General security

5 social media site privacy issues you should worry about

Susan Morrow
January 31, 2018 by
Susan Morrow

I recently took my Amazon Alexa device to a friend’s home so they could see what I had been going on about for months. The friend and her husband, both millennials, instantly reacted almost with horror to the “creepy machine” and asked me to put it back in my car and “get it out of my house!” I did so, then I sat down and asked them about their use of Facebook.

Facebook and its social media cousins like Twitter have become an intrinsic part of billions of people's lives across the planet. In 2017, Facebook had just over 2 billion monthly active users (1). WhatsApp and Facebook Messenger have about 1 billion active users each and 37% of the global population is active on some social media platform or other (2).

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Social media rely on user bases giving it data. They deal in data, communicate using our data, analyze markets using that data, and build their business models on the back of all the data we provide to it. Data is the bread and butter of social media.

But these data are often our personal data—data that represents our digital self. Much of it is obviously personal, such as name, email address, and so on. But other data, like our likes, dislikes, online excursions, and geo-location is less obviously about us, but still gives social media platforms much highly useful information. And it isn’t useful just to social media business models; it is also useful to others, not just cybercriminals, but employers, insurance companies, and many others who can use our personal information to tailor their view of us and our supposed needs.

Social media platforms, because they are built upon our personal data, can impact our lives in more ways than checking out who likes a picture of our cat pulling a funny face. Some recent cases, such as Schrems vs. Facebook (3), exemplify the importance of taking the privacy aspects of social media seriously. Schrems alleged that Facebook was illegally transferring personal data from Europe to the NSA in the U.S.—this was around the time of the Snowden revelations. Under European data protection law, certain criteria must be met to allow personal data to be transferred outside of the EU. The case was convoluted and is still ongoing, but, ultimately, Schrems was attempting to address the transparency of data usage within Facebook. In another, more recent case, a Canadian citizen took Facebook to court for using her photo in their “sponsored stories” campaign without her consent. The campaign allowed marketers to use profile photos of users who had clicked the ‘like’ button for an advertising post (4).

Privacy and social media, it seems, may not be a match made in heaven. To this end, below are listed five of the top privacy concerns when using social media platforms.

Top 5 privacy concerns when using social media

  1. Where’s your head at—privacy settings

One of the most fundamental places where users are caught out is in the privacy settings within a platform. Being unaware of what you can achieve with the privacy settings is an issue in its own right. Because of legal challenges, Facebook and other social sites have tightened up their act and improved privacy options. It is, however, still important to understand what is achievable using the platform's privacy settings and where they extend to or not. Check out this privacy check-up tool from Facebook, for example:

  1. Are you open to offers? Information-sharing gotchas
  2. There was a recent furor about so-called “closed groups” on Facebook. Special groups are available for addicts and those with health issues. They are often used by users to air issues and posts can often contain highly sensitive information, as users expect them to be anonymized. However, a recent Sky News investigation found that these groups are easily searchable and membership lists readily available (5). Keep a watch on the type of information you share on a site, even within the social community you set up, as potential employers and insurance companies could use them to find out personal information. You could also find that this could lead to identity theft.

    1. Location, location, location
    2. We recently witnessed the disclosure that Android users had been unwittingly revealing their location to Google, even when they specifically had location services disabled. Location may seem like an almost innocuous piece of data and not personal, but the reality is that it can be used to build up a picture of your everyday movements. Location data can be coupled with other data and aggregated to create a very specific picture of an individual's life and habits. If a malicious individual were to get hold of such data, they could take stalking to a whole new level.

      1. A sale too far—privacy, AI, and the ad
      2. Going back to Number 3 above, aggregated data, including location data, such as what shopping mall you happen to be in, is prime data for marketers. It can be used alongside your demographic information to push products to you. That is irritating, but perhaps more annoying is the use of artificial intelligence by the marketing industry on data from social platforms that can make this intrusive. AI, social media, and marketing are the perfect combination. Marketing works best when it is personalized and AI tools are offering marketers a way to do this. For example, AI could inform that a user always uses Twitter on days X and Y at times A and B, it could then translate a combination of their demographic data, personal information, location, and social media usage to created highly focused ads. The lines between privacy, intrusiveness, and relevance are becoming somewhat blurred.

        1. The privacy tree
        2. Inherited privacy settings through sharing with friends, of friends, is something we all need to be cognizant of. The privacy tree is convoluted and often obfuscated. It may well be that, by allowing a friend to see something you have posted, they then have the ability to share that with their circle, and so on. You may think you have your privacy tied down, but the privacy tree can have many branches.

          And finally, an extra one...

          1. Digital death
          2. A friend of mine recently died. He was a software developer and had many online accounts. When he died, his wife had to try and deactivate or delete a number of accounts. It was an upsetting time and it was hard for her to have to go through the many hoops that these platforms put in place to prevent malicious closure. However, in adding this “security,” they inadvertently add emotional distress to the loved ones of the deceased. Recently, I had a contact request from that deceased friend as his account, because it could not be closed by his wife, had been left dormant for a year; his account had been hijacked. The privacy of an individual is not just about that person alone, it also can impact extended family and friends. This can even extend to companies they previously worked for and sensitive data could be compromised even after they die. New identity systems are starting to look at the whole area of digital death and our online lives by using inherent mechanisms such as account delegation and digital notarization.

            This piece is dedicated to my good friend Paul who worked as a security software developer for 20 years, building great security products.

            What should you learn next?

            What should you learn next?

            From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


            Susan Morrow
            Susan Morrow

            Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

            Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.