Facebook fallout follow-up: Can you trust BYOD?

We’re 10 days on from the Facebook/Cambridge Analytica revelations, but the story refuses to die.

Although Mark Zuckerberg and friends might have hoped it would go away, new angles keep cropping up. Now we hear of new government investigations, class-action lawsuits, concerns about what secret actions the mobile app is up to, and new ways to combat data-collection overreach.

Ultimately, it’s a question of trust—so what price BYOD? In this week’s Security Blogwatch, we lay out everything you need to know.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: You cannae change the laws of physics

State of Security Operations 2018: Go Inside World SOCs

BYOD back in the hotseat

What does Sara Salinas say? FTC launches probe of data scandal:

The Federal Trade Commission announced it is investigating the company's data practices in the wake of the Cambridge Analytica leak.

A violation of the [2011] consent decree could carry a penalty of $40,000 per violation.

If you read one writer, remember to read only Tony Romm [You’re fired—Ed.]

A panel of Senate lawmakers aims to grill the top executives of Facebook, Google and Twitter next month. … The Senate Judiciary Committee’s chairman, Republican Sen. Chuck Grassley (Iowa), … scheduled an April 10 hearing on the “future of data privacy and social media” — and the panel said it would explore potential new “rules of the road.”

[It] spells the first time that congressional lawmakers have expanded their scrutiny to include Zuckerberg’s peers, Google CEO Sundar Pichai and Twitter CEO Jack Dorsey. … A spokesman for Zuckerberg … said Facebook is still reviewing the request. A spokeswoman for Twitter declined comment. Spokespeople for Google did not immediately respond.

[It] could prove to be the toughest political territory for Facebook and its Silicon Valley peers. Lawmakers there have been seething … since last fall, when the panel grilled those tech giants’ lawyers about … Russian propaganda.

Lest we forget, the scandal has spread to our jolly Brexiting friends over the pond. But as Natasha Lomas reports, Zuckerberg refuses UK parliament summons over Fb data misuse:

So much for ‘We are accountable’; Facebook founder and CEO Mark Zuckerberg has declined a summons from a UK parliamentary committee that’s investigating how social media data is being used, and … misused — for political ad targeting.

Facebook’s policy staffer, Simon Milner, previously told the committee … Cambridge Analytica … did not have Facebook data. … In his letter to Zuckerberg, the chair of the committee … accuses Facebook officials of having “consistently understated” the risk of user data being taken without users’ consent.

Regardless of rising pressure around what is now a major public scandal … Zuckerberg has declined the committee’s summons. … A company spokesperson said it has offered its CTO or chief product officer.

But so what? Heed the thoughts of IGnatius T Foobar:

Why would Zuckerberg comply with anything other than armed officers escorting him out of the building?

Facebook is toxic. Facebook is a cancer on the Internet. Facebook brings out the worst in people. … The Internet needs to rid itself of Facebook.

To which Roger W Moore raises an eyebrow:

However, if you are going to do business in [other] countries and … potentially involved in a massive violation of their online privacy laws then expect to get summoned by their governments, if not their courts.

What did Paul Sawers see? Mozilla launches … add-on to isolate your web browsing activity from Facebook:

The Facebook Container add-on for Firefox promises to make it “much harder” for Facebook to track you when you’re not on its site. Mozilla has been working on the technology for several years already, accelerating its development in response to what it called a “growing demand.”

The add-on, which can be installed through the usual means in Firefox, essentially “isolates” your Facebook profile from the rest of your web browsing, meaning you can use Facebook as usual without experiencing the off-site tracking part.

But Opportunist sees a great opportunity for a better addon:

I think it's time for a "tracking cookie mix and match" addon. Every time you start your browser, you get a new tracking cookie from a pool … that originally belonged to someone else. After a couple minutes you return the cookie to the pool and get a new one from someone else, while yours goes to some other person.

What this eventually does is invalidate and thus poison the cookie data. Unless Google finds a way to voluntarily eliminate these cookies from their data mining, their whole data pool is useless. Which is basically all we want.

Either is fine by me.

It gets worse: Molly Olmstead reports Facebook Acknowledges It Has Been Keeping Records of Android Users’ Calls and Texts:

Last week, one user who downloaded his data to learn what Facebook knew about him in the aftermath of the Cambridge Analytica scandal found that the company had a record of the date, time, duration, and recipient of calls he had made from the past few years. [And] several others … found similar records.

In response, Facebook published a post [acknowledging] it was collecting and storing these logs, attributing it to an opt-in feature for those using Messenger or Facebook Lite on an Android device. [However] that opt-in was the default setting and users were not separately alerted to it. Nor did Facebook ever say publicly that it was collecting that information.

jrumney refuses to install any Facebook apps:

I got used to checking Facebook via the web page. … Then I noticed them trying to push me back to the app, first by taking Messaging away from the mobile web interface, and more recently by popping up messages about my friends posting time-limited stories that you need the app to view.

When they started that tactic, I took it as a sign that the app was doing something nefarious, so it just made me more determined to avoid it.

And worse: Jon Christian witnesses It’s possible that the Facebook app is listening to you:

Cambridge Analytica whistleblower Christopher Wylie breathed new life into longstanding rumors that the Facebook app listens to its users in order to target advertisements. [He speculated] Facebook and other smartphone apps are listening in for reasons other than speech recognition. Specifically, he said, they might be trying to ascertain what type of environment a user is in in order to “improve the contextual value of the advertising itself.”

Facebook has long denied [this]. But users have often reported mentioning a product that they’ve never expressed an interest in online — and then being inundated with online ads for it.

For example? For example, Eluan Costa Miranda:

I can confirm that I (and close people) have received targeted ads related to stuff we merely TALKED about, with the phones in our pockets.

On more than one occasion it was awfully obvious that Facebook listens. It's not every day that someone talks about wanting "red cookware" for her new house and a few minutes later I get spammed with ads for red cookware. This is ridiculous.

So, time to #DeleteFacebook? bheerssen wishes you good luck with that:

I wonder about the utility of deleting Facebook accounts. They aren’t going to delete the data they have on you; it’s their data, not yours, even if they want you to think otherwise. I simply stopped using Facebook except in extenuating circumstances. (Such as the recent loss of two friends. Since I still had my account, I was able to log in to find out about their memorials.)

Afterwards, I log out and delete cookies. The point is to block Facebook from continuing to gather and sell information about me. I don’t have to delete my account to do that.

Meanwhile, Jean-Louis Gassée opines Zuckerberg Thinks We’re Idiots:

Facebook’s disingenuous explanations call for more questions and even less trust. … Zuckerberg’s apologies have been well-rehearsed in their embarrassment and clumsy phrasing.

Yes, of course, our privacy is important to you; you made billions by surveilling and mining our private lives. One wonders how aware Zuckerberg is of the double entendre.

Zuckerberg thinks we’re idiots. How are we to believe Facebook didn’t know — and derived benefits — from the widespread abuse of user data?

A company’s culture emanates from the top and it starts early. … In 2004, [he] allegedly called Harvard people who entrusted him with their [data] “dumb ****s”. Should we charitably assume he was joking?


The moral of the story? Consider enforcing #DeleteFacebook on your users’ phones. And what about the other apps in there?

And Finally…

Inside an Antimatter Factory


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U.S. government (cc0)
