Facebook – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues
Tue, 15 Mar 2016 22:20:28 +0000

Minimizing your digital trail
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/21/minimizing-your-digital-trail/
Sat, 21 Mar 2015 14:55:50 +0000

WASHINGTON — In popular culture, going “off the grid” is generally portrayed as either unsustainable or isolated: a protagonist angers some omniscient corporate or government agency and has to hole up in a remote cabin in the woods until he can clear his name, or an anti-government extremist sets up camp, also in the middle of nowhere, living off the land, utterly cut off from society at large.

But is there a way to live normally while also living less visibly on the grid? What steps can you take to reduce your digital footprint that don’t overly restrict your movements?

What is a digital footprint?

Your digital footprint is the data you leave behind when you use a digital service—browse the web, swipe a rewards card, post on social media. Your digital footprint is usually one of two classifications: active or passive.

Your active digital footprint is any information you willingly give out about yourself, from the posts you put up on Facebook to the location information you give to your local mass transit system when you swipe your transit pass.

By contrast, your passive digital footprint is information that’s being collected about you without your express knowledge or authorization, such as the “cookies” and “hits” saved when you visit a website. When you see personalized ads on Google, for example, those are tailored to you using personal preferences inferred from your passive digital footprint.

To assess my digital footprint, I looked through my wallet, my computer and my phone.

The footprint in your wallet

First, the wallet: I have several rewards cards, each representing a company that has a record of me in its database that shows how often I shop and what I buy, which is linked to my name, address, email and birthday—plus a security question in case I forget my password, usually my mother’s middle name.

While I would consider this information fairly benign—they don’t have my credit card information or my Social Security number—these companies can still make many inferences about me from my purchases. CVS, for example, could probably say fairly accurately if I’m sick based on my purchase of medications, whether I’m sexually active based on birth control purchases and any medical conditions I may have based on my prescription purchases.

If I wanted to minimize my digital footprint, I could terminate all my rewards accounts and refrain from opening any more. For me, though, it’s worth allowing these companies to collect my information in order to receive the deals, coupons and specials afforded me as a rewards member.

Next up is my transit pass, which is linked to my name, local address and debit card. The transit authority has a record of every time I swipe my way onto a city bus or train, a record of my movements linked to my name.

A minimal-footprint alternative to a transit pass is single-use fare cards. If purchased with cash, they would leave no record of my travels linked to my name. While this, like the rewards cards, is feasible, it’s far less convenient than the pass—so much less so that again I’m willing to compromise my privacy.

My debit card and insurance card are the two highest-value sources of personal information, but both are utterly necessary—living half a country away from my local credit union, I need my debit card to complete necessary transactions. My medical insurance card, relatively useless to identity thieves unless they have an ID with my name on it, does represent another large file in a database with my personal information—doctors’ visits, prescriptions and hospital stays for the past several years. People with just the physical card, not my license or information, can’t do much with that, but if a hacker gets to that information it could be very damaging.

No driver’s license? No credit card?

To minimize my digital footprint, then, I could pare down my wallet to just the absolute necessities—my insurance card, debit card and my license.

Computer footprint

If I’m guilty of leaving a large digital footprint, all my worst infractions probably happen across the Web.

Between Facebook, Twitter and Pinterest, I’ve broadcast my name, picture, email, hometown and general movements, if not my specific location, on each of those sites. Of the three, Facebook certainly has the most comprehensive picture of my life for the past seven years—where I’ve been, with whom, what I like and what I’m thinking.

If I wanted to take myself as far off the grid as feasible, simply deactivating the accounts wouldn’t work—Facebook keeps all your information there for you to pick up where you left off. You can permanently delete it with no option for recovery, but some information isn’t stored just on your account—messages exchanged with friends, for example, or any information shared with third-party apps.

If you keep using social networking sites, privacy policies change frequently, meaning that even if you choose the most restrictive privacy settings, you often have to go back and re-set them whenever the company changes its policy. Apps complicate things even further, farming out much of your information to third-party companies with different privacy policies.

Even if you’re vigilant about your privacy settings and eschew apps, your profile is only as private as your most public Facebook friend, said Paul Rosenzweig, a privacy and homeland security expert.

When shopping online, it’s important to check the privacy statements and security policies of the companies you’re using. If possible, purchase gift cards to the specific retailer or from credit card companies and use those to shop, so you don’t leave your credit card information vulnerable to breaches like that of Target.

I know that email is not my friend when it comes to online privacy, but I can’t operate without it. I use Gmail on Google Chrome for my email, so I installed Mymail-Crypt. It’s one of several “Pretty Good Privacy,” or PGP, encryption programs. Using it, my messages appear to be a jumbled bunch of letters until the recipient decrypts them using their private key. I can save my public key to a key server, like the aptly named Keyserver, where it’s searchable by my email or key ID. I can then link to it on my personal profiles such as Facebook or LinkedIn. People can then send an encrypted email to me using my public key that cannot be read without my private key to unlock it. I’ve also started encrypting my G-Chats using Off the Record chat.

Email can be used against you. Phishers have started to send more sophisticated emails imitating individuals or companies you trust in order to convince you to give up information like your Social Security number or credit card data. Drew Mitnick, a junior policy counselor at digital rights advocacy group Access Now, said you need to be vigilant no matter what you’re doing on the internet.

“Ensure that whoever you’re dealing with is asking for appropriate information within the scope of the service,” he said. In other words, Gap shouldn’t be asking for your Social Security number.

To limit cookies and other data collection during your Internet use, you can open incognito windows in Google Chrome. In incognito mode, the pages you view don’t stay in your browser or search histories or your cookie store—though your Internet service provider and the sites you visit still have a record of your browsing.

Finally, encrypt your hard drive. Privacy laws vary from state to state and country to country, so the best way to ensure that you’re protected no matter where you are is to encrypt your computer and be careful not to leave it where someone can mess with it, said Mitnick.

Phone footprint

Another source of vulnerability for many people is a smartphone. As long as you have a phone, you’re on the grid—phone companies can triangulate your position using cell phone towers and location services, and they log your calls. Beyond that, though, there are steps you can take to limit information people can access about you using your phone.

First, be judicious when installing apps. Carefully read the permissions an app requires for installation, and if you’re uncomfortable with them, don’t install it! Read privacy policies and terms of use so you know what data the app keeps on you.

Because I have a Windows phone, many of the basic apps (alarms, maps, Internet Explorer, music, and Microsoft Office) are Microsoft apps and use their terms of use and privacy policy, which is pretty good about not sharing my information with third parties. They also delete your account data after you delete their app, though it may take a few weeks.

I have several social apps, such as the aforementioned Facebook and Pinterest, for which the privacy settings are fairly similar to their desktop counterparts—not very private—with the added bonus of them now having access to my location and phone number. It’s entirely possible—and advisable, if you’re trying to leave a minimal footprint—to live without these apps, but I choose not to.

I’m selective about the apps I install on my phone. Aside from the apps that come with the phone and my social media apps, I only have Uber—and that has a lot of access to my phone. According to the app information, Uber can access my contacts, phone identity, location, maps, microphone, data services, phone dialer, speech and web browser. That’s a lot, and not all of it seems necessary—why does Uber need my contacts? Again, though, I chose to compromise my privacy on this one because the convenience, for me, outweighed the risk.

A precaution I’ve always taken is turning off my location service unless I need it. While my cell phone company can still track me, this prevents my apps from accessing my location. I don’t need Pinterest or Facebook to know where I am to get what I want out of the app, so I don’t provide that information to them.

One of the projects Access Now has been working on is “super cookies”—when you use your cell phone, the cell companies can attach unique identifiers to your browsing as you go across multiple sites. Many companies don’t even offer opt-outs. AT&T has now stopped using super cookies, but other companies still do so.

If you don’t already, use two-step verification whenever possible to ensure that no one but you is logging onto your accounts. This process, used by Gmail, has you enter your password and a one-time numerical code texted to a phone number you provide.

Set a passcode on your phone if you haven’t already, and make it something people couldn’t easily guess—don’t use your birthday, for example. I’ve started using random numbers and passwords generated for long-defunct accounts like my middle school computer login that I memorized years ago but that can’t be linked back to me.

Amie Stepanovich of Access Now suggested using four unrelated words strung together for online account passwords—they’re even harder to hack than the usual suggestions of capital and lowercase letters, symbols and numbers.

One final precaution you can take is to encrypt your device. Apple has already started encrypting its phones by default, and Google has promised to do so. Regardless, you can turn on encryption yourself. I have a Windows phone, which does not allow for easy encryption—in fact, I can’t encrypt my SD card at all. To encrypt my phone, I need to log in to Office 365 on my laptop and change my mobile device mailbox policies to require a password, encryption, and an automatic wipe after a number of passcode fails I choose. I then log into Office 365 on my phone to sync the new settings. It’s much more straightforward for an Android—just go to settings, security, and choose “Encrypt phone.”

Off the grid? Not even close

For me, and most people, it’s not feasible to live entirely off the grid. Between my debit card, various online accounts and smartphone, I pour my personal data into company and government databases every day. The trick is to live on the grid intelligently, only providing the information that is necessary and taking steps to protect your devices from unauthorized access.

The Privacy Game
http://nationalsecurityzone.medill.northwestern.edu/blog/2014/03/18/the-privacy-game/
Tue, 18 Mar 2014 19:53:33 +0000

In a hyper-connected world where people click through each other’s photos on Facebook, follow each other’s thoughts on Twitter and track each other’s careers on LinkedIn, personal information is everywhere. It was hardly surprising when Facebook founder Mark Zuckerberg said that privacy is no longer the social norm. Thanks to Zuckerberg, people voluntarily post their photos, relationship status, political views and sexual orientation on an easily accessible website. What may surprise you, though, is what else you reveal about yourself each day–and who’s collecting your personal information. Did you think about the privacy implications when buying coffee with your Starbucks Rewards card, posting your highest score on Angry Birds or logging into Netflix? How much do you reveal in a day? Play The Privacy Game to find out!

Created by Jessica Floum and Ellen Garrison

Privacy concerns arise over DHS’ monitoring of social media
http://nationalsecurityzone.medill.northwestern.edu/blog/2012/01/21/privacy-concerns-arise-department-homeland-security-monitoring-social-media/
Sat, 21 Jan 2012 16:07:34 +0000

WASHINGTON — Social media sites like Facebook and Twitter have a new audience: the Department of Homeland Security.

After a Freedom of Information Act request by the Electronic Privacy Information Center revealed that the government has hired a contractor to monitor social media for potential threats and public opinion, privacy advocates and government officials are butting heads over whether the program oversteps privacy boundaries.

The documents obtained by EPIC, which total nearly 300 pages, center around a Department of Homeland Security contract with General Dynamics to provide information on “potential threats” as well as “media reports that reflect adversely on DHS and response activities.”  The company will monitor content from social media websites such as Facebook, Twitter, YouTube and MySpace as well as comments posted on news websites such as Drudge Report, Newsweek and The New York Times blogs.

In an interview with The Washington Post, officials of EPIC highlighted their concerns about the program’s legality, saying it does not meet the DHS’s mission to “secure the nation.”

“This is entirely outside the bounds of the agency’s statutory duties, and it could have a substantial chilling effect on legitimate dissent and freedom of speech,” Ginger McCall, director of EPIC’s open government program, told The Washington Post.

The Republican chairman and top Democrat of the House Subcommittee on Counterterrorism and Intelligence — Reps. Patrick Meehan of Pennsylvania and Jackie Speier of California, respectively — submitted a letter to the DHS stating that they “believe it would be advantageous for DHS and the broader Intelligence Community to carefully parse the massive streams of data from various social media outlets to identify current or emerging threats to our homeland.”  The letter did, however, include the representatives’ privacy concerns, explaining that any actions must have oversight “stringent enough to protect the rights of our citizens.”

The documents requested by EPIC include a section titled “Privacy Compliance Review,” which outlines steps General Dynamics must take to protect individuals’ privacy.  The section’s newest revisions from January 2011 state that personally identifiable information can be collected only in explicit circumstances.  These include extreme situations involving “potential life or death circumstances,” government and private sector officials who make public statements, members of the media who “use traditional and/or social media in real time to keep their audiences informed,” anchors and on-scene reporters, and terrorists or “other persons known to have been involved in major crimes of Homeland Security interest who are killed or found dead.”

According to the memo, DHS will not collect personally identifiable information on those suspected or charged in crimes, private citizens in any capacity and high-profile people “such as celebrities, sports figures or media members who are victims” unless they served as public officials.

Online Privacy: Is it even possible in today's networked world?
http://nationalsecurityzone.medill.northwestern.edu/blog/2010/08/16/online-privacy-is-it-even-possible-in-todays-networked-world/
Mon, 16 Aug 2010 15:05:20 +0000

WASHINGTON–On July 4th, 1776, the founders of our country adopted the Declaration of Independence, and forever altered the course of history. But at the heart of that document is one line that stands out above all others: “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable rights, that among these are life, liberty and the pursuit of happiness.”

Life, liberty and the pursuit of happiness: three ideas, three unalienable rights that have come to define our country and our country’s mindset. But there’s another idea that is thought to be in line with those: privacy. The Fourth Amendment to the Constitution, part of the Bill of Rights, guards against unreasonable searches and seizures. But is privacy a right, or is it just assumed to be a right? In a modern world where Facebook and targeted ad campaigns based on internet surfing patterns reign supreme, can we even assume that our information is being kept private and safe?

In the wake of recent congressional hearings on online privacy, major players such as Facebook, Apple and Google were questioned on that very topic: Is their consumers’ information safe and private?

At the hearing, Facebook chief technology officer Bret Taylor assured Senate leaders that they “never sell data to third parties or advertisers” and that “in every aspect of a product’s design, privacy is an aspect of the discussion.”

However, one day after these hearings, multiple media outlets reported that a hacker had compiled information from 100 million Facebook users—including email addresses, individual websites, and phone numbers—and made all of this information available for download.

This flies in the face of exactly what Taylor said, that such information is private and not available to hackers. Facebook will counter with an argument centering on user privacy controls, but does the company believe that everyone who uses their product is aware of these controls?

In a recent E-Business and ForeSee Results customer satisfaction index report, Facebook scored in the lowest five percent of private sector companies.

“Our research shows that privacy concerns, frequent changes to the website, and commercialization and advertising adversely affect the consumer experience,” said Larry Freed, president and CEO of ForeSee Results, in a press release.

Google, meanwhile, has faced similar problems concerning privacy. More than two months ago, Google admitted it collected data on users of its Google Maps Street View program. And in a move that will surely raise some eyebrows, Examiner.com reported Monday that a German company recently sold GPS-controlled surveillance drone cameras to Google. The reported reason for the purchase is that the drones will be used with other mapping projects.

In a world of increasing surveillance and, by default, less privacy, is there a reasonable right to expect privacy?

According to the Wall Street Journal, in 2008, Microsoft had plans to unveil its Internet Explorer 8 with a “privacy by default” setting, as opposed to Facebook’s opt-in privacy mantra. But Microsoft’s plan was quickly scrapped in favor of a track-and-sell targeted ad program aimed at its users. The reported reasoning for such a change: “Executives who argued that giving automatic privacy to consumers would make it tougher for Microsoft to profit from selling online ads.”

So the question becomes: If the companies in charge of so much of our so-called “private” information have no incentive to protect what we do online, should we demand more control over our privacy?

Online privacy defined by the marketplace, not government
http://nationalsecurityzone.medill.northwestern.edu/blog/2010/05/06/online-privacy-defined-by-the-marketplace-not-government-3/
Thu, 06 May 2010 15:02:43 +0000

CHICAGO — If you visit a website, without logging into your Facebook account, and are welcomed by a Facebook-themed message citing your name and showing your profile picture, would you be excited or uncomfortable?

In late April, at the annual Facebook developer conference in San Francisco, chief executive officer Mark Zuckerberg announced a pilot program with Yelp, Microsoft Docs and Pandora to “personalize” user experiences using information from Facebook profiles.  All users are automatically opted-in to this setting.  The company also launched social plug-ins for all websites where users can log in using their Facebook usernames to see friends’ activity on that given website.

In response, some top Google engineers deactivated their accounts and Sen. Chuck Schumer (D-NY) requested the Federal Trade Commission to review the policies and mandate privacy protections.  Although several of the site’s members have complained in online forums, a majority of users remain unaware until they log on to a partner site.  Facebook did not respond to requests to discuss these new tools.

“It’s clear that Facebook has proven its willingness to change its privacy policy but it isn’t always as clear about what that means,” said Rebecca Jeschke of the Electronic Frontier Foundation, an advocate for enhanced online privacy.

Making Facebook ubiquitous across the Web has long been cited as the ultimate goal by the organization’s top executives, but the challenge is balancing this desire with privacy protections.  Its critical mass of users prevents people from deactivating accounts, mitigating the threat of a mass exodus, and perhaps tipping the scale towards less privacy.

“Facebook knows that there is a lot they can do before people are willing to walk away,” said Chris Hoofnagle, lecturer in residence at UC Berkeley School of Law.

In the 1990s the Clinton government decided to let marketplace competition drive the development of online privacy policies, assuming the best practice would rise to the top.  This policy also assumed consumers would educate themselves on each website’s privacy policy before deciding whether to stay or provide personal information.

Instead, consumers never paid attention – perhaps they assumed the government had mandated protections – leading to an absence of competition, and in some cases, a complete aversion to the notion itself.

“We’ve seen in recent years an insistence, mainly among technology companies, that young people don’t care about [privacy] anymore,” said Hoofnagle.

But a study released mid-April, co-authored by Hoofnagle, refutes these claims, showing that youth – regardless of their activity on social networking sites – value privacy as much as their elders.  And, interestingly, these youth behave online under an assumption of more privacy than actually exists.

In the survey, conducted jointly by UC Berkeley School of Law and the Annenberg School for Communication at University of Pennsylvania, individuals were asked to rate nine statements as true or false.  The statements were all true, and referenced the right of firms to sell and use consumer data without asking for explicit permission.  This came as a surprise to most youth surveyed, as 88 percent answered two or fewer correctly.

Protection of privacy has historically been associated with government and issues of surveillance, but private sector companies now hold so much personal data that questions arise about how much private information is available to other people and to advertisers.

“You don’t necessarily know what kind of sophisticated assessments people can make with the information you put out there,” said Jeschke of the Electronic Frontier Foundation, citing a popular study where MIT researchers identified an individual’s sexual orientation by piecing together disparate pieces of online data.  According to Jeschke, people need to complete a “gut check” on new tools and policies to ensure they are comfortable with how much personal information enters the public sphere.

The policy options going forward on advertising are unclear, Hoofnagle said.  The key point of contention will be between the advertising industry’s desire to collect all information on consumer behavior online – which sites are visited, in what order, for how long and which content is accessed – and giving consumers the right not to be tracked at all.

Today, consumers can opt out of tailored advertising through networks like the Network Advertising Initiative, but that does not mean you are no longer being tracked.  It only means that you will not be subjected to the advertisements.

“They want to be able to collect everything as a principle,” Hoofnagle said.  “The [personal privacy] control mantra is a bit loaded.  What if control means I don’t want to be tracked at all? I think they would say no.”

Social networking websites: the next cyber war zone?
http://nationalsecurityzone.medill.northwestern.edu/blog/2010/04/29/social-networking-websites-the-next-cyber-war-zone/
Thu, 29 Apr 2010 15:55:16 +0000

WASHINGTON — The Government Accountability Office reported April 12 that federal agencies remain vulnerable to cyber attacks and security breaches because they’ve failed to take the required steps to secure Internet connections and computer systems. Experts say a cyber attack could come from anywhere—an individual American or someone overseas, a terrorist group, or a country. But the number of ways a cyber attack could infiltrate American systems is growing—and the ever-expanding web of social networking sites could prove problematic for national cyber security.

Social networking technologies are creating potential new challenges for government transparency and security. As more agency employees use Twitter, Facebook and similar external sites, officials at all levels of government are reviewing their policies.

Elayne Starkey, chief security officer of Delaware and FOIA coordinator for the state’s Department of Technology and Information, said her organization is cracking down on the problem from the inside.

“Websites like Facebook are blocked from our computers,” Starkey said. “It’s too great a risk and who or what actually gets that information is still quite unknown.”

Starkey said there is a long list of precautions that need to be taken at all levels of government and the private sector to prevent a cyber attack. She said she is working with other groups and agencies in Delaware to raise awareness and educate others on the “very real” dangers that a cyber attack could cause.

“We do a lot of trainings to drill and simulate with other state and federal employees on their IT resources,” said Starkey. “Using the right technical tools is important to have the top level of security we need.”

Among the many things that can help thwart future cyber terror, Starkey said, would be new legislation. She said that the right legislation would take time, though. “There is a gap that needs to be filled—but the proper legislation with the proper partners would need a multi-year window.”

“As more people move into the Web 2.0 phase, they become more comfortable with the websites like Facebook and Twitter,” Starkey said. “There is a false sense of security people have once they enter their password. They feel comfortable that they do things they might not have done elsewhere.”

Targeted ads are drawing more clicks by naïve social media users, increasing the potential for scammers and hackers.  “People are much more likely to click some ad that is tailored to them, and then who knows what is behind that ad.”

Starkey said viruses from social networking sites could work in a similar way that an e-mail virus works, sometimes immediately attacking a user’s system, at other times lurking for months before any damage is noticeable.

“That’s why at our offices, those sites are pretty much blocked,” she said.

Patrick Wells, a participant in the U.S. Cyber Challenge, a competition to find individuals who could be future cyber security practitioners and researchers, said he thinks it is unlikely that social networks will become a target of cyber terror.

Wells said the information technology teams at the major social networking sites are more prepared than the government simply because they are individual sites, and as such only have to worry about hardening their own target.

“Government websites are more interconnected, yet with different security systems and levels which allow for overlooked loopholes,” said Wells. “Sites like Facebook, although they have a huge amount of traffic, are more secure.”

Wells said Facebook, for one example, was a victim of cyber attacks through its applications, add-ons that could contain games, quizzes or other attractions. Applications are made by outside groups, and in the past anyone could create one. Wells said that was the most common way a hacker could hack through the website. “Now, Facebook has a stronger identification process for those creating applications to prevent that.”

For legal and tracking purposes, there is currently no sound way to archive communication done on social networking sites, Starkey said. “The problem is that agencies don’t know how to archive the many forms of communications made on those popular websites.”

As citizens become increasingly accustomed to accessing more types of communication archives, Starkey says that social network archives will be a logical expectation.

Wells said that he doesn’t foresee social networking sites being a target of cyber terrorists, but more of a jumping off point. “Social networking sites are mainly used for information… as a tool to find an employee of a company, to get as much information about the person, and then hack into their system.”

Wells said the more security measures the better, but that social network users should be careful of every bit of information they list, not just inappropriate pictures.
