
AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don’t believe them

…and neither should you!

QUOTE

US cellphone networks have promised – again – that they will stop selling records of their subscribers’ whereabouts to anyone willing to cough up cash.

In a statement on Thursday, AT&T said: “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits,” adding: “We are immediately eliminating the remaining services and will be done in March.”

That same March deadline was referenced by T-Mobile US’s CEO John Legere who had promised last June to end the sale of subscribers’ private location data. Legere tweeted this week: “T-Mobile is completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised.”

While there is money to be made and no law preventing it, it is a virtual certainty that AT&T and others will figure out a way to profit from selling their customers’ private data. Last time around, FCC boss Ajit Pai refused to investigate the matter, and while there has been no response from Pai on the renewed calls for an investigation thanks to the partial US government shutdown, it is a virtual certainty that he will continue his pro-telco agenda and stay away from the issue.

Meanwhile, pressure grows in Congress to introduce a privacy law – an American version of Europe’s GDPR – especially in the light of abuses by Facebook and others. But that process is very far from certain given that many of the companies that benefit most from selling user data are also some of the most powerful and generous lobbyists in Washington DC.

Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

Just maybe, I am not saying for sure, but just maybe, the reason for such stupidity is that companies like Marriott are hiring too many newbies to save money and ignoring the more senior members of the IT community. Or maybe that there are no real hard financial penalties for breaches. Maybe both.

But the real story here is not only Marriott, but the continued onslaught from China. No surprise.

Quote

WASHINGTON — Marriott International said on Friday that the biggest hacking of personal information in history was not quite as big as first feared, but for the first time conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. Those passport numbers were lost in an attack that many outside experts believe was carried out by Chinese intelligence agencies.

What made the Starwood attack different was the presence of passport numbers, which could make it far easier for an intelligence service to track people who cross borders. That is particularly important in this case: In December, The New York Times reported that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.

Taken together, the attack appeared to be part of a broader effort by China’s Ministry of State Security to compile a huge database of Americans and others with sensitive government or industry positions — including where they worked, the names of their colleagues, foreign contacts and friends, and where they travel.

“Big data is the new wave for counterintelligence,” James A. Lewis, a cybersecurity expert who runs the technology policy program at the Center for Strategic and International Studies in Washington, said last month.

One top official of the Chinese Ministry of State Security was arrested in Belgium late last year and extradited to the United States on charges of playing a central role in the hacking of American defense-related firms, and others were identified in a Justice Department indictment in December. But those cases were unrelated to the Marriott attack, which the F.B.I. is still investigating.

China has denied any knowledge of the Marriott attack. In December, Geng Shuang, a spokesman for its Ministry of Foreign Affairs, said, “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”

Do make me laugh

The Marriott investigation has revealed a new vulnerability in hotel systems: What happens to passport data when a customer makes a reservation or checks into a hotel, usually abroad, and hands over a passport to the desk clerk. Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system. An additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read. It is unclear how many of those involved American passports, and how many come from other countries.

Yes you read that correctly. Morons asleep at the switch

Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system.

It was not immediately clear why some numbers were encrypted and others were not — other than that hotels in each country, and sometimes each property, had different protocols for handling the passport information. Intelligence experts note that American intelligence agencies often seek the passport numbers of foreigners they are tracking outside the United States, which may explain why the United States government has not insisted on stronger encryption of passport data worldwide.

Asked how Marriott was handling the information now that it has merged Starwood’s data into the Marriott reservations system — a merger that was just completed at the end of 2018 — Connie Kim, a company spokeswoman, said: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”


“We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”

 

Which means 1) they are still NOT encrypted and 2) they need to fire the person(s) managing the vendors and the vendors themselves (assuming vendors haven’t been screaming at Marriott to do something, which may indeed be plausible).

The State Department issued a statement last month telling passport holders not to panic, because the number alone would not enable someone to create a fake passport. Marriott has said it would pay for a new passport for anyone whose passport information, hacked from their systems, was found to be involved in a fraud. But that was something of a corporate sleight of hand, since it provided no coverage for guests who wanted a new passport simply because their data had been taken by foreign spies.

So far the company has ducked addressing that issue by saying it has no evidence about who the attackers were, and the United States has not formally accused China in the case. But private cyberintelligence groups that have looked at the breach have seen strong parallels with the other, Chinese-related attacks underway at the time. The company’s president and chief executive, Arne Sorenson, has not answered questions about the hacking in public, and Marriott said he was traveling and declined a request from The Times to talk about hacking.

The company also said that about 8.6 million credit and debit cards were “involved” in the incident, but those are all encrypted — and all but 354,000 cards had expired by September 2018, when the hacking, which went on for years, was discovered.

So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. But to cyberattack investigators, that is just another sign that the hacking was conducted by intelligence agencies, not criminals. The agencies would want to use the data for their own purposes — building databases and tracking government or industrial surveillance targets — rather than exploiting the data for economic profit.

Idiots. And the U.S. and State Governments are just as culpable. We need very strong laws that mandate extremely stiff penalties for breaches.

Depression in girls linked to higher use of social media

Is anyone surprised?
Quote

Research suggests link between social media use and depressive symptoms was stronger for girls compared with boys

Girls’ much-higher rate of depression than boys is closely linked to the greater time they spend on social media, and online bullying and poor sleep are the main culprits for their low mood, new research reveals.



As many as three-quarters of 14-year-old girls who suffer from depression also have low self-esteem, are unhappy with how they look and sleep for seven hours or less each night, the study found.

“Girls, it seems, are struggling with these aspects of their lives more than boys, in some cases considerably so,” said Prof Yvonne Kelly, from University College London, who led the team behind the findings.

The results prompted renewed concern about the rapidly accumulating evidence that many more girls and young women exhibit a range of mental health problems than boys and young men, and about the damage these can cause, including self-harm and suicidal thoughts.

The study is based on interviews with almost 11,000 14-year-olds who are taking part in the Millennium Cohort Study, a major research project into children’s lives.

It found that many girls spend far more time using social media than boys, and also that they are much more likely to display signs of depression linked to their interaction on platforms such as Instagram, WhatsApp and Facebook.

Google shifted $23bn to tax haven Bermuda in 2017, filing shows

“Do No Harm” …errh should be “behave like pigs”

Quote
Google’s owner, Alphabet, has seen an effective tax rate in the single digits on non-US profits for more than a decade.

Google moved €19.9bn ($22.7bn) through a Dutch shell company to Bermuda in 2017, as part of an arrangement that allows it to reduce its foreign tax bill, according to documents filed at the Dutch chamber of commerce.

The amount channelled through Google Netherlands Holdings BV was about €4bn more than in 2016, the documents, filed on 21 December, showed.

“We pay all of the taxes due and comply with the tax laws in every country we operate in around the world,” Google said in a statement.

“Google, like other multinational companies, pays the vast majority of its corporate income tax in its home country, and we have paid a global effective tax rate of 26% over the last 10 years.”

For more than a decade the arrangement has allowed Google’s owner, Alphabet, to enjoy an effective tax rate in the single digits on its non-US profits, about a quarter of the average tax rate in its overseas markets.

The subsidiary in the Netherlands is used to shift revenue from royalties earned outside the US to Google Ireland Holdings, an affiliate based in Bermuda, where companies pay no income tax.

The tax strategy, known as the “double Irish, Dutch sandwich”, is legal and allows Google to avoid triggering US income taxes or European withholding taxes on the funds, which represent the bulk of its overseas profits.

However, under pressure from the European Union and the United States, Ireland in 2014 decided to phase out the arrangement, ending Google’s tax advantages in 2020.

Google Netherlands Holdings BV paid €3.4m in taxes in the Netherlands in 2017, the documents showed, on a gross profit of €13.6m.

Asleep at the Switch

Quote

Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites

Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.

Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing that it had violated an earlier F.T.C. consent decree barring it from misleading users about how their information was shared.

But the enforcement official, James A. Kohm, took a different view. In a previously undisclosed memo in March, Mr. Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the F.T.C.


The Cambridge Analytica data leak set off a reckoning for Facebook and a far-reaching debate about the tech industry, which has collected more information about more people than almost any other in history. At the same time, the F.T.C., which is investigating Facebook, is under growing attack for what critics say is a systemic failure to police Silicon Valley’s giants and their enormous appetite for personal data.

Almost alone among industrialized nations, the United States has no basic consumer privacy law. The F.T.C. serves as the country’s de facto privacy regulator, relying on more limited rules against deceptive trade practices to investigate Google, Twitter and other tech firms accused of misleading people about how their information is used.

But many in Washington view the agency as a watchdog that too rarely bites. In more than 40 interviews, former and current F.T.C. officials, lawmakers, Capitol Hill staff members, and consumer advocates said that as evidence of abuses has piled up against tech companies, the F.T.C. has been too cautious. Now, as the Trump administration and Congress debate whether to expand the agency and its authority over privacy violations, the Facebook inquiry looms as a referendum on the F.T.C.’s future.

“They have been asleep at the switch,” said Senator Richard Blumenthal, the Connecticut Democrat and ranking member of the subcommittee charged with overseeing the agency. “It’s a lack of will even more than paucity of resources.”

Long Overdue: It is time for the US to develop strong data privacy along the lines of the EU GDPR (General Data Protection Regulation). It is also time for US “Netizens” to demand strong data privacy protection laws with extremely stiff penalties for non-compliance.

BOGUS SCIENCE: Facebook Takes On Tricky Public Health Role

Among the other 100s of reasons, it is time to stop using Facebook.

A police officer on the late shift in an Ohio town recently received an unusual call from Facebook.

Earlier that day, a local woman wrote a Facebook post saying she was walking home and intended to kill herself when she got there, according to a police report on the case. Facebook called to warn the Police Department about the suicide threat.

The officer who took the call quickly located the woman, but she denied having suicidal thoughts, the police report said. Even so, the officer believed she might harm herself and told the woman that she must go to a hospital — either voluntarily or in police custody. He ultimately drove her to a hospital for a mental health work-up, an evaluation prompted by Facebook’s intervention. (The New York Times withheld some details of the case for privacy reasons.)
….

Facebook has computer algorithms that scan the posts, comments and videos of users in the United States and other countries for indications of immediate suicide risk. When a post is flagged, by the technology or a concerned user, it moves to human reviewers at the company, who are empowered to call local law enforcement.

“In the last year, we’ve helped first responders quickly reach around 3,500 people globally who needed help,” Mr. Zuckerberg wrote in a November post about the efforts.

But other mental health experts said Facebook’s calls to the police could also cause harm — such as unintentionally precipitating suicide, compelling nonsuicidal people to undergo psychiatric evaluations, or prompting arrests or shootings.

And, they said, it is unclear whether the company’s approach is accurate, effective or safe. Facebook said that, for privacy reasons, it did not track the outcomes of its calls to the police. And it has not disclosed exactly how its reviewers decide whether to call emergency responders. Facebook, critics said, has assumed the authority of a public health agency while protecting its process as if it were a corporate secret.

Yes you read that right. “Facebook said that, for privacy reasons, it did not track the outcomes of its calls to the police.” B.S. — how about formal clinical trials like the rest of the medical world? Their algorithm should get FDA approval first at a minimum.

“It’s hard to know what Facebook is actually picking up on, what they are actually acting on, and are they giving the appropriate response to the appropriate risk,” said Dr. John Torous, director of the digital psychiatry division at Beth Israel Deaconess Medical Center in Boston. “It’s black box medicine.”


“In this climate in which trust in Facebook is really eroding, it concerns me that Facebook is just saying, ‘Trust us here,’” said Mr. Marks, a fellow at Yale Law School and New York University School of Law.

Right – Trust Facebook? Never. I submit the real reason that miscreant Zuckerberg is doing this is that it is now well known that a plausible link exists between increased social media use and depression and suicide. Just say no to Facebook.

2012 – Social Media and Suicide: A Public Health Perspective

2017 – The Risk Of Teen Depression And Suicide Is Linked To Smartphone Use

Our Cellphones Aren’t Safe

Great article by Cooper Quintin of the Electronic Frontier Foundation with one glaring omission. Even if the cell networks were 100% secure, the apps people install are an even larger source of malware and privacy leaks.

Quote

America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.

How did we get here, and why is our cellular infrastructure so insecure?

The international mobile communications system is built on top of several layers of technology, parts of which are more than 40 years old. Some of these old technologies are insecure, others have never had a proper audit and many simply haven’t received the attention needed to secure them properly. The protocols that form the underpinnings of the mobile system weren’t built with security in mind.

SS7, invented in 1975, is still the protocol that allows telephone networks all over the world to talk to one another. It was built on the assumption that anyone who can connect to the network is a trusted network operator. When it was created, there were only 10 companies using SS7. Today, there are hundreds of companies all over the world connected to SS7, making it far more likely that credentials to the system will be leaked or sold. Anyone who can connect to the SS7 network can use it to track your location or eavesdrop on your phone calls. A more recent alternative to SS7 called Diameter suffers from many of the same problems.

Another protocol, GSM, invented in 1991, allows your cellphone to communicate with a cell tower to make and receive calls and transmit data. The older generation of GSM, known as 2G, doesn’t verify that the tower that your phone connects to is authentic, making it easy for anyone to use a cell-site simulator and impersonate a cell tower to obtain your location or eavesdrop on your communications.

Larger carriers have already begun dismantling their 2G systems, which is a good start, since later generations of GSM such as 3G, 4G and 5G solve many of its problems. Yet our phones all still support 2G and most have no way to disable it, making them susceptible to attacks. What’s more, research has shown that 3G, 4G, and even 5G have vulnerabilities that may allow new generations of cell-site simulators to continue working.

Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to “be forthright with federal courts about the disruptive nature of cell-site simulators.” No response has ever been published.

The lack of action could be because it is a big task — there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

This needs to change. To start, companies need to stop supporting insecure technologies such as 2G, and government needs a mandate to buy devices solely from companies that have disabled 2G. Similarly, companies need to work with cybersecurity experts on a security standard for SS7. Government should buy services only from companies that can demonstrate that their networks meet this standard.

Finally, this problem can’t be solved by domestic regulation alone. The cellular communications system is international, and it will take an international effort to secure it.

We wouldn’t tolerate gaping potholes in our highways or sparking power lines. Securing our mobile infrastructure is just as imperative. Policymakers and industries around the world must work together to achieve this common goal.

Cooper Quintin is a senior staff technologist with the Electronic Frontier Foundation, where he investigates digital privacy and security threats to human-rights defenders, journalists and vulnerable populations.

Microsoft Issues Emergency Fix for IE Zero Day

Quote

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.

No one likes a lying a-hole like Zuckerberg and crew

Quote

Mark Zuckerberg did everything in his power to avoid Facebook becoming the next MySpace – but forgot one crucial detail…No one likes a lying asshole

Comment: Let’s get one thing straight right off the bat: Facebook, its CEO Mark Zuckerberg, and its COO Sheryl Sandberg, and its public relations people, and its engineers have lied. They have lied repeatedly. They have lied exhaustively. They have lied so much they’ve lost track of their lies, and then lied about them.

For some reason, in an era where the defining characteristic of the President of the United States is that he lies with impunity, it feels as though everyone has started policing the use of the word “lie” with uncommon zeal. But it is not some holy relic, it is a word, and it has a definition.

Lie (verb)
1 : to make an untrue statement with intent to deceive
2 : to create a false or misleading impression

By any measure, Facebook as an organization has knowingly, willingly, purposefully, and repeatedly lied. And two reports this week demonstrate that the depth of its lying was even worse than we previously imagined.

Before we dig into the lies, though, it’s worth asking the question: why? Why has the corporation got itself into this position, and why does it have to be dragged kicking and screaming, time and again, to confront what it already knows to be true?

And the answer to that is at the very heart of Facebook, it goes to the core of Mark Zuckerberg’s personality, and it defines the company’s corporate culture: it is insecure. And it has good reason to be.

The truth is that Facebook is nothing special. It is a website. A very big and clever website but a website that is completely reliant on its users to post their own content. Those users don’t need Facebook and they could, in a matter of seconds, decide to tap on a different app and post their thoughts and updates there, instead. If enough people make that decision, the company collapses. All 340 billion dollars of it.

Mark Zuckerberg knows that all too well, and as internal emails handed over to the British Parliament and then published make clear, the top tier of Facebook was highly focused on that question of existential dread: how do we avoid becoming the next MySpace, Geocities, Google Plus, or Friendster?

Novelty item

With thousands of people working underneath them, the world’s largest companies knocking at their door with blank checks for advertising, and the globe’s political leaders inviting them to meetings, Facebook tasted greatness, but couldn’t shake a huge question underneath it all: how does Facebook survive once the novelty wears off?

And the answer was the smart one: make yourself a part of the digital ecosystem. Yes, Facebook was completely reliant on its users, but everyone else wanted those users, too, and while it had them, the corporation needed to make sure it became enmeshed in as many other systems as possible.

It became a savvy businessman making sure that all his money and resources aren’t in one market: diversify, Mark! And that became the driving force behind every subsequent strategic decision while the rest of the company focused on making Facebook a really good product – making it easy to do more, post more, interact more.

And so, we had music service Spotify granted access to Facebook users’ private messages, once users had linked their Spotify and Facebook accounts. Why on Earth would Spotify want to read people’s private messages?

Easy: it is a huge, tasty dataset. You could find out what bands people are excited about, and send them notices of new albums or gigs. You could see what they think of rival services, or the cost of your service. People were encouraged to message their pals on Facebook through Spotify, letting them know what they were listening to. All in all, it was access to private thoughts: companies spend small fortunes paying specialist survey companies for these sorts of insights.

Likewise Netflix. It had access to the same data under a special program that Facebook ran with other monster internet companies and banks in which they were granted extraordinary privileges to millions of people’s personal data.

Facebook cut data deals with all sorts of companies based on this premise: give them what they want, and in return they would be hauled onto Zuckerberg’s internet reservation.

For example, Yahoo! got real-time feeds of posts by users’ friends – reminding us of Cambridge Analytica gathering information on millions of voters via a quiz app, and using it to target them in contentious political campaigns in the US and Europe.

Microsoft’s Bing was able to access the names of nearly all Facebook users’ friends without permission, and Amazon was able to get at friends’ names and contact details. Russian search engine Yandex had Facebook account IDs at its fingertips, though it claims it didn’t even know this information was available. Facebook at first told the New York Times Yandex wasn’t a partner, and then told US Congress it was.

Crossing the line

Plugging large companies into users’ profiles, and their friends’ profiles, became a running theme, and for the antisocial network, it all worked: the data flowed.

But then things took a darker turn. The users and privacy groups started asking questions. Facebook’s entire strategy started looking shaky as people decided they should have control over what is done with their private data. In Europe, a long debate led to solid legislation: everyone in the EU would soon have a legal right to control their information and, much worse, organizations that didn’t respect that could face massive fines.

Facebook started cutting shadier and shadier deals to protect its bottom line. Its policy people started developing language that carefully skirted around reality; and its lawyers began working on semantic workarounds so that the Silicon Valley titan could make what looked like firm and unequivocal statements on privacy and data control, but in fact allowed things to continue on exactly as they had. What was being shared was not always completely clear.

The line was crossed when Facebook got in bed with smartphone manufacturers: it secretly gave the device makers access to each phone user’s Facebook friends’ profiles, when the handheld was linked to its owner’s account, bypassing protections.

And you know how you can turn off “location history” in the Facebook app, and you can go into your iPhone’s settings and select “never” for the Facebook app when it comes to knowing your location? And you can refuse to use Facebook’s built-in workaround where you “check in” to places – at which point it will re-grant itself access to your location with a single tap?

Well, you can do all that, and still Facebook will know where you are and sell that information to others.

To which the natural question is: how? Well, we have what we believe to be the technical answer. But the real answer is: because it lies. Because that information is valuable to it. Because that information forms the basis of mutually reinforcing data-sharing agreements with all the companies that could one day kill Facebook by simply shrugging their shoulders.

That is how Sandberg and Zuckerberg are able to rationalize their lies: because they believe the future of the entire company is dependent on maintaining the careful fiction that users have control over their data when they don’t.

Meet Stan

Here’s a personal example of how these lies have played out. Until recently, your humble Reg vulture lived next door to a man called Stan. Stan had spent his whole life in Oakland, California. He was a proud black man in his 70s who lived alone. This reporter moved next door to him having spent his entire life up until that moment not in Oakland; a white man in his 30s. To say we had no social connections in common would be an understatement. The only crossover in friends, family, culture, and hangouts were the occasional conversations we had in the street with our neighbors.

He had good taste in music. And I know that in the same way I knew he had an expensive and powerful stereo system. But we didn’t even go to the same gigs because most of the music he played was from artists long since dead.

Despite all this, Facebook would persistently suggest that I knew Stan and should add him as a friend on Facebook. The same happened to my wife. I took this as a sign I needed to tighten up my privacy settings but even after making changes cutting Facebook off from my daily habits, it still recommended him as a friend. The only thing that finally stopped it? Deleting the Facebook app from my phone.

Sensing a story, and in my capacity as a tech reporter, I started asking Facebook questions about this extraordinary ability to know who I lived next to when it didn’t have access to my location. And the company responded, repeatedly, that it doesn’t. You have control over your data. You can choose what Facebook can see and do with that data. Facebook does not gather or sell data unless its users agree to it.

Except, of course, the opposite was true. It was a lie. And Facebook knew it. It had in fact gone to some lengths to make sure it knew where all its users were.

Precisely how it manages to say one thing and do the opposite is not yet clear but we are willing to bet it is a combination of two factors: one, its app stores and sends several data points that can be used to figure out location: your broadband IP address and/or Wi-Fi and Bluetooth network identifiers. It may be possible to figure out someone’s location from these data points: for example, your cable broadband IP address can often be narrowed down to a relatively precise location, such as a street or neighborhood, especially if you have a fixed IP address at home.

At this point, using Stan’s location from his IP address or from his phone app, Facebook could work out we live next to each other, or at least are near each other a lot, and thus might be friends.

Control is an illusion

With the news that Facebook signed dozens of data sharing agreements with large tech companies, it seems increasingly likely that Facebook was in fact not gathering my location data directly to figure out where I was, but was pulling in data from others, perhaps mixing in my home broadband IP address’s geolocation, and correlating it all to work out relationships and whereabouts.

We don’t yet know what precise methods Facebook uses to undercut its promises, but one thing is true – the company has made to this reporter, and many other reporters, users, lawmakers, federal agencies, and academics untrue statements with an intent to deceive. And it has created false or misleading impressions. It has lied. And it has done so deliberately. Over and over again.

And it is still lying today. Faced with evidence of its data-sharing agreements where – let’s not forget this – Facebook provided third parties access to people’s personal messages, and more importantly to their friends’ feeds, the company claims it broke no promises because it defined the outfits it signed agreements with as “service providers.” And so, according to Facebook, it didn’t break a pact it has with the US government’s trade watchdog, the FTC, not to share private data without permission, and likewise not to break agreements it has with its users.

Facebook also argues it had clearly communicated that it was granting apps access to people’s private messages, and that users had to link their Spotify, Netflix, Royal Bank of Canada, et al, accounts with their Facebook accounts to activate it. And while Facebook’s tie-ups with, say, Spotify and Netflix were well publicized, given this week’s outcry, arguably not every user was aware or made aware of what they were getting into. In any case, the “experimental” access to folks’ private conversations was discontinued nearly three years ago.

The social network claims it only ever shared with companies what people had agreed to share or chosen to make public, sidestepping a key issue: that people potentially had their profiles viewed, slurped, harvested, and exploited by their friends’ connected apps and websites.

As for the question of potential abuse of personal data handed to third parties, Facebook amazingly used the same line that it rolled out when it attempted to deflect the Cambridge Analytica scandal: that third parties were beholden to Facebook’s rules about using data. But, of course, Facebook doesn’t check or audit whether that is the case.

Sorry, again

And what is its self-reflective apology this time for granting such broad access to personal data to so many companies? It says that it is guilty of not keeping on top of old agreements, and the channels of private data to third parties stayed open much longer than they should have done after it had made privacy-enhancing changes.

We can’t prove it yet, and may never be able to unless more internal emails find their way out, but let’s be honest, we all know that this is another lie. Facebook didn’t touch those agreements because it didn’t want anyone to look at them. It chose to be willfully ignorant of the details of its most significant agreements with some of the world’s largest companies.

And it did so because it still believes it can ride this out, and that those agreements are going to be what keeps Facebook going as a corporation.

What Zuckerberg didn’t factor into his strategic masterstroke, however, was one critical detail: no one likes a liar. And when you lie repeatedly, to people’s faces, you go from liar to lying asshole. And lying asshole is enough to make people delete your app.

And when that app is deleted, the whole sorry house of cards will come tumbling down. And Facebook will become Friendster.

Call to Boycott All Businesses With Facebook Links

Well, at the moment, it seems, one would need to stop all commercial activities. But it needs to start somewhere. Look, before the Facebook scam, one could go to a website and not be inundated with Facebook analytics, prompts to use your Facebook login, links to “like us” and all the other gimmicks to get users to surrender their private information.

Perhaps it is time to start boycotting all businesses, charities, orgs, government entities, schools, etc. that insist on sporting and wiring their sites to enable the ilk that is Facebook. Speed kills. Facebook kills. Here are a few links about how Facebook has blood on their hands:

https://www.bbc.co.uk/news/resources/idt-sh/nigeria_fake_news

https://www.nytimes.com/2018/10/15/technology/myanmar-facebook-genocide.html

The list goes on….

Act now! Delete your Facebook Account and boycott those enterprises that continue to support Facebook.

Comments welcome.