Apr 20, 2019, 08:00am
Facebook's Privacy Seems To Be Traveling Away
Joe Gray
Cybersecurity
https://www.forbes.com/sites/joegray/2019/04/20/facebooks-privacy-seems-to-be-traveling-away/#6e0b5b7b230c
Regarding Facebook, there is no shortage of controversy or concerns facing their users. Whether it be a privacy breach from data misuse, Instagram passwords being compromised or the Cambridge Analytica data collection activities, Facebook has had its share of media attention from excessive permissions or not being upfront about new Terms of Service agreements.
Fast forward and it is brought to my attention that Facebook was advertising "Traveling Friends" to users of the mobile app. I stopped using the mobile app a few months ago after researching the permissions and data collection practices in favor of using a mobile browser that does not allow the same data collection. So I decided to reinstall the app on iOS (Apple iPhone) to see if I could recreate the condition. I searched for "Traveling Friends" and found some pages that appeared to be attempting to convince users that it was legitimate. I decided to try to find it via the "Nearby Friends" feature. There it is.
To be completely transparent, I also had to enable location services, and to be able to see all "Traveling Friends," I had to give the app permission to always collect location information. I would not normally enable such a feature out of an abundance of caution. I understand that by having a Facebook account, one cannot attain full anonymity or privacy just as it is impossible to attain even if one avoids social media altogether. From my experience in Open Source Intelligence (OSINT), I have found that it is easier to manage one's online presence by having accounts and exercising sound techniques in access controls, app permissions and the data input into the social media platform.
Regarding the vulnerability feature that is being discussed here, when navigating to "Nearby Friends" via the iOS mobile app, I was prompted to change the location services setting. Once that was changed, I was able to see that 4 of my friends were traveling. I searched the Facebook Newsroom for an announcement on the vulnerability feature, but I was unsuccessful in finding anything. I noted where the 4 friends live and where they were listed. As observed in the screenshot below, all 4 people are 100 or more miles away and presumably have location services turned on and set to "always."
I blurred out the listed distance because that could be used to compromise my precise location. One friend is from my hometown and was in a nearby big city 150 miles away. I reached out to another friend and they were 100 miles away with their lover. I looked up the locations of the other two friends and they were one and three states away from "home" respectively. So, it appears that if a user has "Nearby Friends" turned on and is more than 100 miles from the location listed as home on their profile, then they will show up. I have some upcoming travel so I will test in a controlled manner on the trip.
Regarding the privacy implications, this is something that could affect many people's operations security (OPSEC) if enabled with location services. In an abuse case scenario, this could implicate an employee who falsely claims to be sick while actually on a recreational trip (if they are Facebook friends with any colleagues). Alternatively, this could give up locations of law enforcement or military when conducting operations outside 100 miles. This also gives unscrupulous people who are on a user's friends list the information that would assist them in knowing no one is home and that it may be easier to rob that home.
To protect yourself and your location, I recommend not enabling location services at all. If you do not have a necessity to use the application or have an interest in enhanced security, do not even use the mobile app; log in via a web browser. If you have a reason to enable location services, change the app's setting to "only when using the app." If possible, enable location services via the phone (not the app) only when using them. This will prevent any changes to the default configuration during app updates. Using social media can be fun, rewarding or exciting but if misused or used without all the information, it can be quite the opposite.