
The breachbook chronicles: FAQ on Facebook’s latest privacy debacle

In certain circles, news of fresh incidents involving Facebook’s mishandling of data has become at once increasingly mundane and painful. At Access Now, in an open letter we sent to Facebook CEO Mark Zuckerberg earlier this year, we were already noting the frequency of the breaches, observing, “[o]nce again, Facebook is making headlines for its disregard of users’ privacy and the protection of personal data.”

The most recent incident is different from the “typical” Facebook breach. On September 28, Facebook announced that hacking resulted in access to at least 50 million accounts. The data privacy of another 40 million users may have also been implicated. The company logged users out of all 90 million active sessions for security purposes (you have an “active session” when you’re logged in to Facebook, whether or not you’re currently using the service).

This wasn’t Facebook yet again changing its privacy settings, and it didn’t happen because the company failed to conduct due diligence on the data uses of third-party app providers. Instead, by exploiting several vulnerabilities, bad actors were able to gain access to and full control of users’ accounts, including full access to private messages and hidden photos, among other things.

This is the kind of breach that you read about in dystopian fiction, not what you expect to happen to you. In fact, it’s exactly the type of breach Facebook officials were so adamant in insisting did not take place in the incident involving Cambridge Analytica. We still don’t know exactly what the impact will be, but the implications for our data privacy are huge. As we wait in the dark for more information, we have to face the fact that it’s entirely possible that millions of us have had some of the most private information about our lives compromised for the purpose of exploitation and abuse.

What we know so far

On September 25, Facebook’s engineering team discovered the security breach affecting almost 50 million accounts. Unknown attackers, about whom we still know nothing, exploited vulnerabilities related to Facebook’s “View As” feature. This feature let you see exactly what your profile looked like to another specific user. So if you wanted to see what your sister saw when she visited your profile, you would click on “View As,” select her account, and you would see your page as she would see it through her log-in.

Exploiting the vulnerabilities in this feature let third parties gain access to session “tokens,” and this let them take over people’s accounts. Note that the token appears to have provided direct access, so the third parties did not need, and reportedly did not have, access to any user passwords. That is also why changing your password was not necessary to recover from the breach: the token, not the password, was the credential that was stolen.

Facebook announced that the company fixed the vulnerabilities and then reset the access token for the 50 million accounts with compromised tokens, and as an additional precaution, also reset the token for an additional 40 million potentially implicated accounts. As of now, the company is still investigating the breach and has not said whether, or to what extent, people’s personal information was accessed.
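As an added illustration of why a stolen session token authenticates without the password, why changing the password alone does not shut it out, and why the server-side token reset Facebook describes is the actual remedy, here is a small Python sketch of a bearer-token session store. It is example code written for this page, not Facebook’s implementation; every class and method name in it is hypothetical, and it also models the third-party app credentials that hang off a session, which is why those had to be reset too.

```python
import hashlib
import secrets

# Added example (not Facebook's code): a minimal server-side bearer-token
# session store. It models three facts the post states about the breach:
# a stolen session token authenticates without the password, changing the
# password alone does not invalidate a token already issued, and the effective
# remedy is the server revoking every outstanding token for the affected
# accounts (including any third-party app grants derived from those sessions).
# All class and method names here are hypothetical.


class SessionStore:
    def __init__(self):
        self._users = {}       # user_id -> (salt, password hash)
        self._sessions = {}    # hash(token) -> {"user": ..., "revoked": bool}
        self._app_grants = {}  # hash(grant) -> {"user": ..., "app": ..., "revoked": bool}

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        # Store only a digest of the bearer token, so a leaked session table
        # does not directly yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash_password(password, salt))

    def login(self, user_id, password):
        """The password is checked only here; the returned token is a bearer credential."""
        record = self._users.get(user_id)
        if record is None:
            return None
        salt, stored = record
        if not secrets.compare_digest(stored, self._hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user_id, "revoked": False}
        return token

    def whoami(self, token):
        """Resolve a bearer token to a user: no password is involved, only the token."""
        entry = self._sessions.get(self._key(token))
        if entry is None or entry["revoked"]:
            return None
        return entry["user"]

    def grant_app(self, session_token, app_name):
        """Issue a third-party app credential on behalf of the session's user."""
        user = self.whoami(session_token)
        if user is None:
            return None
        grant = secrets.token_urlsafe(32)
        self._app_grants[self._key(grant)] = {"user": user, "app": app_name, "revoked": False}
        return grant

    def app_user(self, grant_token):
        """Resolve an app credential to (user, app), or None if unknown or revoked."""
        entry = self._app_grants.get(self._key(grant_token))
        if entry is None or entry["revoked"]:
            return None
        return entry["user"], entry["app"]

    def change_password(self, user_id, new_password):
        """Rotates the password only; deliberately leaves sessions alone to show the gap."""
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash_password(new_password, salt))

    def revoke_all(self, user_id):
        """Server-side token reset for one account: the remedy the post describes.
        Returns the number of credentials invalidated."""
        count = 0
        for table in (self._sessions, self._app_grants):
            for entry in table.values():
                if entry["user"] == user_id and not entry["revoked"]:
                    entry["revoked"] = True
                    count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    token = store.login("alice", "correct horse battery staple")
    grant = store.grant_app(token, "music-app")
    store.change_password("alice", "a new password")
    print("token still valid after password change:", store.whoami(token) == "alice")
    print("credentials revoked:", store.revoke_all("alice"))
    print("token valid after revocation:", store.whoami(token) is not None)
    print("app grant valid after revocation:", store.app_user(grant) is not None)
```

The design point is that a bearer token is a standalone credential: once it leaves the server, nothing about the password protects it, so the only lever the operator has is to stop honouring it. Revoking every token for the affected accounts (which is what logging all 90 million sessions out amounts to) is the correct response, and it is also why the revocation has to reach credentials issued to third-party apps on the strength of those sessions.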

The biggest Facebook breach

The 90 million users affected represent 4.5% of Facebook’s total population. That makes it the largest security incident of this kind for Facebook.

Were you affected? Here’s how you tell. If you had an active session that you were logged out of, and you had to re-enter your password to get back in, you were either one of the 50 million users known to have had tokens compromised, or one of the 40 million also implicated in the attack.

You could also be a victim if you got an alert at the top of your screen when you logged in to Facebook after the attack. This alert was shown to all 90 million affected users (below is a screenshot of the alert, which Facebook published on a blog post about the incident).

We are not sure where geographically people have been affected, but we have heard reports from the U.K., France, the U.S., India, and Peru, and Facebook has committed to providing a geographic overview of the accounts affected. And we do know that around 5 million of the 90 million affected accounts belong to Facebook users in Europe.

If you were among those affected, what does Facebook say you should do?

Not enough.

When Facebook revealed the breach, the company said those affected did not need to change their passwords and could just reconnect to their account. Since then, Facebook hasn’t shared any further information on the impact of the breach or what data the attacker/s may have accessed. It’s likely that the company itself doesn’t yet have this information.

Facebook was exceptionally quick to notify users about the breach, and an in-depth investigation into the issue would take time. However, even this early in the process of handling the breach, there have been some notable stumbles.

First, the “notice” that impacted, or potentially impacted, users saw at the top of their newsfeed didn’t actually notify users of anything at all. Let’s take a look at that again. Here’s what it said:

“Your privacy and security are very important to us. We want to let you know about recent action we’ve taken to secure your account.”

The message is followed by a “learn more” button that takes you to another page providing a bit more context on the breach and recommending that you monitor apps linked to your Facebook account.

This notification does not tell you that you specifically were impacted or potentially impacted by the breach. It just says that an incident occurred, and that’s something you might easily confuse with a generic “FYI” for all Facebook users, not a specific notice telling you that you were affected.

But more important is the fact that neither the notice nor the blog post that it links to gives you any information for figuring out whether you specifically have suffered any damage from the breach. Even if Facebook isn’t sure yet what, if any, of an individual’s information has been compromised, it might have been helpful to advise people to review the information they have in their accounts. As the old adage says, it’s smart to “hope for the best but prepare for the worst.” That should be applied here from the perspective of the impacted users.

If your bank information were compromised, you would probably know exactly what to do to limit the potential harm. However, let’s consider a situation where there is limited risk of financial harm and “bracing” yourself for a potential hit to your personal life is the only thing you can do. That too would be a failure in a situation like this. There are often few paths to remedy when the damage is not monetary. It’s long past time that companies like Facebook, along with governments, academics, and civil society organizations, invest in research to find solutions when people are victimized like this.

Which leads us to the next point…

You use Facebook to connect to lots of other apps and services. Are you safe?

Many of us use Facebook to log in to other sites and apps, including Tinder, Spotify, Instagram, Airbnb, and a ton of others. These apps, just like Facebook, store a large amount of personal information, from pictures to messages to even your bank account details. If your Facebook account is compromised, and a hacker gains access to all these other services, the privacy, security, and financial impact of the breach would rapidly multiply.

Following the breach, Facebook said there is “no evidence” so far to suggest that the attackers accessed any third-party apps on the platform. But since we still don’t know whether they did or not, you may want to examine what services are linked to your account. The full list can be found in the “Apps and Websites” section of your Facebook settings.

At least some of the people impacted by the breach had access to all of their third-party apps “expire,” and they had to renew these session tokens as well.

It would be smart to check on the status of your app and website log-ins. However, since the onus should not be entirely on you, Facebook could (and should) make this kind of check-in easier by pushing impacted users to this screen when they next log in.

Looking at the bigger picture, there are systemic issues with protecting yourself and recovering from a breach. Facebook and other technology platforms have to invest more in making their privacy and security settings easier to access, understand, and use. Even those of us who are seasoned privacy “experts” have trouble navigating the complicated web of menus and sub-menus for managing access and control of data. Given the investment companies already make in making their services user-friendly, it should be much easier to figure out what to do when your goal is to protect yourself.

Is Facebook being held to account for this breach? Is anyone investigating?

Yes, data protection authorities in the European Union are looking into this. In the E.U., Facebook is subject to the General Data Protection Regulation (GDPR). The GDPR requires companies like Facebook to comply with a series of obligations to protect people’s information, such as ensuring a high standard of data security and reporting data breaches to a data protection authority (DPA) within 72 hours after they are discovered.

Facebook did notify the Irish Data Protection Commission (DPC) within this time frame, and the DPC has opened a formal investigation. If Facebook is found not to have complied with its legal obligations under the GDPR, the company faces a maximum fine of up to 4% of annual global revenue. For Facebook, that is $1.63 billion (USD). How much it could be fined depends on the extent to which the company cooperates with the DPC, how diligent Facebook is with its obligations, and whether or not past data protection violations are taken into consideration. So far, Facebook seems to have taken all the proper steps required after a breach. But as we explain above, its notification to users was poor, and Facebook’s long list of privacy and security scandals may complicate the issue.

The bottom line: after the biggest breach, it’s time for the biggest privacy-by-design rethink

As we have said before, if you can’t protect it, don’t collect it. Now, perhaps more than ever, people are beginning to understand that data protection matters for human rights and the health of our societies and democracies. In the past, companies like Facebook have appeared to move ahead with business as usual after data breaches and privacy scandals. A few companies also choose not to disclose data breaches at all. Such is the case with the recently revealed breach at Google, which the company reportedly chose not to make public in order “to avoid public scrutiny of how it handles user information.” Attacks and breaches like this will keep happening, and yes, people need to know about them. There are signs we are becoming less numb to the impact. If the prevalent business model is to profit from the collection and analysis of massive amounts of our personal data, it’s time to innovate and invest in alternative business models.

Facebook’s scandal involving Cambridge Analytica allowed for the profiling and targeting of U.S. voters. As a result, Facebook was fined the highest possible amount under U.K. law by the data protection authority. Multiple investigations continue in the E.U. and in the U.S.

But, lest we forget, that was not the only recent Facebook scandal. There was the Facebook “bug” that changed the default settings of up to 14 million users, making their posts public to the whole world without their knowledge. More recently, Facebook was forced to admit that when users supplied their phone numbers for security purposes, in some cases they were also used for targeted ads. Notably, such a practice is likely unlawful under the GDPR, since it contradicts the concept of purpose limitation (where data are to be used for a specific, defined reason). There are also live legal challenges in the E.U. over possible “forced consent” to Facebook policies, among other dubious privacy practices.

Note: all of this has happened in only the past six months.

To regain users’ trust, Facebook needs to become a platform worthy of it. What we recommend above in the wake of the latest data breach is only a temporary bandage, when it is clear the patient is ill. After the Cambridge Analytica scandal broke, we asked Facebook to commit to a global independent audit of its data and security practices. We reaffirm that request today. Unless Facebook makes a comprehensive reassessment of its behavior and changes the “collect it all” data practices that harm our rights, the harm will be too big for anyone to ignore.