Word got out this weekend that a Facebook data set consisting of personally-identifiable information for 533 million users (including about 3.5 million Canadians) had been made available for free online:
The data is from a much earlier breach. It was previously available through a Telegram service that let you query the data set for a fee; the new change is that the full trove is now much more accessible.
The data includes things like names, birthdays, locations, employers, and phone numbers. On the surface this may seem trivial, but the obvious question one might ask is “if it’s trivial, why were people paying to access it through a bot?” The answer is that information like this makes it easier to send spam or phishing attacks to known numbers, or to conduct identity theft. Most people prefer to keep the same phone number over time – even if they switch service providers – so a number combined with a common name becomes a unique identifier, much like (say) a social security number. And when combined with other sources of information, something like a phone number can be used to defeat the two-factor authentication systems that many sites and services use to protect accounts (for example, the 6-digit code that your bank sends to your phone as part of your login request).
A lot will be said about all this over the next few days, but I have two early observations to make.
Facebook’s formal response is callous and ignorant
As expected, Facebook responded quickly to this news: not with an apology or even an expression of regret, but with a terse message whose subtext is: “this has nothing to do with us”:
This is a monumentally stupid response. It implies that the impact of a breach is meaningless as long as the source of the breach has been addressed. If a pipe in your house exploded and flooded the place, the Facebook Plumbing Co response would be to walk in, turn off the water main, and then say “it’s fixed” without acknowledging the knee-deep water or the damage it might cause. You might complain, and then they’d say “listen, we stopped the leaking. We can’t control all the crazy things ‘water’ does! Water’s gonna water, amirite?”
In my opinion, we taught Facebook this response: they’ve never been made fully accountable for the damage they cause (genocide, anyone?) so they’ve learned to be blasé about their responsibilities in this area. As an example, if Facebook were found guilty of contravening Canadian privacy legislation by not notifying users of this breach, they would be subject to a fine of up to $100,000CAD — hardly a rebuke for a company whose 2020 revenue is $86 billion (US dollars).
The public response includes some alarming sentiment
There is a flurry of activity on Twitter related to this dataset being made available online: everything from rage to widespread curiosity from individuals about whether or not their own data is in the set (you can currently check this at haveibeenpwned.com by entering your email address, but the site notes that only 2.5 million email addresses are available in the full 533 million account set). Most alarmingly for me, there is a tone of surrendered acceptance: “I share this kind of info with everyone already, so who cares” or “I just assume that hackers know all this already, so this is no big deal.”
My concern here is that the conversation around collection and disclosure of personal data online is still framed in terms of isolated pieces: a phone number, an email address, etc. The larger implications of these kinds of breaches are not easy to grasp and often not considered. It’s not the phone number alone that is problematic: it’s what happens when people combine those elements with other pieces of data to isolate and target individuals. Hackers will do it, for sure, but we would all be naive to think that companies like Clearview AI and Palantir won’t be just as eager to ingest this data and combine it with their already-invasive surveillance and privacy invasion systems, where it can and will be sold to anyone with an interest in targeting people for any purpose.
We are long, long overdue for a very serious conversation about holding companies like Facebook to account for their recklessness.