The Facebook hack could be Europe’s first big online privacy battle
On Friday, a massive breach opened up a new front in the war on Facebook. According the the company, more than 50 million accounts were taken over by a kind of login worm, which used a series of unpublished vulnerabilities to hijack session keys on an unprecedented scale. Hackers had full access to any of the targeted accounts — essentially, they could do whatever you can do when you’re logged in — and Facebook is still working to survey the full extent of the damage.
Breach response is always chaotic, but this one is particularly haphazard because of a new set of rules established by the EU’s General Data Protection Regulation or GDPR. Implemented in May, the GDPR sets strict requirements for any breach involving EU citizens, requirements that are already guiding Facebook’s response to the session key attack. According to Facebook’s timeline, the disclosure on Friday came just before the 72-hour window for disclosing the news to privacy commissioners, a far tighter deadline than companies usually adopt.
As required, Facebook also sent more formal notifications to various privacy commissioners, who may decide to file suit over the breach. As recently as Sunday, the Irish data privacy commissioner said it was “awaiting from Facebook further urgent details of the security breach.” The UK Commissioner is still determining if the country’s citizens were implicated, although given the broad reach and indiscriminate pattern of the attack, it’s likely that at least a few of them were. “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” the Commissioner said in a statement. “We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.” Facebook is already facing a class-action suit in California and some stern questions from the FTC, but the bulk of the pressure is expected to come from Europe.
There have been countless breaches before — Facebook has even dealt with specific login bugs like this one — but the GDPR changes everything. If the company is found to have violated the rule, it could be liable for up to four percent of annual revenue, a staggering $4 billion. No one has accused Facebook of negligence yet, but the basic facts of the case have yet to be nailed down — and with lawmakers already hostile to Facebook, plenty of privacy commissioners will want to try their luck. Because the law is so fresh, no one knows for sure how such a case would play out, but Facebook is already preparing for what could be the fight of its life.
The new breach is a real contrast with previous GDPR fights, which have largely had to do with policy decisions and terms of service. Both Facebook and Google have already come under fire for having Terms of Service that violate the regulation, although the suits were brought by a third party and haven’t made much progress. Scandals like Cambridge Analytica present another front in the fight, in which apparent violations of user privacy stem from user choices, sidestepping most legal definitions of a breach. But this recent breach is far simpler. Facebook shouldn’t have given these hackers access to the accounts — it wasn’t a data-sharing project or an API gone wrong — so it’s hard to read the fallout as anything other than a breakdown in Facebook security. The only question is how much Facebook will be punished for the lapse.
Under the GDPR, the question of blame largely hinges on whether the company was negligent, ignoring basic practices that could have prevented the breach. We don’t know enough about the attack to judge Facebook’s response at this point, but what’s happened in public has been enough to satisfy some critics. “Facebook has done a decent job so far based on what we know, including the resetting of the tokens,” says Shane Green, founder of Digi.me, an alternative platform focused on data privacy. “The forensics on this stuff isn’t easy, and it’s a tricky balance to give people warning about worst case without scaring them to death or causing an overreaction.”
Still, as more detail comes out, the possibility of a GDPR suit is hard to ignore. So far, Facebook has emphasized the complexity of the bug — a three-part vulnerability in the obscure “View As” function” — but it was Facebook’s own product code that created the vulnerabilities and left them unpatched for more than a year. There have also been a number of rumors that the attack may have reported to Facebook in advance of the breach, rumors made credible by the blustery public threat on Mark Zuckerberg’s account the day before Facebook’s announcement. None of those rumors have been confirmed, but they represent a scary possibility for the company. If any one of those bugs was reported to Facebook in advance of the breach, the failure to promptly patch could be powerful evidence in court.
The case is particularly complicated because the hack extended beyond Facebook itself. Once a given account was compromised, attackers also had access to any third-party accounts that relied Facebook for authentication. This is a common practice on the web — if you’ve ever clicked “login through Facebook” instead of setting up a new password, you’re part of it — but a dangerous one in cases like this. Facebook has revoked the compromised login tokens, but it can’t solve the whole problem itself. Those outside platforms will need to flush their systems too, and it’s likely there will be some who are late to realize the danger. If that line of attack causes further breaches and further damage, it’s hard to say whether the liability will fall on Facebook or the third-party service.
For Facebook, unanswered questions like that are the scariest part of this legal tangle. No one has ever litigated these issues before, and we only have a hazy sense of what a strong or weak GDPR case looks like. The company could be in for years of legal warfare and a billion-dollar payout — or it could walk away scot free. We’re just months into the GDPR regime, and there’s simply no roadmap for how it can be used. Politically, Facebook is the perfect target — an increasingly unpopular American tech company with significant opponents on both the left and right. With the law still working itself out, the details of the case are less important than the overwhelming political logic. Situations like this are never easy, but Facebook picked a uniquely bad moment to have a breach.