Opinion: Facebook to Blame for Data Breach
In the face of blistering news coverage, Facebook has been insistent that the loss of 50 million users’ data is actually not that big of a deal and not even a data breach at all. They have been at pains to play this off as an isolated example of an abuse of Facebook’s terms of service. So what exactly is the story of this data? Was it a breach or not?
According to CNN, the data was legitimately collected by an app for academic research. This was a valid use for the data at the time of the collection under Facebook’s TOS. However, after being harvested, the information was then distributed to third parties including Cambridge Analytica. The distribution and the use of the information afterward violated Facebook’s policies. Facebook says it can’t be held responsible for what those developers did with the data after it gave it to them.
Unfortunately for Facebook, its attempt to eschew responsibility for what is ultimately its own loss of control of user information is wholly transparent, and serves only to exacerbate its image as a mega-corp ready to throw its consumers under the bus for the sake of stockholders.
Consider this analogy: we give banks our money in order to earn interest from it, with the understanding that they will keep it secure. Similarly, users have entrusted Facebook with their personal data so that they may benefit from Facebook’s software, with the understanding that it too will keep that data secure. What would we think of a bank that left all our money lying open on the floor, with a sign that said “Take only what you are allowed in accordance with our terms of service”? Certainly we would hold the bank accountable when our money was inevitably stolen: its sign would hardly be considered adequate security. We would expect it to keep our money in a vault, with limited and controlled access to ensure people could only take what they are supposed to.
The most basic security practice dictates that you lock your user account when you leave your computer, you lock PII up in secured locations, and you put the servers behind keypads. Why? Because signs don’t work, and you’ll be held responsible when someone gets that information.
The idea that we are supposed to accept Facebook’s honor system of security is laughable. What is obvious is that despite its bid to become the single-sign-on of the internet, Facebook has clearly not developed adequate systems for enforcing its own terms of service or for protection against abuse like this. Facebook simply does not appear to have developed the protocols and practices necessary to safely engage in business the way it does at the scale it does.
As The Guardian puts it:
Facebook has strong technical oversight of how and why third parties can access user data on the platform. But what can it do to stop this information being shared?
It needs to do something. Whose responsibility is it to enforce its terms of service? Its own. To try to lay the blame for this on those who took advantage of Facebook’s lack of oversight is to blame the thief you invited into your own house.