A reader of mine named Najia checked out her Active Sessions recently and was appalled at what she found there. Though she lives just north of Boston, Facebook was telling her that she was logged in from locations more than 400 miles away. She wrote:
About three weeks ago, I logged into my Facebook account and checked to see whether anyone else had logged into my account. For the next week, I monitored it and noticed that my account was being accessed from computers in Virginia and Washington DC. I changed my password and then I took screenshots of all the logins, every time I noticed logins that weren’t mine. I then changed my login preference so that every time someone attempts to login from an unauthorized computer, I would receive a text message. … Not surprisingly, anytime I tried to login to my account, I always had to verify my login via the code provided from the text message that Facebook sent me. NONETHELESS, when I checked if there were any suspicious logins, I noticed my account was still being accessed from different computers. I don’t know how this is possible.
Najia sent me the screenshots. Sure enough, her Facebook account showed log-ins from the D.C. area. Was Najia being Facebook-stalked by the Feds?
Before trying to answer that question, I checked out my Active Sessions and discovered that I, too, had rogue log-ins I couldn’t account for. Specifically, Facebook had me logging in from New York City, when neither I nor any of my devices were anywhere near the Big Apple.
So I asked Facebook how this location information is generated. The answer, like many peoples’ relationship status: It’s complicated.
Per Facebook spokesperson Frederic Wolens:
“We infer the information from carriers and the device IP, some IPs have users from all over a region of the country, in those cases we can’t disambiguate where in the region they are and a central arbitrary location is displayed.”
Translation: Facebook makes its best guess based on your device’s Internet Protocol address. If you’re using a mobile device to log in, the guesses it makes often aren’t very good.
It turns out that the locations that were most off for both Najia and myself were those made from mobile devices – specifically her iPhone and my iPad. So that’s one less mystery left to solve.
It seems that while Facebook does indeed track locations for its nearly 1 billion users, it doesn’t do a very good job of it. That’s either good news or bad, depending on your perspective.
The good news is a) you’re probably not being Facebook-stalked by the Feds, and b) because Facebook location data isn’t really reliable, it shouldn’t be used in a legal context – ie, to prove you were or weren’t in a particular location if that ever comes up in a legal dispute (and the way things are going, it very well might).
The bad news? Your Facebook location data might be used anyway, because local authorities don’t understand how wrong it can be (and they don’t read TY4NS). In that case, bad location information could come back to bite you by suggesting you were some place you weren’t supposed to be, or you weren’t where you claimed to be.
As I’ve said a few times before, location data is the newest and scariest privacy quagmire. It can and will be used against you, even when it’s not remotely accurate.