Data Breaches: The Broken Record of Facebook
by Mathew Broughton on 13th May 2019 in News
Social networking platform Facebook has hit the headlines with a damning regularity in recent months due to seemingly chronic mismanagement of their data. Despite cap-in-hand ads running last summer proclaiming: "From now on, Facebook will do more to keep you safe and protect your privacy," in practice the firm's data management practices can be described in terms ranging from 'embarrassing' to 'omnishambles'.
In this article for ExchangeWire, Rick Madigan (pictured below), digital marketing strategist at MMT Digital, discusses how seriously the industry should take such data breaches, and what standards the company should impose to restore trust in their platform.
Yet again, a high-profile blunder hits headlines for Facebook. Earlier this month, cybersecurity researchers at Australian IT company ‘UpGuard’, found millions of user records on third-party databases, resulting in more damage and prolonged trust issues for the social giant.
Sure, we all say ‘naughty Facebook’, but in reality, from a transformational standpoint, the implications that a breach can bring are pretty gruesome. At MMT Digital, a lot of our work focuses on processing, and working with all types of data, including social; and these data breaches, lowered control over developer platforms, and lack of truth in app reviews can cause problems for companies like us!
While they are not the only offenders amongst the big businesses, Facebook has been handed the lion’s share of the headlines, although not unjustly. The Cambridge Analytica breach was severe, and their attempts to mitigate the damage was proactive - a high-profile marketing campaign centred on their dedication to privacy. However, the impact of the campaign was severely hindered/undermined by a series of breaches, anti-Facebook campaigns by celebrities, and a plethora of investigations and inquests driven by governmental bodies throughout the globe.
There’s no doubt that social media has been a godsend for businesses across the world, providing access to powerful data sources that, when used correctly, can support incredibly powerful and engaging user experiences. Facebook has maintained its popularity, with over 68% of adult social media users owning an account on the platform. The sheer volume of data is an enticing prospect, and Facebook has seized upon this to offer developers and marketers the opportunity to leverage this data to deliver applications.
However, this same enthusiasm has been their downfall. Weaknesses in the portal program have led to this latest breach, shaking confidence in the platform, but ultimately, could the breaches have been avoided? Well, yes.
Developers wanting to leverage Facebook’s data must register themselves via the 'Facebook for Developers' portal. A review of the documentation surrounding the portal reveals a very detailed set of policies with a lot of well-considered statements which, from a legal perspective, undoubtedly checks a box.
However, a number of these statements, arguably the critical ones relating to the latest breach, have a fundamental flaw in that they are nearly impossible to police. And, in some cases, there is a worrying lack of governance. It’s little wonder that this breach occurred.
If we consider registration for the portal, the registration is simple - get a Facebook login, which is a relatively simple and painless process.
You could argue that this low barrier to entry is a good thing as you want as many developers and marketers engaging with Facebook as possible to drive users in and boost those advertising revenues. However, as the data breaches have proven, this has swiftly become an Achilles’ heel for Facebook.
Increased scrutiny on data privacy and protection practices because of enhanced legislation, such as the GDPR, has forced businesses and organisations to clamp down on processes to provide the necessary security and governance. This open registration model flies in the face of this change in mindset.
A report released earlier this year by the Pomemom Institute (“Data Risk in the Third-Party Ecosystem”) explored the governance practices across businesses who avoided breaches and compared this to those who suffered breaches. There are common themes that emerge within the report, with a key theme being the necessity to evaluate the security and privacy practices of all third parties.
Relating this back to the Facebook for Developers portal, the argument is that this portal doesn’t deliver.
In the past, Facebook has been elusive on the issue, although they made some steps towards it with the App Reviews that are run prior to go-live of applications connected to the Facebook developer program. However, if you read the documentation around app reviews, you see a clear statement which explains that a developer may have to go through an app review. It is entirely possible that an app, that doesn’t meet the standards, could make its way through the process and out into the world. Although Facebook could take the app down amidst any complaints, the damage is done the minute that app is within the public domain.
In parallel to these concerns, there is little information on the scope of the app reviews. Do they focus purely on the code of the application and its connection to Facebook or do they consider the wider scope of the infrastructure and architecture supporting the application? If we think about this latest breach, the problem (for both Cultura Colectiva and The Pool Party) was down to databases outside of the application holding reams of user data.
The standard line from Facebook in the event of these breaches will often refer to the aforementioned policies. But this is of little use if the data gets out into the public domain in the first place. The key is in preventing this scenario rather than cleaning up the mess.
The developer program is a clear place to start. It’s been left open for a reason but surely we have reached a stage where Facebook cannot afford to let just anyone in. Expanding the registration process from a simple Facebook login to a more detailed vetting process is a must. Asking for more details around security practices, certifications, and controls will help Facebook to focus on working with the most trusted developers. Yes, there may be a reduction in the number of developers bothering to complete this more stringent registration process and there will be a segment lost through failing the vetting process, but the advantage is clear – a network of trusted development partners who place privacy by design at the heart of what they do – whether that be code, architecture or infrastructure.
In line with this, the word 'may' must be stricken from the policy. App reviews must be mandatory, no matter what the app or how extensive it is. In addition, these same reviews should step outside of the application to consider the full stack, from infrastructure through architecture to code. Completing these more comprehensive reviews is imperative in reducing the likelihood of breaches.
For me, there’s no argument. Facebook aren’t exactly short of resources, and while there is clearly an investment of time and money here to get these processes up and running, they have a duty of care to their customers.
If they want to open out their ecosystem to third parties, they need to make sure that the standards they impose (or should be imposing) on themselves are followed through to their third parties. It is easier to invest in security than to have to invest in fire-fighting with PR and campaigns to apologise for yet another mistake.
Follow ExchangeWire