There was a bit of a fuss earlier this month when personal data turned up on the dark web for more than 500 million Facebook users, including name, phone number, gender, marital status, city/country, and occupation.
The response was pretty muted. Security experts could barely muster the energy to look shocked. An internal Facebook memo was accidentally leaked that didn’t quite shrug but said, yup, that happened, things like that will likely happen again, oh well, best thing is for people to get used to it – “normalize” the issue, in the words of the memo.
I hate to say it but that’s basically correct. You can dream of privacy but you shouldn’t be surprised to discover that a lot of people know everything about you.
The details of the Facebook leak will help you understand why your expectations for privacy should be low.
The leaked Facebook data turned up this month on the dark web for free, available to download by bored hackers and spammers, but it’s not new information. The database has been kicking around online since 2019; the only difference is that it was being sold on the dark web until somebody uploaded a copy this month for everyone to share.
The information was scraped from Facebook by automated tools that leveraged a feature for matching users with people they may know. In other words, Facebook was not hacked. This was not a case where bad guys did something clever with ninja hacking skills. When you sign up with Facebook, you give consent for them to share this kind of data with almost anyone. Consent meaning, it’s in the terms of service you couldn’t understand even if you read them, which you won’t. People with many motives – some of them evil but some just mercenary – scraped that data and assembled it into big databases. Facebook’s terms of service say that such behavior is strictly forbidden. I’m sure the people who scraped the data feel terrible about that.
In the last year or so, Facebook has made it more difficult to obtain that information with automated tools. But the information is still out there and it’s not considered to be “private.” You filled in the forms and told Facebook to find your friends. This is an unfortunate side effect of that process.
It’s so normal that there was barely any notice when similar data from 500 million LinkedIn profiles turned up on the dark web two weeks ago. The LinkedIn database is being sold, but two million records are available for free as samples.
Loyal readers will recall that I wrote too many words a couple of years ago about privacy and data collection. It’s a great series. You should read it. If you already read it, you should review it so you have a head start for the final exam. Spoiler alert: the conclusion is that we are doomed to be tracked continuously. Big tech companies know far more about us than any company has known about individuals in history.
Your personal information is compiled into profiles from a variety of sources, many of them public:
“An information broker or data broker collects information about individuals from public records and private sources including census and change of address records, motor vehicle and driving records, user-contributed material to social networking sites, media and court reports, voter registration lists, consumer purchase histories, most-wanted lists and terrorist watch lists, bank card transaction records, health care authorities, and web browsing histories.”
The “legitimate” data brokers have been refining their databases for years with more powerful tools and a constant inflow of new data.
The bad guys on the dark web are doing the same thing. Their sources of information are more disorganized and include data from hacks of large companies. But they are also constantly improving the quality of the data, making it more likely that all your information is together in a single profile and up to date.
New York Times columnist Ron Lieber wrote a column yesterday about how bad guys used personal data to file a fake unemployment claim in his wife’s name. Lieber had security freezes on the credit reports for himself and his wife. That should have kept the bad guys from getting his wife’s driver’s license number, the last bit of information they needed to file the phony claim.
It turns out that for nearly a year, scammers have been exploiting a hole on some car insurers’ websites to get driver’s license info to add to your profile. One example was reported a week ago – Geico was forced to reveal that driver’s license numbers were being harvested from its website for several months.
With the driver’s license number and some of the other readily available basic information (name, address), the bad guys filed the fake claim with everything set up to steal the government checks.
And so it goes. You should assume that your personal information is widely known. Between the unrelenting efforts of the data brokerage industry and the widespread distribution of personal data on the dark web, almost anyone can find out about you.
Oh, and you’re not very valuable. The price of a full set of personal data for a US consumer has dropped to about $8. The LinkedIn profile data on 500 million people was being hawked for a few thousand dollars and the leaked Facebook data can be downloaded for free by anyone who wants to go find it on the dark web.
We’re being tracked. Huge companies know about the details of your life. Best way to cope: the advice that I closed with a couple of years ago.
Far and away the best way to stay calm in a surveillance state is to be a decent person without any important secrets. I’m being completely serious! If you have nothing to hide, it doesn’t matter as much if the details of your life are known to tech overlords. Don’t post offensive comments online in the belief that you are “anonymous.” Don’t harass people. Don’t send dick pics. Don’t have affairs. Don’t be racist. Don’t do things that would be embarrassing if they became known.
That’s not a complete answer, of course. Many of us, most of us, have parts of our lives that are meant to be private, for good and decent reasons. But, well, the surveillance economy has created some pressure to modify our behavior. There are good reasons that we don’t see as many pictures of drunk people at parties on Facebook. Make an effort not to do stupid stuff.
Sleep well, secure in the knowledge that everyone is watching you all the time.
Another great read, Bruce. And I promise not to send you anything risque.