforcement, but vulnerable to hackers. When the encryption key is located on your computer, at least the risk is spread over Dropbox’s user’s network.

But there is an even bigger issue that this exposes about the world of cloud computing in general: anytime your data lives on a device that you don’t own, you lose a certain amount of control over what happens to it. Here is just a sampling of factors that can affect the privacy and confidentiality of your cloud-stored data:

  • The cloud service provider changes their Terms of Service (like Dropbox just did) to cover their legal bases, making your data less secure without your even being alerted. This happens almost every week with Facebook, which changes privacy terms constantly. When you log back into your account, you are automatically agreeing to the new Terms of Service (and probably not reading the tens of pages of legal jargon).
  • The provider is bought out by a new company (possibly one overseas) or has its assets liquidated (the most valuable assets are generally information), that has different standards for data security and sharing. You, by default, are now covered by those standards.
  • The security of your data is weak in the first place. Security costs money, and many smaller cloud providers haven’t invested enough in protecting that data, leaving the door wide open for savvy hackers. SalesForce.com might be well protected, but is the free backup service or contact manager that you use?
  • Your data exists in a more public domain than when it is stored on internal, private servers, meaning that it is subject to subpoena without your being notified! In other words, the government and law enforcement has access to it and you will never know they were snooping around. This isn’t a concern for most small businesses, but it is still a cautionary note.

So does this mean we should all shut down our Dropbox, Carbonite, iBackup accounts? No. Does this mean that corporations should not implement the highly scalable, dramatically efficient solutions provided by the cloud? No. It means that both individuals and businesses must educate themselves on the up and down sides of this shift in computing. They can  begin the process by realizing that:

  1. Not all data is created equal and that some types of sensitive data should never be placed in someone else’s control. This is exactly why there are data classification systems (I subscribe to those used by the military and spy agencies: Public, Internal, Confidential and Top Secret).
  2. Not all cloud providers are created equal and you must understand the privacy policy, terms of service and track record of each one individually (just like you would choose a car with a better crash-test rating for your family).
  3. Anything of immense power comes with costs, and those costs must be calculated into the relative ROI of the equation. In other words, the answer here, like most complex things in life, exists in the gray area, not in a black or white, one-size-fits all generalization.

John Sileo writes and speaks on Information Leadership, including identity theft prevention, data breach, social media risk and online reputation. His clients include the Department of Defense, Homeland Security, the Federal Reserve Bank, FDIC, FTC and hundreds of corporations of all sizes. Learn more about his motivational data security events.