How OWASP helped me quit Facebook
- Jason Grosz
Over the last couple years I have been getting fed up with social media. For me, that mostly means Facebook and various Google services and software. Google was once thought of as an ethical company and beloved by nerds. However, I don’t really buy “Don’t be evil” any more. Apparently they have also decided it is too high a bar. As I am fond of saying, companies are robots made of people. Now that Alphabet has become huge, the intentions of the founders and the other humans that work there don’t guarantee “not evil” behavior by the profit-driven collective. The issue really isn’t social media, it is services paid for with advertising revenue. The impact of the algorithms used to increase “engagement” in these types of services has disturbing implications.
I have been mulling over this for a while, and decided that for me the cost versus benefit of Facebook in particular does not add up anymore. During my first programming job in 1999—before Facebook even existed—I was involved in developing banner ad hosting solutions. I believe I have always used these services with full knowledge that I am the product.
I have been leaning on Facebook more than ever during the COVID lockdown. I use it to keep up with friends and have some social interaction with someone other than my wife and dog.
I told myself as soon as I am vaccinated and can see folks in person, I am going to pull the plug!
As I was making up my mind to “drop out,” I also realized it is my privileged position in life that allows me to be so dismissive of the value of these advertising supported services. For example, if I was starting a small business or if I was a professional of any kind from an underprivileged group I would have no choice but to use platforms like Twitter, Facebook, YouTube, Etsy, etc. (see what I did there?) to promote my business or look for career opportunities.
That framing brought me back to something I have been passionate about since the early days of the web. I wish that everyone who uses computers—in hopes of making their lives better—would clearly understand what thing of value they are trading for that betterment. This is pretty clear with traditional installed software—you pay a dollar amount for a program, read the EULA and you know what the ROI is. With advertising driven services, this whole equation becomes murky. Not only murky, but obscure on purpose.
As I continued to chew on this idea, it occurred to me that what makes this so difficult is that there is an objective aspect and a subjective aspect to calculating the cost-benefit ratio for apparently free services.
There are aspects that are knowable and measurable. For example, it is objectively true that when I visit a web site hosting ads from Google Ad Network my impression of seeing the banner and whether or not I clicked it will be sent back to Google and stored on their servers. The assessment of whether or not I am personally annoyed at seeing those ads—or if I would rather be shown static or targeted ads—is entirely subjective. Some of my friends say, “Well, if I have to be shown ads, they may as well be targeted. It is more likely the product will be interesting to me, so I don’t mind.”
This whole train of thought reminded me of something I ran across during OWASP training while working for a client subject to PCI DSS.
OWASP Risk Rating Methodology is explained really well in this article I ran across in that training.
This OWASP methodology was designed to evaluate security threats, but it can be applied to a lot of different things. I think something interesting will come from applying this methodology to evaluating the risk from using services supported by targeted advertisement.
The core concept can be summed up with this equation:
Risk = Likelihood * Impact
I like the way this separates the objective analysis of likelihood from the subjective evaluation of impact.
Since we are applying this to a choice to use an advertising supported service, I think it is interesting to revise that equation to consider the value exchange.
Risk = Likelihood * (Cost - Benefit)
The steps laid out in this methodology are:
- Step 1: Identifying a Risk
- Step 2: Factors for Estimating Likelihood
- Step 3: Factors for Estimating Impact
- Step 4: Determining Severity of the Risk
- Step 5: Deciding What to Fix
- Step 6: Customizing Your Risk Rating Model
The rest of the details in the OWASP article sort of apply, but to make it simple let’s just say I am going on a tangent starting from the details above.
I’ll express the likelihood as a percentage, and the Cost and Benefit with an arbitrary 1 to 10 scale. This can result in a final Risk with a negative sign, which might mean there is more reward than risk for me.
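An added example, not code from the original post or from OWASP: Steps 2 to 4 of the OWASP methodology (average the 0 to 9 factor ratings, bucket them into levels, look up the severity matrix) next to the value-exchange variant described above. The function names are illustrative, the factor ratings are constructed sample values, and the service scores are the ones the post arrives at further down.

```python
"""Added example: OWASP Risk Rating steps 2-4 beside the post's variant."""
from statistics import mean


def level(score):
    """Bucket a 0-9 OWASP score: below 3 LOW, below 6 MEDIUM, else HIGH."""
    if not 0 <= score <= 9:
        raise ValueError("OWASP factor scores run from 0 to 9")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


# OWASP overall severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium",
    ("MEDIUM", "HIGH"): "High", ("HIGH", "LOW"): "Medium",
    ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}


def owasp_severity(likelihood_factors, impact_factors):
    """Average each group of factor ratings, bucket both, look up severity."""
    likelihood = mean(likelihood_factors)
    impact = mean(impact_factors)
    return likelihood, impact, SEVERITY[(level(impact), level(likelihood))]


def value_exchange_score(likelihood_pct, cost, benefit):
    """The post's variant: likelihood in percent times (cost - benefit)."""
    if not 0 <= likelihood_pct <= 100:
        raise ValueError("likelihood is a percentage")
    if not (1 <= cost <= 10 and 1 <= benefit <= 10):
        raise ValueError("cost and benefit use the post's 1 to 10 scale")
    return likelihood_pct * (cost - benefit)


# (risk, service, likelihood %, cost, benefit) as scored later in the post.
POST_SCORES = [
    ("targeted ads", "Google", 100, 2, 8),
    ("targeted ads", "Facebook", 100, 5, 2),
    ("stolen attention", "YouTube", 90, 8, 8),
    ("stolen attention", "Facebook", 100, 8, 2),
    ("filtered conversations", "Twitter", 80, 2, 6),
    ("filtered conversations", "Facebook", 100, 9, 2),
    ("bad deal", "Google", 50, 6, 8),
    ("bad deal", "Facebook", 75, 8, 2),
]


def ranked(scores=POST_SCORES):
    """Highest risk first; negative results are what the post calls rewards."""
    rows = [(value_exchange_score(p, c, b), risk, service)
            for risk, service, p, c, b in scores]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    # Constructed sample ratings: eight likelihood factors, four impact factors.
    print(owasp_severity([5, 2, 7, 1, 3, 6, 9, 2], [9, 7, 5, 8]))
    for score, risk, service in ranked():
        kind = "reward" if score < 0 else "risk"
        print(f"{score:>5}  {kind:<6}  {service:<8}  {risk}")
```

OWASP's levels have no negative side, so a favourable trade shows up there only as a lower severity, while the post's signed score can report it as a reward.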
Let’s dig in!
To examine some concrete examples, let’s say I went through Step 1 and picked these risks.
- I will be shown advertisements targeted using my activity data
- My attention will be “stolen” by factors I do not control
- Conversations with my friends will be influenced by an algorithm
- I am getting a “bad deal” because my data is being re-sold for more than the value of the service
For each risk, I’ll spend some time making a case for likelihood, the more objectively measurable factor. I’ll combine Steps 3 and 4 drawing a line around how I decided on the impact for myself. There are sometimes interesting mitigations to talk about that might change the impact, so I will loosely combine Steps 5 and 6.
Risk: I will be shown advertisements targeted using my activity data
For both Google and Facebook there is a 100% chance this will happen without mitigation.
I am showing the (Cost - Benefit) below. Rolled in to the Cost is the result of any mitigations I am willing to take.
When this results in a negative number for the overall score, then the risk is turned on its head. I guess we could call it a Reward Score.
There are enough painless mitigations—mainly using an ad blocker—to give Google a lower cost for me. Due to the nature of Facebook’s mobile app and web interface, there are really no mitigations that improve that score.
I consider the base cost to be low, I think I do a good job of ignoring some kinds of targeted ads, and I’ve lived with them for a long time.
For the purposes of this risk, I am just thinking about using the Google search engine, although it applies to using YouTube as well if you consider suggested videos and promoted search results to be roughly the same thing.
So, of course the likelihood of this happening is 100% without some significant mitigation steps. This is Google’s whole business model. They very clearly sell the dynamic and data driven features of their tracking to anyone looking to purchase ads. Google also has their own advertising network, Google Display Network. Thanks to the same-origin policy and the fact that they have a huge share of the web marketing…ummm…market, they can also track activity on a huge number of sites. And they can clearly correlate your search history and browsing activity (for sites that have their ads).
The most straightforward step you can take to reduce the likelihood of being tracked—and therefore being shown targeted ads—is to use an ad blocker of some kind.
However, if you use the Google search engine, they will still be able to “know” about everything you search for and correlate it to activity on sites that host their ads. They will just have a less accurate and granular notion of “you.” Instead of a cookie which is specific to your browser and session, they will have your IP address and whatever degree of fingerprinting they choose to use.
You can opt out of having your search data tracked by using an alternate search engine such as DuckDuckGo—which purports to treat your data with more respect. This isn’t a “mitigation” to make using Google better as such. If the core value we are talking about is the ability to easily search for web sites and visit them, you can have all of that by using some other browser than Chrome and an alternate search engine.
100% x (2 - 8) = -600 # a negative risk is a reward
This is of course Facebook’s business model, so the tendency for this risk to happen is high. Their ad network is smaller so the amount of tracking they can do on arbitrary web sites is less than Google. Of course—again thanks to the same-origin policy—the Like button serves the same purpose in terms of tracking activity outside of Facebook’s main web site. It seems to me the popularity of the Like button has waned so that might not be as much of a factor as it once was.
I tried to find a source for this and went down such a rabbit hole—lots of people giving (apparently) free advice about how to market and promote your site with Facebook, instructions how to do it, very many parasitic outgrowths of this apparently successful business model. I will take this nine year old Quora post as evidence that this question has been answered and stop thinking about it now.
Both Google and Facebook have similar models. You are shown advertisements, tracked in detail while using their services, and also shown ads and tracked to a lesser degree on web sites in their respective ad networks. Depending on usage habits, I would guess folks spend more time interacting with the Facebook web and mobile apps than Google search.
Using an ad blocker while interacting with the Facebook web site will provide some protection although there isn’t much you can do about suggested posts. Ad blockers can slow down your browsing experience and mess with web site layouts. And of course when it comes to something like Facebook, we are providing them with rich data about our interests based on where we click, which posts we comment on, and what photos we react to.
One might think that logging out of Facebook might reduce the amount of tracking, however logging out doesn’t remove all the Facebook cookies, and even if you also delete those, there is still the possibility of using IP address and browser fingerprinting.
When it comes to using the Facebook mobile applications and web site there isn’t much you can do.
100% x (5 - 2) = 300
Impact Reaction: Tightening up my tinfoil hat
I have recently switched to Safari configured to use DuckDuckGo for personal browsing along with the Better ad blocker on my Mac, and it has been pretty painless.
Risk: My attention will be “stolen” by factors I do not control
For this risk it is interesting to compare Facebook with YouTube. The likelihood for Facebook is pretty much identical to the previous risk (targeted ads), however the likelihood for YouTube is greater than for Google search, because of the forced inline ads.
I care about this more than being shown targeted ads, it just feels more invasive and harder to filter, so the cost is high for both services. YouTube—go Alphabet!—is once again giving me more value than Zuckerberg and team, so the benefit there is greater.
I guess it is pretty cool that they are transparent about it. Watching the “Skip this ad in 3 seconds…” message is the new “Back in two and two!”.
Thinking back on the developments of the last 25 years, I am truly astonished at how well self publishing video works with YouTube.
I am talking about the journey from publishing hand written static HTML, to the days of Geo Cities, through the era of Flash videos and animations, MySpace, lots of WordPress and other content management systems, and blogging platforms in between…phew. The dream of anyone in the world being able to publish whatever they create to the entire Internet has been an evolving goal. In other words, YouTube certainly is providing a clear value for both the creators and audience.
But your attention is ~~pwned~~ owned for a clear period of time for each viewing. And, what a business model. As of this writing, they require 1000 followers before you can “monetize” your YouTube page by hosting ads that earn you some paltry percentage of the revenue. So many aspiring influencers driving a base level of traffic to their web site.
90% x (8 - 8) = 0 # this one is a toss up!
The likelihood of this is pretty much identical to the last risk, “I will be shown advertisements targeted using my activity data.” I give it a full 100%. Between suggested posts and the algorithm picking “most popular” everything—your attention is theirs. Of course, that means most popular with their accountants.
100% x (8 - 2) = 600
Impact Reaction: Maximize the economy of attention
I know initiative and attention are limited resources. I don’t think of them as fixed resources, because they can be renewed and are sometimes fungible. I do think about my “attention budget” as I plan my activities and the rhythm of my life. I give this a pretty high cost across the board, balanced with the value I see out of each service.
Risk: Conversations with my friends will be influenced by an algorithm
I posit that this is a sure thing for Facebook. It is also mostly a sure thing for Twitter if you use their web site or mobile app. I am giving them similarly high likelihoods.
For me, the base cost of this is really high. I am very salty about having my conversations messed with. I am also worried about the social and political implications of this for our society and the world.
However, the existence of a fully featured API and third party clients means there is a decent way to mitigate this risk for Twitter, so I am giving it a lower calculated cost.
Although the application itself is much simpler, Twitter works pretty much the same way as Facebook in regards to a machine algorithm picking the tweets you see. There are also promoted tweets in addition to advertisements shown in their apps.
If you really value Twitter, there is an interesting workaround that will let you have your cake and eat it. Due to the features exposed by the Twitter API, there are third party clients that don’t show you suggested Tweets or ads. In this way, theoretically there is no algorithm manipulating your communication. I would not say that this mitigation takes the likelihood to zero. Unless all the people in your feed are as fastidious as you are, you will have second order effects of their influence from algorithms designed to increase engagement.
Risk: 80% x (2 - 6) = -320 # another reward
This is something I have been more passionate about since the 2016 US presidential election. I find the idea that targeted “marketing” was successfully used to manipulate large numbers of people very disturbing. I feel like I can’t have a serious truthful conversation on Facebook and I can’t enjoy the trivial and sentimental aspects knowing I am just a product. Worse than that, my attempts at authentic human communication are being warped for the sake of commerce and politics. I give this a Cost of 9, and lower Benefit as usual.
Risk: 100% x (9 - 2) = 700
Impact Reaction: Taking back my conversations
I would give Facebook a likelihood of 100% for this risk. On the other hand, I give Twitter an 80%, because you can work around some of their algorithm. Based on the reasonable mitigation of using a third party client to easily get an unfiltered chronological feed, I would take the cost for Twitter down to 2, resulting in another possible reward. I have been enjoying using Tweetbot to keep up the work life Twitters, not sure if I am going to cultivate a personal set of connections after leaving Facebook.
Risk: I am getting a “bad deal” because my data is being re-sold for more than the value of the service
Fundamentally the bad deal aspect of the likelihood percentage is more subjective than some of the other risks, so this one is unique in that there are subjective aspects on both sides of the multiplication. But, we can objectively talk about how our data is being monetized. My impression is that Google is more transparent about how your data is used than Facebook is. I also only put so much energy into caring about this. Living in a capitalist society, I am accustomed to the idea that there are companies profiting off my activities all day every day. This reduces the likelihood percentage by maybe 25 points for both services.
For the Impact Score (cost minus benefit) this one is more subtle. The cost is about the same, a little less for Google. However I perceive that the benefit from some of Google’s service—YouTube and specifically Live Stream—is very high compared to Facebook. I am willing to put up with quite a lot of privacy loss and tracking for the use of their video platform.
I made reference about no longer believing the “Don’t be evil” motto since Google’s explosive growth and the creation of Alphabet. It is true I don’t 100% believe it, but I know there are a lot of well-meaning folks at Google, and they are very transparent about what they collect and how your data is used.
I trust them enough that I don’t worry too much about there being other data sales and profit being made aside from what they disclose. What they explicitly tell you they are using is plenty profitable. They also have a pretty complex opt-out interface. This means even without using an ad blocker, you could tighten down what data you allow Google to use, which you might interpret as getting a better deal, giving them less for the benefit of Google Search, Gmail, YouTube, and all the rest.
50% x (6 - 8) = -100 # I suppose I will keep using your ubiquitous services...sigh
You can’t talk about the value of our data without talking about stock value and the core truth that a stock is worth whatever people think it is worth. I have a thought exercise where I imagine—what would I be willing to pay for XYZ service, setting aside whether anyone else in the world would be willing to pay for it? Then I try to imagine the business model. Would Facebook’s shareholders be excited if they eliminated all the indirection and just charged users $20.00 a month, got rid of all ads, and stopped selling any of our data? I would think the answer to that is…no. There is no dollar amount you could put on that service to make the stock go up. The point is, I think many many tech companies are intentionally vague about how they might make money off our data. They are being intentionally obscure. In my estimation, Facebook is at the pinnacle of this tendency.
What does that mean? It means from my perspective all they have to offer is a bad deal for us, their users. No matter what value you get out of the service, their business model is to make whatever money they possibly can from our data and be as vague about it as they can get away with.
75% x (8 - 2) = 450 # still noope!
Impact Reaction: Sometimes I am OK with the trade
I get so much benefit in exchange for my data from services like YouTube Live Stream and Google Docs, not to mention their search engine.
I ran a Darwin QuickTime Streaming Server for a long time on my own infrastructure. So I know what the cost in labor, bandwidth, and hosting could be if I decided to do this independently. I used that open source media server to stream live techno shows, and also to host video that could be streamed “on demand” and embedded in web pages. This was about fifteen years ago, when there were many fewer options. Of course, using this server I did not have the benefit of the rest of the YouTube cloud services. I had to do all the video editing locally. If I wanted to keep a copy of a video from a show, I had to have hard drive space for it. Ugggh…not to mention keeping decent backups of intermediate high resolution files and Final Cut or Premiere project files. It was a royal PITA. Needless to say, the whole suite of tools that Google supplies, all running in the cloud and backed up continually is quite valuable to me.
Google Docs—both free and the paid G Suite version—are also a really amazing value. It isn’t a perfect business document suite, but for the most part I think they have struck a good balance between simplicity, usability, and features. There are certainly alternatives to Google Docs, but nothing I have found offers a full suite of these tools that all inter-operate.
I really do get a benefit from Facebook. I believe I have always used their services fully knowing I am the product. I appreciate being able to see pictures from friends and family across the country all in one place. The thing about social media is—the more popular it is the more useful—which poses kind of a conundrum.
For my own friends group, I have always been careful and only accepted requests from actual humans I love. I use the, “Would I have you over for a beer?” test. When someone I barely remember from high school or a past job sends a request, I reply thanking them for reaching out. I indicate I want to keep my Facebook friends list short and intimate. I usually provide a quick life status update and give them my email. Pretty much no one ever emails. Social media makes it so easy to have virtual acquaintances, but not any easier to have deep meaningful friendships IRL.
However, I don’t get nearly as much benefit from Facebook as Google, so the overall Impact Score is much higher in this case.
Just because everyone does it…right?
Online, offline, everywhere you go, however you communicate, businesses are trying to leverage your data to make more money. It is easy to be hair on fire about web-based services and apps selling our data. However, it is all a matter of degree. People like free stuff. This kind of commercialization of information has been around a long time. The most basic type of “targeted advertising” was present in the first newspapers. I would bet that depending on if you read a Tory broadsheet or a Whig rag, you would surely see different adverts.
I had a laugh when I opened my Capital One credit card bill and saw this disclaimer on the back of the bill. It explains in a pretty easy to understand way how my data is being shared—as in sold. The funny thing is, they are so blasé about it. There is really nothing you can do to change what data is shared—other than the obvious choice of finding another credit card.
It is truly overwhelming. Even as much as I am interested in this, I have certainly not read the data privacy statements being sent to me all the time by my insurance company, private gas and electric providers, or all the banks and bank-like businesses that have my information.
The degree and detail of tracking is so much greater with web sites and mobile applications. Fortunately with “virtual” services—as opposed to your natural gas provider or other IRL entanglements—you have many ways to control your data and mitigate the impact for yourself. However, using the OWASP model to assess the risk through considering likelihood and impact can be applied to these real life use cases in much the same way.