Facebook knows a lot about you. Let us imagine some intelligence analyst for the Stasi laying awake one night in 1978, drifting into a dream about a hard case for which he lacked sufficient evidence to make a raid justifiable. ‘What if every photo he took I could get a copy of? What if I knew everybody she took a picture of?’ Instead, the KGB trained awoke to the usual nightmare: an office piled high with press clippings, bad leads, and dead ends.
Facebook, having GPS coordinates on photos it stores, a social graph that encompasses the globe, a (private) emotional inference model, and state-of-the-art facial recognition technology would give our restless agent an immaculate fantasy: an informer in everyone’s pocket.
Of course, we’re in 2018, and the amount of information that Facebook has been able to aggregate on behalf of its advertisers is absolutely staggering. How about credit reports? Check. Vehicle ownership history? Grocery store purchases? Data from thousands of companies that volunteered their private customer data to match up audiences- so your dentist, health insurer, pizza parlor, favorite blogs and everybody else…? You name it, Facebook has it.
I’m not of the mind that Facebook was conceived with nefarious intentions, and I will even go so far as to say that Facebook’s security failings are mostly beyond the scope of commercially reasonable security practices during the time they have been operating. Facebook doesn’t sell data to advertisers. They are not a list broker, they make their best efforts to anonymize everything.
Frankly Facebook gives data away to advertisers, in the form of their campaign planning tools and 3rd party view pixel support. Anybody buying ads on Facebook gets to stack on their own trackers for retargeting, audience measurement, and more. Retargeting pixels then give advertisers URL reports that show where their ads fire. That means if I buy facebook ads to target you and 19 fake people that have the same audience targeting as you, I suddenly get to watch which websites you browse via URL reports on my retargeting ad campaigns. That is a security flaw — a massive human exploit loophole.
Facebook elected to support 3rd party view pixels to win ad budgets from large agencies that wanted to audit their Facebook spend (rightfully so!). No product owner at Facebook intended to empower their advertisers to spy on their users web traffic. Each of those techniques have legitimate business purposes, and are usually happening at such a scale that the data would get lost in noise and aggregation. Usually. Facebook simply failed to spot holes in their logic. It happens when you get big and have to get bigger fast. It also happens when you ‘Move Fast and Break Things™’. It also happens when there are no consequences, or if they think they are too big for consequences to matter. As an outsider and somebody who has spent a few cycles around production software systems, my intuition tells me that they are failing at finding exploits that lived outside of the walls of their kingdom (i.e. data abuse via API), because they were primarily focused on all kinds of other abuse. Dealing with lots of humans is hard, treacherous work. I’m giving them the benefit of the doubt.
Except for one area: Facebook has entirely failed on having processes in place to screen Advertisers. They often have a terrible time knowing who is even running ads for whom, especially in the days prior to Facebook for Business, its account sharing and permission features. To register as an advertiser on Facebook, it required a Facebook account (any will do, no history or verification needed) and eventually a credit card.
Even without a working payment method, full an unfettered access to the largest repository of demographic information ever compiled is sitting right inside their planning interface. What to know how many people in the US are into ‘Kinky Boots’, ‘Very Conservative’ Politics, and have school aged children at home? Frankly it took me longer to think of a random thing to look up than to actually find the targeting data. PS — its around 8,900. With a little more effort I could bucket those people by age, gender, and geography. Until recently, there would be fine-grain detail about all audience members down to <20 users, which gave an insane amount of access to data, now its limited to 1000.
It would take me about 3 more minutes and $5 to kick off an ad campaign to reach that or any audience I chose. That ad would be screened for content, ensuring that I’m promoting a working link and that my ad follows Facebook ad policies (ie. doesn’t offend Facebook’s users or obviously break Federal laws) by an offshore team, then would go live. When I worked at a media buying agency, we did that for hundreds of clients, spending millions of dollars.
Never once did I have to prove I had a legal business entity (you have to do that to setup a Facebook page, so they have all of the tech and teams in place to handle that at scale.) Never once were our ads questioned for their content, the veracity of their offers, or what they intended to promote. I didn’t have to use my real name, my real email, or use a permanent payment method (sometimes we used prepaid cards to control spend). Facebook ad reps don’t meet you face to face, they don’t even reach out if you aren’t spending $5–10K/month. To my knowledge there is no control, no team stopping me from setting up hundreds of small accounts to target different audiences, or the very same ones.
This is in stark contrast to the process involved with getting setup to run background checks for pre-employment screening, which takes multiple forms of government ID, social security number, references and more.
Radio Shack knew more about me when I bought batteries than Facebook did when I spent $50K on a ‘behavior modification’ campaign for a PR firm.
Facebook has made access to its immense treasure trove of data and eyeballs available to anybody, everybody, and their creepy stalker on another continent. They have done so willfully, for encumbering their “Create an Ad” user flow would immediately and significantly impact revenue. They continue to do so, in gross negligence for anybody they have touched, including the millions of individuals that never registered with Facebook but made the unfortunate mistake of being in the address book of somebody that did.
The base principals that Facebook and the rest of the ad tech industry rely upon to make their data Safe For Work and no other purposes is privacy. They don’t hand out the names of the people they monetize to the buyers. Who cared if you’re in a group with 150K other people that might want to switch motorcycle insurance? No names, no blames.
My counterpoint is Poltergiest (I’m certainly dating myself now). Moving the headstones of personally identifiable information doesn’t change the fact that Facebook sells the highest bidder influence over real human bodies.
Look, I get it. I have worked in/on/for the internet for most of my increasingly long career. Its easy to think that you’re doing right when you see your systems working, your profits growing, and customers happy. Win Win Win Win Win Win… Consider this blogger’s enthusiasm for being able to reach out directly to members of his community in a targeted way, promoting a hair salon to some local zip codes:
Yesterday, a thorough study on the activities of the Internet Research Agency, the infamous Russian troll operation showed that their efforts specifically targeted African American voters with misinformation to try to discourage voter turnout.
Those two advertisers, a local salon and the IRA are the same in the eyes of Facebook: People who pay the bills. People who aren’t to be questioned.
Remember our comrade, the sleepless Stasi agent? 40 years have past, his dream has come true, and he is using it to this day to destroy his enemies abroad and consolidate power at home.
“Putin and his colleagues were reduced mainly to collecting press clippings, thus contributing to the mountains of useless information produced by the KGB.”