Privacy advocates are calling on all social media platforms to more responsibly handle and restrict improper access to data in the wake of Facebook’s latest controversy where it acknowledged users’ personal information had leaked through a third-party app.

“People are shocked this happened, but I’m shocked it didn’t happen sooner… it’s so easy to penetrate this kind of thing with social media providers,” said Joseph Steinberg, founder of social media security company SecureMySocial, in an interview with Threatpost. “The real issue here is Facebook… not the people who collected the data or those who used it. Facebook knew it happened and didn’t say anything to the public.”

Facebook is in hot water after stating that Cambridge Analytica – a consulting group that has worked on several high-profile political campaigns, including that of President Donald Trump’s – used the social media company’s platform to harvest the data of 50 million users.

Facebook’s troubles trace back to 2015 when app developer Aleksandr Kogan requested access to information from users who downloaded his third party app, “thisisyourdigitallife” on Facebook, which billed itself as “a research app used by psychologists.” In reality, that data was being given to Cambridge Analytica, a U.K.-based company that helps political parties target voters with specific messages.

The social media platform has defended itself, saying the incident wasn’t a breach because users consented to giving their data to a third-party app. While security experts agree no systems were breached, they say the Facebook debacle points to worrying overarching issues around security, privacy and personal data harvested by social media companies.

“In a technical sense this wasn’t a breach. This is how the business model is supposed to work. But for end users, if it was a breach in any sense of the word, it was a breach of trust,” said Gennie Gebhart, researcher with the Electronic Frontier Foundation, in an interview with Threatpost.

Up to 270,000 Facebook users downloaded the app – giving Kogan consent to access data, such as the city they live in or content they “Liked” on Facebook. However, in 2015, Facebook also enabled developers to collect data on the Facebook Friend networks for users – meaning that when users agreed to show their data to Kogan, he could also access data about their Friends, catapulting the number of users impacted to up to 50 million.

Facebook, for its part, adamantly says that users were knowingly providing their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked: “The claim that this is a data breach is completely false,” the company said in a statement. “Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent.”

Facebook said Monday it has hired independent forensic auditors from Stroz Friedberg to investigate whether Cambridge Analytica actually destroyed the end users’ data. Cambridge Analytica on Tuesday announced that it has suspended CEO Alexander Nix on the heels of both the Facebook fiasco and videos that emerged from a reporter in Channel 4 News who filmed the executive making inappropriate remarks.

Despite these steps, the company has faced a slew of backlash –including a wave of politicians who have called on Facebook to enforce privacy policies to protect user data, and reports that the U.S. Federal Trade Commission is probing Facebook over whether it violated terms of a 2011 consent decree over its use of personal data.

Making matters worse for the social media platform, in the midst of all this, Facebook’s security chief, Alex Stamos is reportedly planning to step down from the company in August, after he was met with resistance after advocating for more disclosure around Russian manipulation of the platform and some restructuring to better address related issues.

The disruption on Facebook comes at a time when data runs rampant on social media platforms – including where users live, birthdates, political affiliations, photos and likes and dislikes. This data also exists on other platforms, such as LinkedIn and Twitter – and Facebook’s issues have lasting impacts for the social media industry as a whole when it comes to privacy.

“This situation has been laser focused on Facebook’s policies and mistakes, but many if not all social media platforms have the same business model… they are the advertisers and the end users are the product,” Gebhart told Threatpost. “As people start raising these new questions about Facebook, they will begin also questioning other social media platforms.”

What Data Privacy Regulations Exist On Social Media?

Facebook outlines clear policies around data for third-party developers, including that developers must provide a publicly available policy that explains what data they are collecting and how they will use that data.

One rule mandates that developers must “obtain adequate consent from people before using any Facebook technology that allows us to collect and process data about them, including for example, our SDKs and browser pixels,” according to the company Developer’s policy.

However, the Cambridge Analytica incident shows that third-party app developers, such as Kogan, can easily lie about their intents for collecting data – raising questions about Facebook’s ability to enforce data protection policies. “Facebook needs to do a better job ascertaining how data is used, but it’s almost impossible to control where data goes,” SecureMySocial’s Steinberg said.

For instance, Steinberg said, companies could exist who are being sold data in a similar manner from third party app developers – and then using that data for malicious intent – such as fielding their Facebook data for potential passwords (ie a mother’s maiden name). “[Facebook is] saying it’s not a breach, but what if instead of Cambridge Analytica that data had been sold to criminals?”

Another issue is that the company’s default privacy settings on the app automatically shares users’ data – including their email address and public profile – with the apps they interact with.

While users can protect themselves by checking their app settings and customizing what they share with apps, many are unaware that this is the case, said Gebhard.

“Users shouldn’t have to do this, they shouldn’t be settings experts and they deserve so much better.” said Gebhart. “It’s ludicrous – the defaults are terrible, and they serve the business, but not the end users. As long as the defaults confusing and complex, you can’t say that users were informed.”

Some regulations exist to attempt to regulate social media providers’ control over end user data, including a 2011 consent decree mandates that users should be notified that they explicitly gave consent that data is shared beyond the privacy settings that were established. According to reports, the US Federal Trade Commission is currently investigating whether Facebook broke these rules.

However, many social media platforms are still new enough where the government, end users, and social media platforms themselves have an adequate understanding of how to protect data privacy – and what are considered ethical practices when it comes to data security.

“In our era we now have a new model that is unprecedented in human history,” said Steinberg. “When social media is this new, it’s a problem, because it’s hard to educate people about the risks and what they can do.”

Categories: Facebook, Privacy, Web Security

Comments (7)

  1. Rajan Vayakkattil
    2

    It isn’t just Facebook, but any platforms, apps with permissions to use personal data are vulnerable to such a problem

    Reply
  2. David Westerling
    3

    How is this a scandal or a breach? Simply put..Facebook and other platforms like it survive monetarily… no they aren’t free and never have been like most think.
    Stop calling it hacked, breached and all this other BS..
    I just a barely graduated high school some 30+ yrs ago I deleted my account some 4+ yrs ago because I was able to read between the lines.
    Wasn’t then and isn’t now a secret that they sell your data to the highest bidder.
    Then again, I feel most Facebook users live in LaLa land and “sheep”.

    Reply
  3. Anonoman2018
    4

    Facebook wasnt vulnerable, they handed the data over. I dont see how people are upset. it basically states they own anything you post on their site. You are posting your information on a site that is accessible by the public. you cannot get upset if that data can then be seen by the public. no different than putting a sign on your front door that says “I love trump” and getting upset that somehow people found out you love trump.

    Reply
    • Anonymous
      5

      Facebook allowed a third party app to do data mining on people who wasn’t aware of it. If your data is accessed through a friend who agreed to it but you didn’t what good does an agreement make? Do you care that little about privacy? Yes information is public but only selected information…

      Reply
  4. David S
    6

    We are witnessing an epic collapse of Facebook’s brand image. Does anyone think more highly of FB now than they did a few weeks ago. Social Media is fickle, once you loose the coolness factor there is no getting it back. Good-buy Zuck…

    Reply
  5. Raul Dhruva
    7

    Great Article.It is really helpful for getting in depth knowledge about this recent data privacy issue. In addition to this we have also published one blog regarding how we can avoid such vulnerability of our account.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>