On Friday morning, Facebook announced that its massive security breach was worse than previously thought. Though the number of users affected dropped to 30 million from 50 million, there was a new disclosure: The attack exposed some users’ emails and phone numbers, as well as profile information including gender, location, birthdates, and recent search history. Facebook wrote in a blog post that the FBI is investigating the breach.
The possible fallout for affected users is staggering. Some of the exposed data (location, recent search history) is invasively personal. Even more concerning is how it might be abused in the aggregate. Facebook is arguably the internet's most sought-after advertising engine largely because of its ability to assemble very targeted data profiles for its users.
Now, some of that data — 14 million users' worth — is in the possession of unknown and malicious attackers. Facebook itself acknowledged this on Friday, noting that "the information may allow them or other third parties to use it to create and spread spam on and off Facebook." Left unsaid here is how exactly Facebook defines "spam," which could mean anything from selling you a gravity blanket to foreign state actors attempting to target you with misinformation.
This, it bears repeating, is a privacy disaster. The ripple effects may go unnoticed for weeks or months, but as long as users' deeply personal information is floating around the internet, it is exposed and open to misuse. And what recourse do people have to reclaim that information? Users whose email address and phone number were exposed, for example, now have in attackers' hands the very identifiers that many services rely on for password resets and SMS-based two-factor authentication. As Slate's Will Oremus noted, unlike a password, location histories and search histories aren't things you can change. "If your password is stolen, you change your password. The damage is done and you move on. But if all your identifying personal information is stolen? You can't change that. It could haunt you for the rest of your life," he tweeted.
On a Friday press call with reporters, Facebook Vice President of Product Management Guy Rosen offered an apology to users for the security breach, noting that "people's privacy and security are important to us, and we are sorry this happened."
But by Facebook's own standards, an apology is insufficient for a breach of this magnitude. And users looking for redress or guidance in the wake of the attack might do well to look to the words of Facebook's founder and CEO, Mark Zuckerberg, from March of this year, when he took out full-page ads in the New York Times, Wall Street Journal, Washington Post, and six UK papers stating, "We have a responsibility to protect your information. If we can't, we don't deserve it."
Zuckerberg ended the ad thanking Facebook's more than 2 billion users "for believing" in the company. "I promise to do better for you," he wrote.
But Facebook, which continues to brazenly demand personal information from users (this week it announced a voice-activated video chat tablet with an always-listening microphone and camera), has not done better since Zuckerberg's March pledge. In the case of this current breach, it was 13 days before Facebook disclosed the attack to users.
Now, as we scramble to determine whether our personal information has been compromised, it's worth considering Zuckerberg's pledge. Does Facebook deserve our trust? By Zuckerberg's own standards, it would appear not.