50 comments

[ 3.7 ms ] story [ 108 ms ] thread
Behind paywall, clicks away
How does a credit score service know which of the dozens of John Does you are on Facebook?

The only ways in which this can work is a) you have a pretty unique name on FB or b) you have to give your FB name on your credit application (if I'd see this on a form, I'd just tell the bank guy to forget everything and walk out).

Of course, this opens a possibility for manipulation - either you use someone else's clean FB page, or a malevolent entity creates a profile in your name, or you yourself have one "clean" profile and one "real" profile which many people already do to hide their pot smoke pics from potential employers.

I'm findable on facebook with my name and the name of the city I live it. It's not so hard.
Also I think things like who's in your friends list, etc.
The credit score service doesn't know, but FB does.

Can you imagine that FB sells this information anywhere in the near future? I bet they can make great profiles of you, and compared to a big pile of people with similar profiles, the bank can see what profiles predict risk.

First, the bank might not care whether it's really you. If there is someone with "bad behavior signs" who is sufficiently similar to you the prudent thing to do if you want to minimize loan risk is to assume that it's you. Secondly, it's really simple to deanonymize data. Check for example

http://33bits.org/2011/03/09/link-prediction-by-de-anonymiza...

As the site name implies, you need just 33 bits of good information to distinguish every person on Earth. It's not hard to get enough bits from your Facebook timeline to cross-correlate it with other stuff the bank might know about you.

I am one of three people in the entire world with my firstname, lastname combination. One of the other two goes by a different name, and the other is Portuguese.

It must be nice to have a common name.

I'm curious. How do you know this?
(comment deleted)
1) That would be why they are trying to push their irresponsible "real names" policy.

2) Let's not forget they have more than your name. They can geolocate your IP, for example, to get an approximate location. If I remember correctly, name and zip alone has something like an 85% chance of uniquely identifying someone. If you tell them your birthday, that chance goes up into the high 90s.

3) Once you have their cookie, they have many other sources of information thanks to "beacon"[1]. Identification becomes significantly easier when they have other businesses adding data.

[1] https://en.wikipedia.org/wiki/Facebook_Beacon

Why would you keep your FB posts public and not limited to your friends or to some subset of those (depending on what you are posting)?

Comments here seem to once again indicate as if everything posted to Facebook was automatically and irrevocably public. I don't really see that going on at least on my group of friends.

What if it becomes a prerequisite to grant your bank or FICO access to your Facebook posts, as part of the loan application?
Or what if FB just decide to sell access to all posts (regardless of privacy setting on that post) to certain companies.

Could they do that? You'd probably have to read (and keep up with) the T&Cs.

A: "What Facebook profile?"
"I see. Lowest credit rating then."

Same as for us foreigners who don't have any credit rating records valid in US. Meaning you get the crappiest deals and worst apartments.

Then you simply tell them that you don't have a Facebook account. If they find a private account with your name, you can tell them that it's not you.
If FB couldn't figure out who you are, they locked your account and required a photo of your driver's license or other state/national ID to verify identity.
It seems unlikely that this process will involve a human to intervene. Bots could do this easily, and could exploit things your friends share without you knowing. "I got super wasted with x last night" being posted or...

Or worse. They get access to those Facebook Messages?

You can create user groups or G+ style circles on FB. For instance, I've got posts that only my friends see, most of them are also visible to my parents and very few are visible to acquaintances.

Add the representative of the bank to one of the limited visibility groups.

Not sure how that works when FB API is used.

Wasn't this a big thing years ago? Employers asking for your Facebook username and password during the interview process?

I seem to remember a lot of articles about that and then it just stopped.

Because _everyone_ has a facebook account? Bank/work somewhere else if the prerequisite is to have a facebook account that is accessible to people who are not your friends.

Alternatively, if you are genuinely worried about being able to do this, I would advise setting up a public profile separate from a personal one (cpt obvious).

I remember when it was a faux pas to put your real name on the internet - long live the days of having an alias that you can make a whole bunch of mistakes to a private group of friends without being publicly remembered for it.

You will be surprised how easy is to create second facebook profile.
I could see this starting as an opt-in for a little bump (of rate, score, etc.) in your favor, like how the car insurance companies give you a discount if you let them log your driving and it shows safe behavior (e.g. https://www.progressive.com/auto/snapshot/)
I'd rather just close my Facebook account.
A lot of people have all their posts public and either do not realise this, or don't know the implications of being fully public.
Why wouldn't you?

I post default-public, on purpose. I welcome everyone to stalk me on Facebook as much as they like and to comment on anything that's interesting for them. I have very little personal secrets I want to limit access to, and generally live a single life. I understand it's a privileged position, as I'm just a pretty average straight, white, male, cisgendered, neuro-sort-of-typical Western geek, but I see no reason to post private when I don't need it.

I understand most people limit posts to friends or friends-of-friends (the latter is I think the default setting on Facebook now), though this kind of annoys me when I want to learn something about a person I'm not friends with and see an empty profile, or when I want to share a post from one friend to another friend (usually in a private message, in the form of "look at this insightful post or funny picture I saw on my timeline"), but the former has the post visible to his friends only, and the latter isn't friend with them. There are trivial workarounds for last case though.

EDIT: I'm not telling anyone that they should go full-public. But OP seems to be bewildered by the fact that some people do in fact keep full-public profiles on purpose.

You are lucky.
I'm also the majority (sans the geek part).

In threads about Facebook I see people so focused on various minorities and corner cases that they act surprised by behaviour of people on Facebook, even though said behaviour is perfectly ok for the vast majority of Facebook's users. I think it's good to remind everyone that not everyone wants everything they do to be as private as possible, or has a reason to. In fact, most users don't.

It's people like you who are telling the US government that it's ok to surveillance citizens. With your logic, you are saying you have no reason to hide anything, so the government can keep tabs on you. Just because you have nothing to hide doesn't mean you can become a victim of an error as well. Take this story http://www.wired.com/2015/10/familial-dna-evidence-turns-inn... where a man who "has nothing to hide" and innocent became the suspect in a murder due to him sharing similar DNA It could be you one day, you don't know.
Hey, I'm not telling the USGOV anything. I'm also pointing out that a lot of people have perfectly good reason to have default privacy level set to "full public", and it's neither weird or wrong. I responded to a HNer apparently bewildered by that fact.

I support you keeping whatever privacy level you like, but don't force me to hide things if I consciously, in full physical and mental capacity, decide I don't want to.

You can also be tagged in other people's posts, which you have to actively remove from photos (and I don't think it's possible to remove name-references in text at all).

Your group of friends is not a representative sample, and neither is mine.

There's a setting that makes tagging require you verify and accept the post/photo. I.e. when I turn it on, you can type the letters making up my name, but without my explicit consent given on a case-by-case basis, the name won't turn into a link to my profile. Not everyone enables it, but it's not an obscure feature either. Also, some combinations of privacy settings make you disappear from the tagging suggestion lists completely, but I haven't figured out how it works yet.
> There's a setting that makes tagging require you verify and accept the post/photo.

Where is that?

there's Timeline review (though I don't think it's exactly what he's saying, it lets pictures tagged with you avoid your wall unless you explicitly accept it)
Went and checked. There are two things you can do:

1) The second option on Settings/Privacy page controls how things you're tagged in end up on your timeline. On my account there's a link that to the Timeline Review page[0], on which you can enable or disable reviewing things before they become visible on your timeline.

2) There's a whole Settings page for Timeline and Tagging[1]. There you can control who can post on your timeline, how tagging you will work, whether your friends will see posts you get tagged in and whether or not you appear in tag suggestions. The tagging options work across Facebook, not just for your timeline.

[0] - https://www.facebook.com/INSERT_PROFILE_NAME/allactivity?log...

[1] - https://www.facebook.com/settings?tab=timeline

That setting doesn't help if you don't have a facebook account. Putting the responsibility on the named person is just another form of victim blaming.
I can't tag you if you don't have a Facebook account. What are you proposing? That typing someone's name without their consent should not be allowed? I think that would be seriously infringing on the right to write things.

> Putting the responsibility on the named person is just another form of victim blaming.

Victim blaming is quickly becoming a term for "I don't like how the reality works, so I'll just throw a temper tantrum".

> I can't tag you if you don't have a Facebook account.

I have no idea if that's true now. Historically, this was encouraged. I know my name has been added on pictures by my sister, at a minimum. I've never had an account at FB and never will. I'm assuming it is common knowledge on HN that just because you haven't registered an account with facebook doesn't mean your account doesn't exist.[1]

> That typing someone's name without their consent should not be allowed?

Obviously not. This thread is about credit scores, which facebook shouldn't be influencing based on hearsay. The bigger point is that "failure to opt-out" is not consent.

> Victim blaming is quickly becoming a term for "I don't like how the reality works, so I'll just throw a temper tantrum".

Absolutely not. Just because technology has allowed a power shift away from individual rights doesn't mean that's the way "reality works". The entire point of law is that we shape these aspects of society. It is not a "temper tantrum" to point out that responsibility doesn't fall upon the individual just because a rent-seeking corporation framed the discussion in that manner.

An easier to understand variant of this problem is so-called "identity theft". Nobody can steal your identity. They can impersonate you, but you still are the same person. The actual problem is e.g. banks giving loans to people without properly verifying the identity of the person. As a 3rd party, the bank has no valid reason to involve you in their, but by calling it "identity theft" they re-frame the situation as if was the your responsibility to keep your identity from being stolen (which is basically impossible).

[1] http://arstechnica.com/tech-policy/2015/03/report-facebook-t...

Facebook is gathering, processing, and storing my personal information (my name, my face) without my permission, and not acting when people ask them to stop processing and storing information about me.

That's probably not legal in EU.

Thankfully I deleted my Facebook account back in 2007. Paranoia pays off.
You did, did you? Try logging in again into that Facebook account you "deleted" and see what awaits you...
After two weeks from deactivation an account is removed completely. At least it was that way in 2011.
Facebook never deletes anything. An object (account, photo, posting, comment, like, etc) may no longer be visible, but it still lives on in FB's massive data repository.
I suppose that's a catchier summary than "Facebook history may allow people without credit scores to get loans".
Having worked for a subprime lender for several years, screw you.
Also people with subprime credit scores. But not if they publicly mention being wasted ;)
There's so much potential for mis-scoring here. Take the 'wasted' example. You can't just grep for the word, it depends on the context. e.g. What if someone is a big fan of the GTA games? The game uses the phrase 'wasted' when you die - so if you happen to be posting GTA videoe, your descriptions might end up lowering your credit score!

Credit scores at the moment at least can be queried and mistakes corrected. This new kind of scoring will be opaque and unaccountable.