More specifically,
Timeline creates a chronological history of all of a user’s activity on
Facebook since he or she first joined the site—including wall posts,
photos, “likes,” and public messages. Those items can be quickly sorted
by month and year, thus expediting a user’s walk down memory lane. The
default setting for Timeline is to post all of your past interactions.
(The privacy settings for each posting mirror the settings that were in
place when that posting initially appeared.)
Timeline will be
mandatory, and applicable to all Facebook geographies. If you want to
remain a Facebook user, you must shift to Timeline soon. You can’t opt
out, although you will have a chance to edit your history. However, if
you are a frequent poster, such editing may be cumbersome and
time-consuming. Some users will face the task of looking through—and
possibly deleting—years of embarrassing postings. And, if you have
changed political persuasions, found a new religion, or been a “party
animal,” you may want to delete or alter numerous postings relating to
your former life.
Many commentators have
raised general privacy concerns about Timeline, pointing out that it
will unearth much of our old content and make it available to friends
and advertisers alike, in one fell swoop. But are there other more
specific risks, as well? Some privacy advocates and security experts
believe that Timeline may also heighten a consumer’s risk of identity
theft.
In this column, I will
discuss how Timeline may exacerbate existing risks relating to social
networking and identity theft. I will also discuss how users can take
steps to protect themselves, and what role, if any, government watchdogs
might play in preventing the potential misuse of our personal
information that Timeline may enable.
What Is Timeline?
Facebook bills Timeline
as “a new kind of profile that lets you highlight the photos, posts and
life events that help you tell your story.” Facebook also explains
that, with respect to Timeline, “You will be able to add a cover; edit
your basic info; jump to the past; view your activity log; see
highlights from each month; star stories you want to highlight; add life
events; update your status; view and add photos”—and the list goes on.
Many Facebook users have
threatened to leave the site over this new development, which will be
rolled out over the next several weeks, supposedly in February. When a
user receives Timeline, he or she will receive a notification update
from Facebook, appearing at the top of the user’s old profile, and then
will have seven days to preview—and alter—what’s contained in Timeline
before anyone else sees it. (You can also edit your Timeline later, as
well, but by then, others may have already seen its content.) A user
who does not want Timeline seemingly has no other option but to
permanently delete his or her Facebook account right away.
Why Timeline May Make Facebook Users More Susceptible to Identity Theft
Some experts have said
that because the new Facebook design gives users cues or incentives to
add even more personal information on their profiles, it may make people
more vulnerable to identity theft.
Formerly, Facebook asked
you to complete a basic profile and to supply certain basic facts about
your life, education, “likes,” and places of employment. Timeline,
however, is asking—via drop-down menus—more nuanced, detailed questions
about our daily lives and existence, such as where we travel, and what
is the state of our health and physical and mental wellbeing.
One new category is
“Map,” an extension of Facebook Places. When you click on “Map,” a big
map page opens up, allowing you to enter a place you have visited. The
Map program also highlights places you might tag in a photo, or places
you mention visiting in a post—such as the grocery store or beauty
salon.
And the Map feature can
include dates and times of your visits to places. This information
could be a treasure trove for a stalker, ex-lover, or thief. The
default when you place something on the map is “public”. You need to
edit individual red pushpins on your “Map” to make various locations
private, or viewable by a select few friends. Many people are wondering
how much information we should be providing online about our past,
present, or future locations. Do we really want to provide a visual
trail, complete with dates?
Timeline’s status bar
also has a new item, “Life Event.” If you click on “Life Event,” you
get a variety of options prompting you to enter all sorts of data—data
you may not have considered before these drop-down menus emerged. If a
Facebook user accesses such drop-down menus at a vulnerable moment—for
instance, after being recently divorced, when feeling suicidal, or
having lost a loved one—he or she may later regret sharing certain
personal information.
There is also the Health
and Wellness category—where we can provide information about our current
health. We know from studies that sharing information online and
joining online support groups can be beneficial. However, it has to be
done correctly and actively. And then there is the category for “Travel
and Experiences.” It’s one thing to say that you saw the Royal Wedding,
but quite another to mention the drunken bar fight you got into while
on vacation.
Of course, users always
need to use their own common sense and judgment. Yet Facebook’s
addition of these more personal categories encourages users to be more
confessional about their lives, and to create more robust profiles
regarding how they feel, and what they do, on a daily basis.
Facebook will also pair
the new Timeline profile with a new set of apps that will display users’
activity on other websites on their profiles and on their friends’
Timelines automatically. These are called “frictionless” apps—because
you won’t be notified each time your information is shared with friends,
or with certain businesses. If you use “Spotify,” for example, to let
people know you like a certain song, or are reading a certain article,
then those postings will be shared automatically—so that others can more
seamlessly know what you are doing and thinking at a given moment.
Will Timeline Lead to Identity Theft?
Up until this point, I’ve
discussed some problems that Facebook users might get into, based on
using Timeline. Mostly, these problems are based on the risk that
Timeline’s drop-down menus could elicit damaging and/or foolish user
oversharing. But such problems seem to be, at least in part, users’ own
fault. However, Timeline raises another risk that cannot so easily be
pinned on the user: the risk of identify theft.
Due to Timeline, all
Facebook users will have a lot more information available to their
friends than previously was the case. Moreover, many users will now
have more information that is available to businesses—especially because
businesses that supply apps to us often request or require permission
to access our user information.
We can, of course,
control or edit our Facebook information, and who has access to it, at
any stage. But keeping track of to whom, how, and when access has been
granted is time-consuming. Here, Facebook is likely banking on consumer
inertia to ensure that much of a user’s vital information can still be
procured, despite users’ ability to edit.
How can Timeline lead to
identity theft? By encouraging customers to “fill out” their Timeline
by providing personal information, such as date of birth. Facebook
captures such data in order to better target its advertisements to users
who may respond to them. However, that information, when combined with
some other kinds of information that people typically post—place of
study, hometown, type of job, employer, etc.—makes the task of
impersonating a Facebook user much easier. Not only is online identity
theft a risk, but so is offline identity theft—for instance, applying
for a store credit card in another person’s name.
It doesn’t take much for
an identity thief to gather a wealth of information from an unguarded
Facebook account. And even those who have their Facebook profiles
restricted sometimes have found themselves sharing more than they wanted
to, due to the way Facebook has allowed applications to bypass user
settings. In many cases, using a very basic application has meant
granting that application full access to a person’s entire Facebook
profile, as well as allowing the app to post user information elsewhere
and send the user emails. This may well become a bigger issue than it
has been in the past, with the advent of Timeline and its frictionless
apps.
A Disturbing Study Reveals How Facebook Increases Users’ Risk of Identity Theft
In 2009, the Internet
security firm Sophos conducted a study focused on Facebook and identity
theft. Sophos researchers created two fictitious users with names based
on anagrams of the words “false identity” and “stolen identity.”
Twenty-one-year-old “Daisy Felettin” was represented by a picture of a
toy rubber duck; 56-year-old “Dinette Stonily,” by a picture of two cats
lying on a rug. Each fictitious user sent out 100 friend requests to
randomly-chosen Facebook users in her own age group. Within two weeks, a
total of 95 strangers chose to befriend Daisy or Dinette—an even
higher response rate then when Sophos had first performed the same
experiment two years earlier, in 2007, with a picture of a plastic
frog.
Worse still, in the 2009
study, eight Facebook users befriended Dinette without even being
asked. And, 89% of the 20-somethings, and 57% of the 50-somethings who
befriended Daisy and Dinette also shared their full birthdate. Nearly
half of the 20-something crowd, and just under a third of the
50-something crowd, also shared personal details about their friends
and family with these complete strangers.
In one form of identity
theft, the thief creates a new, fake Facebook profile using photos of an
actual person—and then reaches out to that person’s friends or
acquaintances, seeking money urgently and claiming, for instance to have
been robbed while on vacation. By making more information about a
Facebook user accessible, Timeline may heighten the risk that this kind
of scam will succeed.
A New Twist on Identity Theft: “Like-Jacking” via Timeline
Already, Facebook is
warning users to beware of a new type of spam appearing on their
Timelines. Facebook and the Washington State attorney general are suing
a Delaware company based on the practice, which is called
“like-jacking.”
“Like-jacking” refers to a
practice of luring Facebook user to the popular “like” feature, and
then enticing them to click onto websites that can lead to identity and
credit card theft. According to Facebook, the fraud begins when you
notice an intriguing post on your Facebook page that a “friend”
supposedly “likes” and has shared with you. The post looks genuine, but
it’s a clever form of spam that leads you to online surveys or
products.
Just this month, the
Washington State Attorney General’s Office joined forces with Facebook
to sue Adscend Media, an online marketer. The company allegedly lures
Facebook users, via “like” messages, into giving up personal information
and ordering products that it has no intention of selling. Then, it
takes another step by sending similar “like” messages, supposedly from
the defrauded Facebook user, to all of his or her friends.
Does Timeline Violate Facebook’s Privacy Settlement with the Federal Trade Commission?
As noted above, Facebook
says that its upgrade to Timeline is mandatory. But some privacy
advocates claim that making Timeline mandatory violates the recent
Federal Trade Commission (FTC) Settlement Agreement requiring Facebook
to obtain a consumer’s “express affirmative consent” before materially
exceeding their privacy settings.
Facebook and the FTC
reached that settlement in November 2011, after the FTC charged that
Facebook had not followed its own privacy policies; shared its users’
personal information with advertisers; and changed its privacy policies
without obtaining its users’ prior consent.
The settlement required
Facebook to implement a comprehensive privacy program, including
external privacy audits, for the next 20 years. Facebook is also barred
from misrepresenting its privacy practices going forward. And both
Facebook and apps it hosts must offer the user the option to opt-in to
any actions that would override the user’s privacy settings. But as
noted above, the Timeline feature is mandatory; there is no opt-in
option.
The Electronic Privacy
Information Center (EPIC) says Facebook’s Timeline might violate the FTC
settlement. Thus, EPIC has sent a letter to the FTC requesting that
the agency investigate whether Timeline is legal. By exposing their
entire lives to Timeline, EPIC contends, Facebook users “become more
vulnerable to stalkers, government agents and potential employers.”
EPIC notes also that “with Timeline, Facebook has once again taken
control over the user’s data from the user and has now made information
that was essentially archived and inaccessible widely available without
the consent of the user.”
Facebook addresses the
charges by explaining that Facebook gives people seven days to review
their Timeline before it becomes public, and that the new “Activity Log”
feature helps users monitor what information they’re sharing.
EPIC’s letter also
specifically mentions the Timeline “Health and Wellness” category, which
suggests that users should update their profiles with life events
related to medical changes. Facebook has partnered with pharmaceutical
companies to market drugs and medical treatment to consumers, and EPIC
sees a clear—and worrisome– connection.
Facebook Users May Want to Invoke Self-Help When It Comes to Timeline
With Timeline coming, and
no opt-out in sight, what’s a Facebook user to do? Of course, users
can always permanently delete their profiles, but few may want to take
that drastic measure. Short of that, users should take the seven-day
window afforded to them to clean up their Timelines. Although that may
be tedious and time-consuming for frequent posters, it’s the best way to
ensure that your Timeline portrays you as you wish to be viewed.
In addition, Facebook
users should ensure that they know which apps are accessing their
personal information—and control which ones they permit to access their
new and more detailed Timeline profiles. A new website,
MyPermissions.com, makes it quicker and easies to screen the
applications you’ve given permission to access your information on eight
social media sites, including Facebook.
When you add an app to
one of your social media accounts—even just to play a game—it asks for
permission to access and monitor personal information related to your
account. You might use the app once and forget about it, but unless you
revoke your permission, it remains active. And applications that have
your permission to access your profile information can potentially put
that information at risk.
Finally, as we use
Timeline and the depth and volume of information that our Facebook
accounts contain expands, it may be time for us to reconsider how broad
our circle of online friends should be. With a greater risk of identity
theft, the more information we have online, we should arguably stop
calling people friends when in fact, they are really just acquaintances.
Anita
Ramasastry, a Justia columnist, is the D. Wayne and Anne Gittinger
Professor of Law at the University of Washington She writes on law and
technology, consumer and commercial law, and international law and
globalization.
No comments:
Post a Comment