What we still don’t know about the Facebook breach

It’s been three days since Facebook reported that hackers obtained access tokens for 50 million user accounts, in what is believed to be the largest such data breach in its history. Here’s what we’ve learned since then — and what we haven’t.

One, the breach may have affected other third-party services that use the Facebook Connect identity platform. Several large internet services rely heavily on Facebook logins, including Spotify, Airbnb, and Tinder. Anyone who had full access to a user’s account would have been able to log into those services as well, possibly undetected. Notably, none of these Facebook Connect customers have had much to say about the effect of the breach on their own services, likely because they are still investigating. Tinder was the exception, saying Facebook had shared only limited information and calling on it to share more.

The third-party developer situation set off a secondary debate about the wisdom of using Facebook login. On the pro side, Facebook login offers enhanced security measures such as “risk-based logins” — challenging users to provide additional information if it suspects a password has been stolen. On the con side, Facebook’s dominance has created something resembling to a single point of failure for online security.

Two, the legal consequences of the breach are becoming apparent. A class-action lawsuit was filed with terrifying speed. And while Facebook appears to have disclosed the breach within the 72 hours required by the General Data Protection Regulation, the European Union privacy watchdog could still fine Facebook up to $1.63 billion, Sam Schechner reported in the Wall Street Journal. Separately, the Irish Data Protection Commission said Monday that less than 10 percent of the breach’s victims live in the European Union. (Le Monde says it’s fewer than 5 million.)

This sort of breach is precisely the sort of thing that GDPR was designed to protect against. As such, it’s the first real test of the law since it went into effect earlier this year, Russell Brandom reports:

No one has accused Facebook of negligence yet, but the basic facts of the case have yet to be nailed down — and with lawmakers already hostile to Facebook, plenty of privacy commissioners will want to try their luck. Because the law is so fresh, no one knows for sure how such a case would play out, but Facebook is already preparing for what could be the fight of its life.

The new breach is a real contrast with previous GDPR fights, which have largely had to do with policy decisions and terms of service. Both Facebook and Google have already come under fire for having Terms of Service that violate the regulation, although the suits were brought by a third party and haven’t made much progress. Scandals like Cambridge Analytica present another front in the fight, in which apparent violations of user privacy stem from user choices, sidestepping most legal definitions of a breach. But this recent breach is far simpler. Facebook shouldn’t have given these hackers access to the accounts — it wasn’t a data-sharing project or an API gone wrong — so it’s hard to read the fallout as anything other than a breakdown in Facebook security. The only question is how much Facebook will be punished for the lapse.

Three, a Facebook executive on Monday repeated the idea that the breach came as the result of “a sophisticated attack.” Speaking at an Advertising Week panel, the company’s global head of marketing, Carolyn Everson called the still-unknown attackers an “odorless, weightless intruder that walked in” and that Facebook could only detect “once they made a certain move.” (Everson also had the one-liner of the day. When asked about the acrimonious departures of the billionaire WhatsApp founders earlier this year, she replied: “I’d like to hear more about their philanthropy.” Which deserves a spot on any list of the funniest things ever said on stage during an Advertising Week presentation.)

Finally, the breach has given the world fresh occasion to assess its trust in Facebook. On Friday’s press call, two reporters asked Mark Zuckerberg why people should continue to trust the platform with their data. He deflected the questions, as Will Oremus recounts:

“This is a serious issue and we’re very focused on addressing it, which is why we patched the vulnerability and kind of taken additional security measures,” he said. Perhaps sensing that wasn’t enough, he hesitated, then dredged up a familiar talking point about how “security is an arms race, and we’re continuing to improve our defenses.” Facebook has “a lot of talented people working on this and, I think, doing good work,” he added, unconvincingly. “This is going to be an ongoing effort, and we’re going to need to keep focusing on this over time.”

I spent Monday waiting for further shoes to drop on the breach. But the truth is we learned very little over the weekend. The best explanation for that is that GDPR forced Facebook to disclose the breach just as its investigation was getting underway. We’ll know more eventually, but it might not be soon.

Source: The Verge