Social Media versus Data Privacy (& GDPR)

I was a late adopter, waiting until about 2007 before getting onto Facebook. Back in the 2000s I remember my brother calling Facebook a platform for narcissists. Just over 10 years and 2.3 billion narcissists later, he and I are both active participants.



I don’t think he was wrong! To a degree, of course. I think Facebook, to take a positive spin, provides an outlet for many people to express themselves without directly expressing themselves. Kind of like wearing a Nike t-shirt. Do I like sports, or do I like to look like I like sports? Hard to know, and you’d need a larger piece of the profile to figure it out, but the point remains: I’ve made a statement without having to say anything. Facebook allows people to ‘share’, ‘like’, or ‘emoji’ to provide indicators of their feelings without the risk of the direct criticism that direct messaging invites. In fact, don’t we find it a bit annoying sometimes when somebody breaches the unwritten rules and posts something blatantly opinionated… I mean come on people… allude to your feelings damn it, don’t state them directly, we are not capable of coping with that!

So why the analysis… there is a point, and that point is what has happened over the past few weeks with Facebook and their handling (mishandling) of your data.

Social Media Privacy

Is that a contradiction or an oxymoron? It feels like it at the moment with the current Cambridge Analytica fiasco and the recent, completely American, congressional hearing with Mark Zuckerberg, where a raft of generally out of touch old bastards asked the Facebook boss-man whether he’d be happy telling them what hotel he stayed at, and attempted to impress upon the world that the information Facebook gathers, and its rules for disseminating it, somehow equated to this. Most of the hearing was a grand-scale version of a bunch of parents scolding a child for letting a technology they don’t understand get out of hand. That isn’t actually too far from the truth. I feel for Zuckerberg, probably for the first time ever. For a company like Facebook, which is growing at an unprecedented rate and fending off all manner of cyber-security attacks, it must be humbling and humiliating to find out it was your own API (application programming interface, for the uninitiated) that allowed another company claiming to be doing research to hoover excessive data out of your system. Oops would be the understatement of the year.

I think I’ll start by summarising, with extreme brevity, what the breach of data actually was, how it happened and what Facebook appear to be doing about it.

Getting back to the scandal itself and the company we really should be blaming: Cambridge Analytica are a bunch of assholes. The breach itself was the product of a “researcher” using an app called mydigitallife to coerce Facebook users into taking a quiz about themselves. To do that the subject (the Facebook user) had to voluntarily grant the app permission to their account. This is like inviting the vampire in for a quick bite. I wrote a blog article in 2015 about a similar app, which created a tag cloud of your most used words, that at least 4 of my friends used. It was the same premise: you needed to give a 3rd party complete access to your account. Why would people do it? It’s just a case of not fully comprehending what we are doing to ourselves. Social media is progressing fast, and just as my smart friends made that mistake, Facebook, led by some of the smartest technical minds, also neglected to think thoroughly about how their own platform could be abused.


The guy who came clean, the pink-haired Canadian Christopher Wylie, is a pretty bright guy who, albeit a little late, has some moral fibre. What he did, regardless of how it was used, was special. He essentially worked out a bit of sexy AI to derive some interesting trends in behaviour from seemingly unrelated actions. He tapped into what I was saying Facebook is good at: letting the introverted narcissist in all of us provide indicators (like wearing a Nike t-shirt) of our real opinions without having to convey them directly. An example he gave was that people trending down the ‘I hate Israel’ path on Facebook also tended to like Nike shoes and KitKats. I think he made that one up, but I also like KitKats and Nikes so I hope the trend doesn’t work in reverse, as I’m off to sunny Israel for a conference soon!

What is fascinating (from an academic perspective, of course) is that his idea, in combination with some nifty big data processing, is what apparently shifted the tide on several key occasions like, allegedly, the Trump election and potentially Brexit, among others.

How though? Facebook allows you to target paid advertising, but what it doesn’t provide is the reverse of the above relationship. You can’t easily target people who hate BrandX, for example. You CAN target the people who “like” Nike. Deriving your real opinions from your indicators (likes and shares etc.) was brilliant. Again, it’s worth stating for the benefit of Nike that this is a made-up relationship. The more of those relationships you can draw, where targetable data can be associated with behaviour and opinion, the more you can start to make in-roads into people’s normally private Facebook bubble in ways not previously possible. Get it? Powerful stuff, especially when you use it for the wrong agenda.

Has anybody stopped using Facebook? Not that I’ve seen so far. While the stock of the tech behemoth has taken a hit, dropping initially 10%, it’s already bouncing back, largely due to Mark Z’s frank responses and essentially genuine presence in response to all the media fervor.

Facebook is stealing a lot of the limelight while we continue on with our business-as-usual social mediaing via Twitter, WhatsApp (Facebook), Messenger and Instagram. I’ll leave Snapchat out of that because that clever program was designed to delete everything after a certain amount of time. I like that idea.

So what about everything else?

Can I (you) limit what Google and Facebook know about me? YES! It’s a great big YES! You just need to know how.

Backing it up a bit, the first thing you can do is not leave yourself logged into Facebook and Google as you surf around the web. Have you ever noticed that Facebook and Google are happy to trust your computer and leave you logged in for a surprisingly long time without any further authentication? It’s so convenient! There is a reason it does that, and it’s a bit win-win. You don’t have the hassle of logging in, and any page with a Facebook widget or Google Analytics (which is many) gets to track your digital whereabouts, both in terms of your internet activity AND the location from which you’re searching.

If you’re curious about what Google knows about you, you can find out! There was a really good article in Wired magazine about digital identity and how to find out what Google knows. Here’s a quick link to find out the activity associated with your currently logged-in account. If there are things on there you don’t want the world (or just Google) to know… you can also delete your history.

Let’s talk about what your digital whereabouts actually are. This can be the URL, the email associated with the account and any other default details, but also the IP address of your visit and… well, let me break it down for you straight from Google’s own data privacy section…

Data Google Collects

Things that you search for
Email address and password
Date of birth
Telephone number
Websites that you visit
Videos that you watch
Ads that you click on or tap
Your location
Device information
IP address and cookie data
Emails that you send and receive on Gmail
Contacts that you add
Calendar events
Photos and videos that you upload
Docs, Sheets and Slides on Google Drive

I find “Your location” an interesting one. Naturally we are all now carrying a homing beacon with us by owning a smartphone. Ever get creeped out by how Google knows where you are when you’re on your laptop? Google tracks the router you’re on via its BSSID, which is kind of the tech address rather than the named address of your router, and associates it with a location. The BSSID is broadcast out so you can’t really hide it. All it takes is one mobile phone to use it and bang… Google knows forever where it is and will keep using that information. I have heard that, as part of Google mapping, those cars also acquire any BSSID details broadcast on WiFi from the local area, so you probably don’t even have to use your mobile for it to have a pretty accurate map.

What does the future hold for data privacy?

Facebook is getting its wrist slapped for something they obviously screwed up a few years ago, but the reality of the matter is, they have long since closed the API that released all the data to Cambridge Analytica, and clamped down on other aspects, which temporarily even broke Tinder… OH NO! It was a quiet night in with Tinder down. People read books, started hobbies, called their families and other unheard-of activities. And then it was back online so people could get on with the banging again.

But why are Facebook and actually many other technology companies tightening their data privacy sphincter?

THE EU (with Britain still)

The EU… yes, that oppressive regime that, like technology itself, has been holding Britain back for decades (sarcasm alarm) is implementing a new regulation called GDPR, or General Data Protection Regulation. I could do a whole long podcast about it (and I still might). Or you could watch this clever video comparing it to leaving your kids with a school.

Previously, we in the UK were covered by the Data Protection Act, which was established way back in 1995, before many of you were born and, in terms of the internet, very close to the big bang. The fact that it actually identified email as a form of personal data was pretty forward thinking for 1995. Now, just over 20 years later, data has expanded to essentially that epic list I mentioned that Google harvests about you, plus anything else which could be considered personal: medical records, like what your health app tracks; the eating habits and weight loss preferences MyFitnessPal vomited all over the internet recently; what your smart fridge is saying you need to pick up on the way home for dinner. It’s a pretty comprehensive list and that’s a good thing!


Of course the idea of “regulation” never tends to go down well. Nobody ever gets excited about new regulation. William Wallace did NOT say “they can take our lives but they’ll never take our REGULATIONS!!!!”

The word itself implies a removal of freedom but in this case it works in our favour. The freedoms which are being clamped down are those of the businesses which are collecting and processing our data.

The basic summary of GDPR is privacy by default. That pretty much says it. It means anyone asking for data needs to be clear about how it’s being used, it needs to assume you do not want your data used for anything else or by 3rd parties unless you’ve explicitly expressed it, AND it gives you the right to say, no more. You can have your digital existence deleted on request. If you think about that, it means a shedload of changes for just about every company you’ve ever signed up with or given any data to, even if it’s as simple as an email to get free WiFi access at the airport. It’s a revolutionary change that effectively and, better late than never, attempts to put a stop to companies who realised, cleverly, quite a long time ago that data = money. Think about Facebook and Twitter and WhatsApp and why they have value. There was a phrase I used on the Data Breaches podcast which was “if you’re being given something for free, then you’re the product”.

In the past, speaking certainly for myself at least, we’d become so acclimatised to handing over data and frankly just assumed it would be sold off somehow and there was nothing we could do about it. I got my broadband through BT a few years back and of course they gave me an email address which I never used. In order to make some account changes I checked it about 6 months into the subscription and I had SPAM email in the account! How??!!! The only people who knew that email address existed were BT and me, so clearly they gave me the email address and immediately sold it on as part of some marketing deal and, no doubt as part of some complex terms and conditions, I’d said that was OK. NO MORE! As part of GDPR, privacy has to be there by default and permission cannot be buried or hidden in complicated terms and conditions.

It’s probably clear that I’m a fan of GDPR. So much so I put together this FAQ on it…

Here are the answers to the most frequently asked questions about GDPR

Going forward it’s going to be better. But what else can we do right now?

DOWNLOAD ME

It is interesting that many of the major data controllers, the Googles and the Facebooks, are adding services to allow you control over your data. In the not too distant past Facebook added the ability for you to download all your data.
Check it out at

Just go to the top right corner of your Facebook and click on Settings near the bottom. You’ll see a not very well integrated link which says “Download a copy of your Facebook data”. It’s worth a go just to see what’s in there. Additionally, it’s also now quite easy to do things like turning off application access to Facebook. In fact, between writing the data breaches episode and this one, Facebook has already changed the way it treats applications such that they expire if they haven’t interacted with Facebook in a certain amount of time. I realise that sounds great, but that doesn’t stop an application sucking your data out regularly, as that will count as an active application. Nevertheless Facebook are cracking down. They have to. Did I mention what can happen if they don’t? Let me return to GDPR for a moment.

Even though the GDPR is really only applicable to EU citizens (of which technically I am not, even though I’ve been here for 19 years), it does apply to any company who offers services to and collects data from EU citizens. Facebook, for example, is clearly one of these. So, even if you’re not EU, if you share an application with EU citizens you benefit. Good news for all! Also, many countries are seeing the GDPR as a template for their own national privacy regulations, as it’s already so widely binding.

What happens if companies which control and process your data screw up and release it into the wild, either by accidental design or hacking (which can be the same thing sometimes)? Fines from the EU are 2-4% of annual global revenue OR 10-20,000,000 Euro, whichever is MORE! That’s a real number even to really big companies, so it’s no surprise they are all scrambling to have this ready and in place for May 25th, which is when it all becomes legal.

Getting back to what you can do for now.

I’ve seen some articles and how-tos claiming you should delete your cookies in the browser settings. I’m not entirely sure that’s necessary. Cookies can contribute to tracking you because some of the embedded ads on pages leave cookies which are intended to do just that: serve up ads based on browsing trends and form a profile of you. You would be better served installing Ad Block or a similar tool to just stop those ads appearing. I realise that I’m recommending a browser plugin, which can be dangerous, but Ad Block is pretty legit so I’m taking the risk. Ironically I searched around for other ad block options and found a site called tomsguide which had a list of ad blocking software just caked in dodgy ads. It was ironic. I tried it with and without Ad Block and it was much more tolerable so, there we go, a more pleasurable browsing experience and less ad-based tracking.
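Both the logged-in-widget tracking described earlier and the ad-cookie tracking above come down to the same mechanism: which cookies a browser attaches to a request that a third party’s widget, script or ad triggers from someone else’s page. This added example (not from the original post) models the SameSite cookie rules in Python and audits a constructed browsing log for cookies that still reach embedded third parties; the hosts, cookie names and URLs are made up, and the site matching is simplified.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str     # host the cookie was set for, e.g. "facebook.com"
    same_site: str  # "Strict", "Lax" or "None"

@dataclass(frozen=True)
class Request:
    page_url: str      # the page you are reading
    resource_url: str  # embedded widget/script/pixel, or the link you click
    top_level: bool    # True for a click/navigation, False for an embedded resource

def site_of(host):
    # Simplified registrable domain (last two labels); browsers use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def domain_matches(host, cookie_domain):
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookies_sent(jar, req):
    res_host = urlsplit(req.resource_url).hostname
    cross_site = site_of(urlsplit(req.page_url).hostname) != site_of(res_host)
    sent = []
    for c in jar:
        if not domain_matches(res_host, c.domain):
            continue
        # Strict never crosses sites; Lax only on top-level navigations; None always.
        if not cross_site or c.same_site == "None" or (c.same_site == "Lax" and req.top_level):
            sent.append(c.name)
    return sent

def audit(jar, log):
    # (third-party host, cookie names) for each embedded request that still carried a cookie
    leaks = []
    for req in log:
        res_host = urlsplit(req.resource_url).hostname
        if req.top_level or site_of(urlsplit(req.page_url).hostname) == site_of(res_host):
            continue
        names = cookies_sent(jar, req)
        if names:
            leaks.append((res_host, names))
    return leaks

# Constructed jar: a still-logged-in social session (SameSite=None), a Lax search session, a Strict bank session.
JAR = [Cookie("fb_session", "facebook.com", "None"),
       Cookie("search_session", "google.com", "Lax"),
       Cookie("bank_session", "bank.example.com", "Strict")]

# Constructed browsing log: a news article embedding a "like" widget and a Google-hosted script, then a click away.
LOG = [Request("https://news.example.org/story", "https://www.facebook.com/plugins/like.php", False),
       Request("https://news.example.org/story", "https://www.google.com/recaptcha/api.js", False),
       Request("https://news.example.org/story", "https://www.google.com/search?q=gdpr", True)]
```

Running `audit(JAR, LOG)` reports only the "like" widget, because the SameSite=None session cookie is the one that still rides along with an embedded third-party request; logging out (or a Lax/Strict cookie) removes it from the audit.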

We haven’t touched on the WhatsApp vs Messenger aspect of privacy, so quickly… WhatsApp is better. Everything you say on WhatsApp is sent encrypted and even Facebook (who own it) cannot read it or use it for advertising. Messenger, not so much. Although… you can start a “secret” conversation on Facebook Messenger by starting the chat but, before you write anything, clicking on the settings for the conversation and switching it to “secret”. Then you are all good. The problem is, it’s not on by default, so if you’re having a long conversation on Messenger about perennial fungus, expect that ads based on your discussion may start appearing.

All that said, what I’d really recommend is clicking, in the show notes, the link to the full blog article, where I’ve got a short collection of URLs at the bottom which can guide you to limiting what the big companies can do, even deleting prior history, and if you want, you can even use a web services application called “Deseat Me” to really wipe your digital identity and start fresh once these new regulations come into play.


Adblock Wiki Entry (NOW APRIL 2018) (COMING IN MAY 2018)

Privacy Preferences

GDPR Links
The video
Here are the answers to the most frequently asked questions about GDPR

Previous Blog about Social Engineering via Facebook way before all this stuff kicked off


*** This is a Security Bloggers Network syndicated blog from Codifyre authored by Stephen Giguere. Read the original post at: