Full Report
Facebook updated its privacy settings at the end of January. As Facebook turns 11 today, here’s what you need to know about the new settings and how they could affect you.
Analysis Summary
# Main Topic
Facebook's major privacy settings update in January 2015, which users accepted automatically by logging in, significantly expanded the platform's data collection: Facebook can track user activity across partner websites and applications via the Atlas advertising platform. This enables highly personalized tracking and targeted advertising that browser 'Do Not Track' functions cannot stop.
## Key Points
- Users accepted the new privacy terms simply by logging into Facebook after January 30th.
- The core change allows Facebook to harvest user data from any 'partner website' utilizing the Atlas advertising platform, extending personalization outside of Facebook.
- Tracking includes on-site behavior (purchases) and app usage on mobile devices when logged in.
- Facebook asserts it does not share Personally Identifiable Information (PII) like name or email address when collecting data for advertising purposes.
- Users cannot opt out of the data collection process.
- A related finding indicates that Facebook 'likes' can be combined to create detailed personality profiles, potentially more accurately than close family members, posing ethical concerns when sold to companies or used by law enforcement.
## Threat Actors
- **Facebook (Platform Operator):** Acting as the primary entity collecting and processing the data under the new terms. The report does not detail malicious threat actors, but rather platform policy changes that increase data exposure risk.
- **Researchers (Stanford/Cambridge):** Developed the algorithm capable of building accurate personality profiles but stated that the service generating this information required user consent to purchase data.
## TTPs
- **Automated Consent Acquisition:** New terms accepted implicitly upon login, minimizing user awareness or active agreement.
- **Cross-Site Tracking:** Utilizing the Atlas advertising platform to monitor user activity (browsing, purchases) on external partner sites and apps.
- **Behavioral Profiling:** Synthesizing 'likes' data to create detailed personality assessments (e.g., >300 likes predict personality more accurately than a spouse).
## Affected Systems
- **Platform:** Facebook platform (web and mobile access).
- **Technology:** Facebook Atlas advertising platform.
- **Scope:** Any website or mobile application that integrates with Facebook's advertising platform or uses its tracking mechanisms.
## Mitigations
- **Data Review:** Users can download a report detailing the data Facebook has stored via the General Account Settings area.
- **Complaint Mechanism:** Users can complain about specific targeted ads using the Ad Preferences Tool (reactive, not preventative).
- **Note on Prevention:** Browser 'Do Not Track' functions are explicitly stated as ineffective in preventing Facebook's ad tracking.
- **Research Caveat:** The personality profiling algorithm purchase was subject to user consent regarding the use of their profile data in that specific research service.
## Conclusion
The primary threat identified is the **unannounced expansion of ubiquitous and inescapable user tracking across the web** tied to Facebook account usage, coupled with the significant privacy risk posed by the ability of third parties to create highly intimate personality profiles from simple behavioral data ('likes'). Users are urged to review their stored data, though, based on the provided context, preventative options against the core cross-site tracking are limited outside of account deactivation.