Another month, another set of Facebook privacy scandals.
The one most people heard about – because it made leading news stories across the globe – involved the hack that exposed the personal information of 50 million Facebook user accounts. Much of which no doubt is now up for sale on the dark web.
A New York Times storysaid: "Three software flaws in Facebook's systems allowed hackers to break into user accounts, including those of the top executives Mark Zuckerberg and Sheryl Sandberg, according to two people familiar with the investigation but not allowed to discuss it publicly."
This is the largest breach in the history of Facebook, which has spent the past year apologising for various breaches, including the whole Cambridge Analytica mess, and for poor content management decisions exposed by a Channel Four investigation that looked at how the company and its subcontractors deal with offensive and disturbing content in Dublin.
It’s appalling, and on every level is a reminder of just how exposed we become in using social media sites. The serious social media issue isn’t that poorly considered drunken photo – it’s all your personal data for sale on the dark web.
Zuckerberg’s response to the breach, in a conference call with reporters, was ridiculous.
“We’re taking it really seriously,” he stated. Well, 50 million of us are glad to know it is considered a “serious” breach. He added: “I’m glad we found this, but it definitely is an issue that this happened in the first place.”
What?! “I’m glad we found this.” Glad? Zuck, try, “appalled”, “disturbed”, “alarmed”, perhaps? It’s “definitely an issue”. An “issue”? We’re so definitely glad that it has registered as such. Good grief, who scripts these anodyne, unacceptably insubstantial responses to this company’s, ahem, largest ever data breach? Is this the pathetic best the chair and chief executive can do?
The case has now resulted in a formal enquiry by Facebook's EU regulator, Irish Data Protection Commissioner Helen Dixon. The regulator's office has said it was quickly informed of the breach by Facebook – a requirement under the EU's General Data Protection Regulation (GDPR) – but that the notification "lacked detail".
Her office also noted that it was believed perhaps 10 per cent of the total accounts involved EU individuals. But that’s still an extraordinary five million accounts.
Punishment
The case will be a test of Dixon's mettle. Will she – please? – opt for the full punitive punishment available under GDPR, a breathtaking fine of 4 per cent of global turnover? For Facebook, that would mean a payment of $1.6 billion (okay, so that's just an eighth of the cash sitting in the Apple/Ireland escrow account as part of the disputed EU tax ruling, but it's still a lot of money).
Given every other appalling thing security- and privacy-wise that has happened with this company, just in the past 24 months, it’s hard to see how anything less would be adequately stringent.
That’s especially the case given that there was another Facebook scandal last week that received less public attention, but dovetails in a disturbing way on both privacy and security fronts with the data breach.
That’s a report from researchers, which indicates Facebook has been letting advertisers target individuals on Facebook with ads, using the phone numbers Facebook gains from users who sign up for the added security of two-factor authentication (where Facebook sends a text to your mobile so you can confirm a log-in).*
They have been doing this, without making this clear when you sign up for this important added layer of account security. Or even if you never gave them your number for this security feature, but Facebook instead got it from the contacts list of one of your friends (via a so-called "shadow contact").
This is yet more evidence of how jaw-droppingly obnoxious and cavalier the company is on both security and privacy fronts. A phone number is a highly personal identifier connected to an individual, of great value to marketers, data brokers and hackers.
To get phone numbers and use them for revenue generation, on the basis of a security programme many likely signed up for in the immediate wake of all the recent security breaches is infuriatingly exploitative. So is using phone numbers gained indirectly, from contacts, without our knowledge.
Then, to not clearly disclose such use when suggesting users sign up for two-factor authentication, failing to notify individuals that their number has been obtained through a contact, or give individuals any ability to turn off such use of their number?
Surely this is an egregious violation of GDPR. Secretive acquisition of the highest category of personal data, no transparency regarding phone number use on two-factor security, no default opt out.
Facebook deserves to be hit with every single cent of that $1.6 billion fine.
*This article was edited on October 5th