The hackers made off with data from 14 million users, including profile information such as birth dates, employment and education history, religious preference, types of devices used, pages followed, recent searches and location check-ins. Another 15 million users had their names and contact details accessed. Facebook revealed that the attackers accessed posts and friend lists of an additional 400,000 users.
In what was cold comfort, Facebook commented that the hackers did not access personal messages, nor did they manage to hack information related to financial transactions.
This time the hackers exploited Facebook’s ‘View As’ feature, which had three different vulnerabilities that allowed hackers to both post to and browse the accounts of users.
Facebook faced the ire of more than just congressional authorities in the United States over the breach, which had been ongoing since July 2017. The Irish data protection commissioner opened an investigation into the breach. Authorities in other jurisdictions, including the U.S. states of Connecticut and New York, also looked into the attack, as did Japan’s Personal Information Protection Commission (JPPC).
Commenting on the attack, Zuckerberg said, “I feel like we’ve let people down and that feels terrible, but it goes back to this notion that we shouldn’t be making the same mistake multiple times.” However, the fact of the matter is that Facebook seems to be making the same mistakes again and again when it comes to both privacy and data security.
Enter Facebook Portal
In early October, Facebook announced the launch of its Portal device. The device harnesses the company’s messaging system to allow users (amongst other functionality) to make high-quality video calls. Facebook was adamant that no data would be collected through Portal. Not even call log data or app usage data, like the fact that you listened to Spotify, would be used to target users with ads on Facebook, said a spokesperson at the launch. Reporters were skeptical given Facebook’s checkered record when it comes to privacy issues.
They were right not to take that statement at face value. Their cynicism was rewarded when Facebook clarified its stance by announcing that although Portal doesn’t have ads, it will gather data about who you call and data about which apps you use on Portal. That data can be used to target you with ads on other Facebook-owned properties.
A spokesperson said, “Portal voice calling is built on the Messenger infrastructure, so when you make a video call on Portal, we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices.”
When a company is not even sure of its own messaging on a subject like privacy, especially with a track record like Facebook’s, users have every reason to get anxious. This is especially true given that Facebook announced that it had even further plans for living rooms across the globe. A project codenamed Ripley is in the pipeline: a camera that you plug into your TV to turn it into a ‘mega Portal.’ Facebook’s claim that Portal is “private by design” is in tatters. Consumers who were excited about Portal may now be slightly more apprehensive.
The bad news keeps coming
Facebook executives might have been cautiously confident that they could make it to the end of 2018 without further privacy-related incidents. However, that was not to be.
On December 14, the company announced that a bug may have allowed third-party apps to access and download 6.8 million private images from users’ accounts, even if the images were not publicly posted. The vulnerability occurred over a 12-day period in September of 2018.
Facebook commented on their blog that because of the bug, roughly 1,500 apps could access “a broader set of photos than usual.” It’s worth noting that Facebook allows apps by third-party developers to obtain users’ permission and access photos shared on their timeline.
Marc Rotenberg, the executive director of the Electronic Privacy Information Center, commented, “It’s stunning that Facebook has the ability to send user photos to third parties when the user has not fully uploaded the photo … It’s like a provider sending draft emails.”
More to come?
It’s been a bad year for Facebook, and a worse one for its users. However, many of the problems at the social media company are systemic, the product of its own attitude to harnessing users’ data to run targeted ad campaigns. The company is the custodian of vast amounts of this data, and it provides that to third parties. The problems experienced by Facebook are largely self-inflicted and the direct result of its business model. That isn’t going to change anytime soon. However, regulators (as well as lawmakers) in the United States and in the European Union are rapidly losing faith and patience with Facebook. It is only a matter of time before they take action, and that could be very bad news for Zuckerberg and co.