Yet more bad news for Facebook. This week brings revelations that Zuckerberg’s finest really have been selling your private data. Except they don’t call it “selling”; the company is “sharing with its partners,” which is obviously completely different.
It’s the latest in a steady drip-drip-drip stream of seriously bad PR for Facebook. Sooner or later, the trickle of reports that people have deleted their Facebook accounts will become a flood.
And then what? In this week’s Security Blogwatch, we wonder if this story will be the straw that breaks the camel’s back.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Improv Everywhere …
Farcebork
What’s the craic? Gabriel J.X. Dance, Michael LaForgia, Nicholas Confessore, and Matthew Rosenberg tag-team to trash the ’book—the social network gave Microsoft, Amazon, Spotify and others far greater access to people’s data than it has disclosed:
For years, Facebook [has been] effectively exempting those business partners from its usual privacy rules. … Personal data has become the most prized commodity of the digital age, traded on a vast scale by some of the most powerful companies.
…
Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages. [It] permitted Amazon to obtain users’ names and contact information. … It let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier. … The Russian company Yandex, which has been accused of funneling information to the Kremlin, had access to Facebook data as recently as last year.
…
Facebook has been reeling from a series of privacy scandals. [It has] assumed extraordinary power over the personal information of its 2.2 billion users — control it has wielded with little transparency or outside oversight.
…
[We] interviewed more than 60 people, including … about 50 former employees of Facebook and its corporate partners. [We] also reviewed more than 270 pages of Facebook's internal documents, and performed technical tests and analysis to monitor what information was being passed between Facebook and partner devices and websites.
The pun-tastic Cyrus Farivar calls it a Face Off:
The news comes days after Facebook disclosed a massive photo bug, weeks after 50 million people were affected by an access-token harvesting attack, and less than a month after it was revealed that Facebook considered selling access to its users’ data. And all of those scandals are in addition to the Cambridge Analytica debacle. In June 2018, Facebook dodged some lawmakers' questions in written testimony, after two days of CEO Mark Zuckerberg's appearance before the US Senate.
…
These arrangements apparently let selected partners continue to access users’ contact details via friends—despite the fact that in 2014 Facebook said it was ending such access. … Facebook spokeswoman Katy Dormer [offered] two statements from two executives, neither of which denied or refuted the [allegations].
’Tis the season to be snarky. Here’s Rebecca Hill—Dear Santa, all I want for Christmas is: 1. More ad revenue, and 2. Good PR. Lots of love – Mark, aged 34½:
Facebook has found itself the subject of yet more shouty headlines [from] details of deals that gave more than 150 companies special access. … But the latest report promises to be particularly damaging to user trust.
…
Companies are reported to have been able to read and delete messages. … Facebook appears to have failed to keep track of the hundreds of deals … and didn't turn off this special access when the partner no longer provided the feature it was given the access for. … That included Yahoo!, which reportedly still had the ability to view real-time feeds of friends' posts for a feature the company had ended in 2011.
…
Facebook has been keen to emphasise that none of the agreements actually break a 2011 consent decree handed to it by the [FTC], on the grounds that the partners were "service providers." … Whether the company's assessment will stand up to scrutiny remains to be seen, [but] your average Joe would be forgiven for feeling deceived.
O RLY? @dannivancouver thinks not:
Um. This is why your favorite apps and webservices are free, dummies.
But Wondering’s mind is wandering: [You’re fired -Ed.]
The sad thing is, they ruined something that could have just as easily made users happy while making money for them. There seems to be some amount of data most people are willing to let companies have in exchange for something they want … as long as the company is transparent about it. But Facebook … have pulled off a never ending series of lies and deception aimed at tricking people out of their privacy.
Think of TV commercials: nobody likes them, but they're willing to put up with them in exchange for programming. … It's the deception that's the problem.
…
Some people argue the retort: "If you're not paying for a product, you are the product." But that's true with advertising as well. It's one thing to be the product; it's another thing to be deceived.
We’ve been here before, writes @ProcessISInc:
Compliance and controls are hard. Can bring down the house of cards. Ask Theranos. Zenefits.
Soon Facebook.
This week’s master of the run-on sentence is squiggleslash:
It's somewhat ironic that Google is the one that's always being accused of selling your data when its business model actually revolves around making money by using the data, but keeping it secret, while Facebook "leaks" (actually sells) your data over and over again, and everyone's attitude is just "Oopsie, don't do it again" when selling your data is their actual business model.
And if that weren’t bad enough, then there’s this: Aleksandra Korolova and Irfan Faizullabhoy reveal Facebook’s Illusion of Control over Location-Related Ad Targeting:
When it comes to one of the most privacy-sensitive types of data, location, Facebook does not provide meaningful controls and is misleading in its statements to users and advertisers. … Facebook creates an illusion of control … which can lead to real harms.
…
A reasonable Facebook user might conclude that turning off Location History and not granting Facebook the permission to access location on the mobile app will prevent the geo-targeting of ads. But that is not the case. … Moreover, Facebook makes false claims about the effect of controls.
And this: Walt Mossberg—will shut up:
I’ve decided to deactivate my Facebook and Facebook Messenger accounts. … I will be deleting the apps from my devices. I’ve already quit Facebook-owned Instagram and erased its app.
…
After being on Facebook for nearly 12 years … my own values and the policies and actions of Facebook have diverged to the point where I’m no longer comfortable here.
Yikes, amirite? jens4 claims to be a Facebook employee:
The issues are not just Facebook issues or technical issues. What is happening involves society as a whole. … There are deep sociological and psychological issues that have been uncovered over the last couple years, that have always existed beneath the surface.
…
If it wasn't Facebook surfacing them, it would have been YouTube or Twitter or Reddit or whoever else. I am not saying grave errors haven't been made and the future does look scary. [But] who else out there has the skills [or] experience handling/understanding data flows at this scale … to do something about this stuff?
…
There is seriously no one out there, besides the Chinese govt. … The expertise being built up in Facebook is going to be fundamental in addressing and eventually finding solutions to these problems. … We have a much better idea about what the issues are and therefore solutions are more likely to be found not less.
…
My mother has cancer and her biggest support system … is a group on Facebook. So I know personally [how] a well functioning social network … can contribute to well being. The good stuff happening is not going away.
Meanwhile, what of Europe? JumpCrisscross sounds cross:
The records … were "generated in 2017" and "some were still in effect this year." That means not only did these agreements cross through Facebook's representations to various governments, they also overlap with GDPR.
The moral of the story?
Playing fast and loose with your users’ privacy will catch up with you, sooner or later.
And finally …
The back story and behind-the-scenes
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
