Data privacy experts say Facebook may have run afoul of Europe’s tough data privacy rules by insecurely storing hundreds of millions of account passwords for years.
Facebook said yesterday it discovered in January that users’ passwords were stored in plain text, in a readable format potentially visible to the company’s employees. Experts say the company could be in violation of the European Union's General Data Protection Regulation, which includes rules governing how companies process sensitive data.
“There’s no doubt this is going to add to the list of woes for Facebook under GDPR,” said Justin Antonipillai, chief executive of WireWheel and a former Obama administration Department of Commerce acting undersecretary.
Data protection regulators in Ireland, which enforces the GDPR rules, told my colleague Tony Romm that they were in communication with Facebook, which contacted the regulators about the incident this week. They already have 10 open probes into the social network’s data collection practices.
“We are currently seeking further information,” officials said.
The incident only adds to the steady drumbeat of regulatory headaches at Facebook since the public first learned of the Cambridge Analytica scandal this time a year ago. That was two months before Europe's privacy laws took effect — giving regulators a new hammer to bring down on the company when data privacy incidents arise.
And GDPR could just be the beginning of policymakers holding companies to a higher bar on data security. Antonipillai tells me the security incident could also have violated California's privacy law, which will take effect in 2020. It's also inciting more calls for Congress to pass a tough federal privacy law.
“Facebook acted with reckless disregard for the security and privacy of hundreds of millions of users,” Sen. Ron Wyden (D-Ore.) said in a statement. “My privacy bill sets baseline privacy and data security rules which would have prevented this.”
Other companies have previously disclosed similar glitches that left passwords stored insecurely, such as Twitter and GitHub. However, both of those incidents were disclosed several weeks before GDPR took effect last May, so they could not be investigated under the new regulatory regime.
Data privacy experts also say the Facebook incident raises broader questions about how the company is addressing the privacy and security of its users. The company recently announced a pivot to privacy as it grapples with the fallout of repeated scandals.
“One announcement after another really is tough when privacy is so critical to your business model,” Antonipillai said.
On social media, the incident only amplified skepticism of Facebook's recent privacy commitments. From Petri.com executive editor Brad Sams:
"Facebook's 'pivot to privacy' is really them just hashing your passwords finally." — Brad Sams (@bdsams), March 21, 2019
Facebook disclosed the password problem after a report from longtime security journalist Brian Krebs. The company said the users most affected were people with Facebook Lite accounts, which are designed for regions with lower Internet connectivity.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company said in its blog post. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
The company did not believe it was under any obligation to report this incident as a personal data breach under either European or U.S. law. But security experts say that because many people reuse passwords across many sites, the company should have disclosed the incident it discovered in January much more quickly.
Antonipillai warned that it could be in violation of the European rules, which require companies to disclose security breaches within 72 hours.
It's also concerning that the passwords were exposed for so long at a company with vast resources to tackle cybersecurity issues, experts say. Krebs reported that some of the passwords were exposed in this manner since 2012.
“First and foremost it makes you wonder how this is possible,” said Lukasz Olejnik, a research associate at the Center for Technology and Global Affairs at Oxford University, in an email. “It is true that the reality at technology companies is such things may simply happen. But considering Facebook's scale of operation, the extreme sensitivity of this material, the expectations of higher standards commensurate with the company size are reasonable. It's very good that the company has proactively detected the issue.”
Olejnik added that companies will be engaging in more “breach-hunting” under the new privacy regulations.
BITS: The Trump administration is naming its first chief technology officer — after the position sat vacant for the first two years of his presidency. Trump plans to promote Michael Kratsios, who currently serves as deputy chief technology officer and is already the White House's de facto top tech adviser.
Kratsios has already developed strategic plans or national initiatives for artificial intelligence, quantum computing, 5G and autonomous vehicles. He also has convened meetings with tech executives at the White House on issues such as artificial intelligence as well as math and science education.
“Over the past two years, I've seen how passionate he is about developing smart, results-oriented policies that unleash America’s technological strengths and innovative spirit,” said IBM president and chief executive Ginni Rometty in a statement. “He also knows that innovation is about people as much as technology, and that we need education and training policies to help students and workers succeed in a tech-powered economy.”
Kratsios previously served as a principal at Thiel Capital, one of the venture firms founded by Peter Thiel, one of Silicon Valley's most outspoken supporters of President Trump.
NIBBLES: Instagram is the top place for young people to socialize — but that also makes it the next likely battleground for misinformation, Taylor Lorenz reports. The platform has largely escaped the scrutiny in the fallout since the 2016 election.
Instagram may have escaped high-level attention in part because of its reputation among older users — who primarily use it to post personal photos or keep in touch with friends. But teenagers on the other hand use it to explore their identity — and often to consume information about current events.
“Instagram is teeming with these conspiracy theories, viral misinformation, and extremist memes, all daisy-chained together via a network of accounts with incredible algorithmic reach and millions of collective followers,” Lorenz writes. “These accounts intersperse TikTok videos and nostalgia memes with anti-vaccination rhetoric, conspiracy theories about George Soros and the Clinton family, and jokes about killing women, Jews, Muslims, and liberals.”
BYTES: The founder of 8chan — a website known for allowing content banned by mainstream social networks — is expressing regret in the fallout of the New Zealand mosque shooting, the Wall Street Journal's Robert McMillan reports.
Fredrick Brennan, who cut ties with 8chan in December, said the site's administrators were too slow to remove a post last week from Christchurch shooter Brenton Tarrant and other posts inciting violence. Brennan said their reluctance to remove the post, coupled with the spread of posts praising the shooting, makes him think the site will one day again be connected to another mass shooting.
“It was very difficult in the days that followed to know that I had created that site,” Fredrick Brennan told McMillan in an interview. He added: “It wouldn’t surprise me if this happens again.”
Before starting the shooting rampage last week, Tarrant posted on 8chan, allegedly calling on readers of the site to spread his message and make memes. The users of the site responded by designing memes of the shooting. As my colleague Drew Harwell wrote earlier this week, 8chan played a significant role in the spread of the violent videos after the shooting. A user recorded Tarrant's Facebook Live broadcast of the shooting and posted it on 8chan before Facebook was alerted to it.