Exploring the Security Issues behind Facebook’s User Tracking from its ‘Big Data’ for Competitive Intelligence
Credit: Taken from https://www.mobistealth.com/blog/facebook-spy-tool-lets-read-messenger-conversations/
(First released in September 2016)
Abstract— Facebook (FB) is one of the most popular social networking sites all over the world. According to Zephoria, there are approximately 1.71 billion FB users worldwide as of July 2016. There are 4.75 billion contents that are shared daily which include status posts, notes, images, videos, etc.  From the business perspective, FB remains (and will remain) free as that they continue to make a profit from ads in their website. This article aims to investigate how FB utilizes its collection of big data and draw competitive intelligence that helps them earn a lot of money yet still be able to produce free and quality services. It also discusses the techniques, methodologies, and technologies that FB uses that continuously make them one of the richest and most successful companies worldwide.
Index Terms— Big data, Facebook, competitive intelligence, cookies, ads
A. Big Data: A Short History
The term “Big Data” has been widely used today and to some extent bastardized into a lot of discussions and papers with confusing meanings. A lot of technology and data companies have also used the term to sell their products and services related to cloud computing and Storage Area Networks (SAN). However, the concept of big data goes way back in the 1940s when Fremont Rider, a Wesleyan University Librarian, published “The Scholar and the Future of the Research Library” which challenges how information can be extracted and utilized from all the libraries in the world. 
Other initiatives on big data emerged in the 1960s when some researches intended to determine the lineages of the Muslims and create a long family tree out of it. It’s also in the ’60s when the concept of Automated Data Compression was first introduced with the expectation that at some point, data will have to be compressed because of its voluminous size. 
Some other interesting early concepts of big data include the study on war correlation where strategies and motivations for a war on different times and places. It was then used to predict which countries might initiate a war and what their strategies are. Another study in Japan in the 1970s was about determining population growth in their country by using and comparing different data sets of their census. 
In some cases, Big Data is able to conclude those unexpected explanations for such outcomes. For instance, in the book Freakonomics, it stated that the crime rate in New York City, USA went very low in the early 1990s and nobody could explain why. As a matter of fact, economists and analysts predicted that the crime rate will go up. However, after some rigorous research, it was found out that the court ruling in the 1970s that abortion was declared legal pulled down the crime rate numbers. It was concluded that most “would-be criminals” from uneducated, unemployed and in poverty group had been aborted way before they could probably spread their crimes.
Nowadays, Big Data is used in our daily lives like when Google is properly able to show you the top 10 most relevant results that you are looking for. It is also useful when Waze is able to determine which route you should take based on traffic severity, distance, etc. Everybody who is connected to the Internet is actually using Big Data.
B. Big Data Characteristics
In all Big Data 101 lessons, the following are the characteristics given to Big Data:
- Volume – The data source is very, very big.
- Variety – The data source has different types of data that can be known or proprietary. Some of the known data types include integers, Boolean, images, strings, and videos. Some of the ‘unknown’ or proprietary data types include DNA, fingerprints, bit-level image, etc.
- Velocity – The data source can be queried at an acceptable speed.
FB is a known social networking site where users can connect to their friends or acquaintances. They can post their status, images, videos, etc. Interestingly, it continuously improves current features like adding more emoticons, introducing Facebook live and adding the 360-degree movement of posted pictures among others.
As mentioned, Facebook has 1.7 billion active users to date and it has a net income of at least 3 billion USD.  It has also killed popular social networking predecessor sites like Friendster and Multiply because it offers more dynamic features.
One of their known slogans is, “It’s free and always will be.” Since the group of Mark Zuckerburg launched FB, the entire website has always been free of use. Obviously, the major source of income of FB comes from advertisements that the users are able to see.
The creativity in Facebook ads involves determining the likes and interests of the user and using these to show ads that are likely to be suited for him/her. In short, FB is able to filter the correct ads for the appropriate market.
II. Problem Statement
Given the premise that FB utilizes the user’s information to introduce related advertisements for their profit points to two important issues. First, FB uses big data to conduct competitive intelligence to its users. This means FB analyzes voluminous amounts of data to determine certain patterns of the user. For example, based on your status, FB is able to determine how much are you willing to spend for a particular brand and at what time do you intend to buy it. Second, there are a lot of security issues that can arise because FB is using the personal data of its users. Exploiting one user can be done to other users as well. The only way for the attacker to launch an attack is to look for an application vulnerability.
With these issues, the problem is focused on security. Particularly, what are the security implications of FB using personal data for their advertisements? The paper will try to look at the different avenues where attacks can be made based on the available attack surface on the application’s interface.
III. Results and Discussion
A. FB Context
From the perspective of FB, everything that you post and configures as a user is collected and stored. When the user signs up for an FB account, he/she agrees to FB’s Data Policy and how the website will use it.  Unfortunately, users do not read the policy and just click on submit.
Last January 2015, FB has modified its policy which included the utilization of tracking cookies to be used for their “services.” These services include providing faster access to its features like suggesting new friends and pages. This also included tracking of the location of the browsing habits of the users. Users who do not agree with this new policy has no option but to leave FB.
In a BBC article, the tracking cookie can help FB with the following: 
- preventing the creation of fake accounts
- reducing the risk of users’ accounts being taken over by other people
- protecting users’ content against theft
- preventing distributed denial of service attacks
From a security perspective, the cited reasons may be valid but the extent of their tracking can be excessive as well, as pointed out by a security research team.
With the issue of the tracking cookies in question, it is important to emphasize three relevant issues on how FB conducts competitive intelligence to its users with its use.
- FB is able to track even those who don’t have any FB account or even if you have logged off your FB account. 
Due to the partnership of FB with a lot of marketers and advertisers, FB tracking cookies start even if you access a different website. In an article by The Verge, it discovered that “The researchers found that sites including OkCupid, MTV, and MySpace placed Facebook’s cookies on computers even if the computer user did not click or interact with the site in any way.”
Usually, this happens when going to a website and there are buttons below or above that says, “Like us on Facebook.” There are other instances where you need to log in FB first before you can comment on a comment section on a website or forum.
In some public places like malls, the Wi-Fi policy actually requires you to log in FB first before you can use their Internet. That is the trend today and a lot of businesses have been doing this already.
Another technique of user tracking by FB is when you access a totally different website, it will be stored and analyzed as well. For example, when you go to Agoda.com to look for hotel promos, you will be prompted by a lot of Agoda and hotel ads the next time you go to your FB account. This means that there is an indirect collection of data even outside the FB website.
- FB is able to control the mood of the users by providing the content in their news feed. 
Similar to what the media can do which can steer public opinion on a particular topic, FB can also do the same freely, easily and quickly. It can create trends like hating terrorist groups like ISIS to supporting somebody for a cause etc. By creating these trends, FB somehow can gain control of the mood of the users. It can even create a cult or even a mob which most of the netizens categorize them as “keyboard warriors” or “trolls.”
To be able to control public opinion is key to information warfare. You can be able to destroy a company with these capabilities without really exerting effort aside from spreading information that can sway moods and emotions.
- FB is able to get what you do not want them to know. 
This issue is very interesting because what you do not want FB to know is something that they collect too. For example, if you intend to make your profile private and even your feed and information, FB will take note of that. It will also take note who are people you are trying to hide from and possibly why. They can provide you with ads related to privacy later on or use the information for other purposes as well.
B. Marketing/Advertiser Context
From the marketing perspective, this becomes way easier for them to advertise their services. They will just create a business page in FB and specify their intended audience. FB will do the rest and provide the results. There’s even a portal where marketers can filter their audience and specify their products and services.
According to Kissmetrics, advertisers can filter their audience based on the following: 
- Relationship Status
The payment of advertisements will depend on the scope of your filter. Based on the information you have provided, FB will search and locate who these potential customers are. Then they will advertise your products and services through your FB page. There are specialized functions on a business page like sign-up, contact, subscribe, etc.
In marketing subscription statistics, there are 16 Million local business pages that have been created as of May 2013 which is a 100 percent increase from 8 million in June 2012. 
C. Security Issues
There are 2 types of security issues that can be seen in FB’s user tracking feature namely, non-technical and technical.
1) Non-Technical Issues 
- Scam – There is a variety of scams on FB that have victimized a lot of users. This included spreading hoax news links to a malicious website and messages that ask for personal information. The highest percentage of scams victims are adults aged 30-39, at least with those aged 60 and above.
- Cyberstalking – Since personal information is accessible if the profile is publicly available, a lot of users can be stalked or extorted. Pictures or videos of the victims can be stolen, and use publicly available information to launch more sinister attacks like resetting passwords or guessing passwords using birthdays or locations, etc.
- Cyberbullying – Cyberbullying is usually the step done after cyberstalking. Users can be bullied or humiliated based on their personalities and beliefs. There are events where the bullies use FB as a medium to post humiliating photos or videos of the victim. In some news, those bullied even commit suicide just to get off with the embarrassment.
- Impersonation / Identity Theft – Impersonation or identity theft is also usually done after cyberstalking. The attacker will create another account similar to the victim’s and post stolen photos and create statuses and make it appear it came from the victim. Some impersonators go to the extent of getting money from the victim’s friends.
2) Technical Issues
- Session Management – With FB putting the bulk of development to usability, there is actually a small room for security to be implemented. FB allows users to access their account to any networked device simultaneously after initial authentication. The problem now is if the session is stolen and replayed, it can lead to an authentication bypass without even providing the password or any authentication mechanism.
- Cross-Site Request Forgery (CSRF) –This is a more complicated issue but it can devastate the user. This involves tricking the user into clicking a link and issuing a transaction request to another website where the user has an account. For instance, I clicked on the link and the link will make a fund transfer request from my account to another account without my knowledge.
IV. Conclusion and Recommendations
Technology can never be suppressed and people should learn how to adapt to it. Big Data and Social Media are two big innovations that have come to dominate our world. There is a countless amount of data that needs to be analyzed to provide better results and answers to questions. Correlated data that are transformed into knowledge can help improve the services and quality of businesses.
However, handling of data is very crucial and should be given priority as well. In the case of FB, it is handling a lot of personal data which includes Personally Identifiable Information (PII).  The PII holds the precise identity of the person that if it gets exposed can destroy the person. PII includes address, social security number, credit number, birthday, etc. There are laws both in the United States and the Philippines that mandate organizations to protect the users’ PII. For instance, there is the Electronic Communications Privacy Act (ECPA) in the United States while the Philippines has its Cybercrime Prevention Act (RA 10175). The only problem with these laws is the implementation. The law should be enforced and checked if it is applied to web applications like FB where billions of users have an account on. Imagine the effect and consequences of these data have been leaked. There have been efforts by the private and public sectors to investigate and regulate how FB is doing its data collection and to what extent. It is strongly recommended that it should be done periodically by a disinterested third party.
Lastly, for the users of FB who have the Fear of Missing Out (FOMO) tendency even after learning the dangers of using FB on user tracking, it is important to stay vigilant and cautious when using the website. Also, apply the concept of ‘Think before you click,’ where Think stands for 
- Truth – Is it the truth?
- Helpful – Is it helpful?
- Inspiring – Is it inspiring?
- Necessary – Is it necessary?
- Kind – Is it kind?
People cannot stop technology. People should not stop technology but learn how to put controls so that its features can be bounded by the policies that we want to enforce.
|||Zephoria Digital Marketing, “The Top 20 Valuable Facebook Statistics – Updated July 2016,” [Online]. Available: https://zephoria.com/top-15-valuable-facebook-statistics/. [Accessed 10 September 2016].|
|||G. Press, “A Very Short History Of Big Data,” 9 May 2013. [Online]. Available: http://www.forbes.com/sites/gilpress/2013/05/09/a-very-short-history-of-big-data/#1f0fc6b755da. [Accessed 10 September 2016].|
|||J. O’Malley, “How big data is changing history,” 4 April 2016. [Online]. Available: http://littleatoms.com/big-data-changing-history. [Accessed 10 September 2016].|
|||J. Wakefield, “What is Facebook doing with my data?,” 10 November 2015. [Online]. Available: http://www.bbc.com/news/magazine-34776191. [Accessed 10 September 2016].|
|||J. Vincent, “Facebook’s tracking cookies affect even users who opt out, claims EU report,” 31 March 2015. [Online]. Available: http://www.theverge.com/2015/3/31/8319411/facebook-tracking-cookies-eu-report. [Accessed 10 September 2016].|
|||R. Meyer, “Everything We Know About Facebook’s Secret Mood Manipulation Experiment,” 28 June 2014. [Online]. Available: http://www.theatlantic.com/technology/archive/2014/06/everything-we-know-about-facebooks-secret-mood-manipulation-experiment/373648/. [Accessed 10 September 2016].|
|||C. Johnston, “Facebook is tracking what you don’t do on Facebook,” 17 December 2013. [Online]. Available: http://arstechnica.com/business/2013/12/facebook-collects-conducts-research-on-status-updates-you-never-post/. [Accessed 10 September 2016].|
|||Kissmetrics, “A Deep Dive Into Facebook Advertising,” [Online]. Available: https://blog.kissmetrics.com/deep-dive-facebook-advertising/. [Accessed 10 September 2016].|
|||A. Go, K. Alfafara, I. Javellana, E. Lee and N. Nicolas, Online Peers Can Mean Offline Perils, Makati: Asia Pacific College, 2013.|
|||C. Dwyer, S. R. Hiltx and K. Passerini, “Trust and Privacy Concern Within Social Networking Sites: A Comparison of Facebook and MySpace,” in Americas Conference on Information Systems, USA, 2007.|
|||EduTech for Teachers, “Think Before You Click!,” [Online]. Available: http://edutech4teachers.edublogs.org/2013/10/23/think-before-you-click-2/. [Accessed 10 September 2016].|
|||W. Oremus, “There Are Two Kinds of Online Privacy. Facebook Only Likes to Talk About One,” 13 November 2014. [Online]. Available: http://www.slate.com/blogs/future_tense/2014/11/13/facebook_privacy_basics_page_what_it_won_t_tell_you_about_personal_data.html. [Accessed 10 September 2016].|