Updated: Jul 31, 2020
Every time I open my Facebook, it keeps asking me to complete my profile. The last guy I dated did not even bother to ask what my hobbies are, so thank you Mr. Zuckerberg. Finally, I added fishing as one of my hobbies. I scrolled through my newsfeed to check if the suggested posts have changed. But I only saw a ton of Profoundly posts— throwaway bits of humor, satire, sexual desire or just plain absurdity that may sum up the intelligence of this generation.
Don’t get me wrong, I can use it to ask my friend who is a Facebook-certified lawyer, doctor and economist (probably a fisherman, too) to help me with my newfound hobby.
But amid this internet phenomenon of people asking “Pwede ba kita i-PM?” in anonymity, my concern really is how vulnerable we are to data breach and information theft. Of course, Facebook is not asking what my hobbies are because they are interested to know about me, but because they can use my information to sell me out.
My experience in IT Risk and Assurance at Price Waterhouse Coopers, which heavily deals with IT security controls and data integrity, helped me understand the risks of making our data or information available online. Every time we open webpages, click links, perform actions or use the search engine, we leave a digital footprint— a trail of data we create while using the internet. That’s how Facebook or other platforms predict our behavior, how they know what we like to see or things to buy. It almost feels like we would never have a more persistent stalker ever. Well, porn sites are not that adaptive. They only usually show you what’s popular.
Big Brother: Cyber Edition
Being a financial auditor and data analyst helped me gain a judicious professional skepticism, which acts like a crazy-o-meter of seeing red flags for potential fraud or misrepresentation. When I am paying online, I always check if the website is secured (using https). While against my emotions, I don’t continue with the download when I’m redirected to an ad for varicose veins, although sometimes I love cross referencing some of the claims with journals and statistical sources. Some were based on my personal experience. Like when someone posted my ugly throwback photo on one of our groups in Facebook Messenger, I changed the privacy of almost all my albums to ‘Only me’ and restricted my succeeding posts and ‘excepted’ all my kontrabida friends.
But mind you, there’s no one crazier and more paranoid than my colleagues from IT Audit, especially those who specialize in Information Security. These guys always ask me to lock my laptop even if I’d just get water, which is a good habit because I almost left my screen on a job hunting site when our executive was roving around our area. They also have this sophisticated privacy tempered glass on their phones, where they look stupid when they’re glaring at the black screen (so I thought).
They also keep track of the password age and usage of their personal devices. Obviously, they’re not satisfied with the face recognition and fingerprint scan, which I don’t even use. When I asked for our pictures during the Christmas party, the file they sent me was encrypted and protected by password which took me a while to figure out.
If I asked one of them to book a room for our summer outing, he might give me a list of preliminary findings on the weaknesses in the coding, or whatever they call them, just from clicking ‘View page source’ on the hotel website. Many of them also have no social media accounts. Although I confirmed that some of them use dating apps, on a stealth mode that married guys have also mastered.
I remember when I tried to ask someone from IT Operations if I could add him on Facebook just to know if his profile is just hidden or ‘beware-of-strangers’ private enough (I actually already tried searching because he is very attractive). Sadly, he really doesn’t have one. That moment, I felt like “You’re an IT guy but you’re not technology savvy? Even babies have their own account nowadays. They even reply to your comments, ‘Thank you po sa mga likes’ or ‘Mas gwapo ako kay Daddy.’” My eyebrows were moving like a seismic wave.
They told me that they don’t want to be on the radar of Big Brother, which baffled me. If this is the same as the voyeuristic and psychodrama reality TV franchise, then I have to agree to some extent. Facebook is definitely the confession room. Twitter is the eviction hall, it’s just where you go if you don’t like someone. But like the economic principle of the Invisible Hand, Big Brother does not refer to a conspiracy-created syndicate group that has total control of the internet. It is an abstract concept where our data and information are under the surveillance of unobservable forces.
Don’t talk to me
For Mr. Cesar Cervantes, Senior Manager for IT Audit of SM Investments Corporation, the famous marketing expression “If you are not in social media, you don’t exist” is only true for businesses. From corporations to entrepreneurs, “establishing social media identity and presence creates a brand that is engaging and inclusive, where consumers can relate and rely on to.” This is true. Who would bother anyway to check a business with no website, or a page with incomplete details and poor layout? We decide on things with just a click of a button.
“There is no such thing as privacy in social media,” he shared. For us private individuals, once we post something on any online social network, its privacy is no longer a personal choice.
“We can always set the privacy of our posts, but we cannot influence others from sharing or commenting on them.” It’s really funny when I remember my friend posting “Don’t talk to me.” on Facebook. Oh please, just block the person or deactivate your account. Then one moment after, she’d post her Maging Sino Ka Man line, “Kung sawa ka na, kung napapagod ka na sa pag-aalaga sa akin then go do it! But don’t go messing around behind my back.” Girl, suntukan?
I always try to limit my posts in social media, mostly reposting memes or videos from other pages. Who doesn’t like a cat who can do karate chops, anyway? I have already been called a poser (I’m not trying to sound famous) for not having public posts. Aside from being bashed, a more important issue is that the location, time stamp or other information on our posts can be used to trace us or to obtain sensitive data. I remember someone posting his PRC ID but he forgot to cover his personal information. It's a great milestone to share, but he was careless enough to let a fraudster steal his identity in just a matter of seconds. And you should never let anyone figure out your age from your birthday that easily.
Name a Scam
It’s not only the things we share in social media that we should be wary about. We should be mindful of how we use our accounts to access different applications or websites. An example is the single sign-in feature of Facebook, where we allow third parties cross-platform access by using our Facebook credentials to sign in or log in. This growing norm is a double-edged sword, convenient yet highly subject to data security failures. As data become more available and organizations are obliged to share access across publicly mistrusted media, the potential for and the reality of data compromise have become one of the top risks we face.
Just recently, Facebook was at the center of a privacy controversy after news broke out that copies of passwords for hundreds of millions of users were kept in plaintext, searchable by thousands of Facebook employees. These big tech companies are not invulnerable to data breaches and cybersecurity attacks, even though they spend millions of dollars on data security and infrastructure. How much more for us, who don’t even know how that OMG game app fetches information from our Facebook account? I bet you just click “Allow Facebook to access whatever” without second thoughts.
One thing I learned from IT guys is to always enable two-factor authentication or one-time password, which helps in fending off potential intruders or hackers from accessing my account. I’m one of those guilty of using the same password for every account I have. If someone borrowed my Mobile Legends account, he could access my email or bank accounts or my WiFi (and I don’t simply share my WiFi with anyone). But now, I’m already using a combination of capital letters, numbers, and special characters (e.g., M@g@nD@Ak0).
As the top social media user in the world for four consecutive years, Filipinos are the most exposed to data security issues. With an average of four hours spent on social media daily, every Filipino has met the minimum work experience to be a social media manager. But as they say, experience doesn’t necessarily go with time. There are some who easily get fooled by phishing scams (I’m not referring to my hobby).
Phishing is a fraudulent attempt to obtain personal information by using a fake website. The most notorious are the “Receive the latest offer” or “Share and win a prize” scams in Facebook Messenger, and “Your account is cancelled” with a fake reactivation link that contains malware. And just weeks ago, there were phishing websites targeting those who want to know their anonymous senders in Profoundly. Others were victims of a more complex, psychologically-driven modus like the love scam, where a person pretends to be someone else and cons the victim into a romantic affair, asking to send money or other favors.
I am not a robot
Data breach and information theft are present not only in social media but in the regular use of the internet as well. According to ISACA, a professional organization focused on information security and governance, security breaches seem to be a daily occurrence and firms cannot simply turn a blind eye to information security.
Our IT guys always remind me to check every piece of information I put online. And it’s been very helpful; it has always been part of my practice to check the terms and conditions and the purpose of why my personal information is needed. It’s now a conscious effort to decide if I will allow the collection and use of my data. And yes, clicking the ‘I am not a robot’ actually makes me feel like a thinking human being.
With the mandate of Data Privacy Act of 2012, our right against any unauthorized processing of our personal information is upheld and protected. Organizations which collect our information must keep them accurate and relevant, use them only for the stated purposes, and retain them only for as long as reasonably needed. Yes, you have all the legal basis to sue that insurance company who asked for your contact details on their survey then sent you multiple emails on whatever seminars and products.
One time, I tried to search my name in Google to check how pervasive my personal information is. I couldn't remember sending anyone my nudes, but I was rather strung out that I might find one. Oh god, all the guys I had an affair with flashed through my mind like a photocopier. Okay, so there's my Facebook (obviously, I have been mentioning it a lot), my post on Yahoo Answers asking about a nonsense topic (I’d be willing to ask about the best fishing spot if I’d post again), my account in Piknu (I could not remember signing up for this), then I was really in a dither when I saw our grades in Integrated Review and CPA board exam at Course Hero, uploaded by king.nersus. It was used as source data for a thesis about the correlation of the two. I was not able to know more about the study because it says ‘Subscribe to unlock’. I don’t know which is more frustrating, seeing that your personal information is there or knowing that you don’t have money to subscribe.
What really threw off my balance was not my grades that are line of 7 (fortunately, I am not an outlier), but the fact that that information might have been on the internet for quite some time and used to cause prejudice against me or my classmates, and I have no idea. Whatever the academic endeavor of king.nersus was, he should have at least sanitized the data as I don’t recall giving my permission for that specific information. And please, he could have chosen a better alias. I mean, who would believe an academic paper under a name of king.nersus?
Well, this kind of issue is not only a personal dilemma. Early this year, the DFA was in the hot seat for a possible data breach on passport information, in which millions of records might have been stolen. Although the actual cost remains unknown, the potential level of loss could approach the hundred-million-peso mark or more.
But do we really care? Our awareness of data breaches is so inutile that I can pass forms in the street asking for personal information in exchange for free pens or popcorn, then sell them as a customer list or intelligence report. And nobody will know, just a bunch of people scratching their heads why they’re receiving unsolicited text promos or email pitches.
While data access and information security design are overly complicated and technical areas only the crazy guys in IT can understand, the next time you put your information online or share your personal information, think crazy like them. My profession has taught me that “to catch a thief, you must think like a thief.” Always think of all the possibilities of how your data can be misused or accessed inappropriately. As for my hobby, receiving invites for tilapia or bangus fishing wouldn’t cause much harm so I’ll leave it as it is.
Reposted from our old website.