Wednesday, 9 September 2015

Facebook likes - to buy or not to buy?

Buying fake Facebook Likes is as easy as buying bread and milk. A simple Google search will bring up dozens of websites which promise to give you ‘real’ or ‘active’ Facebook Likes for a fairly nominal amount. Many people and brands have been known to buy such likes; the biggest question is: why?
Quite simply, the answer appears to be: to seem popular. Trying to create a decent fan following for a Facebook page is no easy task and requires a solid social media strategy. There is a perception that in order to be portrayed as an established company you must have a large fan base, and that this in turn will help improve visibility. However, in reality, the actual social worth of a page is judged by the level of interaction it gets after putting up a status, picture or poll. Given the fact that the vast majority of these paid-for fans are fake accounts, you will more than likely get no interaction on your posts. If you are lucky, you may have purchased ‘real’ likes; however, there is no way to choose bought ‘fans’ who will actually be interested in your business, and there is a very low likelihood that they will have any interest in interacting on your page in the future. As the saying goes: ‘if it’s too good to be true, it usually is’.
Now consider EdgeRank – Facebook’s algorithm that determines which posts go into users’ News Feeds.  If your Facebook page has little or no engagement on your posts, in relation to your number of likes, Facebook presumes you are not posting valuable, informative or worthwhile content, and your EdgeRank will drop.  In a nutshell, this means that nobody will see your posts in their News Feeds – including your real likes, who are actually interested in your product and offerings.  In theory, the higher your number of likes, the more interaction (likes, comments and shares) there should be.   
More important than your EdgeRank rating is the fact that buying Facebook likes is illegal. The majority of people who provide fake likes do so by creating multiple fake accounts, which is strictly against Facebook terms of use. When you buy them from a person doing so, you become a partner-in-crime. To make users understand the severity and consequences of the situation, Facebook has revealed some of its fraud-fighting tactics. It is quite evident that selling and buying fake Likes are illegitimate practices that could result in a heavy price to pay. The day Facebook realises that your likes are fake, your Facebook page might run the risk of getting banned altogether.
Other than the technical and legal issues, let’s look at this in a simpler context; would you trust a person who has to buy friends?  No.  So why would you trust a company that has purchased likes to look good?  With trust and reputation two of the most important elements of branding, one needs to be very cautious when participating in an activity that can be perceived as deceptive.  If a consumer finds out that you have purchased Facebook likes, which is relatively simple to figure out, you will lose credibility and with it a possible, loyal customer.  
In conclusion, the need to have a large fan base is pure vanity; it delivers absolutely no value in return for your investment and carries more risk than reward. Real fans are the people that will actually turn into paying customers, or those who will share your posts and actively interact. Increasing your real likes or organic reach can seem overwhelmingly difficult, leading you to believe that the only way to succeed at this is by hiring a social media expert. This is not the case, and with a little bit of research and consistency you can run a successful page. Take a look here for some inspiration:

Monday, 31 August 2015

Overview of the Protection of Personal Information Act

Protection of Personal Information Act (POPI): how will it affect you?

We live in an ever-increasing digital world – of that there can be no doubt.  Many of us will not go one single day without checking e-mail, Facebook, Instagram, Twitter or some form of digital material. We are all leaving a digital footprint; and our personal information is often freely accessible with the click of a mouse and a few taps on a keyboard.
Mindful of the fact that personal information is often exploited for commercial gain (it is a vital business asset for purposes of marketing and advertising), or used by those with dubious intentions to commit fraud or send a plethora of unsolicited spam e-mail, the South African Government has recently signed the Protection of Personal Information Act (POPI) into law.

POPI essentially seeks to set out conditions and reasonable standards for the collection, use, storage and dissemination of any form of personal information. An independent regulator will be established in the next few months and enforcement will be strictly monitored – the maximum penalty for misuse is 10 years in prison, or an administrative fine of up to 10 million Rand.

Although POPI was signed into law on 19 November 2013 (following a painfully slow process through parliament), it is not yet fully effective. Only a small part of the legislation is currently in operation, and the full Act will only be effective when President Jacob Zuma gives notice of this in the Government Gazette – most anticipate this start-date to be towards the end of 2015, and by no later than 2016. Moreover, companies and individuals will have a further period of one year to become fully compliant – so although panic is not required just yet, it is now time to consider what steps to take in order to be fully compliant.
First, the critical element to understand about POPI is the definition of personal information.  What is it? Simply, any information that has the ability to identify a living natural person, or to identify a juristic person (a company, for example).

It is quite a broad definition and can include, for example, any form of contact details (e-mail addresses, telephone numbers, physical or postal address information); demographic or personal information (race, age, sex, identity number, blood type); history of an individual (medical, financial, education, criminal, employment, memberships of associations or organisations), and the definition is wide enough to include personal opinions about a product or service or any form of personal correspondence.  The point is: it is very wide and extremely broad.

With the above in mind, POPI sets out eight conditions that a company or individual must comply with if they collect, use, link, store or share any type of personal information. Briefly, the conditions oblige a person or entity to only collect information with a specific purpose, store it safely, ensure the information is relevant and accurate, only collect what is required and allow the “subject” to inspect it – further, and importantly, personal information can only be collected if the individual has “opted-in”. In other words, the person must specifically agree to the information being collected (subject to an exception dealing with existing clients).

All of the above must be documented in a written policy, and all employees of a business that collects personal information must be aware of POPI, the company policy and how to go about the collection, storage and sharing of the information.

So, what can you do? First, you must be familiar with POPI if you collect, process, store or share personal information. You must have a policy and ensure your employees are trained. You must further ensure your IT systems are adequate for purposes of the storage and retention of the data. And you must ensure your collection of data, above all, is compliant with POPI – failure to do so will result in hefty fines and even jail time. This has meant a change in the status quo for many corporate entities – banks, insurers, financial service providers etc. However, many small to medium businesses are operating in blissful ignorance and continue to do what they have always done. If you are someone who is affected by POPI (most businesses will be), now is the time to think about compliance…

About the author: Lee Swales (LLB, LLM) is a law lecturer at the University of KwaZulu-Natal and a consultant to Swales Inc. He can be contacted on

Sunday, 23 August 2015

Information security: Ashley Madison legal action mounts...

By now, news of the Ashley Madison hack is widespread. The online dating and social network service seeks to facilitate infidelity by targeting people who are married or in a committed relationship. The target line is "Life is short. Have an affair."

Depending on the source, it has been reported that between 32 and 39 million users' private information has been compromised; including names, e-mail addresses, credit card information, transaction history, user messages and internal e-mail messages belonging to the Ashley Madison parent company.

The hackers responsible, known as the Impact Team, stated in a recent interview that they will target "any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians..."

The data leak has led to many red-faced CEOs, bankers and government officials; extortion appears likely at some point...

While you may feel zero empathy or sympathy with those affected, the take-away point here must be that the internet is insecure (but permanent) - to think you are anonymous and your personal information is safe online is probably foolhardy. As CNN points out, everything is tracked and the internet is inherently insecure - no company can really guarantee privacy.

Many countries now have comprehensive data protection legislation, great!  However, this does nothing to protect data before the fact; and although it will encourage best practice in data security moving forward, many hackers are a step ahead of the game...

In Canada, the holding companies that own Ashley Madison (the website is based in Canada) have recently been served with a $578 million class action based on the breach of personal information. In the US, a class action seeking $5 million for damages was also recently launched.

In South Africa, the Protection of Personal Information Act (POPI) was recently signed into law – it primarily seeks to prevent the negligent disclosure of personal information. 

That being said, to date, POPI is not yet fully operational, but once it is (which is imminent) it will place South Africans in a similar position to the US, Canada, New Zealand, UK et al in terms of data security legislation.

Some 49 000 affected users are from South Africa according to a useful infographic on mybroadband’s website.  However, even if the Information Regulator created by POPI was established (this is still in progress) the Regulator may not be in a position to impose fines (or other corrective action) on entities that operate outside the borders of South Africa.  Further, a legal action in South Africa’s courts (against Ashley Madison) would probably also fail on the basis of a lack of jurisdiction.

By way of example, the Privacy Commissioner in New Zealand (similar to what South Africa’s Information Regulator will be) lists advice about what to do and who to complain to (for New Zealand citizens affected by the hack) here, but has said it is not sure it can do much more than investigate and doubts whether it has jurisdiction to take the matter further.

Back to South Africa; POPI primarily seeks to prevent the negligent disclosure of personal information.  Companies will have a one year grace period to fully comply and will be required to demonstrate compliance with documented policies and procedures – these documents must demonstrate compliance with eight key principles contained within POPI.  The core message of POPI is reasonable use, storage and dissemination of personal information – and ensuring information is accurate.

Therefore, even if a data breach occurs in South Africa by virtue of hacking, if a company can show it has taken all reasonable steps (according to current, industry best practice) it may well be immune from fines or further action.  The key here is that the company takes reasonable steps – not every possible step.  Clearly, these steps and internal procedures must be in a written (or electronic) document and all employees must be aware of the policy and how to use (and not use) personal information.  The time is therefore now if your company does not yet have a data security (POPI) policy and/or procedure.

Finally, and in my view, and based on the limited information available in the media, it appears that Ashley Madison did not take all reasonable precautions – particularly in light of the fact that some users paid a fee ($20) for a “full delete” of their personal information and yet this information is still contained within the data that was posted online. 

Further, in a reported interview with the hackers, it was claimed that security on the website was "bad", and that "nobody was watching" and there was "no security".

From a layman’s perspective, this does not appear to be reasonable conduct by the owners of the website. That said, the affected users of the hack must establish and allege an actual or certainly impending threat of injury before the case will proceed to quantify the loss suffered – for more information on the US legal position, see here. [PDF]