The question of whether Facebook will face any regulatory sanction over the latest massive historical platform privacy failure to come to light remains unclear. But the timeline of the incident looks increasingly awkward for the tech giant.
While it initially sought to play down the data breach revelations published by Business Insider over the weekend by suggesting that information like people's birth dates and phone numbers was "old", in a blog post late yesterday the tech giant finally revealed that the data in question had in fact been scraped from its platform by malicious actors "in 2019" and "prior to September 2019".
That new detail about the timing of this incident raises the issue of compliance with Europe's General Data Protection Regulation (GDPR), which came into application in May 2018.
Under the EU regulation, data controllers can face fines of up to 2% of their global annual turnover for failures to notify breaches, and up to 4% of annual turnover for more serious compliance violations.
The European framework looks important because Facebook indemnified itself against historical privacy issues in the US when it settled with the FTC for $5BN back in July 2019, although that still leaves a period of several months (June to September 2019) which could fall outside that settlement.
Yesterday, in its own statement responding to the breach revelations, Facebook's lead data supervisor in the EU said the provenance of the newly published dataset wasn't entirely clear, writing that it "seems to comprise the original 2018 (pre-GDPR) dataset", a reference to an earlier breach incident Facebook disclosed in 2018, which related to a vulnerability in its phone lookup functionality and which it had said occurred between June 2017 and April 2018. But the regulator also wrote that the newly published dataset appeared to have been "combined with additional records, which may be from a later period".
Facebook followed up the Irish Data Protection Commission (DPC)'s statement by confirming that suspicion, admitting that the data had been extracted from its platform in 2019, up until September of that year.
Another new detail that emerged in Facebook's blog post yesterday was the fact that users' data was scraped not via the aforementioned phone lookup vulnerability but via another method altogether: a contact importer tool vulnerability.
This route allowed an unknown number of "malicious actors" to use software to imitate Facebook's app and upload large sets of phone numbers to see which ones matched Facebook users.
In this way a spammer (for example) could upload a database of candidate phone numbers and link them not only to names but to other data like birth date, email address and location, all the better to phish you with.
In its PR response to the breach, Facebook quickly claimed it had fixed this vulnerability in August 2019. But, again, that timing places the incident squarely within the period in which the GDPR was in force.
As a reminder, Europe's data protection framework bakes in a data breach notification regime that requires data controllers to notify the relevant supervisory authority if they believe a loss of personal data is likely to constitute a risk to users' rights and freedoms, and to do so without undue delay (ideally within 72 hours of becoming aware of it).
Yet Facebook made no disclosure at all of this incident to the DPC. Indeed, the regulator made it clear yesterday that it had to proactively seek information from Facebook in the wake of BI's report. That's the opposite of how EU lawmakers intended the regulation to function.
Data breaches, meanwhile, are broadly defined under the GDPR. A breach can mean personal data being lost or stolen and/or accessed by unauthorized third parties. It can also relate to deliberate or accidental action or inaction by a data controller which exposes personal data.
Legal risk attached to the breach likely explains why Facebook has studiously avoided describing this latest data protection failure, in which the personal information of more than half a billion users was posted for free download on an online forum, as a 'breach'.
And, indeed, why it has sought to downplay the significance of the leaked information, dubbing people's personal information "old data". (Even though few people regularly change their mobile numbers, email addresses, full names and biographical details and so on, and nobody (legally) gets a new birth date... )
Its blog post instead refers to data being scraped, and to scraping being "a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums", tacitly implying that the personal information leaked via its contact importer tool was somehow public.
The self-serving suggestion being peddled here by Facebook is that hundreds of millions of users had both published sensitive details like their mobile phone numbers on their Facebook profiles and left the default settings on their accounts, thereby making this personal information 'publicly available for scraping/no longer private/not covered by data protection legislation'.
This is an argument as obviously absurd as it is viciously hostile to people's rights and privacy. It's also an argument that EU data protection regulators must quickly and definitively reject, or be complicit in allowing Facebook to (ab)use its market power to torch the very fundamental rights that it is regulators' sole purpose to defend and uphold.
Even if some Facebook users affected by this breach had their information exposed via the contact importer tool because they had not changed Facebook's privacy-hostile defaults, that still raises key questions of GDPR compliance, because the regulation also requires data controllers to adequately secure personal data and to apply privacy by design and by default.
Facebook allowing hundreds of millions of accounts to have their data freely pillaged by spammers (or whoever) doesn't sound like good security or default privacy.
In short, it's the Cambridge Analytica scandal all over again.
Facebook is trying to get away with continuing to be terrible at privacy and data protection because it has been so terrible at it in the past, and likely feels confident in keeping on with this tactic because it has faced relatively little regulatory sanction for an endless parade of data scandals. (A one-time $5BN FTC fine for a company that turns over $85BN+ in annual revenue is just another business expense.)
We asked Facebook why it didn't notify the DPC about this 2019 breach back in 2019, when it learned that people's information was once again being maliciously extracted from its platform, or, indeed, why it hasn't bothered to notify affected Facebook users themselves, but the company declined to comment beyond what it said yesterday.
It then told us it would not be commenting on its communications with regulators.
Under the GDPR, if a breach poses a high risk to users' rights and freedoms, a data controller is required to notify affected individuals, the rationale being that prompt notification of a threat can help people take steps to protect themselves from the risks that follow a breach of their data, such as fraud and identity theft.
Yesterday Facebook also said it has no plans to notify users either.
Perhaps the company's trademark 'thumbs up' symbol would be more aptly expressed as a middle finger raised at everyone else.