Facebook’s problems in Washington just got worse.
The social media giant announced on Friday that hackers stole information that could have allowed them to take over 50 million user accounts. The unidentified attackers were able to gain access to a range of profile information, including usernames, hometowns and genders, as my colleague Brian Fung reported.
The company has already spent the better part of a year struggling to convince Congress that it can be trusted to safeguard the personal information of its 2.2 billion users. Now lawmakers will have yet another opportunity to hold Facebook’s feet to the fire — and could hasten efforts to rein in the way the company stores and shares data.
Just hours after Facebook’s announcement Friday, Sen. Mark R. Warner (Va.), the Intelligence Committee’s top Democrat, called for a “full investigation” into the hack to “understand more about what happened.” “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. The era of the Wild West in social media is over,” he said.
Facebook has its hands full already. The company is under pressure to prevent a repeat of the 2016 election, in which Russian operatives used the platform to carry out a sweeping political disinformation campaign to help elect President Trump. Congress is also probing Facebook’s role in the Cambridge Analytica scandal, in which Facebook shared information on 87 million users with the Trump campaign-linked political consultancy in the run-up to the 2016 election. In hours-long hearings, lawmakers have grilled Facebook chief executive Mark Zuckerberg and other senior leaders about the company’s privacy practices.
The hack only adds fuel to the calls of lawmakers who want legislation to ensure users get the right protections. Congress has started mulling whether to pass comprehensive legislation to protect consumer privacy rights, as my colleague Cat Zakrzewski and I reported last week. And lawmakers have already floated bills that would force social media companies to be more transparent about their data collection practices and would require companies to notify users of breaches or privacy violations within 72 hours.
“Facebook has become a honey pot for malevolent lawbreakers who seek to undermine our society and democracy,” Sen. Richard Blumenthal (D-Conn.), who sits on the Senate Commerce and Judiciary Committees, said in a statement. “Congress should need no further notice to act.”
And it’s not just Congress that may want to demand answers about the hack. The FTC is already investigating whether Facebook’s relationship with Cambridge Analytica violated a 2011 settlement agreement, and the latest breach just keeps the company in the spotlight.
“These companies have a staggering amount of information about Americans. Breaches don’t just violate our privacy, they create enormous risks for our economy and national security,” FTC Commissioner Rohit Chopra told Gizmodo. “The cost of inaction is growing and we need answers.”
It's unclear how long the hack will hold people's attention, as TechCrunch editor Josh Constine notes. There's no evidence at this point that the hack was carried out for political reasons. Nor is it clear what the attackers wanted to do with the information: Facebook says no credit card information was exposed, and there’s no evidence that attackers tried to access private messages or post fraudulent content. And so far, the company hasn't determined who is responsible.
“If Facebook discovers the hack was perpetrated by a foreign government to interfere with elections, by criminals to bypass identity theft security checkpoints and steal people’s bank accounts or social media profiles, or to target individuals for physical harm, out will come the pitchforks and torches,” Constine wrote. But “for now, without a nefarious application of the breached data, this scandal could blend into the rest of Facebook’s troubles.”
PINGED: “A federal judge in California ruled this month that the government cannot force Facebook to break the encryption on its popular Messenger voice app in a criminal case in which agents wanted to intercept a suspect’s conversations, according to several individuals familiar with the case,” The Washington Post's Ellen Nakashima reported. “The decision, which remains under seal, dealt a setback to the Justice Department, which sought to compel Facebook to figure out how to give it access to the encrypted communications. It is a welcome development, however, for tech firms as they try to fend off government pressure to design their devices and services to accommodate surveillance while they build stronger encryption to safeguard their customers’ privacy.”
The judge in the Fresno, Calif., case sided with Facebook. “Devising a way to give law enforcement access to Messenger voice calls would be burdensome and costly, and would exceed the Wiretap Act’s ‘technical assistance’ provision, Facebook argued,” my colleague wrote. The case stemmed from an investigation into the MS-13 gang. It drew much less publicity than a previous episode in early 2016 in which the Justice Department demanded that Apple break into the locked iPhone of one of the San Bernardino, Calif., shooters.
PATCHED: A Seattle tech company's decision to offer free facial recognition tools to schools raises privacy concerns, the Seattle Times's Rachel Lerman reported Friday. One school in Seattle is already using RealNetworks's Secure, Accurate Facial Recognition (SAFR). “SAFR has been watching over the main entrance gate of Seattle’s private elementary University Child Development School since this spring, buzzing in parents who come to pick up or drop off their kids,” Lerman wrote. “The school, where RealNetworks CEO Rob Glaser’s kids were enrolled last year, wanted to try out the system to add to overall security at its University District campus.”
The technology is only used to recognize adults at the school — it does not identify children — and two mothers whose children attend the school told the Times that the tool provides them with a sense of safety. However, Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation, voiced concerns about the practice. “There’s a general habituation of people to be tolerant of this kind of tracking of their face,” Schwartz said, as quoted by Lerman. “This is especially troubling when it comes to schoolchildren. It’s getting them used to it.” RealNetworks does support regulating the use of facial recognition, according to the Times.
PWNED: The FBI directed a suspect in a child abuse investigation to unlock his iPhone X using Apple's Face ID facial recognition technology, Forbes's Thomas Brewster reported Sunday. “It happened on August 10, when the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography,” Brewster wrote. “With a search warrant in hand, a federal investigator told Michalski to put his face in front of the phone, which he duly did. That allowed the agent to pick through the suspect's online chats, photos and whatever else he deemed worthy of investigation.”
Fred Jennings, a senior associate at Tor Ekeland Law, told Forbes that the use of Face ID to unlock devices in investigations could be challenged on the basis of the Fifth Amendment's protection against self-incrimination. “In previous rulings, suspects have been allowed to decline to hand over passcodes, because the forfeiture of such knowledge would amount to self-incrimination,” Brewster wrote. “But because the body hasn't been deemed a piece of knowledge, the same rulings haven't been applied to biometric information, like fingerprints or face scans. That's despite the fact that the use of passcodes, fingerprints and faces on an iPhone has the same effect in each case: unlocking the device.”
— Deputy Attorney General Rod J. Rosenstein continued the government's call for private businesses to cooperate with law enforcement in combating data breaches. Rosenstein made the comments Thursday during a discussion hosted by the Justice Department's Criminal Division that included private cybersecurity companies and public officials, according to a news release issued Friday by the department. “Public-private partnerships addressing cybercrime play a critical role in our efforts to hold criminals accountable for data breaches,” Rosenstein said, according to the department's news release. “We depend on the private sector to help us maintain the rule of law in cyberspace at every stage of our work. That includes working together to obtain critical evidence for investigations and trials, and collaborating on developing the legal authorities needed to protect our 21st century economy.”
— More cybersecurity news from the public sector:
— “Some large U.S. banks have seen an uptick in attempted cyberattacks in recent weeks, according to people familiar with the matter, at a time when federal officials are stepping up warnings to banks about cyberthreats,” the Wall Street Journal's Emily Glazer and Maureen Farrell reported Sunday. “The federal officials have asked the banks — which include Bank of America Corp., Citigroup Inc., JPMorgan Chase & Co. and Wells Fargo & Co. — to monitor traffic from hackers who appear to be searching for weaknesses in the firms’ networks, these people said. The officials have warned banks to be on high alert for potential cybersecurity breaches.”
— More cybersecurity news from the private sector:
— A flaw in the mobile app of the British Conservative Party's conference exposed the data of senior officials including ministers, the Guardian's Mattha Busby, Jim Waterson and Michael Savage reported Saturday. “The data of hundreds of attendees to the Tory conference could be viewed by second guessing attendees’ email addresses, with Boris Johnson, Michael Gove, Gavin Williamson and others among those whose personal information — including their phone numbers — was made accessible,” Busby, Waterson and Savage wrote. “Once logged into the app, users were able to both amend and make the personal details of prominent MPs public.” The flaw was later fixed. “The technical issue has been resolved and the app is now functioning securely,” the Conservative Party said in a statement, as quoted by the Guardian. “We are investigating the issue further and apologize for any concern caused.”
- Washington Post Live Cybersecurity Summit 2018 tomorrow.
- U.S. Election Assistance Commission Election Readiness Summit in Washington on Wednesday.
- Privacy Security Forum in Washington on Wednesday through Friday.