What we still don’t know about the Facebook breach
It’s been three days since Facebook reported that hackers obtained access tokens for 50 million user accounts, in what is believed to be the largest such data breach in its history. Here’s what we’ve learned since then — and what we haven’t.
One, the breach may have affected other third-party services that use the Facebook Connect identity platform. Several large internet services rely heavily on Facebook logins, including Spotify, Airbnb, and Tinder. Anyone who had full access to a user’s account would have been able to log into those services as well, possibly undetected. Notably, none of these Facebook Connect customers have had much to say about the effect of the breach on their own services, likely because they are still investigating. Tinder was the exception, saying Facebook had shared only limited information and calling on it to share more.
The third-party developer situation set off a secondary debate about the wisdom of using Facebook login. On the pro side, Facebook login offers enhanced security measures such as “risk-based logins” — challenging users to provide additional information if it suspects a password has been stolen. On the con side, Facebook’s dominance has created something resembling a single point of failure for online security.
Two, the legal consequences of the breach are becoming apparent. A class-action lawsuit was filed with terrifying speed. And while Facebook appears to have disclosed the breach within the 72 hours required by the General Data Protection Regulation, the European Union privacy watchdog could still fine Facebook up to $1.63 billion, Sam Schechner reported in the Wall Street Journal. Separately, the Irish Data Protection Commission said Monday that less than 10 percent of the breach’s victims live in the European Union. (Le Monde says it’s fewer than 5 million.)
This sort of breach is precisely the sort of thing that GDPR was designed to protect against. As such, it’s the first real test of the law since it went into effect earlier this year, Russell Brandom reports:
No one has accused Facebook of negligence yet, but the basic facts of the case have yet to be nailed down — and with lawmakers already hostile to Facebook, plenty of privacy commissioners will want to try their luck. Because the law is so fresh, no one knows for sure how such a case would play out, but Facebook is already preparing for what could be the fight of its life.
The new breach is a real contrast with previous GDPR fights, which have largely had to do with policy decisions and terms of service. Both Facebook and Google have already come under fire for having Terms of Service that violate the regulation, although the suits were brought by a third party and haven’t made much progress. Scandals like Cambridge Analytica present another front in the fight, in which apparent violations of user privacy stem from user choices, sidestepping most legal definitions of a breach. But this recent breach is far simpler. Facebook shouldn’t have given these hackers access to the accounts — it wasn’t a data-sharing project or an API gone wrong — so it’s hard to read the fallout as anything other than a breakdown in Facebook security. The only question is how much Facebook will be punished for the lapse.
Three, a Facebook executive on Monday repeated the idea that the breach came as the result of “a sophisticated attack.” Speaking at an Advertising Week panel, the company’s global head of marketing, Carolyn Everson, called the still-unknown attackers an “odorless, weightless intruder that walked in,” one that Facebook could only detect “once they made a certain move.” (Everson also had the one-liner of the day. When asked about the acrimonious departures of the billionaire WhatsApp founders earlier this year, she replied: “I’d like to hear more about their philanthropy.” Which deserves a spot on any list of the funniest things ever said on stage during an Advertising Week presentation.)
Finally, the breach has given the world fresh occasion to assess its trust in Facebook. On Friday’s press call, two reporters asked Mark Zuckerberg why people should continue to trust the platform with their data. He deflected the questions, as Will Oremus recounts:
“This is a serious issue and we’re very focused on addressing it, which is why we patched the vulnerability and kind of taken additional security measures,” he said. Perhaps sensing that wasn’t enough, he hesitated, then dredged up a familiar talking point about how “security is an arms race, and we’re continuing to improve our defenses.” Facebook has “a lot of talented people working on this and, I think, doing good work,” he added, unconvincingly. “This is going to be an ongoing effort, and we’re going to need to keep focusing on this over time.”
I spent Monday waiting for further shoes to drop on the breach. But the truth is we learned very little over the weekend. The best explanation for that is that GDPR forced Facebook to disclose the breach just as its investigation was getting underway. We’ll know more eventually, but it might not be soon.
Sundar Pichai’s visit to Washington seems to have been fairly uneventful, reports Tony Romm. But he did agree to testify before the House about “bias” against conservatives.
Weeks after President Trump accused Google of having “rigged” search results, the company’s leader paid the White House a visit, meeting on Friday with Larry Kudlow, one of the president’s top economic advisors, a spokeswoman for the White House confirmed. During the private session, which focused on “issues impacting internet platforms and the economy in general,” Pichai agreed to attend an upcoming “roundtable with the President and other internet stakeholders,” the White House announced.
The spokeswoman said details would be forthcoming, including other tech giants invited to the meeting. Previously, Kudlow said the Trump administration was open to regulating search results but the president later seemed to distance himself from the idea.
Here’s a popular tweet citing a Wall Street Journal report that does not exist. Jane Lytvynenko:
The tweet implied, without any proof, that the prosecutor Republican senators retained to question Supreme Court nominee Brett Kavanaugh and Christine Blasey Ford, one of the women accusing Kavanaugh of sexual misconduct, stopped asking Kavanaugh questions because she determined that he lied. It falsely sourced the information to the Wall Street Journal and was soon amplified by reporters and commentators on Twitter, racking up thousands of retweets and likes.
Greg Jaffe writes about two women struggling to stay friends amid opposing views of Brett Kavanaugh and the Trump presidency, and it’s remarkable how Facebook is the backdrop for so many of their discussions. And not always for the better:
When she returned home from work in the evening, the testimony was finished. So, she flipped on Fox News and checked her Facebook feed. One of her friends had posted a short video that was circulating online of an African American woman passing an envelope to one of Ford’s lawyers. The post suggested that it could be a clandestine payment of some sort. Laynette wasn’t sure what to believe, but from what she knew about Washington it seemed possible.
“I bet they know a heck of a lot more than the rest of us,” she said, thinking of the hearing room packed with lawmakers and journalists. “To be honest, we don’t trust the media to tell us the truth anymore.”
There’s been lots of good discussion lately about whether WhatsApp-fueled violence is a technological problem or a societal one. Rohan Venkataramakrishnan has a nice, long look at the subject, which contains this memorable complaint from an unnamed WhatsApp spokesperson about the suggestion of a former WeChat employee that the company attempt to suss out fake news by analyzing its metadata:
“It’s unsurprising that a former WeChat employee would support monitoring on a private messaging app,” the spokesperson said. “We strongly disagree with their approach as it would seriously weaken people’s privacy – with important global implications.” The spokesperson went on to say, “There are also several inaccuracies, the most glaring of them is that we do not retain a log of all messages being sent and their claim that WhatsApp ‘reads and stores parts of metadata of every message being sent on its platform’ – is just flat wrong.”
Gupta said he too is not in favour of breaking encryption. He said he was a supporter of Apple when it refused to give up data on a locked iPhone to American investigators in 2016, and that he would not have written this paper that year. But, with people dying, he said he sees the danger of companies like WhatsApp refusing to do anything about it, since it gives the government an excuse to intrude.
After a weeklong interregnum in which seemingly very few people understood what was happening, Adam Mosseri has been named head of Instagram. (This is his official title.) Mosseri is smart and well liked, but his job here is to be a good soldier rather than an auteur. The most notable thing in this blog post is the look-we’re-all-friends photo of Mosseri sitting in between Mikey Krieger and Kevin Systrom; the second-most notable thing is the founders’ doomed cry in their new farewell blog post. “To us, the most important thing is keeping our community — all of you — front and center in all that Instagram does.” That is not the most important thing to Facebook, and they know it. (Which is why they wrote it.)
Semi-relatedly, the supremely talented Sarah Frier announced today that she’s writing a book about the history of Instagram. Frier is one of the very best reporters on the Facebook beat, and this one will be a must-read. Especially if Systrom and Krieger cooperate.
Here’s a weaselly and exasperating semi-mea culpa from (the presumably pseudonymous) Winston Wordsworth, who laments his time writing lies for a website that he refuses to name. Because he won’t identify the people who paid for him to write fiction about growing up Muslim, among other extremely problematic assignments, the piece is worthless.
Chris Peterson, who teaches comparative media studies at MIT, tweeted about some feminist academic research and got suspended from Twitter as a result. He speculates it was because Twitter incorrectly flagged his tweets as containing “dehumanizing” speech, since they referred to people by their gender. Twitter said nothing, but reversed course after BoingBoing wrote about it.
JK Trotter has the tale of a YouTuber with 9 million subscribers who has managed to smuggle a bunch of offensive crap into videos that are available to children even in “restricted mode.”
But when Cook got around to watching SML for himself, he was alarmed by what he found: an array of racist stereotypes, misogynist humor, homophobic jokes, and worse, smuggled into videos that are clearly aimed at children. A character named Jackie Chu, for example, is portrayed by a puppet who, as his Fandom entry explains, “pronounces things wrong such as ‘Cacurus’ (Calculus), ‘Rawn’ (Wrong), ‘Crass’ (Class)… and cannot see as well as others, due to his eyes being squinted too tightly.”
India’s Infibeam Avenues Ltd. lost 71 percent of its market value on a single day after a WhatsApp message circulating among traders raised concerns about the online iPhone and iPad retailer’s accounting practices, Santanu Chakraborty and Ameya Karve report.
Do you ever use YouTube and wish you were targeted more by advertisers? Well, congratulations, because now you are!
Google is expanding its use of lucrative search-based advertising tools on YouTube, to help advertisers target potential customers as they search for everything from products to movie trailers on the video site. The news, announced this morning at Advertising Week and reported by CNBC, marks a shift in how Google treats YouTube. Increasingly, the company is relying on YouTube as an extension of its core search engine instead of a separate entity. To help drive home the point, Google representatives told the crowd at Advertising Week that YouTube is the second most popular search engine in America, behind Google Search.
Facebook’s recently departed chief security officer, Alex Stamos, has a thread on how the requirement that Facebook announce breaches within 72 hours could have prevented it from catching the bad guys. It’s a good read that helps to capture some of the debate around this breach internally:
Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.
1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing. https://t.co/VSCVfYB8om
— Alex Stamos (@alexstamos) October 1, 2018
And finally …
A marketing agency rented and furnished an apartment designed to be the ultimate Instagram backdrop, and is now loaning it to influencers. Sapna Maheshwari has the memorable tale of a totally artificial space and the people who need it to work:
There is also the “rah-rah-Instagram-slash-feminist-wall,” an area filled with photographs of Instagram influencers and messages of female empowerment.
Honestly I thought empowerment might look different than this!
Talk to me
Send me tips, comments, questions, breaches: firstname.lastname@example.org.