Thursday, February 2, 2012

Facebook’s New Timeline Feature: Will It Increase Users’ Risk of Identity Theft?

Facebook bills its new Timeline feature as a virtual scrapbook—a chronology of your postings, photos, and activity that allows you to remember what you were doing way back when.  But others view this new feature as an intrusion upon users’ privacy.  Previously, old Facebook postings seemed to vanish; you had to work hard to find something you had posted years ago.  But now, Timeline will make it much easier for you or your “friends” to scroll through a new biography of your online life—a digital dossier and electronic archive of many of your best and worst memories and musings.

More specifically, Timeline creates a chronological history of all of a user’s activity on Facebook since he or she first joined the site—including wall posts, photos, “likes,” and public messages.  Those items can be quickly sorted by month and year, thus expediting a user’s walk down memory lane.  The default setting for Timeline is to post all of your past interactions.  (The privacy settings for each posting mirror the settings that were in place when that posting initially appeared.)
Timeline will be mandatory, and applicable to all Facebook geographies.  If you want to remain a Facebook user, you must shift to Timeline soon.  You can’t opt out, although you will have a chance to edit your history.  However, if you are a frequent poster, such editing may be cumbersome and time-consuming.  Some users will face the task of looking through—and possibly deleting—years of embarrassing postings.  And, if you have changed political persuasions, found a new religion, or been a “party animal,” you may want to delete or alter numerous postings relating to your former life.
Many commentators have raised general privacy concerns about Timeline, pointing out that it will unearth much of our old content and make it available to friends and advertisers alike, in one fell swoop.  But are there other more specific risks, as well? Some privacy advocates and security experts believe that Timeline may also heighten a consumer’s risk of identity theft.
In this column, I will discuss how Timeline may exacerbate existing risks relating to social networking and identity theft.  I will also discuss how users can take steps to protect themselves, and what role, if any, government watchdogs might play in preventing the potential misuse of our personal information that Timeline may enable.
What Is Timeline?
Facebook bills Timeline as “a new kind of profile that lets you highlight the photos, posts and life events that help you tell your story.”  Facebook also explains that, with respect to Timeline, “You will be able to add a cover; edit your basic info; jump to the past; view your activity log; see highlights from each month; star stories you want to highlight; add life events; update your status; view and add photos”—and the list goes on.
Many Facebook users  have threatened to leave the site over this new development, which will be rolled out over the next several weeks, supposedly in February.  When  a user receives Timeline, he or she will receive a notification update from Facebook, appearing at the top of the user’s old profile, and then will have seven days to preview—and alter—what’s contained in Timeline before anyone else sees it.  (You can also edit your Timeline later, as well, but by then, others may have already seen its content.)  A user who does not want Timeline seemingly has no other option but to permanently delete his or her Facebook account right away.
Why Timeline May Make Facebook Users More Susceptible to Identity Theft
Some experts have said that because the new Facebook design gives users cues or incentives to add even more personal information on their profiles, it may make people more vulnerable to identity theft.
Formerly, Facebook asked you to complete a basic profile and to supply certain basic facts about your life, education, “likes,” and places of employment.  Timeline, however, is asking—via drop-down menus—more nuanced, detailed questions about our daily lives and existence, such as where we travel, and what is the state of our health and physical and mental wellbeing.
One new category is “Map,” an extension of Facebook Places. When you click on “Map,” a big map page opens up, allowing you to enter a place you have visited.  The Map program also highlights places you might tag in a photo, or places you mention visiting in a post—such as the grocery store or beauty salon.
And the Map feature can include dates and times of your visits to places.  This information could be a treasure trove for a stalker, ex-lover, or thief.  The default when you place something on the map is “public”.  You need to edit individual red pushpins on your “Map” to make various locations private, or viewable by a select few friends. Many people are wondering how much information we should be providing online about our past, present, or future locations.  Do we really want to provide a visual trail, complete with dates?
Timeline’s status bar also has a new item, “Life Event.”  If you click on “Life Event,” you get a variety of options prompting you to enter all sorts of data—data you may not have considered before these drop-down menus emerged.  If a Facebook user  accesses such drop-down menus at a vulnerable moment—for instance, after being recently divorced, when feeling suicidal, or having lost a loved one—he or she may later regret sharing certain personal information.
There is also the Health and Wellness category—where we can provide information about our current health. We know from studies that sharing information online and joining online support groups can be beneficial.  However, it has to be done correctly and actively.  And then there is the category for “Travel and Experiences.” It’s one thing to say that you saw the Royal Wedding, but quite another to mention the drunken bar fight you got into while on vacation.
Of course, users always need to use their own common sense and judgment.  Yet Facebook’s addition of these more personal categories encourages users to be more confessional about their lives, and to create more robust profiles regarding how they feel, and what they do, on a daily basis.
Facebook will also pair the new Timeline profile with a new set of apps that will display users’ activity on other websites on their profiles and on their friends’ Timelines automatically.  These are called “frictionless” apps—because you won’t be notified each time your information is shared with friends, or with certain businesses.  If you use “Spotify,” for example, to let people know you like a certain song, or are reading a certain article, then those postings will be shared automatically—so that others can more seamlessly know what you are doing and thinking at a given moment.
Will Timeline Lead to Identity Theft? 
Up until this point, I’ve discussed some problems that Facebook users might get into, based on using Timeline.  Mostly, these problems are based on the risk that Timeline’s drop-down menus could elicit damaging and/or foolish user oversharing.  But such problems seem to be, at least in part, users’ own fault.  However, Timeline raises another risk that cannot so easily be pinned on the user: the risk of identify theft.
Due to Timeline, all Facebook users will have a lot more information available to their friends than previously was the case.  Moreover, many users will now have more information that is available to businesses—especially because businesses that supply apps to us often request or require permission to access our user information.
We can, of course, control or edit our Facebook information, and who has access to it, at any stage.  But keeping track of to whom, how, and when access has been granted is time-consuming.  Here, Facebook is likely banking on consumer inertia to ensure that much of a user’s vital information can still be procured, despite users’ ability to edit.
How can Timeline lead to identity theft?  By encouraging customers to “fill out” their Timeline by providing personal information, such as date of birth. Facebook captures such data in order to better target its advertisements to users who may respond to them.  However, that information, when combined with some other kinds of information that people typically post—place of study, hometown, type of job, employer, etc.—makes the task of impersonating a Facebook user much easier.  Not only is online identity theft a risk, but so is offline identity theft—for instance, applying for a store credit card in another person’s name.
It doesn’t take much for an identity thief to gather a wealth of information from an unguarded Facebook account.  And even those who have their Facebook profiles restricted sometimes have found themselves sharing more than they wanted to, due to the way Facebook has allowed applications to bypass user settings.  In many cases, using a very basic application has meant granting that application full access to a person’s entire  Facebook profile, as well as allowing the app to post user information elsewhere and send the user emails.  This may well become a bigger issue than it has been in the past, with the advent of Timeline and its frictionless apps.
A Disturbing Study Reveals How Facebook Increases Users’ Risk of Identity Theft
In 2009, the Internet security firm Sophos conducted a study focused on Facebook and identity theft.  Sophos researchers created two fictitious users with names based on anagrams of the words “false identity” and “stolen identity.”  Twenty-one-year-old “Daisy Felettin” was represented by a picture of a toy rubber duck; 56-year-old “Dinette Stonily,” by a picture of two cats lying on a rug.  Each fictitious user sent out 100 friend requests to randomly-chosen Facebook users in her own age group.  Within two weeks, a total of 95 strangers chose to befriend  Daisy or Dinette—an even higher response rate then when Sophos had first performed the same experiment two years earlier, in 2007, with a picture of a plastic frog. 
Worse still, in the 2009 study, eight Facebook users befriended Dinette without even being asked.  And, 89% of the 20-somethings, and 57% of the 50-somethings who befriended Daisy and Dinette also shared their full birthdate.  Nearly half of the 20-something crowd, and just under a third of the 50-something crowd, also shared personal  details about their friends and family with these complete strangers.
In one form of identity theft, the thief creates a new, fake Facebook profile using photos of an actual person—and then reaches out to that person’s friends or acquaintances, seeking money urgently and claiming, for instance to have been robbed while on vacation.  By making more information about a Facebook user accessible, Timeline may heighten the risk that this kind of scam will succeed.
A New Twist on Identity Theft: “Like-Jacking” via Timeline
Already, Facebook is warning users to beware of a new type of spam appearing on their Timelines.  Facebook and the Washington State attorney general are suing a Delaware company based on the practice, which is called “like-jacking.”
“Like-jacking” refers to a practice of luring Facebook user to the popular “like” feature, and then enticing them to click onto websites that can lead to identity and credit card theft.  According to Facebook, the fraud begins when you notice an intriguing post on your Facebook page that a “friend” supposedly “likes” and has shared with you.  The post looks genuine, but it’s a clever form of spam that leads you to online surveys or products.
Just this month, the Washington State Attorney General’s Office joined forces with Facebook to sue Adscend Media, an online marketer. The company allegedly lures Facebook users, via “like” messages, into giving up personal information and ordering products that it has no intention of selling.  Then, it takes another step by sending similar “like” messages, supposedly from the defrauded Facebook user, to all of his or her friends.
Does Timeline Violate Facebook’s Privacy Settlement with the Federal Trade Commission?
As noted above, Facebook says that its upgrade to Timeline is mandatory.  But some privacy advocates claim that making Timeline mandatory violates the recent Federal Trade Commission (FTC) Settlement Agreement requiring Facebook to obtain a consumer’s “express affirmative consent” before materially exceeding their privacy settings.
Facebook and the FTC reached that settlement in November 2011, after the FTC charged that Facebook had not followed its own privacy policies; shared its users’ personal information with advertisers; and changed its privacy policies without obtaining its users’ prior consent.
The settlement required Facebook to implement a comprehensive privacy program, including external privacy audits, for the next 20 years. Facebook is also barred from misrepresenting its privacy practices going forward.  And both Facebook and apps it hosts must offer the user the option to opt-in to any actions that would override the user’s privacy settings.  But as noted above, the Timeline feature is mandatory; there is no opt-in option.
The Electronic Privacy Information Center (EPIC) says Facebook’s Timeline might violate the FTC settlement.  Thus, EPIC has sent a letter to the FTC requesting that the agency investigate whether Timeline is legal.  By exposing their entire lives to Timeline, EPIC contends, Facebook users “become more vulnerable to stalkers, government agents and potential employers.”  EPIC notes also that “with Timeline, Facebook has once again taken control over the user’s data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user.”
Facebook addresses the charges by explaining that Facebook gives people seven days to review their Timeline before it becomes public, and that the new “Activity Log” feature helps users monitor what information they’re sharing.
EPIC’s letter also specifically mentions the Timeline “Health and Wellness” category, which suggests that users should update their profiles with life events related to medical changes.  Facebook has partnered with pharmaceutical companies to market drugs and medical treatment to consumers, and EPIC sees a clear—and worrisome– connection.
Facebook Users May Want to Invoke Self-Help When It Comes to Timeline
With Timeline coming, and no opt-out in sight, what’s a Facebook user to do?  Of course, users can always permanently delete their profiles, but few may want to take that drastic measure.  Short of that, users should take the seven-day window afforded to them to clean up their Timelines.  Although that may be tedious and time-consuming for frequent posters, it’s the best way to ensure that your Timeline portrays you as you wish to be viewed.
In addition, Facebook users should ensure that they know which apps are accessing their personal information—and control which ones they permit to access their new and more detailed Timeline profiles.  A new website, MyPermissions.com, makes it quicker and easies to screen the applications you’ve given permission to access your information on eight social media sites, including Facebook.
When you add an app to one of your social media accounts—even just to play a game—it asks for permission to access and monitor personal information related to your account. You might use the app once and forget about it, but unless you revoke your permission, it remains active.  And applications that have your permission to access your profile information can potentially put that information at risk.
Finally, as we use Timeline and the depth and volume of information that our Facebook accounts contain expands, it may be time for us to reconsider how broad our circle of online friends should be.  With a greater risk of identity theft, the more information we have online, we should arguably stop calling people friends when in fact, they are really just acquaintances.

Anita Ramasastry, a Justia columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington She writes on law and technology, consumer and commercial law, and international law and globalization.

No comments: