Facebook’s tardy disclosure of breach timing raises GDPR compliance questions

Natasha Lomas
Senior Reporter, TechCrunch
April 7, 2021
Facebook Data Privacy Concerns and Potential Regulatory Action

The possibility of regulatory penalties for Facebook concerning a recently revealed, large-scale historical privacy lapse remains uncertain. However, the sequence of events surrounding the incident appears increasingly problematic for the technology corporation.

Initial Response and Timeline

Initially, Facebook attempted to minimize the significance of the data breach disclosures published by Business Insider, suggesting that details such as birth dates and phone numbers were “outdated”. However, in a blog post released late yesterday, the company acknowledged that the data had, in fact, been scraped from its platform by unauthorized parties “in 2019” and “before September 2019”.

This revised timeline is significant as it raises questions regarding adherence to Europe’s General Data Protection Regulation (GDPR), which became enforceable in May 2018.

GDPR Implications and Potential Fines

According to EU regulations, data controllers may face financial penalties of up to 2% of their total global annual revenue for failing to report data breaches. More severe compliance violations could result in fines reaching up to 4% of annual turnover.

The European framework is particularly relevant because Facebook previously reached a settlement with the FTC for $5 billion in July 2019, covering historical privacy issues in the US. Nevertheless, a period of several months – from June to September 2019 – remains potentially outside the scope of that settlement.

Conflicting Statements and Data Origin

In a statement responding to the breach reports, Facebook’s primary data supervisor in the EU indicated uncertainty regarding the dataset’s origin. They suggested it “appears to consist of the original 2018 (pre-GDPR) dataset” – referencing a prior breach disclosed in 2018 related to a phone lookup vulnerability occurring between June 2017 and April 2018. However, the supervisor also noted the dataset seemed to include “additional records, potentially from a more recent period”.

Facebook subsequently confirmed this suspicion in its blog post, admitting the data was extracted from its platform in 2019, up to September of that year.

Method of Data Scraping

A further detail revealed in Facebook’s blog post was that the data wasn’t scraped through the previously known phone lookup vulnerability. Instead, it was obtained through a vulnerability in a contact importer tool.

This allowed malicious actors to utilize software mimicking Facebook’s application to upload extensive lists of phone numbers, identifying those associated with Facebook users.

Potential for Phishing and Data Enrichment

This method enabled malicious actors, such as spammers, to link phone numbers to additional user data like birth dates, email addresses, and locations, facilitating phishing attempts.
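The abuse described above is a bulk enumeration pattern: a contact importer legitimately receives one user’s address book and reports which entries belong to existing accounts, so an abuser who feeds it synthetic number lists stands out by volume, by the shape of the numbers, and by how few of them match. The following added example (not Facebook’s code) runs three such checks over constructed request logs; the log format, the field names and the thresholds are assumptions chosen for illustration and would need tuning against a real service’s baseline.

```python
"""Flag bulk phone-number enumeration through a contact-import endpoint.

Added example, not Facebook code. Heuristics applied per client over a window:
  1. total numbers uploaded far beyond any real address book,
  2. uploaded numbers forming dense consecutive runs (generated, not collected),
  3. a large upload with a near-zero match rate (guessing, not syncing).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Thresholds are assumptions for illustration; tune to the service's own baseline.
MAX_NUMBERS_PER_WINDOW = 5000   # a genuine address book is far smaller than this
MAX_SEQUENTIAL_FRACTION = 0.5   # share of numbers that follow their predecessor by 1
MIN_EXPECTED_MATCH_RATE = 0.05  # below this on a big upload looks like guessing
BIG_UPLOAD = 1000               # only judge match rate once there is enough data


@dataclass
class ClientStats:
    uploads: int = 0
    numbers_uploaded: int = 0
    numbers_matched: int = 0
    numbers: List[int] = field(default_factory=list)


def parse_log_line(line: str) -> Tuple[str, List[int], int]:
    """Parse one constructed log line (assumed format):
    'ts=<iso> client=<id> uploaded=<n1,n2,...> matched=<k>'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    numbers = [int(n) for n in fields["uploaded"].split(",") if n]
    return fields["client"], numbers, int(fields["matched"])


def aggregate(lines: Iterable[str]) -> Dict[str, ClientStats]:
    """Roll request logs up into per-client totals for the window."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in lines:
        client, numbers, matched = parse_log_line(line)
        s = stats[client]
        s.uploads += 1
        s.numbers_uploaded += len(numbers)
        s.numbers_matched += matched
        s.numbers.extend(numbers)
    return stats


def sequential_fraction(numbers: List[int]) -> float:
    """Fraction of adjacent (sorted, de-duplicated) numbers that differ by exactly 1.
    Address books are sparse; generated ranges approach 1.0."""
    ordered = sorted(set(numbers))
    if len(ordered) < 2:
        return 0.0
    runs = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return runs / (len(ordered) - 1)


def flag_clients(stats: Dict[str, ClientStats]) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for clients tripping any heuristic."""
    findings: Dict[str, List[str]] = {}
    for client, s in stats.items():
        reasons = []
        if s.numbers_uploaded > MAX_NUMBERS_PER_WINDOW:
            reasons.append(f"volume {s.numbers_uploaded} > {MAX_NUMBERS_PER_WINDOW}")
        seq = sequential_fraction(s.numbers)
        if seq > MAX_SEQUENTIAL_FRACTION:
            reasons.append(f"sequential fraction {seq:.2f}")
        rate = s.numbers_matched / s.numbers_uploaded if s.numbers_uploaded else 0.0
        if s.numbers_uploaded >= BIG_UPLOAD and rate < MIN_EXPECTED_MATCH_RATE:
            reasons.append(f"match rate {rate:.3f} on {s.numbers_uploaded} numbers")
        if reasons:
            findings[client] = reasons
    return findings


def build_sample_logs() -> List[str]:
    """Constructed logs (not real data): a normal sync, a large but genuine
    business address book, and an enumeration campaign in consecutive batches."""
    def line(ts: str, client: str, numbers: List[int], matched: int) -> str:
        return f"ts={ts} client={client} uploaded={','.join(map(str, numbers))} matched={matched}"

    logs = [
        line("2019-08-01T09:00:00Z", "user-alice",
             [4155551000 + 37 * i for i in range(40)], 12),
        line("2019-08-01T09:05:00Z", "user-bizdesk",
             [4155600000 + 97 * i for i in range(3000)], 1200),
    ]
    for b in range(6):  # six batches of 1000 consecutive numbers, almost nothing matches
        start = 4155000000 + 1000 * b
        logs.append(line(f"2019-08-01T10:0{b}:00Z", "scraper-01",
                         list(range(start, start + 1000)), 5))
    return logs


if __name__ == "__main__":
    for client, reasons in flag_clients(aggregate(build_sample_logs())).items():
        print(client, "->", "; ".join(reasons))
```

The match-rate check is deliberately gated on upload size so that a small address book from a region with few users is not penalized, and the large legitimate client passes because its numbers are sparse and mostly match; a real deployment would pair findings like these with per-client rate limits on the endpoint rather than relying on after-the-fact review alone.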

Facebook stated it addressed this vulnerability in August 2019. However, this timing places the incident within the active period of GDPR enforcement.

Data Breach Notification Requirements

The GDPR mandates that data controllers notify relevant supervisory authorities without undue delay – ideally within 72 hours – if a data loss is likely to pose a risk to users’ rights and freedoms.

Notably, Facebook made no disclosure of this incident to Ireland’s Data Protection Commission (DPC), its lead regulator in the EU. The DPC clarified yesterday that it had to actively request information from Facebook following Business Insider’s report, a deviation from how the regulation is meant to work.

Defining a Data Breach

Under GDPR, data breaches encompass a broad range of scenarios, including the loss, theft, or unauthorized access of personal data, as well as deliberate or accidental actions or inactions by a data controller that expose personal data.

Downplaying the Severity

The potential legal ramifications likely explain Facebook’s reluctance to characterize this data protection failure – involving the exposure of information from over half a billion users – as a ‘breach’. The company has also attempted to minimize the significance of the leaked information, referring to it as “old data”.

Although individuals rarely change their mobile numbers, email addresses, or biographical details, and a birth date never changes at all, Facebook continues to characterize the information as outdated.

Framing the Issue as Data Scraping

Facebook’s blog post frames the incident as “data scraping,” a common practice involving automated software to collect publicly available information from the internet. This implicitly suggests that the leaked data from the contact importer tool was somehow public.

A Questionable Argument

Facebook’s argument implies that hundreds of millions of users either published sensitive information on their Facebook profiles or maintained privacy-compromising default settings, rendering their data publicly available and exempt from data protection legislation.

This argument is demonstrably flawed and disregards individuals’ rights and privacy. EU data protection regulators must decisively reject it to prevent Facebook from exploiting its market dominance to undermine fundamental rights.

Compliance with Privacy by Design

Even if some users had their information exposed due to unchanged privacy settings, this still raises concerns about GDPR compliance, as the regulation also requires data controllers to adequately secure personal data and implement privacy by design and default.

Allowing hundreds of millions of accounts to have their information freely accessed by malicious actors does not reflect robust security measures or default privacy settings.

Echoes of the Cambridge Analytica Scandal

This situation bears striking similarities to the Cambridge Analytica scandal.

Facebook appears to be attempting to avoid accountability for its persistent privacy and data protection shortcomings, likely believing its past failures and limited regulatory consequences will allow it to continue these practices. A one-time $5 billion FTC fine represents a negligible expense for a company generating over $85 billion in annual revenue.

Lack of Transparency

We inquired with Facebook regarding its failure to notify the DPC about the 2019 breach when it became aware of the malicious data extraction, and why it hasn’t informed affected users. The company declined to provide further comment beyond its previous statement and refused to discuss its communications with regulators.

Notification Requirements for High-Risk Breaches

Under GDPR, if a breach poses a high risk to users’ rights and freedoms, data controllers are obligated to notify affected individuals, enabling them to take protective measures against potential risks like fraud and identity theft.

Facebook has stated it does not intend to notify users.

Perhaps the company’s signature ‘thumbs up’ symbol should be interpreted as a dismissive gesture towards everyone else.

Natasha Lomas

Natasha's Extensive Journalism Career

Natasha served as a senior reporter with TechCrunch for over twelve years, spanning from September 2012 to April 2025. Her reporting was conducted from a European base.

Prior to her time at TechCrunch, she gained experience reviewing smartphones for CNET UK. This followed a period of more than five years dedicated to business technology coverage.

Early Career at silicon.com

Natasha’s early career included a significant role at silicon.com, which was later integrated into TechRepublic. During this time, her focus encompassed several key areas.

  • Mobile and wireless technologies
  • Telecoms and networking infrastructure
  • Critical IT skills

She consistently delivered insightful reporting on these evolving technological landscapes.

Freelance Contributions

Beyond her staff positions, Natasha broadened her journalistic portfolio through freelance work. She contributed articles to prominent organizations such as The Guardian and the BBC.

Educational Background

Natasha’s academic credentials demonstrate a strong foundation in both humanities and journalism. She earned a First Class degree in English from Cambridge University.

Furthering her expertise, she completed a Master of Arts (MA) degree in journalism at Goldsmiths College, University of London. This advanced degree honed her skills in journalistic practice.
