Short version: Any social media platform can be compared to the biggest, greasiest cheeseburger that you can find.  You know that the cheeseburger is unhealthy, but you choose to eat it anyway.

TikTok is worse for you than a cheeseburger

Many of us mis/use the Internet by installing apps that we know collect our data. We tweet, share, post, repost, reshare, retweet, and say little (if anything!) about the dangers of the platforms that we use.  It is a “risk worth taking to connect with friends and family online.” 

We partake in this ocean of data collection platforms because, like the cheeseburger, we are willing to willingly trade our personal data and intimate details of our Internet behavior to strangers for something that we want even though we know it is not good for us.  And like eating a cheeseburger yesterday, a new day begins today, and we are seemingly unharmed from yesterday’s use of these platforms, which encourages us to eat another cheeseburger (I mean, log into TikTok again).  We justify this unbalanced trade so that we can “connect” with friends and family online.

TikTok is like a triple stack, bacon cheeseburger.

Every person working in any aspect of “information security”, from the IT admin to the deep-diving forensicator, knows all about how social media platforms are purposely developed for the collection of data of its users. We know without doubt that the sole purpose of these platforms (ie, the code) is to collect personal data from users to specifically sell it. Yet, here we are using them, to connect to friends and family.  To be honest, we also know that one day, all of the unhealthy cheeseburgers will hit us hard one day. But we ignore that warning.

We are all breached

In defense of using “malicious” social media platforms, I hear the argument often that since the breaches have already happened, we have nothing left to lose.  It is true that our personal data has been breached, leaked, stolen, and sold multiple times. Our DOBs, SSNs, and mother’s maiden names have all been collected by hackers many times over and we used to treat our DOBs and SSNs as practically TOP SECRET information! But now, for less than five bucks, you can get anyone’s DOB and SSN in minutes.  For a little physical effort on a keyboard, you can probably find it for free.

The point that I stress is that our behavior is being collected. Our behavior speaks volumes more than our biological identity, especially when behavior is tied to an identified person.

Sure, when Facebook monitors your website visits, this is collecting your behavior, but even that is not what I am talking about. Facebook wants your browsing history and purchasing history so that it can make money from your Internet behavior. If Facebook informed every user in big, colorful letters that it is providing Facebook free in exchange for users’ Internet history and personally identifiable information, they would lose exactly no users. No one cares because the effect is almost unnoticeable. By the way, I am not defending Facebook in the least bit.

An entirely different level of ‘breached’

I consider every social media platform as malware even as I also use social media. How bad is that!?!  The most devasting impacts of social media platforms is not the selling and reselling of our phone number in order for a company to sell us something. It is not about being sent targeted ads. It is about the type of our information that is not being sold which is the worst kind of breached: our offline behavior.

Online dis/mis/information directly modifies our offline behavior, both intentionally and unintentionally by Internet platforms and other users. A person or persons in one country can cause a person in a different country to behave against their best interests or against the interests of their own country through misinformation, disinformation, and even with bullying online behavior. This can happen to corporations and even to governments, or more accurately, by corporations and governments.

We know it, but we ignore it, because we like cheeseburgers

TikTok is clearly malicious. Your PII and offline behavior are both being captured.  TikTok is malicious in the clear definition of being malicious. Data is collected surreptitiously for bad purposes, in the sense of marketing of “TikTok is totally free; we are not taking any personal information <wink wink>.”

A guy on reddit reversed engineered #TikTok

Here’s what he found on the data it collects on you

It’s far worse than just stealing what’s on your clipboard: pic.twitter.com/oqaQyYDXT2

— Dan Okopnyi 🇺🇦 (@d1rtydan) June 28, 2020

This is an unstoppable train

The train has left the station: Offline behavior of geolocation data, smartphone contacts, IP addresses, personal photos, bank account information, connected apps, the places you regularly visit, the routes that you regularly use, and the dates and times of your travels and destinations. All of this is in the hands of the developers of the apps on your device.

With the right machine learning, the right artificial intelligence, and the right intuitive design of an effective operation, you could start riots, create race wars, bankrupt corporations, shutdown economies, sway elections, and even start kinetic wars between countries based on this information.

No, I am not overreacting

In 2013, in a book that I wrote, I stated that “…mobile devices are practically an attached GPS device on the user.”  I should have added “…without needing probable cause for a warrant.”  And could have added, “…and can be used as an effective behavior modification device.”

All of this is already happening. It’s not a new method of warfare. Psychological operations have employed for many wars for as long as humans have warred.  The only difference is that with the Internet, PsyOps is more effective, easier, and quicker to see results. Where a few decades ago, a PsyOps campaign may not see results for months or years, we can see results in mere days and hours. Push the right buttons on the right person and a riot is sparked.  Our devices not only give our location but also collecting the identity of those near us who also have connected devices. Think about it: a gathering of any social group can be completely identified in minutes by date, time, location, and the personal contacts between people based on the physical distances of each person's mobile device.  What could you do with that information if you wanted to modify the behavior of a group?

I am past preventing the misuse of PII or collection of offline behavior. I think all of us should move past that, including our government. For as long as people use the Internet, this information will be collected maliciously or with consent. The more effective measure is what to do about the effects of what we cannot control. How do we correct our misdirected behavior created by trolls and enemies? How do we separate what is fake from what is real? What is our countermeasure?

We can ban malicious apps today, but without question, others will come tomorrow. Apps that we assume to be non-malicious today can easily turn malicious with the change of a few lines of code at any time of use. If not the app itself, malicious insiders will always, and have always, stolen and sold information to adversaries. We can't blot out the sun but we can put on sunscreen.

A forensics-thinking approach

One thing about the digital forensics mindset is that everything in the electronic data world is questioned during an analysis. No competent forensic analyst will blindly accept the date of a file as being the actual date of the file without some corroborating data. One point of circumstantial evidence is just an opinion.  We need more than a single point of data to separate a fact from opinion.

The same holds true for every social media platform. We cannot blindly accept that our use of any platform is free from being used to harm others or ourselves by malicious actors or even the platform provider (sometimes they are the same!).  Bots, puppet accounts, and hijacked accounts are most always trusted at first glance, and many times, continue to be trusted until it is too late.

Question everything that makes you question questions

One of the traits that makes a good investigator is listening that little voice in your head that asks, “Why…”.  You have an ability that raises red flags and gives doubt, but you have to act upon that ability. Humans are too quick to accept what they see or hear, and thereby not question it.  Have you ever walked into a new restaurant, got a bad feeling, ate there anyway, and ended up regretting it? That's what I mean. Find the answers to the questions of the little voices* that you hear.

In a digital forensic case, acting on uncorroborated evidence can result in case dismissals, or worse, wrongful convictions. In the offline world, acting on uncorroborated information can result in personal and physical attacks on innocent people or worst, the complete breakdown of a society.

There are no coincidences

I did some time in military intelligence units and one of the things that I learned was that there is no such thing as a coincidence. Anything that happens, happens for a reason and someone was behind it happening. I carried that experience and training into undercover investigations in law enforcement by creating "coincidences' in my cases. It was a simple op to gather intel on criminals and 'coincidently' to bump into them to develop relationships without having to be introduced. These planned coincidences resulted in going from zero in a case to practically being #2 or #3 in an organization.

The Internet is no different. There are no coincidences on the Internet. Everything has a purpose and plan. Whether individuals create dissent, or they are useful idiots in a bigger operation by organizations or nations, consider that there is something behind everything if it is on the Internet. More so with the "free" social media platforms.  You are not the product in these scenarios. You are the pawn.

The hard way of surveillance

At a federal task force, my group needed to come up with a plan to install listening devices in a house. The house was irregularly occupied and of course, always locked. The team that actually installed the devices had a plan. We created a 'power-line down' ruse in the neighborhood to stop all incoming traffic, the install team broke into the house through the garage, cut a hole in the wall to access a room, installed the devices and software, repaired the hole that they cut out, and left undetected. That was a major operation and the occupants didn't have a clue until they read the affidavit...

In another case, I needed to install a hardwired-GPS on a vehicle that was extremely difficult to catch at a place for the installation. The only way feasible was to get a search warrant to steal the car, order a key from the manufacturer, install the GPS after 'stealing' it, and then "report" the stolen car to local PD as a stolen recovery.  Again, lots of work just to install a GPS.

Today, if I were a spy and wanted to do these things, I would walk down the hall to the computer team and request development of a free, social media app. Then I would market it like crazy to the country/countries of choice.  And monitor it and wait until my targets, or the children of my targets, or the friends of my targets installed the app. Then I would be in their home, quite literally in the sense of being able to hear and see anything. And potentially influence them. Or I could influence the populace slightly by pushing a few key users into a pre-planned direction of disruption. Not that this could be happening now.........I wonder if I could get law enforcement officers, political figures, movie stars, and their children to use my app?

A step in the right direction

Be prepared to address what is coming. Be prepared with solutions to the problems when people start complaining. When your government wants to implement an overreaction to a perceived problem, be prepared to have a better-measured response. 

Consider the current encryption debate. The government can’t break encryption, so their solution is banning encryption altogether (a backdoor is an encryption ban, fight me if you want). Any person in information security knows that this is not only an over-reaction, but it will be the biggest detriment to security in the history of security. There are better solutions. One would be for investigators to do better jobs in their investigations rather than outright ban encryption.

We are all smart enough to know what is happening with the breaches, the leaks, and the malicious social media platforms. If the data is not being sold for profit, it is being caressed into a format useful for warfare (cyber or otherwise).

As a side note, every country is doing this to their own countries in the search of potential dissidents and criminals. Remember that what you do today may be illegal or unacceptable tomorrow. Some governments may allow for the past to go unpunished, which other governments may (will) retroactively punish past behavior that was legal at the time but subsequently made illegal.

You Should Already be in Condition Yellow

Anyone working in the infosec field should be in Situational Awareness Condition Yellow. Being aware of threats now decreases the time between identification and action which thereby increases your odds of success to handle threats.

Of course, we are aware of the threats that the Internet holds for society. From cyberbullies pushing victims toward suicide through nation-states creating internal turmoil in their enemy’s countries using online PsyOps. But being aware is only one step. We should be thinking of countermeasures and remedies.

Be ready for when those in Condition White begin to overreact, you can bring them down to Yellow when they go straight to Red without a plan. No one wants to hear from complainers without solutions, and by being ready with something, you will be further ahead and maybe we can get this right the first time.

Until then, cut back on the cheeseburgers because the day to pay up for those burgers will be here soon enough.

*by little voices in your head, I mean "gut feeling", "intuition", "bad feeling", "paranoia", or anything else describing the feeling that something not quite right.

Jessica Hyde of Magnet Forensics sat down together (virtually...) to talk about forensics.  In case you missed it, here it is!

A “new” article on imposter Facebook accounts was published today in the Philippines.  I put “new” in quotes because this is not a new issue, but I am glad that more public attention is being given to spoofed social media accounts.

I am referring to imposter accounts as “spoofed”, “faked”, and “imposter”, where the account was not created by the user. Conversely, there are fake accounts created by a user as a multiplier to voice misinformation/disinformation, but not used against a real person. The fake accounts of real people are a different matter.

How does this affect you, aka: TL/DR?

A fake account can affect your personally by:

• *  Ruining your personal reputation,
• *  Destroying family relations,
• *  Getting you fired from your job,
• *  Having criminal charges filed against you, and
• *  Creating a risk of being sued.

On the professional side of using Facebook as part of OSINT investigations, you can be led on rabbit trails of false and misleading information whereby you put an innocent person at risk of all of the above bullet points, plus other devasting problems that I probably overlooked. Simply, if you find your suspect's account and use that information as a foundation of fact, you will be chasing an innocent person being framed with disinformation.

I wonder how many alibis have been successfully used with disinformation on social media platforms...

Today’s News is Old News but it is Relevant News for Today

In the Philippines article, students and journalists are the targeted victims with spoofed Facebook accounts created in their name and without any other information, such as personal photos. Fake accounts have been happening for years, so this is not new. However, it is just as relevant today as it was years ago. Perhaps more so now than ever before.

I am using “Facebook” throughout this post as Facebook is this article’s focus, but everything that I say about Facebook can be applied to almost any social media platform.  Social media has been an amazingly positive force in the world for connecting people and sharing information, but just as any tool that has an incredible power to do good, the same tools have the power to do the exact opposite for bad.

https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

Found 3 fake Facebook accounts using my name last night. Already down (I think?) after I reported. One good thing about having a unique name is I’m sure the accounts are not owned by actual people with the same name as mine. pic.twitter.com/7TBptLnofU

— Jodesz Gavilan (@jodeszgavilan) June 7, 2020

So what?

With a standard disclaimer that I am not a lawyer, creating fake accounts probably isn’t a crime in most countries, because who cares if a fake account with no information on it was created.  Certainly, fake accounts may violate the TOS (terms of service) of the platform provider and the accounts can be removed by the provider.  

By the way, you can report a fake account to Facebook here: https://www.facebook.com/help/1216349518398524?helpref=hc_global_nav

As far as criminal laws are concerned, the Internet doesn’t create a new world of criminal laws as the Internet only facilitates existing crimes electronically. The laws are basically the same, but have a sexier title like, "computer facilitated". Meaning, harassing someone online with racial or threatening comments is not different than doing the same thing at a workplace. Threats are threats. Identity theft is identity theft. The Internet just makes it easier, faster, and more explosive. Please don’t @ me with laws on Internet crime…I’m speaking extremely broadly on the legal aspect of fake accounts. I want to focus on the more important issues that affect you personally and affect your cases.

Technically, a fake account is just a fake account if it just sits there, right? I mean, I even checked my name in Facebook and found a fake account! No photo or any information, but it is there.. This is a fake Facebook page in my name (again, I did not create this).

https://www.facebook.com/pages/Brett-Shavers/163135850514643
In case you may be thinking that this could be a different “Brett Shavers” with a Facebook page, I highly doubt it.  In fact, this fake page was created with me specifically named based on seeing (1) author under my name since I am an author, (2) Renton Police Department as a related page, which is where I was a detective in my former career, and (3) Amped Software- Forensic as a related page since I am somewhat involved in deeply involved in forensics.

There is also a notation (4) of “Unofficial Page”, which Facebook defines as a page that was not created by the named user.  If I want, I can claim this page, or merge it, or ask that it be deleted. If I were to do this, I assume it would begin a game of whack-a-mole.

The interesting thing about me and Facebook is that I do have a personal Facebook page, but I don’t use it. Nothing is on it. I don’t like the concept of Facebook for many reasons. I created it in a futile attempt to prevent someone from creating a fake Facebook in my name.  My effort was completely in vain. My real page looks like this (again, I did create this page).

How many fake accounts are out there?

This is one of the unknowns in life, as you can’t know the unknowable. However, Facebook has deleted BILLIONS of fake accounts.  More specifically, Facebook has taken down over 5.4 BILLION fake accounts.  Consider that the planet’s population is about 7.8 billion and that there were at least 5.4 billion known fake Facebook accounts. Still, this is not the most important issue to you as I move toward the juicy stuff!

The juicy stuff!

By now, I know that your brain has already gone through a dozen scenarios of how bad this situation with fake accounts sucks.  I can’t think of a better word than “sucks”, because that is how this feels. To make sure that you covered the most important scenarios in your head, here are a few to think about if you missed one.

What can a fake Facebook account do against you?

• *  Target you personally
• *  Target your professional
• *  Target your criminally
• *  Target your civilly

These are easy to see. In this world of angry Internet users, any person can be the target of an army of one or an army of many through Internet attacks. A fake account can make you seem to be a far left/right political threat, a criminal peddling some form of criminal evidence (drugs, stolen property, etc..), or use your name/account to post threats to businesses, people, or to a government. None of these are good and all will require substantial resources to remedy, as in, prove your innocence. Also, the permanent effects of personal damage online is…permanent.

Criminals can (do) scope out targets and monitor their social media accounts. Creating a fake account in their target's name takes this one step and a million miles further. Imagine a fake Facebook account in your name that friends one of your friends. In minutes, your entire life’s connections can be mapped out with friends of friends and friends of those friends, and so forth. One fake account and you are completely exposed to an attacker. Before you are made aware, the account can be removed and you now your attacker has a complete dossier on you for their mission of destruction.

Not cool at all.

How can fake Facebook accounts affect your investigations (criminal or civil)?

• *  Misleading information
• *  Disinformation

For those who use OSINT (open source intelligence) as part of your job with either civil or criminal investigations, any criminal can create a fake account to throw you off their trail and on the trail of an innocent person. Imagine finding someone admit to a crime on Facebook, in their name, with their photo! That breaks the case!  But if it was fake, you may or may not figure it out, and if not, an innocent person could end up charged and convicted of a crime that they did not commit.

Regardless if you can figure out if the account was faked, the effort involved to verify and corroborate the information wastes valuable time in any investigation. Your casework is affected nonetheless.

A bigger threat?

• *  Facebook data collection
• *  Government collection from third party Facebook

Facebook collects personal data. And it sells it to other businesses. And it gives it to governments. We expect that now. The surprise no longer exists that Facebook is a data collection machine that makes money off its users’ personal information. But that is not the issue, because if you don’t want to be part of that machine, you can avoid creating a personal account. Right?

Wrong. Facebook might make a personal page for you anyway without telling you anything about it. If they don’t make a personal and public page for you, they are certainly collecting your information anyway, even if you have never ever visited a www.Facebook.com website..ever.

Packet Storm wrote an amazingly important article in 2013 that describes basically your personal is collected by Facebook through friends and family on Facebook. Many in the security field are aware of this, where John Doe will post on his Facebook page about Jane Smith. Jane Smith might not have a Facebook page and is doing everything to avoid being online, but now her friend John just outed Jane to the Internet world.

Take this a step further. When John logs into the dozens of social media accounts through his mobile device or computer, he will usually give access to his contacts to the social media platform. Now, dozens of social media platforms have Jane’s contact information, even though Jane has no account on any of these platforms.  Eventually, these contacts are collected by Facebook through the same manner of allowing access to the user’s contacts, and Facebook practically has the contact information of every person on the planet who has an email address or name.

Facebook has been questioned about “shadow” accounts or “invisible” accounts and claimed that the collection of this information was a technical glitch. This bug was, in effect, mapping the world regardless if everyone had a Facebook account.

The bigger threat, even more important than being targeted by criminals, is that of being wrongfully targeted by a government.  Let’s take the Philippine’s situation as an example.

“This was first reported by U.P. Cebu’s official student publication Tugani, which said it found fake accounts of student activists who were arrested in an anti-terrorism bill protest on June 5.” - https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

It seems that students who were protesting and subsequently arrested, discovered fake Facebook accounts in their name. What would the purpose of that be, other than tracking people critical of their government? Over the course of human history, every group of people has had their turn of being critical of their government. Everyone takes their turn. Some nations allow public critiques without interference and other governments execute dissidents on the spot, in the street, for all to see.

3^rd Party Access Trumps 4^th Amendment protection

But the United States has the 4^th Amendment! Come back with a warrant, bro! This is true, and generally, the Constitutional protections are followed by the US government (all levels).  I say “generally” because there is always an instance of abuse that occurs inadvertently or intentionally.

Most people aren’t intimately aware of Constitutional Rights, and when asked, will usually recite something that they remember from a Hollywood movie or TV show. They don’t get it right often. Those “in the know” know that Facebook’s data is not protected by the Constitution. Your home and everything in it is protected from unreasonable search and seizure, but the data collected by Facebook (or any 3^rd party) is not.  That means knocking on Facebook’s door with a written request for data bypasses the wall between your data and the government.

The issue is when the data with your name on it is not your data but is tied to you. Or perhaps it is your data, collected and curated by Facebook that your entire life is memorialized in a neat zip file. Hopefully, the information collected was not disinformation by a competitor or criminal or scorned lover wanting to set you up for a fall.

All Existing Data is at Risk to be Breached

Social media platforms and any company that collects data are under varying degrees and sometimes opposing requirements of data preservation and data destruction. Some types of data is required to be maintained for a certain number of years and other data is mandated to be destroyed in a different number of years or months. Some providers swear to not keep any data.

The thing is, no one really knows how long data is kept or destroyed. Personally, I have written affidavits for data that should exist but told that it does not. I have also received data that should have been destroyed but was “overlooked”, resulting me getting extra information… On top of that, I have personally seen corporations not even know the data that they were maintaining that they certainly should have destroyed (legally) a decade earlier.

This data, all of it, including the fake accounts, are ripe for the taking by anyone with access to the data. Access does not only imply “legal” access, but any access to include hackers. It’s bad enough for your real data to be stolen, but it may be much worse if fake data is stolen and attributed to you.

What can you do?

Unfortunately, it is whack-a-mole with your private data and doubles with the fake accounts that might be attributed to you. At one point, I made a Keybase account, where you can verify the platforms and websites under your control. I verified everything in hopes that if a fake account was made (which there are a few for me…..), I could easily point to a verification site to disprove the fake news.

But, Keybase was purchased by Zoom, and with Zoom’s security problems, I deleted my keybase. The good news is that Keybase doesn’t allow me to recreate my account with my same name. That in itself is a good security feature for you. I recommend creating a keybase account and then delete it in order to prevent someone from creating a keybase account in your name. Of all fake accounts, Keybase would be a bad one to have made in your name as it professes to the world that you are you. Another example of platforms communicating (ie, sharing) data between each other is Zoom's iOS app sending data to Facebook as reported in Motherboard. The funny part? Even if you don't have a Facebook account, Zoom sends it to Facebook anyway. Add to this that Zoom purchased Keybase. Before you start spiraling out of control in conspiracy theories with social media platforms, keep in mind that I am only focusing on the fake Facebook accounts.

A personal story

Way back when, when I was a new patrol officer, my wife made a website.  This was really incredible at the time. To give you a hint of when this was, it was during dialup, and websites were made by straight typing HTML. WYSIWYG wasn’t a thing yet, but she taught herself and made a site on one of the free platforms at the time. It was a family website and because I was in law enforcement, I stressed to not use our names or personally identifiable information, especially as our kids were young at the time. Anyway, her website became popular and made it into several print magazines in Japan. Oh yeah, the website was in Japanese. This will be important to know shortly.

The punchline is that one day in patrol, dispatch sent me a message on my MDC (mobile computer) and said something to the effect of, “Hey. I found a website with pictures of you and your family on it. Did you know that?”

Long before the Internet searching became really easy, a dispatcher somehow found me online with my family, on a website that was in Japanese. My wife took the site offline when I told her.

Later, in my undercover days, my threat level substantially increased. I flew around the country and internationally, many times unarmed (dumb in-country rules...), and hung out with organized crime. My conversations were talking to people about people that they killed or had killed, informants that were tortured, corrupt cops, smuggling humans across borders, and all things drugs and guns. I had cars drive slowly in front of my home, been followed on more occasions than I want to remember, and bumped into targets while off duty while with my family.  During this time, I found that a relative of mine was posting pictures of me and my family online, even knowing the job that I was doing. I blame the ignorance of security more than anything, but to be unaware that photos you send to friends and family end up on their social media platforms is uncool without asking permission. Then at a point, I had threats and guns stuck in my belly added to the mix.  Having a gun stuck in my belly and also my personal information exposed online, I can say that the Internet exposure was worse. Oh yeah, my ID was stolen with all of this too.

I have more of these types of stories than any one person should have, but the point is that the Internet is a dangerous place for not only those with intelligence or law enforcement jobs, but for any person who somehow gets in the crosshairs of an angry person, or someone who needs a scapegoat for their crimes. Fake social media accounts are a serious concern, and for you, the IT, Infosec, or DF/IR pro, your first responsibility is to protect your family. Protect the world as a secondary task as you get to it.

Stay safe.

Billions of fake accounts: Who's messaging you on Facebook?

https://bigthink.com/politics-current-affairs/facebook-banned-accounts?rebelltitem=1#rebelltitem1

Philippines Probes Proliferation of Impostor Facebook Accounts

https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

Facebook has shut down 5.4 billion fake accounts this year

https://www.cnn.com/2019/11/13/tech/facebook-fake-accounts/index.html

DOJ to probe sudden surge of fake Facebook accounts

https://www.cnnphilippines.com/news/2020/6/7/DOJ-probe-fake-Facebook-accounts.html

Shadow profiles: Facebook has information you didn't hand over

https://www.cnet.com/news/shadow-profiles-facebook-has-information-you-didnt-hand-over/

Facebook: Where Your Friends Are Your Worst Enemies

 https://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html

Facebook admits year-long data breach exposed 6 million users

https://www.reuters.com/article/net-us-facebook-security/facebook-admits-year-long-data-breach-exposed-6-million-users-idUSBRE95K18Y20130621

Zoom + Keybase

https://keybase.io/blog/keybase-joins-zoom

ZoomiOS App Sends Data to Facebook Even if You Don't Have a Facebook Account

https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account