We noted yesterday that Facebook is kinda in trouble for the security breach of, oh, ABOUT 530M USERS (or as the article quaintly put it: “if the number of people affected by this breach were a country, it would be the third most populous in the world, behind China and India.”) and oopsie! Facebook forgot to tell these people or indeed report the breach to regulators.
Yesterday, Facebook mentioned it on their blog.
On April 3, Business Insider published a story saying that information from more than 530 million Facebook users had been made publicly available in an unsecured database. We have teams dedicated to addressing these kinds of issues and understand the impact they can have on the people who use our services. It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.
Oh, well, that’s entirely different. Never mind. /Emily Latella
Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors.
Boy, I bet the hackers are sorry now!
Anyway, I was curious about what could be done, and so checking around I learned about the General Data Protection Regulation, which became a law in the EU in May 2018:
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data…
Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
If this privacy breach happened AFTER September 2019 (as FB states it probably did), then Facebook could be liable for fines and enforcement action, as it, you know, FAILED TO LET REGULATORS KNOW WITHIN 72 HOURS as the GDPR mandates.
Some of you might recall in July of 2019 that the Federal Trade Commission fined Facebook $5B Ameros (“by far the largest it’s given to a technology company”) for privacy violations, but then Trump’s FTC Director Joseph Simons cut a deal with Facebook:
Under the settlement, which binds the company for 20 years, Facebook agreed to restrictions on specific data-handling practices. The company, for example, may not use phone numbers collected from users for security reasons to advertise to them. And it must both make plain how it is using facial recognition technologies in its products and ensure that user passwords are encrypted.
Facebook, for its part, said the deal would reform how the company handles user privacy — while also making clear that it’s being held to a higher standard than other U.S. corporations.
So, Facebook’s immunity from FTC fines is for breaches that occurred BEFORE June 2019. Remember Mike Clark saying this world-wide breach happened before September 2019? That’s casting ambiguity on when it did happen, and you can bet Facebook damn well knows exactly when it happened. They even know how it happened:
We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
That’s right. All those users who allowed Facebook to raid their contacts actually pumped out all that data to the hackers in the end. Your Facebook Rage Uncle gave all your data to the hackers for free. So thank your Facebook Uncle for the next robocall warning you about your vehicle’s warranty, or about your mortgage from before you sold your house, or whatevs.
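The contact-importer abuse described above is a classic enumeration pattern: an attacker uploads huge synthetic "contact lists" and harvests whichever profiles match. The defender's counterpart is volume-based detection on the importer itself. The following is an added example, not Facebook's code, with a constructed log format (`account=... import contacts=N matched=M`) and thresholds that are assumptions; it flags any account whose import volume inside a sliding one-hour window exceeds a per-account budget.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not any real platform's log):
# "<iso-timestamp> account=<id> import contacts=<count> matched=<count>"
SAMPLE_LOG = """\
2019-08-01T10:00:00 account=u1001 import contacts=250 matched=120
2019-08-01T10:00:05 account=u1001 import contacts=300 matched=140
2019-08-01T10:00:09 account=u1001 import contacts=300 matched=131
2019-08-01T10:01:00 account=u1001 import contacts=300 matched=127
2019-08-01T10:00:30 account=u2002 import contacts=180 matched=95
2019-08-01T11:30:00 account=u2002 import contacts=12 matched=11
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) import contacts=(\d+) matched=(\d+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, contacts, matched) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        ts, acct, n, matched = m.groups()
        events.append((datetime.fromisoformat(ts), acct, int(n), int(matched)))
    return events


def flag_scrapers(events, window=timedelta(hours=1), max_contacts=1000, max_imports=3):
    """Return {account: reason} for accounts whose import volume in any sliding
    window exceeds either the number-of-imports or total-contacts budget
    (threshold values are assumptions for illustration)."""
    by_acct = defaultdict(list)
    for ts, acct, n, _matched in events:
        by_acct[acct].append((ts, n))
    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            count = end - start + 1
            total = sum(n for _, n in evs[start:end + 1])
            if count > max_imports or total > max_contacts:
                flagged[acct] = f"{count} imports, {total} numbers in {window}"
                break
    return flagged
```

Once an account is flagged, the sensible response is to throttle or disable its importer access and review the matched profiles it retrieved, rather than only logging the event.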
Anyway, this is a long post to say that Facebook is most likely in trouble with the US and the EU regulators and is probably looking at a hefty fine, and now that Lord Damp Nut is no longer in office, there’s a chance that the FTC might actually do something about it.