Whether Facebook will face regulatory sanction over its latest historic, massive privacy failure is unclear. But the timeline of the incident looks increasingly awkward for the tech giant.
While it initially sought to downplay the data breach revelations published by Business Insider over the weekend by suggesting that information such as people's birthdates and phone numbers was "old", in a blog post late yesterday the tech giant finally admitted that the data in question had indeed been scraped from its platform by malicious actors "in 2019" and "prior to September 2019".
This new detail on the timing of the incident raises the question of compliance with the European General Data Protection Regulation (GDPR), which came into force in May 2018.
Under the EU regulation, data controllers can face fines of up to 2% of their global annual turnover for failing to notify breaches, and up to 4% of global annual turnover for more serious compliance violations.
The European framework matters because Facebook indemnified itself against historic privacy concerns in the United States when it settled with the FTC for $5 billion in July 2019, although that still leaves a period of months (June to September 2019) which could fall outside that settlement.
Yesterday, in its own statement responding to the breach revelations, Facebook's lead data protection supervisor in the EU said it was not entirely clear where the newly published dataset came from, writing that it "seems to include the original 2018 (pre-GDPR) dataset", referring to an earlier breach incident that Facebook disclosed in 2018, related to a vulnerability in its phone lookup feature, which the company said occurred between June 2017 and April 2018. But the regulator also wrote that the newly published dataset appeared to have been "combined with additional records, which may be from a later period".
Facebook followed the Irish Data Protection Commission (DPC) statement by confirming that suspicion, admitting that data had been pulled from its platform in 2019, up to September of that year.
Another new detail that surfaced in Facebook's blog post yesterday was that the user data was scraped not through the aforementioned phone lookup vulnerability but through another method: a vulnerability in its contact importer tool.
This route allowed an unknown number of "bad actors" to use software to mimic the Facebook app and upload large sets of phone numbers to see which ones matched Facebook users.
In this way a spammer (for example) could upload a database of candidate phone numbers and link them not only to names but to other data such as date of birth, email address and location, the better to phish people with.
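To make that scraping route concrete, the following is an added example, not Facebook's code and not part of the original article: a constructed simulation of a contact-matching endpoint that accepts a batch of phone numbers and returns which ones belong to users, with an attacker-side loop that feeds it an entire number range, beside a hardened version of the same endpoint. The user records, phone numbers, batch cap, daily quota, the "sequential batch" heuristic and the per-profile lookup setting are all assumptions made for illustration.

```python
"""Added example (not Facebook's code): a constructed simulation of phone-number
enumeration through a contact-import style matching API, beside a hardened
version of the same API. All accounts, numbers and limits are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    birthday: str
    # Who may find this profile by phone number. "everyone" stands in for a
    # permissive default; "friends" means strangers get no match at all.
    phone_lookup: str = "everyone"


# Constructed sample user base keyed by E.164 number (assumed data).
USERS = {
    "+15550000123": Profile("Alice Example", "1990-01-02"),
    "+15550000457": Profile("Bob Example", "1985-06-07"),
    "+15550000999": Profile("Carol Example", "1978-11-23", "friends"),
}


def naive_match(client_id, phones):
    """Unprotected matcher: any caller, any batch size, a full profile per hit,
    and the per-profile lookup setting is never consulted."""
    return {p: USERS[p] for p in phones if p in USERS}


def enumerate_range(match_fn, client_id, prefix, start, stop, batch=500):
    """Attacker side: generate every number in a range and upload it in batches,
    pretending to be an app syncing an address book."""
    nums = [f"{prefix}{n:04d}" for n in range(start, stop)]
    found = {}
    for i in range(0, len(nums), batch):
        found.update(match_fn(client_id, nums[i:i + batch]))
    return found


class HardenedMatcher:
    MAX_BATCH = 100        # assumed cap on numbers per request
    DAILY_QUOTA = 1000     # assumed cap on numbers per client per day
    MAX_SEQ_RATIO = 0.5    # real address books are not numerically contiguous

    def __init__(self):
        self.used = defaultdict(int)
        self.blocked = set()

    @staticmethod
    def sequential_ratio(phones):
        """Fraction of numbers whose predecessor (n - 1) is also in the batch."""
        ints = {int(p.lstrip("+")) for p in phones}
        return sum(1 for n in ints if n - 1 in ints) / max(len(ints), 1)

    def match(self, client_id, phones):
        if client_id in self.blocked:
            raise PermissionError("client blocked for enumeration")
        if len(phones) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if self.used[client_id] + len(phones) > self.DAILY_QUOTA:
            raise PermissionError("daily quota exceeded")
        if self.sequential_ratio(phones) > self.MAX_SEQ_RATIO:
            self.blocked.add(client_id)
            raise PermissionError("batch looks like a number range, not a contact list")
        self.used[client_id] += len(phones)
        # Only profiles that opted into lookup by everyone, and only the field the
        # feature needs (a name to show "X is on the service"), not birthdays etc.
        return {p: USERS[p].name for p in phones
                if p in USERS and USERS[p].phone_lookup == "everyone"}


def demo():
    """Run the same enumeration against both endpoints and summarize the result."""
    harvested = enumerate_range(naive_match, "scraper", "+1555000", 0, 1000)
    hardened = HardenedMatcher()
    try:
        enumerate_range(hardened.match, "scraper", "+1555000", 0, 1000, batch=100)
        outcome = "allowed"
    except PermissionError as exc:
        outcome = str(exc)
    # A legitimate sync: a small, non-contiguous address book from another client.
    legit = hardened.match("phone-app", ["+15550000123", "+15550000999", "+15559998877"])
    return {"naive_hits": len(harvested), "naive_has_carol": "+15550000999" in harvested,
            "hardened_outcome": outcome, "legit_hits": legit}


if __name__ == "__main__":
    print(demo())
```

Against the naive endpoint the range sweep recovers every account in the block, including the one whose owner restricted lookup to friends, because nothing on the server ever checks that setting. The hardened version rejects the very first batch (a contiguous number range looks nothing like an address book), caps how much any one client can query per day, honours the lookup setting, and returns only the field the feature needs. None of this requires knowing the attacker's tooling; it only requires treating a bulk phone-number lookup as the enumeration oracle it is.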
In its PR response to the breach, Facebook was quick to claim that it fixed this vulnerability in August 2019. But, again, that timing places the incident squarely within the period in which the GDPR applied.
As a reminder, the European data protection framework includes a data breach notification regime which requires data controllers to notify a competent supervisory authority if they believe a loss of personal data is likely to pose a risk to users' rights and freedoms, and to do so without undue delay (ideally within 72 hours of becoming aware of it).
Yet Facebook made no disclosure of this incident to the DPC. Indeed, the regulator made clear yesterday that it had to proactively seek information from Facebook following the BI report. That is the opposite of how European lawmakers intended the regulation to work.
Data breaches, meanwhile, are broadly defined under the GDPR. A breach can mean that personal data is lost or stolen and/or accessed by unauthorized third parties. It can also cover deliberate or accidental action or inaction by a controller that exposes personal data.
The legal risk is likely the reason Facebook has carefully avoided describing this latest data protection failure, in which the personal information of more than half a billion users was posted for free download on an online forum, as a "breach".
And, indeed, why it has sought to downplay the significance of the leaked information by calling people's personal details "old data". (Even though few people regularly change their cell phone number, email address, full name or biographical details, and no one (legally) gets a new date of birth.)
Instead, its blog post refers to scraped data, and describes scraping as "a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums", tacitly implying that the personal information exposed through its contact importer tool was somehow public.
The self-serving suggestion Facebook is peddling here is that hundreds of millions of users both posted sensitive items like their cell phone numbers on their Facebook profiles and left the default settings on their accounts unchanged, thereby making this personal information "publicly available for scraping / no longer private / not covered by data protection law".
This argument is as obviously absurd as it is viciously hostile to the rights and privacy of individuals. It is also an argument that EU data protection regulators must quickly and definitively reject, or else be complicit in allowing Facebook to (ab)use its market power to torch the very fundamental rights that regulators exist to defend and enforce.
Even if some Facebook users affected by this breach had their information exposed through the contact importer tool because they had not changed Facebook's privacy-unfriendly defaults, that still raises key GDPR compliance questions, since the regulation also requires data controllers to properly secure personal data and to implement privacy by design and by default.
Facebook allowing hundreds of millions of accounts to have their information freely looted by spammers (or whoever) does not look like good security or privacy by default.
In short, it is the Cambridge Analytica scandal all over again.
Facebook carries on being terrible on privacy and data protection because it has been allowed to be so terrible in the past, and it presumably feels confident it can keep up this tactic because it faces relatively few regulatory penalties for an endless parade of data scandals. (A one-time $5 billion FTC fine for a business that generates more than $85 billion in annual revenue is just another cost of doing business.)
We asked Facebook why it had not informed the DPC about this 2019 breach in 2019, when it realized that people's information was once again being maliciously pulled from its platform, or, indeed, why it had not bothered to inform the affected Facebook users themselves, but the company declined to comment beyond what it said yesterday.
It then told us it would not comment on its communications with regulators.
Under the GDPR, if a breach poses a high risk to users' rights and freedoms, a controller is also required to notify those affected, the reasoning being that prompt notification of a threat can help individuals take steps to protect themselves from the risks that flow from their data being breached, such as fraud and identity theft.
Facebook also said yesterday that it does not plan to notify users.
Perhaps the company's branded "thumbs up" symbol would be more honestly rendered as a middle finger raised at everyone.