
Facebook Data Privacy Debate: CISO Reportedly Exiting

Facebook CISO Alex Stamos

As you may have noticed, social media, Facebook to be precise, is on the hot seat again. Make no mistake, it’s well-deserved, the company’s protestations notwithstanding.

The background: The data analytics firm Cambridge Analytica, cloaked to a degree in political overtones, three years ago harvested with Facebook’s tacit complicity behavioral data on some 50 million of the social networking giant’s users, as multiple reports have chronicled.

Perhaps on a related note, Facebook Chief Information Security Officer (CISO) Alex Stamos plans to leave the social media giant by August, according to The New York Times. Stamos had advocated more disclosure around Russian interference on Facebook and some restructuring to better address the issues, but was met with resistance by colleagues, The Times reported.

Data Breach Or Something Else?

The big question on a lot of minds: Was it a Facebook data breach that allowed Cambridge such access to private information? To say that the data was used to help Donald Trump’s 2016 presidential campaign (as it did) would gloss over the salient point: Facebook’s data access policy left open doors, arguably in a self-serving way, that surreptitiously compromised the privacy of millions of its users.

But wait, not so fast: Maybe it was actually a bigger issue, a blurring of the lines of user privacy that regrettably travels along with data sharing?

Here’s what’s going on:

  • Starting in 2015, Cambridge harvested private information -- names, location, email, friends list, from which psychological profiles could be built -- both directly and indirectly from the Facebook information of more than 50 million users. The catch is the data firm never asked permission of those users but instead quietly exploited Facebook’s relatively open customer data privacy policy.
  • Did Facebook know but look the other way? After all, the perils of third-party data harvesters have been around for some time. At the time, Facebook wanted to go easy on software developers and made available tools, such as Facebook Login, that allowed people to access a website or app by using their Facebook account rather than registering as a new user. By doing so, however, users gave up some of their privacy to data miners. In this case that affected some 270,000 people who used Facebook Login to engage with an app called “thisisyourdigitallife.”
  • That 270,000 who consented eventually mushroomed -- fed by Facebook’s policy -- to some 30 million Facebook users and from there to 50 million subscribers who did not say okay. Facebook says it wasn’t hiding anything, that its policies were well documented in its terms of service. But that doesn’t make it right: This particular one has since been amended and is no longer allowed, an admission of sorts that the prior policy leaked.
  • Facebook, which first downplayed the whatever-it-was events, contends that when Cambridge University professor Dr. Aleksandr Kogan, who created the app, shared the information with Cambridge Analytica he violated its rules. That didn’t amount to a breach, said Stamos, but rather a misuse of the data and “does not retroactively make it a breach.”

Big Debate

If not a breach then what? A huge swath of Facebook's users' data, unbeknownst to all but a few, was compromised. There’s that. Then there’s bad policy: Facebook let developers behind the user data curtain, conveniently characterized as mistrust. And, while Kogan misused the data he “did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed,” Stamos said.

And, then there's this: Cambridge may still have the data in its hands, according to the NYT’s sources, which, by definition, kind of makes the whole thing a heist. If the loot is gone and it's found in your hands, it's hard to say it wasn't you.

What it was, Paul Grewal, Facebook’s VP and deputy general counsel, told the New York Times, is a “scam -- and a fraud,” referring to Kogan’s cover that the data was for academic purposes. “We will take whatever steps are required to see that the data in question is deleted once and for all — and take action against all offending parties,” he said.

Facebook Data Sharing and Privacy: The Bigger Discussion

Still, rather than assigning culpability, the real issue here is setting the boundaries of data sharing. It’s easy to say that what we’re seeing is an aberration. But it's not. More appropriately, it's data harvesting on steroids. The more purposeful conclusion takes it beyond the principal players: In today’s world of sophisticated algorithms user consent doesn’t mean much.

The privacy risks associated with inputting personal data into apps aren’t as clear to users as it might seem. Furthermore, an open door policy that allowed developers to grab user data to eventually shuttle off to data harvesters callously endangered Facebook's users. How this can be called anything other than a preventable Facebook data breach is hard to figure.

Some Congressional legislators are alluding to the same issue.

In a letter sent to Facebook CEO Mark Zuckerberg on Monday, Oregon Senator Ron Wyden said, "The troubling reporting on the ease with which Cambridge Analytica was able to exploit Facebook’s default privacy settings for profit and political gain throws into question not only the prudence and desirability of Facebook’s business practices and the dangers of monetizing consumers’ private information, but also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.