Sunday, 30 September 2018

Until data is misused, Facebook’s breach will be forgotten

We cared about Cambridge Analytica because it could have helped elect Trump. We ignored LocationSmart because even the though the company was selling and exposing the real-time GPS coordinates of our phones, it was never clear exactly if or how that data was misused.

This idea, that privacy issues are abstract concepts for most people until they become security or ideological problems, is important to understanding Facebook’s massive breach revealed this week. 

The social network’s engineering was sloppy, allowing three bugs to be combined to steal the access tokens of 50 million people. In pursuit of rapid growth at affordable efficiency, Facebook failed to protect its users. This assessment doesn’t discount that. Facebook screwed up big time.

But despite the potential that those access tokens could have let the attackers take over user accounts, act as them, and scrape their personal info, it’s unclear how much users really care. That’s because for now, Facebook and it’s watchdogs aren’t sure exactly what data was stolen or how it was wrongly used.

The Hack That Broke The Camel’s Back?

This could all change tomorrow. If Facebook discovers the hack was perpetrated by a foreign government to interfere with elections, by criminals to bypass identity theft security checkpoints and steal people’s bank accounts or social media profiles, or to target individuals for physical harm, out will come the pitchforks and torches. 

Given a sufficiently scary application for the data, the breach could finish the job of destroying Facebook’s brand. If users start clearing their profile data, reducing their feed browsing, and ceasing to share, the breach could have significant financial and network effect consequences for Facebook. After years of scandals, this could be the hack that’s broke the camel’s back.

Yet in the absence of that evil utilization of the hacked data, the breach could fade into the background for users. Similar to the tension-filled departures of the founders of Facebook’s acquisitions Instagram and WhatsApp, the brunt of the backlash may not come from the public.

The hack could hasten regulation of social media. Senator Warner called on Congress to “step up” following the hack. He’s previously advocated for privacy laws similar to Europe’s GDPR. That includes data portability and interoperability rules that could make it easier to switch social networks. That threat of people moving to competing apps could succeed in compelling Facebook to treat user privacy and security better.

One of the biggest questions about the attack is whether the tokens were used to access other services like Airbnb or Spotify that rely on Facebook Login. The breach could steer potential partners away from building atop Facebook’s identity platform. But at least you don’t have to worry about changing all your passwords. Unlike hacks that steal usernames and passwords, the lasting danger of the Facebook breach is limited. The access tokens have already been invalidated, whereas password reuse can lead people to have their other apps hacked long after the initial breach.

Desensitized

If government investigators, journalists, or anti-Facebook activists want to make the company pay for its negligence, they’ll need to connect it to some concrete threat to how we live or what we believe.

For now, without a nefarious application of the breached data, this scandal could blend into the rest of Facebook’s troubles. Every week, sometimes multiple times a week, Facebook has some headline grabbing problem. Over time, those are adding up to deter usage of Facebook and spur more users to delete it. But without an independent general purpose social network they can easily switch to, many users have endured Facebook’s stumbles in exchange for the connective utility it provides. 

As breaches become more common, the public may be desensitized. Between Equifax, Yahoo, and the cell phone companies, we’re growing accustomed to letting out a deep sigh with maybe some expletives, and moving on with our lives. The ones we’ll remember will be those where the danger metastasized from the digital world into our offline lives.



source https://techcrunch.com/2018/09/30/hack-numbness/

Relike lets you turn a Facebook page into a newsletter

French startup Ownpage has recently released a new product called Relike. Relike is one of the easiest ways to get started with email newsletters. You enter the web address of your Facebook page and that’s about it.

The company automatically pulls your most recent posts from your Facebook page and lets you set up an emailing campaign in a few clicks. You can either automatically pick your most popular Facebook posts or manually select a few posts.

Just like any emailing service, you can choose between multiple templates, decide the day of the week and time of the day, import a database of email addresses and more. If you’ve used Mailchimp in the past, you’ll feel right at home.

But the idea isn’t to compete directly with newsletter services. Many social media managers, media organizations, small companies, nonprofits and sports teams already have a Facebook page but aren’t doing anything on the email front.

Relike is free if you send less than 2,000 emails per month and don’t need advanced features. If you want to get open rates, click-through rates and other features, you’ll need to pay €5 per month and €0.50 every time you send 1,000 emails.

The company’s other product Ownpage is a bit different. Ownpage has been working with media organizations to optimize their email newsletters. The company is tracking reading habits on a news site and sending personalized email newsletters.

This way, readers will get tailored news and will more likely come back to your site. Many big French news sites use Ownpage for their newsletters, such as Les Echos, L’Express, 20 Minutes, BFM TV, Le Parisien, etc.

Ownpage founder and CEO Stéphane Cambon told me that Relike was the obvious second act. Using browsing data for customized newsletters is one thing, but many talented social media managers know how to contextualize stories and maximize clicks (even if it means clickbait, sure).

The startup was looking at a way to get this data, and ended up creating Relike, which could appeal to customers beyond news organizations. For now, both products will stick around. In the future, the company plans to add Twitter and Instagram integrations as well as better signup flows for newsletter subscribers.



source https://techcrunch.com/2018/09/30/relike-lets-you-turn-a-facebook-page-into-a-newsletter/

Saturday, 29 September 2018

Facebook is weaponizing security to erode privacy

At a Senate hearing this week in which US lawmakers quizzed tech giants on how they should go about drawing up comprehensive Federal consumer privacy protection legislation, Apple’s VP of software technology described privacy as a “core value” for the company.

“We want your device to know everything about you but we don’t think we should,” Bud Tribble told them in his opening remarks.

Facebook was not at the commerce committee hearing which, as well as Apple, included reps from Amazon, AT&T, Charter Communications, Google and Twitter.

But the company could hardly have made such a claim had it been in the room, given that its business is based on trying to know everything about you in order to dart you with ads.

You could say Facebook has ‘hostility to privacy‘ as a core value.

Earlier this year one US senator wondered of Mark Zuckerberg how Facebook could run its service given it doesn’t charge users for access. “Senator we run ads,” was the almost startled response, as if the Facebook founder couldn’t believe his luck at the not-even-surface-level political probing his platform was getting.

But there have been tougher moments of scrutiny for Zuckerberg and his company in 2018, as public awareness about how people’s data is being ceaselessly sucked out of platforms and passed around in the background, as fuel for a certain slice of the digital economy, has grown and grown — fuelled by a steady parade of data breaches and privacy scandals which provide a glimpse behind the curtain.

On the data scandal front Facebook has reigned supreme, whether it’s as an ‘oops we just didn’t think of that’ spreader of socially divisive ads paid for by Kremlin agents (sometimes with roubles!); or as a carefree host for third party apps to party at its users’ expense by silently hovering up info on their friends, in the multi-millions.

Facebook’s response to the Cambridge Analytica debacle was to loudly claim it was ‘locking the platform down‘. And try to paint everyone else as the rogue data sucker — to avoid the obvious and awkward fact that its own business functions in much the same way.

All this scandalabra has kept Facebook execs very busy with year, with policy staffers and execs being grilled by lawmakers on an increasing number of fronts and issues — from election interference and data misuse, to ad transparencyhate speech and abuse, and also directly, and at times closely, on consumer privacy and control

Facebook shielded its founder from one sought for grilling on data misuse, as UK MPs investigated online disinformation vs democracy, as well as examining wider issues around consumer control and privacy. (They’ve since recommended a social media levy to safeguard society from platform power.) 

The DCMS committee wanted Zuckerberg to testify to unpick how Facebook’s platform contributes to the spread of disinformation online. The company sent various reps to face questions (including its CTO) — but never the founder (not even via video link). And committee chair Damian Collins was withering and public in his criticism of Facebook sidestepping close questioning — saying the company had displayed a “pattern” of uncooperative behaviour, and “an unwillingness to engage, and a desire to hold onto information and not disclose it.”

As a result, Zuckerberg’s tally of public appearances before lawmakers this year stands at just two domestic hearings, in the US Senate and Congress, and one at a meeting of the EU parliament’s conference of presidents (which switched from a behind closed doors format to being streamed online after a revolt by parliamentarians) — and where he was heckled by MEPs for avoiding their questions.

But three sessions in a handful of months is still a lot more political grillings than Zuckerberg has ever faced before.

He’s going to need to get used to awkward questions now that lawmakers have woken up to the power and risk of his platform.

Security, weaponized 

What has become increasingly clear from the growing sound and fury over privacy and Facebook (and Facebook and privacy), is that a key plank of the company’s strategy to fight against the rise of consumer privacy as a mainstream concern is misdirection and cynical exploitation of valid security concerns.

Simply put, Facebook is weaponizing security to shield its erosion of privacy.

Privacy legislation is perhaps the only thing that could pose an existential threat to a business that’s entirely powered by watching and recording what people do at vast scale. And relying on that scale (and its own dark pattern design) to manipulate consent flows to acquire the private data it needs to profit.

Only robust privacy laws could bring Facebook’s self-serving house of cards tumbling down. User growth on its main service isn’t what it was but the company has shown itself very adept at picking up (and picking off) potential competitors — applying its surveillance practices to crushing competition too.

In Europe lawmakers have already tightened privacy oversight on digital businesses and massively beefed up penalties for data misuse. Under the region’s new GDPR framework compliance violations can attract fines as high as 4% of a company’s global annual turnover.

Which would mean billions of dollars in Facebook’s case — vs the pinprick penalties it has been dealing with for data abuse up to now.

Though fines aren’t the real point; if Facebook is forced to change its processes, so how it harvests and mines people’s data, that could knock a major, major hole right through its profit-center.

Hence the existential nature of the threat.

The GDPR came into force in May and multiple investigations are already underway. This summer the EU’s data protection supervisor, Giovanni Buttarelli, told the Washington Post to expect the first results by the end of the year.

Which means 2018 could result in some very well known tech giants being hit with major fines. And — more interestingly — being forced to change how they approach privacy.

One target for GDPR complainants is so-called ‘forced consent‘ — where consumers are told by platforms leveraging powerful network effects that they must accept giving up their privacy as the ‘take it or leave it’ price of accessing the service. Which doesn’t exactly smell like the ‘free choice’ EU law actually requires.

It’s not just Europe, either. Regulators across the globe are paying greater attention than ever to the use and abuse of people’s data. And also, therefore, to Facebook’s business — which profits, so very handsomely, by exploiting privacy to build profiles on literally billions of people in order to dart them with ads.

US lawmakers are now directly asking tech firms whether they should implement GDPR style legislation at home.

Unsurprisingly, tech giants are not at all keen — arguing, as they did at this week’s hearing, for the need to “balance” individual privacy rights against “freedom to innovate”.

So a lobbying joint-front to try to water down any US privacy clampdown is in full effect. (Though also asked this week whether they would leave Europe or California as a result of tougher-than-they’d-like privacy laws none of the tech giants said they would.)

The state of California passed its own robust privacy law, the California Consumer Privacy Act, this summer, which is due to come into force in 2020. And the tech industry is not a fan. So its engagement with federal lawmakers now is a clear attempt to secure a weaker federal framework to ride over any more stringent state laws.

Europe and its GDPR obviously can’t be rolled over like that, though. Even as tech giants like Facebook have certainly been seeing how much they can get away with — to force a expensive and time-consuming legal fight.

While ‘innovation’ is one oft-trotted angle tech firms use to argue against consumer privacy protections, Facebook included, the company has another tactic too: Deploying the ‘S’ word — security — both to fend off increasingly tricky questions from lawmakers, as they finally get up to speed and start to grapple with what it’s actually doing; and — more broadly — to keep its people-mining, ad-targeting business steamrollering on by greasing the pipe that keeps the personal data flowing in.

In recent years multiple major data misuse scandals have undoubtedly raised consumer awareness about privacy, and put greater emphasis on the value of robustly securing personal data. Scandals that even seem to have begun to impact how some Facebook users Facebook. So the risks for its business are clear.

Part of its strategic response, then, looks like an attempt to collapse the distinction between security and privacy — by using security concerns to shield privacy hostile practices from critical scrutiny, specifically by chain-linking its data-harvesting activities to some vaguely invoked “security purposes”, whether that’s security for all Facebook users against malicious non-users trying to hack them; or, wider still, for every engaged citizen who wants democracy to be protected from fake accounts spreading malicious propaganda.

So the game Facebook is here playing is to use security as a very broad-brush to try to defang legislation that could radically shrink its access to people’s data.

Here, for example, is Zuckerberg responding to a question from an MEP in the EU parliament asking for answers on so-called ‘shadow profiles’ (aka the personal data the company collects on non-users) — emphasis mine:

It’s very important that we don’t have people who aren’t Facebook users that are coming to our service and trying to scrape the public data that’s available. And one of the ways that we do that is people use our service and even if they’re not signed in we need to understand how they’re using the service to prevent bad activity.

At this point in the meeting Zuckerberg also suggestively referenced MEPs’ concerns about election interference — to better play on a security fear that’s inexorably close to their hearts. (With the spectre of re-election looming next spring.) So he’s making good use of his psychology major.

“On the security side we think it’s important to keep it to protect people in our community,” he also said when pressed by MEPs to answer how a person who isn’t a Facebook user could delete its shadow profile of them.

He was also questioned about shadow profiles by the House Energy and Commerce Committee in April. And used the same security justification for harvesting data on people who aren’t Facebook users.

“Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers],” he said. “In order to prevent people from scraping public information… we need to know when someone is repeatedly trying to access our services.”

He claimed not to know “off the top of my head” how many data points Facebook holds on non-users (nor even on users, which the congressman had also asked for, for comparative purposes).

These sorts of exchanges are very telling because for years Facebook has relied upon people not knowing or really understanding how its platform works to keep what are clearly ethically questionable practices from closer scrutiny.

But, as political attention has dialled up around privacy, and its become harder for the company to simply deny or fog what it’s actually doing, Facebook appears to be evolving its defence strategy — by defiantly arguing it simply must profile everyone, including non-users, for user security.

No matter this is the same company which, despite maintaining all those shadow profiles on its servers, famously failed to spot Kremlin election interference going on at massive scale in its own back yard — and thus failed to protect its users from malicious propaganda.

TechCrunch/Bryce Durbin

Nor was Facebook capable of preventing its platform from being repurposed as a conduit for accelerating ethnic hate in a country such as Myanmar — with some truly tragic consequences. Yet it must, presumably, hold shadow profiles on non-users there too. Yet was seemingly unable (or unwilling) to use that intelligence to help protect actual lives…

So when Zuckerberg invokes overarching “security purposes” as a justification for violating people’s privacy en masse it pays to ask critical questions about what kind of security it’s actually purporting to be able deliver. Beyond, y’know, continued security for its own business model as it comes under increasing attack.

What Facebook indisputably does do with ‘shadow contact information’, acquired about people via other means than the person themselves handing it over, is to use it to target people with ads. So it uses intelligence harvested without consent to make money.

Facebook confirmed as much this week, when Gizmodo asked it to respond to a study by some US academics that showed how a piece of personal data that had never been knowingly provided to Facebook by its owner could still be used to target an ad at that person.

Responding to the study, Facebook admitted it was “likely” the academic had been shown the ad “because someone else uploaded his contact information via contact importer”.

“People own their address books. We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them,” it told Gizmodo.

So essentially Facebook has finally admitted that consentless scraped contact information is a core part of its ad targeting apparatus.

Safe to say, that’s not going to play at all well in Europe.

Basically Facebook is saying you own and control your personal data until it can acquire it from someone else — and then, er, nope!

Yet given the reach of its network, the chances of your data not sitting on its servers somewhere seems very, very slim. So Facebook is essentially invading the privacy of pretty much everyone in the world who has ever used a mobile phone. (Something like two-thirds of the global population then.)

In other contexts this would be called spying — or, well, ‘mass surveillance’.

It’s also how Facebook makes money.

And yet when called in front of lawmakers to asking about the ethics of spying on the majority of the people on the planet, the company seeks to justify this supermassive privacy intrusion by suggesting that gathering data about every phone user without their consent is necessary for some fuzzily-defined “security purposes” — even as its own record on security really isn’t looking so shiny these days.

WASHINGTON, DC – APRIL 11: Facebook co-founder, Chairman and CEO Mark Zuckerberg prepares to testify before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill April 11, 2018 in Washington, DC. This is the second day of testimony before Congress by Zuckerberg, 33, after it was reported that 87 million Facebook users had their personal information harvested by Cambridge Analytica, a British political consulting firm linked to the Trump campaign. (Photo by Chip Somodevilla/Getty Images)

It’s as if Facebook is trying to lift a page out of national intelligence agency playbooks — when governments claim ‘mass surveillance’ of populations is necessary for security purposes like counterte

source https://techcrunch.com/2018/09/29/facebook-is-weaponizing-security-to-erode-privacy/

Friday, 28 September 2018

What Instagram users need to know about Facebook’s security breach

Even if you never log into Facebook itself these days, the other apps and services you use might be impacted by Facebook’s latest big, bad news.

In a follow-up call on Friday’s revelation that Facebook has suffered a security breach affecting at least 50 million accounts, the company clarified that Instagram users were not out of the woods — nor were any other third-party services that utilized Facebook Login. Facebook Login is the tool that allows users to sign in with a Facebook account instead of traditional login credentials and many users choose it as a convenient way to sign into a variety of apps and services.

Third-party apps and sites affected too

Due to the nature of the hack, Facebook cannot rule out the fact that attackers may have also accessed any Instagram account linked to an affected Facebook account through Facebook Login. Still, it’s worth remembering that while Facebook can’t rule it out, the company has no evidence (yet) of this kind of activity.

“So the vulnerability was on Facebook, but these access tokens enable someone to use [a connected account] as if they were the account holder themselves — this does mean they could have access other third party apps that were using Facebook login,” Facebook Vice President of Product Management Guy Rosen explained on the call.

“Now that we have reset all of those access tokens as part of protecting the security of people’s accounts, developers who use Facebook login will be able to detect that those access tokens has been reset, identify those users and as a user, you will simply have to log in again into those third party apps.”

Rosen reiterated that there is plenty Facebook does not know about the hack, including the extent to which attackers manipulated the three security bugs in question to obtain access to external accounts through Facebook Login.

“The vulnerability was on Facebook itself and we’ve yet to determine, given the investigation is really early, [what was] the exact nature of misuse and whether there was any access to Instagram accounts, for example,” Rosen said.

Anyone with a Facebook account affected by the breach — you should have been automatically logged out and will receive a notification — will need to unlink and relink their Instagram account to Facebook in order to continue cross-posting content to Facebook.

How to relink your Facebook account and do a security check

To do relink your Instagram account to Facebook, if you choose to, open Instagram Settings > Linked Accounts and select the checkbox next to Facebook. Click Unlink and confirm your selection. If you’d like to reconnect Instagram with Facebook, you’ll need to select Facebook in the Linked Accounts menu and login with your credentials like normal.

If you know your Facebook account was affected by the breach, it’s wise to check for suspicious activity on your account. You can do this on Facebook through the Security and Login menu.

There, you’ll want to browse the activity listed to make sure you don’t see anything that doesn’t look like you — logins from other countries, for example. If you’re concerned or just want to play it safe, you can always find the link to “Log Out Of All Sessions” by scrolling toward the bottom of the page.

While we know a little bit more now about Facebook’s biggest security breach to date, there’s still a lot that we don’t. Expect plenty of additional information in the coming days and weeks as Facebook surveys the damage and passes that information along to its users. We’ll do the same.



source https://techcrunch.com/2018/09/28/facebook-hack-instagram-facebook-login/

Facebook blocked users from posting some stories about its security breach

Some users are reporting that they are unable to post today’s big story about a security breach affecting 50 million Facebook users. The issue appears to only affect particular stories from certain outlets, at this time one story from The Guardian and one from the Associated Press, both reputable press outlets.

When going to share the story to their news feed, some users, including members of the staff here at TechCrunch who were able to replicate the bug, were met with the following error message which prevented them from sharing the story.

According to the message, Facebook is flagging the stories as spam due to how widely they are being shared or as the message puts it, the system’s observation that “a lot of people are posting the same content.”

Update: After attention was drawn to it, the bug appears to be resolved, according to updates on Facebook’s Twitter account. We still don’t have more official information about how or why the behavior occurred.

To be clear, this isn’t one Facebook content moderator sitting behind a screen rejecting the link somewhere or the company conspiring against users spreading damning news. The situation is another example of Facebook’s automated content flagging tools marking legitimate content as illegitimate, in this case calling it spam. Still, it’s strange and difficult to understand why such a bug wouldn’t affect many other stories that regularly go viral on the social platform.

This instance is by no means a first for Facebook. The platform’s automated tools — which operate at unprecedented scale for a social network — are well known for at times censoring legitimate posts and flagging benign content while failing to detect harassment and hate speech. We’ve reached out to Facebook for details about how this kind of thing happens but the company appears to have its hands full with the bigger news of the day.

While the incident is nothing particularly new, it’s an odd quirk — and in this instance quite a bad look given that the bad news affects Facebook itself.



source https://techcrunch.com/2018/09/28/facebook-blocks-guardian-story/

Facebook is blocking users from posting some stories about its security breach

Some users are reporting that they are unable to post today’s big story about a security breach affecting 50 million Facebook users. The issue appears to only affect particular stories from certain outlets, at this time one story from The Guardian and one from the Associated Press, both reputable press outlets.

When going to share the story to their news feed, some users, including members of the staff here at TechCrunch who were able to replicate the bug, were met with the following error message which prevented them from sharing the story.

According to the message, Facebook is flagging the stories as spam due to how widely they are being shared or as the message puts it, the system’s observation that “a lot of people are posting the same content.”

To be clear, this isn’t one Facebook content moderator sitting behind a screen rejecting the link somewhere or the company conspiring against users spreading damning news. The situation is another example of Facebook’s automated content flagging tools marking legitimate content as illegitimate, in this case calling it spam. Still, it’s strange and difficult to understand why such a bug wouldn’t affect many other stories that regularly go viral on the social platform.

This instance is by no means a first for Facebook. The platform’s automated tools — which operate at unprecedented scale for a social network — are well known for at times censoring legitimate posts and flagging benign content while failing to detect harassment and hate speech. We’ve reached out to Facebook for details about how this kind of thing happens but the company appears to have its hands full with the bigger news of the day.

While the incident is nothing particularly new, it’s an odd quirk — and in this instance quite a bad look given that the bad news affects Facebook itself.



source https://techcrunch.com/2018/09/28/facebook-blocks-guardian-story/

Everything you need to know about Facebook’s data breach affecting 50M users

Facebook is cleaning up after a major security incident exposed the account data of millions of users. What’s already been a rocky year after the Cambridge Analytica scandal, the company is scrambling to regain its users trust after another security incident exposed user data.

Here’s everything you need to know so far.

What happened?

Facebook says at least 50 million users’ data may be at risk after attackers exploited a vulnerability that allowed them access to personal data. The company also preventively secure 40 million additional accounts out of an abundance of caution.

What data were the hackers after?

Facebook CEO Mark Zuckerberg said that the company has not seen any accounts compromised and improperly accessed — although it’s early days and that may change. But Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that’s linked to a user’s profile page.

What data wasn’t taken?

Facebook said that it looks unlikely that private messages were accessed. No credit card information was taken in the breach, Facebook said. Again, that may change as the company’s investigation continues.

What’s an access token? Do I need to change my password?

When you enter your username and password on most sites and apps, including Facebook, your browser or device is set an access tokens. This keeps you logged in, without you having to enter your credentials every time you log in. But the token doesn’t store your password — so there’s no need to change your password.

Is this why Facebook logged me out of my account?

Yes, Facebook says it reset the access tokens of all users affected. That means some 90 million users will have been logged out of their account — either on their phone or computer — in the past day. This also includes users on Facebook Messenger.

When did this attack happen?

The vulnerability was introduced on the site in July 2017, but Facebook didn’t know about it until this month, on September 16, 2018, when it spotted unusual activity. That means the hackers could have had access to user data for a long time, as Facebook is not sure right now when the attack began.

Who would do this?

Facebook doesn’t know who attacked the site, but the FBI is investigating, it says.

However, Facebook has in the past found evidence of Russia’s attempts to meddle in American democracy and influence our elections — but it’s not to say that Russia is behind this new attack. Attribution is incredibly difficult and takes a lot of time and effort. It recently took the FBI more than two years to confirm that North Korea was behind the Sony hack in 2016 — so we might be in for a long wait.

How did the attackers get in? 

Not one, but three bugs led to the data exposure.

In July 2017, Facebook inadvertently introduced three vulnerabilities in its video uploader, said Guy Rosen, Facebook’s vice president of product management, in a call with reporters. When using the “View As” feature to view your profile as someone else, the video uploader would occasionally appear when it shouldn’t display at all. When it appeared, it generated an access token using the person who the profile page was being viewed as. If that token was obtained, an attacker could log into the account of the other person.

Is the problem fixed? 

Facebook says it fixed the vulnerability on September 27, and then began resetting the access tokens of people to protect the security of their accounts.

Will Facebook be fined or punished?

If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.

However, that fine can’t be levied until Facebook knows more about the nature of the breach and the risk to users.

Another data breach of this scale – especially coming in the wake of the Cambridge Analytica scandal and other data leaks – has some in Congress calling for the social network to be regulated. Sen. Mark Warner (D-VA) issued a stern reprimand to Facebook over today’s news, and again pushed his proposal for regulating companies holding large data sets as ““information fiduciaries” with additional consequences for improper security.

FTC Commissioner Rohit Chopra also tweeted that “I want answers” regarding the Facebook hack. It’s reasonable to assume that there could be investigators in both the U.S. and Europe to figure out what happened.

Can I check to see if my account was improperly accessed?

You can. Once you log back into your Facebook account, you can go to your account’s security and login page, which lets you see where you’ve logged in. If you had your access tokens revoked and had to log in again, you should see only the devices that you logged back in with.

Should I delete my Facebook account?

That’s up to you! But you may want to take some precautions like changing your password and turning on two-factor authentication, if you haven’t done so already. If you’re weren’t impacted by this, you may want to take the time to delete some of the personal information you’ve shared to Facebook to reduce your risk of exposure in future attacks, if they were to occur.



source https://techcrunch.com/2018/09/28/everything-you-need-to-know-about-facebooks-data-breach-affecting-50m-users/

Facebook hack could hasten regulation as Sen. Warner says Congress must “step up”

Senator Mark Warner has issued a stern reprimand to Facebook over today’s revelation that 50 million users had their access token stolen by a hacker. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users” Warner writes. As I’ve said before – the era of the Wild West in social media is over.”

In July, Warner published an expansive policy paper outlining where he believes regulation is necessary for social media companies. He proposes that companies holding large data sets be regulated as “information fiduciaries” with additional consequences for improper security. He suggests requirements for data portability and interoperability that would allow users to export their personal information and use it elsewhere if they were unsatisfied with their treatment by a social media giant. He also suggests applying similar rules to Europe’s GDPR including a requirement that breaches be disclosed within 72 hours of discovery. Notably, Facebook did disclose this hack within that window.

Facebook’s “View As” tool has been disabled following the hack. It let users see how their profile looked to a certain other user

The breach saw sophisticated hackers combine three Facebook bugs in its video uploader, user profile, and “view as” privacy feature to generate and steal the access tokens that allow users to stay logged into Facebook between sessions. These could be used to take over user accounts and take actions on their behalf. Facebook reset the access tokens of the 50 million users impacted and another 40 million who’d had their accounts viewed through the “view as” tool this year, which means they’ll have to log back into Facebook but won’t need to change their password.

The bugs stem from code pushed back in July, but Facebook only discovered the issue Tuesday afternoon as the hackers tried to scale up the attack to steal more tokens. Facebook patched the issue last night and this morning announced it was investigating, though it currently doesn’t have enough information to determine the source of the attack.. It’s already notifed the FBI, as well as the Irish Data Protection office since the breach has GDPR implications. On a call with reporters, CEO Mark Zuckerberg repeatedly called the problem “serious”. But beyond recounting the steps Facebook is taking to address this breach, he didn’t have a good answer for why users should still trust Facebook with their data.

Always quick to pounce on privacy issues, Warner has become one of the strongeest Democratic critics of the social network. He’s seemingly inherited the position of tech watchdog from former-Senator Al Franken. He’s weighed in on recent social media bias and election interference, Google’s plan to launch censored search in China, White House cybersecurity plans and more. With technology becoming an ever more important and dangerous part of people’s lives, Warner seems to see an opportunity to both protect his constituents and advance his career by demonstrating his expertise and ferocity.

This hack could be by Warner as strong evidence that social media companies like Facebook are not voluntarily doing enough to protect uses’ security and privacy. If regulation around security, portability, and interoperability is enacted, it could cost Facebook money for compliance, slow dow the pace of engineering innovation at the company, and make it more vulnerable to competitors. Right now, it’s tough for users to easily switch to another social network, which insulates Facebook from its PR problems becoming user growth problems. But if ditching Facebook for a competitor becomes simpler, it might force the company to treat its users better.

The Senator Mark Warner’s full statement can be found below:

STATEMENT OF U.S. SEN. MARK R. WARNER

~ On Facebook hack ~ 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, released the following statement on the announcement by Facebook that it discovered a security issue affecting almost 50 million accounts:

“The news that at least 50 million Facebook users had their accounts compromised is deeply concerning. A full investigation should be swiftly conducted and made public so that we can understand more about what happened.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”

To kick start the debate around social media legislation, Sen. Warner in July released a white paper containing a suite of potential policy proposals for the regulation of social media.



source https://techcrunch.com/2018/09/28/facebook-breach-warner/

Surprising SEO A/B Test Results - Whiteboard Friday

Posted by willcritchlow

You can make all the tweaks and changes in the world, but how do you know they're the best choice for the site you're working on? Without data to support your hypotheses, it's hard to say. In this week's edition of Whiteboard Friday, Will Critchlow explains a bit about what A/B testing for SEO entails and describes some of the surprising results he's seen that prove you can't always trust your instinct in our industry.

Click on the whiteboard image above to open a high-resolution version in a new tab!

Video Transcription

Hi, everyone. Welcome to another British Whiteboard Friday. My name is Will Critchlow. I'm the founder and CEO at Distilled. At Distilled, one of the things that we've been working on recently is building an SEO A/B testing platform. It's called the ODN, the Optimization Delivery Network. We're now deployed on a bunch of big sites, and we've been running these SEO A/B tests for a little while. I want to tell you about some of the surprising results that we've seen.

What is SEO A/B testing?

We're going to link to some resources that will show you more about what SEO A/B testing is. But very quickly, the general principle is that you take a site section, so a bunch of pages that have a similar structure and layout and template and so forth, and you split those pages into control and variant, so a group of A pages and a group of B pages.

Then you make the change that you're hypothesizing is going to make a difference just to one of those groups of pages, and you leave the other set unchanged. Then, using your analytics data, you build a forecast of what would have happened to the variant pages if you hadn't made any changes to them, and you compare what actually happens to the forecast. Out of that you get some statistical confidence intervals, and you get to say, yes, this is an uplift, or there was no difference, or no, this hurt the performance of your site.

This is data that we've never really had in SEO before, because this is very different to running a controlled experiment in a kind of lab environment or on a test domain. This is in the wild, on real, actual, live websites. So let's get to the material. The first surprising result I want to talk about is based off some of the most basic advice that you've ever seen.

Result #1: Targeting higher-volume keywords can actually result in traffic drops

I've stood on stage and given this advice. I have recommended this stuff to clients. Probably you have too. You know that process where you do some keyword research and you find that there's one particular way of searching for whatever it is that you offer that has more search volume than the way that you're talking about it on your website right now, so higher search volume for a particular way of phrasing?

You make the recommendation, "Let's talk about this stuff on our website the way that people are searching for it. Let's put this kind of phrasing in our title and elsewhere on our pages." I've made those recommendations. You've probably made those recommendations. They don't always work. We've seen a few times now actually of testing this kind of process and seeing what are actually dramatic drops.

We saw up to 20-plus-percent drops in organic traffic after updating meta information in titles and so forth to target the more commonly-searched-for variant. Various different reasons for this. Maybe you end up with a worse click-through rate from the search results. So maybe you rank where you used to, but get a worse click-through rate. Maybe you improve your ranking for the higher volume target term and you move up a little bit, but you move down for the other one and the new one is more competitive.

So yes, you've moved up a little bit, but you're still out of the running, and so it's a net loss. Or maybe you end up ranking for fewer variations of key phrases on these pages. However it happens, you can't be certain that just putting the higher-volume keyword phrasing on your pages is going to perform better. So that's surprising result number one. Surprising result number two is possibly not that surprising, but pretty important I think.

Result #2: 30–40% of common tech audit recommendations make no difference

So this is that we see as many as 30% or 40% of the common recommendations in a classic tech audit make no difference. You do all of this work auditing the website. You follow SEO best practices. You find a thing that, in theory, makes the website better. You go and make the change. You test it.

Nothing, flatlines. You get the same performance as the forecast, as if you had made no change. This is a big deal because it's making these kinds of recommendations that damages trust with engineers and product teams. You're constantly asking them to do stuff. They feel like it's pointless. They do all this stuff, and there's no difference. That is what burns authority with engineering teams too often.

This is one of the reasons why we built the platform is that we can then take our 20 recommendations and hypotheses, test them all, find the 5 or 6 that move the needle, only go to the engineering team to build those ones, and that builds so much trust and relationship over time, and they get to work on stuff that moves the needle on the product side.

So the big deal there is really be a bit skeptical about some of this stuff. The best practices, at the limit, probably make a difference. If everything else is equal and you make that one tiny, little tweak to the alt attribute or a particular image somewhere deep on the page, if everything else had been equal, maybe that would have made the difference.

But is it going to move you up in a competitive ranking environment? That's what we need to be skeptical about.

Result #3: Many lessons don't generalize

So surprising result number three is: How many lessons do not generalize? We've seen this broadly across different sections on the same website, even different industries. Some of this is about the competitive dynamics of the industry.

Some of it is probably just the complexity of the ranking algorithm these days. But we see this in particular with things like this. Who's seen SEO text on a category page? Those kind of you've got all of your products, and then somebody says, "You know what? We need 200 or 250 words that mention our key phrase a bunch of times down at the bottom of the page." Sometimes, helpfully, your engineers will even put this in an SEO-text div for you.

So we see this pretty often, and we've tested removing it. We said, "You know what? No users are looking at this. We know that overstuffing the keyword on the page can be a negative ranking signal. I wonder if we'll do better if we just cut that div." So we remove it, and the first time we did it, plus 6% result. This was a good thing.

The pages are better without it. They're now ranking better. We're getting better performance. So we say, "You know what? We've learnt this lesson. You should remove this really low-quality text from the bottom of your category pages." But then we tested it on another site, and we see there's a drop, a small one admittedly, but it was helping on these particular pages.

So I think what that's just telling us is we need to be testing these recommendations every time. We need to be trying to build testing into our core methodologies, and I think this trend is only going to increase and continue, because the more complex the ranking algorithms get, the more machine learning is baked into it and it's not as deterministic as it used to be, and the more competitive the markets get, so the narrower the gap between you and your competitors, the less stable all this stuff is, the smaller differences there will be, and the bigger opportunity there will be for something that works in one place to be null or negative in another.

So I hope I have inspired you to check out some SEO A/B testing. We're going to link to some of the resources that describe how you do it, how you can do it yourself, and how you can build a program around this as well as some other of our case studies and lessons that we've learnt. But I hope you enjoyed this journey on surprising results from SEO A/B tests.

Resources:

Video transcription by Speechpad.com


Sign up for The Moz Top 10, a semimonthly mailer updating you on the top ten hottest pieces of SEO news, tips, and rad links uncovered by the Moz team. Think of it as your exclusive digest of stuff you don't have time to hunt down but want to read!



source https://moz.com/blog/surprising-seo-ab-test-results

Thursday, 27 September 2018

Facebook policy head makes a surprising cameo at the Kavanaugh hearing

Facebook might be doing its best to stay out of political scandals in the latter half of 2018, but the company had a presence, front and center, at one of the most contentious Senate hearings in modern history.

Facebook’s Vice President of Global Public Policy at Facebook, Joel Kaplan, was spotted sitting prominently alongside his wife, Laura Cox Kaplan, in the section for Brett Kavanaugh’s supporters. He is pictured in the far left of the header image and below, third from left, in front of the Senate Judiciary in April of this year.

WASHINGTON, DC – APRIL 10: Facebook co-founder, Chairman and CEO Mark Zuckerberg concludes his testimony before a combined Senate Judiciary and Commerce committee hearing in the Hart Senate Office Building on Capitol Hill April 10, 2018 in Washington, DC. (Photo by Win McNamee/Getty Images)

Kaplan has not made any public commentary on Twitter or Facebook about his support for the Supreme Court nominee, though through retweets, Kaplan’s wife appears to be of the mind that the hearing is part of a “smear campaign” against the family friend.

His appearance during the hearing is a show of personal support, though it still turns heads for such a prominent Facebook employee to be so visible during such a politically divisive event. Kaplan is not representing Facebook in a formal capacity.

Kaplan served as a policy adviser on George W. Bush’s 2000 election campaign and went on to serve as a policy assistant to the president and as the deputy director of the Office of Management and Budget (OMB) and a deputy chief of staff. Kavanaugh worked for the Bush administration during the same period, joining the former president’s legal team and going on to work on the nomination of Chief Justice John Roberts to the Supreme Court.

Kaplan joined Facebook in 2011 as its VP of U.S. public policy. Kaplan continues to serve in a heavily influential political role with the company today, leading its Washington D.C. office which serves as the company’s lobbying arm.



source https://techcrunch.com/2018/09/27/kavanaugh-facebook-joel-kaplan/

Mozilla pushes PayPal to make Venmo transactions private by default

Earlier this year, the FTC settled with PayPal over the company’s handling of privacy disclosures in its peer-to-peer payments app Venmo, but Mozilla doesn’t think the changes Venmo made as a result went far enough. This week, Mozilla says it delivered a petition signed by 25,000 Americans asking Venmo to set transactions shared in its app to private by default, instead of public.

As Mozilla explains, “millions of Venmo users’ spending habits are available for anyone to see. That’s because Venmo transactions are currently public by default — unless users manually update their settings, anyone, anywhere can see whom they’re sending money to, and why.”

Many Venmo users likely feel that it’s not very dangerous to share through Venmo’s feed – a key feature of its popular payments app – that they paid back a friend for part of the dinner, drinks or some concert tickets, for example.

But a Berlin-based researcher, Hang Do Thi Duc, recently studied the risks associated with this sort of over-sharing.

Do Thi Duc analyzed more than 200 million public Venmo transactions made in 2017 by accessing the data through a public API. This allowed her to see the names, dates, and transactions of Venmo users. She found that a lot could actually be gleaned from this data, including users’ drug habits in some cases, as well as their relationships, junk food habits, location, daily routines, personal finances, rent payments, and more.

In other words, while the individual transaction itself may seem harmless, in aggregate these transactions can be very revealing about the person in question.

Mozilla says it, along with Ipsos, also polled 1,009 Americans how they felt about Venmo’s “public by default” nature. 77% said they didn’t think that should be the case, and 92% said they don’t support Venmo’s justifications for making them public. (It thinks sharing is fun, basically.)

Venmo didn’t respond to Mozilla’s petition directly, but tells TechCrunch via a spokesperson that its takes its users’ trust seriously.

“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” the spokesperson said. “The safety and privacy of Venmo users and their information is always a top priority. Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously,” they added.

The company also pointed out it takes several steps to ensure some level of user protection, including not making sensitive transactions public, never publishing dollar amounts, and allowing users to control the publicity of the item, even after the fact.

As part of the FTC settlement, Venmo also had to make other changes, as well.

The company now has to explain to new and existing users how to limit the visibility of transactions through the use of privacy settings.

We recently saw this in the updated Venmo app, in fact.

Users are walked through a tutorial that spells out how you can change settings to make transactions private by default, or any time you choose.

[gallery ids="1721938,1721939,1721940,1721941"]

Mozilla’s petition comes at a time when PayPal has been weighing whether or not it should change the default in Venmo from public to private, according to a report from Bloomberg last month.

Thanks to large-scale scandals like Cambridge Analytica and others involving user data being overexposed, timed alongside the rollout of new privacy regulations like Europe’s GDPR, many companies are reviewing their data protection policies.

Venmo’s casual over-sharing now feels like a holdover from an earlier, more naive time on the web, and it wouldn’t be surprising if it decided to later adjust the app’s settings to match where consumer sentiment is headed today.



source https://techcrunch.com/2018/09/27/mozilla-pushes-paypal-to-make-venmo-transactions-private-by-default/

The E-Commerce Benchmark KPI Study: The Most Valuable Online Consumer Trend of 2018 Revealed [Video]

Posted by Alan_Coleman

The latest Wolfgang E-Commerce Report is now live. This study gives a comprehensive view of the state of digital marketing in retail and travel, allowing digital marketers to benchmark their 2018 performance and plan their 2019 strategy.

The study analyzes over 250 million website sessions and more than €500 million in online revenue. Google Analytics, new Facebook Analytics reports, and online surveys are used to glean insights.

Revenue volume correlations

One of the unique features of the study is its conversion correlation. All website metrics featured in the study are correlated with conversion success to reveal what the most successful websites do differently.

This year we've uncovered our strongest success correlation ever at 0.67! Just to give that figure context: normally, 0.2 is worth talking about and 0.3 is noteworthy. Not only is this correlation with success very strong, the insight itself is highly actionable and can become a pillar of your digital marketing strategy.

And the stand out metric is (drumroll, please!)...

Number of sessions per user.

To put it plainly, the websites that generate the most online revenue have the highest number of sessions per user over 12 months. Check out the video below to get a detailed explanation of this phenomenon:

Video transcript available below

These are the top factors that correlated with revenue volume. You can see the other correlations in the full study.

Click to see a bigger version

  • Average pages per session (.37)
  • Average session length (.49)
  • Conversion rate by users (.41)
  • Number of sessions per user (.67)
  • Percentage of sessions from paid search (.25)

Average website engagement metrics

Number of sessions per user Average pages per session Average session duration Bounce rate Average page load time Average server response time
Retail 1.58 6 3min 18sec 38.04% 6.84 1.02
Multi-channel 1.51 6 3min 17sec 35.27% 6.83 1.08
Online-only 1.52 5 3min 14sec 43.80% 6.84 0.89
Travel 1.57 3 2min 34sec 44.14% 6.76 0.94
Overall 1.58 5 3min 1sec 41.26% 6.80 0.97

Above are the average website engagement metrics. You can see the average number of sessions per user is very low at 1.5 over 12 months. Anything a digital marketer can do to get this to 2, to 3, and to 4 makes for about the best digital marketing they can do.

At Wolfgang Digital, we’ve been witnessing this phenomenon at a micro-level for some time now. Many of our most successful campaigns of late have been focused on presenting the user with an evolving message which matures with each interaction across multiple media touchpoints.

Click through to the Wolfgang E-Commerce KPI Report in full to uncover dozens more insights, including:

  • Is a social media engagement more valuable than a website visit?
  • What's the true value of a share?
  • What’s the average conversion rate for online-only vs multi-channel retailers?
  • What’s the average order value for a hotel vs. tour operator?

Video Transcript

Today I want to talk to you about the most important online consumer trend in 2018. The story starts in a client meeting about four years ago, and we were meeting with a travel client. We got into a discussion about bounce rate and its implication on conversion rate. The client was asking us, "could we optimize our search and social campaigns to reduce bounce rate?", which is a perfectly valid question.

But we were wondering: Will we lower the rate of conversions? Are all bounces bad? As a result of this meeting, we said, "You know, we need a really scientific answer to that question about any of the website engagement metrics or any of the website channels and their influence on conversion." Out of that conversation, our E-Commerce KPI Report was born. We're now four years into it. (See previous years on the Moz Blog: 2015, 2016, 2017.)

The metric with the strongest correlation to conversions: Number of sessions per user

We've just released the 2019 E-Commerce KPI Report, and we have a standout finding, probably the strongest correlation we've ever seen between a website engagement metric and a website conversion metric. This is beautiful because we're all always optimizing for conversion metrics. But if you can isolate the engagement metrics which deliver, which are the money-making metrics, then you can be much more intelligent about how you create digital marketing campaigns.

The strongest correlation we've ever seen in this study is number of sessions per user, and the metric simply tells us on average how many times did your users visit your website. What we're learning here is any digital marketing you can do which makes that number increase is going to dramatically increase your conversions, your revenue success.

Change the focus of your campaigns

It's a beautiful metric to plan campaigns with because it changes the focus. We're not looking for a campaign that's a one-click wonder campaign. We're not looking for a campaign that it's one message delivered multiple times to the same user. Much more so, we're trying to create a journey, multiple touchpoints which deliver a user from their initial interaction through the purchase funnel, right through to conversion.

Create an itinerary of touchpoints along the searcher's journey

1. Research via Google

Let me give you an example. We started this with a story about a travel company. I'm just back from a swimming holiday in the west of Ireland. So let's say I have a fictional travel company. We'll call them Wolfgang Wild Swimming. I'm going to be a person who's researching a swimming holiday. So I'm going to go to Google first, and I'm going to search for swimming holidays in Ireland.

2. E-book download via remarketing

I'm going to go to the Wolfgang Wild Swimming web page, where I'm going to read a little bit about their offering. In doing that, I'm going to enter their Facebook audience. The next time I go to Facebook, they're now remarketing to me, and they'll be encouraging me to download their e-book, which is a guide to the best swimming spots in the wild west of Ireland. I'm going to volunteer my email to them to get access to the book. Then I'm going to spend a bit more time consuming their content and reading their book.

3. Email about a local offline event

A week later, I get an email from them, and they're having an event in my area. They're going for a swim in Dublin, one of my local spots in The Forty Foot, for example. I'm saying, "Well, I was going to go for a swim this weekend anyway. I might as well go with this group." I go to the swim where I can meet the tour guides. I can meet people who have been on it before. I'm now really close to making a purchase.

4. YouTube video content consumed via remarketing

Again, a week later, they have my email address, so they're targeting me on YouTube with videos of previous holidays. Now I'm watching video content. All of a sudden, Wolfgang Wild Swimming comes up. I'm now watching a video of a previous holiday, and I'm recognizing the instructors and the participants in the previous holidays. I'm really, really close to pressing Purchase on a holiday here. I'm on the phone to my friend saying, "I found the one. Let's book this."

Each interaction moves the consumer closer to purchase

I hope what you're seeing there is with each interaction, the Google search, the Facebook ad which led to an e-book download, the offline event, back online to the YouTube video, with each interaction I'm getting closer to the purchase.

You can imagine the conversion rate and the return on ad spend on each interaction increasing as we go. This is a really powerful message for us as digital marketers. When we're planning a campaign, we think about ourselves as though we're in the travel business too, and we're actually creating an itinerary. We're simply trying to create an itinerary of touchpoints that guide a searcher through awareness, interest, right through to action and making that purchase.

I think it's not just our study that tells us this is the truth. A lot of the best-performing campaigns we've been running we've seen this anecdotally, that every extra touchpoint increases the conversion rate. Really powerful insight, really useful for digital marketers when planning campaigns. This is just one of the many insights from our E-Commerce KPI Report. If you found that interesting, I'd urge you to go read the full report today.


Sign up for The Moz Top 10, a semimonthly mailer updating you on the top ten hottest pieces of SEO news, tips, and rad links uncovered by the Moz team. Think of it as your exclusive digest of stuff you don't have time to hunt down but want to read!



source https://moz.com/blog/ecommerce-benchmark-kpi-study-2018

Pew: A majority of U.S. teens are bullied online

A majority of U.S. teens have been subject to online abuse, according to a new study from Pew Research Center, out this morning. Specifically, that means they’ve experienced at least one of a half-dozen types of online cyberbullying, including name-calling, being subject to false rumors, receiving explicit images they didn’t ask for, having explicit images of themselves shared without their consent, physical threats, or being constantly asked about their location and activities in a stalker-ish fashion by someone who is not their parents.

Of these, name-calling and being subject to false rumors were the top two categories of abuse teens were subject to, with 42% and 32% of teens reporting it had happened to them.

 

 

 

Pew says that texting and digital messaging has paved the way for these types of interactions, and parents and teens alike are both aware of the dangers and concerned.

Parents, in particular, are worried about teens sending and receiving explicit images, with 57% saying that’s a concern, and a quarter who worry about this “a lot.” And parents of girls worry more. (64% do.)

Meanwhile, a large majority – 90% – of teens now believe that online harassment is a problem and 63% say it’s what they consider a “major” problem.

Pew also found that girls and boys are both harassed online in fairly equal measure, with 60% of girls and 59% of boys reporting having experienced some sort of online abuse. That’s a figure that may surprise some. However, it’s important to clarify that this finding is about whether or not the teen had ever had experienced online abuse – not how often or how much.

Not surprisingly, Pew found that girls are more likely than boys to have experienced two or more types of abuse, and 15% of girls have been the target of at least 4 types of abuse, compared with 6% of boys.

Girls are also more likely to be the recipient of explicit images they didn’t ask for, as 29% of teens girls reported this happened to them, versus 20% of boys.

And as the teen girls got older, they receive even more of these types of images, with 35% of girls ages 15 to 17 saying they received them, compared with only 1 out of 5 boys.

Several factors seem to play no role in how often the teens experience abuse, including race, ethnicity, or parents’ educational attainment, Pew noted. But having money does seem to matter somehow – as 24% of teens whose household income was less than $30K per year said they received online threats, compared with only 12% of those whose household incomes was greater than $75K per year. (Pew’s report doesn’t attempt to explain this finding.)

Beyond that factor, receiving or avoiding abuse is directly tied to how much screen time teens put in.

That is, the more teens go online, the more abuse they’ll receive.

45% of teens say they’re online almost constantly, and they are more likely to be harassed, as a result. 67% of them say they’ve been cyberbullied, compared with 53% who use the internet several times a day or less. And half the constantly online teens have been called offensive names, compared with just about a third (36%) who use the internet less often.

Major tech companies, including Apple, Google, and Facebook, have begun to address the issues around device addiction and screen time with software updates and parental controls.

Apple, in iOS 12, rolled out Screen Time controls that allows Apple device users to measure, monitor and restrict how often they’re on their phones, when, what type of content is blocked, and which apps they can use. In adults, the software can nudge them in the right direction, but parents also have the option of locking down their children’s phones using Screen Time controls. (Of course, savvy kids have already found the loopholes to avoid this, according to new reports.)

Google also introduced time management controls in the new version of Android, and offers parental controls around screen time through its Family Link software.

And both Google and Facebook have begun to introduce screen time reminders and settings for addictive apps like YouTube, Facebook and Instagram.

Teens seem to respect parents’ involvement in their digital lives, the report also found.

A majority – 59% – of U.S. teens say their parents are doing a good job with regard to addressing online harassment. However, 79% say elected officials are failing to protect them through legislation, 66% say social media sites are doing a poor job at stamping down abuse, and 58% of teachers are doing a poor job at handling abuse, as well.

Many of the top media sites were largely built by young people when they were first founded, and those people were often men. The sites were created in an almost naive fashion, with regard to online abuse. Protections – like muting, filters, blocking, and reporting, were generally introduced in a reactive fashion, not as proactive controls.

Instagram, for example – one of teens’ most-used apps – only introduced comment filters, blocklists, and comment blocking in 2016, and just four months ago added account muting. The app was launched in October 2010.

Pew’s findings indicate that parents would do well by their kids by using screen time management and control systems – not simply to stop their teenagers from being bullied and abused as often, but also to help the teens practice how to interact with the web in a less addictive fashion as they grow into adults.

After all, device addiction resulting in increased exposure to online abuse is not a plague that only affects teens.

Pew’s full study involves surveys of 743 teens and 1,058 parents living in the U.S. conducted March 7 to April 10, 2018. It counted “teens” as those ages 13 to 17, and “parents of teens” are those who are the parent or guardian of someone in that age range. The full report is here.



source https://techcrunch.com/2018/09/27/pew-a-majority-of-u-s-teens-are-bullied-online/