Cyber Saturday—Challenging Facebook’s ‘#10YearChallenge,’ Tim Cook’s Privacy Plea, Mega Password Leak

Samsung Users Cannot Delete Facebook App
The FTC considers a record fine for Facebook for its violations of a user-privacy settlement it made in 2012.
NurPhoto via Getty Images

My reaction to the #10YearChallenge circulating on Facebook: Nope.

Perhaps I am a curmudgeon. In my view, the meme, which prompts people to post before-and-after photos of themselves on Facebook, Instagram, and other social media sites, is no better than a data-siphoning social engineering attempt. The viral campaign exploits our vanity, encouraging us to surrender images of ourselves from a decade ago. People just happen to be packaging the chronology of their physiognomy in a usable format for machines to parse.

One can imagine how this dataset might be useful for big tech to train facial recognition algorithms. The photo cache could help these companies determine people’s ages at a glance, trace identities over time, or digitally mirror the aging process (as well as the reverse). It doesn’t take a great leap of the imagination to see how these abilities might benefit marketers looking to personalize advertisements—for retirees (picture yourself—literally—in this lovely home), for beauty products (want to look dozens of years younger?), and untold other age-discriminating possibilities.

Facebook did not respond to my requests for more information about the origins of the so-called challenge, but a spokesperson told Kate O’Neill, an author and speaker who wrote a thoughtful commentary on the subject for Wired, that it played no part in the campaign’s inception.

“This is a user-generated meme that went viral on its own,” a Facebook spokesperson told O’Neill. “Facebook did not start this trend, and the meme uses photos that already exist on Facebook. Facebook gains nothing from this meme (besides reminding us of the questionable fashion trends of 2009). As a reminder, Facebook users can choose to turn facial recognition on or off at any time.”

I disagree, at least in part; Facebook does gain something.

Consider applying the #10YearChallenge to the beast that begat it. In 2009, Facebook overtook MySpace for the first time. The site spring-boarded from college campuses into the homes of tech-savvy youngsters everywhere, setting it on a path that would produce the world-dominating media juggernaut we know today. Ten years later Facebook’s demographics are skewing much older; Millennials and Gen Z-ers are ditching the flagship site even as parents sign up. Many Baby Boomers-and-up are no doubt uploading selfies to which Facebook previously had no access. Same goes for youngsters newly joining Instagram.

To be fair, this particular meme may very well be benign—just some harmless fun! But the same may not be true of the next viral phenomenon. Even if the 10-year challenge is not some grand conspiracy with an ulterior motive (see: Cambridge Analytica), it’s worth considering what ulterior outcomes one’s participation might enable.

Before engaging in another seemingly innocent round of show-and-tell, check for wrinkles.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Dumpster diving. A huge trove of data spilled onto the web and has been helpfully uploaded to HaveIBeenPwned, a leaked password-checking database for consumers, by security researcher Troy Hunt, the site's proprietor. The leak, dubbed "Collection #1," contains nearly 773 million unique email addresses and more than 21 million unique passwords—making it Hunt's largest-ever upload. It's unclear where exactly the data originated, although the anonymous person(s) who posted them online claim they came from many different sources. Best use the opportunity to clean up your password hygiene.

Be yourself. Facebook is still combatting disinformation. Nathaniel Gleicher, Facebook's head of cybersecurity policy, said the media giant booted two Russian operations—including one involving Sputnik, a Moscow-based news agency—off Facebook and Instagram on Thursday. Facebook suspended hundreds of accounts and pages that he said engaged in "coordinated inauthentic behavior." He noted that the fight against fakers is "an ongoing challenge."

Chinese finger trap. Federal prosecutors are probing Huawei for allegedly stealing intellectual property from U.S. companies, including components from a T-Mobile phone-testing robot called "Tappy," reports the Wall Street Journal. The investigation is "at an advanced stage and could lead to an indictment soon," the Journal's unnamed sources said. Add this development to the mess of controversies entangling the Chinese company.

Demand a recount. The Financial Times said it discovered evidence of "huge fraud" in the Democratic Republic of Congo's December presidential election. The paper claims that its own independent tally of votes, based on data leaked by an unnamed source close to Martin Fayulu, the contest's loser (but actual winner?), exposes the fraud. The report corroborates the view of the Catholic Church, which earlier denounced the election's "results" after conducting its own audit.

Look; don't touch. A California judge recently ruled that police officers are not authorized, even in possession of a search warrant, to force suspects to unlock their phones using biometrics, like a fingerprint or facial scan, Forbes reports. Judges had already ruled that passcodes were protected against such coercion, meaning people could refuse to supply them, thereby preventing self-incrimination. The judge, who called the original law enforcement request "overbroad," wrote, "If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device."

Just your friendly neighborhood NSA

Share today's Cyber Saturday with a friend:

http://fortune.com/newsletter/cybersaturday/

Looking for previous Data Sheets? Click here

ACCESS GRANTED

Laying down the law. Tim Cook, CEO of Apple, the once-most valuable company in America (until recent snags in China set it back), penned a full-throated call to action in Time, Fortune's once-sibling magazine. He urges consumers to demand greater privacy protections and prods regulators and lawmakers to enact privacy-oriented legislation. Cook takes direct aim at data brokers, which he says operate in a "shadow economy that's largely unchecked," and he proposes that the Federal Trade Commission create a clearinghouse for greater oversight of the industry.

Preach, Mr. Cook:

In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.

This problem is solvable—it isn’t too big, too challenging or too late. Innovation, breakthrough ideas and great features can go hand in hand with user privacy—and they must. Realizing technology’s potential depends on it.

That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—a landmark package of reforms that protect and empower the consumer.

FORTUNE RECON

U.S. CEOs Are More Worried About Cybersecurity Than a Possible Recession by Erik Sherman

Government Shutdown Puts U.S. at Major Hacking Risk, Cybersecurity Experts Warn by Laura Stampler

Researchers Discover Big Cybersecurity Flaw In Fortnite by Jonathan Vanian

U.S. Brings Multiple Charges over 2016 SEC Data Hack by Lucas Laursen

Offensive Security Names New CEO; Former No. 2 at HackerOne, Lynda by Robert Hackett

Huawei Founder Ren Zhengfei Breaks Silence as Global Pressures Mount by Eamon Barrett

Russian Hackers Allegedly Attempted to Breach the DNC After the 2018 Midterms by Renae Reints

Apple, Netflix and YouTube among Streamers Flouting EU Privacy Law, Say New Complaints by David Meyer

Why Hackers Had Thousands of DNA Tests Delivered to Random People Over the Holidays by Emily Price

ONE MORE THING

AirBnvasionOfPrivacy. Jeffrey Bigham, an associate professor of computer science at Carnegie Mellon University, discovered two cameras spying on his family during a stay at an Airbnb rental. He unplugged them and later fought with Airbnb—and the host—about whether this surveillance had been properly disclosed. (One camera appeared in a picture of the living room, if you squinted.) After his blog post went viral, Airbnb apologized for initially dismissing his complaint and refunded his money. Officially, such cameras are not allowed in Airbnb rental units, unless properly disclosed. It makes one wonder about what cameras might be hidden...

Subscribe to the Eye on AI newsletter to stay abreast of how AI is shaping the future of business. Sign up for free.