Facebook is one of the most popular social media platforms in the world, with over 2.9 billion monthly active users as of the fourth quarter of 2022. However, Facebook’s massive user base also makes it an attractive target for cybercriminals and a potential risk to user privacy. Here we will explore some of the main privacy risks associated with using Facebook and steps users can take to help protect their information.
Data Collection and Targeted Advertising
Facebook collects large amounts of personal data about its users in order to power its advertising model. This includes information users provide on their profiles, content they post, pages they interact with, and external websites they visit that contain Facebook pixels or plugins. Facebook uses this data to build detailed profiles about its users’ demographics, interests, behaviors, and more. These profiles allow advertisers to target users with highly customized ads.
While targeted advertising can seem benign, having such an extensive dossier of information on each user raises privacy concerns. Users have little visibility or control over what data Facebook collects about them and how it is used or shared. The detailed profiles Facebook builds about people go far beyond what most users realize when they sign up for the service. And any data breaches of that sensitive information could have major implications for user privacy.
Potential risks include:
- Users being unaware of the extent of data Facebook collects about them for ad targeting
- Lack of control over how personal data is used
- Potential for data breaches exposing private information
- Possibility of data being used for purposes beyond advertising without consent
Third-Party Apps and Websites
Facebook allows third-party apps and websites to access user data if users grant them permission. However, studies have shown many users do not actually understand what data they are sharing when they connect third-party apps to their Facebook accounts. And in some cases, apps have harvested more data than users realized they had access to.
One infamous example was in 2014 when Facebook allowed Cambridge Analytica to collect profile data not just from users who downloaded their app, but also from those users’ friends. This resulted in the personal data of up to 87 million Facebook users being acquired without their consent. The scandal showed how interconnected apps on Facebook’s platform can exponentially increase the privacy risks.
Potential risks include:
- Apps harvesting more data than users realize they have access to
- Friends’ data being shared without their consent
- Lack of oversight and auditing for how third-party apps use data
- Possibility of data leakage or breaches by external apps
Facial Recognition
Facebook uses facial recognition technology to identify people in photos and auto-tag them. This can raise privacy concerns, as many users may not realize the extent to which their biometric data is being collected and used for identification.
Facebook’s massive photo database makes their facial recognition very powerful. Users have some control over the feature, but it is enabled by default. If compromised, biometric data like detailed facial maps could pose greater risks than other types of data breaches. There are also concerns about the non-consensual collection and identification of non-users in photos uploaded to Facebook.
Potential risks include:
- Non-consensual collection of biometric data
- Biometric data being shared without user awareness
- Possibility of flawed identification and false matches
- Biometric data collection happening without opt-in consent
- Harder to revoke access to biometric data after a breach
Tracking Across the Internet
Facebook engages in extensive tracking of users’ online activities outside of Facebook itself. Through Facebook Business Tools like Facebook Pixel and social plugins such as the Like and Share buttons, Facebook can track users and non-users across millions of websites. This allows them to build even more detailed profiles about people for ad targeting.
Facebook users have some ability to limit off-Facebook tracking in their settings. However, many sites still use Facebook tools, making it impossible to fully control. And non-Facebook users still have their web browsing tracked by Facebook with no way to opt-out. The potential privacy implications are immense.
Potential risks include:
- Lack of transparency into the extent of Facebook’s off-Facebook tracking
- No way for non-users to stop the collection of their web browsing data
- Very limited controls even for Facebook users
- No oversight into what data is collected and how it is used
Encryption and Security Flaws
Despite collecting vast troves of personal information on billions of users, Facebook does not make end-to-end encryption the default across all its messaging services. Only Secret Conversations in Facebook Messenger are encrypted. Additionally, Facebook has suffered multiple security breaches over the years exposing user data.
While no system is completely hack-proof, privacy experts argue Facebook does not go far enough in implementing state-of-the-art security and encryption. This leaves user data needlessly vulnerable. And the large scale of Facebook’s networks provides a very tempting and lucrative target for cybercriminals and hackers.
Potential risks include:
- Persistence of security flaws making breaches more likely
- Unencrypted data more vulnerable to hackers
- Massive trove of personal data a tempting target
- Difficulty containing or revoking access after a breach
Microtargeting and Behavioral Manipulation
Facebook’s detailed advertiser profiles allow political campaigns and other organizations to engage in powerful microtargeting of users. This means tailoring highly specific messages and ads to influence the attitudes or behaviors of select groups of users, often without transparency.
For example, the Trump campaign boasted about microtargeting millions of Facebook users in the 2016 election. Opaque microtargeting raises concerns about manipulation equipped with users’ psychographic data. Facebook has some political ad transparency features, but loopholes remain. The hyper-personalized targeting allows impact at scale.
Potential risks include:
- Lack of oversight into how advertiser profiles are used for microtargeting
- Messages tailored to emotional triggers and biases
- Spread of misinformation to subgroups who will find it most persuasive
- Loopholes allowing opaque political ads and issue-based targeting
AI and Algorithmic Bias
Facebook relies heavily on artificial intelligence, algorithms, and machine learning to optimize its networks and services. However, critics caution that bias can be unintentionally baked into the algorithms trained on human-created data. With Facebook’s scale, even small instances of bias could affect millions of users.
For example, algorithms may learn to show some users more polarizing content that increases engagement at the cost of exposing them to extremist views. Or suppress certain content from marginalized groups. Facebook has taken some steps to address algorithmic fairness but risks remain. The lack of transparency around Facebook’s AI systems makes outside analysis impossible.
Potential risks include:
- Lack of algorithmic transparency on such an influential platform
- Reinforcing existing biases against marginalized groups
- Difficulty detecting let alone proving unequal treatment
- No independent oversight or impact assessments
Data Leaks and Third-Party Sharing
Despite frequent controversies around its privacy practices, Facebook has repeatedly experienced data leaks or undisclosed data sharing with third parties over the years. In some cases, these breaches exposed hundreds of millions of user records.
In 2019, Facebook was fined a record $5 billion by the FTC for allowing millions of users’ phone numbers provided for two-factor authentication to be accessed for advertising purposes. And in 2021, 553 million Facebook users’ data was published online. Facebook claims the data was scraped from profiles before a vulnerability was fixed. But it demonstrates the risks.
Potential risks include:
- Intentional or unintentional data exposure by Facebook’s sharing APIs
- Scraping of public and non-public profile data
- Human error leading to inadvertent leaks
- Sharing of data with device makers and other partners
Geolocation Tracking
Facebook leverages user location data for features like location tagging and maps, as well as targeted advertising. However, privacy advocates argue most users are unaware of the granularity of Facebook’s location tracking and have little meaningful control.
Testing has shown Facebook can access user locations to within 17 meters of accuracy, according to legal filings. And location tracking happens across devices. Facebook claims location data improves experiences and connections. But privacy risks persist without proper consent and transparency.
Potential risks include:
- Near-exact location tracking without informed user consent
- Location data exposure in the event of a breach
- Overly expansive collection beyond what users expect
- Lack of controls over how location data gets used
Real Name Policy Controversies
Facebook requires users to provide their real first and last name on their profile, arguing it encourages authenticity. However, critics contend the real name policy enables employment and housing discrimination, marginalizes communities such as transgender people who use pseudonyms, and jeopardizes activists and whistleblowers globally.
Despite policy tweaks over the years, many say Facebook’s identity rules enable abuse and discrimination more than foster transparency. And the policy grants Facebook even greater ability to link profiles to real people for advertising purposes. Demands continue for more substantial changes to Facebook’s naming rules on human rights grounds.
Potential risks include:
- Enables discrimination and harassment of minority groups
- No recourse for mistaken identity or reporting abuse
- Forces exposure of vulnerable individuals against their will
- Greater network linkage to real identities aids surveillance marketing
User Data Retention and Accessibility
Facebook has faced criticism over its policies on retaining and granting user access to personal data stored on its networks. Facebook data practices make permanently deleting an account challenging, if not impossible for average users.
For example, while users can deactivate accounts, Facebook still retains and utilizes the data for “safety and security” purposes. Retrieving a copy of an account’s data also remains cumbersome compared to deletions. Critics argue Facebook’s data retention practices contradict principles of privacy law like storage limitation and data minimization.
Potential risks include:
- Indefinite retention of personal data users wish to erase
- Prioritizing data preservation over user privacy
- Onerous process for users to access copies of their data
- Lack of transparency around retention rules or schedules
Privacy Issues for Non-Users
Even people who do not have a Facebook account face privacy risks due to the company’s extensive tracking technologies, facial recognition, and obtaining of data from users’ contacts. Non-users have no portal to request their data or see how Facebook has profiled them for ads.
Testing has shown that Facebook creates “shadow profiles” of non-users just based on mentions by users. And Facebook’s login feature that relies on knowing users’ email addresses and phone numbers can out non-users. Facebook has argued that data about others helps provide services to users. But privacy experts counter that non-users cannot consent.
Potential risks include:
- Profiles created about non-users without consent
- Exposure of personal data like phone numbers provided by users’ contacts
- Lack of transparency or controls around data gathered on non-users
- Inability to access or delete data collected by Facebook as a non-user
Young Users and Predatory Behavior
Facebook requires users to be at least 13 years old to create an account. However, critics argue Facebook does not do enough to restrict underage users or protect children from sexual predators and harmful content. Law enforcement has cited instances of criminals using Facebook to target minors.
Facebook has touted education efforts and AI tools to detect predatory behavior and restrict adults contacting minors they don’t know. But problems persist. And child development experts warn excessive social media usage can be harmful to mental health. Facebook has resisted calls to discontinue plans for an Instagram Kids app targeting children.
Potential risks include:
- Insufficient safeguards against child exploitation
- Harmful effects of social media on developing brains
- Failure to screen for predatory adults targeting minors
- Spread of inappropriate or dangerous content to young user
Harmful Health Effects
Research has linked excessive social media usage to negative mental health outcomes, especially in younger users. Critics accuse Facebook’s algorithms of purposefully maximizing engagement time with no regard for the wellbeing impact.
Facebook has introduced some usage management tools like notifications reminders. However, Facebook whistleblowers like Frances Haugen argue the company knows its products can be addictive and toxic to mental health and self-image but prioritizes profits over safety. Stronger regulations on ethical design are needed.
Potential risks include:
- Addictive product design that hijacks attention
- Exposure to misinformation, toxic content, and comparisons
- Social media anxiety, isolation, and depression
- Promotion of self-harm content in pursuit of engagement
Privacy Risks of Metaverse Push
Facebook CEO Mark Zuckerberg has aggressively promoted his vision of the metaverse, a 3D virtual environment blending physical and digital worlds. However, as Facebook races to make its metaverse vision a reality, privacy risks abound.
Facebook wants people to interact in the metaverse using futuristic wearables that could collect even more invasive biometric data, including eyesight, facial expressions, and body movements. Legal experts warn integrating virtual worlds with real-world data will require enhanced privacy rules to protect user consent. There are also psychological risks of increased immersion.
Potential risks include:
- Pressure to provide more biometric data like eye-tracking
- Blending of personal information between digital and physical worlds
- Possibility of constant, inescapable surveillance and data collection
- New avenues for predators, hacking, and harmful content
Conclusion
In summary, despite frequent controversies around its privacy practices, Facebook remains a data collection juggernaut fueled by unprecedented user profiling. Its massive troves of information on individuals, ability to track across the internet, and advanced analytics using AI provide near-unparalleled surveillance marketing capabilities. For users and non-users alike, loss of control over personal data poses multitudes of privacy risks from corporate misuse to identity theft. While Facebook has responded to some criticisms around transparency and settings, most experts argue there is much more to be done to prioritize user privacy and prevent abuse. Comprehensive privacy legislation and aggressive regulatory oversight are likely needed to compel meaningful changes in Facebook’s surveillance capitalism model. Until then, individual users have limited ability to fully understand or manage the privacy risks.