Social Media Apps

Informational Report

Original Release Date: 8/2/2023

Social Media Apps

Social media applications (apps) give users convenient communication and entertainment. Many users accept an app's policies and terms and conditions without understanding what they allow, prioritizing ease of use and functionality over their personal security and privacy. As a result, apps such as Facebook, Instagram, Twitter, TikTok, LinkedIn, YouTube, Reddit, and Snapchat build vast data collections on both users and non-users through marketing tools and data sharing with third parties, which lets them profile individuals for targeted advertising and personalized content. This collection also increases users' risk, because the stored data may be exposed to and accessed by malicious actors. This report examines each app's background, data collection practices and policies, data collection tools, data breaches, and privacy violations, and offers recommendations to reduce unwanted data collection.

Facebook

Facebook, an online social media network, was established in 2004 by Harvard University students Mark Zuckerberg, Eduardo Saverin, Dustin Moskovitz, and Chris Hughes. Facebook traces its origins to an earlier site, Facemash, launched in 2003 by Zuckerberg to let Harvard students rate the physical appearance of their peers. Facemash was shut down within 48 hours of its launch after Harvard discovered that Zuckerberg had violated university rules by accessing university systems without authorization to obtain students' photos. Despite this setback, Facemash's initial success in drawing 450 users inspired Zuckerberg, and with Saverin, Moskovitz, and Hughes he developed the concept for Facebook. Today, Facebook is the largest social media app globally. In October 2021 its parent company was renamed Meta, emphasizing the metaverse, a virtual reality environment in which users interact with one another.

Facebook users often skip the app's policies and so allow the collection of significant personal data without understanding its extent. Collected data includes personal information (e.g., name, phone number, and email address), financial information, videos, photos, metadata, contacts, network, messages, activities, and interactions, as well as device information (e.g., IP address, internet service provider (ISP), and GPS location) and device characteristics (e.g., battery level, device type, operating system, and storage). This collection occurs across all device types, including smartphones, laptops, desktop computers, and tablets. Facebook has also been known to obtain users' biometric data, primarily facial recognition data, without opt-in consent: it stored digital face templates derived from facial geometry to match faces in photos and suggest tags. In late 2021, Facebook shut down its facial recognition system in response to privacy concerns raised by regulators and the public.

Facebook also gathers information on non-users who have never created an account. It obtains this information through websites that embed Meta's tools: social plugins such as the "Like" and "Share" buttons, the Meta Pixel advertising tag, and the Conversions API (CAPI). Pixels, also called marketing pixels, tracking pixels, web beacons, or web bugs, are snippets of HTML or JavaScript, or invisible images, placed on web pages to collect information on visitors and record their activities or "events." The Conversions API serves the same purpose as the pixel but is more complete and accurate. Both are widely deployed alongside Meta products, but they differ in an important way. The pixel runs in the visitor's browser, so it sees only the events it can observe there, and it is easily blocked by ad blockers and browser tracking protection; the data it reports is collected by Facebook directly. CAPI, by contrast, runs server-to-server: the organization's own backend sends the events (including events that never touch the browser, such as completed purchases) to Facebook, so nothing in the visitor's browser can block it, and the organization controls which data it sends.
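The browser-side half of this tracking is visible in a page's HTML, so it can be audited statically. The following scanner is an added example written for this report, not code from Meta or any of the vendors; it flags the script tags, inline base code, and 1x1 image beacons that the Meta Pixel and similar tags leave in a page. The same patterns cover the TikTok Pixel, Twitter Pixel, and LinkedIn Insight Tag discussed later in this report. The hosts and inline markers are taken from each vendor's publicly documented base-code snippet and are an assumption that may change; the sample HTML is constructed.

```python
"""Static scan of a page's HTML for third-party tracking pixels and beacons.

Added illustration, not code from the report or from any vendor. The script
hosts and inline markers are an assumption based on each vendor's published
base-code snippet and may change over time.
"""
import re
from html.parser import HTMLParser

# Hosts that serve each vendor's tracking script.
SCRIPT_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
    "static.ads-twitter.com": "Twitter Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
}
# Hosts that receive the <noscript> image-beacon fallback.
BEACON_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "px.ads.linkedin.com": "LinkedIn Insight Tag",
}
# Markers that appear in the inline base code each vendor asks sites to paste.
INLINE_MARKERS = [
    (re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"), "Meta Pixel"),
    (re.compile(r"\bttq\.load\s*\("), "TikTok Pixel"),
    (re.compile(r"\btwq\s*\(\s*['\"](?:init|config)['\"]"), "Twitter Pixel"),
    (re.compile(r"\b_linkedin_partner_id\s*="), "LinkedIn Insight Tag"),
]

_HOST_RE = re.compile(r"^\s*(?:https?:)?//([^/?#]*)", re.I)


def host_of(url):
    """Lowercase host of an absolute or protocol-relative URL.

    Userinfo and port are stripped, so 'https://u@host:443/x' -> 'host';
    relative URLs such as '/logo.png' yield ''."""
    m = _HOST_RE.match(url or "")
    if not m:
        return ""
    netloc = m.group(1).rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0].lower()


def _is_tiny(attrs):
    """True for the 1x1 / 0x0 images used as beacons."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    return w.strip() in ("0", "1") and h.strip() in ("0", "1")


class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            vendor = SCRIPT_HOSTS.get(host_of(a.get("src", "")))
            if vendor:
                self._add(vendor, "script src", a["src"])
        elif tag == "img":
            src = a.get("src", "")
            vendor = BEACON_HOSTS.get(host_of(src))
            if vendor or _is_tiny(a):
                self._add(vendor or "unknown", "image beacon", src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if not self._in_script:
            return
        for pattern, vendor in INLINE_MARKERS:
            if pattern.search(data):
                self._add(vendor, "inline script", pattern.pattern)

    def _add(self, vendor, kind, evidence):
        self.findings.append({"vendor": vendor, "kind": kind, "evidence": evidence})


def find_trackers(html):
    """Return a list of {vendor, kind, evidence} findings for the given HTML."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: Meta base code plus noscript beacon, a TikTok
# script tag, a normal logo, and a 1x1 beacon to an unknown host.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>
!function(f,b,e,v,n,t,s){n=f.fbq=function(){};t=b.createElement(e);t.src=v;
s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,
'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script async src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
</head><body>
<img src="/static/logo.png" width="200" height="80" alt="logo">
<img src="https://cdn.tracker.example/p.gif" width="1" height="1" alt="">
</body></html>"""

if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML):
        print(f"{f['vendor']:<20} {f['kind']:<14} {f['evidence']}")
```

Run it against saved page source (`curl -s URL > page.html`, then feed the file) to see which tags a site carries; an "unknown" 1x1 image is worth a closer look at its host. The scanner sees only what is in the HTML, so tags injected later by a tag manager, and everything sent through the Conversions API, stay invisible to it.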

Meta Pixel and CAPI feed data into Meta's products and services, including Facebook, Instagram, Messenger, and WhatsApp. Business partners and third parties use these marketing tools to track users' activities and understand their online behavior, and the information is sent to Facebook in the background without the user's knowledge. Facebook also examines users' browsing history and cookies, which reveal visited pages and items added to shopping carts. As a result, Facebook can profile users and non-users and match their interests and preferences for targeted advertisements, especially in users' feeds, and Facebook and its business partners can continuously retarget users with tailored ads. Given Facebook's size and reach, many businesses use Meta Pixel and CAPI, including retailers such as Lululemon, PetSmart, and Sephora and technology companies such as Microsoft, Apple, and Amazon. Additionally, people without a Facebook account may be identified through their friends' uploaded phone contacts, and Facebook may use this information to encourage them to join through targeted advertisements.

Facebook has a history of data breaches, the most prominent being the Cambridge Analytica scandal reported in 2018. A now-defunct British political consulting firm harvested Facebook data through a third-party app, "thisisyourdigitallife," hosted on Facebook's platform. The app obtained profile information from the 87 million users who took a personality quiz and from their friends' profiles. The harvested data included users' likes, activities, and locations, which were used to construct psychological profiles. Cambridge Analytica used these profiles to target individuals with pro-Trump content on behalf of the Trump campaign, which had hired the firm; how much this targeting influenced the outcome of the 2016 US presidential election remains disputed. Although Facebook asked Cambridge Analytica to delete the harvested data in 2015, it failed to verify that the deletion happened, and raw copies of the data were still accessible online in 2018. For the improper handling of user data, the Federal Trade Commission imposed a $5 billion fine on Facebook, and Facebook later paid $725 million to settle a lawsuit by users who alleged that the company had violated federal and state laws by letting third parties harvest their data without permission.

In a separate incident, the personal information of 533 million users, including phone numbers and email addresses, was scraped from Facebook in 2019 by abusing a contact-import feature and was posted in full on a low-level hacking forum in April 2021. Facebook did not notify the affected users and offered no adequate plan to address the exposure, which reflected insufficient concern for its users' privacy and security.

In addition, Facebook Messenger does not enable end-to-end encryption (E2EE) by default for private messages, so sensitive information exchanged between users is readable on Facebook's servers. Many social media apps do not offer E2EE because it prevents server-side features such as message search and content scanning. Apps must also comply with applicable laws and regulations, under which law enforcement may demand access to user data to protect users from cybercriminals and other threats; E2EE limits what the provider can hand over.

Given Facebook's history of privacy concerns and data breaches, users can take several steps to protect their personal information. Audit connected apps and games and remove any that are unnecessary to limit data sharing. Manage Off-Facebook Activity and disable facial recognition and location services in the settings. Disable photo tagging, limit pixel tracking by avoiding sites that embed it and using a reliable ad blocker, and opt out of personalized ads. Review settings and permissions, and decline cookies and permissions that would compromise privacy. Private browsing also helps, but only partially: it discards cookies at the end of the session, whereas pixels still fire on every page load and Conversions API data is sent from the website's server, outside the browser's control.

Instagram

Instagram is an online social network service that primarily enables photo and video sharing. Its creators, Kevin Systrom and Mike Krieger, launched the app in 2010. Systrom, a former Google employee and Stanford University graduate, developed the initial app called Burbn, which was named after his fondness for bourbon and whiskey. Upon securing funds, Systrom brought in Krieger, a fellow Stanford University graduate with prior experience developing the social media app Meebo. Together, they revamped the Burbn concept and rebranded it as Instagram. Today, Instagram is owned by Meta Platforms, the parent company of Facebook, and is the world's fourth largest social media app.

As a subsidiary of Meta, Instagram gathers significant amounts of user data, including personal information, photos and videos, financial data, metadata, user activities within the app, and data from other Meta products and services. Instagram also collects facial recognition data, geolocation data (e.g., GPS location), and device details (e.g., device identifiers, battery level, installed apps, operating system, IP address, and mobile carrier). Combined with Wi-Fi access point, GPS, and Bluetooth beacon data from the phone, this allows Instagram to determine a user's precise location.

Furthermore, numerous user reports claim that Instagram uses the phone's microphone to eavesdrop on conversations, because advertisements for products or places that were never searched for appeared shortly after being mentioned aloud. When asked about this in an interview, Adam Mosseri, head of Instagram, dismissed the notion that Instagram listens to private conversations and attributed the phenomenon to "dumb luck." The more plausible explanation is the comprehensive data collection by Instagram, Facebook, and Meta, which builds precise user profiles and tailors advertisements to inferred preferences. Although there is no credible evidence that Facebook or Instagram listens to users' private conversations, the persistence of these reports reflects legitimate privacy concerns.

Like Facebook, Instagram uses the Meta Pixel and Conversions API to gather data on users and non-users outside the app. Instagram also collects cookies and browsing history across a user's devices, which create or enrich user profiles in Meta's database and drive targeted advertising in Instagram feeds. Facial recognition is used to suggest photo tags within the app. All of this collection and tracking occurs because users typically agree to Instagram's policies without reading them, trading privacy and security for convenience. Per its policies, Instagram shares user data with business partners and third parties, much like Facebook. Because Meta also owns Facebook and Messenger, user data flows between these apps: information that business partners collect on Facebook's behalf, and data from any application that lets users sign in with a Facebook account, is available to Instagram as well. These apps use such data to build more specific user profiles and to target advertising at particular interests.

Instagram has experienced several data exposures over the years. In May 2019, an unprotected Amazon Web Services server belonging to Chtrbox, a social media marketing company, exposed 49 million accounts, including contact information such as email addresses and phone numbers as well as account descriptions and data. In August 2020, an unsecured database of 235 million profiles scraped from Instagram, TikTok, and YouTube was exposed online; about 100 million of the profiles were Instagram accounts and contained names, phone numbers, email addresses, and profile statistics. The data had been collected by Deep Social, a third party that Facebook banned in 2018 for scraping user data in violation of its policies. In January 2021, a cloud misconfiguration at SocialArks, a Chinese social media management startup, exposed an unsecured Elasticsearch database containing personally identifiable information (PII) of 214 million users across Facebook, Instagram, and LinkedIn. Additionally, like Facebook Messenger, Instagram direct messages are not end-to-end encrypted by default, leaving sensitive information in private messages exposed.

Given the amount of user data collected by Instagram and its associated privacy concerns, users may adopt several recommendations to safeguard their information. One recommendation is restricting Instagram's access to location services by disabling location permission on the app. Users may also adjust privacy settings on the app to control what information they share with Instagram and other third-party entities. For example, users may restrict data collection by controlling ad activity and deleting unnecessary information and contacts from their security settings.

Twitter

Twitter is a microblogging app for short messages called "tweets" and has significantly shaped contemporary culture and politics. It emerged from Odeo, a podcasting company created by Evan Williams, Biz Stone, and Noah Glass in 2004. Odeo changed direction in 2005 when Apple announced that it would add podcasting to iTunes. Jack Dorsey, an Odeo engineer, proposed a short message service (SMS) for sharing small blog-like posts, and Glass proposed the name "Twttr." The completed version was released in 2006 as "Twitter." In 2022, entrepreneur Elon Musk acquired Twitter for $44 billion, and Twitter was merged into X Corp. in 2023. Twitter ranks 14th among social media apps in use today.

Twitter gathers an extensive range of user information: login details, phone numbers, email addresses, metadata, and activity on Twitter, including direct messages. It also collects device information (e.g., IP address, browser type, language, operating system, mobile carrier, and device and application identifiers), referring web pages, access times, pages visited, search terms and IDs (including searches typed but never submitted), advertisements shown to the user, Twitter-generated identifiers and identifiers associated with cookies, and location data derived from GPS, browsing history, cookies, advertisement interactions, and third-party websites.

Moreover, Twitter collects user data beyond its own app using cookies and browsing history. This includes information shared by business partners such as advertisers, who provide data to Twitter to customize the advertisements and content shown to users. Twitter also offers its own branded website tag, the Twitter Pixel, which tracks user actions and behaviors, and its own Conversion API, which lets websites share data with Twitter over a server-to-server connection to support Twitter advertising campaigns.

The security and privacy of Twitter users are at risk from several known weaknesses, including broad employee access to user data, weak internal privacy controls, and unencrypted direct messages. The access problem was demonstrated in 2020 when a teenager took over some of the most prominent accounts on the app after phishing Twitter employees to gain access to internal administrative tools. Additionally, Twitter was fined $150 million in 2022 for misrepresenting its privacy practices: it had collected phone numbers and email addresses for security purposes, such as two-factor authentication, and then used them to let advertisers target those users.

In January 2023, it was reported that records for 235 million Twitter accounts, together with the email addresses used to register them, had been posted to an online hacking forum. This exposure lets anonymous handles be linked to real-world identities, and threat actors can use the email addresses to attempt password resets and account takeovers, particularly against accounts without multi-factor authentication. The underlying flaw in Twitter's systems allowed anyone who submitted an email address or phone number to learn which account, if any, it was linked to, for every user who had shared that contact information with the app. Twitter said it learned of the vulnerability in January 2022 through its bug bounty program and fixed it; in July 2022 it confirmed that the flaw had been exploited after threat actors offered 5.4 million account handles with associated emails and phone numbers for sale. It is possible that the dataset of more than 200 million accounts was assembled through the same flaw. At the time of this writing, Twitter had not commented on the latest exposure or announced any action in response.
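The flaw above belongs to a well-known class: a contact-discovery endpoint that answers "which account owns this email or phone number?" becomes an enumeration oracle when it ignores the user's discoverability setting, distinguishes unknown addresses from known ones, or accepts unlimited queries. The following is an added example, not Twitter's code; it places a deliberately enumerable lookup beside a hardened one. The directory, handles, and the `ContactDiscovery` class are hypothetical, constructed for illustration.

```python
"""Contact-discovery lookup: an enumerable design beside a hardened one.

Added illustration, not Twitter's code. DIRECTORY is constructed sample data;
the boolean models a user's "let others find me by email" setting.
"""
from collections import defaultdict, deque

# Constructed directory: email -> (handle, discoverable_by_email)
DIRECTORY = {
    "alice@example.test": ("@alice", True),
    "bob@example.test": ("@bob_private", False),
}


def lookup_vulnerable(email):
    """Answers for every address on file regardless of the user's setting,
    and distinguishes 'no such user' from 'found'. Fed a list of leaked
    addresses, it links them to handles at whatever rate the caller likes."""
    entry = DIRECTORY.get(email.lower())
    if entry is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": entry[0]}


class ContactDiscovery:
    """Hardened lookup: honours the discoverability setting, returns one
    indistinguishable response for unknown and opted-out addresses, and
    rate-limits each client with a sliding window."""

    def __init__(self, limit=5, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client_id -> request timestamps

    def _allowed(self, client_id, now):
        q = self._hits[client_id]
        while q and now - q[0] >= self.window:   # drop expired entries
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def lookup(self, client_id, email, now):
        """`now` is injected (seconds) so the limiter is testable offline."""
        if not self._allowed(client_id, now):
            return {"status": "rate_limited"}
        entry = DIRECTORY.get(email.lower())
        if entry is not None and entry[1]:
            return {"status": "ok", "handle": entry[0]}
        return {"status": "ok"}  # identical whether unknown or opted out


if __name__ == "__main__":
    cd = ContactDiscovery(limit=3)
    for addr in ("alice@example.test", "bob@example.test", "nobody@example.test"):
        print(addr, lookup_vulnerable(addr), cd.lookup("client-1", addr, now=0))
```

The hardened version still leaks one bit for opted-in users, which is by design: discoverability is what those users chose. What it removes is the ability to confirm that an opted-out or unknown address exists, and the ability to sweep a leaked address list at scale; in production the per-client limit would be keyed on an authenticated identity, not on an easily rotated IP address.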

Given the range of privacy and security concerns regarding Twitter, users are advised to consider adjusting their privacy settings and permissions to limit the data collected by Twitter, including controlling personalized ads to minimize data collection. Another way to limit the amount of data collected is by using the app without logging in or browsing in incognito mode, which can help decrease the data collection processes.

TikTok

TikTok, a social media app for creating, sharing, and watching short videos, started as three different apps. The first, Musical.ly, launched in Shanghai in 2014 and built a strong market presence. In 2016, the Chinese technology company ByteDance launched Douyin, a similar app that gained traction in China and Thailand. Wanting to expand internationally under a different brand, TikTok, ByteDance bought Musical.ly in 2018 and merged it into what is now TikTok. TikTok was the most downloaded app of 2022 and is currently the sixth largest social media app worldwide.

TikTok collects extensive data on both users and non-users. Collection begins as soon as someone opens the app or website on a smartphone, tablet, or computer. Through cookies and trackers, TikTok collects location, IP address, search history, message contents, device identifiers, and interactions with advertisements. Once an account is created, TikTok tracks the videos watched to infer activities and interests. It also collects biometric information (i.e., faceprints and voiceprints) and personal information (e.g., email address, phone number, date of birth, and metadata). TikTok has also been observed reading the contents of the device clipboard. Furthermore, TikTok has been reported to read contacts and calendars hourly, to collect device information such as operating system, location, battery, and device characteristics, and to record keystroke patterns and rhythms, to scan device storage, and to enumerate the applications installed and running on the device. TikTok uses this data to infer each user's age range, gender, and interests and to build a profile for targeted advertisements and personalized content.

TikTok's data collection methods stand out among social media apps. Links opened in TikTok load in its in-app browser with no option to hand off to the device's default browser, and an analysis using the InAppBrowser.com tool found that this in-app browser injects JavaScript into third-party web pages that can capture keyboard input and screen taps, the behavior of a keylogger. TikTok also takes an aggressive approach to permissions, repeatedly prompting users to grant a long list of them and limiting functionality until they agree. Like other platforms, TikTok offers its own branded pixel, the TikTok Pixel, which collects data on users and non-users outside the app: websites use it to report clicks, downloads, cart additions, purchases, and payment information, among other events, to TikTok. TikTok also has its own conversion API (the Events API), through which partners and third parties send selected event data to TikTok server-to-server. TikTok uses the data collected through these tools to build a comprehensive profile of each user, which drives targeted advertisements and the personalized content of its algorithmic "For You Page," a feed built from the user's views and interests. TikTok's business partners are also granted access to this data to market their products and services to TikTok users.

TikTok has a history of alleged breaches and vulnerabilities. In September 2022, a threat actor known as "AgainstTheWest" claimed to have breached TikTok; the company disputed the claim and stated that no breach had occurred. Shortly before, in August 2022, Microsoft disclosed a high-severity vulnerability in TikTok's Android app that could have allowed an attacker to take over a user's account with a single click. By exploiting the flaw, an attacker could load an arbitrary URL into the app's WebView and reach the JavaScript bridges the app exposes to that WebView, gaining access to sensitive user information. The flaw was fixed, but it could have exposed users' personal and sensitive data, including private videos and messages. Furthermore, TikTok does not offer E2EE, leaving private messages between users readable by the platform.
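The WebView issue above is an instance of a general problem: an app loads a URL it received from outside (a deep link, a notification, an intent) into a WebView that has JavaScript bridges attached, and its check that the URL points at its own domain is bypassable. The following is an added example, not TikTok's code or Microsoft's analysis, showing the substring check that such bugs typically get past beside a strict allowlist on the parsed host. The `example.com` hosts are hypothetical, and the case list is constructed; the checker is plain Python so it runs anywhere, but the logic is what the app's native code would run before calling `loadUrl`.

```python
"""Allowlisting a URL before loading it into a WebView with a JavaScript bridge.

Added illustration, not TikTok's code. The allowed hosts are hypothetical.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com", "m.example.com"}  # hypothetical
ALLOWED_SUFFIXES = (".example.com",)   # trusted subdomains; note the leading dot


def naive_allows(url):
    """The substring check that arbitrary-URL bugs typically slip past."""
    return "example.com" in url


def strict_allows(url):
    """Accept only https URLs whose parsed host is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":          # rejects http, javascript:, file:, intent:
        return False
    # A backslash is treated as a slash by browsers but not by many parsers,
    # and userinfo ('trusted.host@evil') hides the real host; neither belongs
    # in a deep link, so reject outright rather than try to normalise.
    if "\\" in parts.netloc or "@" in parts.netloc:
        return False
    host = parts.hostname                        # lowercased, port stripped
    if not host:
        return False
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)


# Constructed cases: (url, should_load). The first three are legitimate deep
# links; the rest are common ways of smuggling an attacker-controlled origin.
CASES = [
    ("https://www.example.com/feed", True),
    ("https://m.example.com/video/1", True),
    ("https://EXAMPLE.COM/", True),
    ("http://www.example.com/", False),                         # downgrade
    ("https://www.example.com.evil.test/", False),              # prefix lookalike
    ("https://evil.test/?next=https://www.example.com", False),  # trusted host in query
    ("https://www.example.com@evil.test/", False),              # userinfo trick
    ("https://www.example.com\\@evil.test/", False),            # backslash confusion
    ("javascript:alert(document.cookie)//example.com", False),  # scheme abuse
]


def evaluate(cases=CASES):
    """Return {url: (naive_result, strict_result)} for the case list."""
    return {url: (naive_allows(url), strict_allows(url)) for url, _ in cases}


if __name__ == "__main__":
    for url, expected in CASES:
        naive, strict = evaluate()[url]
        print(f"{'OK ' if strict == expected else 'BAD'} naive={naive!s:<5} "
              f"strict={strict!s:<5} {url}")
```

Two points carry over to the real Android code. The check must run both before the initial `loadUrl` and inside `shouldOverrideUrlLoading`, because a redirect from an allowed page can land the WebView on a foreign origin that still has the bridge attached. And the bridge itself should be the last line of defense: methods exposed through `addJavascriptInterface` should verify `WebView.getUrl()` against the same allowlist before returning anything sensitive.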

TikTok has faced multiple lawsuits and fines for unlawfully collecting data on children under 13 without parental consent, including names, email addresses, and locations. In February 2021, the company agreed to a $92 million settlement, one of the largest privacy settlements to date, over allegations of unlawful data collection covering about 89 million US users, including minors, some as young as six. Additionally, the company has confirmed that some of its China-based employees can access certain information on US users, while stating that it is working with the US government to strengthen security around sensitive data.

TikTok's data collection and the possibility that this data is shared with the Chinese government have raised concerns and prompted bans on the app. The storage of TikTok data in locations accessible from China adds to these concerns, because Chinese companies are legally obliged to cooperate with state intelligence work under China's National Intelligence Law. In response, the US government prohibited TikTok on all federal government devices, and lawmakers have debated a nationwide ban.

In January 2023, Governor Murphy of New Jersey released a cybersecurity directive that prohibits using high-risk software and services, including TikTok, on devices managed by the State. The directive was accompanied by a Joint Circular from various state departments that prevents the procurement, acquisition, installation, and usage of software and services from certain technology vendors.

As of April 2023, at least 34 state governments, including Texas, Pennsylvania, Florida, Alabama, and Louisiana, had banned TikTok on state-managed devices, and other states had proposed similar measures. Outside the United States, TikTok has been banned or restricted by countries and bodies including India, Bangladesh, Indonesia, Pakistan, Afghanistan, Iran, the European Union, Canada, Australia, Belgium, Denmark, France, Latvia, the Netherlands, New Zealand, the United Kingdom, Taiwan, and Norway. These actions were taken to protect the confidentiality, privacy, and safety of both the public and government institutions.

[Image omitted from this copy. Image source: Wikipedia]

To limit data collection on TikTok, users are advised to restrict the permissions granted to the app and to clear its cache and cookies regularly, which erases in-app search history and browsing data. Users should also limit the personal information on their profiles and avoid sharing sensitive details such as a phone number or email address. A Virtual Private Network (VPN) encrypts the connection and hides the device's IP address and approximate location from TikTok, but it does not stop the data the app itself collects from the device and from in-app activity.

LinkedIn

LinkedIn, a social networking app for professionals, was founded in 2002 by a group including venture capitalist Reid Hoffman, marketing professional Konstantin Guericke, and engineers Eric Ly and Jean-Luc Vaillant. The app lets users find career opportunities, connections, and jobs, and as it grew it allowed companies to advertise and post job listings. Microsoft acquired LinkedIn for approximately $26 billion in 2016, and the app has since grown globally. Today, LinkedIn is one of the largest social networking apps, with 300 million monthly users.

In accordance with its policies, LinkedIn collects various types of data from its users, including information provided when creating an account, such as name, email address, mobile phone number, and password, and optional financial information for premium subscriptions. Like other apps, LinkedIn collects what users add to their profiles, such as personal information, photos, education, work experience, skills, city area, endorsements, calendars, and contacts. Demographic data and salary information are collected when users take surveys, fill out job applications, or submit resumes through the app. When permitted in the settings, LinkedIn also collects public news, comments, and posts related to users, as well as personal data, including job titles and work email addresses, from LinkedIn partners (e.g., employers and applicant tracking systems that process job applications).

LinkedIn gathers usage data, including browsing history, cookies, device information, and IP addresses, for identification and app improvement. Like other social media sites, LinkedIn uses pixels and ad tags, similar to cookies, to collect information on and off the app for targeted ads and user insights when users opt in. Its own branded pixel and conversion API, the LinkedIn Insight Tag, helps website owners optimize campaigns, retarget visitors, and gather insights into their behavior. With permission, LinkedIn also obtains location and GPS data from users' mobile devices. Additionally, the app collects data on other websites that users visit while logged in to or applying for positions through LinkedIn, to personalize the experience and improve its services. LinkedIn uses the collected data to connect colleagues, partners, clients, and professionals, and to keep users informed about news, events, professional topics, and related careers and job opportunities. Premium subscribers can search for and contact other members, including job candidates, sales leads, and co-workers, and can manage talent and promote content through social media channels.

LinkedIn allows users the option to manage the visibility of their profiles by manually modifying their account privacy settings. Depending on the settings, certain information such as activity history, group membership, shared information with companies, followed accounts, and profile viewers may be visible to members and third-party search engines. Users may also choose to share archived messages with their clients or employers. In addition, LinkedIn may share user data with affiliated services and combine information from multiple services. Third-party service providers may access user data for maintenance, audit, and payment purposes. Third parties may also access private messages between members, as LinkedIn does not provide E2EE. In the event of a legal request, LinkedIn may share personal data, and user data may be disclosed in the event of a sale, merger, or acquisition.

In recent years, LinkedIn has experienced data exposures affecting users' personal information. One notable incident in June 2021 involved data on roughly 700 million people, about 92 percent of LinkedIn's users at the time. A hacker posted the dataset on a popular hacking forum; it included email addresses, full names, phone numbers, physical addresses, geographical records, LinkedIn usernames and profile URLs, personal and professional backgrounds, genders, and other social media accounts, and samples were confirmed to be authentic and current. LinkedIn stated that the data was scraped from LinkedIn and aggregated with data from other websites rather than obtained through a breach of its systems, but it did not dispute that the information had been harvested. Although no financial records or login credentials were exposed, users remain at risk of identity theft, phishing, social engineering, and account compromise, because threat actors can assemble complete profiles from the exposed data.

LinkedIn users are advised to limit the information they provide on the app by adjusting their privacy settings and to exercise caution when granting permissions or sharing data with affiliated services or third-party providers. While LinkedIn states that it protects user privacy and shares data only as permitted by applicable laws and regulations, users should still take their own measures to safeguard their personal information.

YouTube

Chad Hurley, Steve Chen, and Jawed Karim created YouTube on February 14, 2005, as a simple way to share experiences through digital video worldwide, since no dependable online video-sharing service existed at the time. That same year, Google Inc., the American search engine company, launched its own video-sharing service, Google Video. Google Video failed to gain traction, prompting Google to acquire YouTube for $1.65 billion in stock in November 2006. Instead of merging the two sites, Google let YouTube continue operating as an independent platform. To address copyright concerns, Google established partnerships with several entertainment companies that permitted their copyrighted video content to appear on YouTube, and YouTube users were allowed to include specific copyrighted songs in their videos without facing legal action. Today, YouTube is the second largest social media platform worldwide and the second most used search engine after Google.

Per Google's privacy policy, YouTube collects a range of user data, including basic information (the user's language preference, location, and device details) and personal information provided by the user when creating a Google account (name, password, phone number, and financial information). Any content a user creates, uploads, or receives through Google services is collected, including emails, photos, videos, and YouTube comments. Information about a user's activity within Google services is collected, including search terms, videos watched, interactions with content and ads, voice and audio data, purchase history, and activity on third-party sites and apps that use Google services. The user's location is also collected, determined by GPS, IP address, and activity on Google services, as well as information about nearby locations. Furthermore, YouTube collects information from publicly accessible sources, such as news articles, and from trusted partners, such as directory services and marketing partners. Moreover, Google collects and preserves user information using various technologies, including cookies, pixel tags, conversion APIs, local storage (such as browser web storage or application data caches), databases, and server logs.

Google shares personal information with third parties in several ways. For instance, when users are affiliated with organizations, their domain administrators may access their Google account information. Additionally, Google may disclose users' account information to comply with applicable laws, regulations, or governmental requests. Google also shares personal information with trusted business partners, such as other services that help operate its data centers, products, and services and that support users. Moreover, Google may share personal information with advertisers or developers for specific advertising purposes. In the event of a merger, acquisition, or sale of assets, Google states that it maintains the confidentiality of users' personal information and provides notice to affected users before transferring their personal information or subjecting it to a different privacy policy.

Despite being a prominent and technologically advanced entity, Google has encountered various vulnerabilities and data breaches. For example, in March 2018, Google discovered a vulnerability in its Google+ API that allowed third-party developers to access users' personal data, including their names, email addresses, occupations, and ages. This breach affected approximately 52.5 million Google+ users. While Google addressed the issue in November 2018, the company only disclosed the incident publicly a few months later. This occurrence marks the second significant data breach to take place on Google+. Google and its subsidiary YouTube have also been involved in privacy violations in the past. The US Federal Trade Commission fined YouTube $170 million in 2019 for gathering personal information on children under the age of 13 without parental consent, violating the Children's Online Privacy Protection Act. Google was found to have benefited considerably from these data collection tactics. Although YouTube has vowed to restrict data gathering on child-directed videos, it plans to continue with targeted advertisements. Another privacy violation resulted in a $391.5 million settlement between Google and 40 US states following an investigation into the company's tracking of users' locations, even after they had opted out of such tracking. The investigation was launched in response to a 2018 report by the Associated Press that revealed Google's continued collection of users' location data despite the "location history" feature being disabled. This case raised concerns about privacy and surveillance. Since then, Google has stated that it is committed to improving transparency about its location tracking practices and giving users greater control over their data.

Users are advised to take several steps to protect their privacy while using YouTube and other Google services. Privacy settings may be adjusted to opt out of certain information being collected, such as search terms or watch history. Users may change or delete the personal information they provided to Google, such as their name, password, and financial information. Additionally, users may opt out of location tracking to prevent Google from collecting information about their physical location. Finally, users may manage their search and watch history on YouTube to reduce the amount of data being collected.

Reddit

Reddit is a social news app where users, also known as Redditors, can create accounts, share content, and leave comments on others' posts. The website was founded in 2005 by Steve Huffman and Alexis Ohanian, who received $100,000 in funding from Y Combinator, a start-up accelerator that provides resources and funds to early-stage companies. In 2006, the site was sold to Condé Nast Publications for $20 million and became a subsidiary of Advance Publications. Reddit became an independent company again in 2011 with Yishan Wong as CEO. Ellen Pao succeeded Wong as CEO and was followed in 2015 by Steve Huffman, who still holds the position. Currently, Reddit is ranked as the 16th largest social media app worldwide.

Reddit collects a wide range of personal information on its users, including users' account names (not necessarily their real names) and the email addresses used to create an account. Additionally, Reddit collects data provided by the user, such as their interests, bio, gender, age, location, or profile picture. The app records users' preferences and settings. Reddit also collects data on the content that a user submits, which includes videos, text, links, images, and audio. The app tracks user activity, such as likes, upvotes, saves, reports, follows, blocks, communities joined, subscriptions, and moderator status. Furthermore, Reddit may collect users' financial information when they purchase products or services, such as Reddit Premium or Reddit Coins, which may include name, address, email address, phone number, and details of purchased items. The app may gather public blockchain addresses, such as those associated with acquiring an NFT or creating a Reddit Vault. In addition, Reddit collects any other details that users provide when filling out a form, participating in a Reddit-sponsored activity, applying for a job, or seeking customer support.

Reddit automatically collects log information when users access its services, such as IP address, user-agent string, browser type, operating system, referral URLs, device information (such as device IDs and device settings), mobile carrier name, pages visited, links clicked, the requested URL, and search terms. Reddit also utilizes cookies to personalize content and advertisements for users. If a user chooses to share their location with Reddit, the app can determine their location based on their IP address. Similarly, Reddit employs its own Reddit Pixel and conversion API (CAPI) to obtain user data from third parties and business affiliates. Reddit collects and utilizes user data to improve its app and to personalize services, content, and features to align with user activities, preferences, and settings. Furthermore, the data is used to ensure the safety of Reddit's user community by preventing spam, addressing abuse, and enforcing policies. The information is also utilized to optimize and measure the effectiveness of ads displayed on the app, develop new services through research, and analyze trends, usage, and activities concerning its services.

Under Reddit's policy, certain information pertaining to users is publicly available, such as their username, karma, awards received, trophies earned, moderator status, Reddit Premium status, and length of membership. However, Reddit may share additional user information in various ways, including with the user's consent, through third-party services when a user links their Reddit account, and with vendors or service providers who require access to user data to carry out work for Reddit. Like many apps, Reddit does not offer end-to-end encryption (E2EE) for its messaging services. Additionally, Reddit may disclose user information in response to applicable laws or governmental requests, in emergencies where harm to a person may be prevented, and to enforce Reddit policies. Furthermore, Reddit shares user information among affiliated companies but states that it does not sell personal information, and the app maintains confidentiality and security measures to safeguard user data shared with vendors and service providers.

In February 2023, Reddit was the victim of a cyberattack in which threat actors gained access to the company's internal business systems, stealing internal documents and source code. The threat actors used a phishing technique targeting Reddit employees, with a landing page that mimicked the company's intranet site to steal credentials and multi-factor authentication tokens. One employee fell for the ploy, allowing the threat actors to breach internal Reddit systems and access data and source code. The stolen data included limited contact information for company contacts and employees and some details about the company's advertisers. However, no credit card information, passwords, or ad performance data was accessed. Reddit stated that there was no indication that the threat actors breached the production systems used to run the website.
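The Reddit incident above turned on a second factor that could be captured on a lookalike page and reused. The following added illustration (not Reddit's code, not the WebAuthn reference implementation, and not part of this report) mimics the shape of a WebAuthn/FIDO2 assertion check to show why an origin-bound factor resists that relay: the authenticator signs the relying-party ID hash together with client data naming the page origin, so a response produced on a lookalike domain fails verification. The hostnames, user names and keys are constructed, and HMAC with a per-credential key stands in for the real public-key signature.

```python
"""Origin-bound MFA check, simplified after WebAuthn (added illustration).

Constructed stand-in: hostnames, users and keys are made up, and HMAC with a
per-credential secret replaces the real asymmetric signature. Real browsers
additionally refuse to produce an assertion when the page origin does not
belong to the requested rpId; this model relies on the server-side check.
"""
import hashlib
import hmac
import json
import os

RP_ID = "intranet.example.com"                 # constructed relying party
ALLOWED_ORIGINS = {"https://intranet.example.com"}


class Authenticator:
    """Stand-in for a security key: holds one credential key and signs challenges."""

    def __init__(self, credential_key: bytes):
        self._key = credential_key

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str) -> dict:
        # Client data is built by the browser and records the page origin,
        # which is what makes the response unusable from a lookalike site.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {
            "client_data": client_data,
            "auth_data": auth_data,
            "signature": hmac.new(self._key, signed, hashlib.sha256).digest(),
        }


class RelyingParty:
    """Server side: issues one-time challenges and verifies assertions."""

    def __init__(self, rp_id: str, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self._pending = {}
        self._credentials = {}

    def register(self, user: str, credential_key: bytes) -> None:
        self._credentials[user] = credential_key

    def begin_login(self, user: str) -> bytes:
        challenge = os.urandom(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, assertion: dict):
        challenge = self._pending.pop(user, None)      # single use: blocks replay
        if challenge is None:
            return False, "no pending challenge"
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != challenge.hex():
            return False, "challenge mismatch"
        if cd.get("origin") not in self.allowed_origins:
            return False, f"origin {cd.get('origin')} not allowed"
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpId hash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self._credentials[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def demo():
    """Genuine login succeeds; the same ceremony on a lookalike origin is refused."""
    key = os.urandom(32)
    rp = RelyingParty(RP_ID, ALLOWED_ORIGINS)
    rp.register("alice", key)
    token = Authenticator(key)

    ch = rp.begin_login("alice")
    ok_real, _ = rp.verify("alice", token.get_assertion(RP_ID, ch, "https://intranet.example.com"))

    # A one-time code typed into a lookalike page carries no origin and would
    # verify; an origin-bound assertion from that page does not.
    ch = rp.begin_login("alice")
    ok_fake, why = rp.verify("alice", token.get_assertion(RP_ID, ch, "https://intranet-example.com"))
    return ok_real, ok_fake, why


if __name__ == "__main__":
    print(demo())
```

The design point is that the server never has to recognise the lookalike domain; it only accepts origins it owns, and the single-use challenge means a captured assertion cannot be submitted twice.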

Users may reduce the data collected by controlling the linked services connected to their accounts. They may adjust their privacy settings to opt out of targeted advertisements, adjust cookies to reject third parties, and select the "do not track" option. Users may further adjust their privacy settings regarding location information, phone notifications, and communications from Reddit to limit the amount of personal data shared with the app.

Snapchat

Snapchat is an instant messaging application that permits users to send temporary photos, videos, and text messages to individuals or groups, which disappear after a brief period. The app was developed by Evan Spiegel, Bobby Murphy, and Reggie Brown, former Stanford University students, as a mobile-first app emphasizing user interaction with virtual stickers and augmented reality objects. In 2011, they created the initial version of Snapchat, called Picaboo, to send photos that would disappear, but they soon discovered that users could take screenshots on their iPhones, defeating the disappearing effect. To address this, they added a notification feature that alerts users when someone takes a screenshot of their message. Later that year, they rebranded the app as Snapchat, added captioning features, and relaunched it in the iOS App Store. Snapchat currently ranks as the 10th largest social media app globally and is particularly popular among younger generations.

As outlined in Snapchat's privacy policy, the app collects personal information from users when they create an account, which includes name, email address, phone number, username, password, date of birth, and avatar image. The app may collect credit or debit card information when users make purchases. Furthermore, Snapchat tracks user activity, including filter usage, story viewing, and advertisement interaction. The app also collects information about a user's device (i.e., the hardware model, operating system version, device memory, advertising identifiers, unique application identifiers, apps installed, unique device identifiers, browser type, language, battery level, and time zone), as well as data from device sensors (i.e., accelerometers, gyroscopes, compasses, microphones, and connected headphones), wireless and mobile network connections (i.e., mobile phone number, service provider, IP address, and signal strength), and precise location data with permission using methods that include GPS, wireless networks, cell towers, Wi-Fi access points, and other sensors, such as gyroscopes, accelerometers, and compasses.

Moreover, Snapchat obtains access to users' contact lists and device camera rolls (videos and pictures). It utilizes web technologies (cookies and other technologies, such as web beacons, web storage, and unique advertising identifiers, that collect information about users' activity, browser, and device) to gather data on browsing and app usage behaviors. Like other social media apps, Snapchat offers its branded pixel, Snap Pixel, and its own conversion APIs to third-party entities and businesses to gather information about users' behaviors and activities in order to personalize advertisements and improve the application's functionality. Furthermore, information may be shared between Snap Inc.'s affiliated companies, advertising partners, and third parties. Data is typically gathered from three sources: user-provided information, information collected while using Snapchat, and information obtained from third-party sources owned by Snap Inc.
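The pixel, conversion API, cookie and server-log mechanisms named in the YouTube, Reddit and Snapchat sections above all surface in network traffic the same way: a request from the user's device to a host that is not the site being visited, often with event names and identifiers in the query string. The following added example (not code from any of these vendors or from this report) audits constructed proxy log lines for that traffic and summarizes which third-party hosts received which parameters. The hostnames, log format, path patterns and the hashed value in the `em` parameter are all constructed for the illustration; real trackers use their own endpoints.

```python
"""Flag third-party tracking traffic in proxy log lines (added illustration).

Everything here is constructed: the log format, the hostnames and the
endpoint heuristics. The heuristics are generic (short beacon-style paths,
tiny responses typical of 1x1 pixels, POSTs to a conversion-style path),
not any vendor's published endpoint list.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample of one browsing session as a forward proxy might log it.
# Format (constructed): <client-ip> <method> <url> <referer> <status> <bytes>
# The "em" value is md5("hello"), standing in for a hashed email address.
SAMPLE_LOG = """\
10.0.0.5 GET https://shop.example/products/shoes - 200 18231
10.0.0.5 GET https://shop.example/static/app.js https://shop.example/products/shoes 200 9120
10.0.0.5 GET https://tracker-a.example/tr?id=12345&ev=PageView&dl=https%3A%2F%2Fshop.example%2Fproducts%2Fshoes https://shop.example/products/shoes 200 43
10.0.0.5 POST https://tracker-b.example/p?ev=ViewContent&em=5d41402abc4b2a76b9719d911017c592 https://shop.example/products/shoes 200 35
10.0.0.5 GET https://shop.example/api/cart - 200 410
10.0.0.5 POST https://tracker-a.example/v1/conversions https://shop.example/checkout 200 0
"""

FIRST_PARTY = "shop.example"                       # the site the user meant to visit
PIXEL_PATH = re.compile(r"^/(tr|p|pixel|px|beacon|collect)(/|$)")
CONVERSION_PATH = re.compile(r"/conversions?(/|$)")
TINY_RESPONSE_BYTES = 100                          # a 1x1 GIF is a few dozen bytes


@dataclass
class Finding:
    host: str
    kind: str                        # "pixel" or "conversion-api"
    event: Optional[str]
    params: List[str] = field(default_factory=list)   # query parameter names sent


def parse_line(line: str):
    client, method, url, referer, status, size = line.split()
    return client, method, url, referer, int(status), int(size)


def is_third_party(host: str, first_party: str = FIRST_PARTY) -> bool:
    return not (host == first_party or host.endswith("." + first_party))


def classify(method: str, url: str, size: int) -> Optional[Finding]:
    """Return a Finding for a third-party beacon/conversion request, else None."""
    parts = urlsplit(url)
    if not is_third_party(parts.hostname or ""):
        return None
    query = parse_qs(parts.query)
    event = (query.get("ev") or [None])[0]
    if method == "POST" and CONVERSION_PATH.search(parts.path):
        return Finding(parts.hostname, "conversion-api", event, sorted(query))
    if PIXEL_PATH.match(parts.path) or size <= TINY_RESPONSE_BYTES:
        return Finding(parts.hostname, "pixel", event, sorted(query))
    return None


def audit(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, method, url, _, _, size = parse_line(line)
        found = classify(method, url, size)
        if found:
            findings.append(found)
    return findings


def summarize(findings: List[Finding]):
    """Map each third-party host to the set of parameter names it received."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).update(f.params)
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind:15} {f.host:20} event={f.event} params={f.params}")
    print(summarize(audit(SAMPLE_LOG)))
```

On the sample, the first-party requests are ignored, the two short beacon requests are reported with their event names, and the conversion-style POST is reported even though its request has no query string, which is the case a size-only heuristic would miss. Blocking the third-party hosts at the resolver or proxy, or rejecting their cookies in the browser, is the user-side counterpart of the settings changes recommended in this report.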

Snapchat has a track record of privacy and security issues. Like other social media apps, Snapchat does not offer E2EE for private messages between users, thereby exposing them to various risks. Moreover, according to reports in 2018, a government official from Dorset in the UK notified Snapchat that a phishing website, klkviral[.]org, contained a publicly available list of usernames and passwords for 55,851 Snapchat accounts. Although not all the credentials were valid, some were publicly available for an unspecified amount of time. The attack was initiated through a link sent to users from a compromised account, which directed them to a phishing website that mimicked the Snapchat login screen. The timing of the phishing attack is unknown, but several apps began flagging klkviral[.]org. Snapchat states that it uses machine-learning techniques to identify suspicious links sent within the app and actively blocks thousands of suspicious URLs each year.

In May 2019, there were reports of Snapchat employees misusing their privileges to monitor user activity. These employees reportedly used an internal tool known as SnapLion to access user location information, phone numbers, and email addresses and to view messages. SnapLion was initially developed to assist law enforcement agencies in gathering data through court orders and subpoenas. It was later also used to track spam and abuse and to analyze harmful activities such as bullying. Former employees have stated that authorized employees did not always use the tool for legitimate purposes and were spying on users without proper oversight. At the time of this writing, the extent of the unauthorized activity is unknown, including how many accounts were accessed or whether impacted users faced any consequences. It is also unclear when the unauthorized activities began or whether they are still ongoing.

Users may adjust their privacy settings, including disabling location sharing, turning off cookies, and limiting the information shared with third-party partners. Users may revoke permissions they previously granted to Snapchat, such as access to their device's camera, microphone, and contacts. Users may use a VPN to remain anonymous and protect their online activities. Finally, users may opt out of tracking and personalized advertising to restrict the amount of information that Snapchat collects and shares with third-party partners.

Final Assessment

According to the data presented by pCloud, the leading social media apps that share the highest amount of user data with third-party entities are those apps under the Meta services. Specifically, Instagram ranks first with 79 percent of shared data, while Facebook ranks second with 57 percent. LinkedIn is the third highest data-sharer, followed by YouTube in sixth place, TikTok in twelfth, Reddit in fifteenth, Snapchat in seventeenth, and Twitter in twenty-eighth.

The major social media apps, including Facebook, Instagram, Twitter, TikTok, LinkedIn, YouTube, Reddit, and Snapchat, are among the most significant data collectors, amassing a wealth of user information such as personal information, financial data, device information, location, and more. These apps utilize marketing tools such as pixels and conversion APIs to gather information on users both on and off their apps, supplemented by data sharing from business partners and third parties. This data is then utilized to construct user profiles and enhance their algorithms to facilitate better-targeted advertising. Despite being the largest social media apps, they are susceptible to data breaches and have a history of privacy violations resulting in fines. Users are also at risk of data and privacy breaches, particularly since most do not comprehend the privacy policies, prioritizing convenience and app functionality over their own security. Moreover, the majority of apps' messaging services lack E2EE, which poses a significant risk to users' privacy, particularly where sensitive information is exchanged and may be accessed by malicious actors. However, the positive aspect is that users may reduce data collection by modifying privacy settings, declining or disabling permissions, reducing the content they post, employing a VPN, and/or ultimately deleting the app.

The NJCCIC recommends that users and organizations research reviews and assess the risks of using software, applications, and services. Review permissions and privacy policies, adjust privacy settings to reduce the data collected, download applications from trusted official sources, and keep apps and devices up to date. Additionally, apply cybersecurity best practices and review the NJCCIC instructional guides for configuring privacy and security settings. Please review the User Beware: Your Smartphone Is Tracking Your Every Move and Mobile Device Security NJCCIC products for additional information on the risks associated with using mobile devices and associated apps, including user tracking, information exposure, and additional recommendations.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
