On the heels of reports that Facebook leveraged its users’ data in its relationships with other companies, researchers say that the tech space needs to re-assess the value of data as it relates to user privacy measures. However, they also said that users need to take steps themselves to safeguard their data.
A Tuesday NBC News report, detailing 4,000 newly-leaked Facebook emails, webchats, spreadsheets and meeting summaries from 2011 to 2015, found that Facebook has been using its user data as leverage in various relationships with other companies. That included rewarding some firms with extended user data access after they spent money advertising on its platform; as well as withholding user data from other companies that posed a competitive threat to the social media firm.
Researchers, for their part, said they aren’t surprised by this latest Facebook faux pas – but stressed that top tech firms need to re-evaluate the meaning of responsibly collecting and sharing data, and that user consent needs to be highlighted and prioritized in the future.
“Facebook is a company built on consuming customer data, and it’s no surprise that they’ve looked for ways to monetize that most valuable asset,” said Tim Erlin, vice president of product management and strategy at Tripwire, via email. He added that this begs the questions: “Should we be outraged that they’re selling our data, that they’re giving it to preferred partners unfairly, or that they’re talking about privacy publicly while behaving in opposition to that narrative?”
NBC News’ report reveals just how valuable user data is for companies looking to strike deals or solidify relationships.
In one example, the report showed that Facebook extended Amazon’s access to user data after the company spent money on advertising and partnered with it for the launch of the Fire phone. Another document showed Facebook officials pondering cutting data access from a messaging app that had become a rival.
But researchers said they aren’t shocked by the findings given Facebook’s track record when it comes to sharing data access to other companies since its Cambridge Analytica scandal in March 2018 first brought data sharing to the forefront.
“The only surprise here is that anyone is surprised by this,” Paul Bischoff, privacy advocate with Comparitech.com, told Threatpost. “Facebook’s primary source of income is advertising, and online advertising relies heavily on user data. Facebook profits from its user’s personal data, who in return get to use the social network for free. The issue is not whether Facebook shared or sold user data, but whether it got proper consent to do so from users.”
Stephen Cox, vice president and chief security architect at SecureAuth, told Threatpost that the explosion of data has spiraled out of control; and at this point, organizations need to begin limiting the number of people that have access to it.
“When data is collected, it must be used responsibly,” he said. “Developers, marketing employees and executives want to collect as much data as possible because it can used to improve user experience, but once collected data is often analyzed, shared, sold or used at a company’s discretion.”
That type of responsibility when it comes to collecting and sharing data has seemed to evade Facebook: as recently as December, the social media giant acknowledged that it had struck broad data-sharing partnerships with more than 150 companies, including Apple, Amazon and Netflix, exempting them from its normal data privacy terms and conditions.
Also in December, internal documents showed the social media giant promoting – and trying to keep secret – the collection of call logs and texts for Android app users; and the Italian Competition Authority (ICA) found that Facebook violated several articles of the statute by misleading consumers about how their data would be used (The company was hit with two fines in response).
This most recent report may just be more of the same type of data-sharing behavior by Facebook, but researchers said that, moving forward, users also have responsibility for taking note of what kind of data is being collected by the social-media company when Facebook and apps on the platform ask for permissions to collect data.
“There’s a special kind of cognitive dissonance that occurs with Facebook users, where we implicitly understand that we’re providing value to Facebook through our personal data, but simultaneously fail to grasp the privacy implications of doing so,” said Erlin. “It’s unclear what it will take for users to change their perception of Facebook in this regard.”
In the very least, data privacy is at the forefront of the conversation within the government: When Facebook CEO Mark Zuckerberg appeared before Congress in April 2018, for instance, politicians stressed the need for regulation to secure end users’ data privacy on social-media platforms.
Currently, a Federal Trade Commission consent decree from 2011 requires the social network to receive explicit permission from users in regards to sharing their data with third parties. The FTC in March announced it is launching an investigation into Facebook’s data-privacy practices after the Cambridge Analytica scandal. Facebook could rack up fines totaling $40,000 per violation if found guilty.
But in the meantime, Facebook and other data-chugging platforms continue to post a privacy and security risk to their users until the conversation about responsibly maintaining data is had, said Cox: “The more people who have access to data that is available, the more likely that bad actors will obtain it through a data breach, or that it will be used improperly,” he said. “Less data collected will reduce the threat surface – and reduce abuse.”
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.