Facebook has revolutionized the way people (end users) communicate with peers and close relatives, and these users share personal information with Facebook. The platform, in turn, uses this information to match them, through algorithms, with other users who share similar information. The primary focus of this paper is on the security implications of users sharing their personal information on Facebook. Additionally, we will examine the recent data security breach on Facebook involving Cambridge Analytica and its implications for Facebook and other data mining entities. The analysis will examine the loophole exploited by third-party apps to gain elevated access to user and sub-user data. We also want to establish whether Facebook has taken appropriate steps to safeguard user information by following the Federal Trade Commission guidelines on protecting user information.
Facebook (www.facebook.com) is the brainchild of then Harvard undergraduate Mark Zuckerberg; the social platform was founded in 2004 (Facebook, 2018). The platform was an integration of different sites primarily focused around colleges, and users who wished to create an account used their college uniform resource locator or URL (@college.edu) to register on the platform. Facebook presently boasts about 1.86 billion users, making it the biggest online social platform in the world. Users who create a profile on Facebook submit their data to Facebook after agreeing to its Acceptable Use Policy (AUP). The user information allows Facebook to match the user with other profiles based on the user's information. Additionally, such user data allows Facebook to update the user's news feed and suggestions so that they correlate with the user's profile data.
To keep the platform free and meet its debt obligations, Facebook uses user data to tailor advertisements to these users. What makes Facebook indispensable to other entities is its wealth of user data, which can be used to micro-target users according to their activities and information on the site. Per its website, Facebook collects user information, users' activities on and off the site, location, device location, hardware, software, connection information such as the name of the mobile operator or ISP, browser type, mobile phone number, IP address, etc. In 2007, Facebook opened its platform to third-party apps with the objectives of improving customer experience and increasing return on investment. Additionally, the introduction of third-party apps allows users to play games, take quizzes, shop, and use dating apps on Facebook.
However, to protect user information and comply with Section 5 of the Federal Trade Commission Act, called the "unfair or deceptive act" provision (ICLG, n. d), Facebook ensures users accept its terms of use policy before they can access its platform. The opening up of Facebook to third-party applications has increased the firm's return on investment. In the words of Facebook founder Mark Zuckerberg, "Until now, social networks have been closed platforms. Today, we're going to end that," (Pierson D., 2018). However, the opening up of Facebook to third-party applications introduced a new kind of security policy concern for Facebook. It raises the concern regarding the amount of data access and privilege these third-party applications have over user data. For a proper analysis of these security concerns, we will examine the firm's security policies that relate to how third parties access user data and the level of privilege an application has over it.
Facebook employs the Hypertext Preprocessor (PHP), a server-side scripting language, which it uses to format the services it renders on its platform. In its early days, Facebook stored its data on a central server; however, with the advancement of cloud technologies, the firm has migrated to cloud storage, storing its data at different data farms. The firm's massive data infrastructure must work seamlessly to ensure user satisfaction on its platform. “Before it started building its own server farms, Facebook managed its infrastructure by leasing “wholesale” data center space from third-party landlords” (datacenterknowledge.com, 2010).
Social networking applications/platforms: Social networking applications/platforms like Facebook allow users to share their information on the platform via the user's profile. Such information includes the user's pictures, contact information, lifestyle, activities, and interests. The advantage of Facebook over other social networking sites is its algorithm, which allows users to be matched with friends based on the information those users provide while registering on its platform.
Information stored on Facebook: Facebook collects and stores information about users. This information includes:
- Things users do on Facebook and information they share on its platform
- Information from friends on their activities and the information they provide
- Information about payments
- User device information
- Information from websites visited by users and
- Information from third-party applications and partners.
This information is used by Facebook to communicate with users, to show and measure advertisements and services on its platforms, and to promote safety and security.
How Facebook shares user information: Facebook shares non-personally identifiable information only with third parties; such third parties include advertising, measurement, and analytics services. The user information is also shared with vendors, service providers, and partners.
Statement of Rights and Responsibilities
The Statement of Rights and Responsibilities (SRR) is the terms of service between Facebook and those who interact with the Facebook platform. The purpose of the SRR is to inform users of how their data are being used by Facebook. The SRR informs users of their privacy rights, including the rights users have regarding the information they share on the platform. For instance, a subsection of the policy states that the user grants Facebook a "non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License)" (Facebook, n. d). The Statement of Rights and Responsibilities also informs users about their privileges on the platform: what content users can post and what information users can collect on Facebook. The terms of service also prohibit the use of automated means to mine user data. It states, "You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission" (Facebook, n. d).
Apps, websites and third-party integrations on or using our Services. When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share. For example, when you play a game with your Facebook friends or use the Facebook Comment or Share button on a website, the game developer or website may get information about your activities in the game or receive a comment or link that you share from their website on Facebook. In addition, when you download or use such third-party services, they can access your Public Profile, which includes your username or user ID, your age range and country/language, your list of friends, as well as any information that you share with them. Information collected by these apps, websites or integrated services is subject to their terms and policies (Facebook, 2016).
Analysis of Security Policies
The Facebook security policies show that the firm places more emphasis on securing its platform from malicious actors by using different countermeasures to mitigate risk to its information infrastructure. However, this research work is focused on its security policy and how it affects the end users. Information security policies can only be effective when there is management buy-in. In 2011, Facebook settled a case with the FTC for deceiving customers by claiming that users' private information on its platform would remain private. However, the firm allowed third-party applications from other users (friends list) to access that information. "Facebook promised users that it would not share their personal information with advertisers. It did" (ftc.gov, 2011).
In 2018, Facebook claimed that Cambridge Analytica had illegally harvested the data of fifty million of its users; however, it was later discovered that the data of eighty-seven million users had been compromised (Romano, A., 2018). The analysis of the breach shows that over a two-year period (2013 to 2015), Cambridge Analytica was able to harvest the profile information of eighty million users without informing the users that their data had been harvested. The data was then used to strategically target users based on their interests, personality, and other information on the user's profile. Additionally, the firm used this data to shape the recently concluded United States Presidential election.
Per reports in the news media, Cambridge Analytica was able to utilize a loophole in the Application Programming Interface (API) of Facebook (Romano, A., 2018). This loophole allows third-party applications to harvest the data of users of their application and that of those users' friends. To effectively analyze the security policy of Facebook, this research will be based on the completeness and thoroughness of its security policy and its compliance with recognized industry, government, and regulatory standards.
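The loophole described above, where one user's authorization of an application also exposes that user's friends, can be modelled as an access-control decision. The following Python sketch is an added example, not Facebook's code or API: the user names, the `quiz_app` identifier, and the function names are constructed for illustration, and it compares a policy where the installer's consent covers friends with one where each friend must consent.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    profile: dict
    friends: set = field(default_factory=set)
    consented_apps: set = field(default_factory=set)  # apps this user authorized

def readable_profiles(users, app_id, installer_id, friend_consent_required):
    """Profiles app_id can read through one installer's authorization."""
    installer = users[installer_id]
    if app_id not in installer.consented_apps:
        return {}  # no grant from this user, so nothing is readable
    readable = {installer_id: installer.profile}
    for friend_id in installer.friends:
        friend = users[friend_id]
        # Weak policy: the installer's consent also covers every friend.
        # Hardened policy: each friend must have authorized the app too.
        if friend_consent_required and app_id not in friend.consented_apps:
            continue
        readable[friend_id] = friend.profile
    return readable

def exposure(users, app_id, friend_consent_required):
    """Return (installers, users exposed without their own consent)."""
    installers = {uid for uid, u in users.items() if app_id in u.consented_apps}
    readable = set()
    for uid in installers:
        readable |= set(readable_profiles(users, app_id, uid, friend_consent_required))
    return len(installers), len(readable - installers)

# Constructed sample data: two users authorize a hypothetical "quiz_app".
USERS = {
    "alice": User({"interests": ["hiking"]}, {"bob", "carol", "dave"}, {"quiz_app"}),
    "eve":   User({"interests": ["chess"]}, {"dave", "frank"}, {"quiz_app"}),
    "bob":   User({"interests": ["films"]}, {"alice"}),
    "carol": User({"interests": ["music"]}, {"alice"}),
    "dave":  User({"interests": ["cars"]}, {"alice", "eve"}),
    "frank": User({"interests": ["golf"]}, {"eve"}),
}

if __name__ == "__main__":
    for required in (False, True):
        installers, unconsented = exposure(USERS, "quiz_app", required)
        print(f"friend consent required={required}: "
              f"{installers} installers, {unconsented} users exposed without consent")
```

In this constructed data set, two authorizations expose four users who never interacted with the application under the weak policy, and none under the per-user consent policy.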