Some thoughts on the Facebook Data Breach
Facebook doesn’t seem to get into the news for anything good. From Cambridge Analytica and election engineering through to how it targets its users in advertising, Facebook is not the darling of the press. The latest problem, of course, is that Facebook got hacked and the personal information of around 50 million people was “leaked”. The vulnerability has been fixed and the affected users notified. Should Facebook have had better security? Most definitely! Is Facebook wholly to blame for this? Legally, probably, but in reality, are the users whose data was stolen in any way responsible? Are there steps that Facebook users could have taken to keep their data more secure? Whose is responsible for something like that?
With the benefit of hindsight, it is easy to point the finger at whatever organisation has suffered a data breach, and this is a perfectly understandable reaction. It is a bit like a bank saying that it will look after your cash, locking it in a garden shed and then expressing surprise when the shed was broken into and your money stolen. Different countries have different laws about this, but in Europe, GDPR makes looking after identifiable personal data the responsibility of the businesses controlling and processing it. The laws are strict and the penalties high for failing to take proper care of such data: It is a very big deal.
An organisation is not allowed to collect or store data that it does not need in order to fulfil its function. There seems to be an assumption that people will not want to provide more data about themselves than the absolute minimum, but in the case of something like Facebook, this is simply not the case. Could people do more themselves to look after their own data? There are 2.23 billion Facebook users, that is about 30% of the population of the planet, and a lot of them use Facebook to communicate with others at a level equivalent to broadcasting their lives: the ups, the downs, the good times, the losses, everything. They wholly trust the platform of Facebook and their online lives are very important to them. And yet, for the vast majority, even doing simple things such as setting up two factor authentication (2FA) to login has not occurred to them.
It seems obvious to anyone objectively looking in that doing anything that you can to make your online identity more secure would be a good idea and yet unless Facebook was forcing users to adopt 2FA, it wouldn’t cross the minds of the average person. The reason is that most people do not consider what could happen if the data they share on Facebook was taken and used against them. Facebook probably does not want its users to think this way because if they did, would they share as much information? Would the platform be as interesting to other users? Would the average time online drop? Would the number of users drop? What would be the effect of this on the revenues and value of Facebook?
For a better understanding of Facebook users’ “blinkered vision” mentality, we need only to look at recent UK history. You would have thought that most people want to stay alive and want their families to be safe. However, up until 1983, most people did not wear seatbelts in their cars. If they thought about it, they knew that having a crash without wearing a seatbelt would probably result in much worse injuries than if they did wear one, but they were as used to not wearing seatbelts as they were to not crashing their cars. The unspoken thought being that if they don’t crash their cars then they didn’t need to wear seatbelts. It seems insane, doesn’t it? There had to be laws brought in to force people to wear seatbelts before they would do so. The populous even complained bitterly at the time, that is how detached from the reality of the threats that people were! Take this pre-83 seatbelt mentality and apply it to Facebook users and them taking care of their data and you will have a clear view of the problem.
Would 2FA have helped in this most recent breach? Perhaps it would, perhaps not. Are there other potential holes in Facebook’s digital security? Probably. There are security issues in almost all software services. If there were not, then there would be no need for security patches that seem to be released all the time. Usually, the need for a patch is established because a hacker has found a way through the existing security. A responsible software service provider has skilled people actively trying to break in so that the vulnerabilities can be found and dealt with in a controlled way without having to wait for a data breach to discover there’s a problem.
To conclude: should the likes of Facebook take its responsibilities seriously and do its best to keep its users safe? Undoubtedly! Should people start to be more mindful about what they put online and less trusting of such things as social media platforms? They should, but it might take something big, like prosecuting them for being negligent with their own information, to make them behave responsibly.
Are you concerned about how your business handles identifiable personal data and whether your company should be doing more to be legally compliant? To be put in touch with your local specialist, please call Brigantia on 020 3358 0090 or email firstname.lastname@example.org.