{"id":413164,"date":"2018-03-25T13:17:51","date_gmt":"2018-03-25T13:17:51","guid":{"rendered":"http:\/\/citifmonline.com\/?p=413164"},"modified":"2018-03-25T13:17:51","modified_gmt":"2018-03-25T13:17:51","slug":"facebook-warned-app-permissions-2011","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/2018\/03\/facebook-warned-app-permissions-2011\/","title":{"rendered":"Facebook was warned about app permissions in 2011"},"content":{"rendered":"

Who\u2019s to blame for the\u00a0leaking of 50 million Facebook users\u2019 data?\u00a0Facebook\u00a0founder and CEO Mark Zuckerberg broke several days of silence in the face of a raging privacy storm to go on\u00a0CNN\u00a0this week to say he was sorry. He also admitted the company had made mistakes; said it had breached the trust of users; and said he regretted not telling Facebookers at the time their information had been misappropriated.<\/p>\n

Meanwhile, shares in the company have been taking a battering. And Facebook is now facing\u00a0multiple shareholder and user lawsuits.<\/p>\n

Pressed on why he didn\u2019t inform users, in 2015, when Facebook says it found out about this policy breach, Zuckerberg avoided a direct answer \u2014 instead fixing on what the company did (asked\u00a0Cambridge Analytica\u00a0and the developer whose app was used to suck out data to delete the data) \u2014 rather than explaining the thinking behind the thing it did not do (tell affected Facebook users their personal information had been misappropriated).<\/p>\n

Essentially Facebook\u2019s line is that it believed the data had been deleted \u2014 and presumably, therefore, it calculated (wrongly) that it didn\u2019t need to inform users because it had made the leak problem go away via its own backchannels.<\/p>\n

Except of course it hadn\u2019t. Because people who want to do nefarious things with data rarely play exactly by your rules just because you ask them to.<\/p>\n

There\u2019s an interesting parallel here with\u00a0Uber\u2019s response to a 2016 data breach\u00a0of its systems. In that case, instead of informing the ~57M affected users and drivers that their personal data had been compromised, Uber\u2019s senior management also decided to try and make the problem go away \u2014 by asking (and in their case paying) hackers to delete the data.<\/p>\n

Aka the trigger response for both tech companies to massive\u00a0data protection\u00a0fuck-ups was: Cover up; don\u2019t disclose.<\/p>\n

Facebook denies the Cambridge Analytica instance is a\u00a0<em>data<\/em>\u00a0<em>breach<\/em>\u00a0\u2014 because, well, its systems were so laxly designed as to actively encourage vast amounts of data to be sucked out, via API, without the check and balance of those third parties having to gain individual level consent.<\/p>\n

So in that sense Facebook is entirely right; technically what Cambridge Analytica did wasn\u2019t a breach at all. It was a feature, not a bug.<\/p>\n

Clearly that\u2019s also the opposite of reassuring.<\/p>\n

Yet Facebook and Uber are companies whose businesses rely entirely on users trusting them to safeguard personal data. The disconnect here is gapingly obvious.<\/p>\n

What\u2019s also crystal clear is that rules and systems designed to\u00a0<em>protect and control<\/em>\u00a0personal data, combined with\u00a0<em>active enforcement<\/em>\u00a0of those rules and robust security to safeguard systems, are absolutely essential to prevent people\u2019s information being misused at scale in today\u2019s hyperconnected era.<\/p>\n

But before you say hindsight is 20\/20 vision,\u00a0the history of this epic Facebook privacy fail is even longer than the under-disclosed events of 2015 suggest \u2014 i.e. when Facebook claims it found out about the breach as a result of investigations by journalists.<\/p>\n

What the company very clearly turned a blind eye to is the risk posed by its own system of loose app permissions that in turn enabled developers to suck out vast amounts of data without having to worry about pesky user consent. And, ultimately, for Cambridge Analytica to get its hands on the profiles of ~50M US Facebookers for dark ad political targeting purposes.<\/p>\n

European\u00a0privacy\u00a0campaigner and lawyer Max Schrems \u2014 a\u00a0longtime critic of Facebook\u00a0\u2014 was actually raising concerns about Facebook\u2019s lax attitude to data protection and app permissions as long ago as 2011.<\/p>\n

Indeed, in August 2011 Schrems filed\u00a0a complaint\u00a0with the Irish Data Protection Commission exactly flagging the app permissions data sinkhole (Ireland being the focal point for the complaint because that\u2019s where Facebook\u2019s European HQ is based).<\/p>\n

\u201c[T]his means that not the data subject but \u201cfriends\u201d of the data subject are consenting to the use of personal data,\u201d wrote Schrems in the 2011 complaint, fleshing out consent concerns with Facebook\u2019s friends\u2019 data API. \u201cSince an average facebook user has 130 friends, it is very likely that only one of the user\u2019s friends is installing some kind of spam or phishing application and is consenting to the use of all data of the data subject. There are many applications that do not need to access the users\u2019 friends personal data (e.g. games, quizzes, apps that only post things on the user\u2019s page) but Facebook Ireland does not offer a more limited level of access than \u201call the basic information of all friends\u201d.<\/p>\n

\u201cThe data subject is not given an unambiguous consent to the processing of personal data by applications (no opt-in). Even if a data subject is aware of this entire process, the data subject cannot foresee which application of which developer will be using which personal data in the future. Any form of consent can therefore never be specific,\u201d he added.<\/p>\n

As a result of Schrems\u2019 complaint, the Irish DPC\u00a0audited\u00a0and\u00a0re-audited\u00a0Facebook\u2019s systems in 2011 and 2012. The result of those data audits included a recommendation that Facebook tighten app permissions on its platform, according to a spokesman for the Irish DPC, who we spoke to this week.<\/p>\n

The spokesman said the DPC\u2019s recommendation formed the basis of the major platform change\u00a0Facebook announced in 2014\u00a0\u2014 aka\u00a0shutting down the Friends data API\u00a0\u2014 albeit too late to prevent Cambridge Analytica from being able to harvest millions of profiles\u2019 worth of personal data via a survey app because Facebook only made the change gradually, finally closing the door in May 2015.<\/p>\n

\u201cFollowing the re-audit\u2026 one of the recommendations we made was in the area of the ability to use friends data through social media,\u201d the DPC spokesman told us. \u201cAnd that recommendation that we made in 2012, that was implemented by Facebook in 2014 as part of a wider platform change that they made. It\u2019s that change that they made that means that the Cambridge Analytica thing cannot happen today.<\/p>\n

\u201cThey made the platform change in 2014, their change was for anybody new coming onto the platform from 1st May 2014 they couldn\u2019t do this. They gave a 12 month period for existing users to migrate across to their new platform\u2026 and it was in that period that\u2026 Cambridge Analytica\u2019s use of the information for their data emerged.<\/p>\n

\u201cBut from 2015 \u2014 for absolutely everybody \u2014 this issue with CA cannot happen now. And that was following our recommendation that we made in 2012.\u201d<\/p>\n

Given his 2011 complaint about Facebook\u2019s expansive and abusive historical app permissions, Schrems has this week raised an eyebrow and expressed surprise at Zuckerberg\u2019s claim to be \u201coutraged\u201d by the Cambridge Analytica revelations \u2014 now snowballing into a massive privacy scandal.<\/p>\n

In a\u00a0statement\u00a0reflecting on developments he writes: \u201cFacebook has millions of times illegally distributed data of its users to various dodgy apps \u2014 without the consent of those affected. In 2011 we sent a legal complaint to the Irish Data Protection Commissioner on this. Facebook argued that this data transfer is perfectly legal and no changes were made. Now after the outrage surrounding Cambridge Analytica the Internet giant suddenly feels betrayed seven years later. Our records show: Facebook knew about this betrayal for years and previously argues that these practices are perfectly legal.\u201d<\/p>\n

So why did it take Facebook from September 2012 \u2014 when the DPC made its recommendations \u2014 until May 2014 and May 2015 to implement the changes and tighten app permissions?<\/p>\n

The regulator\u2019s spokesman told us it was \u201cengaging\u201d with Facebook over that period of time \u201cto ensure that the change was made\u201d. But he also said Facebook spent some time pushing back \u2014 questioning why changes to app permissions were necessary and dragging its feet on shuttering the friends\u2019 data API.<\/p>\n

\u201cI think the reality is Facebook had questions as to whether they felt there was a need for them to make the changes that we were recommending,\u201d said the spokesman. \u201cAnd that was, I suppose, the level of engagement that we had with them. Because we were relatively strong that we felt yes we made the recommendation because we felt the change needed to be made. And that was the nature of the discussion. And as I say ultimately, ultimately the reality is that the change has been made. And it\u2019s been made to an extent that such an issue couldn\u2019t occur today.\u201d<\/p>\n

\u201cThat is a matter for Facebook themselves to answer as to why they took that period of time,\u201d he added.<\/p>\n

Of course we asked Facebook why it pushed back against the DPC\u2019s recommendation in September 2012 \u2014 and whether it regrets not acting more swiftly to implement the changes to its APIs, given the crisis its business now faces, having breached user trust by failing to safeguard people\u2019s data.<\/p>\n

We also asked why Facebook users should trust\u00a0Zuckerberg\u2019s claim, also made in the CNN interview, that it\u2019s now \u2018open to being regulated\u2019 \u2014 when its historical playbook is packed with examples of the polar opposite behavior, including ongoing\u00a0attempts to circumvent existing EU privacy rules.<\/p>\n

A Facebook spokeswoman acknowledged receipt of our questions this week \u2014 but the company has not responded to any of them.<\/p>\n

The\u00a0Irish DPC chief, Helen Dixon, also went on CNN\u00a0this week to give her response to the Facebook-Cambridge Analytica data misuse crisis \u2014 calling for assurances from Facebook that it will properly police its own data protection policies in future.<\/p>\n

\u201cEven where Facebook have terms and policies in place for app developers, it doesn\u2019t necessarily give us the assurance that those app developers are abiding by the policies Facebook have set, and that Facebook is active in terms of overseeing that there\u2019s no leakage of personal data. And that conditions, such as the prohibition on selling on data to further third parties is being adhered to by app developers,\u201d said Dixon.<\/p>\n

\u201cSo I suppose what we want to see change and what we want to oversee with Facebook now and what we\u2019re demanding answers from Facebook in relation to, is first of all what pre-clearance and what pre-authorization do they do before permitting app developers onto their platform. And secondly, once those app developers are operative and have apps collecting personal data what kind of follow up and active oversight steps does Facebook take to give us all reassurance that the type of issue that appears to have occurred in relation to Cambridge Analytica won\u2019t happen again.\u201d<\/p>\n

Firefighting the raging privacy crisis, Zuckerberg has committed to conducting a historical audit of every app that had access to \u201ca large amount\u201d of user data around the time that Cambridge Analytica was able to harvest so much data.<\/p>\n

So it remains to be seen what other data misuses Facebook will unearth \u2014 and have to confess to now, long after the fact.<\/p>\n

But any other embarrassing data leaks will sit within the same unfortunate context \u2014 which is to say that Facebook\u00a0<em>could<\/em>\u00a0have prevented these problems if it had listened to the very valid concerns data protection experts were raising more than six years ago.<\/p>\n

Instead, it chose to drag its feet. And the list of awkward questions for the Facebook CEO keeps getting longer.<\/p>\n

–<\/p>\n

Source: Techcrunch<\/p>\n","protected":false},"author":14,"featured_media":132889,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[339],"yoast_head_json":{"title":"Facebook was warned about app permissions in 2011 - Citi 97.3 FM - Relevant Radio. Always","canonical":"https:\/\/citifmonline.com\/2018\/03\/facebook-warned-app-permissions-2011\/","article_published_time":"2018-03-25T13:17:51+00:00","author":"Kojo Akoto Boateng"}}