Facebook Security: 2019 Year in Review
Facebook spent the past year trying to deal with both the consequences of the Cambridge Analytica scandal that rocked its public relations in 2018 and other issues afflicting the social media platform – from data security challenges to political misinformation campaigns. Following are the biggest Facebook security and privacy stories of 2019.
Facebook Privacy Breach: 100 Developers Improperly Accessed Data
In November, Facebook said that 100 third-party app developers improperly accessed the names and profile pictures of members in various Facebook groups – data that was restricted in 2018 by the platform after its Cambridge Analytica privacy snafu. Facebook said that the developers had improper access to the data through the Groups API, an interface between Facebook and third-party apps, where the app can integrate with a group if it has been authorized by the administrators.
Facebook Sues NSO Group Over Alleged WhatsApp Hack
In October, Facebook filed a lawsuit against Israeli company NSO Group, creator of the Pegasus spyware, alleging that it was behind the massive WhatsApp hack earlier in the year. In May 2019, a zero-day vulnerability was found in WhatsApp’s messaging platform, exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns. A new lawsuit by WhatsApp owner Facebook alleges that NSO Group developed the surveillance code and used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices.
Facebook Removed Tens of Thousands of Apps Post-Cambridge Analytica
On the heels of Cambridge Analytica, Facebook said it suspended tens of thousands of apps as part of its ongoing investigation into how third-party apps on its platform collect, handle and utilize users’ personal data. The apps, associated with about 400 developers, have either been suspended or banned completely. Facebook said that several of the apps in question have inappropriately shared data obtained from its platform, made data publicly available without protecting people’s identity or done something else “that was in clear violation of our policies.”
Facebook Records User Audio, Sparking Privacy Questions
After reports emerged, Facebook admitted that it was transcribing audio chats between its users on its Messenger platform. While Facebook confirmed that it had been transcribing users’ audio, it maintains that affected users chose to have their voice chats transcribed. In answering questions related to a Congressional probe last year, the company said that it “only accesses users’ microphone if the user has given our app permission and if they are actively using a specific feature that requires audio (like voice messaging features).” It also said that it is halting the program – which is meant to train its algorithm to be more accurate – to review the privacy implications.
Officials and Facebook Butt Heads Over Encrypted Messaging
In October, U.S. Attorney General William Barr and other government officials asked Facebook CEO Mark Zuckerberg to halt or at least delay a plan to add end-to-end encryption to its messaging services in an effort to bolster consumer privacy. The letter is in response to Zuckerberg’s “A Privacy-Focused Vision for Social Networking” which expressed clearly Facebook’s intention to ensure people can chat privately on the company’s messaging services, including Instagram and WhatsApp—the latter of which has 1.5 billion users worldwide.
FTC Fines Facebook $5 billion For Privacy Violations
On the heels of Cambridge Analytica, the Federal Trade Commission slapped a $5 billion fine on Facebook for privacy violations in July. While the fine may be the largest ever levied by the agency, lawmakers and privacy analysts derided the fine as “chump change” and ineffective. The fine came after the FTC in March 2018 announced it was launching an investigation into Facebook’s data-privacy practices on the heels of the Cambridge Analytica scandal.
Facebook Used User Data to Leverage Company Relationships
An April report, detailing 4,000 newly-leaked Facebook emails, webchats, spreadsheets and meeting summaries from 2011 to 2015, found that Facebook has been using its user data as leverage in various relationships with other companies. That included rewarding some firms with extended user data access after they spent money advertising on its platform, as well as withholding user data from other companies that posed a competitive threat to the social media firm.
Facebook Boots 74 Cybercrime Groups From Platform
Facebook in April booted more than 70 cybercrime groups off its platform that were peddling illicit services – from email spamming tools to stolen credentials and payment information sales – in plain sight. Researchers said a simple search on Facebook for keywords like “spam,” “CVV” or more returned results for a slew of groups carrying out these illegal services. In total, the groups had approximately 385,000 members – and some had been up on Facebook for as long as eight years, researchers said.
Facebook Data of Millions Exposed in Leaky Datasets
Hundreds of millions of Facebook records – including account names, personal data, and more – have been found in two separate publicly-exposed app datasets. The first publicly-exposed dataset originates from a Mexico-based media company, Cultura Colectiva, and contains over 540 million records including comments, likes, reactions, account names and more. The second publicly-exposed backup, from a Facebook-integrated app titled At the Pool, exposed plaintext app passwords for 22,000 users and other data. Both exposed databases have been secured, researchers said in April.
Facebook Stored Passwords in Plain Text For Years
Hundreds of millions of Facebook user passwords were discovered being stored in plain text for years, the social media giant acknowledged. KrebsOnSecurity, which first reported the news, said specifically that between 200 and 600 million passwords were stored in plain text as early as 2012, and were searchable by thousands of Facebook employees. Plain text means that the stored passwords are unencrypted, so they can be easily accessed and read by people who had access to Facebook’s internal data storage systems.