No 'likes' for Facebook leak, but it's no data breach—nor news

Facebook is accused of collecting and sharing far more information about its users than those same users understand. It’s come to light as part of the Cambridge Analytica brouhaha.

Politics aside, the mainstream media has “suddenly” realized that Facebook knows a heck of a lot about us. And they’re shocked (shocked!) to find that its OpenGraph API might reveal almost everything about everyone—to anyone. And security pros state clearly that it's not a data breach.

Of course, Techbeacon readers will have known about this for many years, right? Right? In this week’s Security Blogwatch, we #DeleteFacebook.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Russian Reversal

Delayed reaction on data privacy

What’s the craic? Dustin Volz and Munsif Vengattil put Facebook under pressure:

Privacy regulators are seeking a warrant to search the offices of … Cambridge Analytica … following reports that the company may have improperly gained access to data on 50 million Facebook users. … U.S. and European lawmakers demanded an explanation of how the consulting firm … gained access to the data.

[It] presents a new threat to Facebook’s reputation, which is already under attack over Russia’s alleged use of Facebook tools to sway U.S. voters. [And] Facebook was already facing calls … for regulation from the U.S. Congress after the reports … over the weekend.

It gets worse for Zuck: David McLaughlin, Ben Brody and Billy House have the FTC Probing Facebook for Use of Personal Data:

Facebook Inc. is drawing scrutiny from the main U.S. privacy watchdog and half a dozen powerful congressional committees. … The U.S. Federal Trade Commission is probing whether Facebook violated terms of a 2011 consent decree over its handling of personal user data … according to a person familiar with the matter.

Facebook said it would conduct staff-level briefings of six committees Tuesday and Wednesday. That includes [both] Judiciary Committees [and] the commerce and intelligence committees of both chambers.

The FTC is the lead U.S. agency for enforcing companies’ … own privacy policies and could fine the company into the millions of dollars. … Under the terms of the 2011 settlement, Facebook agreed to get user consent for certain changes to privacy settings as part of its resolution of federal charges that it deceived consumers and forced them to share more personal information than they intended.

The FTC … has the power to fine the company more than $40,000 a day per violation. … Facebook previously said in a statement it rejects "any suggestion of violation of the consent decree."

Plus ça change, plus c'est la même chose, n'est-ce pas? Not so long ago, Om Malik opined Facebook won’t ever change:

Facebook’s (much deserved) media nightmare continued this week. … Facebook is addicted to growth and engagement.

Facebook’s ultimate goal is to make it expensive to buy hyper-personalized advertising … and I am not surprised that Facebook is thinking about releasing touch screen smart speakers. It will be a great way to spy — sorry, I mean … bucket you for future ad targeting.

This helps keep the ARPU growing, which in turn means Facebook will keep making more money. … Money and obsession with growth and engagement are what makes Facebook go around.

That is embedded in its psyche, its DNA, and it will never change. … That’s why all of our angst and headlines are not going to change a damn thing.

Yep, the knives are really out now. Josh Constine speaks of Facebook’s endless string of worst-case scenarios:

Facebook … routinely ignores or downplays the worst-case scenarios, idealistically building products without the necessary safeguards, and then drags its feet to admit the extent of the problems. This … has led to its latest scandal.

Cambridge Analytica used an API designed to help people recommend relevant job openings to friends to purposefully harvest data that populated psychographic profiles of voters. … Facebook is responsible for its significant shortcomings. … Facebook knew about Cambridge Analytica’s data policy violations since at least August 2016.

Each time, Facebook built tools with rosy expectations, only to negligently leave the safety off and see worst-case scenarios arise. … Each scandal further proves it can’t police itself, inviting government regulation that could gum up its business.

Facebook’s can-do hacker culture … that asks for forgiveness instead of permission, is failing to scale to the responsibility of being a two-billion-user communications institution.

But do we really need meddling guv’mint regulators? Christian Kastner says it’s an interesting opportunity for the FTC:

The amount of data being amassed by Facebook, Google and others has become exorbitant. … If Facebook indeed violated the 2011 consent decree, then [it] presents the FTC with the opportunity to send a message to these data hoarders: protect the data you collect, or else.

It shouldn't be the government's job to ensure that the data gets protected, this should be in Facebook's own self interest.

I distinctly remember a quote from Mark Zuckerberg that "privacy is a concept from the past". Then, a couple of years later, I read that he bought the houses surrounding his house to ensure his own privacy.

First, Jonathan Stempel kills all the lawyers: [You’re fired—Ed.]

Facebook Inc and … Cambridge Analytica have been sued. … The proposed class-action complaint filed … by Lauren Price, a Maryland resident, is the first of what could be many.

The complaint was filed in the U.S. District Court in San Jose, California. … Facebook and Cambridge Analytica did not immediately respond … to requests for comment.

Price accused Facebook and … Cambridge Analytica of negligence and violating a California unfair competition law. … The complaint seeks unspecified damages, including possible punitive damages. … The case is Price v Facebook Inc et al, U.S. District Court, Northern District of California, No. 18-01732.

OK, but is this really news? David Gordon gins it up:

A couple of years or more ago I was posting on Facebook regarding [these] practices and was considered a tin-foil hat and crazy. … I knew exactly how we could utilize the Facebook API back then to elicit the kind of data we are talking about, and completely legally. … I did put together multiple PoCs from 2011 to 2014 to see what was possible, and it was bad.

Cambridge Analytica is just one small tip of a fractal iceberg whose body is Facebook and the big five, your internet connection and … your smartphone. … Google, Apple and Amazon are no less culpable.

And fortythirteen has been there, done that:

I was in meetings with FB almost 10 years ago, as the OpenGraph API was being implemented, where they were openly selling, to anyone willing to pay, exactly what [Cambridge Analytica] supposedly "hacked their way into".

So, no. Not really news. The appropriately monikered api explains:

People don't care about things like this until there are consequences.

Nobody cares about pollution until it impacts their health or destroys their property. Nobody cares about financial crime until it crashes the economy and costs them their job.

I think we're reaching the point where all these data mining honeypots we've built over the past 20 years are being used in ways that are nefarious enough that people are starting to care.

And it’s not just the public, according to SirGarlon:

As long as most of our legislators and regulators remain willfully ignorant, there will be no meaningful safeguards on privacy.

It's sleazy to frame this as "here is how Trump cheated at the election." … But if that's what it takes to get politicians to think about privacy, bring on the sleaze.

But doesn’t Facebook have a policy against collecting such data? Steven J. Vaughan-Nichols tells us How Cambridge Analytica used your Facebook data:

This led to over 50 million users' data being passed on to Cambridge Analytica. This is against Facebook's "platform policy," which banned the collection of friends' data for … any reasons besides improving user experience.

Yeah. That worked out well.

Meanwhile, perhaps GDPR will save us? Pam Baker describes some Tricky Obstacles Security Teams Face:

Cookies, IP addresses and other data points that enable someone to deduce a person’s identity are now considered personal identifying data, too. [But] a lot of these types of data are routinely and automatically collected and … companies typically are not aware of what data they are collecting and storing.

“The right to be forgotten” … means you’ll need to be able to delete all data about any customer or user who … wishes to review what you have prior to telling you to delete it, or simply wants to see what information you have. Be sure you can find, copy and deliver or delete such information on short notice.

[GDPR] makes no delays or exceptions in reporting a breach. You must find it fast and report the breach immediately or [you] will be hit with potentially catastrophic fines and penalties.

Good luck!

The moral of the story? You may have been collecting data in similar, industry-standard ways for years. But the mainstream news cycle has a way of catching up when you least expect it.

And Finally…

In Soviet Russia, Finally Ands you

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: PXhere (cc0)
