The True Cost of Social Media is Your Privacy

Our daily lives are increasingly lived out online. The current global pandemic has simply accelerated that fact.  As our need for digital connection increases, consumer security and privacy have never been more important. Escalating security breaches and increasingly invasive advertising practices make it essential that consumers become more aware of how the decisions they make online, can impact their lives offline   

According to Statistics Canada, 94 per cent of Canadians had home Internet access in 2018. It’s no longer become a “nice to have”. It’s a prerequisite for participating in a modern society. Shopping, Banking, Healthcare, Education; almost every facet of our day-to-day lives is increasingly digital first.

The number of ways we can communicate is nearly endless. In 2019, the Canadian Internet Registration Authority (CIRA) reported that 60 per cent of Canadians use social media on a regular basis. Facebook, Instagram, Twitter, YouTube, Snapchat, TikTok, and dozens more. With 2.6 billion active users in March 2020, Facebook is the largest social media platform on the planet.

All these apps, accessed by your phone or computer have two things in common. They are free to use, and they earn revenue through advertising. In 2020, they earned $17.44 billion in advertising revenue, representing 98.3 per cent of total revenues.

All Your Information in One Place

As an advertising company, Facebook’s survival depends on their ability to sell ads. However displaying ads to users at random is rarely profitable. Instead, Facebook targets ads based on people’s  demographics and interests. Any information you enter into a Facebook profile, is combined with other data to create detailed profiles. Every group you follow, every comment you make and every article you share, builds a database of information that Facebook leverages to sell advertisements. 

While it should be no surprise that data created by clicks, likes, posts, and other activity on Facebook is harvested, many users are not aware that visits to other websites are also tracked. Most businesses have added a tracking code, called a Facebook Pixel, to their site.  When you visit their site, information is instantly sent to Facebook. The same site then pays Facebook to target you with ads, along with users who have similar profiles.

According to Facebook, companies use a Pixel to “make sure your ads are shown to the right people. Find new customers, or people who have visited a specific page or taken a desired action on your website.” As a result, Facebook has the seemingly uncanny ability to display ads that are so relevant that some people wonder if their phone, tablet, or computer are listening to their conversations.

From a privacy perspective, it is essential that consumers recognize they are trading their personal information, both directly and indirectly, in exchange for using any social media platform. Facebook discloses information on their data collection practices and appears to comply with applicable privacy legislation, yet most people do not understand the depth and breadth of Facebook’s data collection. You may consent to Facebook collecting personal information, but do you fully understand how much of your information will be collected and how it will be used? 

Facebook is not alone. More than 1.5 billion people have Gmail accounts. Although the Google service is one of the better “free” email services, a paid G Suite account with no advertising costs US $6 per month. Free online services are not actually free. Instead of money, they cost something much more valuable: your personal information. We all hear complaints about privacy and advertising, but little will change until consumers are prepared to pay for services that do not mine their data or depend on advertising revenue.

Paid Services Can Have Security Limitations Too

Paid online services are incentivized to respect privacy. Unfortunately, security breaches are still alarmingly common. The majority of breaches happen due to gross negligence or human error. Nonetheless, even companies with the best defenses can still be compromised. Once consumer data has been breached, it is usually impossible to put the genie back into the bottle.  Most countries require businesses to notify people that their personal data has been hacked but by then, the damage has already been done. If your passwords are compromised, they will almost certainly be used in attempts to access other accounts or services you use.

Security expert Troy Hunt’s site haveibeenpwned.com provides insight into the magnitude of this problem. As of May 2020, he has found information on almost 7.9 billion compromised accounts from over 450 websites. Some of these websites are household names. Hunt uses the information for good, allowing people to check if their information has been compromised. He also educates the public on the best practices of password security, like using a different password on each site. 

It is ultimately up to consumers to decide what personal information they are willing to share. Staying offline entirely is not a realistic option for most. Email has long replaced postal mail, videoconferencing  is reducing the need to travel, and online shopping will soon account for 25% of all purchases across the globe.  The shutdowns due to COVID-19 have now made online interaction the only viable option for many. In practice, the decision is not whether to be online, but rather which services to use.

In addition to consumer awareness, good decisions, and privacy legislation, consumers have a powerful tool at their disposal. Strong, properly implemented cryptography is one of the few security controls we can truly depend upon.

Over the past few years, most websites have transitioned to HTTPS. In security terms, this is often called “protection in transit” because data is protected while moving across the Internet. Without this protection, anyone with access to the network can read or change the data.

“Protection at rest” refers to data being encrypted while stored on a hard drive, server or in the cloud. If, for example, an encrypted disk is stolen, the data can not be accessed. While encryption in transit and encryption at rest are both considered good practices, gaps remain.

For example, a web site may use HTTPS to protect data in transit, and it may store information in a database on an encrypted disk, which provides protection at rest. But if a hacker compromises the web server itself, and uses the server to access the database, the encryption does not prevent the data from being stolen.

End-to-End Encryption

A small but growing number of companies, like password managers 1Password and Lastpass, or  Vaultt, an information management and communication platform for families and caregivers, use a third technique called “end-to-end encryption.” Using this approach, data is encrypted on the user’s device before it is sent and it remains encrypted until back in the hands of another authorized user. The server, and the company which provides the service, do not have the ability to decrypt the data.

End-to-end encryption is the preferred way to protect sensitive data because control of the information remains with the user. Even if a hacker could steal information from the server and database, they would not be able to decrypt it.

End-to-end encryption does not prevent all data theft. It is still important for users to protect their computers, phones, and tablets so that information is not stolen directly from them. But for now, end-to-end encryption remains one of the strongest data privacy, confidentiality, and integrity safeguards available.

Awareness is an important first step. As consumers, we need to ask more questions and remain aware of privacy and security issues when choosing products and online services for ourselves and our families.