There is a good article in CNN Money about RapLeaf, its ties to Facebook, and the impact of data mining on privacy. In this latest data breach, RapLeaf obtained from Facebook applications (commonly referred to as "apps") the IDs of Facebook members, merged the data with its own database, and then resold that combined data to advertising networks.
You never heard of RapLeaf before? Neither had I. It is one of many information brokers like Acxiom, ChoicePoint, Spokeo, and Quantcast. This blog covered them, and now RapLeaf, too. The Facebook breach fiasco highlighted several related privacy issues. The issues I see affecting consumers:
- The Facebook apps never should have transmitted members' IDs and personal information, especially those of Facebook members who had set their privacy settings to private. As I've written before, this breach questions whether Facebook is administratively and technically competent to keep private the personal information its members specify as private
- There are plenty of information brokers eager to do business with Facebook -- to access the sensitive personal information in Facebook members' profiles and apps. Several information brokers, like RapLeaf, already do business with Facebook
- RapLeaf combined the data it obtained from Facebook, including IDs from members who had specified their data stay private, and then resold that combined information to advertisers. RapLeaf later said it shouldn't have transmitted Facebook IDs and removed that data element from information it sells to advertisers
- The large network of data sharing relationships described in the second point above means your sensitive personal information will travel a lot further and faster to more companies and advertisers than you ever imagined. This is the "cost" of a free service like Facebook
- Information brokers' data mining efforts are getting more precise. Before they knew your lifestyle: car owned, rent vs. homeowner, favorite genres of films and music, favorite travel destinations, where you live, favorite websites, and purchases you made. Now they know your habits: when during the day you drive and destinations, the times of day you listen to certain genres of music, when you are at work versus traveling on business or pleasure, where you post messages from, and daily routines
- Many information brokers don't give consumers any control over the information they have collected about you. They view it as their information to use in other products and services, regardless of whether it is accurate, totally inaccurate or a mix. Consequences to the consumer be damned
CNN Money summarized the problem facing RapLeaf and information brokers:
"... privacy experts said they believe Rapleaf is being disingenuous. They noted that the company links users' names and e-mail addresses to many social networking profiles -- including Flickr, Friendster, LinkedIn, Twitter, Pandora, Wordpress, MySpace, Bebo, Tribe, Livejournal, Yelp and Amazon -- and sells that information to third-parties..."
I agree. Data miners like RapLeaf can't serve two masters. The drive for profits is too great. Consumers' privacy will be the loser.
While reading the CNN Money article, I also learned what a Klout Score is. Do you know your social media Klout Score? A better question might be: which information brokers know your Klout Score? A more insightful question might be: do you have control over who accesses your Klout Score? According to the number-crunchers at Klout.com, my Klout Score (based on my Twitter account) is "5 - Explorer:"
"You actively engage in the social web, constantly trying out new ways to interact and network. You're exploring the ecosystem and making it work for you. Your level of activity and engagement shows that you "get it", we predict you'll be moving up."
"The underlying issue is with a piece of the HTTP header called the referrer URL. We recognize that referrer URLs are a major industry-wide problem with the structure of internet security, so Rapleaf has taken extra steps to strip out identifying information from referrer URLs. When we discovered that Facebook ids were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions."
Really? RapLeaf's information systems are totally reactionary without any quality controls or checks?
Okay, I get it. Facebook IDs were embedded into the referrer URL and RapLeaf didn't scrub the headers and remove said sensitive information. Sounds to me like the system was programmed for speed over both quality and privacy. Rapleaf corrected the problem later, but the damage had already been done.
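The referrer leak described above, modelled as an added example (not code from RapLeaf, Facebook, or any app named here): it computes the Referer value a browser sends to a third-party ad host under different Referrer-Policy settings, and shows the site-side fix of scrubbing the ID from the URL. The hostnames, the ID value and the parameter names are constructed assumptions.

```javascript
// Added illustration; the URLs, ID value and parameter names are constructed.
const PAGE = "https://apps.example/farm/play?uid=1000123456789&ref=home";
const AD = "https://ads.example/pixel.gif";
const ID_PARAMS = new Set(["uid", "user_id", "fb_id"]); // hypothetical names

// Referer value a browser sends for a request from pageUrl to targetUrl.
// "downgrade" is simplified here to an https page requesting a non-https target.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  // Fragment and credentials are never included in a referrer.
  page.hash = "";
  page.username = "";
  page.password = "";
  const full = page.href;
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Site-side fix: remove identifying parameters so no policy can forward them.
function scrubUrl(url) {
  const u = new URL(url);
  for (const name of [...u.searchParams.keys()]) {
    if (ID_PARAMS.has(name.toLowerCase())) u.searchParams.delete(name);
  }
  return u.href;
}

function leaksId(referer, id) {
  return referer !== null && referer.includes(id);
}

// Which policies let the ID reach the ad host?
function report(id) {
  const policies = ["unsafe-url", "no-referrer-when-downgrade", "origin",
    "strict-origin-when-cross-origin", "no-referrer"];
  return policies.map((p) => ({ policy: p, leaks: leaksId(refererFor(PAGE, AD, p), id) }));
}

console.table(report("1000123456789"));
```

Only the policies that send the full URL cross-site leak the ID; scrubbing the URL itself removes the ID regardless of which policy a browser applies.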
What exactly was the damage? In his Freedom To Tinker blog, Harlan Yu analyzed the Facebook app breach:
"Because of the way Zynga (the makers of FarmVille) crafts some of its URLs to include the user’s Facebook ID, the browser will forward this identifying information on to third parties. I confirmed yesterday evening that using FarmVille does indeed transmit my Facebook ID to a few third parties, including Doubleclick, Interclick and socialvi.be."
So, it's not just RapLeaf. Yu summarized well the threat to consumers:
"... allowing advertisers and other third parties to easily and definitively correlate a real name with an otherwise "anonymous" IP address, cookie, or profile is a dangerous path forward for privacy."
Dangerous, indeed. What do you think?
During the past few months, I have heard people comment on blog posts that, "online privacy is dead." I don't buy that. It is a lame excuse by corporate apologists and executives who want to do as they please with consumers' personal information without having to worry about disclosures, rules, accountability, or responsibility.
If the information brokerage and advertising industries can't police their companies to provide consumers with reasonable online privacy, then it will get sorted out in the courts. Several ISPs and technology firms already learned this the hard way with behavioral advertising. Meanwhile, some things consumers can do to maintain privacy online:
- Delete your web browser cookies frequently. If you don't know how, read this
- Avoid "zombie cookies" by using software that deletes the hard-to-find Locally Shared Objects (LSOs) stored in sub-folders on your computer's hard drive
- If your browser offers it, use the Private Browsing mode
- Don't surf the web when signed into Facebook because Facebook social plugin modules track your usage around the Internet
- Lock down your profile on the social networking sites you use. If you don't know how, learn (or don't use the website until you do)
- Stop doing these 7 things on Facebook, or delete your Facebook account
- If you use a public computer in a library or hotel, clear the cache when you are finished
- If you use a public WiFi connection at an airport, hotel, or restaurant, use software to avoid side-jacking
- Read the terms and conditions policies at websites you use, to see whether that company values your privacy, or not. Use TOSBack.org to monitor changes in these policies at leading websites
- Realize that any company or website offering a free service makes money by reselling your personal data and usage to other companies and advertisers. As the economist Milton Friedman said, "There is no such thing as a free lunch."