Musings of an infosec nerd

Why I'm Leaving Facebook


Social data is being weaponised, and I'll have no more to do with it

What has happened?

Last night Channel 4 aired a documentary showing the inner workings of the social media influence platform Cambridge Analytica. If you have 20 minuets to spare I suggest you go and give it a watch.

This highlights the uses that personal data posted to social networking sites are being put to by shadowy organisations who wish to manipulate large numbers of people for the people who are paying them lots of money. These organisations have been shown to be involved with the political processes of countries around the world, including here in the UK and in the United States.

How did they get this data?

We gave it to them, for free.

You may wonder how they managed to get so many people to voluntarily give up access to their own personal postings on Facebook, after all, aren’t people aware of privacy settings and are configuring them to prevent people from just harvesting this stuff? To answer this question, we’ll look at something that a lot of people have seen cropping up on Facebook over the last few years, Personality tests.

These “Tests” are actually Facebook applications developed by third party organisations and hosted by Facebook. To take these “Tests” you have to give the app specific permission to access your profile. So, did Cambridge Analytica fool tens of millions of people into running these apps and giving their permissions? Not exactly. Once you give the application permissions to access your profile, you are also giving it permission to access your friends data, and allowing it to harvest their data as detailed in the article in the Guardian .

Every time you give an app like these tests permission to access your profile, you are not only giving up the keys to your own psyche, just take a look at what Facebook applications can access once you give them permission, but you are also giving a just as valuable level of access to all your friends data. This is data that they have not chosen to share with these third parties. Now, Facebook will say that using data gained in this way is against their T&C’s, but this is a contractual enforcement, not a technical one. The data is there to be grabbed and they have be to caught doing it before anything is done. By this time of course the data is out there.

As an example of the kinds of reach these permissions have, after recently culling my Friends list down to people I at least interact with on a semi-frequent basis, I have 112 people in my friends list. From what I have seen of other users, this is not a high number. Just by taking one “Personality Test” I give up the personal data of 112 people to these manipulative machines. Here’s a personality test for you, if you give these apps the keys to your profile then your Star Wars character is Jar-Jar Binks.

What happened to this data?

The Channel 4 documentary contains hidden camera footage of the higher ups in Cambridge Analytica discussing with a potential client the kinds of things that they can do for them. This included such gems as setting up your political opposition with Ukrainian hookers and getting it on tape to use as blackmail material, but also the ability to tightly target “propaganda” at a mailable portion of the population you would like to influence. We saw this with targeted Facebook postings during both the EU referendum campaign (Arron banks has been quoted as using Cambridge Analytica for this purpose) and the US election (Steve Bannon as said the same) , along with our very own Theresa May and her army of “digital warriors” in the last UK general election.

The insidiousness of this form of manipulation is something that has never been seen before. I have been asked “Why don’t you stay on the platform and help combat this propaganda with well rounded rebuttals?” and one of the reasons is I don’t get to see it. This is targeted to not only be seen by the people susceptible to its message, but also to stay well away from the people who will question it. The echo chamber effect of social media sites also comes into play here, as I have long ago culled the racist reactionaries from my friends list I won’t see the “Fake news” sites that are being shared and liked.

It is worth mentioning “Fake News” in this context, as this is a term which is being thrown around with wanton abandon for the last few years. I am using it in the original, correct context, rather than as a term to label something as something I personally don’t believe, or would like to believe isn’t true. The actual “Fake News” are sites that have been set-up to look like a local or national news organisation, however the organisation they claim to be does not actually exist. These sites are set up to host the straight up false “news story” which the propaganda merchants at places like CA would like to spread, and they look at a casual glance to be legitimate news reports. The people targeted by this campaign will blindly like and share this “article” into their own sphere of influence and it is then further propagated amongst their followers, giving the organic growth that makes this news look legitimate rather than fake.

Why won’t Facebook do something about it?

Because it makes them money. It’s that simple. There is a saying that’s been around a while that states that if you are not paying for a service, then the service isn’t the product, you are. In this case this is literally true. You are the product that Facebook are selling by harvesting their Social Graph and offering laser accurate targeting of any message you like to users who will be susceptible to it. They need the data you give them to operate, and I am done with being sold off like this. When there is a Facebook which restricts access to personal information to only that which you choose to specifically share, and does not monetise though advertising (I’ll pay) then I’ll come back, but until then I am going to choose to do the only thing I have the power to do in this situation, and that is to starve them of this resource that I have control over, me.

I have many friends and family on here who I interact with quite often, and will continue to do so via other methods, such as Signal Messaging, Text, email and other more restrictive social networks such as Mastodon and Twitter. There are others however, such as people I went to school with who I have much less frequent contact with. In that case I am offering an open invitation to add me on these other platforms. If you want my number for Signal then please reply to this post while it is live on Facebook and I will pass send it over. This post will remain live on My contact details for other platforms are below. I hope that reading this will give at least some insight into how you are being used as a product, and to those that choose to remain allows them to use the site in a way which minimises the data that they give out about themselves, and more importantly the data that others have entrusted you with.

Email: Ian [at] Fishermansenemy [dot] com

Twitter FishermansEnemy

Mastodon.Social @FishermansEnemy

The personal blog of a UK based penetration tester