INF529: Security and Privacy In Informatics

Social Networks

Prof. Clifford Neuman

Lecture 6 21 February 2020 OHE 100C Course Outline

• What data is out there and how is it used • Technical means of protection • Identification, Authentication, Audit • The right of or expectation of privacy • Social Networks and the social contract – February 21st • Criminal law, National Security, and Privacy – March 6th • Big data – Privacy Considerations – March 13th • Civil law and privacy Regulations – March 27th • International law and conflict across jurisdictions – April 3rd • The Internet of Things – April 10th • Technology – April 17th • Other Topics – April 24th • The future – What can we do – may 1st March 6th Presentations

Criminal Law, National Security, and Privacy Presentations on March 6th • Various elements related to national security and policing use of information. • Glenn Johnson • Madhuri Jujare • Joshua Vagts • Shagun Bhatia • Anthony Cassar • Haotian Mai • Harshit Kothari • Tejas Pandey • Uddipt Sharma March 13th Presentations

Privacy Considerations in Big Data and AI • Kaijing Zhang • Brendan Chan • Aashray Aggarwal • Dwayne Robinson • Di Rama • Zhejie Cui • Zishu Wang New Readings

• [CAS] Cloak and Swagger: Understanding Data Sensitivity Through the Lens of User Anonymity.

• [Levemore] Saul Levemore, "The Offensive Internet: Speech, Privacy, and Reputation"

• [Nissenbaum] Helen Nissenbaum, "Privacy in Context: Technology, Policy, and the Integrity of Social Life" Social Networks and Social Media

Services that Enable us to: – Share our thoughts and experiences – Record intricate details of our lives – Create communities of like minded individuals – Manage our relationships with others online.

The intersections of technology with social interaction.

Bulletin Boards, AOL, Myspace, Facebook, Twitter, Instagram, SnapChat, and many related services. But also includes email and the rest of the web. Threat Vectors – Social Media

Our use of social media – dissemination Others use of social media – retrieval Monitoring and surveillance of Social Media False information in social media Reputation and permanence Many forms of impersonation Inferences from network analysis Social Engineering through Social media What we Post

Pay careful attention to what you post through social media. We include much information we might otherwise think of as private. We think it is going to only our friends We think it is ephemeral Remember what information is out there: Fortune Teller How Our Data is Used

Surveillance through Social Media

Social Media Surveillance Could Have a Devastating Impact on Free Speech. Here's Why.

Surveillance through Social Media – Good or Bad • FBI’s near-brush with suspect in Florida school shooting draws scrutiny What is “actionable”. Is this prosecuting “pre-crime” Today’s Presentations

Privacy in Social Networks Presentations on February 21st • Various elements related to specifically social networks and/or how this data is used. • Instagram Policy - Chinmaya Pandit • Instagram Security/Privacy - Venkat Ramana Reddy Mareddy • TikTok - Ziwei Zhao • Surveilance - Christopher Samayoa • Targeted Ads - Abhishek Tatti • User Data on Social Media - Shanice Williams SOCIAL NETWORKS Chinmaya Pandit

• Instagram Privacy Policy • Instagram Security and Privacy • Privacy and Security of TikTok • Social Media and Surveillance • Privacy in Targeted Ad Generation • Privacy Concerns With User Data On Social Media INSTAGRAM PRIVACY POLICY

CHINMAYA PANDIT Agenda

• What Is Instagram • Instagram’s Privacy Policy • Information Collected • How Is The Information Used • How Is The Information Shared • How Ads Work On Instagram • Transparency Reports • Data Storage And Retention • What’s up with Instagram • References About IG

A platform for quality pictures and videos

What to use Insta for? • Follow • Feed • Likes and comments • Stories • DM Privacy Policy

A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data.

Effective date: January 19, 2013 • https://www.instagram.com/about/legal/privacy/before-january-19- 2013/

Effective date: November 1, 2017 • https://help.instagram.com/581066165581870 Data Collected

Type of Data

Information users provide directly • Creating a new account: Email address, username, password, user profile information, language, user content, location of a photo, communication with Instagram • Find friends: Social media sites, contact lists • Payment Information: card number, authentication information, shipping and billing address, contact details Type of Data

Information collected automatically • Usage of the service • Device Information: IP Address, device identifiers, model of the device, mobile operator or ISP, storage available, hardware- software versions, battery level, signal strength, connection speed • In some cases: Information about other devices nearby. • Device operations: mouse movements, window information, • Bluetooth signals, beacons, cell towers, nearby Wi-Fi access points, Access to GPS location, • Cookies • Metadata: hashtag, geotag, friends, groups, actions, login details, purchases Type of Data

Information provided by others • Log in with Facebook, Google • APIs, SDKs, Facebook Pixel • Analytics Providers • Third party Advertisers • Web pages visited, add-ons, web-beacons How Is This Information Used?

• Saved: So you will not have to enter it when you re-visit • Metrics: Total number of visitors, traffic • Detect and fix technical problems • Auto-updates of the application • Hashtags are collected for certain Events • Personalize –News feed, Instagram feed, Instagram stories and Ads • Consistent experience on all Facebook products • Location information for improving Ads • Testing and improving the product • To verify account, detect and prevent spam, detect suspicious activities, violation of terms and policies • To conduct and support research and innovation • To communicate with the customers How Is The Information Shared

➢ The information is not shared without user content except with the following parties: • Affiliates • Service Providers and Vendors • Third Party Partners • Analytics Services – Can Use Anonymization And Data Aggregation • Advertisers – Reports • Measurement Partners • Researchers And Academics • Law enforcement • Legal Requests

➢ Public information can be shared with anyone – Even if they don’t have an account! ➢ User Content – Users can decide (Public or Private accounts, close friends) How Ads Work On Instagram?

• Shows Ads relevant to you – people you follow, things you like

• Instagram doesn’t share information with advertising partners or advertisers that personally identifies you unless you give us permission Personally identifiable information (PII) is information like your name or email that can by itself be used to contact you or identify who you are Transparency Reports

• Valid subpoenas, court orders, and search warrants required for obtaining records • May voluntarily disclose information to law enforcement where there is a good reason to believe that the matter involves imminent risk of serious physical injury or death

• Legal Process Requests Requests we receive from governments that are accompanied by legal process, like a search warrant. We disclose account records solely in accordance with our terms of service and applicable law. • Emergency Disclosure Requests In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death. Data Storage And Retention

• Information stored and transferred in any other country in which IG, its Affiliates and Service Providers maintain facilities.

• Instagram can not ensure the security of any information you transmit to Instagram or guarantee that information on the Service may not be accessed, disclosed, altered, or destroyed.

• Following termination or deactivation of your account, Instagram, its Affiliates, or its Service Providers may retain information (including your profile information) and User Content for a commercially reasonable time for backup, archival, and/or audit purposes.

• If you remove information that you posted to the Service, copies may remain viewable in cached and archived pages of the Service, or if other Users or third parties using the Instagram API have copied or saved that information.

• Content you delete may persist for a limited period of time in backup copies and will still be visible where others have shared it. What’s up with Instagram?

• 'Instagram Privacy Policy Changes' is a Hoax • Where did the likes go? • How to mess with IG's Tracking Algorithm Recent Privacy Breaches

• Instagram confirms security issue exposed user accounts and phone numbers ! References

• Wikipedia • Google • Instagram Privacy Policy THANK YOU !

FIGHT ON ☺ INSTAGRAM SECURITY AND PRIVACY

VENKAT RAMANA REDDY MAREDDY Data?

▪Names and passwords of account holders.

▪Captured content, such as photos and videos.

▪Data that links users to the photos they took, tagged or liked.

▪Text message history, address book contacts or other similar personal information.

▪Metadata on how people use the Instagram mobile app.

▪Transactional data from Facebook products and services.

▪Facial recognition data.

▪Data on which devices are linked to which accounts.

▪Geolocational data. Use of Data

What Is Instagram's Privacy Policy? Here's What To Know About The App's Rules by Lizzy Rosenburg

▪App doesn’t rent or sell your information

▪They may share info such as cookies, device identifiers, log files and location data

▪If you remove information posted, will there be any copies of it?

▪Who are the service providers for the Instagram?

▪Why do they need the info of account and can they misuse it?

▪What are businesses within the same group as Instagram? Privacy Settings

▪Private profile

▪Remove a follower

▪Turnoff activity status and green dot

▪Block comments

▪Stop Direct Messages

▪Disable resharing posts to stories

▪Hide story

▪Approve tagged photos

▪Clear search history How to steal data from Instagram

▪Guessing sensitive information

▪Using a Virus- keylogger

▪Password Requesting Application

▪With the help of phishing

▪Subversion Security issues with Instagram

Hackers Are Using Instagram 'Nasty List' To Steal Passwords

Instagram Hacker Confirms 1 Million Account Takeover Attack

Instagram Security Warning: Millions At Risk From ‘Believable’ New Phishing Attack

Instagram Allowed an Ad Partner to Track Millions of Users' Data, and It's a Major Privacy Problem Why hackers target accounts?

▪All the fake accounts being deleted by the services every year ▪For buyers who wants to spread spam or propaganda ▪For monetary benefits from owners Possible threats?

▪Likejacking

▪Fake giveaways

▪Unbelievable news that’s really malware

▪Affiliate scams

▪Fake followers

▪Phishing attempts with fake links

▪Catfishing

▪Cyberbullying and abuse

▪Identity theft

▪Private messages with dodgy links How can we stop?

▪Pick a strong password

▪Trust Nobody, Protect Your Sensitive Information

▪Do Not Click on Shady Links

▪Make your account private

▪Block specific followers

▪Turn on two-factor Authentication

▪Prevent third party Apps from getting your data

▪Check if someone has hacked your Account Your Account is hacked?

Use Instagram’s New Account Recovery Process

▪Change your password or send yourself a password reset email. ▪Revoke access to any suspicious third-party apps. https://www.elitedaily.com/p/what-is-instagrams-privacy-policy-heres-what-to- know-about-the-apps-rules-18689769

https://www.theverge.com/2019/3/26/18282196/how-to-protect-privacy- security-instagram

https://later.com/blog/instagram-account-hacked/

https://www.instafollowers.co/blog/how-to-hack-an-instagram-account

https://cio.economictimes.indiatimes.com/news/enterprise-services-and- applications/instagram-rolls-out-new-feature-to-prevent-phishing- attacks/71497691

https://www.forbes.com/sites/daveywinder/2019/04/14/hackers-are-using- References instagram-nasty-list-to-steal-passwords-heres-what-you-need-to- know/#344a455f69dd

https://www.forbes.com/sites/daveywinder/2019/08/27/instagram-hacker- confirms-1-million-account-takeover-attack/#43cb8457b6de

https://www.forbes.com/sites/zakdoffman/2019/08/24/new-critical-security- warning-issued-for-1-billion-instagram-users/#190c0bcb2f6e

https://www.guidingtech.com/instagram-privacy-settings/

https://uk.norton.com/internetsecurity-online-scams-11-social-media-threats-and- scams-to-watch-out-for.html Privacy and Security of TikTok

Name: Ziwei Zhao USCID: 6649875947 Introduction

TikTok is a short-form, video-sharing social networking app that allows users to create a variety of videos ranging from challenges, dance videos, magic tricks, and other funny videos and share 15-second videos, on any topics. The app has been downloaded over 1.5 billion times worldwide across the Apple App Store and Google Play. 8.2% of the growth comes from United State. Source: https://www.businessinsider.com/tiktok-hits-15-billion-downloads- outperforming-instagram-2019-11 News

• The U.S. government fined the app now known as TikTok $5.7 million for illegally collecting children’s data (Feb. 27, 2019 ) • The operators of Musical.ly — now known as TikTok — knew many children were using the app but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,” said FTC Chairman Joe Simons • The 1998 law, called Children’s Online Privacy Protection Act, sharply limits the collection of personal data of online users younger than 13, but regulators in the past have been unsure of how to apply the law to general-interest sites, as opposed to ones specifically directed at children. • Source: https://www.washingtonpost.com/technology/2019/02/27/us-government- fined-app-now-known-tiktok-million-illegally-collecting-childrens-data/ Privacy Policy

• For Younger Users (under 13) • For Adults (beyond 13) • Source: https://www.tiktok.com/legal/privacy- policy?lang=en What can users do?

Younger users Adults • view videos from other creators • Not specifications and explore their creativity by capturing their own videos with music and special effects. While Younger Users may save these videos directly to their device, the videos will not be saved by us or viewable by other users. What information would be collected?

• Younger users

• When a Younger User registers for TikTok, we collect only limited information, including username, password, and birthday. • We may also collect certain information automatically from the user’s device, including internet or other network activity information such as device ID, IP address, web browser type and version, country-level location, as well as certain app activity data, such as video watches, time in the app, and general usage data. What information would be collected?

• Adults • Information users choose to provide • Information obtained from other sources • Information collected automatically Information users choose to provide

• Registration information, such as age, username and password, language, and email or phone number • Profile information, such as name, social media account information, and profile image • User-generated content, including comments, photographs, videos, and virtual item videos that you choose to upload or broadcast on the Platform (“User Content”) • Payment information, such as PayPal or other third-party payment information (where required for the purpose of payment) • Your phone and social network contacts, with your permission. If you choose to find other users through your phone contacts, we will access and collect the names and phone numbers and match that information against existing users of the Platform. If you choose to find other users through your social network contacts, we will collect your public profile information as well as names and profiles of your social contacts Information obtained from other sources

• Social Media. if you choose to link or sign up using your social network (such as Facebook, Twitter, Instagram, or Google), we may collect information from these social media services, including your contact lists for these services and information relating to your use of the Platform in relation to these services. • Third-Party Services. We may collect information about you from third-party services, such as advertising partners and analytics providers. • Other Users of the Platform. Sometimes other users of the Platform may provide us information about you, including through customer service inquiries. • Other Sources. We may collect information about you from other publicly available sources. Information collected automatically

• Usage Information: link your subscriber information with your activity on our Platform across all your devices using your email, phone number, or similar information. • Device Information: IP address, unique device identifiers, model of your device, your mobile carrier, time zone setting, screen resolution, operating system, app and file names and types, keystroke patterns or rhythms, and platform • Location data: SIM card and/or IP address. With your permission, we may also collect Global Positioning System (GPS) data. • Messages • Metadata • Cookies How does TikTok use the information?

Younger Users Adults

• We use the information we collect to provide • To customize the content you see when you and support our services. For example, we use use the Platform username and password to authenticate • To improve and develop our Platform and Younger Users. We may use the information conduct product development that is collected automatically to provide personalized content;. • To measure and understand the effectiveness of the advertising we serve to • Younger Users cannot publicly share personal you and others and to deliver targeted information, including videos or profile advertising information. • To support the social functions of the Platform How does TikTok share the information?

• Younger Users: • We share the information we collect with our corporate group and with service providers as necessary for them to perform a business purpose, professional service, or technology support function for us. • We may disclose personal information if permitted or required by law (i) in response to a court order or a subpoena; (ii) in response to a law enforcement or public agency’s (including schools or children services) request; (iii) if we believe disclosure may prevent the instigation of a crime, facilitate an investigation related to public safety or protect the safety of Younger Users using our sites or applications; (iv) to protect the security or integrity of our sites, applications, and other technology, as well as the technology of our service providers; or (v) enable us to take precautions against liability. How does TikTok share the information?

• For Adults • Service Providers and Business Partners • Within Our Corporate Group • In Connection with a Sale, Merger, or Other Business Transfer • Legal Reasons • With Your Consent: We may share information for other purposes pursuant to your consent or with your further direction. • If you access third-party services, such as Facebook, Google, or Twitter, to login to the Platform or to share information about your usage on the Platform with others, these third-party services may be able to collect information about you, including information about your activity on the Platform, and they may notify your connections on the third-party services about your use of the Platform, in accordance with their privacy policies. Security of the information

Younger Users Adults • We take steps to ensure that your • We use reasonable measures to help information is treated securely and in protect information from loss, theft, misuse accordance with this policy. Unfortunately, and unauthorized access, disclosure, the transmission of information via the alteration, and destruction. You should internet is not completely secure. Although understand that no data storage system or we will do our best to protect your transmission of data over the Internet or any information, for example, by encryption, we other public network can be guaranteed to cannot guarantee the security of your be 100 percent secure. information transmitted through the Platform; any transmission is at your own risk. Security Problems

• SMS Link Spoofing： It is possible to send a SMS message to any phone number on behalf of TikTok with a malicious link. • Cross-Site Scripting (XSS): One of TikTok’s subdomains is vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into otherwise benign and trusted websites. • Cross-site Request Forgery (CSRF): With the vulnerabilities above, hackers can perform actions on behalf of the victim, without his/her consent, including creating/deleting videos, change a private video to public one and exposing sensitive data such as email address, payment information, birthdates • Source: https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/ Thank you!

Name: Ziwei Zhao USCID: 6649875947 Social Media and Surveillance

CHRIS SAMAYOA FEBRUARY 21, 2020 Initial Questions

What data is/was available? ◦ Publicly available social media posts ◦ Data aggregated by third parties ◦ Geolocation information Acceptable for law enforcement use? ◦ Potential to stop crime ◦ Target criminal activity Potential for discrimination? ◦ ACLU (American Civil Liberties Union) ◦ Concerns over who is being targeted What if lives can be saved? About Geofeedia

Company founded in 2011 Funding 7 ◦ CIA venture capital firm, In-Q-Tel, provided 2nd round funding for $1.3 million ◦ Last funding round received February 2016 for 17 million Provided aggregate geospatial data from Twitter, Facebook, Instagram, YouTube, Flickr, Picasa, etc. ◦ Content could be searched based on geographic area ◦ “Firehose” connection to social media sites Advertisements ◦ Openly marketed for following protestor activity Loss of social media API access ◦ Report released by ACLU October 2016 documenting law enforcement use ◦ Loss of API access from Facebook, Twitter, and Instagram shortly after ACLU Reports on Geofeedia

“The ACLU of California has obtained records showing that Twitter, Facebook, and Instagram provided user data access to Geofeedia, a developer of a social media monitoring product that we have seen marketed to law enforcement as a tool to monitor activists and protesters.” 3 “Because Geofeedia obtained this access to Twitter, Facebook and Instagram as a developer, it could access a flow of data that would otherwise require an individual to “scrape” user data off of the services in an automated fashion that is prohibited by the terms of service.” 3 Policies requested 3: ◦ “No Data Access for Developers of Surveillance Tools” ◦ “Clear, Public, & Transparent Policies” ◦ “Oversight of Developers” Current State

Excerpt from Geofeedia Privacy Policy: “7.4 Access and Compliance (Law Enforcement Customers). If You are utilizing the Services in a law enforcement capacity, You acknowledge that third party licensors of Social Media Content (a) only permit use of Social Media Content, in a law enforcement capacity, to serve Public Safety Purposes; and (b) prohibit the segmentation of social media user data (and derived profiles of social media users) in a law enforcement capacity by (i) alleged or actual commission of a crime; (ii) health status (having a disease or condition); (iii) negative financial status or condition; (iv) political affiliation or beliefs; (v) racial or ethnic origin; (vi) religious or philosophical affiliation or beliefs; (viii) sex life (including pregnancy); or (viii) trade union membership.” 8 Market Interest

Geofeedia claimed 500 law enforcement and public safety clients before ACLU report 3 ◦ Marketed as a tool to track Black Lives Matter protesters News agencies ◦ CNN a customer up until late 2015 ◦ BBC Facebook 1 ◦ Company claimed it was unaware of Geofeedia’s practices ◦ Facebook used platform to catch “intruder” into Mark Zuckerberg’s office ◦ Confirmed it was a Geofeedia customer publicly ◦ Statement from Facebook: “Specifically, Geofeedia is required to get our approval before giving new clients access to our data”, privacy policy stated at the time that no developer could “sell, license, or purchase any data obtained from us or our services” or “put Facebook data in a search engine or directory” without permission Acceptable Use Policies

Facebook, Instagram, and Twitter have all banned the use of their data services for surveillance ◦ Example from Facebook in Platform Policy for Developers: “don’t use data obtained from us to provide tools that are used for surveillance.” 17 Challenges faced by social media platforms ◦ Pressure from ACLU and similar groups to protect user data ◦ Inability to directly control what third parties are doing with data ◦ User accessibility of data is necessary Who is responsible for these protections? Why the Concern?

Historical Context ◦ 2013 United States District Court for the Southern District of New York ruled “stop-and-frisk” practices unconstitutional 14 ◦ Broken Windows style policing ◦ Documented racial discrimination in the United States Digital “stop-and-frisk”? Difficulty gauging success ◦ Prevention is often difficult to quantify ◦ Increased detection of crime in targeted areas could be attributed to disproportionate attention and bias 14 Law Enforcement Examples

Operation Crew Cut 15 ◦ NYPD initiative to monitor social media posts of “gang members” ◦ Loose verbiage ◦ Implemented shortly after stop and frisk was disallowed ◦ Led to large number of arrests ◦ 94 of 103 individuals charged in a raid took a plea deal rather than stand trial ◦ Operation targeted at underprivileged communities Capital Gazette Shooting (2018) 18 ◦ Police say that Geofeedia could have helped to prevent shooting ◦ Tweet sent by attacker beforehand ◦ “F*** you, leave me alone” ◦ Years of threatening comments on social media Current State of Aggregation Sites

Plethora of social media data aggregation services still available ◦ ShadowDragon SocialNet – specifically marketed as investigation tool ◦ Dataminr – Twitter owns 5% and also funded early on by In-Q-Tel 7 ◦ Social Sentinel – markets to schools Terms of Service still lack clarity – e.g. Dunami 6 ◦ Advertised as corporate research tool for business marketing ◦ Dunami Privacy Statement excerpt: “Although we draw inferences from the data we collect about you, such as interests or preferences, we do not make any decisions based on that data. We make the data available to our customers who make their own decisions about how to use it.” ◦ No mention on restrictions regarding use for surveillance by law enforcement Student Monitoring

Social Sentinel 4 ◦ Per student pricing model for monitoring social media activity ◦ Automated alerts to school administrators for review ◦ Parameters for alerts set by Social Sentinel Difficulty defining a threat ◦ Student social media posts not handled in a consistent manner ◦ Do online claims substantiate guilt of a crime? ◦ Similar racial bias concerns Law Enforcement by Proxy Examples

NY Times 13 ◦ Sandy Hook school district: “In 2015, as the first anniversary of a shooting at Florida State approached, a post expressing sympathy for the gunman and an intent to visit the campus was intercepted by Social Sentinel, the campus police chief said. The man was stopped on campus and warned to stay away. When he returned, he was arrested.” ◦ "In 2013, the Huntsville City Schools in Alabama enlisted a consulting firm for a surveillance program that led to the expulsion of 14 students, 12 of them African-American.“ ◦ "One student had been accused of “holding too much money” in photographs, an investigation by the Southern Poverty Law Center found, and one was suspended for an Instagram post in which she wore a sweatshirt with an airbrushed image of her father, a murder victim. School officials said the sweatshirt’s colors and the student’s hand symbol were evidence of gang ties, according to the investigation.“ ◦ "Casey Wardynski, the district’s former superintendent, told local news organizations that the program had helped break up a local gang, and some students were expelled for wielding guns on Facebook." Examples Continued

The Atlantic 11 ◦ "Multiple teenagers have been punished for posting images of themselves legally holding guns outside of school hours, including a pair of boys from Lanoka Harbor, New Jersey, who were given in-school suspensions because they posted images on Snapchat showing themselves at a shooting range on a Saturday, and who are now suing the school district." ◦ 2018 social media post from student stating he would "shoot the f*****g school up“ in Dayton, OH ◦ No arrest after investigation ◦ One year later same student posts "You arent even prepared for tomorrow" on Snapchat ◦ Again PD found no evidence of threat – still suspended from school and removed from main campus ◦ Student in Scottsburg, IN expelled over social media posting of 7 second Walking Dead game clip ◦ Arrested and released two days later Current Direction

Privacy Over Security ◦ ACLU public reports ◦ CCPA (California Consumer Privacy Act) ◦ GDPR (General Data Protection Regulation) ◦ Increased Awareness Security Over Privacy ◦ Florida mandated creation of centralized repository of data to combine information from state agencies and individual social media accounts in an effort to prevent school shootings 9 ◦ Ever increasing monetization of user data by companies No Clear Path to Enforcement References

1 Brandom, R., & Lecher, C. (2016, October 19). Facebook caught an office intruder using the controversial surveillance tool it just blocked. Retrieved from https://www.theverge.com/2016/10/19/13317890/facebook-geofeedia-social- media-tracking-tool-mark-zuckerberg-office-intruder 2 Brandom, R. (2016, December 15). Twitter cuts off geospatial data access for police intelligence centers. Retrieved from https://www.theverge.com/2016/12/15/13969110/twitter-dataminr-fusion-center-geospatial-data-surveillance 3 Cagle, M. (2016, October 11). Facebook, Instagram, and Twitter Provided Data Access for a Surveillance Product Marketed to Target Activists of Color: ACLU of Northern CA. Retrieved from https://www.aclunc.org/blog/facebook- instagram-and-twitter-provided-data-access-surveillance-product-marketed-target

4 Chen, N. (2019, February 13). This software program could help prevent future school shootings. Retrieved from https://www.cnn.com/2019/02/13/health/school-shootings-software-social-media/index.html 5 Cushing, T. (2016, October 17). ACLU Dumps Docs On Social Media Monitoring Firm Geofeedia; Social Media Platforms Respond By Dumping Geofeedia. Retrieved from https://www.techdirt.com/articles/20161015/14143935806/aclu- dumps-docs-social-media-monitoring-firm-geofeedia-social-media-platforms-respond-dumping-geofeedia.shtml

6 Dunami. (2020). Privacy Statement. Retrieved from https://www.dunami.com/company-privacy-statement/ References (continued)

7 Fang, L. (2016, April 14). The CIA Is Investing in Firms That Mine Your Tweets and Instagram Photos. Retrieved from https://theintercept.com/2016/04/14/in-undisclosed-cia-investments-social-media-mining-looms-large/ 8 Geofeedia Service Agreement. (2016). Geofeedia Service Agreement. Retrieved from https://geofeedia.com/legal/service- agreement/geofeedia_service_agreement__july_2016_website_version.pdf 9 Herold, B. (2019, February 20). To Stop School Shootings, Fla. Will Merge Government Data, Social Media Posts. Retrieved from https://www.edweek.org/ew/articles/2018/07/26/to-stop-school-shootings-fla-will- merge.html 10 Hunckler, M. (2015, April 17). Geofeedia Enables Real-Time Social Search By Location. Retrieved from https://www.forbes.com/sites/matthunckler/2015/04/17/geofeedia-enables-real-time-social-search-by- location/#3a1f84cd499f 11 Kingkade, T. (2019, October 21). The False Alarms That Get Kids Arrested. Retrieved from https://www.theatlantic.com/politics/archive/2019/10/fake-school-shooting-threats-getting-kids- arrested/600238/ 12 Leetaru, K. (2016, October 12). Geofeedia Is Just The Tip Of The Iceberg: The Era Of Social Surveillence. Retrieved from https://www.forbes.com/sites/kalevleetaru/2016/10/12/geofeedia-is-just-the-tip-of-the- iceberg-the-era-of-social-surveillence/#1bae19a95b90 13 Leibowitz, A. (2018, September 6). Could Monitoring Students on Social Media Stop the Next School Shooting? Retrieved from https://www.nytimes.com/2018/09/06/us/social-media-monitoring-school- shootings.html References (continued)

14 Patton, D. U., Brunton, D.-W., Dixon, A., Miller, R. J., Leonard, P., & Hackman, R. (2017). Stop and Frisk Online: Theorizing Everyday Racism in Digital Policing in the Use of Social Media for Identification of Criminal Conduct and Associations. Social Media Society, 3(3). doi: 10.1177/2056305117733344 15 Rivlin-Nadler, M. (2016, May 12). The Strange Aftermath of the Largest Gang Bust in New York History. Retrieved from https://www.vice.com/en_us/article/8gkwaa/the-strange-aftermath-of-the-largest-gang-bust-in-new-york-history 16 Stewart, C. S., & Maremont, M. (2016, May 8). Twitter Bars Intelligence Agencies From Using Analytics Service. Retrieved from https://www.wsj.com/articles/twitter-bars-intelligence-agencies-from-using-analytics-service- 1462751682

17 Ullman, I. (2017, March 28). Social Networks Need Clearer Terms of Service. Retrieved from https://slate.com/technology/2017/03/the-geofeedia-controversy-shows-why-social-networks-need-clearer-tos.html 18 Wong, A. (2018, July 1). What is Geofeedia? The tool police say could have warned them to Capital Gazette shooter. Retrieved from https://www.usatoday.com/story/tech/2018/06/30/geofeedia-software-police-say-could-have-helped- track-capital-gazette-shooter/746009002/ INF 529 Security and Privacy in Informatics

Privacy in Targeted Ad Generation Abhishek Tatti Target Advertising

• What is it based on ? • Directed towards audiences What is with certain traits, based targeted on the advertising ? product or person the advertiser is promoting. Example

• I am looking for Gym Gear on Google • Soon I open my Instagram account • What do I find? Surprise !!! How does it work?

•

• Ads are based on Facebook activity - pages you and your friends like • Facebook and Instagram profile What all data is • Places you check in using Facebook • Your activity with other businesses on FB. used to • Whose apps or websites you have interacted with generate • Whose ads you’ve clicked • User activity on websites and apps that you use and visit advertisements • Whom you’ve hidden – Advertisers you want to hide? • Your Information: About you and Your Categories ? • Cookies: Advertisements, recommendations and measurement. • User Location • Ad Preferences Algorithm/ Ad

Advertiser chooses a campaign objective

Advertiser identifies desired audience

Advertiser creates ad

Auction

Expected Feedback

Display Ad Facebook outside Facebook

Facebook Pixel

Facebook Audience Network

Facebook Software Development Kit Ethos

Detect and target the most depressed, lonely, or outraged people in society.

Build your behavioral profile,

Calculate your emotion quotients

Estimate your income.

Manipulate peoples thinking and beliefs

Data breaches

Call logs, messages and microphone

Lack of clarity and transparency

Predict your actions Ad Preferences

What information do users provide via Ad• Preferences? • Personal Interests - Business and Industry, Sports and Outdoors, People, Shopping and Fashion, News and entertainment, Lifestyle and culture, Removed Interests, etc • Advertisers and Businesses Who uploaded a list with your info and advertised to it • Bookmyshow, Swiggy, HealthifyMe, Codecademy, HDFC Bank, etc. • Sharing with business without revealing actual identity Whose apps or websites you have interacted with • Instagram for Business, Allset, CNBC, Disney+, Amazon.com, etc. Whose ads you’ve clicked

Whom you’ve hidden – Advertisers you want to hide?

Your Personal Information: About you and Your Categories User Control

Ads based on data from Partners

Ads based on social activity

Ads based on FB company Products

Hide Ad Topics

Clean browsing practices Privacy Protection & Control Case Study Cambridge Analytica Privacy Laws & Regulations

Limit a developer’s access to user data.

Restrict app developers to access its users’ data due to inactivity

Reduce information sharing with third parties.

Audit all apps.

Only authorized advertisers in the US are able to run electoral ads or issue ads

"Paid for by" disclaimers for all election-related and issue ads on Facebook and Instagram in the US.

The Ad Library is made publicly available for anyone to access at http://facebook.com/adlibrary Facebook Pixel & GDPR

Websites using Facebook pixel • A retail ecommerce website using cookies • A blog that uses an analytics provider • A news media website that uses a third-party ad server • A Facebook advertiser who installs the Facebook or Atlas pixel on its website Custom Audiences • Uploading email list - data controller. • Subscriber Consent Compliance with GPDR CCPA

Facebook targets their ads to users it believes fit the requested profile generated on general demographics. Facebook refuses to change their Web Tracking services

Believes that CCPA doesn’t apply to them.

Businesses are able to install Pixel free of charge, Pay only for Facebook to deliver targeted ads based on the information they harvest. They are not directly selling the personal data

It is never made visible to them. Conclusion

Privacy – “The Cost of Convenience”

Learn the correct way to use social media

Know your rights Thank You Privacy Concerns with User Data on Social Media Shanice Williams 02/21/2020 Agenda

• Privacy concerns to user data in Social Networking environments

• Threats / Attacks used to gain the data

• Ways to protect yourself and data?

• References Privacy Concern’s/Threats

• Privacy concerns on social media can mostly be categorized into two groups • Company use of data from users • Ads • 3rd Party PII • 3rd party apps/ system vulnerabilities • Data/privacy breaches • Kinds of data user provides to Social Media • Location Tracking (Posts, geotags, etc.) • Identity Theft • Social Engineering Company Use - Ads

• Uses data mining tools to suggest user specific ads • Beneficial? • Allows users to only see ads they are interested in

• Privacy invasive? • Invading users data without their knowledge • Collecting information on user base on users activity within the app Company Use – 3rd Party PII

PII – Personal Identifiable Information

• 3rd parties such as app developers, cloud services, etc. have access to an users personal information • Name, address, age, likes, friends/family, photos,etc.

• 3rd parties can exploit your data • Sell your data for profit • Piece up data and use for their own good (stalking, impersonating, identity theft, try to gain access to your accounts, etc.) Company Use – 3rd Party Apps/ Vulnerabilities

• Trust in their systems • Not sure of where your data resides • Is data encrypted during transmission and at rest? • What data do they have and how is it being used? • Possible data breaches • Includes a 2nd factor of a possible breach of information • Adversary can make up fake apps to collect users data Company - Data/ Privacy Breaches

• Just like any other breach, it is out of users control • User records of their identities, usage on site, friends’ lists, likes, and comments are centrally stored on servers. • These collections of social media items located at a central place can provide too much knowledge about users’ personal information. • User Data Compromised • Puts users data in the wrong hands • Adversary uses data for their own profits and gains

• Types of Attacks • Infrastructure attacks • Malware/ Virus Attacks • Phishing Attacks User - Location Tracking

• User location is a key privacy measure • User location within social networks discloses a lot of information to data analyst and adversaries.

• Displaying locations in social media can cause a severe threat to user

• Users can be tracked by geotags, pictures you post in popular destinations/ attractions, GPS, etc. • Most users don’t think about this, and typically post pictures for likes. Users – Identity Theft

• Identity Theft is taking the identity of someone and portraying yourself as if you were that person. • Ways Identity Theft can occur in social networks: • Gain access to users social accounts through passcode cracking or company breaches • Uses information posted on your social media accounts to answer your security questions, change passwords, hack into other important accounts you own. • Photos and Videos you post can provide an adversary to deeper insights of who you are, friends/ family, and interests. Usually the types of security questions you see. User – Social Engineering

• Social Engineering is interaction between humans that is used to manipulate and exploit information

• Adversaries are able to gain knowledge of who someone is or associates with based on the data you provided on your social site and your friends list.

• Common Scams used: • Grandparent Scam, Lottery Scams, Online Dating Scams, Senior Citizen Fraud, etc. https://www.researchgate.net/publication/334813966_Privacy_Concerns_in_Online_Social_Networks_A_Users'_Perspective https://www.researchgate.net/publication/301234158_On_Privacy_and_Security_in_Social_Media_-_A_Comprehensive_Study How to protect yourself?

• Understand the fine print • Read the policy agreements and understand what you signing up for - What to look for in the privacy policy: • Who owns the data that a user posts? • What happens to the data when the user account is closed? • How does changes in the privacy policy be made aware to its users? • The location of the privacy policy that is effective • Will the profile page be completely erased when a user deletes the account? • Where and how can a user complain in case of any breach in privacy? • For how long is the personal information stored?

• Check privacy settings Protecting yourself on Social Networks

• Be aware of photos / videos you post • Always be cautious on what you post online, it will be there forever • Minimize use of personal information you post

• Only invite friends you know to your social networks

• Have unique usernames and passwords for each social network account References

• Ali, Ahmad, et al. “Privacy Concerns in Online Social Networks: A Users' Perspective.” Privacy Concerns in Online Social Networks: A Users' Perspective, International Journal of Advanced Computer Science and Applications , Aug. 2019, www.researchgate.net/publication/334813966_Privacy_Concerns_in _Online_Social_Networks_A_Users'_Perspective. • Kumar, Senthil, et al. “On Privacy and Security in Social Media – A Comprehensive Study.” On Privacy and Security in Social Media – A Comprehensive Study, Procedia Computer Science, Dec. 2016, www.researchgate.net/publication/301234158_On_Privacy_and_Sec urity_in_Social_Media_-_A_Comprehensive_Study. • Mali, Joy. “Identity Theft Through Social Networking? Lessons to Take Now!” Lifehack, Lifehack, 5 July 2013, www.lifehack.org/articles/technology/identity-theft-through-social- networking-lessons-take-now.html. Mid-Term

Review for Mid-Term Exam • Mid-term will be Open Book, Open Note. • Electronic devices may be used, but you must have them in airplane mode, i.e. no Internet Access. • Previous mid-term exams on website.

• ** You will be asked to argue BOTH sides of at least one Privacy issue *** Mid-Term Outline of Material

Overview of security and privacy What are they, why we have neither Relationship between the two

Understanding our data in the cloud What data exists and who can access it Both officially and unofficially What is the data used for What can it be potentially used for Mid-Term Outline of Material

Overview of Technical Security Confidentiality, Integrity, Availability The role of Policy Risk Management from multiple perspectives Mechanisms Encryption/Key Management, Firewalls, Authentication, Digital Signatures, Authorization, Detection, Trusted hardware Attacks Malicious Code Social Engineering Attack Life Cycle Mid-Term Outline of Material

Identity Management and Privacy

Expectations of Privacy

Issues on Government Access for Law Enforcement or other Purposes.

I will ask opinions on the predominant current events: GDPR, Facebook, Google, (others, let’s discuss), specifically with respect to how they relate to the topics above. Mid-term Format

Sample service sector Description of the service Questions for you Analyze the information requirements And the policies to apply to preserve privacy. Discuss ethical issues around that policy. What are the expectations of users. Discuss the vulnerabilities that likely exist and how attacks might be facilitated Discuss technical and design measures one might use to preserve security and privacy in the system. 2019 Mid-Term

How did they get my data? (30 points) Privacy breaches involve inappropriate access to or use of personally identifiable information. Such inappropriate access typically takes one of two forms. Either data held legitimately is disclosed through the actions of criminals that breach the security of a system, or alternatively, the holder of the information gives the data to someone that should not have access or uses the data in ways that are not authorized or collects data they shouldn’t be collecting to begin with.

a) List the three primary ways that adversaries can get hold of your personally identifiable data in the systems that you use. (10 points) [Hint, of the three different ways, two of them are probably your own fault]

b) Explain the role that malware, malicious apps, or apps that exceed their legitimate authority play in mis-use or release of our PII. (10 points) [Hint, it can play a role in any of the three ways covered in 1a, but you must explain how it does so]

c) If you were designing a system that used PII, what are some of the steps you would take to minimize the risk of inappropriate disclosure of PII to others. (10 points)

107 2019 Mid-Term 2) Much of the information collected about us has been collected and stored for many years. The first photograph was taken around 1827, the first video (moves) were recorded in 1888. The earliest transaction receipts (records of goods traded) go back at least as far as the Mesopotamian civilizations. Given that such data has been recorded for years, what has changed about our technology that makes things different in terms of its impact on our privacy? (10 points)

108 2019 Mid-Term

• The primary focus in class for our discussion on expectations of privacy was on access to our private data by our government (e.g. search and seizure, wiretaps, our encrypted data, messages, email, as well as transaction records, information from security cameras, and even D.N.A.). The discussion was very much focused on the expectations of individuals within the United States. There are equally legitimate arguments on both sides of the issue regarding what kind of access is to be permitted and what should be the conditions under which the data may be used. These arguments attempt to balance potential rights of privacy with the need of government to stop crime and protect its citizens. These arguments have been made for and against proposals in the United States, and they have been made in other countries as well, sometimes resulting in different outcomes in terms of the laws that apply. • In this question you are to make arguments in favor of the rights of individual privacy over the need for governments to have access to significant private information for the purpose of public safety. You are ALSO to make arguments in favor of the need for government to have access to private information, even at the cost of diminishing individual privacy. I want you to make equally compelling arguments on each side of this issue, and you should provide example scenarios or real world examples that support each of the opposing arguments. • You do not need to tell me where your personal beliefs fall in terms of these arguments. I am not grading your viewpoint. If, however, you object to arguing the opposing side as your own, then you may cast those arguments as “Others ague that”, or with similar wording. (30 points)

109 2019 Mid-Term

You have been hired by a joint commission comprising the FTC in the United States, and investigators from the E.U. to analyze the security and privacy practices of Facebook, Google, Apple, and similar data brokers In particular, you are asked to check whether the practices of these organizations are consistent with the terms and conditions / privacy policies of the organizations, and with applicable law in Europe and the U.S. • List some of the actions (and inaction) by these three organizations that have come under fire by regulators for demonstrating a lack of concern for the privacy of individuals. [hint, most of these items were the subject of multiple current event discussions] (10 points)

• Discuss policy, technical, and procedural recommendations that you have for these three organizations, and other organizations that process this kind of PII, that will help them to address these concerns. (10 points)

• Discuss your recommendations for elements that you feel should be part of a comprehensive U.S. privacy law in order to address the potential misuse of our PII by these and other private organizations. (10 points)

110