Did Facebook Break the Law?
Updated: Mar 16
You probably know Cambridge researchers got access to 50 million Facebook user profiles, then gave the data to a private political operation working on behalf of the 2016 Trump presidential campaign. You can learn more from New York Times and Guardian stories.
Adding fuel to the fire, Alex Stamos resigned his position as Facebook Chief Security Officer . With this breach, perhaps a thankless and difficult job became impossible.
Congress threw more gasoline on the fire, as members of both parties demanded answers from Mark Zuckerberg. Then the FTC launched an investigation. Facebook’s stock price nosedived on fears of new regulation or fines. Social networks (including Facebook itself) are full of articles telling users how to delete or lock down their Facebook account.
While this was not a traditional data breach like Equifax (no one hacked into Facebook’s systems), it was nonetheless a massive data spill affecting 1 out of 4 US users. What data was lost? Is Facebook required to notify affected users? Did Facebook violate its privacy policies? Will there be lawsuits? How can you protect yourself?
Facebook User Data
Downloading your Facebook profile can help you understand the kinds of personal information potentially lost in the Cambridge breach. Their Help Center tells you how to download your own Facebook profile. Every Facebook user should do this.
I tried it. Within minutes I had a 95MB ZIP archive containing 975 files that represent my personal Facebook record. The download includes my name, phone number, birthday, IP addresses, family members, friends, work history, education, etc.
It also includes everything I “like” on Facebook (books, movies, music, etc.). I’ve been on the platform since 2011 and my list got pretty long. It seems I hit the “Like” button more than I should. The download also includes all my posts and photos, as well as private messages with friends and family.
Breach Disclosure Law
Facebook’s home state of California passed one of the earliest security breach disclosure laws, SB 1386, which became the model for many other states. There is no federal US law at this time.
California’s law covers social security numbers, driver’s licenses, and financial account information (credit card number, PIN, etc.). It was later amended to include license plate data. If such data is lost in a breach, can be tied to individuals, and was not encrypted, then the law requires notifying affected California residents.
A search of the state’s data breach list for “Facebook” comes up empty.
Facebook generally does not store social security or driver’s license data. It sometimes obtains credit card information in the context of payments, but that wouldn’t be in the public profile normally accessible to apps.
It seems Facebook is not required to notify breach victims, at least in California. I believe it would be the right thing to do, nonetheless, so let’s hope it happens. Better late than never.
It's also possible Facebook violated privacy laws in the UK or Canada (both have launched investigations) or violated terms of its 2011 agreement with the United States FTC.
Facebook’s Data Policy page is still working though. It says “We transfer information to ... partners who globally support our business, such as … conducting academic research and surveys.” Such information transfers are subject to strict confidentiality agreements.
But Facebook didn’t directly transfer information to Cambridge. Instead Cambridge created a Facebook app that collected data on users and their friends.
This is what the Data Policy says about apps:
When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share…. When you download or use such third-party services, they can access your Public Profile, which includes your username, age range and country/language, your list of friends.
It’s unclear if Facebook violated its Data Policy. Some unconfirmed reports imply Cambridge received broader access to information than is normally offered through the platform’s App API, particularly regarding a user’s friends.
Alice playing Farmville shouldn’t pose a threat to Bob.
This ability to access friend data is what allowed Cambridge to extrapolate from 270,000 people who used their app to 50 million profiles. If Facebook policy allows this, it’s a bad policy.
Class action lawsuits may be filed on behalf of the 50 million affected Facebook users. If recent history is any indication, they will fail. For example, last January a class action privacy lawsuit against Facebook’s Irish subsidiary was dismissed by EU’s highest court. Since the US has laxer privacy laws than the EU, a privacy suit is a long shot.
A lawsuit on security grounds might stand a better chance. Breach suits against Equifax and Yahoo are moving through US courts now, and some such suits have succeeded or reached settlements in the past (e.g., Anthem, Home Depot, Sony, Target, etc.). No doubt Facebook’s lawyers are watching closely.
What Can You Do?
Electronic Frontier Foundation posted a helpful page explaining how to adjust your Facebook settings to keep your personal information private from apps. It’s surprisingly easy, so do it now!
Once you've tightened your settings, you can sign the Mozilla petition asking Facebook to make its user settings secure by default.
UPDATE 4/5/2018: Facebook now estimates 87 million accounts were affected, not 50 million.
UPDATE 7/24/2019: Facebook was fined a record five billion dollars by the FTC for privacy violations. Its Board of Directors is also required to form a privacy committee to oversee Zuckerberg's team.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.