F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click here.

Facebook has unparalleled access to data tracking more than a billion individuals across the globe.

This access is “given” by people who would be denied access to Facebook and their “friends” if they do not agree to baffling terms and conditions. These Facebook users may not even be aware of what they’re disclosing or are so overwhelmed by the reality of what they’re revealing about themselves that they may be in denial of the potential consequences.

Regardless of what people tell themselves, there is an undeniable anxiety that feeds persistent rumors that Facebook spies on their users via the microphones and cameras on their mobile devices. This excellent ReplyAll podcast gives fascinating examples of how and why this notion persists in the general public, and just how hard it is to dispel even for the technically aware.

But Facebook does not need to use our microphones and cameras. It already has more than enough information from our metadata to know us better than even our spouses do.

However, understanding the power of metadata is not easy.

Metadata’s power does not come from any one piece of information, but from the sum of many insignificant pieces of information. All the little pieces are cleverly combined and correlated to guess precise and thoroughly creepy information that we never provided directly.

To give an idea of some of the information Facebook can infer about you, here is a list of nearly 100 spookily precise categories that they allow advertisers to use when targeting you.

One amusing demonstration of how this works is the satirical case of a “ye olde data scientist” working for the British colonial office who identified Paul Revere as the ringleader of the American Revolution, allowing the Red Coats to snuff out liberty before it had a chance to start.

Facebook has a lot more little insignificant pieces of information than we can easily grasp. It is impossible to really list every single possible piece of data that the site can capture about us, but I will try anyway!

The data Facebook potentially has on us all can be classified in 7 key categories:

1. Data your hand over willingly: everything you post directly; everything you ‘like’; every location check-in you make; all your friends/followers; all messages you send privately to your friends/followers; all your searches.

2. Data they can gather about your behaviour on their properties without any real consent: all your clicks; how long you stay on each image/video/text; how your mouse moves around (correlates with eye movements); all you type but don’t submit.

3. Data they can gather without any real consent about your behaviour on other properties that include Facebook spyware (ads, pixels, share/like buttons): all the same information as 1 & 2 combined; also Facebook create shadow profiles for tracking ‘users’ who have never used a Facebook service.

4. Data they can gather without any real consent from your phone/tablet: fine detailed geo-location over time; what other apps you use; files (videos/photos/documents) on your devices; user names, contacts, messages, calls; the name and metadata of every WiFi hotspot and BlueTooth device you have ever connected to; the infamous camera/microphone surveillance that they deny.

5. Data they can gather without any real consent from your phone/tablet via other apps: same as 3 but without installing any Facebook app on your device; for example, Facebook bought a VPN app that can report back on all internet traffic from all apps on a device with the app installed.

6. Offline data they can buy and/or get via partnerships without any real consent: your credit history, your bank card payments history; your shopping loyalty program history; any available government records (house ownership, voter registration, etc).

7. Online data they can buy and/or get via partnerships without any real consent: results of online tests you have taken for fun, which are often run by data stalking companies to build psychometric profiles (for example think Cambridge Analytica).

This list is far from complete, but this is all real data that we know Facebook and similar companies gather. None of it requires using the microphone and camera permissions that you ‘agreed’ to give them during installation.

And it’s only the beginning. They are also using cutting edge psychological research to manipulate what we see to secretly push changes in our behavior, including related to voting. Like Google, it has bought a generation of the world’s best and brightest in fields as diverse as AI and anthropology, and put them all to work day and night trying to make the ultimate in paid advertisements.

We are wasting so much talent that could be curing diseases, elevating humanity, and making the world a more just and free place. And on what? Twisting society into a fishbowl with a very few people standing outside watching and making invisible changes to our water for their own purposes.

Protecting our privacy matters to the whole society. Without privacy all other civil and human rights are endangered. This is an obvious area where government regulation can make sense to restrict and outlaw socially destructive behaviors. This is what regulation is for: creating incentive structures that make our society more tolerable for more people, rather than the opposite.