Social media: overview of security measures and privacy policies

Every day we use social media and rarely consider how well our information is safeguarded there. How do platforms use it? What are their security measures? What about leaks and breaches? How often do they happen to companies? We, the Analytical department of Falcongaze, did our best to answer these questions objectively. We checked the companies’ security measures. We also searched for leaks and breaches that happened to them in the past 2-3 years. We hope that this article will help you choose a platform for communication, or at least make you aware of what data you provide to a platform and how its owner uses it.

Facebook

Facebook collects the data that users provide when using its products. The platform tracks all registration data, content, information about subscriptions, and communications with other users. The company also tracks how a user uses its products: what content they view, what features they use, etc. If a user buys something through the Facebook platform, it stores all payment data, transaction data, and contacts.

Facebook tracks information about users’ devices: not only mobile phones, computers, and tablets, but also web-connected TVs and other devices integrated with Facebook products. The information obtained includes device attributes (OS, hardware and software versions, battery level, signal strength, etc.), device operations (mouse movements, window placement, etc.), identifiers (device IDs, identifiers from games, apps, and accounts used), device signals, settings, network, connections, and cookie data.

Moreover, Facebook receives data from its partners who use Facebook Business Tools. Consequently, the company is aware of what websites a user visits, what they buy, and what games they play.

Why does Facebook collect so much data? It uses this information to personalize and enhance its products. It also analyzes how successful the advertising campaigns of Facebook partners are. The company scans this data for spam and fraudulent content.

The platform also gives users the option to remove their data.

As for security measures, Facebook has the following. The platform uses the secure HTTPS protocol, which automatically encrypts the connection. A user is also notified when unauthorized access to their account happens. There is 2FA with the following ways of additional identification: the Code Generator app or an SMS code. After using one of these ways, you can set up either login attempt approval, a recovery code, or a security key.

Facebook has had a lot of breaches. In April 2019, 540 million users’ records were exposed on an Amazon cloud server. Two third-party developers were responsible for that: Cultura Colectiva (a media company based in Mexico) and At the Pool (an app meant to help people meet up).

In September 2019, 419 million records were exposed. They included users’ telephone numbers and their Facebook account IDs.

In November 2020, South Korea fined Facebook $6.1 million for providing third parties with the data of at least 3.3 million South Koreans. It happened because these users registered on other platforms using their Facebook accounts. The data was passed on without their consent. The incident lasted from May 2012 until June 2018.

Instagram

Instagram belongs to Facebook. The platform follows the standard of international human rights in assessing the harm or benefit that published content causes. That is the reason Instagram asks users to publish their own photos and videos, and not to publish content with nudity or artificially collect likes, followers, and shares. The platform asks users to follow the law, because moderators remove all content with threats, humiliations, etc.

Instagram collects the data that a user provides: content, messages, and credentials. It tracks information about the people, pages, and hashtags that a user follows. To personalize content and analyze ad campaigns’ success, the platform collects data from devices integrated with its products. Third parties provide the company with information about users’ activities outside Facebook.

Users are able to make their accounts private so that only followers see published content. There is also 2FA. To sign in using another device, a user will receive an SMS with a code or a list of single-use codes.

It must be mentioned that in 2019, Zuckerberg came up with the idea of integrating the company’s products: WhatsApp, Instagram Direct, and Facebook Messenger. He planned to standardize the infrastructure but let the services operate as stand-alone apps. This is useful when a user needs to send a message, for instance, in Messenger to another user who doesn’t have an account there but has one in WhatsApp. In that case, the message is delivered from Messenger to WhatsApp. Facebook also planned to equip the services with end-to-end encryption.

In September 2020, users from several countries could use this feature in Messenger and Instagram. Also, it is up to users to decide whether to unify their messengers or not.

235 million users of Instagram, TikTok, and YouTube became victims of a leak in August 2020. It happened because of Social Data, a platform that sold influencers’ data to marketing specialists. To access the database, a hacker would not need a password. The data included names, contacts, personal information, and statistics on subscribers.

Security researcher Bob Diachenko figured out that much of the data came from Deep Social, as the datasets were named after the platform (e.g. accounts-deepsocial-90). But Deep Social forwarded the leak to Social Data, which admitted it and took down the servers three hours later. Instagram and Facebook stopped being partners with Deep Social in 2018. They threatened legal action against the platform if it continued scraping their users’ data.

The year 2021 also began with a breach, this time at Socialarks. 408 GB of data from 214 million Facebook, Instagram, and LinkedIn accounts were exposed. Passwords and financial data were stored. Socialarks used web scraping of users’ public information, that is, data that users allowed others to see, such as names, profile pictures, the number of followers, etc. The exposed data, however, also included information that is not usually open to other users, for instance, telephone numbers and e-mail addresses. How the company managed to obtain that data remains unknown.

Twitter

Twitter recommends using a strong password that is not used on other websites. The platform has 2FA; the second factor can be a code, an app, or a physical security key.

If a user signs in from another device, Twitter will notify them via an app or e-mail.

The platform does not track a user’s location by default. Users can switch that function on themselves if they want to attach a location to tweets. If this feature is on, Twitter collects, stores, and uses that information to show the user local events and ads.

Twitter also tracks users’ personal data (e-mail address, telephone number, contacts) and additional data (type of device, IP address). This data is used to personalize recommendations and provide security. Twitter allows users to configure what information the company can track.

If a user provides the platform with financial data, it is stored to process operations and track fraudulent activities.

Twitter also receives users’ information from third parties. This includes web browser cookie IDs, mobile device IDs, information about interests, and viewed content.

The company will share access to users’ accounts with third-party apps or web clients only with the user’s permission. However, Twitter reserves the right to store, use, and share users’ data if law enforcement demands it.

In May 2019, the platform had a glitch that caused location data of iOS users to leak to a partner. The bug was fixed quickly, but the company provided little information about who was affected, when the incident was discovered, and who could access the leaked data.

The last huge Twitter hack happened in July 2020. More than 130 accounts of famous people were compromised, among them accounts belonging to Barack Obama, Elon Musk, Kanye West, Bill Gates, etc. On these accounts, the malicious actors published a post saying that if a user sent them Bitcoin, the user would receive it back doubled. The scammers earned $120,000 through approximately 300 transactions.

The Analytical department of Falcongaze wanted to tell you about the security measures and privacy policies of social media and about the breaches that happened to them. We could hardly cover all of the incidents that happened in the past 2-3 years. However, we hope that we made it easier for you to choose a platform for communication and information transmission, taking into account the security measures that each one provides.
